Final Exam Review - PowerPoint PPT Presentation

Slides: 65
Provided by: informat507
Transcript and Presenter's Notes

Title: Final Exam Review


1
Final Exam Review
  • Week 15
  • Questions
  • Don't forget to review the first 8 weeks of
    material.

2
Denial of Service Attacks
  • DoS attacks are most prevalent
  • Range from bursts to prolonged service
    deprivations
  • DoS Attack Tools
  • Available for most Unix platforms
  • Very easy to implement

3
DoS Attack Tool: Void11
  • Trivial to spoof MAC address of AP
  • Void11 options
  • Single client or entire network
  • Flood - Disassociate or Deauthenticate
  • Resource Starvation - Deauthentication
  • Stations are kicked off

4
DoS Damages
  • Growing trend to rely on wireless services
    without ability to prevent these attacks
  • Wide area of coverage
  • High gain antennas and RF amplifiers
  • Equipment is easily concealed

5
Attack Scenario 2
  • Weak WEP Keys
  • AirJack, WEPCrack, BSD-Airtools, AirSnort
  • WEP reinjection attack tool reinj.c
  • Accelerates frame traffic by reinjecting TCP SYN
    or ARP frames
  • WEP key recovery possible in less than 60 minutes


6
More about WEP
  • Only data packets are encrypted
  • Link layer packets are unencrypted
  • WEP is shared private key
  • Transparent protection

7
A Word about Wireless Detection
  • Detecting wireless networks
  • Active probes: Netstumbler, Ministumbler
  • Example of War Chalking
  • Passive probes: Kismet, Wellenreiter, Airsnort

8
WEP Attack Mitigation
  • Use dynamic WEP keying
  • Asymmetric WEP keys
  • WEP (upgraded firmware)
  • Disable unnecessary traffic
  • Broadband and multicast traffic from wired
    network to wireless network

9
Some Defensive Myths
  • SSID Cloaking
  • Transparent protection
  • Non-Beaconing
  • SSID is still detectable
  • Registering MAC Addresses
  • Easy to spoof
  • Administrative burden

10
Attack Scenarios 3
  • MITM Attack
  • Insert attack machine between victim and access
    point
  • Attacker needs proximity to network
  • Two wireless cards
  • AirJack by Abaddon
  • Monkey_Jack
  • Kracker_Jack
  • Also includes DoS tools

11
Monkey-Jack
  • Attacker launches DoS attack
  • Victim's 802.11 card scans channels to search for
    new AP
  • Victim's 802.11 card associates with fake AP on
    the attack machine
  • Attack machine associates with real AP
  • Attack machine is now inserted and can pass
    frames through in a manner that is transparent to
    the upper level protocols

12
Defense Against MITM Attacks
  • Use multiple authentication EAP types
  • PEAP, TTLS or EAP/TLS
  • Support WPA, 802.11i spec
  • When possible, configure clients to detect
    presence of TLS tunnel
  • Authentication credentials inside TLS tunnel
  • Ask vendors to implement this feature

13
Future Attack Trends
  • Complex attack tools
  • More DoS attacks
  • Firmware flaws
  • Faster WEP cracking and more effective
    reinjection
  • Attacks against PEAP, TTLS, EAP/TLS, TKIP
  • Attacks we don't know about yet

14
Future Security Standards
  • WPA and 802.11i
  • Hot Spots effective key distribution
  • TKIP (Temporal Key Integrity Protocol) and 802.1x
    mechanisms
  • Dynamic key encryption
  • Mutual authentication
  • Integration with authentication server (e.g.,
    RADIUS) using 802.1x with EAP
  • Preshared keys (i.e., pass phrases)

15
802.11i
  • AES (stronger than RC4)
  • Will require replacement of equipment
  • 128, 192 or 256 bit key sizes
  • Two strong authentication features
  • WRAP
  • CCMP
  • Ratification in 2004?

16
Best Practices
  • Enable all built-in security capabilities
  • Avoiding signal leaks
  • Use VPN strong mutual authentication
  • Wireless IDS and Monitoring
  • Kismet
  • Lots of features FREE
  • AirDefense
  • Buy equipment that can be upgraded to new
    security standards

17
Resources
  • Void11 wlsec.net/void11
  • AirJack 802.11ninja.net
  • Kismet www.kismetwireless.net
  • AirDefense www.airdefense.net
  • AirSnort airsnort.shmoo.com
  • Finland Nokia Group paper on tunneled
    authentication/MITM
  • www.saunalahti.fi/asokan/research/tunnel.pdf
  • WEPCrack wepcrack.sourceforge.net
  • DSniff - naughty.monkey.org/~dugsong/dsniff/

18
So what is the business impact of security?
  • According to the Computer Crime and Security
    Survey 2002, by the Computer Security Institute
    (CSI) and the FBI
  • 44% of respondents (223 total) were able to
    quantify financial losses of $455M, or $2.05M per
    survey respondent
  • 90% detected computer security breaches within
    the last 12 months. 80% acknowledged financial
    loss due to breach.
  • 85% detected computer viruses
  • 40% experienced Denial-of-Service attacks

Source: FBI and Computer Security Institute
(CSI) Computer Crime and Security Survey 2002
Link: http://www.gocsi.com

19
Technology, Process, People
  • Technology: Baseline technology; standards, encryption,
    protection; product security features; security tools
    and products
  • Process: Planning for security; prevention; detection;
    reaction
  • People: Dedicated staff; training; security - a mindset
    and a priority

20
Setting up a Wireless Network Authentication
Services
  • Open System
  • Does not provide authentication
  • Identification using the wireless adapter's MAC
    address
  • Shared Key
  • Verifies that an authenticating wireless client
    has knowledge of a shared secret key
  • Similar to preshared key authentication in
    Internet Protocol security (IPsec)

21
Setting up a Wireless Network Authentication
  • EAP-TLS
  • Does not require any dependencies on the user
    account password
  • Authentication occurs automatically, with no
    intervention by the user
  • Uses certificates, providing a strong
    authentication scheme

22
Setting up a Wireless Network: Active Directory
  • IAS as a RADIUS proxy security considerations
  • Shared secrets
  • Firewall configuration
  • Message Authenticator attribute
  • Using IPSec filters to lock down IAS proxy
    servers
  • Password Authentication Protocol (PAP)

23
Setting up a Wireless Network Security Issues
With 802.11
  • No per-packet authentication
  • Vulnerability to disassociation attacks
  • No user identification and authentication
  • No central authentication, authorization, and
    accounting support
  • RC4 stream cipher is vulnerable to known-plaintext
    attacks
  • Some implementations derive WEP keys from
    passwords
  • No support for extended authentication
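
The known-plaintext weakness listed above comes from WEP keying RC4 with a short clear-text IV plus a static key: two frames that share an IV share a keystream. The following is an added example, not part of the original slides; the frame layout is simplified (no key ID byte or 802.11 header), and the key, IVs and payloads are constructed sample values.

```python
import struct
import zlib
from collections import Counter

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key schedule (KSA) followed by n bytes of output (PRGA)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, data: bytes) -> bytes:
    """Simplified WEP body: clear 3-byte IV, then RC4(IV || key) over data || CRC-32."""
    body = data + struct.pack("<I", zlib.crc32(data))
    return iv + xor(body, rc4_keystream(iv + key, len(body)))

def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Decrypt with the key and verify the CRC-32 integrity check value."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    data, icv = body[:-4], body[-4:]
    if struct.pack("<I", zlib.crc32(data)) != icv:
        raise ValueError("ICV mismatch")
    return data

def reused_ivs(frames) -> list:
    """Monitoring check: IVs that occur more than once under the same static key."""
    counts = Counter(f[:3] for f in frames)
    return sorted(iv for iv, n in counts.items() if n > 1)

def keystream_reuse_leak(frame_known: bytes, known: bytes, frame_other: bytes) -> bytes:
    """With a shared IV, known plaintext of one frame exposes the other frame."""
    keystream = xor(frame_known[3:], known)   # C xor P = keystream; key never used
    return xor(frame_other[3:], keystream)

# Constructed sample data (not from the slides).
KEY = bytes.fromhex("0badc0de42")             # 40-bit static WEP key
KNOWN = b"DHCPDISCOVER-pad"                   # content an observer can predict
OTHER = b"user=bob pw=7391"
FRAMES = [wep_encrypt(b"\x00\x00\x01", KEY, KNOWN),
          wep_encrypt(b"\x00\x00\x02", KEY, b"unrelated frame!"),
          wep_encrypt(b"\x00\x00\x01", KEY, OTHER)]   # IV 000001 repeats

if __name__ == "__main__":
    print("reused IVs:", [iv.hex() for iv in reused_ivs(FRAMES)])
    print("exposed   :", keystream_reuse_leak(FRAMES[0], KNOWN, FRAMES[2]))
```

Per-session or per-packet keys (dynamic WEP, TKIP, AES-CCMP, all covered elsewhere in this deck) remove the precondition: the same key and IV are not used for two frames.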

24
Security in a Wireless World: Basic Steps to
Authentication
[Diagram; labels: CHALLENGE, ID]

25
Security in a Wireless World: Basic Steps to
Authentication
[Diagram; labels: RADIUS, REQUEST, SUCCESS, ID, KEY]

26
Dynamic WEP Key Management
[Diagram: laptop computer, 802.11 access point and RADIUS
server on Fast Ethernet; port state goes from Access
Blocked to Access Allowed]
  • 802.11 Associate
  • EAPOW messages (802.11 side): EAPOL-Start,
    EAP-Request/Identity, EAP-Response/Identity,
    EAP-Request, EAP-Response (Credential), EAP-Success,
    EAPOW-Key (WEP)
  • RADIUS messages (Fast Ethernet side):
    Radius-Access-Request, Radius-Access-Challenge,
    Radius-Access-Request, Radius-Access-Accept

36
Pros & Cons of Wireless Security
37
Six Steps for Wireless Security
  • Enable 128-bit session encryption
  • Configure RADIUS server authentication
  • Force 30-minute periodic authentication for all
    users
  • Require use of VPN to access critical resources
  • Restrict LAN access rights by role
  • Implement two-factor authentication scheme using
    access tokens
  • Source: Computerworld

38
Challenge Message
  • Radius server sends challenge to client via
    access point
  • This challenge packet will vary for each
    authentication attempt
  • The challenge is pulled from information
    contained in a table of known secrets
  • New challenge can be sent at intervals based on
    Radius server settings, or upon client roaming

39
Calculated HASH
  • Client responds with a calculated value using a
    one way hash function
  • This value is derived from a known secrets list

40
Authentication Granted/Denied
  • Radius server checks response against its own
    calculated hash
  • If it matches, then authentication is
    acknowledged to AP and client
  • If authentication is not achieved, the AP will
    not permit any traffic for that client to pass
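
The challenge, calculated hash and grant/deny steps on the three slides above, as an added example that is not part of the original slides. It assumes the EAP-MD5 / CHAP (RFC 1994) construction MD5(identifier || secret || challenge) as a stand-in for the hash; the class names, user name and secret are hypothetical.

```python
import hashlib
import hmac
import os

def md5_challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 / CHAP (RFC 1994) response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class RadiusServer:
    """Toy authentication server holding the table of known secrets."""

    def __init__(self, secrets: dict):
        self.secrets = secrets      # user -> shared secret
        self.pending = {}           # user -> (identifier, challenge) awaiting a reply
        self.counter = 0

    def issue_challenge(self, user: str):
        self.counter = (self.counter + 1) % 256
        challenge = os.urandom(16)  # fresh value for every authentication attempt
        self.pending[user] = (self.counter, challenge)
        return self.counter, challenge

    def verify(self, user: str, response: bytes) -> bool:
        issued = self.pending.pop(user, None)   # each challenge is usable once
        secret = self.secrets.get(user)
        if issued is None or secret is None:
            return False
        expected = md5_challenge_response(issued[0], secret, issued[1])
        return hmac.compare_digest(expected, response)  # constant-time compare

class AccessPoint:
    """Relays the exchange and passes no traffic for unauthenticated clients."""

    def __init__(self, server: RadiusServer):
        self.server = server
        self.authorized = set()

    def authenticate(self, user: str, respond) -> bool:
        identifier, challenge = self.server.issue_challenge(user)
        ok = self.server.verify(user, respond(identifier, challenge))
        if ok:
            self.authorized.add(user)
        else:
            self.authorized.discard(user)   # failed re-authentication revokes access
        return ok

    def forward(self, user: str, frame: bytes):
        return frame if user in self.authorized else None

def client(secret: bytes):
    """Build a supplicant callback that answers challenges with its secret."""
    return lambda identifier, challenge: md5_challenge_response(identifier, secret, challenge)

if __name__ == "__main__":
    ap = AccessPoint(RadiusServer({"alice": b"correct horse"}))  # constructed secret
    print(ap.authenticate("alice", client(b"correct horse")))
    print(ap.authenticate("alice", client(b"wrong guess")))
    print(ap.forward("alice", b"frame"))
```

Because the challenge changes on every attempt, a response recorded from one exchange fails against the next. This construction authenticates only the client and yields no encryption key, which is why the deck's later slides pair 802.1x with TLS-based EAP types and dynamic keys.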

41
Cisco LEAP Deployment
[Diagram: laptop computer with LEAP supplicant, wireless
link to EAP access point, Ethernet backbone to LEAP
RADIUS server]
  • Network Logon
  • Win 95/98
  • Win NT
  • Win 2K
  • Win CE
  • MacOS
  • Linux
  • Radius
  • Cisco Secure ACS 2.6
  • Authentication database
  • Can use Windows user database
  • Driver for OS x
  • LEAP Authentication support
  • Dynamic WEP key support
  • Capable of speaking EAP
  • Radius DLL
  • LEAP Authentication support
  • MS-MPPE-Send-key support
  • EAP extensions for Radius
  • EAP Authenticator
  • EAP-LEAP today
  • EAP-TLS today

Client/Supplicant
Backend/Radius server
Authenticator
42
TKIP
  • Unique dynamic TKIP key by mixing WEP keys with
    MAC address.
  • MIC (Message Integrity Code) prevents hackers
    from forging packets in the air.

43
IEEE 802.11i
  • IEEE802.1x (EAP-TLS, EAP-TTLS, PEAP)
  • TKIP
  • AES-CCMP
  • Needs new hardware.
  • Secure IBSS (Ad-hoc)
  • Secure handoff

44
IEEE 802.1x in Action (EAP-MD5)
Notebook
Access Point
RADIUS Server
45
802.11i and WPA
  • Uses 802.1x authentication
  • Uses Temporal Key Integrity Protocol (TKIP) to
    dynamically change encryption keys after 10,000
    packets are transferred
  • Uses Advanced Encryption Standard (AES)
    encryption, which is much better than WEP
  • A subset of 802.11i, Wi-Fi Protected Access (WPA)
    is available as a firmware upgrade today

46
802.11i and WPA Pitfalls
  • Keys can be cracked using much less than 10,000
    packets
  • Michael feature shuts down AP if it receives
    two login attempts within one second. Hackers can
    use this to perpetrate a DoS attack.
  • 802.11i is yet to be released (Sometime in 2003?)

47
Topics
  • Linux and Hacking Tools.
  • Wireless Bridges over 100Mbs.
  • 802.11i
  • The future of wireless networking.

48
Overview of 350 series
  • Solutions for the enterprise and small and medium
    sized business
  • Offers scalable, centralized security and inline
    power
  • Integrates seamlessly into an existing network as
    a wireless overlay
  • All Cisco Aironet 350 Series client adapters and
    access points are IEEE 802.11b compliant

49
Client Adapter Specifications
  • Data Rates Supported: 1, 2, 5.5, and 11 Mbps
  • Network Standard: IEEE 802.11b
  • Frequency Band: 2.4 to 2.4897 GHz
  • Wireless Medium: Direct Sequence Spread
    Spectrum (DSSS)
  • Media Access Protocol: Carrier sense multiple
    access with collision avoidance (CSMA/CA)
  • Modulation
  • DBPSK @ 1 Mbps
  • DQPSK @ 2 Mbps
  • CCK @ 5.5 and 11 Mbps

50
Features of Client Adapter
  • Superior range and throughput
  • Secure network communications
  • World mode for international roaming
  • Full-featured utilities for easy configuration
    and management
  • Compliance with the IEEE 802.11b high-rate
    standard
  • Support for all popular operating systems

51
Features of AP
  • The Cisco Aironet 350 Series AP supports data
    rates up to 11 Mbps, is IEEE 802.11b compliant
  • Support for inline power over Ethernet,
    simplifying and reducing the total cost of
    installation and ownership
  • High-performance 100 Milliwatt (mW) radio design,
    with power management capabilities
  • Future-proof architecture that can support
    additional software features for investment
    protection

52
Software Features of AP
  • 802.1x-based Extensible Authentication Protocol
    (EAP) services that provide centralized,
    user-based authentication for hassle-free
    security administration and user-based privacy
  • Automatic channel selection, Cisco Discovery
    Protocol (CDP), Dynamic Host Configuration
    Protocol (DHCP), and BOOTP services to simplify
    installation and management of WLAN
    infrastructures

53
Software Features of AP (cont)
  • High-availability services, such as load
    balancing and hot-standby redundancy, for
    dependable performance and reliability
  • Rich filtering options on both the Ethernet
    and radio side to provide performance and
    application tuning to meet specific business
    requirements

54
Load Balancing of AP
  • Up to three APs, configured for different
    channels, can be colocated to achieve aggregate
    peak capacity of 33 Mbps for a single coverage
    area.
  • Load-balancing policies based on number of users,
    error rates, or signal strengths redistribute
    users to deliver more balanced collision domains
  • Another scalability enhancement is the addition
    of broadcast and multicast filtering. This
    enables administrators to select the amount of
    such frames that enter the WLAN, conserving the
    shared bandwidth.

55
Security of AP
  • Cisco Aironet APs interoperate with EAP-enabled
    Remote Access Dial-In User Service (RADIUS)
    servers such as the Cisco Access Control Server
    2000 Version 2.6 and EAP-enabled client adapters
    such as Cisco Aironet Series clients providing
    user-level authentication over an encrypted
    link.
  • After successful mutual authentication with the
    RADIUS server, the user derives a dynamic WEP
    encryption key that uniquely encrypts that user's
    traffic over the air, ensuring security from both
    outside sources and inside network users.

56
General Overview
  • Standard for wireless metropolitan area networks
    (WirelessMAN)
  • Supports a variety of services such as IP, voice
    over IP, and streaming video
  • Protocol independent, supporting ATM and
    packet-based protocols

57
Applications
  • Economically bridges the last mile
  • Buildings equipped with subscriber and base
    stations (SS and BS)
  • Users connect to SS via conventional network
    technologies (e.g. 802.3, 802.11)
  • BSs connected directly to backbone
  • Lowers barriers to entry for new ISPs, increasing
    competition
  • Provides broadband to rural communities and
    developing nations

58
802.16 Characteristics
  • Point-to-multipoint broadband wireless access
  • Operates in 10-66 GHz spectrum
  • Data rates up to 134 Mbps
  • Requires directional line-of-sight (LOS)
    propagation
  • 802.16a adopted to address these concerns
  • Operates in 2-11 GHz spectrum
  • Eliminates need for directional LOS propagation
  • Greater range but lower data rates

59
802.16 MAC
  • WirelessMAN operates at MAC sub-layer of Data
    Link Layer
  • MAC layer is further subdivided into three
    layers
  • Convergence sub-layer (CS)
  • Common part sub-layer (CPS)
  • Privacy sub-layer

60
802.16 MAC Privacy Sub-Layer
  • Provides secure communication
  • Data encrypted with cipher block chaining mode of
    DES
  • Prevents theft of service
  • SSs authenticated by BS using key management
    protocol

61
802.16 Physical Layer
  • Variety of services supported requires support
    for continuous and bursty traffic
  • Burst profiles associated with every frame
  • Profiles describe transmission properties such as
    encoding and modulation schemes
  • Modulation and encoding schemes dynamically
    adjusted to account for changing link conditions

62
802.16 Physical Layer
  • Data rates determined by exact modulation and
    encoding schemes
  • TDD and FDD supported in 802.16 to accommodate
    burst profiling
  • 802.16a adds OFDM and OFDMA to support NLOS
    multipath propagation

63
Alternatives
  • Mobile Broadband Wireless Access
  • IEEE standard 802.20
  • Extends broadband wireless to mobile users
  • Data rates in excess of 1 Mbps
  • Optimized for IP transport
  • Supports vehicular mobility at 250 km/h

64
802.11
  • Know all of the sub groups.
  • A,B,G,E,I,K and so forth.

65
Short Question
  • Make sure it's a VERY COMPLETE ANSWER
  • It will be 50 points. Final is total 200
    points.
  • Describe a complete wireless security solution
    using an authentication method and encryption
    method. Be sure to describe all phases to
    getting a user onto the wired network, from
    association to secure packet transfer. Also
    document the equipment you would use based on our
    labs.