Manage & Secure
Your Wireless
Connections

Ernest Staats
Director of Technology and Network Services at GCA

MS Information Assurance, CISSP, CWNA, CEH, MCSE, CNA,
Security+, I-Net+, Network+, Server+, A+

erstaats@gmail.com
Resources available @

http://es-es.net

Why Manage?



Bandwidth (when downloading or using VoIP)



Co-channel interference (phones, microwaves, rogue
AP’s)



Old Firmware (check for updates every quarter)



Management and control frames can’t be encrypted,

nor can header values like ESSID and MAC address



Stumblers <CommView> and WEP/PSK crackers



Mobile devices



DoS attacks (point-and-click raw packet injection tools)



Forged messages



Demand for more wireless access



BackTrack (

www.remote-exploit.org

)



802.11n issues

Wireless Vulnerabilities

Wireless Vulnerabilities

Overlooked: Site Survey



What types of interference are you going
to contend with?



What distances do you need to

broadcast?



What types of data are you going to

support over WIFI?

(data/voice) network access



Set up worst-case scenario for testing



Know your signal-to-noise ratio



You should expect an interview before
any testing is done

(how many users, roaming,

location of wiring closets)

Adapted from: Certified Wireless Network Administrator certification Course available at::

http://www.cwnp.com/

Changing Default Settings



Change the default logon password and make it long!



All defaults are known and published on the Net



http://www.phenoelit.de/dpl/dpl.html

updated often



AP Management Interface



HTTP, SNMP, Telnet



HTTP login



Linksys: UID=blank PW=admin



SNMP (disable SNMP or use a management VLAN that is
secure)



All: PW=public



Change default open systems to WPA2: use a long
passphrase

Cell Sizing



How far is your WIFI signal going? (that is called your cell

size)



Can’t cover whole building?



Better antenna



MIMO



802.11n



Power setting



The cell size is usually adjusted by the power setting



Go outside and see how far your wireless signal is

reaching (you will be surprised)

ESSID Naming



Identifies network



Helps others identify whether or not you have left default

settings on



Broadcast on by default



Once again with the default settings, your wireless device
broadcasts its name, saying, “My name is … connect to me”



Turning off SSID broadcasting is called “cloaking”; can cause
issues in enterprise systems



Avoid naming your SSID a private or personal code (It’s
not a password!!! Even cloaked ESSID’s are easily
discovered )

MAC Filtering



A MAC address is the

hardware number that

is network card specific

(literally burned into the

network card when it is

made)



Does not scale to large
networks



Relatively easy to
defeat



Good option for home
users

Authentication with 802.1x



Authenticates users before
granting access to L2 media



Makes use of EAP (Extensible
Authentication Protocol)



PEAP, EAP-TLS, EAP-TTLS,
etc.



802.1x authentication
happens at L2 – users will be
authenticated before an IP
address is assigned

Encrypt the Data



WEP



Simple & easy to crack



No key management



It is worse than no encryption



TKIP (Temporal Key Integrity Protocol)
WPA/WPA2



Works on legacy hardware



Has been cracked



AES used in WPA 2



Considered the best option



FIPS 140-2 approved (Federal Information
Processing Standard)



Use with 802.1x

Encryption



WEP – First Wireless Security



Cracked -- Any middle-schooler can crack your WEP
key in short order



WPA



Cracked… but



Key changes



WPA2



Cracked… but



Harder to crack than WPA; don’t use PSK



802.1x



Uses server to authorize user



Can be very secure



802.11i



AES encryption – “uncrackable”

Authorize Data



Most organizations do a decent job of
authentication (who the user is), but a poor job of
authorization (what the user is allowed to do);
NAC’s/NAP’s and 802.11i help this issue



Mobile networks are typically multi-use



Authentication provides you with user identity –
now use it! Identity-aware firewall policies can
restrict what a user can do, based on that user’s
needs

Home Wireless Overlooked



Change default settings -- SSID and passwords



Use WPA (or better, WPA2); use long PSK



Use a MAC filter



Turn off SSID broadcasting



Know how far your wireless signal is reaching



Turn off wireless when not being used, & turn off DHCP
or limit DHCP



Disable remote administration



Update Firmware on AP and wireless cards semi-
annually



Secure your home machines



Current AV



Firewall

(if the wireless router has a firewall option, turn it on)



Spyware protection



Auto update Windows



Use VPN



Common sense (check the “

Secure Your Laptop Section

”)

Secure Your Laptop



Turn your firewall on:

Start > Settings > Network Connections >

Wireless Network Connection > Change Advanced Settings >
Advanced Tab > Windows Firewall Settings > Select “On” > OK



BETTER YET

use another firewall (i.e. Kerio, Jetico, or Zone

Alarm)



Turn ad-hoc mode off:

Start > Settings > Network Connections >

Wireless Network Connection > Change Advanced Settings >
Wireless Networks Tab > Select Network > Properties > Uncheck
“This is a computer-to-computer (ad-hoc) network” > OK



Disable file sharing:

Start > Settings > Network Connections >

Wireless Network Connection > Change Advanced Settings >
Uncheck “File and Printer Sharing” > OK



Change Administrator password :

Click Start > Control Panel >

User Accounts. Ensure the Guest account is disabled. Click your
administrator user account and reset the password

VPN Solutions



AnchorFree's

Hotspot Shield, a free software

download. Install it on a Windows PC

Paid VPN Solutions



WiTopia's

personalVPN,



HotspotVPN

(SSL)



VPN connections require installation of a utility
on the computer

Teach Hotspot Security



Use a personal firewall



Use anti-virus software (update daily or hourly)



Update your operating system and other applications

(i.e. Office, Adobe Reader) regularly



Turn off file sharing



Use Web-based e-mail that employs secure http (https)



Use a virtual private network (VPN)



Password-protect your computer and important files

(make sure your administrator account has a good long

password)



Encrypt files before transferring or e-mailing them



Make sure you're connected to a legitimate access point



Be aware of people around you



Properly log out of web sites by clicking log out instead

of just closing your browser or typing in a new Internet

address



Use a more secure browser Chrome in private mode

TIPS for WIFI at Work



Use a wireless system that has a centrally managed
controller and reporting system



Name all your AP's with the same name so if the signal
gets blocked and they then get a stronger signal from
another work AP they do not have to re-authenticate to
the work wireless network



Make sure all your AP's are on the same subnet if you
are doing AD authentication



Make sure the work network is the only one listed on the
preferred networks



Use a wireless firewall (Motorola)



Know your air space issues (AirMagnet)



I prefer the single channel solution

TIPS for WIFI at Work

(cont.)



Make sure laptops are set to infrastructure
mode



Make sure the “Automatically connect to non-
preferred networks” is unchecked



Use 802.1x (or better, 802.11i)



Use a WIPS (Wireless Intrusion Prevention
System); look at log files



Use NAC



Have WIFI policies



Disable WIFI card if plugged into network



Have users take home a secure AP that will
tunnel back into the corporate network
(Aruba,

Motorola

)

A Layered Approach

Key Security Principles



Principle of Least Privilege



Authentication, identity-based security, firewalls



Defense in depth



Authentication, encryption, intrusion protection,
client integrity



Prevention is ideal; detection is a must



Intrusion detection systems, log files, audit trails,
alarms, and alerts



“Know your enemies & know yourself” (Sun Tzu)



Integrated centralized management

Wireless Gold Standard



Centralized wireless



Have and update WIFI policies



Keep clients updated – drivers too!



Guest access on separate VLAN / Network



Wireless intrusion detection



Locate and protect against rogue APs



WPA-2



Device authentication using 802.1x and PEAP



User authentication using 802.1x and PEAP



AES for link-layer encryption



Long (not strong) passwords (15 character)



Token-card products



Protect wireless users from other wireless users



Protect sections of the network from unauthorized access

Must Have a WIFI Policy



At a minimum, the policy should involve continuous review
of potential threats and vulnerabilities and should deal
with the following:



Overall policy



Access control

<this includes non-enterprise devices>



Usage management and monitoring



Security monitoring

<this includes non-enterprise devices>



Network security

<this includes non-enterprise devices>



Virus protection

<this includes non-enterprise devices>



Encryption

<this includes non-enterprise devices>



Pertinent laws

<this includes non-enterprise devices>



Incident response

<this includes non-enterprise devices>



Enforcement

<this includes non-enterprise devices>

Captive Portals for Guests



Browser-based authentication



SSL encrypted



Use for guest access only



Put on separate VLAN or network

Controller Dashboard

802.11n Issues



Frame aggregation



Block Acknowledgment



40 MHz channel bonding



Spoofed duration fields



Only channel 3,9 do not overlap with 40 MHz
channels on the 2.4 range



AP Placement is 180

0

different

What About “NAC”?



Identity-based policy control



Assess user role, device, location, time, application



Policies follow users throughout network



Health-based assessment



Client health validation



Remediation



Ongoing compliance



Network-based protection



Stateful firewalls to enforce policies and quarantine



User/device blacklisting based on policy validation



We use Bradford for our NAC at GCA Excellent Pricing
for Edu’s

Shameless Plug



Presentations on my site located at



www.es-es.net



Come join my afternoon lecture @ 1:30pm



Session 3: Intrusion Prevention from the Inside
Out



To learn more about GCA (Georgia
Cumberland Academy)



www.gcasda.org

Resources: Software



Air Magnet

http://www.airmagnet.com/products/demo-
download.php



Net Stumbler –Free

http://www.netstumbler.com/downloads/



Mini Stumbler –Free

http://www.netstumbler.com/downloads/



Aircrack-2.1 802.11 sniffer and WEP key
cracker for Windows and Linux. -Free

http://www.cr0.net:8040/code/network/

Resources: Links



CWNP Learning Center has over 1000 free
white papers, case studies:

http://www.cwnp.com/learning_center/index.htm
l



free electronic site survey forms

(excellent):

http://www.cwnp.com/mlist/subscribe.php



GUIDE TO MASTERING NEGOTIATIONS:

http://common.ziffdavisinternet.com/download/0
/2537/whiteboardtoview.pdf