Securing the Wireless LAN - PowerPoint PPT Presentation

1 / 33
About This Presentation
Title:

Securing the Wireless LAN

Description:

Securing the Wireless LAN George Ou Network Systems Architect Contributing editor ZDNet Contents Introduction Relative risks of Wireless LANs Six dumbest ways to ... – PowerPoint PPT presentation

Number of Views:77
Avg rating:3.0/5.0
Slides: 34
Provided by: lanarchit
Category:
Tags: lan | securing | wireless

less

Transcript and Presenter's Notes

Title: Securing the Wireless LAN


1
Securing the Wireless LAN
  • George Ou
  • Network Systems Architect
  • Contributing editor ZDNet

2
Contents
  • Introduction
  • Relative risks of Wireless LANs
  • Six dumbest ways to secure a WLAN
  • Tools of the wireless LAN hacker
  • The best ways to secure the WLAN
  • SOHO WLAN implementations
  • Enterprise WLAN implementations

3
Introduction
  • Wireless security is a huge headache in IT
  • Wireless security widely misunderstood
  • Wireless security is everyones problem even if
    you dont think you have a WLAN
  • Banning WLANs often result in improvised home
    grown solutions
  • Wireless LANs can be secured
  • Wireless security applicable elsewhere in IT

4
Relative risks of Wireless LANs
  • Wireless security is NOT an oxymoron
  • Less dangerous than having an Internet connection
    direct or indirect
  • Attacks from the Internet can come from anywhere
    on the entire globe
  • Web/FTP/Mail/DNS Servers
  • Back doors R00TK1T5 that can dial home
  • Attacks on Wireless LANs are limited to a couple
    of kilometers

5
Six dumbest ways to secure a WLANOverview
  • MAC authentication
  • SSID hiding
  • LEAP authentication
  • Disabling DHCP
  • Antenna placement and signal suppression
  • Switch to 802.11a or Bluetooth Wireless LANs
  • ______________________________________
  • Dishonorable mention WEP

Original article on http//blogs.zdnet.com/Ou
6
Six dumbest ways to secure a WLANMAC
authentication
  • Use of the word authentication is laughable
  • All thats happening is MAC address filtering
  • MAC addresses are transmitted in clear text
  • Extremely easy to capture
  • Extremely easy to clone and defeat
  • Extremely difficult to manage MAC filtering

7
Six dumbest ways to secure a WLANMAC spoofing
8
Six dumbest ways to secure a WLANSSID hiding
  • No such thing as hiding an SSID
  • All thats happening is Access Point beacon
    suppression
  • Four other SSID broadcasts not suppressed
  • Probe requests
  • Probe responses
  • Association requests
  • Re-association requests
  • SSIDs must be transmitted in clear text or else
    802.11 cannot function

9
Six dumbest ways to secure a WLANLEAP
authentication
  • Cisco LEAP authentication is extremely weak
  • LEAP successor EAP-FAST not much better
  • Cisco dominates Enterprise WLAN market
  • Significant percentage of Cisco shops use LEAP
    but have started to migrate to EAP-TLS
  • LEAP and EAP-FAST are free on client side
  • Only Cisco can sell LEAP and EAP-FAST on Access
    Points
  • Cisco APs support all open authentication
    standards like EAP-TLS and PEAP

10
Six dumbest ways to secure a WLANDisabling DHCP
  • Disabling DHCP and forcing the use of Static IP
    addresses is another common myth
  • IP schemes are easy to figure out since the IP
    addresses are sent over the air in clear text
  • Takes less than a minute to figure out an IP
    scheme and statically enter an IP address

11
Six dumbest ways to secure a WLANAntenna
placement and signal suppression
  • Antenna placement and signal suppression does
    nothing to encrypt data
  • The hackers antenna is bigger than yours
  • Directional high-gain antennas can pick up a weak
    signal from several kilometers away
  • Lowering the signal hurts legitimate users a lot
    more than it hurts the hackers
  • Wi-Fi paint or wall paper not 100 leak proof and
    very expensive to implement

12
Six dumbest ways to secure a WLANSwitch to
802.11a or Bluetooth wireless LANs
  • 802.11a is a transport mechanism similar to
    802.11b or 802.11g
  • 802.11a has nothing to do with security
  • Pray that the hacker doesnt have 5 GHz 802.11a
    capable equipment
  • Bluetooth is more of a wireless USB alternative
  • Can be used for wireless networking but not
    designed as an 802.11 a or b/g replacement

13
Six dumbest ways to secure a WLANDishonorable
mention WEP
  • WEP barely missed the six dumbest list because it
    can still hold up for a couple of minutes
  • Hacker named KoreK releases new WEP analysis
    tool in August 2004
  • WEP coupled with 802.1x and EAP key rotation (AKA
    DWEP) is considered broken
  • Packet injection techniques lowers WEP cracking
    times to minutes

Article Next generation WEP cracking tools
14
Tools of the wireless LAN hackerOverview
  • Software
  • Auditor CD
  • Kismet
  • ASLEAP
  • Void11, Aireplay, Airedump, and Aircrack
  • Hardware
  • Cheap and compatible cardbus adapters
  • Omni directional high-gain antennas
  • Directional high-gain antennas
  • Off the shelf Laptop computer

15
Tools of the wireless LAN hackerAuditor CD
  • Bootable Linux CD with every security auditing
    tool under the sun
  • Everything needed to penetrate most wireless LAN
    and more
  • Mentioned as a favorite of the FBI
  • Relatively easy to use

16
Tools of the wireless LAN hackerKismet
  • Kismet is a Linux wireless LAN audit tool
  • Can see hidden SSIDs
  • Can see MAC addresses
  • Can see IP schemes
  • Can capture raw packet
  • GUI version lays everything out

17
Tools of the wireless LAN hackerASLEAP
  • ASLEAP cracks Cisco LEAP authentication
  • Exploits weak MSCHAPv2 authentication
  • Uses pre-computed indexed hash tables
  • Checks 45 million passwords a second
  • Upgraded to support PPTP VPN cracking

18
Tools of the wireless LAN hackerVoid11,
Aireplay, Airedump, and Aircrack
  • New set of tools makes WEP cracking hundreds of
    times faster
  • Void11 forces users to re-authenticate
  • Aireplay monitors re-auth session for ARP and
    then plays back the ARP request to trigger
    responses from legitimate computers
  • Airedump captures all of the raw packets
  • Aircrack only needs 200,000 packets instead of
    10,000,000 packets from previous tools

19
Tools of the wireless LAN hackerHardware Cheap
and compatible cardbus adapters
  • Prism 2/3 based 802.11b adapters
  • PrismGT based 802.11 b/g adapters
  • Atheros based 802.11 a/b/g adapters
  • All typically around 40 to 70 USD
  • All compatible with Linux cracking tools

20
Tools of the wireless LAN hackerOmni directional
high-gain antennas
  • Typically 7 to 9 dB gain
  • General purpose surveying and war driving
  • Can be used to create evil twin access point
  • Less than 100 USD

21
Tools of the wireless LAN hackerDirectional
high-gain antennas
  • Used to aim and focus in on victim
  • Picks up weak signals many kilometers away
  • Around 100 USD

22
Tools of the wireless LAN hackerOff the shelf
Laptops
  • Any Laptop or PC can be used for hacking
  • New Laptops with good cracking speed are as low
    as 400 USD
  • Wireless hacking is NOT cost prohibitive!

23
The best ways to secure the WLANOverview
  • Good cryptography allows secure communications
    over unsecured medium
  • Follow best practice cryptographic principles
  • Strong authentication
  • Strong encryption
  • WPA and WPA2 standards

24
The best ways to secure the WLANStrong
authentication background
  • Strong authentication is often overlooked
  • Well established secure authentication methods
    all use SSL or TLS tunnels
  • TLS is the successor of SSL
  • SSL has been used for nearly a decade in
    E-Commerce
  • SSL or TLS requires Digital Certificates
  • Digital Certificates usually involves some form
    of PKI and Certificate management

25
The best ways to secure the WLANStrong
authentication in Wireless LANs
  • Wireless LANs typically use 802.1x and EAP
  • Common standard EAP types are EAP-TLS, EAP-TTLS
    and PEAP
  • LEAP and EAP-FAST are not standard
  • EAP-TLS requires server and client certificates
  • EAP-TTLS and PEAP only require client-side
    certificates
  • EAP-TTLS created by Funk and Certicom
  • PEAP created by Microsoft, Cisco and RSA

Details on EAP types at http//blogs.zdnet.com/O
u/?p67
26
The best ways to secure the WLANStrong
authentication and RADIUS servers
  • EAP authentication requires RADIUS support in
    Access Point and one or more RADIUS servers
  • Microsoft Windows 2003 Server has fully
    functional RADIUS component called IAS
  • Supports EAP-TLS and PEAP
  • Windows 2000 only supports EAP-TLS
  • Easily integrates in to NT domains or Active
    Directory
  • Funk software makes Steelbelted and Odyssey
  • Open source FreeRadius supports broad range of
    EAP types

27
The best ways to secure the WLANStrong encryption
  • Encryption is well understood
  • No known methods of breaking good encryption
  • DES encryption has never been crypto-analyzed in
    nearly 30 years and must be brute forced
  • 3DES still considered solid but slow
  • AES is the official successor to DES and is solid
    at 128, 192, or 256 bits

28
The best ways to secure the WLANStrong
encryption in Wireless LANs
  • RC4 encryption is known to be weak
  • WEP uses a form of RC4 encryption
  • Dynamic WEP makes WEP cracking harder
  • TKIP is a rewritten WEP algorithm
  • No known methods against TKIP yet but some
    theoretical attacks are on the horizon
  • AES encryption mandated in the newest Wireless
    LAN standards is rock solid

29
The best ways to secure the WLANWPA and WPA2
standards
  • WPA used a trimmed down version of 802.11i
  • WPA2 uses the ratified 802.11i standard
  • WPA and WPA2 certified EAP types
  • EAP-TLS (first certified EAP type)
  • EAP-TTLS
  • PEAPv0/EAP-MSCHAPv2 (Commonly known as PEAP)
  • PEAPv1/EAP-GTC
  • EAP-SIM
  • WPA requires TKIP capability with AES optional
  • WPA2 requires both TKIP and AES capability

Details on EAP types at http//blogs.zdnet.com/O
u/?p67
30
SOHO WLAN implementations
  • Minimum encryption should be TKIP
  • Run AES encryption if possible
  • EAP authentication usually not feasible for Small
    offices and home offices
  • SOHO WLANs usually rely on WPA-PSK
  • PSK (pre-shared keys) are easier than WEP with 26
    HEX digits
  • PSK must be at least 8 alphanumeric random
    characters
  • Zyxel offers Access Points with PEAP RADIUS
    built-in

31
Enterprise WLAN implementationsWPA and WPA2
standards
  • Minimum encryption should be TKIP
  • Run AES encryption if possible
  • EAP-TLS authentication recommended
  • PEAP or EAP-TTLS authentication at a minimum

32
Enterprise WLAN implementationsWireless Switches
  • Wireless LAN switches manage large numbers of
    Access Points
  • Much easier to manage
  • Wireless switch makers
  • Symbol
  • Cisco Airespace
  • Aruba

33
Enterprise WLAN implementationsAdvanced security
implementations
  • Multiple Virtual SSID and VLAN support
  • VLAN assignment based on group membership
  • Guest Wireless LANs that are isolated
  • Mitigating WEP security risks for WEP only
    devices using Firewall or Router ACLs (Access
    Control Lists)
  • Can be done with single device such as the Cisco
    851W which is a Firewall, Router, Managed Switch,
    and Access Point all-in-one
Write a Comment
User Comments (0)
About PowerShow.com