pcie it roundtable workshop

Annual Conference

PCIE/ECIE

Evaluating Wireless Networks

Robert W. Cobband Staff

National Aeronautics and Space Administration

IT Roundtable25 March 2003

2

Annual Conference

PCIE/ECIE

Outline

• Introduction to wireless networks• Threats and vulnerabilities• Evaluating wireless networks

• Objectives• Methodology• Tools• Findings• General recommendations

• Conclusion

3

Annual Conference

PCIE/ECIE

Introduction to Wireless Networks

• Fastest-growing computer communications technology

• Agencies increasingly use wireless networks• Convenient• Flexible• Inexpensive• Easy to implement

4

Annual Conference

PCIE/ECIE

Introduction to Wireless Networks (cont.)

• Uses radio waves instead of cables• Consists of

• Access Points• Wireless clients (e.g. laptops, PDAs)• Gateways to wired networks

• Major standard• Institute of Electrical and Electronic Engineers (IEEE)

802.11, Wireless Local Area Networks

5

Annual Conference

PCIE/ECIE

6

Annual Conference

PCIE/ECIE

Threats

• Disclosure of sensitive/confidential data• Denial of service (DoS)• Unauthorized access to wireless-enabled

resources• Potential weakening of existing security

measures on connected wired networks and systems

7

Annual Conference

PCIE/ECIE

8

Annual Conference

PCIE/ECIE

Vulnerabilities

• Wired Equivalent Privacy (WEP) encryption standard extremely weak

• Radio signals susceptible to jamming and interference• Protocol vulnerabilities allow

• Network sessions to be taken over by an intruder• Injection of invalid data into network traffic• Network reconnaissance

9

Annual Conference

PCIE/ECIE

Evaluating Wireless Networks

• Wireless networks are• Easy to implement• Difficult to secure

• Policies often have not been developed

10

Annual Conference

PCIE/ECIE

Evaluation Objectives

• Assess the current Agency/Department position regarding wireless networks

• Examine the use of wireless technology• Evaluate the security of wireless network applications

including threats to• Data integrity• Confidentiality• Availability of services and resources• Security of wired networks

• Determine the level of staff awareness of wireless technology

11

Annual Conference

PCIE/ECIE

Evaluation Methodology

• External scanning to illustrate the ease with which unauthorized persons could intercept wireless signals

• Internal scanning and physical inspection to verify the source of signals

• Traffic analysis to see if sensitive data is being transmitted, if transmissions are encrypted, and how vulnerable the networks are to attack

• Review network topologies to assess connectivity to wired networks and determine measures to protect wired networks

• Meet with wireless users and administrators to assess awareness, employee expertise, and strength of security measures

12

Annual Conference

PCIE/ECIE

Evaluation Tools

• Hardware• Laptop• Wireless network card• Antenna• GPS

• Wireless sniffing software• WEP encryption cracking software• Mapping software

13

Annual Conference

PCIE/ECIE

Evaluation Findings

• Wireless networks with inadequate security• Ranges of wireless networks exceed physical

boundaries of user organizations• Non-existent or inadequate policies on wireless networks• IT staff with inadequate enforcement authority over

wireless networks• Insufficient employee awareness on agency position

over the use of wireless networks

14

Annual Conference

PCIE/ECIE

Example: Many wireless networks do not use WEP or other encryption to protect network traffic.

▲ = Access points using encryption▲ = Access points without encryption

15

Annual Conference

PCIE/ECIE

Example: The radio signal from a wireless network can spill over from the building where access points are located to neighboring buildings, parking lots and public roads.

16

Annual Conference

PCIE/ECIE

General Evaluation Recommendations

• Develop wireless network policies• Perform risk assessments to determine required

level of security• Limit access to wireless networks through the

use of Virtual Private Networks (VPN)• Maintain logical separation between wireless

and wired networks• Monitor for wireless applications (i.e., actively

enforce policies)

17

Annual Conference

PCIE/ECIE

Conclusion

• Wireless network evaluations are easy to conduct using inexpensive or freely available tools.

• Evaluations are very necessary• Wireless networks are inexpensive, convenient, and

simple to use – so people will use them. • BUT, wireless networks are vulnerable.

18

Annual Conference

PCIE/ECIE

Contacts for Wireless Network Evaluations

Stephen Mullins

(916) 408-5573

stephen.mullins@tigta.treas.gov

Jamil Farshchi

(202) 358-1897

jamil@nasa.gov