Wireless LAN Security: Risks & Defenses


Page 1: Wireless LAN Security: Risks & Defenses

Copyright © 2002-2005 AirDefense Proprietary and Confidential.

Wireless LAN Security: Hacker-proof Your Wireless LAN

Kevin McCaffrey

Director, Mid-Atlantic Region

[email protected]

Page 2: Wireless LAN Security: Risks & Defenses

Unsecured Wireless Networks can be Devastating!

Wireless Networks Improve Productivity…They Also Open Backdoors, Making Security Investments Obsolete

Page 3: Wireless LAN Security: Risks & Defenses

AirDefense Snapshot

• Focus: Pioneered Advanced Wireless Intrusion Prevention
• Innovation: 15 Patents pending; Deep Differentiated Technology with Best Detection and Protection Against the Most Sophisticated Attacks
• Leadership: One of the Fastest Growing Companies; Absolute Market Leadership - 75%+ Market Share
• Customers: Selected by over 400 Customers including Market Leaders in all Major Industries and Government
• Partners: Selected by Industry Leaders e.g. Cisco, IBM, CSC and others
• Awards: Won Numerous Industry Awards for Innovation and Recommended by Industry Analysts

Page 4: Wireless LAN Security: Risks & Defenses

Wireless is here to stay…

[Chart: Total APs & WLAN Devices Shipped, in millions of units, 2002-2005]

Total APs & WLAN Device shipments have crossed the 100 million mark and growing rapidly

Survey carried out by Carrie Higbie, The Siemon Company, to evaluate how secure business travelers were. Out of 17 cities (24-48 hrs at each location), on her laptop there were:

• 227 intrusion attempts
• 321 Spyware loads (many came right off the main site to sign up for service)
• 21 attempts to get passwords
• 3 sent critical info (like credit card info) via clear text

• Innocent employee mistakes and human errors make the entire network open and vulnerable
• Rogue devices are almost assured in enterprise air domain
• Most threats and attacks go undetected
• Liability and corporate compliance issues are just beginning to surface
• Policy Enforcement is KEY

Page 5: Wireless LAN Security: Risks & Defenses

Wireless LAN Risks are Real and Occurring Daily…

"Wireless networks are wide open," says Steve Lewack, director of technology services for Columbus Regional Medical Center in Columbus, Ga.

Identity thieves can lurk at Wi-Fi spots

NEW YORK (CNN/Money) - With more than 20,000 hot spots just in the U.S., it's no wonder everyone has gone

5 Tips: Keeping your Wi-Fi use private

Hackers, Thieves Use Laptops, Other Wi-Fi Devices to Access Corporate Computer Systems

Wireless Mischief Double Jeopardy

But falling prey to an evil twin isn't just a problem for personal users. Spencer Parker, a director of

AirDefense’s wireless IDS performs preliminary data analysis and cleaning at the sensor before forwarding

Making Sense of Wireless IPS

LONDON, England -- "Evil twins" are the latest menace to threaten the security of Internet users, experts in the UK are warning.

NEW YORK - If you think that wireless applications have become completely ubiquitous in corporate

How Lehman Brothers Overcame Its Wireless Fears

A Latte with a Side of Identity Theft

What you need to know before your next visit to your favorite coffee shop?

Wi-Fi Security stories quadrupled since last year

Page 6: Wireless LAN Security: Risks & Defenses

What is Driving Evolution of Wireless Security?

Drivers
• Increased business dependency on Wireless
• Increasing user base
• At home and Hotspot use
• Evolving Standards and newer technologies
• VOIP
• One simple issue can expose the whole corporate network

Security issues
• Recreational hacker -> activist -> organized crime -> industrial espionage
• Greater proliferation of viruses
• Increased tooling to exploit vulnerabilities
• Internal vs. external threats
• Malicious intent vs. accidental

Secure Wireless & Policy Compliance are keys to Successful Deployment

Page 7: Wireless LAN Security: Risks & Defenses

Threats from Wireless Devices

[Diagram labels: Corporate Network, Confidential Data, Hardware AP, Rogue Access Point, Soft AP, Wireless Laptop, Barcode Scanner, Ad-Hoc, Parking Lot, Intruder, Neighboring WLAN, Hotspot, Evil Twin; Beacons, Probes, Accidental Association, Malicious Association]

Rogue Devices signals bleed around physical walls and firewalls

• Intruders or hackers can launch attacks (DoS, Identity Theft)
• Associations accidental, malicious; peer-to-peer/ad hoc. VPN & Authentication don’t help
• Bridging wireless laptops: opens back doors and exposes wired network
• Wireless Phishing: can hijack users at hotspots (AirSnarf, Hotspotter, Evil Twin)

Page 8: Wireless LAN Security: Risks & Defenses

Tools & Trends for the Hacker Wannabe

[Screenshots: WiGLE.net; "Connected to www.test.com"]

Scanners: NetStumbler and MiniStumbler, Kismet, THC-WarDrive, PrismStumbler, MacStumbler, Mognet, Wellenreiter, WaveStumbler, Stumbverter, AP Scanner, SSID Sniff, Wavemon, Wireless Security Auditor, AirTraf

Sniffers: AiroPeek, NAI Wireless Sniffer, Ethereal, VPNmonitor

Bootable CDRom: WarLinux, Knoppix, LSAKnopix

Exploit Tools: Pong “GSTsearch”, Ittra

Denial of Service: Hunter_Killer, VOID, FATAjack, Michael

Multi-use Tools: AirJack, THC-RUT, Ettercap

WEP Tools: WEPCrack, AirSnort, WEPWedgie

Soft APs: HostAP, CqureAP, DiskAP, Coyote

Other Tools: Fake AP, MonkeyJack, AirSnarf, WINPCAP

Page 9: Wireless LAN Security: Risks & Defenses

Evolving Trends: A Race Against New Vulnerabilities

Sophistication of Tools

• Reconnaissance: Detect WLANs (Netstumbler, Kismet)
• Sniffing: Capture Traffic: Network Protocols, data, Credentials (Ethereal, Cain)
• Masquerading: Stealth Intrusion: Mac Spoofing, WEPwedgie, Man-in-the-middle, AirSnarf, Evil Twin
• Insertion, Injection: Network Manipulation (ARPwinARPoisoning)
• DoS Attacks: Disruption (AirJack, Hunter-Killer)

Page 10: Wireless LAN Security: Risks & Defenses

Device Impersonation – Access Points

3 simple steps

1. Determine User Station MAC address & unplug the station
2. Copy valid user MAC to AP
3. Connect AP into Network

[Diagram labels: User Station (Valid Internal MAC: 00 02 2D 50 D1 4E); Rogue AP (ORIGINAL MAC: 00 12 2D 50 43 1E, NEW MAC: 00 02 2D 50 D1 4E)]

Implications:
• Wired-side AP discovery can be fooled
• Monitor your air waves

Page 11: Wireless LAN Security: Risks & Defenses

Soft AP: Make any Laptop an AP

• Bootable Floppy disk: http://ap.cqure.net/ , http://www.coyotelinux.com/
• Freeware: HostAP http://hostap.epitest.fi/
• RPM install for 8.0 and 9.0 of Redhat: http://www.cat.pdx.edu/~baera/redhat_hostap/
• No special firmware required for the wireless LAN card
• Supports normal laptop in Infrastructure and Ad hoc
• Soft APs come and go

Monitor for Soft APs

Page 12: Wireless LAN Security: Risks & Defenses

Now Coming to a Windows LAPTOP Near YOU!

http://www.pctel.com/prodSegSam.html

http://www.quetec.net

Page 13: Wireless LAN Security: Risks & Defenses

WLAN Denial of Service Attacks

• Against an AP: Keeps all traffic from communicating with the rest of the network
• Against a Station: Keeps the Station from communicating with any device
• Broadcast: All network devices, including some internal networks, shut down

DoS a Station with WLAN-Jack

1. User enjoying good connection
2. Impersonate AP by spoofing the MAC
3. Send Disassoc & Deauth frames

[Diagram labels: Target (User); AP (MAC: 00 02 2D 50 D1 4E); Attacker (ORIGINAL MAC: 00 12 2D 50 43 1E, NEW MAC: 00 02 2D 50 D1 4E)]

Page 14: Wireless LAN Security: Risks & Defenses

Man-in-the-Middle Attack

WLAN Jack & Air-Jack tools

First Step: Disassociation of Target station from AP by spoofing the MAC of the AP and sending Disassociate & Deauth Frames

Second Step: Attacker re-associates target to Malicious station and connects to AP

[Diagram labels: Target, Server, AP, Dual-Card Attacker]

Page 15: Wireless LAN Security: Risks & Defenses

Ad-hoc networks – Peer to Peer

No Access Point Needed

• Native support in XP
• Client software in other Windows OS
• Laptops can be put in ad hoc mode remotely (virus, Trojan horse)
• Scanners not effective for detecting ad hoc – they come and go

Monitor for ad hoc networks

Page 16: Wireless LAN Security: Risks & Defenses

What is my Laptop Doing?

Associating? Forming ad hoc network?

List of Access Points (SSIDs) to which it has connected

XP stations send probes looking for SSIDs they have connected with in the past

Monitoring can tell you about probing or unassociated PCs

Page 17: Wireless LAN Security: Risks & Defenses

Wireless LANs: End-to-End Security

Layered Approach to Security

Wireless Monitoring & IPS System

Page 18: Wireless LAN Security: Risks & Defenses

Handheld Scanners

What it does:
• Manually Used to Troubleshoot Issues in Specific Areas
• Used for War driving & periodic site surveys

Pros:
• Inexpensive tool; expensive labor and risks

Cons:
• Single Snapshot in time: ONLY sees what is present at time of survey
• Uncorrelated Information
• Not cost effective
• Need Personnel resources per site
• Not scalable for large organizations
• Distributed enterprises become difficult to monitor with regularity
• Lacks central manageability and operations
• Reporting and analysis is manual

“Current radio frequency scanning tools such as Sniffer and AirMagnet are limited in their ability to perform scalable and repeatable audits.”

META Group, September 2002

Page 19: Wireless LAN Security: Risks & Defenses

Purpose-built Monitoring & IDS/IPS

What it does: Enterprise-Wide 24x7 Full-Time Monitoring and Reporting

Pros:
• Comprehensive Enterprise View for APs and all WLAN devices
• Highest security level
• Most detailed reporting
• Enhanced operational support

Cons:
• Requires additional infrastructure

Page 20: Wireless LAN Security: Risks & Defenses

Expert Opinion on Wireless Monitoring

“Incorrectly set-up WLANs put the wired LAN at risk as well”

“Unmanaged WLANs can jeopardize entire enterprise network, data and operations”

“New sophisticated security risks continue to emerge as wireless matures”

“Through 2006, 70% of successful WLAN attacks will be because of the misconfiguration of APs or client software.”

“Wireless devices create backdoors for hackers and can render firewalls, IDS and VPNs useless.”

WLAN security monitoring is necessary to keep your enterprise secure

“The signature, correlation and behavior analysis that AirDefense brings to the table is best in class”

“Best all around wireless IDS solution in our lab tests”

Page 21: Wireless LAN Security: Risks & Defenses

WLAN Monitoring/IPS: Secures from Threats

[Diagram labels: Corporate Network, Confidential Data, Hardware AP, Rogue Access Point, Soft AP, Wireless Laptop, Barcode Scanner, Parking Lot, Intruder, Neighboring WLAN, Hotspot, Evil Twin; Secure, Secure]

• Proactively Prevents Exploitation of Wireless Network
• Prevents authorized stations from attaching to unauthorized devices
• Prevents unauthorized devices from attaching to the network
• Surgically identifies and removes threatening rogues
• Extends wireless protection to the mobile worker

Page 22: Wireless LAN Security: Risks & Defenses

Key Requirements for a Manageable Wireless IPS

Discover (Find It) > Analyze (Figure It Out) > Correct (Fix It)

• There is an AP nearby > It is on my network > Disconnect it from my network
• Flood of disconnect frames > It is affecting three stations > Have the network ignore requests temporarily
• Abnormal activity found > User appears to be in two places at once > Disconnect anomalous user
• User drawn into Access Point > Spoofed AP downloading user data > Disconnect station; locate spoofed AP
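
The "Flood of disconnect frames" and "User appears to be in two places at once" cases on this slide, as an added detection sketch over constructed frame records; it is not from the original slides and is not AirDefense's implementation. The record layout, sensor names, coverage map, thresholds and station MACs are assumptions; the AP MAC is the one shown on the earlier slides.

```python
from collections import defaultdict, deque

# Constructed sample records: (time_s, sensor, frame_type, src_mac, dst_mac).
AP = "00:02:2d:50:d1:4e"          # AP MAC as shown on the slides
FRAMES = (
    [(0.0, "lobby", "data", "00:0c:aa:00:00:01", AP)]
    + [(10 + i * 0.02, "floor2", "deauth", AP, f"00:0c:aa:00:00:0{1 + i % 3}")
       for i in range(30)]
    + [(12.0, "floor2", "data", "00:0c:aa:00:00:09", AP),
       (12.3, "warehouse", "data", "00:0c:aa:00:00:09", AP)]
)
# Assumption: sensor pairs with overlapping RF coverage (from a site survey).
OVERLAP = {frozenset(("lobby", "floor2"))}

def deauth_floods(frames, window=1.0, threshold=20):
    """Return {claimed_sender: stations hit} where deauth/disassoc frames
    from one sender reach `threshold` within `window` seconds."""
    recent = defaultdict(deque)   # sender -> deque of (time, dst)
    alerts = defaultdict(set)
    for ts, _sensor, ftype, src, dst in sorted(frames):
        if ftype not in ("deauth", "disassoc"):
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:      # drop frames outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts[src].update(d for _, d in q)
    return dict(alerts)

def two_places_at_once(frames, max_gap=1.0, overlap=OVERLAP):
    """Return MACs heard within `max_gap` seconds by two sensors whose
    coverage does not overlap (one identity, two transmitters)."""
    last_seen = {}                # mac -> (time, sensor)
    suspects = set()
    for ts, sensor, _ftype, src, _dst in sorted(frames):
        prev = last_seen.get(src)
        if (prev and prev[1] != sensor and ts - prev[0] <= max_gap
                and frozenset((prev[1], sensor)) not in overlap):
            suspects.add(src)
        last_seen[src] = (ts, sensor)
    return suspects
```

On the sample data the flood alert names the AP's MAC as the claimed sender with three affected stations, and the second check flags the one station heard on both the floor2 and warehouse sensors.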

Page 23: Wireless LAN Security: Risks & Defenses

Evolution of WLAN Monitoring Solutions

Advanced WLAN monitoring solution is not just about capturing RF traffic…

Steps 1-7 on the slide:
• Capture + Basic Detection
• Multi-engine Detection
• Enterprise Policy Manager
• Relationships & Behavior of WLAN Devices
• Correlation Technologies
• Forensics & Historical Analysis
• Pro-active Enforcement

Comprehensive systems must perform advanced/actionable analysis and detection.

Page 24: Wireless LAN Security: Risks & Defenses

Technology for Accurate Detection of Threats & Attacks

Goal: Detect all known and day zero threats and attacks reliably

Challenge: It is a race with hackers. New threats are evolving rapidly

[Diagram labels: Correlation Across Sensors, Stateful Analysis, Statistical Base-lining and Aggregation, Anomalous Behavior, Protocol Abuse, Signature Analysis, Policy Manager, Correlation, Third Party infrastructure e.g. Cisco, Threat Index, ACCURATE ALARMS]

• Multiple Detection Technologies are required for accurate & comprehensive detection
• Many threats require correlation across sensors (certain identity theft)
• Day Zero attacks require anomalous behavior analysis
• Correlation across multiple detection engines reduces false positives
• Focus on threat index by location or sensor rather than individual alarms

Page 25: Wireless LAN Security: Risks & Defenses

Policy Enforcement & Compliance

Adopt security policies and procedures to address the security weaknesses of the wireless environment

AirDefense Enables Compliance with: DOD, DHS, SOX, HIPAA, GLBA, FDIC, OCC

Closed Loop Compliance: Define > Monitor > Enforce

Define Policy
• Security
• Configuration; VLANs
• Performance
• Vendor / Channel

Monitor for Compliance
• Compliance with Corporate, regulatory requirements?
• Network performing correctly?

Enforce
• Turn off SSID broadcast
• Change channel of AP
• Terminate

Page 26: Wireless LAN Security: Risks & Defenses

Secured Area

Misconceptions of Security

Don’t get caught with a false sense of security. Monitor your air domain for threats and policy compliance.

Page 27: Wireless LAN Security: Risks & Defenses

Summary: Wireless LAN can be Secured

1. WLAN Risks are Significant
   Due to Shared Broadcast Media
2. Every Organization has WLANs (rogue and/or sanctioned)
   Check out wigle.net
3. Probing Laptops are Serious & Often Ignored Threat
   Employee use of wireless at home is pervasive
4. WLAN Policy Enforcement is Required
   Define > Monitor > Enforce
5. When deploying, use layered security approach
   Encryption > Authentication > 24 X 7 RF Monitoring
6. Have Control over your Air Domain
   Assets > Relationships > Behavior