Wireless Security

background image

Manage & Secure
Your Wireless
Connections

Ernest Staats
Director of Technology and Network Services at GCA

MS Information Assurance, CISSP, CWNA, CEH, MCSE, CNA,
Security+, I-Net+, Network+, Server+, A+

erstaats@gmail.com
Resources available @

http://es-es.net

background image

Why Manage?

Bandwidth (when downloading or using VoIP)

Co-channel interference (phones, microwaves, rogue
AP’s)

Old Firmware (check for updates every quarter)

Management and control frames can’t be encrypted,

nor can header values like ESSID and MAC address

Stumblers <CommView> and WEP/PSK crackers

Mobile devices

DoS attacks (point-and-click raw packet injection tools)

Forged messages

Demand for more wireless access

BackTrack (

www.remote-exploit.org

)

802.11n issues

background image

Wireless Vulnerabilities

background image

Wireless Vulnerabilities

background image

Overlooked: Site Survey

What types of interference are you going
to contend with?

What distances do you need to

broadcast?

What types of data are you going to

support over WIFI?

(data/voice) network access

Set up worst-case scenario for testing

Know your signal-to-noise ratio

You should expect an interview before
any testing is done

(how many users, roaming,

location of wiring closets)

Adapted from: Certified Wireless Network Administrator certification Course available at::

http://www.cwnp.com/

background image

Changing Default Settings

Change the default logon password and make it long!

All defaults are known and published on the Net

http://www.phenoelit.de/dpl/dpl.html

updated often

AP Management Interface

HTTP, SNMP, Telnet

HTTP login

Linksys: UID=blank PW=admin

SNMP (disable SNMP or use a management VLAN that is
secure)

All: PW=public

Change default open systems to WPA2: use a long
passphrase

background image

Cell Sizing

How far is your WIFI signal going? (that is called your cell

size)

Can’t cover whole building?

Better antenna

MIMO

802.11n

Power setting

The cell size is usually adjusted by the power setting

Go outside and see how far your wireless signal is

reaching (you will be surprised)

background image

ESSID Naming

Identifies network

Helps others identify whether or not you have left default

settings on

Broadcast on by default

Once again with the default settings, your wireless device
broadcasts its name, saying, “My name is … connect to me”

Turning off SSID broadcasting is called “cloaking”; can cause
issues in enterprise systems

Avoid naming your SSID a private or personal code (It’s
not a password!!! Even cloaked ESSID’s are easily
discovered )

background image

MAC Filtering

A MAC address is the

hardware number that

is network card specific

(literally burned into the

network card when it is

made)

Does not scale to large
networks

Relatively easy to
defeat

Good option for home
users

background image

Authentication with 802.1x

Authenticates users before
granting access to L2 media

Makes use of EAP (Extensible
Authentication Protocol)

PEAP, EAP-TLS, EAP-TTLS,
etc.

802.1x authentication
happens at L2 – users will be
authenticated before an IP
address is assigned

background image

Encrypt the Data

WEP

Simple & easy to crack

No key management

It is worse than no encryption

TKIP (Temporal Key Integrity Protocol)
WPA/WPA2

Works on legacy hardware

Has been cracked

AES used in WPA 2

Considered the best option

FIPS 140-2 approved (Federal Information
Processing Standard)

Use with 802.1x

background image

Encryption

WEP – First Wireless Security

Cracked -- Any middle-schooler can crack your WEP
key in short order

WPA

Cracked… but

Key changes

WPA2

Cracked… but

Harder to crack than WPA; don’t use PSK

802.1x

Uses server to authorize user

Can be very secure

802.11i

AES encryption – “uncrackable”

background image

Authorize Data

Most organizations do a decent job of
authentication (who the user is), but a poor job of
authorization (what the user is allowed to do);
NAC’s/NAP’s and 802.11i help this issue

Mobile networks are typically multi-use

Authentication provides you with user identity –
now use it! Identity-aware firewall policies can
restrict what a
user can do, based on that user’s
needs

background image

Home Wireless Overlooked

Change default settings -- SSID and passwords

Use WPA (or better, WPA2); use long PSK

Use a MAC filter

Turn off SSID broadcasting

Know how far your wireless signal is reaching

Turn off wireless when not being used, & turn off DHCP
or limit DHCP

Disable remote administration

Update Firmware on AP and wireless cards semi-
annually

Secure your home machines

Current AV

Firewall

(if the wireless router has a firewall option, turn it on)

Spyware protection

Auto update Windows

Use VPN

Common sense (check the “

Secure Your Laptop Section

”)

background image

Secure Your Laptop

Turn your firewall on:

Start > Settings > Network Connections >

Wireless Network Connection > Change Advanced Settings >
Advanced Tab > Windows Firewall Settings > Select “On” > OK

BETTER YET

use another firewall (i.e. Kerio, Jetico, or Zone

Alarm)

Turn ad-hoc mode off:

Start > Settings > Network Connections >

Wireless Network Connection > Change Advanced Settings >
Wireless Networks Tab > Select Network > Properties > Uncheck
“This is a computer-to-computer (ad-hoc) network” > OK

Disable file sharing:

Start > Settings > Network Connections >

Wireless Network Connection > Change Advanced Settings >
Uncheck “File and Printer Sharing” > OK

Change Administrator password :

Click Start > Control Panel >

User Accounts. Ensure the Guest account is disabled. Click your
administrator user account and reset the password

background image

VPN Solutions

AnchorFree's

Hotspot Shield, a free software

download. Install it on a Windows PC

Paid VPN Solutions

WiTopia's

personalVPN,

HotspotVPN

(SSL)

VPN connections require installation of a utility
on the computer

background image

Teach Hotspot Security

Use a personal firewall

Use anti-virus software (update daily or hourly)

Update your operating system and other applications

(i.e. Office, Adobe Reader) regularly

Turn off file sharing

Use Web-based e-mail that employs secure http (https)

Use a virtual private network (VPN)

Password-protect your computer and important files

(make sure your administrator account has a good long

password)

Encrypt files before transferring or e-mailing them

Make sure you're connected to a legitimate access point

Be aware of people around you

Properly log out of web sites by clicking log out instead

of just closing your browser or typing in a new Internet

address

Use a more secure browser Chrome in private mode

background image

TIPS for WIFI at Work

Use a wireless system that has a centrally managed
controller and reporting system

Name all your AP's with the same name so if the signal
gets blocked and they then get a stronger signal from
another work AP they do not have to re-authenticate to
the work wireless network

Make sure all your AP's are on the same subnet if you
are doing AD authentication

Make sure the work network is the only one listed on the
preferred networks

Use a wireless firewall (Motorola)

Know your air space issues (AirMagnet)

I prefer the single channel solution

background image

TIPS for WIFI at Work

(cont.)

Make sure laptops are set to infrastructure
mode

Make sure the “Automatically connect to non-
preferred networks” is unchecked

Use 802.1x (or better, 802.11i)

Use a WIPS (Wireless Intrusion Prevention
System); look at log files

Use NAC

Have WIFI policies

Disable WIFI card if plugged into network

Have users take home a secure AP that will
tunnel back into the corporate network
(Aruba,

Motorola

)

background image

A Layered Approach

background image

Key Security Principles

Principle of Least Privilege

Authentication, identity-based security, firewalls

Defense in depth

Authentication, encryption, intrusion protection,
client integrity

Prevention is ideal; detection is a must

Intrusion detection systems, log files, audit trails,
alarms, and alerts

“Know your enemies & know yourself” (Sun Tzu)

Integrated centralized management

background image

Wireless Gold Standard

Centralized wireless

Have and update WIFI policies

Keep clients updated – drivers too!

Guest access on separate VLAN / Network

Wireless intrusion detection

Locate and protect against rogue APs

WPA-2

Device authentication using 802.1x and PEAP

User authentication using 802.1x and PEAP

AES for link-layer encryption

Long (not strong) passwords (15 character)

Token-card products

Protect wireless users from other wireless users

Protect sections of the network from unauthorized access

background image

Must Have a WIFI Policy

At a minimum, the policy should involve continuous review
of potential threats and vulnerabilities and should deal
with the following:

Overall policy

Access control

<this includes non-enterprise devices>

Usage management and monitoring

Security monitoring

<this includes non-enterprise devices>

Network security

<this includes non-enterprise devices>

Virus protection

<this includes non-enterprise devices>

Encryption

<this includes non-enterprise devices>

Pertinent laws

<this includes non-enterprise devices>

Incident response

<this includes non-enterprise devices>

Enforcement

<this includes non-enterprise devices>

background image

Captive Portals for Guests

Browser-based authentication

SSL encrypted

Use for guest access only

Put on separate VLAN or network

background image

Controller Dashboard

background image

802.11n Issues

Frame aggregation

Block Acknowledgment

40 MHz channel bonding

Spoofed duration fields

Only channel 3,9 do not overlap with 40 MHz
channels on the 2.4 range

AP Placement is 180

0

different

background image

What About “NAC”?

Identity-based policy control

Assess user role, device, location, time, application

Policies follow users throughout network

Health-based assessment

Client health validation

Remediation

Ongoing compliance

Network-based protection

Stateful firewalls to enforce policies and quarantine

User/device blacklisting based on policy validation

We use Bradford for our NAC at GCA Excellent Pricing
for Edu’s

background image

Shameless Plug

Presentations on my site located at

www.es-es.net

Come join my afternoon lecture @ 1:30pm

Session 3: Intrusion Prevention from the Inside
Out

To learn more about GCA (Georgia
Cumberland Academy)

www.gcasda.org

background image

Resources: Software

Air Magnet

http://www.airmagnet.com/products/demo-
download.php

Net Stumbler –Free

http://www.netstumbler.com/downloads/

Mini Stumbler –Free

http://www.netstumbler.com/downloads/

Aircrack-2.1 802.11 sniffer and WEP key
cracker for Windows and Linux. -Free

http://www.cr0.net:8040/code/network/

background image

Resources: Links

CWNP Learning Center has over 1000 free
white papers, case studies:

http://www.cwnp.com/learning_center/index.htm
l

free electronic site survey forms

(excellent):

http://www.cwnp.com/mlist/subscribe.php

GUIDE TO MASTERING NEGOTIATIONS:

http://common.ziffdavisinternet.com/download/0
/2537/whiteboardtoview.pdf


Document Outline


Wyszukiwarka

Podobne podstrony:
200703 hpomeranz wireless security
ieee 802 11 wireless lan security performance GQRO5B5TUOC7HMLSH2CWB5FMY6KJ5CX2O42KGCQ
NIST Guidelines for Securing Wireless Local Area Networks (WLANs) sp800 153
(Ebooks) Hacking Wireless Lan Security, What Hackers Know That You Dont
CNSSP 17 Wireless Systems Security
Mobile OS Security
Free Energy & Technological Survival Homemade Wireless Antenna
norton internet security istrukcja obsługi pl p3a4wlu5ztwbf4adg5q6vh3azb6qmw2tumllsaq P3A4WLU5ZTWBF
WIRELESS CHARGING OF MOBILE PHONES USING MICROWAVES
Security Analysis & Portfolio Management 6
Linux Wireless
(05)4? CIA Security International SA
Pytania i odpowiedzi ? 115 Security Awareness
Windows Server 03 Security Guide
11 2 4 6 Lab Securing Network?vices

więcej podobnych podstron