Wired or Wireless?
James Tucker 459650490
Dr. Durrett
ISQS 6342

Summary
• Food for Thought
• Corporate Level
• University Level
• Public Access Level

Food For Thought¹
• 10 Steps to Secure a Wireless Network
  • Control your broadcast area
  • Lock each AP
  • Ban rogue access points
  • Use 128-bit WEP
  • Use SSIDs wisely
  • Limit access rights
  • Limit the number of user addresses
  • Authenticate users
  • Use RADIUS
  • Call in the big boys

• Control your broadcast area: wireless access points allow for control of signal strength, and some direction. Place in center of area.
• Lock each AP: people don’t change the darn defaults! Change them – and MAKE IT GOOD!!! (www.pcmag.com/passwords, click on password dos and don’ts)
• Ban rogue access points: if you have an AP on your network, make sure you put it there. (www.netstumbler.com)

• Use 128-bit WEP: adds a layer of difficulty. HOWEVER, it is easily cracked with freeware (http://airsnort.shmoo.com)
• Use SSIDs wisely: Change the defaults – AGAIN! Service Set Identifiers (SSIDs) show all your AP information. Also, buy a product that allows you to disable broadcasting the SSIDs.
• Limit access rights: Authorized MAC cards only!

• Limit # of user addresses: constrict the # of DHCP addresses to just enough – then if you have some connection trouble you know you have unauthorized access!
• Authenticate users: firewalls with VPN connectivity, and require log-ons.
• Use RADIUS: provides another authentication method (time of day & simultaneous) – can be pricey. (www.freeradius.org)
• Call in the big boys: AirDefense, a server appliance that monitors activity and protects traffic on LANs – really pricey ($10k - $100k depending on # sensors)

Corporate Level
• Attacks to Consider:
  • WEP Attacks
  • WAP Attacks
  • Brute Force

Corporate Level
• Security Design
  • IT Sub Department
  • Spec Hardware
  • Spec Software
  • Diagram User Levels
  • Define User Access
  • Define LAN Architecture (Wired and Wireless)
  • Define DMZs
  • Define Firewall Protocols
  • Define Wireless Sniffing Tools

Corporate Level
• IT Sub Department: ruthless individuals
• Spec Hardware based upon needs (# of APs defined by # of users, etc…)
• Go for 802.11a!!!
• Spec Software based upon required security
• Granted – Pocketbook is King
• Diagram User Levels: who needs access to what?
• Employee status, Employee Area, Employee Expertise

Corporate Level
• Define LAN Architecture: Does the entire building need wireless? Remember 10 steps.
• Hardwire offices, meeting rooms, etc…
• Wireless for open spaces, floor level access for IT employees
• Define DMZs: What is available online? What is available to Wireless protocols?

Corporate Level
• Define Firewall Protocols
• Allow only ports and protocols needed
• Kill Telnet, ping, port-scan, etc…
• Define Wireless Sniffing Tools
• Use of sniffers to determine unauthorized access is becoming more and more popular. Example: Wavelink’s Mobile Manager. (www.wavelink.com, www.mcafee.com)

Mobile Manager by Wavelink
• Reduction of DNS attacks through Access Point profiles (streamlining of all AP profiles)

University Level
• Treat it like Corporate:
• Much less likely to have money requirements of 802.11a, BUT:
• Securing 802.11b is defined by:
  • Broadcast area
  • Sniffing
  • Restricting # Users
  • Restricting Access Rights

University Level
• Use of 802.11b requires more physical security:
  • Wardriving still possible
  • Attacks through Staff
  • Attacks through dormitories
• Requires a very accurate listing of User MAC addresses
• Requires accurate accounting for DHCP address use

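
The MAC listing and DHCP accounting called for here, and in the "limit access rights" and "limit the number of user addresses" steps earlier, can be checked mechanically. The Python below is an added example, not part of the original presentation; it assumes an ISC dhcpd-style lease file, and the sample leases, MAC inventory and pool size are constructed.

```python
import re
from datetime import datetime

# Constructed sample in ISC dhcpd.leases syntax (not from the original slides),
# condensed to one lease per line; real files spread each lease over several lines.
SAMPLE_LEASES = """
lease 10.0.0.10 { ends 2 2003/02/25 20:00:00; binding state active; hardware ethernet 00:0c:41:aa:bb:01; }
lease 10.0.0.11 { ends 2 2003/02/25 20:00:00; binding state active; hardware ethernet 00:0C:41:AA:BB:02; }
lease 10.0.0.12 { ends 2 2003/02/25 09:00:00; binding state active; hardware ethernet 00:0c:41:aa:bb:03; }
lease 10.0.0.12 { ends 2 2003/02/25 21:00:00; binding state active; hardware ethernet 00:02:2d:de:ad:01; }
"""
# Assumed inventory of authorized wireless cards, and a pool sized "just enough".
AUTHORIZED = {"00:0c:41:aa:bb:01", "00:0c:41:aa:bb:02", "00:0c:41:aa:bb:03"}
POOL_SIZE = 3

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def active_leases(text, now):
    """Return {ip: mac} for leases that are active and unexpired at `now`."""
    out = {}
    for ip, body in LEASE_RE.findall(text):
        out.pop(ip, None)  # a later entry for the same IP replaces earlier ones
        state = re.search(r"binding state (\w+);", body)
        mac = re.search(r"hardware ethernet ([0-9a-fA-F:]{17});", body)
        ends = re.search(r"ends \d (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d);", body)
        if not (state and mac and ends) or state.group(1) != "active":
            continue  # entries missing a field, or not active, are skipped
        if datetime.strptime(ends.group(1), "%Y/%m/%d %H:%M:%S") > now:
            out[ip] = mac.group(1).lower()  # normalise case before comparing
    return out

def audit(text, authorized, pool_size, now):
    """Report pool usage and leases held by MACs missing from the inventory.
    MAC addresses can be cloned, so a clean report is not proof of authorized use."""
    leases = active_leases(text, now)
    unknown = {ip: mac for ip, mac in leases.items() if mac not in authorized}
    return {"in_use": len(leases), "pool_exhausted": len(leases) >= pool_size,
            "unknown": unknown}

if __name__ == "__main__":
    print(audit(SAMPLE_LEASES, AUTHORIZED, POOL_SIZE, datetime(2003, 2, 25, 12, 0, 0)))
```

In the sample, the pool is full while one authorized card holds no lease, and the address it would have received is held by a MAC that is not in the inventory.
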
University Level
• Time of Day lockdown implementation
• Set-up of DMZ is critical
• Just as important as securing corporate data is securing sensitive University data
• Grades, Degree Plans, Financial Information, etc…
• Building by building better than broadcast cloud

Public Access Level
• Problems:
  • Unlike Corporate or University Level, listing MAC addresses is more difficult.
  • Creating the correct DMZ cloud
• Answers
  • Setting up an account service requiring MAC addresses of users
  • Creating architecture of system before implementation!

Closing
• Be Smart and Realize that no network is perfect!
• Hire Good People with a diverse background in Security (More eyes and ears!)
• Restrict User Access
• Restrict Number of Users
• Use of Sniffing Tools
• Change the Defaults!

Reference
• Security Watch, PC Magazine, February 25th, 2003, www.pcmag.com.
• Hacking Exposed, McClure, Scambray, Kurtz, McGraw-Hill, Chicago, 2001.
• Secrets & Lies, Schneier, Wiley, New York, 2000.
• Cisco AVVID Network Infrastructure Enterprise Wireless LAN Design, Adobe Acrobat Presentation, www.cisco.com, 2003.

Questions?
• Queries?
• Posers?
• Inquiries?
• Huh?