Lock up your Wireless LANs

1

• Lock up your Wireless LANs
• There are Hackers in Town

Tuesday 26th February 2002 130 to 215 PM Ross
Chiswell CEO Integrity Data Systems Pty. Ltd.
2

• Ross Chiswell

Ross Chiswell, Chief Executive Officer of
Integrity Data Systems, is a veteran of the
wireless networking industry. Involved in IT for
almost two decades and specifically in wireless
networking since 1993, Ross has developed an
in-depth knowledge of wireless technologies and
is recognised as Australias expert in the
field. Ross has a key focus to source new
technology from around the world and establish
strategic partnerships with world-class suppliers.
3
(No Transcript)
4
Wireless LAN Security Issues

• Cracking the encryption key
• decrypting and reading the wireless LAN packets
• Unauthorised access..
• to wireless LAN as a resource when not a
  registered user
• to the main network via the wireless LAN
• Authorised user, but..
• unauthorised snooping or sniffing of other
  traffic
• eavesdropping in public space wireless LANs on
  other users traffic
• Phantom Access Points gathering data from genuine
  users
• Unknown wireless LANs inside corporation

5
Wireless LAN Security Stories
New wireless LAN vulnerabilities
uncoveredMonday 13 August, 2001 1453 GMT1000
By Staff writer A second, more dangerous method
of defeating wireless LAN encryption has been
revealed by security experts. Researchers from
Rice University and ATT Labs in Florham Park,
New Jersey, have.
Wireless LANs dealt new blow Security goes from
bad to worse Dennis Fisher Carmen Nobel , eWEEK
August 10, 2001 557 PM ET A new attack that
can compromise the encryption cipher used on
wireless...
Lock up your wireless LAN By George LawtonAugust
23, 2001 The driver of the unmarked van outside
your office may not be on a long lunch break.
6
Wireless LAN Security - Background

• Wired Equivalent Privacy (WEP)
• Designed by the IEEE to prevent eavesdroppers and
  unauthorised connections to the wireless network.
• Provide privacy similar to a wired LAN, not as an
  encryption solution
• WEP 64 bit RC4 encryption algorithm - 5 digit key
• WEP 128 bit RC4 encryption algorithm - 13 digit
  key

7
WEP - Background

• Wired Equivalent Privacy (WEP)
• Designed by the IEEE to prevent eavesdroppers and
  unauthorised connections to the wireless network.
• Provide privacy similar to a wired LAN, not as an
  encryption solution
• WEP 64 bit RC4 encryption algorithm - 5 digit key
• WEP 128 bit RC4 encryption algorithm - 13 digit
  key

This cable acts as an antenna and may carry raw
(un-encrypted) signals.
WEP
8
Wireless LAN Analysis- tools

• AiroPeek from WildPackets
• Grasshopper from BV Systems
• Mobile Manager from Wavelink
• Sniffer Wireless from Network Associates
• NetStumbler
• AirSnort via the SourceForge
• AirSnort has been designed to break WEP
  encryption keys.
• It operates by passively monitoring
  transmissions, and when enough interesting
  packets have been gathered, usually over a 24
  hour period, it can then calculate the WEP key.
• Once the WEP key has been obtained, then WEP
  encrypted packets on the wireless LAN can be
  opened and read, just like on a wired LAN.

9
WEP - How is it broken

• Weak key attack
• Attacks the key scheduling section of the
  algorithm
• Described in a paper
• Weaknesses in the Key Scheduling Algorithm of
  RC4
• written by Scott Fluhrer, Itisk Mantin and Adi
  Shamir
• Also called the FMS attack
• Hacker using tools like AirSnort captures packets
• AirSnort looks for the pattern bought about by
  the key scheduling, tagging interesting packets.
  Once it has enough interesting packets it can
  then calculate the key...

4D7E6CB8
4FA4A5B
4FA4A5D
4FA4A5F
5E4FDF4
592CC5F
4FE70EA
4FA4A5E
4FA4A60
18F6C512
184D4C16
19581CF9
18F38B25
4FA4A63
4FA4A62
4FA4A61
10
WEP - How is it broken

• Weak key attack
• Attacks the key scheduling section of the
  algorithm
• Described in a paper
• Weaknesses in the Key Scheduling Algorithm of
  RC4
• written by Scott Fluhrer, Itisk Mantin and Adi
  Shamir
• Also called the FMS attack
• Hacker using tools like AirSnort captures packets
• AirSnort looks for the pattern bought about by
  the key scheduling, tagging interesting packets.
  Once it has enough interesting packets it can
  then calculate the key...

4D7E6CB8
4FA4A5B
4FA4A5D
4FA4A5F
5E4FDF4
592CC5F
4FE70EA
4FA4A5E
4FA4A60
18F6C512
184D4C16
19581CF9
18F38B25
4FA4A63
4FA4A62
4FA4A61
4FA4A5C
83511900
11
WEP - Future

• New standards
• IEEE 802.11i, new wireless security standard
• will possibly use WEP2 encryption protocol,
  expected to be completed 2002
• moving towards Advanced Encryption Standard (AES)
• IEEE 802.1x, new authentication management system
  protocol
• 802.1x does not protect the data it ONLY control
  access
• Development work by key wireless chipset
  manufacturers
• Agere Systems, Intersil and Cisco
• Together working on XWEP
• Agere Systems
• WEPplus uses random key generation

12
Wireless Security - What about right now

• Ensure basic security features are turned on
• Do not use default settings
• Use Secure Access Points
• Additional non WEP based encryption
• Per user per session key exchange
• Radius AAA authentication
• Implement Virtual Private Networks (VPNs)
• End to end security, include authentication and
  additional non WEP based encryption
• Access Point should have VPN support or IPSec
  pass through as a minimum
• Access Points with built in firewalls
• Use Gateway devices to protect main network

13
Wireless Security - What about right now

• Talk with your wireless LAN vendor
• what is their current and future security
  strategy
• make your own assessment as to their products
  risk, do not believe the marketing information
  at face value
• New WEP firmware
• Old WEP firmware
• AirSnort - 30,000,000 packets gathered - 6,000
  interesting packets found
• WEP Key broken in 24 hours
• New WEP firmware
• WEPplus from Agere Systems ORiNOCO first to
  market Nov 01
• AirSnort - 41,000,000 packets gathered - Zero
  interesting packets found
• If one interesting packet had been found, it
  could take years to break key

14
Wireless Security - Basics

• Change wireless network name from default
• any, 101, tsunami
• Turn on closed group feature, if available in AP
• Turns off beacons, so you must know name of the
  wireless network

My name is "WaveLAN"
Yes, thats my name
I'm looking for "WaveLAN"
My name is "WaveLAN"
My name is "WaveLAN"
My name is "WaveLAN"
I'm looking for "WaveLAN"
My name is "WaveLAN"
Yes, thats my name
My name is "WaveLAN"
My name is "WaveLAN"
15
Wireless Security - Basics

• Change wireless network name from default
• any, 101, tsunami
• Turn on closed group feature, if available in AP
• Turns off beacons, so you must know name of the
  wireless network
• MAC access control table in AP
• Use Media Access Control address of wireless LAN
  cards to control access

MAC address 4FA4A5C
MAC Table 5E4FDF4 4FA4AFC
Your on the list, I will connect
16
Wireless Security - Basics

• Change wireless network name from default
• any, 101, tsunami
• Turn on closed group feature, if available in AP
• Turns off beacons, so you must know name of the
  wireless network
• MAC access control table in AP
• Use Media Access Control address of wireless LAN
  cards to control access
• Use Radius support if available in AP
• Define user profiles based on user name and
  password

Profile Table Ross Chiswell xxxxxx 4FA4AFC
User Name Password MAC address 4FA4A5C
Your on the list, I will connect
Radius
I will check
17
Wireless Security Solution 1 - Encryption and
Authentication

• High Encryption Access Points
• Non WEP based encryption
• Key exchange on a per session per user basis
• No common or shared key in both directions
• Radius authentication (Steel Belted Radius)

Key 1
User to user privacy
Key 3
Steel Belted Radius
Key 2
18
Wireless Security Solution 2 - Wireless VPN

• VPN Back-end, Wireless Front-end
• Standard Access Points using WEP based encryption
• Radius or IEEE 802.1x authentication
• Requires VPN Servers in back office

VPN remote client software
VPN pass thru
Danger to user to user privacy and corporate
infrastructure
VPN Server
19
Wireless Security Solution 3 - VPN Access Points

• VPN capable Access Points
• Non WEP based encryption
• Radius authentication
• VPN implemented over wireless LAN
• VPN server in Access Point (does not need backend
  VPN server)
• Firewall implemented in Access Point

• Support
• L2TP
• PPTP
• IPSec

User to user privacy
VPN remote client software
VPN pass thru
Access Point has VPN server and firewall
20
Wireless Security Solution 4 - Wireless Gateway

• Wireless gateway
• Allows user profiles for access and quality of
  service
• Supports centralised user Authentication
• Radius, LDAP, NT4 Domain, Windows 2000 Active
  Directory
• Support for VPN, Digital Certificates, Tokens and
  Smartcards
• Allows role based access to services in mixed
  user environments

• Supports
• L2TP
• PPTP
• IPSec

21
Wireless Security Summary

• Understand the issues and assess the risk
• right product for the right situation
• Different vendors product will have different
  capabilities
• IEEE 802.11 / WiFi compliance, and price are not
  the only issues
• understand the difference, research and question
  vendors
• basic inexpensive products, may only offer
  connectivity
• Select the right wireless technology partner
• trained and accredited resellers, that understand
  wireless issues
• wireless product not just a me too option for
  vendor

22
Wireless LAN - Which Product Where
23
We dont just stock it, we know how it works
Integrity Data Systems Specialist distributor of
wireless networking technology www.integritydata.
com.au 1300 131 000