Manage & Secure Your Wireless Connections
Ernest Staats
Director of Technology and Network Services at GCA
MS Information Assurance, CISSP, CWNA, CEH, MCSE, CNA,
Security+, I-Net+, Network+, Server+, A+
erstaats@gmail.com
Resources available @
Why Manage?
Bandwidth (when downloading or using VoIP)
Co-channel interference (phones, microwaves, rogue APs)
Old Firmware (check for updates every quarter)
Management and control frames can’t be encrypted,
nor can header values like ESSID and MAC address
Stumblers <CommView> and WEP/PSK crackers
Mobile devices
DoS attacks (point-and-click raw packet injection tools)
Forged messages
Demand for more wireless access
802.11n issues
Wireless Vulnerabilities
Overlooked: Site Survey
What types of interference are you going to contend with?
What distances do you need to broadcast?
What types of data are you going to support over WIFI? (data/voice) network access
Set up worst-case scenario for testing
Know your signal-to-noise ratio
You should expect an interview before any testing is done (how many users, roaming, location of wiring closets)
Adapted from: Certified Wireless Network Administrator certification Course available at:
Changing Default Settings
Change the default logon password and make it long!
All defaults are known and published on the Net
http://www.phenoelit.de/dpl/dpl.html
updated often
AP Management Interface
HTTP, SNMP, Telnet
HTTP login
Linksys: UID=blank PW=admin
SNMP (disable SNMP or use a management VLAN that is secure)
All: PW=public
Change default open systems to WPA2: use a long
passphrase
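An added example, not part of the original presentation: a small audit of AP configuration records against the checks on this slide. The record fields and the sample inventory are constructed, and the 15-character minimum is borrowed from the Wireless Gold Standard slide.

```python
# Added example: audit AP config records against the "Changing Default Settings" slide.
# Field names and the sample inventory are constructed for illustration.
KNOWN_DEFAULT_LOGINS = {("", "admin")}      # Linksys HTTP login named on the slide
DEFAULT_SNMP_COMMUNITIES = {"public"}       # SNMP default named on the slide
MIN_PASSPHRASE_LEN = 15                     # figure from the Wireless Gold Standard slide


def audit_ap(ap):
    """Return a list of findings for one AP config record (a dict)."""
    findings = []
    if (ap["admin_user"], ap["admin_password"]) in KNOWN_DEFAULT_LOGINS:
        findings.append("default management login still set")
    if "telnet" in ap["mgmt_protocols"]:
        findings.append("Telnet management enabled (cleartext)")
    if "http" in ap["mgmt_protocols"]:
        findings.append("HTTP management enabled (cleartext)")
    if "snmp" in ap["mgmt_protocols"]:
        if ap.get("snmp_community") in DEFAULT_SNMP_COMMUNITIES:
            findings.append("SNMP community is the default 'public'")
        if not ap.get("mgmt_vlan"):
            findings.append("SNMP enabled without a management VLAN")
    if ap["security"] != "WPA2":
        findings.append(f"security mode is {ap['security']}, not WPA2")
    elif len(ap.get("passphrase", "")) < MIN_PASSPHRASE_LEN:
        findings.append("WPA2 passphrase shorter than 15 characters")
    return findings


def audit_inventory(inventory):
    """Map AP name -> findings, listing only APs that have findings."""
    return {ap["name"]: f for ap in inventory if (f := audit_ap(ap))}


# Constructed sample inventory: one factory-default AP, one hardened AP.
SAMPLE_INVENTORY = [
    {"name": "lobby-ap", "admin_user": "", "admin_password": "admin",
     "mgmt_protocols": ["http", "telnet", "snmp"], "snmp_community": "public",
     "mgmt_vlan": None, "security": "open"},
    {"name": "office-ap", "admin_user": "netadmin",
     "admin_password": "constructed-long-admin-password",
     "mgmt_protocols": ["https"], "security": "WPA2",
     "passphrase": "constructed long example passphrase"},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name, findings)
```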
Cell Sizing
How far is your WIFI signal going? (that is called your cell size)
Can’t cover whole building?
Better antenna
MIMO
802.11n
Power setting
The cell size is usually adjusted by the power setting
Go outside and see how far your wireless signal is reaching (you will be surprised)
ESSID Naming
Identifies network
Helps others identify whether or not you have left default settings on
Broadcast on by default
Once again with the default settings, your wireless device broadcasts its name, saying, “My name is … connect to me”
Turning off SSID broadcasting is called “cloaking”; can cause issues in enterprise systems
Avoid naming your SSID a private or personal code (It’s not a password!!! Even cloaked ESSIDs are easily discovered)
MAC Filtering
A MAC address is the hardware number that is network card specific (literally burned into the network card when it is made)
Does not scale to large networks
Relatively easy to defeat
Good option for home users
Authentication with 802.1x
Authenticates users before granting access to L2 media
Makes use of EAP (Extensible Authentication Protocol)
PEAP, EAP-TLS, EAP-TTLS, etc.
802.1x authentication happens at L2 – users will be authenticated before an IP address is assigned
Encrypt the Data
WEP
Simple & easy to crack
No key management
It is worse than no encryption
TKIP (Temporal Key Integrity Protocol)
WPA/WPA2
Works on legacy hardware
Has been cracked
AES used in WPA 2
Considered the best option
FIPS 140-2 approved (Federal Information Processing Standard)
Use with 802.1x
Encryption
WEP – First Wireless Security
Cracked -- Any middle-schooler can crack your WEP
key in short order
WPA
Cracked… but
Key changes
WPA2
Cracked… but
Harder to crack than WPA; don’t use PSK
802.1x
Uses server to authorize user
Can be very secure
802.11i
AES encryption – “uncrackable”
Authorize Data
Most organizations do a decent job of
authentication (who the user is), but a poor job of
authorization (what the user is allowed to do);
NAC’s/NAP’s and 802.11i help this issue
Mobile networks are typically multi-use
Authentication provides you with user identity –
now use it! Identity-aware firewall policies can
restrict what a user can do, based on that user’s
needs
Home Wireless Overlooked
Change default settings -- SSID and passwords
Use WPA (or better, WPA2); use long PSK
Use a MAC filter
Turn off SSID broadcasting
Know how far your wireless signal is reaching
Turn off wireless when not being used, & turn off DHCP or limit DHCP
Disable remote administration
Update Firmware on AP and wireless cards semi-annually
Secure your home machines
Current AV
Firewall
(if the wireless router has a firewall option, turn it on)
Spyware protection
Auto update Windows
Use VPN
Common sense (check the “Secure Your Laptop Section”)
Secure Your Laptop
Turn your firewall on: Start > Settings > Network Connections > Wireless Network Connection > Change Advanced Settings > Advanced Tab > Windows Firewall Settings > Select “On” > OK
BETTER YET use another firewall (e.g. Kerio, Jetico, or Zone Alarm)
Turn ad-hoc mode off: Start > Settings > Network Connections > Wireless Network Connection > Change Advanced Settings > Wireless Networks Tab > Select Network > Properties > Uncheck “This is a computer-to-computer (ad-hoc) network” > OK
Disable file sharing: Start > Settings > Network Connections > Wireless Network Connection > Change Advanced Settings > Uncheck “File and Printer Sharing” > OK
Change Administrator password: Click Start > Control Panel > User Accounts. Ensure the Guest account is disabled. Click your administrator user account and reset the password
VPN Solutions
Hotspot Shield, a free software download. Install it on a Windows PC
Paid VPN Solutions
personalVPN,
VPN connections require installation of a utility on the computer
Teach Hotspot Security
Use a personal firewall
Use anti-virus software (update daily or hourly)
Update your operating system and other applications (e.g. Office, Adobe Reader) regularly
Turn off file sharing
Use Web-based e-mail that employs secure http (https)
Use a virtual private network (VPN)
Password-protect your computer and important files (make sure your administrator account has a good long password)
Encrypt files before transferring or e-mailing them
Make sure you're connected to a legitimate access point
Be aware of people around you
Properly log out of web sites by clicking log out instead of just closing your browser or typing in a new Internet address
Use a more secure browser (Chrome in private mode)
TIPS for WIFI at Work
Use a wireless system that has a centrally managed controller and reporting system
Name all your APs with the same name, so that if a user's signal gets blocked and they then get a stronger signal from another work AP, they do not have to re-authenticate to the work wireless network
Make sure all your APs are on the same subnet if you are doing AD authentication
Make sure the work network is the only one listed on the preferred networks
Use a wireless firewall (Motorola)
Know your air space issues (AirMagnet)
I prefer the single channel solution
TIPS for WIFI at Work (cont.)
Make sure laptops are set to infrastructure mode
Make sure the “Automatically connect to non-preferred networks” is unchecked
Use 802.1x (or better, 802.11i)
Use a WIPS (Wireless Intrusion Prevention System); look at log files
Use NAC
Have WIFI policies
Disable WIFI card if plugged into network
Have users take home a secure AP that will tunnel back into the corporate network (Aruba, Motorola)
A Layered Approach
Key Security Principles
Principle of Least Privilege
Authentication, identity-based security, firewalls
Defense in depth
Authentication, encryption, intrusion protection,
client integrity
Prevention is ideal; detection is a must
Intrusion detection systems, log files, audit trails,
alarms, and alerts
“Know your enemies & know yourself” (Sun Tzu)
Integrated centralized management
Wireless Gold Standard
Centralized wireless
Have and update WIFI policies
Keep clients updated – drivers too!
Guest access on separate VLAN / Network
Wireless intrusion detection
Locate and protect against rogue APs
WPA-2
Device authentication using 802.1x and PEAP
User authentication using 802.1x and PEAP
AES for link-layer encryption
Long (not strong) passwords (15 character)
Token-card products
Protect wireless users from other wireless users
Protect sections of the network from unauthorized access
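An added example, not part of the original presentation: the kind of comparison a wireless intrusion detection system makes when it locates rogue APs, checking scan results against the list of authorized APs. The SSID, BSSIDs, signal threshold and scan data are all constructed assumptions.

```python
# Added example: classify a wireless scan against the authorized-AP inventory.
# Every SSID, BSSID and signal value here is constructed for illustration.
WORK_SSID = "ExampleCorp"  # hypothetical work network name
AUTHORIZED = {  # BSSID -> (expected SSID, expected security)
    "00:11:22:33:44:01": (WORK_SSID, "WPA2-AES"),
    "00:11:22:33:44:02": (WORK_SSID, "WPA2-AES"),
}
ON_PREMISES_DBM = -65  # assumed: stronger than this means inside our cell


def classify(obs):
    """Label one observed AP; None means it matches the inventory."""
    expected = AUTHORIZED.get(obs["bssid"].lower())
    if expected is not None:
        # A matching BSSID is not proof of identity (MAC addresses can be
        # forged), but a wrong SSID or security mode on it is worth an alert.
        if (obs["ssid"], obs["security"]) != expected:
            return "authorized-ap-misconfigured"
        return None
    if obs["ssid"] == WORK_SSID:
        return "unauthorized-ap-using-work-ssid"
    if obs["signal_dbm"] >= ON_PREMISES_DBM:
        return "possible-rogue-ap-on-premises"
    return "neighbor"


def rogue_report(scan):
    """Return {bssid: label} for every observation that needs follow-up."""
    report = {}
    for obs in scan:
        label = classify(obs)
        if label not in (None, "neighbor"):
            report[obs["bssid"].lower()] = label
    return report


SAMPLE_SCAN = [  # constructed scan results
    {"bssid": "00:11:22:33:44:01", "ssid": WORK_SSID, "security": "WPA2-AES", "signal_dbm": -52},
    {"bssid": "00:11:22:33:44:02", "ssid": WORK_SSID, "security": "WEP", "signal_dbm": -60},
    {"bssid": "02:AA:BB:CC:DD:10", "ssid": WORK_SSID, "security": "open", "signal_dbm": -50},
    {"bssid": "02:AA:BB:CC:DD:11", "ssid": "linksys", "security": "open", "signal_dbm": -48},
    {"bssid": "02:AA:BB:CC:DD:12", "ssid": "CoffeeShop", "security": "WPA2-AES", "signal_dbm": -88},
]

if __name__ == "__main__":
    for bssid, label in rogue_report(SAMPLE_SCAN).items():
        print(bssid, label)
```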
Must Have a WIFI Policy
At a minimum, the policy should involve continuous review
of potential threats and vulnerabilities and should deal
with the following:
Overall policy
Access control
<this includes non-enterprise devices>
Usage management and monitoring
Security monitoring
<this includes non-enterprise devices>
Network security
<this includes non-enterprise devices>
Virus protection
<this includes non-enterprise devices>
Encryption
<this includes non-enterprise devices>
Pertinent laws
<this includes non-enterprise devices>
Incident response
<this includes non-enterprise devices>
Enforcement
<this includes non-enterprise devices>
Captive Portals for Guests
Browser-based authentication
SSL encrypted
Use for guest access only
Put on separate VLAN or network
Controller Dashboard
802.11n Issues
Frame aggregation
Block Acknowledgment
40 MHz channel bonding
Spoofed duration fields
Only channels 3 and 9 do not overlap with 40 MHz channels on the 2.4 range
AP placement is 180° different
What About “NAC”?
Identity-based policy control
Assess user role, device, location, time, application
Policies follow users throughout network
Health-based assessment
Client health validation
Remediation
Ongoing compliance
Network-based protection
Stateful firewalls to enforce policies and quarantine
User/device blacklisting based on policy validation
We use Bradford for our NAC at GCA; excellent pricing for Edu’s
Shameless Plug
Presentations on my site located at
Come join my afternoon lecture @ 1:30pm
Session 3: Intrusion Prevention from the Inside Out
To learn more about GCA (Georgia Cumberland Academy)
Resources: Software
Air Magnet
http://www.airmagnet.com/products/demo-download.php
Net Stumbler –Free
http://www.netstumbler.com/downloads/
Mini Stumbler –Free
http://www.netstumbler.com/downloads/
Aircrack-2.1 802.11 sniffer and WEP key cracker for Windows and Linux. -Free
Resources: Links
CWNP Learning Center has over 1000 free white papers, case studies:
http://www.cwnp.com/learning_center/index.html
free electronic site survey forms (excellent):
http://www.cwnp.com/mlist/subscribe.php
GUIDE TO MASTERING NEGOTIATIONS:
http://common.ziffdavisinternet.com/download/0/2537/whiteboardtoview.pdf