Wireless Security

1
Wireless Security Part 1 3/10/04 Mark Lachniet,
Analysts International
2
Introductions

• Mark Lachniet, Technical Director of Analyst
  Internationals Security Services Group
• Technical lead developing for services,
  methodology, quality control, technical presales
• Certified Information Systems Auditor (CISA) from
  ISACA
• Certified Information Systems Security
  Professional (CISSP) ISC2
• Linux LPIC-1, Novell Master CNE, Microsoft MCSE,
  Checkpoint CCSE, TruSecure ICSA, etc.
• Former I.T. director of Holt Public Schools
• Frequent speaker for local organizations

3
Agenda

• Overview of Wireless
• Wireless frequency types and products
• Controlling signal and site surveys
• Wireless modes of operation
• Wardriving and Warchalking
• Basic wireless security features
• Advanced wireless security features
• Wireless in the network environment
• Conclusions
• Discussion

4
Class Logistics

• Frequent breaks, maybe not 20 mins.
• I do not mind if you mess around with your
  computers while I am talking, in fact I encourage
  it - you are here because you want to be
• Will attempt to do more hands-on exercises and
  less talking
• Please speak up! This will be most useful if you
  ask questions! Dont wait for the end
• Consider finding a partner, especially one of a
  higher or lower technical skill level

5
Class CD-ROM

• I have included a CD-ROM with many tools and
  utilities on it
• Some of these we will use, some of them we may
  not
• Most are 30-day expiring demos
• You should go to the web site(s) yourself and
  download the software, so you can get registered

6
Classroom Network
7
Why Wireless?

• Flexibility
• Instructional Potential (mobile labs, data
  collection, research in common areas, etc.)
• Overcome building limitations (all brick,
  asbestos, leased buildings, etc.)
• Ubiquitous technology - built into many PDAs and
  Laptops
• In use in many homes, coffee shops, airports
• Many people already have it on their laptop,
  making it easy for visits, ad-hoc meetings

8
Why Not Wireless

• Speed considerations (11mb/s or 54mb/s
  theoretical throughput - actually much slower
  than this in reality)
• Security, both real and perceived, especially
  cost of supporting infrastructure
• Signal interference from other devices
• Signal penetration problems through dense
  materials
• Changing technologies and standards
• A little bit too much fun for bored students to
  hack

9
Wireless Technology

• Wireless, and especially wireless security
  operate at many different levels in many
  different ways
• For the purposes of our class, we will start with
  the most basic elements of wireless technology
  (hardware) and work our way up to the most
  complex (applications)
• One of the best representations of this type of
  abstraction is the OSI model

10
The OSI Model

• The OSI Model is used to describe different
  layers of networks and network services
• Layers 1 and 2 are at the hardware level, but
  in our case there are no wires, but rather
  signals
• Layer 3, 4 and 5 deal with association and
  TCP/IP, which may be handled by a wireless Access
  Point / router

11
Types of Wireless

• Lets focus first at the lowest levels of the OSI
  model - frequencies and standards
• Wireless has a few standards
• Frequency Hopping Spread Spectrum (FHSS)
• Direct Sequence Spread Spectrum (DSSS)
• Orthogonal Frequency Division Multiplexing (OFDM)
• FHSS is used in Proxim cards, in industrial
  applications, barcode scanners, etc.
• DSSS is the most common type, used most in WLAN
  cards, access devices, etc.
• OFDM is used in modern 54mb/s devices

12
Direct Sequence Spread Spectrum

• High-speed code sequence manages frequency
  modulation
• Produces signal centered at carrier frequency

13
Frequency Hopping Spread Spectrum

• Code function determines hops to manage
  frequency modulation
• Carrier is flat across spectrum

14
Orthogonal Frequency Division

• Uses multiple carrier waves on different
  frequencies
• Each wave carries part of the message
• Used for 54mb/s applications (802.11a/g)
• May designate a number of encoding types

15
Wireless Types and Frequencies
16
Wireless Types and Frequencies

• Frequencies
• 802.11b and 802.11g are both 2.4ghz
• 802.11a is 5ghz
• Bandwidth
• The 5ghz space has more bandwidth (throughput
  speed capability)
• Non-Overlapping Channels (may not match APs)
• 802.11/b/g _at_ 2.4ghz has 3
• 802.11a _at_ 5ghz has 4
• Compatibility
• 802.11g is usually backwards compatible with
  802.11b _at_ 11mb/s only
• 802.11a isnt compatible

17
Interference / Penetration / Leakage

• Managing your signal is an important part of
  Wireless security
• If you can control your signal, keeping it mostly
  inside, you can worry less about hackers outside
  of your building
• At the same time, you want to make sure you can
  penetrate all important areas of your building
• You also need to be aware of interference issues
  from phones, microwaves, cell towers, etc.
• Use non-overlapping channels wisely
• The best way to make these determinations is by
  doing a site survey

18
Performing a Site Survey

• The Site Survey Toolkit
• One or more access points
• Various antennas and cables
• Various WLAN NIC cards
• Distance Roller thingy
• Tape, ZIP ties, etc.
• One or more people
• May need walkie-talkies
• Keep people away from the equipment

19
Performing a Site Survey

• Attempt to find the best configuration of WLAN
  equipment by setting it up and measuring signal
• Use a blueprint or floor layout map of the target
  area
• Use the roller to determine distance
• Measure signal characteristics at various
  locations to develop a signal coverage map
• Should use the exact hardware that will be
  installed
• Looks at signal strength, signal to noise ratios,
  and access ranges at specific speeds
• Consider potential usage - 5 users _at_ 54mb/s or 20
  users _at_ 11mb/s? (lock wireless cards at that
  speed, and map with this in mind)

20
Use Built In Tools w/ Laptop

• Analyze signal strength and signal to noise ratio
  using a client utility (passive mode)
• Lock your card at a specific speed and just walk
  away until it stops working
• Use the client utility to generate a large number
  of packets and see how many arrive correctly
  (active mode)

21
Create a Layout
22
Install AP and Measure Speed

• For example, place it more or less in the middle
  of the Gym - in this case there is a signal
  problem in the Library

23
Multiple AP Placement
24
Signal Leakage Risk!
25
Directional Antennas

• A directional antenna may help direct signal
  stop leaks

26
Wireless Components

• The most common type of Wireless Local Area
  Network (WLAN) infrastructure typically involves
  two components
• An Access Point, which works as a kind of smart
  hub to allow communication
• A Client, which is typically a laptop, desktop or
  PDA with a wireless NIC
• Within this paradigm are any number of different
  products, technologies or variations
• The base standard for wireless LAN is 802.11, as
  determined by the IEEE
• http//grouper.ieee.org/groups/802/11/index.html

27
Ad-Hoc Mode

• In Ad-Hoc mode, all devices can talk to each
  other directly (if they are in range and on the
  same frequency)
• Relatively uncommon, used in WAN configurations,
  LAN Games, impromptu meetings, etc.
• Referred to as an Independent Basic Service Set
  (IBSS)

28
Ad-Hoc Mode Definition

• http//www.webopedia.com/TERM/A/ad_hoc_mode.html
• An 802.11 networking framework in which devices
  or stations communicate directly with each other,
  without the use of an access point (AP). Ad-hoc
  mode is also referred to as peer-to-peer mode or
  an Independent Basic Service Set (IBSS). Ad-hoc
  mode is useful for establishing a network where
  wireless infrastructure does not exist or where
  services are not required.

29
Infrastructure Mode

• The most common type of WLAN is the
  infrastructure Mode - used most places
• All devices talk to the access point
• Referred to as a Basic Service Set (BSS).

30
Infrastructure Mode Definition

• http//www.webopedia.com/TERM/I/infrastructure_mod
  e.html
• An 802.11 networking framework in which devices
  communicate with each other by first going
  through an Access Point (AP). In infrastructure
  mode, wireless devices can communicate with each
  other or can communicate with a wired network.
  When one AP is connected to wired network and a
  set of wireless stations it is referred to as a
  Basic Service Set (BSS). An Extended Service Set
  (ESS) is a set of two or more BSSs that form a
  single subnetwork. Most corporate wireless LANs
  operate in infrastructure mode because they
  require access to the wired LAN in order to use
  services such as file servers or printers.

31
Advanced Infrastructure Mode

• There may be multiple access points in an
  environment
• This raises a number of issues, including mobile
  clients
• Comprised of multiple BSS to create an Extended
  Service Set (ESS)

32
Extended Service Set

• Uses a 32-char ID to represent the ESS, known as
  an ESSID (or SSID) such as USR8054
• This essentially represents the network and is
  something all users must have configured in some
  way

33
SSID Example

• For example, this is how it looks on a USR8054
• Note the ability to turn off the broadcast of the
  SSID

34
Wardriving

• One popular hobby for geeks is to war drive for
  wireless networks
• Using special software such as Net Stumbler,
  drive or walk around looking for access points,
  frequently chalking them and/or recording the
  location with a GPS (then uploading coordinates
  to the Internet)
• http//www.netstumbler.com
• Passive scanners will just passively listen for
  SSID broadcasts
• Active scanners will probe for them
• Scanners will usually tell you if advanced
  security (encryption) is configured
• Some will even tell you about connected clients

35
Warchalking Examples
36
Wardriving Resources

• http//Michiganwireless.org
• http//Netstumbler.com
• http//www.wardriving.com
• http//www.wigle.net/ (locations)
• http//packetstormsecurity.org/wireless
• type in war drive in google )

37
Activity 1 War Driving

• Install a Lucent Wavelan / Orinoco card in your
  laptop
• Install Net Stumbler from your CD-ROM
• Run the application, observe the local network
• Survey the facilities (?) and win a prize?

38
Activity 2 Protocol Analyzer

• Install WinPCap
• Reboot
• Install Ethereal on your laptop
• Associate with the access point (it may complain
  about it being insecure, that is OK)
• Run Ethereal

39
Basic Wireless Security Features

• There are a number of basic wireless security
  features and protocols
• Utilize static IP addresses
• SSID Security (not broadcasting SSID)
• MAC Address Filtering
• WEP Encryption
• Signal control and speed locking
• 802.1X Authentication / Encryption
• WPA Authentication / Encryption
• External security (VPN, VLAN, or other things
  not part of wireless per se

40
Utilize Static IP

• Although it wont stop a hacker with a protocol
  analyzer, using static IP address assignment
  instead of DHCP will help
• This will stop the casual and/or stupid hackers
  from automatically getting an IP address and
  being allowed to surf
• It creates a management burden, as each laptop
  must be uniquely identified ahead of time
• It also creates an opportunity, as you can figure
  out what a user is doing on the network very
  easily

41
SSID Broadcasting

• For an extremely minimal amount of security, you
  can turn off SSID broadcasting
• This means that someone must somehow know or
  discover the SSID in order to use the access
  point
• May be able to identify the SSID through
  analyzing network traffic from another user (via.
  AP Association Frames)
• Active scanners may find this through a brute
  force SSID scan (rare)
• Windows may remember the AP/SSID

42
Turning Off SSID Broadcasting
43
Activity 3 SSID Broadcast

• Now that I have turned off SSID Broadcast,
  disassociate with the AP
• Stop and restart Net Stumbler
• Is the access point still visible?
• Can you connect to it anyway through windows by
  manually typing in the SSID?
• The SSID USR8054

44
MAC Address Filtering

• Each network device has a unique hardware
  identifier built into it, called a MAC address
• In Windows, use ipconfig /all to view the
  current MAC address of your devices
• This can be used for security purposes

45
MAC Address Filtering
46
Problems with MAC Filtering

• Although MAC addresses are hard-coded, they can
  be changed in some hardware via software
• Thus, a hacker would only have to sniff enough
  traffic to learn some allowed MAC addresses,
  and then impersonate that MAC address
• Also, MAC address filtering can be very painful
  to manage in the long haul
• How do you keep track of all the addresses?
• What about traveling users and visitors?
• What is the maximum of MAC addresses you access
  point will allow you to type in?

47
Activity 4 MAC Filtering

• I will now configure the AP to only allow my own
  MAC
• Try not to lock yourself out of your AP )

48
WEP Encryption

• To get around the various wireless security
  problems, an early solution was WEP
• This allows you to configure a 40bit, 64bit or
  128bit key to encrypt traffic
• A WEP key is essentially a password
• Normally, the same WEP keys are manually
  programmed into the client and access point
• If the WEP keys match, the devices can
  communicate
• WEP encryption is better than nothing but it
  still has its problems

49
WEP Encryption Problems

• First of all, the WEP key must be stored on the
  client computer (or typed in each time)
• Thus, the security of the client workstation(s)
  is very important
• It might be possible to steal the WEP key from
  the registry or some configuration file
• Also, WEP adds a little bit of processing
  overhead (3 in hardware?)
• Most importantly, the WEP implementation is
  flawed and WEP encryption can be cracked!

50
Cracking WEP

• Software such as AirSnort (http//airsnort.shmoo.c
  om/) allows you to monitor encrypted wireless
  activity and eventually get enough information to
  crack a WEP key
• The problem is due to a flawed implementation of
  the RC4 protocol in WEP
• Specifically, while almost everything in the
  packet is encrypted, a plain-text Initialization
  Vector is used to keep the encryption in sync
• This IV periodically computes in a way that
  provides interesting information about the key
• Given enough packets, 5-10 million, AirSnort can
  crack the WEP key

51
Activity 5 Configuring WEP

• First, we need to configure it on the access
  point
• Note that the key size may be 40 or 128 bit
• Also note that keys may be in ASCII or HEX format

52
Activity 5 Configuring WEP

• Now configure the client software (WEP Key is
  12345)
• Attempt to access something - did it work?

53
Activity 5 Configuring WEP

• Now try some of our old tools
• Disassociate with the access point (or type in
  the wrong WEP key)
• Now try Net Stumbler - do you see the ?icon?
  That means WEP is enabled
• 1/2 the class run Ethereal without the WEP key,
  the other half with it
• What are the results?? (your mileage may vary
  depending upon card, etc.)

54
Advanced Wireless Security

• After all of the problems with WEP, alternate
  security systems needed to be devised
• One is 802.1X, which provides
• Use of encryption certificates
• Provides port-based controls
• Uses the extensible authentication protocol
  (EAP). Can use different protocols w/in EAP.
• Mutual authentication
• Automated encryption key management and rotation
  (TKIP)
• Authentication (username and password) to a
  back-end RADIUS server

55
802.1X

• Requires an 802.1X compliant access point (old
  ones are not!) or high-end Ethernet switches
• Requires compatible clients and RADIUS servers
  (for authentication purposes)
• The Supplicant is the client - Windows XP SP1 has
  this built in, other Windows clients require a
  commercial product
• Macintosh 10.3 (?) has 802.1X supplicant
  software built in, some Linux / UNIX support
• The AP is the authenticator, and the RADIUS
  server is the authentication source
• Slides from http//www.blackhat.com/presentations
  /win-usa-03/bh-win-03-riley-wireless/bh-win-03-ril
  ey.pdf

56
802.1X
57
802.1X Before Authentication
58
802.1X After Authentication
59
RADIUS Authentication

• Authentication systems for wireless typically
  uses encryption-aware RADIUS servers
• Examples include Microsoft IAS, Cisco Secure ACS,
  and Funk Software products
• RADIUS servers without encryption are very common
  (Border Manager Authentication Services, etc) but
  wont work
• RADIUS is also used in a number of other
  applications such as VPN authentication, etc.

60
RADIUS Servers in the Network

• Client talks to AP, AP talks to RADIUS server,
  which may talk to another authentication server
• The RADIUS server may have its own user database
• Client and RADIUS must talk same EAP protocol

61
RADIUS Server Types

• The majority of RADIUS servers authenticate to a
  local or network authentication database
• Some RADIUS servers have advanced security
  features such as two-factor authentication (like
  RSAs SecurID)
• This requires two of three factors
• Something you have
• Something you know
• Something you are
• For example, a thumbprint reader, or a SecurID
  token that changes codes, etc.
• Although expensive, this provides a high level of
  security, as you would have to steal something

62
802.1X on the USR 8054
63
802.1X EAP Types

• There are a number of EAP authentication types
  that 802.1X can use
• They all have different advantages and
  disadvantages

64
LEAP

• Lightweight EAP
• LEAP is a Cisco-Specific protocol
• Its fairly easy to use because it does not
  require certificates (this can be a big issue)
• It has one disadvantage - people can attempt to
  brute force your network passwords by guessing
  each one
• If you are an all-Cisco environment, it may be
  better than WEP, but its no longer the ideal

65
EAP-TLS

• EAP with Transport Layer Security
• Requires the use of certificates to prove
  identities (both the access point and the client)
• A certificate is a bit of text that includes
  identity and encryption key information
• These must be generated and distributed to all
  clients
• This requires touching every workstation,
  something that may not be practical
• Windows 2k/XP/2003 environments have these
  services and can be integrated (maybe not easily)
• Use MMC-gtCertificates in windows to view yours

66
Obtaining Certificates for EAP

• Certificates may be automatically generated
  (i.e., a machine certificate when a machine joins
  a domain)
• Certificates can also be manually generated, for
  example by requesting one from a windows server
  running IIS and Certificate services
• http//www.win2kserver.com/certsrv
• For an example of how this would work with the
  Cisco Secure ACS server, check out
• http//www.cisco.com/en/US/products/sw/secursw/ps2
  086/products_configuration_example09186a00801df0ea
  .shtml
• Also can use openssl to create certificates under
  Linux / UNIX operating systems

67
EAP-TTLS / PEAP

• EAP Tunneled TLS and Protected EAP
• Similar to EAP-TLS, but instead of relying
  entirely on certificates, can use usernames and
  passwords via MS-CHAP
• This allows you to authenticate the USER instead
  of the client machine
• However, you still verify the identity of the
  authentication server (stops Man in the Middle
  Attacks) by the certificate

68
Man In The Middle Attacks

• Use a program like AirSnarf to masquerade as a
  legitimate access point (http//airsnarf.shmoo.com
  /)
• As an intermediary, view all network traffic
  w/out encryption, including passwords

69
WPA

• Wifi Protected Access (WPA) is the emerging
  standard for security
• Includes TKIP and 802.1X features
• Soon to be replaced by the 802.11i standard
• Allows for a simple version of encryption -
  WPA-PSK
• Pre-shared keys are similar to WEP keys, but
  rotation of the keys will take place, minimizing
  the risk of cracking

70
Temporal Encryption Keys

• TKIP is a system that is used to change the
  encryption in use on the WLAN
• Essentially changes the WEP key so frequently
  that sniffing the network and cracking the
  password is not feasible
• This will defeat AirSnort type attacks against
  the IV
• Not all access points support TKIP

71
Configure Logging

• In addition to actually performing all of these
  security functions, make sure that there is also
  a log of everything that happens
• Many Access Points and RADIUS servers and send
  log data to a syslog server
• Consider consolidating logs from many APs on to a
  single log server (such as the Kiwi Syslog
  server)
• http//www.kiwisyslog.com/
• Use log analysis and customized alerting to tell
  you of interesting events (such as failed
  administrator logon attempts)
• You could even get real-time pages of hacks!

72
Wireless Network Designs

• Where you put your access point(s) in the network
  have a huge impact on security
• In terms of network designs, consider the
  wireless net as hostile as Internet
• The least secure place to connect an access point
  is to your Internal network
• If possible, put on a dedicated network, and
  force access through a firewall or VPN appliance

73
Access Points on a DMZ

• Here you control and log Wireless traffic with a
  firewall
• It may be possible to limit access to deny all by
  default, but allow access top specific servers
  and the Internet

74
Wireless Networks

• The wireless network, be it behind a firewall or
  not, may actually be one large Virtual LAN (VLAN)
• Thus, you could have wireless access points all
  over the building or organization, but on the
  same VLAN
• This allow for roaming
• It also allows for centralization of all access
  points to a single firewall device
• Also allows for a single place to monitor all
  traffic with a protocol analyzer or IDS

75
Use an Intrusion Detection System

• An Intrusion Detection System (IDS) might alert
  you to the presence of attacks
• This is another advantage of using a Wireless
  VLAN (only one IDS port required)
• There are also IDS systems specifically for
  wireless
• Can use honey pots to emulate vulnerable hosts
  (and tell you about it)
• Can also use software designed to confuse war
  drivers by sending hundreds or thousands of bogus
  SSIDs ala FakeAP
• http//www.blackalchemy.to/project/fakeap/

76
Using a VPN Concentrator

• If you are using a VPN concentrator, you may be
  able to use totally insecure wireless and force
  security through existing or new VPN services

77
Policies and Procedures

• Due to the difficulty of controlling wireless, it
  would be wise to establish some policies and
  procedures to regulate their usage
• Installation should only be performed by the I.T.
  department (no individuals or departments should
  ever install them)
• Try to hook into the purchasing process such that
  wireless purchase orders require authorization
  from I.T.
• Verify compliance by wardriving your own
  organization regularly

78
Policies and Procedures

• Create minimum mandatory standards for all access
  points (WEP, etc.)
• Require the use of authentication, and use
  controlled authentication databases
• Require that people not share encryption keys,
  passwords, etc.
• Require that APs be turned off when not in use
  (especially after-hours)
• Lock down clients that have certificates and keys
  programmed in to them

79
Discussion

• This presentation to be available at
• http//lachniet.com/powerpoint
• Mark LachnietCISSP, CISA, MCSE, MCNE, CCSE,
  LPIC-1, TICSA
• Technical Director, Security GroupAnalysts
  International(517) 336-1004 (voice)(517)
  336-1100 (fax)mailto mlachniet_at_analysts.com