Detecting Misuses of Wireless Networks

Pierre Ansel – Laurent Butti
France Telecom Division R&D
firstname dot lastname at francetelecom dot com

Terena Networking Conference, 15-18 May 2006, Catania, Italy
Research & Development, TNC06 – May, 2006

Agenda

- A few reminders on Wi-Fi technologies
- Overview of possible attacks
- Wi-Fi corporate access architectures
- Open issues
- Wi-Fi intrusion detection technology
- Feedback and recommendations

Introduction

- IEEE 802.11-1999 suffered from critical security issues
- Security mechanisms were unable to satisfy
  - Authentication
  - Data confidentiality and integrity
- 802.11’s conceptual weaknesses
  - WEP is impractical in corporate environments (shared secret)
  - Most weaknesses are implemented in publicly available tools
    - WEP cracking
    - Traffic injection
    - …

Introduction

- Wireless technologies are critical from a security perspective
  - Particularly in corporate environments
- Any wireless deployment may have serious security impacts
  - Radio propagation is hardly predictable
  - And anonymously reachable…
- Mastering Wi-Fi deployments in corporate environments is a big challenge!
  - Wi-Fi corporate access and intrusion detection deployment

Normative Enhancements

- IEEE 802.11i, Medium Access Control (MAC) Security Enhancements, was ratified in June 2004
- Provides enhanced security mechanisms
  - Medium access control enforcement
    - Port-Based Network Access Control (IEEE 802.1X)
  - Flexible authentication framework
    - Extensible Authentication Protocol (EAP)
  - Newly designed crypto-protocols
    - Temporal Key Integrity Protocol (TKIP) based on RC4
    - CBC-MAC Protocol (CCMP) based on AES
  - Key derivation and distribution
    - 4-Way Handshake and Group Key Handshake

Wi-Fi Corporate Access: open mode + VPN

- Securing Wi-Fi employee access thanks to IPsec
  - Deployed at France Télécom Division R&D since early 2002
- Uses Wi-Fi “open” mode and protects data above layer 3
  - WEP
    - is useless
    - does not improve the overall security level
    - is a sysadmin nightmare (shared secret)
- IPsec protocol is considered robust
  - If authentication is robust (thanks to certificates)
  - If the selected and negotiated crypto-protocol is robust

Wi-Fi Corporate Access: WPA / WPA2

- Newly supported security mechanisms in Wi-Fi Protected Access standard (WPA/WPA2) are available
  - Largely supported for 2 to 3 years … but not easy to deploy!
    - France Télécom Division R&D: WPA since late 2003, WPA2 since late 2005
- Must take into account
  - Robust authentication
  - Robust confidentiality and integrity (mandatory TKIP, recommended CCMP)
  - Robust network architecture (VLAN logical segmentation)

Open Issues

- Protecting your infrastructure is a requirement
  - Robust wireless access both for employees and visitors
- But cannot solve every potential issue
  - Weakest links remain

Weakest Link n°1: Client

- WinXP’s Preferred Networks List is updated whenever you connect to an “open” Wi-Fi network
  - Then autoconfiguration will look for these Wi-Fi networks
  - Create a fake access point emulating a client’s preferred network
  - The attacker will 0wn the client!
    - Information leaking, MitM, open shares, exploits…
- Wi-Fi/Ethernet double-attachment is also a critical issue

Weakest Link n°2: Infrastructure

- An “open” access point interconnected with a corporate wired network is a critical security breach
  - Anonymous layer 2 (and above) access to all corporate resources (depending on internal filtering policies)
  - Usually, access control is not performed within networks but at the edge (firewalls, proxies…)
- Misconfigured access points
  - Bad configurations and interconnections
- Everyone is potentially vulnerable
  - Even environments without Wi-Fi may be attacked
- How to detect and mitigate these security incidents?

Wi-Fi Intrusion Detection

- Wired supervision tools are helpless!
- Wi-Fi-specific threats:
  - A fake access point 0wning some employee laptops
  - A rogue access point interconnected with your wired networks
  - Malicious activities like WarDriving
  - Denial of service on radio side
- Wi-Fi intrusion detection is necessary!

Wi-Fi Intrusion Detection

- Listening to the radio makes it possible to detect
  - Clients and access points that are “speaking”
  - Known attacks like
    - MAC spoofing
    - WarDriving
    - Traffic injection
    - …
- Wi-Fi intrusion detection goals
  - Detect, qualify (interconnected?) and geolocalize illegitimate access points or sources

Wi-Fi Intrusion Detection

- Will automatically audit Wi-Fi access points in range thanks to deployed sensors
  - Replace periodic manual Wi-Fi audits
  - Proactive reaction when a critical security issue is detected
- Counter-measures (intrusion prevention) are also possible
  - Prevent clients from associating to rogue and fake access points
  - Deactivate switch ports where a rogue access point was localized
  - But must be used carefully
    - DoSing internal infrastructure and neighbours is not an option!

Internal Wi-Fi Intrusion Detection Tool: Features

- Internal development of a Wireless IDS from scratch
  - Goals: addressing most issues and improving our skills
- Main features
  - C language core detection engine running on WRT54G(S)
  - Flexible ruleset thanks to a basic language (~ 60 signatures)
  - Anomaly detection engine essentially for MAC spoofing detection
  - SYSLOG based alerting
  - On-the-fly aggregation and correlation thanks to SEC
  - Offline correlation to qualify access points thanks to Netdisco
  - SQL storage and PHP presentation

Internal Wi-Fi Intrusion Detection Tool: Architecture Overview

[Figure: architecture diagram with components Wireless Sensor (x2), Aggregation and Correlation, Events Database, Presentation and Administration, and Site Administrator; links labelled SYSLOG, SQL, SSH/SCP and HTTPS]

- Architecture is divided into several technical parts
  - Wireless sensors: detecting and sending events
  - Central collector: event aggregation and correlation
  - Database: aggregated and correlated events storage
  - GUI: presentation and supervision/administration

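Internal Wi-Fi Intrusion Detection Tool: Architecture Overview

[Figure: deployment diagram showing access points (AP) and probes on the internal network, with the Aggregation and Correlation and Presentation and Administration components; links labelled SYSLOG, SSH/SCP, HTTPS and SQL]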

Screenshots

Internal Wi-Fi Intrusion Detection Tool: Feedback

- Development of a robust wireless IDS is not trivial
  - Amount of events (hundreds per second)
- Building an efficient GUI for sysadmins is not trivial
- Difficulty identifying all interfering access points
  - What about neighbours, hot spots?
- False positive rate is a classic issue for IDS technologies
  - Minimize this rate thanks to enhanced correlation
- Performance issues
  - Lightweight wireless probe may have packet losses
  - SQL table may become huge

Overall Requirements

- Enforce a restrictive security policy, especially in risky environments (meeting rooms, labs…)
  - Do not activate RJ45 plugs by default
  - Activate ‘Port Security’ and MAC filtering on switches
- Consider using quarantine networks for guest access
- Consider using IEEE 802.1X for your wired networks
- Maintain a list of Wi-Fi equipment
  - Network cards
  - Access points and configuration (MAC address, SSID…)
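
An inventory of access points (MAC address, SSID) is what lets a wireless IDS separate authorized from illegitimate access points, and wired-side MAC data is what lets it "qualify" one as interconnected, as in the detection goals and the offline correlation described earlier. The sketch below is an added example, not the authors' tool: the inventory, the switch data, the labels and the MAC-adjacency heuristic are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed inventory of authorized access points: BSSID -> configured SSID.
INVENTORY = {
    "00:11:22:33:44:01": "CORP-WLAN",
    "00:11:22:33:44:02": "CORP-GUEST",
}
# Constructed wired-side view: MAC address -> switch port where it was learned
# (the export format of the switch-inventory tool is an assumption).
WIRED_PORTS = {"00:aa:bb:cc:dd:10": "sw-lab-1/7"}


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str


def mac_int(mac: str) -> int:
    """Parse a MAC written with ':' or '-' separators, in any letter case."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def wired_port(bssid: str, wired=WIRED_PORTS, max_delta: int = 1):
    """Heuristic (assumption): an AP's Ethernet and radio MACs are often
    numerically adjacent, so a wired MAC within max_delta suggests the AP
    is plugged into that switch port."""
    radio = mac_int(bssid)
    for mac, port in wired.items():
        if abs(mac_int(mac) - radio) <= max_delta:
            return port
    return None


def classify(beacon: Beacon, inventory=INVENTORY, wired=WIRED_PORTS):
    """Return (label, switch_port_or_None) for one observed access point."""
    known = {mac_int(m): ssid for m, ssid in inventory.items()}
    expected = known.get(mac_int(beacon.bssid))
    if expected is not None:
        label = "authorized" if expected == beacon.ssid else "misconfigured"
        return label, None
    port = wired_port(beacon.bssid, wired)
    if port is not None:
        return "rogue-interconnected", port
    if beacon.ssid in inventory.values():
        return "fake", None            # corporate SSID from an unlisted BSSID
    return "unlisted", None            # neighbour, hot spot: needs review
```

The "unlisted" label is deliberately not an alert: neighbours and hot spots land there and need the kind of qualification the slides describe before any counter-measure is considered.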

Specific requirements for employee access

- Use robust authentication
  - Certificates whenever possible
    - IKE with certificates for IPsec tunneling
    - EAP-TLS for WPA/WPA2
    - Smart cards for robust private keys storage
- Use robust crypto-protocols for data communications
  - 3DES/AES for IPsec tunneling
  - CCMP for WPA2 and TKIP for WPA
- Consider Wi-Fi access as external networks
  - Logical VLAN segmentation and network filtering enforcement

Specific requirements for client configuration

- If Wi-Fi is not a requirement, physically deactivate Wi-Fi (remove mini-PCI card)
- Use a double-attachment prevention system
- Periodically clean WinXP’s Preferred Networks List
- Use a well-configured firewall to enforce filtering, especially on Windows protocols

Specific Requirements: Wi-Fi Intrusion Detection

- Must be evaluated in terms of security
  - Results are somewhat variable
  - Evaluate packet losses at wireless sensors
  - Tune your ruleset for performance and effectiveness
  - Attacks aimed at Wi-Fi intrusion detection systems are becoming available
    - Log filling
- Select solutions that
  - Have minimal impacts on your architecture
  - Have geolocalization capabilities
  - Use intrusion prevention techniques
- Deploy enough wireless sensors at the edge of your physical perimeter
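
The event volume noted in the feedback slide (hundreds per second) and the log-filling risk above are both reasons to aggregate alerts before storing them. The following added example is a simplified stand-in for that aggregation step, not SEC rule syntax and not the authors' code; the syslog line format and the signature names are constructed for illustration.

```python
import re

# Assumed alert format: "<epoch> <sensor> WIDS sig=<signature> src=<mac>"
LINE = re.compile(r"^(?P<ts>\d+) (?P<sensor>\S+) WIDS sig=(?P<sig>\S+) src=(?P<src>\S+)$")

# Constructed sample alerts (not real captures).
SAMPLE = [
    "1147680000 sensor1 WIDS sig=DEAUTH_FLOOD src=00:11:22:33:44:55",
    "1147680001 sensor2 WIDS sig=DEAUTH_FLOOD src=00:11:22:33:44:55",
    "1147680002 sensor1 WIDS sig=DEAUTH_FLOOD src=00:11:22:33:44:55",
    "1147680003 sensor1 WIDS sig=NULL_PROBE src=00:aa:bb:cc:dd:01",
    "1147680004 sensor1 WIDS sig=NULL_PROBE src=00:aa:bb:cc:dd:02",
    "1147680005 sensor1 WIDS sig=NULL_PROBE src=00:aa:bb:cc:dd:03",
    "garbage line",
    "1147680070 sensor1 WIDS sig=DEAUTH_FLOOD src=00:11:22:33:44:55",
]


def aggregate(lines, window=60, max_keys=1000):
    """Collapse repeated alerts per (signature, source MAC) within `window`
    seconds. Returns (events, unparsed_count). Once `max_keys` events are
    open, new sources are folded into one "*" bucket per signature, so
    randomized source addresses cannot grow state or storage without bound."""
    open_ev, closed, unparsed = {}, [], 0
    for line in lines:
        m = LINE.match(line)
        if m is None:
            unparsed += 1
            continue
        ts, key = int(m["ts"]), (m["sig"], m["src"].lower())
        if key not in open_ev and len(open_ev) >= max_keys:
            key = (m["sig"], "*")                 # state full: fold new sources
        if key in open_ev and ts - open_ev[key]["first"] >= window:
            closed.append(open_ev.pop(key))       # window expired: emit, restart
        ev = open_ev.setdefault(key, {"sig": key[0], "src": key[1], "first": ts,
                                      "last": ts, "count": 0, "sensors": set()})
        ev["count"] += 1
        ev["last"] = ts
        ev["sensors"].add(m["sensor"])            # which sensors heard the source
    return closed + list(open_ev.values()), unparsed
```

Each stored row then carries a count and the set of sensors that reported it, which keeps the SQL table small and preserves the multi-sensor information needed for correlation.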

Conclusions

- Radio technologies have serious impacts on security
  - Do not consider them as negligible
- Mastering wireless deployments is a global approach
  - Restrictive network security policy
  - Laptop configuration hardening
  - Robust Wi-Fi employee access deployment
  - Wi-Fi intrusion detection system deployment

Questions …

Introduction

- Wi-Fi is defined by the Wi-Fi Alliance
  - Standards specified in the IEEE 802.11 Working Group
    - Group 802: IEEE Standard for Local and Metropolitan Area Network
    - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications
- Widely available technology
  - Enterprise
  - Residential (wireless boxes)
  - Hot spots

Are You Confident in Radio Propagation?

Wi-Fi range is usually a few dozen meters, but…

Summary

- Wi-Fi corporate access thanks to IPsec and WPA/WPA2
  - Robust authentication thanks to certificates and smart cards
  - Robust confidentiality and integrity mandatory
- Wi-Fi visitor access thanks to a captive portal technique
  - Robust authentication thanks to a dynamically created token
- Double-attachment prevention
  - Internal tool
- Rogue access point and wireless attacks detection
  - Design, implementation and deployment of a fully-featured wireless intrusion detection system