Welcome to the May NA ISACA Meeting - PowerPoint PPT Presentation

1
Welcome to the May NA ISACA Meeting
rcreid@uwf.edu
2
Securing Wireless Systems
  • Randall C. Reid, Ph.D., CISA, CISSP, Security+,
    Network+, A+
  • Assistant Professor of MIS
  • University of Alabama in Huntsville
  • Huntsville, Alabama
  • rcreid@uwf.edu

3
Questions ?
Not only encouraged but appreciated!
4
The Inherent Security Trade-off
  • Confidentiality
  • Integrity
  • Accessibility

5
Wireless Security Issues
  • Loss of Physical Security access controls
  • Eavesdropping
  • File Sharing
  • Session Hijacking
  • Unauthorized Access
  • Jamming/DOS attacks

6
Definitions
  • AP Access Point, a WLAN radio transceiver
  • DSSS Direct Sequence Spread Spectrum
  • FHSS Frequency Hopping Spread Spectrum
  • ISM Industrial Scientific Medical Frequency
    Range
  • MAC Media Access Control address
  • RADIUS Remote Authentication Dial-In User
    Service
  • RF Radio Frequency
  • SSID Service Set Identifier
  • TKIP Temporal Key Integrity Protocol
  • Transceiver TRANSmitter ReCEIVER
  • WAP Wireless Access Point
  • WAP Wireless Application Protocol (a separate
    mobile-phone protocol stack; not to be confused
    with WPA below)
  • WECA Wireless Ethernet Compatibility Alliance
  • WEP Wired Equivalent Privacy
  • Wi-Fi Wireless Fidelity, interoperability
    standard for 802.11b
  • WLAN Wireless Local Area network
  • WTLS Wireless Transport Layer Security
  • WPA WiFi Protected Access

7
Risk Analysis
8
IEEE 802.11x
  • Multiple frequency and multiple modulation
    techniques
  • Specification of a MAC protocol
  • 3 Physical layer specifications
    - Frequency-hopping spread spectrum (FHSS)
    - Direct sequence spread spectrum (DSSS)
    - Diffuse infrared (does not require line of sight)
  • Available US frequencies (ISM bands)
    - 902 MHz to 928 MHz
    - 2.4 GHz to 2.4835 GHz (802.11, 802.11b, 802.11g)
    - 5.725 GHz to 5.875 GHz (802.11a; 802.11a also
      uses the 5.15-5.35 GHz U-NII bands, which are
      not ISM)

9
Flavors of 802.11
10
802.11 Future Versions
  • 802.11c bridging of 802.11 frames
    - Folded into 802.1D (the bridging standard)
  • 802.11d operation of 802.11 under additional
    regulatory domains (country information)
    - Work is on-going
  • 802.11e QoS enhancements in the MAC
    - Proposal is in draft form
  • 802.11f Inter Access Point Protocol
    - Work is on-going
  • 802.11g High Rate or Turbo Mode, 2.4 GHz
    bandwidth extension to 22 Mbps (the ratified
    standard reached 54 Mbps)
    - Draft Jan 2001, final expected 2003
  • 802.11h Dynamic Channel Selection and Transmit
    Power Control
    - Work is on-going
  • 802.11i Security enhancements in the MAC
    - Work is on-going / WPA, a Wi-Fi Alliance subset
      of the 802.11i draft, has been released
  • 802.11j 5 GHz globalization among IEEE, ETSI
    Hiperlan2, ARIB, HiSWANa
    - Disbanded

11
Basic Network Topology
(diagram; elements: Internet/WWW, Firewall, Router, Switch, Hub A, WAP, Hub B)
12
Peer-to-Peer 802.11 Ad Hoc Network
13
ESS (Extended Service Set) 802.11 Network
14
Antenna Footprint
(diagram: black = omnidirectional, red = unidirectional)
15
Antenna issues
  • Use unidirectional antennas to limit the coverage
    area.
  • Place omnidirectional antennas so that coverage
    drops off near exterior walls and windows.
  • Use the minimum possible transmitter power.
  • Remember
    - Radio waves will penetrate floors and ceilings.
    - Antennas can detect small signals: a high-gain
      antenna outside the planned footprint (e.g. the
      Pringles can Yagi) still receives what a laptop
      card cannot.

16
Pringles Can Yagi Antenna
http://www.oreillynet.com/lpt/wlg/448
17
Hedy Lamarr (co-inventor of frequency-hopping spread spectrum)
18
DSSS Direct Sequence Spread Spectrum
  • Divides the 2.401 GHz to 2.473 GHz ISM band into 11
    channels of 22 MHz each
  • Due to overlap only 3 channels can be co-located
    without interference (1, 6, 11)
  • Supports transfer rates of 1 and 2 Mbps (802.11)
    and 5.5 and 11 Mbps (802.11b)
  • Supports redundant (chipping) encoding to
    facilitate error correction

19
DSSS Channel Allocation
Channel ID   Centre frequency (GHz)
     1           2.412
     2           2.417
     3           2.422
     4           2.427
     5           2.432
     6           2.437
     7           2.442
     8           2.447
     9           2.452
    10           2.457
    11           2.462
Each channel is 22 MHz wide; channels 1 to 11 together occupy 2.401 GHz to 2.473 GHz (diagram of the overlapping channel spans omitted).
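The "only 1, 6 and 11" rule follows directly from the table: 22 MHz channels on 5 MHz centres. The Python below is an added worked example (not part of the presentation) that computes each channel's span from the table values, lists which channels interfere, and derives the non-overlapping plan; the greedy planner and helper names are my own. It also shows the general case the slide does not: starting the plan on any channel other than 1 leaves room for only two channels.

```python
"""Added example: the 22 MHz channel spans behind the "1, 6, 11" rule."""

CHANNEL_WIDTH_MHZ = 22        # from the slide: each channel is 22 MHz wide
CHANNEL_SPACING_MHZ = 5       # table: centres 5 MHz apart
CHANNEL_1_CENTRE_MHZ = 2412   # table: channel 1 = 2.412 GHz
US_CHANNELS = range(1, 12)    # FCC allocation: channels 1-11


def centre_mhz(channel: int) -> int:
    """Centre frequency in MHz; raises on channels outside the US allocation."""
    if channel not in US_CHANNELS:
        raise ValueError("US DSSS allocation uses channels 1-11")
    return CHANNEL_1_CENTRE_MHZ + (channel - 1) * CHANNEL_SPACING_MHZ


def span_mhz(channel: int) -> tuple:
    """(lower, upper) edge of the channel in MHz."""
    c = centre_mhz(channel)
    return c - CHANNEL_WIDTH_MHZ // 2, c + CHANNEL_WIDTH_MHZ // 2


def overlaps(a: int, b: int) -> bool:
    """True when the two channels share spectrum (so co-located APs interfere)."""
    lo_a, hi_a = span_mhz(a)
    lo_b, hi_b = span_mhz(b)
    return lo_a < hi_b and lo_b < hi_a


def interferers(channel: int) -> list:
    """Every other channel that overlaps this one."""
    return [c for c in US_CHANNELS if c != channel and overlaps(channel, c)]


def non_overlapping_plan(first: int = 1) -> list:
    """Greedy plan starting at `first`: keep the lowest channels that clear each other."""
    plan = [first]
    for c in range(first + 1, 12):
        if not any(overlaps(c, used) for used in plan):
            plan.append(c)
    return plan


if __name__ == "__main__":
    for ch in US_CHANNELS:
        lo, hi = span_mhz(ch)
        print(f"channel {ch:2d}: {lo / 1000:.3f}-{hi / 1000:.3f} GHz  interferes with {interferers(ch)}")
    print("non-overlapping plan:", non_overlapping_plan())   # [1, 6, 11]
```

Channel 1 spans 2.401-2.423 GHz and channel 6 spans 2.426-2.448 GHz, so they clear each other by 3 MHz; channel 5 (2.421-2.443 GHz) still clips channel 1, which is why four intervening channels are needed.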
20
WLAN Configuration Utility (Channel) (Belkin
Wireless NIC)
21
States of Authentication and Association
  • Unauthenticated and unassociated
    - Completely disconnected and unable to
      send/receive from the network
  • Authenticated and unassociated
    - Identity has been established but not yet
      connected to an access point
  • Authenticated and associated
    - Fully connected and authorized to pass traffic on
      the network

22
Open System Authentication
  • Default setting on wireless equipment
  • Only requirement: the correct SSID (which is
    broadcast in beacons and sent in the clear in
    probe and association frames, so it is not a
    secret)
  • Process
    - Client makes a request to authenticate to the AP
    - AP "authenticates" the client and sends a
      positive response that completes the
      authentication; no credential is ever checked
    - Client then associates and is connected
      (authenticated and associated)

23
WLAN Configuration Utility (SSID) (Belkin
Wireless NIC)
24
WEP (Shared Key) Authentication
  • Precondition
    - WEP enabled and the same key entered on both AP
      and client
  • Process
    - AP challenges the client by sending a block of
      randomly generated text (clear transmission)
    - Client responds by encrypting the challenge text
      with the WEP key
    - AP decrypts the response and compares it with
      the challenge
    - If correct, the client is authenticated and may
      associate
    - If incorrect, the client is denied access
  • Weak
    - The challenge (clear) and response (encrypted)
      together reveal the RC4 keystream for that IV,
      so an eavesdropper can answer a later challenge
      without knowing the key
    - Fluhrer, Mantin and Shamir attack on RC4 key
      scheduling recovers the key itself
    - AirSnort can determine the WEP key in seconds
      after "listening" to 100MB-1GB of traffic
      (http://airsnort.sourceforge.net)
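The exchange above, modelled in pure Python as an added example (this is not the presenter's code). It implements RC4 and the minimal WEP frame body (IV, RC4 under IV||key, CRC-32 ICV) and shows the weakness the slide names: because the challenge is sent in the clear and the response is that same text XORed with the keystream, one captured exchange yields the keystream for that IV, and the attacker can then reuse the IV and keystream to answer any later 128-byte challenge without ever holding the key. The AccessPoint class, the key value and the single-client state are simplifying assumptions for the demonstration.

```python
import os
import zlib
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); WEP uses it with IV || key as the RC4 key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as sent over the air: IV (clear) || RC4(IV||key, plaintext || ICV)."""
    return iv + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, body: bytes) -> Optional[bytes]:
    """Plaintext if the ICV verifies, otherwise None."""
    iv, ct = body[:3], body[3:]
    pt_icv = rc4(iv + key, ct)
    pt, tag = pt_icv[:-4], pt_icv[-4:]
    return pt if icv(pt) == tag else None


class AccessPoint:
    """Shared-key authentication as the slide describes it (one pending challenge)."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = b""

    def challenge(self) -> bytes:
        self._pending = os.urandom(128)  # 128-byte challenge, sent in the clear
        return self._pending

    def verify(self, response_body: bytes) -> bool:
        return wep_decrypt(self._key, response_body) == self._pending


def client_respond(key: bytes, challenge: bytes) -> bytes:
    """Legitimate client: encrypt the challenge under a fresh IV."""
    return wep_encrypt(key, os.urandom(3), challenge)


def recover_keystream(challenge: bytes, response_body: bytes):
    """Eavesdropper: known plaintext (challenge || ICV) XOR ciphertext = keystream for that IV."""
    iv, ct = response_body[:3], response_body[3:]
    known = challenge + icv(challenge)
    return iv, bytes(k ^ c for k, c in zip(known, ct))


def forge_response(iv: bytes, keystream: bytes, new_challenge: bytes) -> bytes:
    """Answer a new challenge by reusing the IV and recovered keystream; no key needed."""
    pt = new_challenge + icv(new_challenge)
    return iv + bytes(k ^ p for k, p in zip(keystream, pt))


def demo(key: bytes = bytes.fromhex("0123456789abcdef0123456789")) -> bool:
    """Returns True when the AP accepts the forged authentication (it does)."""
    ap = AccessPoint(key)  # 104-bit key + 24-bit IV is what vendors call "128-bit WEP"
    # 1. Legitimate exchange, both frames observed by the attacker
    ch1 = ap.challenge()
    resp1 = client_respond(key, ch1)
    assert ap.verify(resp1)
    iv, ks = recover_keystream(ch1, resp1)
    # 2. Attacker's own authentication attempt: same IV, recovered keystream
    ch2 = ap.challenge()
    return ap.verify(forge_response(iv, ks, ch2))


if __name__ == "__main__":
    print("forged shared-key authentication accepted:", demo())
```

Nothing in WEP stops a station from reusing an IV, so the AP cannot tell the forged response from a genuine one. This is why shared-key authentication was widely judged worse than open system authentication: it hands every listener 132 bytes of keystream per login, on top of the key-recovery attacks listed above.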

25
WLAN Configuration Utility (WEP) (Belkin
Wireless NIC)
26
Controlling Access by MAC Address (Belkin
Wireless Hub/Router)
MAC addresses travel in the clear in every frame and can be set by the client, so an allow-list is a speed bump, not an authentication control.
27
WPA (Wi-Fi Protected Access), Enterprise Mode
  • Client associates with an AP (access point)
  • Access blocked until authenticated (802.1X port
    control)
  • Credentials provided by the client (EAP)
    - Authenticated: process continues
    - Not authenticated: process terminates, access
      denied
  • Authentication server (RADIUS) distributes
    encryption keys to AP and client
  • Client is now granted access
  • All traffic is encrypted with per-session keys

28
802.11i
  • The official IEEE attempt to supply strong
    security for wireless links.
  • TKIP (Temporal Key Integrity Protocol)
    - per-packet key mixing on top of WEP's RC4
      cipher (128-bit temporal key); the temporal key
      is rotated across all devices, commonly once
      every 10,000 packets
    - plans are to replace RC4 with AES (CCMP) to
      extend its life
  • TKIP is supposed to be deployable via firmware
    upgrade (AES generally requires new hardware)
  • 802.11i is a work in progress (due Sept. 2003)

29
Wireless Network Isolation
http://wlana.net/example.htm
30
VPN Solution
  • User authentication ensures only authorized users
    - Only an authorized user from an authorized
      machine
  • Encrypted transmissions
    - Confidentiality even if intercepted
  • Data integrity
    - Data alteration can be detected

31
VPN Logical Structure
(diagram; layers: Application Software, VPN Client Software, 802.11x Access Point, 802.11x Transmission Protocol, Firewall, RADIUS Server, VPN Server)
32
Wireless Policy Elements
  • Register all wireless devices and cards used in
    the corporation.
  • Limit access to registered devices.
  • Identify registered devices (approved
    sticker).
  • Centrally control all access points.
  • Unauthorized (rogue) access points are
    confiscated.

33
Securing 802.11x Wireless
  • 1) Enable WEP (128-bit if possible)
    - default: WEP is disabled
  • 2) Change the default SSID
    - Shut off broadcast of the SSID (obscurity only:
      the SSID still appears in probe and association
      frames)
  • 3) Change the default password
  • 4) Change access point location
    - antenna footprints
  • 5) Conduct preemptive scans
  • 6) Limit connections
    - MAC based (MAC addresses are sent in the clear
      and are easily cloned; a speed bump, not a gate)
  • 7) Use additional authentication
    - RADIUS
    - VPN
  • 8) Disable DHCP
  • 9) Change the sub-net
    - default subnet 192.168.1.0
    - default router/WAP 192.168.1.1
  • 10) Isolate the wireless network
  • 11) Turn off ad-hoc networking
  • 12) Move from WEP to WPA as soon as
    practical
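As an added example that is not part of the presentation, the Python below audits an access-point configuration against the checklist. Option names follow hostapd's configuration file (ssid, wep_key0, ignore_broadcast_ssid, macaddr_acl, ieee8021x, auth_server_addr, wpa, wpa_key_mgmt, rsn_pairwise); both sample configurations are constructed for this example, and the factory-SSID list and severities are my assumptions. Items 8, 9 and 11 (DHCP, subnet, ad-hoc) live outside the AP configuration and are not checked here.

```python
from dataclasses import dataclass

# assumption: a short list of factory SSIDs; extend it from your own inventory
DEFAULT_SSIDS = {"default", "linksys", "belkin54g", "netgear", "wireless", "tsunami"}


@dataclass
class Finding:
    item: int       # number of the checklist entry on the slide
    severity: str   # high / medium / low
    message: str


def parse_config(text: str) -> dict:
    """key=value lines with '#' comments, the format hostapd reads."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def wep_key_bits(value: str) -> int:
    """Key length in bits: hex (10 or 26 chars) or quoted ASCII (5 or 13 chars)."""
    if value.startswith('"') and value.endswith('"'):
        return (len(value) - 2) * 8
    return len(value) * 4


def audit(cfg: dict) -> list:
    findings = []
    wep_keys = [v for k, v in cfg.items() if k.startswith("wep_key")]
    wpa = cfg.get("wpa", "0") != "0"
    key_mgmt = cfg.get("wpa_key_mgmt", "").split()
    dot1x = cfg.get("ieee8021x", "0") == "1" and "auth_server_addr" in cfg

    if not wpa and not wep_keys:
        findings.append(Finding(1, "high", "open system: anyone with the SSID can associate, nothing is encrypted"))
    elif not wpa:
        findings.append(Finding(12, "high", "WEP only: the key is recoverable from captured traffic; move to WPA"))
        if any(wep_key_bits(v) < 104 for v in wep_keys):
            findings.append(Finding(1, "medium", "40-bit WEP key; use a 104-bit (\"128-bit\") key while WEP remains"))
    elif "WPA-EAP" not in key_mgmt:
        findings.append(Finding(7, "medium", "WPA with a pre-shared key only: no per-user credentials, no RADIUS"))

    if cfg.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append(Finding(2, "medium", "factory SSID still in use"))
    if cfg.get("ignore_broadcast_ssid", "0") == "0":
        findings.append(Finding(2, "low", "SSID is broadcast (hiding it only stops casual discovery)"))
    if cfg.get("macaddr_acl", "0") == "0":
        findings.append(Finding(6, "low", "no MAC allow-list (weak on its own, MACs are cloneable, but it is on the checklist)"))
    if not dot1x:
        findings.append(Finding(7, "medium", "no 802.1X/RADIUS authentication configured"))
    return findings


def open_items(text: str) -> set:
    """Checklist numbers that still have at least one finding."""
    return {f.item for f in audit(parse_config(text))}


# constructed sample: factory-fresh AP with WEP switched on
WEAK_CONFIG = """
interface=wlan0
ssid=belkin54g
channel=6
wep_default_key=0
wep_key0=123456789a
ignore_broadcast_ssid=0
"""

# constructed sample: the same AP after working through the checklist
HARDENED_CONFIG = """
interface=wlan0
ssid=corp-wlan-07
channel=6
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd.accept
ieee8021x=1
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=REPLACE-ME
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit(parse_config(text)):
            print(f"  item {f.item:2d} [{f.severity}] {f.message}")
```

wpa=2 with rsn_pairwise=CCMP selects the AES profile the 802.11i slide anticipates; for equipment that only has the firmware-upgrade path, wpa=1 with wpa_pairwise=TKIP is the corresponding WPA setting and still clears items 7 and 12.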

34
Thank you for your time and attention
Any further questions or comments please contact
me rcreid@uwf.edu