Wireless Security Part 1 3/10/04 Mark Lachniet, Analysts International – PowerPoint PPT presentation


Wireless Security Part 1 3/10/04 Mark Lachniet,
Analysts International
  • Mark Lachniet, Technical Director of Analysts
    International's Security Services Group
  • Technical lead developing for services,
    methodology, quality control, technical presales
  • Certified Information Systems Auditor (CISA) from
  • Certified Information Systems Security
    Professional (CISSP) ISC2
  • Linux LPIC-1, Novell Master CNE, Microsoft MCSE,
    Checkpoint CCSE, TruSecure ICSA, etc.
  • Former I.T. director of Holt Public Schools
  • Frequent speaker for local organizations

  • Overview of Wireless
  • Wireless frequency types and products
  • Controlling signal and site surveys
  • Wireless modes of operation
  • Wardriving and Warchalking
  • Basic wireless security features
  • Advanced wireless security features
  • Wireless in the network environment
  • Conclusions
  • Discussion

Class Logistics
  • Frequent breaks, maybe not 20 mins.
  • I do not mind if you mess around with your
    computers while I am talking, in fact I encourage
    it - you are here because you want to be
  • Will attempt to do more hands-on exercises and
    less talking
  • Please speak up! This will be most useful if you
    ask questions! Don't wait for the end
  • Consider finding a partner, especially one of a
    higher or lower technical skill level

Class CD-ROM
  • I have included a CD-ROM with many tools and
    utilities on it
  • Some of these we will use, some of them we may
  • Most are 30-day expiring demos
  • You should go to the web site(s) yourself and
    download the software, so you can get registered

Classroom Network
Why Wireless?
  • Flexibility
  • Instructional Potential (mobile labs, data
    collection, research in common areas, etc.)
  • Overcome building limitations (all brick,
    asbestos, leased buildings, etc.)
  • Ubiquitous technology - built into many PDAs and
  • In use in many homes, coffee shops, airports
  • Many people already have it on their laptop,
    making it easy for visits, ad-hoc meetings

Why Not Wireless
  • Speed considerations (11 Mb/s or 54 Mb/s
    theoretical throughput - actually much slower
    than this in reality)
  • Security, both real and perceived, especially
    cost of supporting infrastructure
  • Signal interference from other devices
  • Signal penetration problems through dense
  • Changing technologies and standards
  • A little bit too much fun for bored students to

Wireless Technology
  • Wireless, and especially wireless security,
    operates at many different levels in many
    different ways
  • For the purposes of our class, we will start with
    the most basic elements of wireless technology
    (hardware) and work our way up to the most
    complex (applications)
  • One of the best representations of this type of
    abstraction is the OSI model

The OSI Model
  • The OSI Model is used to describe different
    layers of networks and network services
  • Layers 1 and 2 are at the hardware level, but
    in our case there are no wires, but rather
  • Layers 3, 4 and 5 deal with association and
    TCP/IP, which may be handled by a wireless Access
    Point / router

Types of Wireless
  • Let's focus first on the lowest levels of the OSI
    model - frequencies and standards
  • Wireless has a few standards
  • Frequency Hopping Spread Spectrum (FHSS)
  • Direct Sequence Spread Spectrum (DSSS)
  • Orthogonal Frequency Division Multiplexing (OFDM)
  • FHSS is used in Proxim cards, in industrial
    applications, barcode scanners, etc.
  • DSSS is the most common type, used most in WLAN
    cards, access devices, etc.
  • OFDM is used in modern 54 Mb/s devices

Direct Sequence Spread Spectrum
  • High-speed code sequence manages frequency
  • Produces signal centered at carrier frequency

Frequency Hopping Spread Spectrum
  • Code function determines hops to manage
    frequency modulation
  • Carrier is flat across spectrum

Orthogonal Frequency Division
  • Uses multiple carrier waves on different
  • Each wave carries part of the message
  • Used for 54 Mb/s applications (802.11a/g)
  • May designate a number of encoding types

Wireless Types and Frequencies
Wireless Types and Frequencies
  • Frequencies
  • 802.11b and 802.11g are both 2.4 GHz
  • 802.11a is 5 GHz
  • Bandwidth
  • The 5 GHz space has more bandwidth (throughput
    speed capability)
  • Non-Overlapping Channels (may not match APs)
  • 802.11b/g @ 2.4 GHz has 3
  • 802.11a @ 5 GHz has 4
  • Compatibility
  • 802.11g is usually backwards compatible with
    802.11b @ 11 Mb/s only
  • 802.11a isn't compatible

Interference / Penetration / Leakage
  • Managing your signal is an important part of
    Wireless security
  • If you can control your signal, keeping it mostly
    inside, you can worry less about hackers outside
    of your building
  • At the same time, you want to make sure you can
    penetrate all important areas of your building
  • You also need to be aware of interference issues
    from phones, microwaves, cell towers, etc.
  • Use non-overlapping channels wisely
  • The best way to make these determinations is by
    doing a site survey

Performing a Site Survey
  • The Site Survey Toolkit
  • One or more access points
  • Various antennas and cables
  • Various WLAN NIC cards
  • Distance Roller thingy
  • Tape, ZIP ties, etc.
  • One or more people
  • May need walkie-talkies
  • Keep people away from the equipment

Performing a Site Survey
  • Attempt to find the best configuration of WLAN
    equipment by setting it up and measuring signal
  • Use a blueprint or floor layout map of the target
  • Use the roller to determine distance
  • Measure signal characteristics at various
    locations to develop a signal coverage map
  • Should use the exact hardware that will be
  • Looks at signal strength, signal to noise ratios,
    and access ranges at specific speeds
  • Consider potential usage - 5 users @ 54 Mb/s or 20
    users @ 11 Mb/s? (lock wireless cards at that
    speed, and map with this in mind)

Use Built In Tools w/ Laptop
  • Analyze signal strength and signal to noise ratio
    using a client utility (passive mode)
  • Lock your card at a specific speed and just walk
    away until it stops working
  • Use the client utility to generate a large number
    of packets and see how many arrive correctly
    (active mode)

Create a Layout
Install AP and Measure Speed
  • For example, place it more or less in the middle
    of the Gym - in this case there is a signal
    problem in the Library

Multiple AP Placement
Signal Leakage Risk!
Directional Antennas
  • A directional antenna may help direct signal
    stop leaks

Wireless Components
  • The most common type of Wireless Local Area
    Network (WLAN) infrastructure typically involves
    two components
  • An Access Point, which works as a kind of smart
    hub to allow communication
  • A Client, which is typically a laptop, desktop or
    PDA with a wireless NIC
  • Within this paradigm are any number of different
    products, technologies or variations
  • The base standard for wireless LAN is 802.11, as
    determined by the IEEE
  • http://grouper.ieee.org/groups/802/11/index.html

Ad-Hoc Mode
  • In Ad-Hoc mode, all devices can talk to each
    other directly (if they are in range and on the
    same frequency)
  • Relatively uncommon, used in WAN configurations,
    LAN Games, impromptu meetings, etc.
  • Referred to as an Independent Basic Service Set

Ad-Hoc Mode Definition
  • http://www.webopedia.com/TERM/A/ad_hoc_mode.html
  • An 802.11 networking framework in which devices
    or stations communicate directly with each other,
    without the use of an access point (AP). Ad-hoc
    mode is also referred to as peer-to-peer mode or
    an Independent Basic Service Set (IBSS). Ad-hoc
    mode is useful for establishing a network where
    wireless infrastructure does not exist or where
    services are not required.

Infrastructure Mode
  • The most common type of WLAN is the
    infrastructure Mode - used most places
  • All devices talk to the access point
  • Referred to as a Basic Service Set (BSS).

Infrastructure Mode Definition
  • http://www.webopedia.com/TERM/I/infrastructure_mod
  • An 802.11 networking framework in which devices
    communicate with each other by first going
    through an Access Point (AP). In infrastructure
    mode, wireless devices can communicate with each
    other or can communicate with a wired network.
    When one AP is connected to wired network and a
    set of wireless stations it is referred to as a
    Basic Service Set (BSS). An Extended Service Set
    (ESS) is a set of two or more BSSs that form a
    single subnetwork. Most corporate wireless LANs
    operate in infrastructure mode because they
    require access to the wired LAN in order to use
    services such as file servers or printers.

Advanced Infrastructure Mode
  • There may be multiple access points in an
  • This raises a number of issues, including mobile
  • Comprised of multiple BSS to create an Extended
    Service Set (ESS)

Extended Service Set
  • Uses a 32-char ID to represent the ESS, known as
    an ESSID (or SSID) such as USR8054
  • This essentially represents the network and is
    something all users must have configured in some

SSID Example
  • For example, this is how it looks on a USR8054
  • Note the ability to turn off the broadcast of the

  • One popular hobby for geeks is to war drive for
    wireless networks
  • Using special software such as Net Stumbler,
    drive or walk around looking for access points,
    frequently chalking them and/or recording the
    location with a GPS (then uploading coordinates
    to the Internet)
  • http://www.netstumbler.com
  • Passive scanners will just passively listen for
    SSID broadcasts
  • Active scanners will probe for them
  • Scanners will usually tell you if advanced
    security (encryption) is configured
  • Some will even tell you about connected clients

Warchalking Examples
Wardriving Resources
  • http://Michiganwireless.org
  • http://Netstumbler.com
  • http://www.wardriving.com
  • http://www.wigle.net/ (locations)
  • http://packetstormsecurity.org/wireless
  • type "war drive" into Google :)

Activity 1 War Driving
  • Install a Lucent Wavelan / Orinoco card in your
  • Install Net Stumbler from your CD-ROM
  • Run the application, observe the local network
  • Survey the facilities (?) and win a prize?

Activity 2 Protocol Analyzer
  • Install WinPCap
  • Reboot
  • Install Ethereal on your laptop
  • Associate with the access point (it may complain
    about it being insecure, that is OK)
  • Run Ethereal

Basic Wireless Security Features
  • There are a number of basic wireless security
    features and protocols
  • Utilize static IP addresses
  • SSID Security (not broadcasting SSID)
  • MAC Address Filtering
  • WEP Encryption
  • Signal control and speed locking
  • 802.1X Authentication / Encryption
  • WPA Authentication / Encryption
  • External security (VPN, VLAN, or other things
    not part of wireless per se

Utilize Static IP
  • Although it won't stop a hacker with a protocol
    analyzer, using static IP address assignment
    instead of DHCP will help
  • This will stop the casual and/or stupid hackers
    from automatically getting an IP address and
    being allowed to surf
  • It creates a management burden, as each laptop
    must be uniquely identified ahead of time
  • It also creates an opportunity, as you can figure
    out what a user is doing on the network very

SSID Broadcasting
  • For an extremely minimal amount of security, you
    can turn off SSID broadcasting
  • This means that someone must somehow know or
    discover the SSID in order to use the access
  • May be able to identify the SSID through
    analyzing network traffic from another user (via
    AP association frames)
  • Active scanners may find this through a brute
    force SSID scan (rare)
  • Windows may remember the AP/SSID

Turning Off SSID Broadcasting
Activity 3 SSID Broadcast
  • Now that I have turned off SSID Broadcast,
    disassociate with the AP
  • Stop and restart Net Stumbler
  • Is the access point still visible?
  • Can you connect to it anyway through Windows by
    manually typing in the SSID?
  • The SSID is USR8054

MAC Address Filtering
  • Each network device has a unique hardware
    identifier built into it, called a MAC address
  • In Windows, use ipconfig /all to view the
    current MAC address of your devices
  • This can be used for security purposes

MAC Address Filtering
Problems with MAC Filtering
  • Although MAC addresses are hard-coded, they can
    be changed in some hardware via software
  • Thus, a hacker would only have to sniff enough
    traffic to learn some allowed MAC addresses,
    and then impersonate that MAC address
  • Also, MAC address filtering can be very painful
    to manage in the long haul
  • How do you keep track of all the addresses?
  • What about traveling users and visitors?
  • What is the maximum number of MAC addresses your
    access point will allow you to type in?

Activity 4 MAC Filtering
  • I will now configure the AP to only allow my own
  • Try not to lock yourself out of your AP :)

WEP Encryption
  • To get around the various wireless security
    problems, an early solution was WEP
  • This allows you to configure a 40bit, 64bit or
    128bit key to encrypt traffic
  • A WEP key is essentially a password
  • Normally, the same WEP keys are manually
    programmed into the client and access point
  • If the WEP keys match, the devices can
  • WEP encryption is better than nothing but it
    still has its problems

WEP Encryption Problems
  • First of all, the WEP key must be stored on the
    client computer (or typed in each time)
  • Thus, the security of the client workstation(s)
    is very important
  • It might be possible to steal the WEP key from
    the registry or some configuration file
  • Also, WEP adds a little bit of processing
    overhead (3 in hardware?)
  • Most importantly, the WEP implementation is
    flawed and WEP encryption can be cracked!

Cracking WEP
  • Software such as AirSnort (http://airsnort.shmoo.com/)
    allows you to monitor encrypted wireless
    activity and eventually get enough information to
    crack a WEP key
  • The problem is due to a flawed implementation of
    the RC4 cipher in WEP
  • Specifically, while almost everything in the
    packet is encrypted, a plain-text Initialization
    Vector is used to keep the encryption in sync
  • Some IV values cause the cipher to leak
    information about the key
  • Given enough packets, 5-10 million, AirSnort can
    crack the WEP key

Activity 5 Configuring WEP
  • First, we need to configure it on the access
  • Note that the key size may be 40 or 128 bit
  • Also note that keys may be in ASCII or HEX format

Activity 5 Configuring WEP
  • Now configure the client software (WEP Key is
  • Attempt to access something - did it work?

Activity 5 Configuring WEP
  • Now try some of our old tools
  • Disassociate with the access point (or type in
    the wrong WEP key)
  • Now try Net Stumbler - do you see the padlock icon?
    That means WEP is enabled
  • Half the class run Ethereal without the WEP key,
    the other half with it
  • What are the results?? (your mileage may vary
    depending upon card, etc.)

Advanced Wireless Security
  • After all of the problems with WEP, alternate
    security systems needed to be devised
  • One is 802.1X, which provides
  • Use of encryption certificates
  • Provides port-based controls
  • Uses the Extensible Authentication Protocol
    (EAP). Can use different protocols within EAP.
  • Mutual authentication
  • Automated encryption key management and rotation
  • Authentication (username and password) to a
    back-end RADIUS server

  • Requires an 802.1X compliant access point (old
    ones are not!) or high-end Ethernet switches
  • Requires compatible clients and RADIUS servers
    (for authentication purposes)
  • The Supplicant is the client - Windows XP SP1 has
    this built in, other Windows clients require a
    commercial product
  • Macintosh 10.3 (?) has 802.1X supplicant
    software built in, some Linux / UNIX support
  • The AP is the authenticator, and the RADIUS
    server is the authentication source
  • Slides from http://www.blackhat.com/presentations

802.1X Before Authentication
802.1X After Authentication
RADIUS Authentication
  • Authentication systems for wireless typically
    use encryption-aware RADIUS servers
  • Examples include Microsoft IAS, Cisco Secure ACS,
    and Funk Software products
  • RADIUS servers without encryption are very common
    (Border Manager Authentication Services, etc.) but
    won't work
  • RADIUS is also used in a number of other
    applications such as VPN authentication, etc.

RADIUS Servers in the Network
  • Client talks to AP, AP talks to RADIUS server,
    which may talk to another authentication server
  • The RADIUS server may have its own user database
  • Client and RADIUS must talk same EAP protocol

RADIUS Server Types
  • The majority of RADIUS servers authenticate to a
    local or network authentication database
  • Some RADIUS servers have advanced security
    features such as two-factor authentication (like
    RSA's SecurID)
  • This requires two of three factors
  • Something you have
  • Something you know
  • Something you are
  • For example, a thumbprint reader, or a SecurID
    token that changes codes, etc.
  • Although expensive, this provides a high level of
    security, as you would have to steal something

802.1X on the USR 8054
802.1X EAP Types
  • There are a number of EAP authentication types
    that 802.1X can use
  • They all have different advantages and

  • Lightweight EAP
  • LEAP is a Cisco-Specific protocol
  • It's fairly easy to use because it does not
    require certificates (this can be a big issue)
  • It has one disadvantage - people can attempt to
    brute force your network passwords by guessing
    each one
  • If you are in an all-Cisco environment, it may be
    better than WEP, but it's no longer the ideal

  • EAP with Transport Layer Security
  • Requires the use of certificates to prove
    identities (both the access point and the client)
  • A certificate is a bit of text that includes
    identity and encryption key information
  • These must be generated and distributed to all
  • This requires touching every workstation,
    something that may not be practical
  • Windows 2k/XP/2003 environments have these
    services and can be integrated (maybe not easily)
  • Use MMC -> Certificates in Windows to view yours

Obtaining Certificates for EAP
  • Certificates may be automatically generated
    (i.e., a machine certificate when a machine joins
    a domain)
  • Certificates can also be manually generated, for
    example by requesting one from a Windows server
    running IIS and Certificate Services
  • http://www.win2kserver.com/certsrv
  • For an example of how this would work with the
    Cisco Secure ACS server, check out
  • http://www.cisco.com/en/US/products/sw/secursw/ps2
  • Also can use openssl to create certificates under
    Linux / UNIX operating systems

  • EAP Tunneled TLS and Protected EAP
  • Similar to EAP-TLS, but instead of relying
    entirely on certificates, can use usernames and
    passwords via MS-CHAP
  • This allows you to authenticate the USER instead
    of the client machine
  • However, you still verify the identity of the
    authentication server by its certificate (which
    stops man-in-the-middle attacks)

Man In The Middle Attacks
  • Use a program like AirSnarf to masquerade as a
    legitimate access point (http://airsnarf.shmoo.com)
  • As an intermediary, view all network traffic
    w/out encryption, including passwords

  • Wifi Protected Access (WPA) is the emerging
    standard for security
  • Includes TKIP and 802.1X features
  • Soon to be replaced by the 802.11i standard
  • Allows for a simple version of encryption -
  • Pre-shared keys are similar to WEP keys, but
    rotation of the keys will take place, minimizing
    the risk of cracking

Temporal Encryption Keys
  • TKIP is a system that is used to change the
    encryption in use on the WLAN
  • Essentially changes the WEP key so frequently
    that sniffing the network and cracking the
    password is not feasible
  • This will defeat AirSnort type attacks against
    the IV
  • Not all access points support TKIP

Configure Logging
  • In addition to actually performing all of these
    security functions, make sure that there is also
    a log of everything that happens
  • Many Access Points and RADIUS servers can send
    log data to a syslog server
  • Consider consolidating logs from many APs on to a
    single log server (such as the Kiwi Syslog
  • http://www.kiwisyslog.com/
  • Use log analysis and customized alerting to tell
    you of interesting events (such as failed
    administrator logon attempts)
  • You could even get real-time pages of hacks!
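
Added example (not part of the slides): Python that parses a few constructed syslog lines consolidated from two APs and a RADIUS server onto one log host, and raises the kind of alert mentioned above for repeated failed administrator logons, while also counting RADIUS rejects per client. The host names and message wording are invented for this example, not any vendor's real log format.

```python
"""Alerting over consolidated AP/RADIUS syslog. The log lines below are
constructed; the message wording is invented, not any vendor's real format."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: two APs and one RADIUS server forwarding to one syslog host.
SAMPLE_LOG = """\
Mar 10 09:01:02 ap-gym httpd: login failed for user admin from 192.168.10.77
Mar 10 09:01:05 ap-gym httpd: login failed for user admin from 192.168.10.77
Mar 10 09:01:09 ap-gym httpd: login failed for user admin from 192.168.10.77
Mar 10 09:02:10 ap-library httpd: login ok for user admin from 192.168.10.5
Mar 10 09:03:00 radius1 radiusd: Access-Reject user=bob mac=00:02:2d:11:22:33 ap=ap-library
Mar 10 09:03:04 radius1 radiusd: Access-Reject user=bob mac=00:02:2d:11:22:33 ap=ap-library
Mar 10 09:10:00 ap-gym httpd: login failed for user admin from 192.168.10.9
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
ADMIN_FAIL = re.compile(r"login failed for user (?P<user>\S+) from (?P<src>\S+)")
RADIUS_REJECT = re.compile(r"Access-Reject user=(?P<user>\S+) mac=(?P<mac>\S+) ap=(?P<ap>\S+)")


def parse(line, year=2004):
    """Split a BSD-style syslog line into (timestamp, host, message); None if malformed."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["msg"]


def analyze(text, threshold=3, window_s=60):
    """Return (alerts, reject_counts).

    alerts: one line per (AP, source IP) that reached `threshold` failed
    administrator logons inside a sliding window of `window_s` seconds.
    reject_counts: RADIUS Access-Rejects per (username, client MAC).
    """
    alerts = []
    recent = defaultdict(deque)   # (host, src) -> timestamps of recent failures
    rejects = defaultdict(int)
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, host, msg = rec
        if (fail := ADMIN_FAIL.search(msg)):
            q = recent[(host, fail["src"])]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()               # expire entries outside the window
            if len(q) >= threshold:
                alerts.append(f"{host}: {len(q)} failed admin logons from "
                              f"{fail['src']} within {window_s}s")
                q.clear()                 # one alert per burst, not per line
        elif (rej := RADIUS_REJECT.search(msg)):
            rejects[(rej["user"], rej["mac"])] += 1
    return alerts, dict(rejects)
```

Running `analyze(SAMPLE_LOG)` flags the burst of three failures against ap-gym from one address and leaves the single later failure below the threshold.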

Wireless Network Designs
  • Where you put your access point(s) in the network
    has a huge impact on security
  • In terms of network design, consider the
    wireless net as hostile as the Internet
  • The least secure place to connect an access point
    is to your Internal network
  • If possible, put on a dedicated network, and
    force access through a firewall or VPN appliance

Access Points on a DMZ
  • Here you control and log Wireless traffic with a
  • It may be possible to limit access to deny all by
    default, but allow access to specific servers
    and the Internet

Wireless Networks
  • The wireless network, be it behind a firewall or
    not, may actually be one large Virtual LAN (VLAN)
  • Thus, you could have wireless access points all
    over the building or organization, but on the
    same VLAN
  • This allows for roaming
  • It also allows for centralization of all access
    points to a single firewall device
  • Also allows for a single place to monitor all
    traffic with a protocol analyzer or IDS

Use an Intrusion Detection System
  • An Intrusion Detection System (IDS) might alert
    you to the presence of attacks
  • This is another advantage of using a Wireless
    VLAN (only one IDS port required)
  • There are also IDS systems specifically for
  • Can use honey pots to emulate vulnerable hosts
    (and tell you about it)
  • Can also use software designed to confuse war
    drivers by sending hundreds or thousands of bogus
    SSIDs, à la FakeAP
  • http://www.blackalchemy.to/project/fakeap/

Using a VPN Concentrator
  • If you are using a VPN concentrator, you may be
    able to use totally insecure wireless and force
    security through existing or new VPN services

Policies and Procedures
  • Due to the difficulty of controlling wireless, it
    would be wise to establish some policies and
    procedures to regulate their usage
  • Installation should only be performed by the I.T.
    department (no individuals or departments should
    ever install them)
  • Try to hook into the purchasing process such that
    wireless purchase orders require authorization
    from I.T.
  • Verify compliance by wardriving your own
    organization regularly

Policies and Procedures
  • Create minimum mandatory standards for all access
    points (WEP, etc.)
  • Require the use of authentication, and use
    controlled authentication databases
  • Require that people not share encryption keys,
    passwords, etc.
  • Require that APs be turned off when not in use
    (especially after-hours)
  • Lock down clients that have certificates and keys
    programmed in to them

  • This presentation to be available at
  • http://lachniet.com/powerpoint
  • Mark Lachniet, CISSP, CISA, MCSE, MCNE, CCSE,
  • Technical Director, Security Group, Analysts
    International, (517) 336-1004 (voice), (517)
    336-1100 (fax), mailto:mlachniet@analysts.com