secure w lan
Post on 04-Apr-2018
-
7/30/2019 Secure w Lan
Securing the Wireless LAN
George Ou
Network Systems Architect
Contributing editor, ZDNet
http://blogs.zdnet.com/Ou
-
Contents
Introduction
Relative risks of Wireless LANs
Six dumbest ways to secure a WLAN
Tools of the wireless LAN hacker
The best ways to secure the WLAN
SOHO WLAN implementations
Enterprise WLAN implementations
-
Introduction
Wireless security is a huge headache in IT
Wireless security is widely misunderstood
Wireless security is everyone's problem even if you don't think you have a WLAN
Banning WLANs often results in improvised home-grown solutions
Wireless LANs can be secured
Wireless security is applicable elsewhere in IT
-
Relative risks of Wireless LANs
Wireless security is NOT an oxymoron
Less dangerous than having an Internet connection, direct or indirect
Attacks from the Internet can come from anywhere on the entire globe
  Web/FTP/Mail/DNS Servers
  Back doors R00TK1T5 that can dial home
Attacks on Wireless LANs are limited to a couple of kilometers
-
Six dumbest ways to secure a WLAN - Overview
MAC authentication
SSID hiding
LEAP authentication
Disabling DHCP
Antenna placement and signal suppression
Switch to 802.11a or Bluetooth Wireless LANs
Dishonorable mention: WEP
Original article on http://blogs.zdnet.com/Ou
-
Six dumbest ways to secure a WLAN - MAC authentication
Use of the word "authentication" is laughable
All that's happening is MAC address filtering
MAC addresses are transmitted in clear text
  Extremely easy to capture
  Extremely easy to clone and defeat
Extremely difficult to manage MAC filtering
-
Six dumbest ways to secure a WLAN - MAC spoofing
-
Six dumbest ways to secure a WLAN - SSID hiding
No such thing as hiding an SSID
All that's happening is Access Point beacon suppression
Four other SSID broadcasts not suppressed
  Probe requests
  Probe responses
  Association requests
  Re-association requests
SSIDs must be transmitted in clear text or else 802.11 cannot function
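What the MAC authentication and SSID hiding slides describe, seen from a monitoring tool's side, as an added example that is not part of the original slides: a minimal 802.11 management-frame parser showing that the transmitter MAC and the SSID element stay readable in the frame types listed above even when the beacon carries an empty SSID. The frames, MAC addresses and the SSID `corp-wlan` are constructed sample data.

```python
# subtype -> (name, bytes of fixed fields that precede the tagged elements)
MGMT = {0: ("association request", 4), 2: ("reassociation request", 10),
        4: ("probe request", 0), 5: ("probe response", 12), 8: ("beacon", 12)}

def parse_mgmt(frame: bytes):
    """Return (subtype name, transmitter MAC, SSID or None) for one frame."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte management header")
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in MGMT:
        raise ValueError("not a management subtype handled here")
    name, fixed = MGMT[subtype]
    mac = ":".join(f"{b:02x}" for b in frame[10:16])    # Address 2, never encrypted
    pos, ssid = 24 + fixed, None
    while pos + 2 <= len(frame):                        # walk tag/length/value elements
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:
            break                                       # truncated element, stop
        if eid == 0:                                    # element 0 is the SSID
            # beacon suppression sends an empty or all-NUL SSID
            ssid = body.decode("utf-8", "replace") if body.strip(b"\x00") else None
            break
        pos += 2 + elen
    return name, mac, ssid

# Constructed sample frames (locally administered MACs, made-up SSID).
AP, CLIENT = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")

def build(subtype: int, src: bytes, ssid: bytes) -> bytes:
    header = bytes([subtype << 4, 0, 0, 0]) + AP + src + AP + b"\x00\x00"
    return header + bytes(MGMT[subtype][1]) + bytes([0, len(ssid)]) + ssid

SAMPLES = [build(8, AP, b""), build(4, CLIENT, b"corp-wlan"),
           build(5, AP, b"corp-wlan"), build(0, CLIENT, b"corp-wlan"),
           build(2, CLIENT, b"corp-wlan")]

def observed():
    return [parse_mgmt(f) for f in SAMPLES]

if __name__ == "__main__":
    for name, mac, ssid in observed():
        print(f"{name:22} from {mac}  SSID={ssid!r}")
```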
-
Six dumbest ways to secure a WLAN - LEAP authentication
Cisco LEAP authentication is extremely weak
LEAP successor EAP-FAST not much better
Cisco dominates Enterprise WLAN market
Significant percentage of Cisco shops use LEAP but have started to migrate to EAP-TLS
LEAP and EAP-FAST are free on client side
Only Cisco can sell LEAP and EAP-FAST on Access Points
Cisco APs support all open authentication standards like EAP-TLS and PEAP
http://www.lanarchitect.net/Articles/Wireless/LEAP/index.htm
http://www.lanarchitect.net/Articles/Wireless/EAP-FAST/index.htm
-
Six dumbest ways to secure a WLAN - Disabling DHCP
Disabling DHCP and forcing the use of static IP addresses is another common myth
IP schemes are easy to figure out since the IP addresses are sent over the air in clear text
Takes less than a minute to figure out an IP scheme and statically enter an IP address
-
Six dumbest ways to secure a WLAN - Antenna placement and signal suppression
Antenna placement and signal suppression do nothing to encrypt data
The hacker's antenna is bigger than yours
Directional high-gain antennas can pick up a weak signal from several kilometers away
Lowering the signal hurts legitimate users a lot more than it hurts the hackers
Wi-Fi paint or wallpaper is not 100% leak proof and is very expensive to implement
-
Six dumbest ways to secure a WLAN - Switch to 802.11a or Bluetooth wireless LANs
802.11a is a transport mechanism similar to 802.11b or 802.11g
802.11a has nothing to do with security
Pray that the hacker doesn't have 5 GHz 802.11a capable equipment
Bluetooth is more of a wireless USB alternative
  Can be used for wireless networking but not designed as an 802.11 a or b/g replacement
-
Six dumbest ways to secure a WLAN - Dishonorable mention: WEP
WEP barely missed the six dumbest list because it can still hold up for a couple of minutes
Hacker named KoreK releases new WEP analysis tool in August 2004
WEP coupled with 802.1x and EAP key rotation (AKA DWEP) is considered broken
Packet injection techniques lower WEP cracking times to minutes
Article: Next generation WEP cracking tools
http://blogs.zdnet.com/Ou/index.php?p=20
-
Tools of the wireless LAN hacker - Overview
Software
  Auditor CD
  Kismet
  ASLEAP
  Void11, Aireplay, Airodump, and Aircrack
Hardware
  Cheap and compatible cardbus adapters
  Omni directional high-gain antennas
  Directional high-gain antennas
  Off the shelf Laptop computer
-
Tools of the wireless LAN hacker - Auditor CD
Bootable Linux CD with every security auditing tool under the sun
Everything needed to penetrate most wireless LANs and more
Mentioned as a favorite of the FBI
Relatively easy to use
-
Tools of the wireless LAN hacker - Kismet
Kismet is a Linux wireless LAN audit tool
Can see hidden SSIDs
Can see MAC addresses
Can see IP schemes
Can capture raw packets
GUI version lays everything out
-
Tools of the wireless LAN hacker - ASLEAP
ASLEAP cracks Cisco LEAP authentication
Exploits weak MSCHAPv2 authentication
Uses pre-computed indexed hash tables
Checks 45 million passwords a second
Upgraded to support PPTP VPN cracking
-
Tools of the wireless LAN hacker - Void11, Aireplay, Airodump, and Aircrack
New set of tools makes WEP cracking hundreds of times faster
Void11 forces users to re-authenticate
Aireplay monitors re-auth session for ARP and then plays back the ARP request to trigger responses from legitimate computers
Airodump captures all of the raw packets
Aircrack only needs 200,000 packets instead of 10,000,000 packets from previous tools
-
Tools of the wireless LAN hacker - Hardware: Cheap and compatible cardbus adapters
Prism 2/3 based 802.11b adapters
PrismGT based 802.11 b/g adapters
Atheros based 802.11 a/b/g adapters
All typically around $40 to $70 USD
All compatible with Linux cracking tools
-
Tools of the wireless LAN hacker - Omni directional high-gain antennas
Typically 7 to 9 dB gain
General purpose surveying and war driving
Can be used to create evil twin access point
Less than $100 USD
-
Tools of the wireless LAN hacker - Directional high-gain antennas
Used to aim and focus in on victim
Picks up weak signals many kilometers away
Around $100 USD
-
Tools of the wireless LAN hacker - Off the shelf Laptops
Any Laptop or PC can be used for hacking
New Laptops with good cracking speed are as low as $400 USD
Wireless hacking is NOT cost prohibitive!
-
The best ways to secure the WLAN - Overview
Good cryptography allows secure communications over unsecured medium
Follow best practice cryptographic principles
  Strong authentication
  Strong encryption
WPA and WPA2 standards
-
The best ways to secure the WLAN - Strong authentication background
Strong authentication is often overlooked
Well established secure authentication methods all use SSL or TLS tunnels
TLS is the successor of SSL
SSL has been used for nearly a decade in E-Commerce
SSL or TLS requires Digital Certificates
Digital Certificates usually involve some form of PKI and Certificate management
-
The best ways to secure the WLAN - Strong authentication in Wireless LANs
Wireless LANs typically use 802.1x and EAP
Common standard EAP types are EAP-TLS, EAP-TTLS and PEAP
LEAP and EAP-FAST are not standard
EAP-TLS requires server and client certificates
EAP-TTLS and PEAP only require client-side certificates
EAP-TTLS created by Funk and Certicom
PEAP created by Microsoft, Cisco and RSA
Details on EAP types at: http://blogs.zdnet.com/Ou/?p=67
-
The best ways to secure the WLAN - Strong authentication and RADIUS servers
EAP authentication requires RADIUS support in Access Point and one or more RADIUS servers
Microsoft Windows 2003 Server has fully functional RADIUS component called IAS
  Supports EAP-TLS and PEAP
  Windows 2000 only supports EAP-TLS
  Easily integrates into NT domains or Active Directory
Funk Software makes Steel-Belted and Odyssey
Open source FreeRADIUS supports broad range of EAP types
-
The best ways to secure the WLAN - Strong encryption
Encryption is well understood
No known methods of breaking good encryption
DES encryption has never been cryptanalyzed in nearly 30 years and must be brute forced
3DES still considered solid but slow
AES is the official successor to DES and is solid at 128, 192, or 256 bits
-
The best ways to secure the WLAN - Strong encryption in Wireless LANs
RC4 encryption is known to be weak
WEP uses a form of RC4 encryption
Dynamic WEP makes WEP cracking harder
TKIP is a rewritten WEP algorithm
No known methods against TKIP yet but some theoretical attacks are on the horizon
AES encryption mandated in the newest Wireless LAN standards is rock solid
-
The best ways to secure the WLAN - WPA and WPA2 standards
WPA used a trimmed down version of 802.11i
WPA2 uses the ratified 802.11i standard
WPA and WPA2 certified EAP types
  EAP-TLS (first certified EAP type)
  EAP-TTLS
  PEAPv0/EAP-MSCHAPv2 (Commonly known as PEAP)
  PEAPv1/EAP-GTC
  EAP-SIM
WPA requires TKIP capability with AES optional
WPA2 requires both TKIP and AES capability
Details on EAP types at: http://blogs.zdnet.com/Ou/?p=67
-
SOHO WLAN implementations
Minimum encryption should be TKIP
Run AES encryption if possible
EAP authentication usually not feasible for small offices and home offices
SOHO WLANs usually rely on WPA-PSK
  PSK (pre-shared keys) are easier than WEP with 26 HEX digits
  PSK must be at least 8 alphanumeric random characters
Zyxel offers Access Points with PEAP RADIUS built-in
http://us.zyxel.com/
-
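For the WPA-PSK advice on the SOHO slide, an added example (not from the original slides) that generates a random alphanumeric passphrase, checks a candidate against the WPA-PSK input rules, compares its entropy with a 26-hex-digit WEP key, and derives the 256-bit key the way 802.11i specifies (PBKDF2-HMAC-SHA1 with the SSID as salt). The function names and the SSID `home-ap` are assumptions made for illustration.

```python
import hashlib
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits           # 62 symbols

def generate_psk(length: int = 20) -> str:
    """Random alphanumeric WPA passphrase drawn from the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return "".join(secrets.choice(ALNUM) for _ in range(length))

def random_bits(length: int, alphabet: int = len(ALNUM)) -> float:
    """Entropy of `length` symbols chosen uniformly from `alphabet` values."""
    return length * math.log2(alphabet)

def length_for_bits(bits: float) -> int:
    """Shortest random alphanumeric passphrase with at least `bits` entropy."""
    return math.ceil(bits / math.log2(len(ALNUM)))

def check_psk(psk: str) -> str:
    """Classify a candidate against the WPA-PSK input rules."""
    if len(psk) == 64 and all(c in string.hexdigits for c in psk):
        return "raw 256-bit key"
    if not 8 <= len(psk) <= 63:
        return "rejected: length must be 8 to 63"
    if any(not 32 <= ord(c) <= 126 for c in psk):
        return "rejected: printable ASCII only"
    return "passphrase"

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """256-bit master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if check_psk(passphrase) != "passphrase":
        raise ValueError("not a valid WPA passphrase")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

if __name__ == "__main__":
    psk = generate_psk()
    print(psk, check_psk(psk), f"{random_bits(len(psk)):.1f} bits")
    print(f"8 random characters: {random_bits(8):.1f} bits; "
          f"26 hex WEP digits: {random_bits(26, 16):.0f} bits; "
          f"characters to match: {length_for_bits(104)}")
    # 'home-ap' is a constructed SSID; the same passphrase gives a different key per SSID
    print(wpa_pmk(psk, "home-ap").hex())
```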
Enterprise WLAN implementations - WPA and WPA2 standards
Minimum encryption should be TKIP
Run AES encryption if possible
EAP-TLS authentication recommended
PEAP or EAP-TTLS authentication at a minimum
-
Enterprise WLAN implementations - Wireless Switches
Wireless LAN switches manage large numbers of Access Points
Much easier to manage
Wireless switch makers
  Symbol
  Cisco Airespace
  Aruba
-
Enterprise WLAN implementations - Advanced security implementations
Multiple Virtual SSID and VLAN support
VLAN assignment based on group membership
Guest Wireless LANs that are isolated
Mitigating WEP security risks for WEP only devices using Firewall or Router ACLs (Access Control Lists)
Can be done with single device such as the Cisco 851W which is a Firewall, Router, Managed Switch, and Access Point all-in-one