Wired networks offer more and better security options than wireless
More thoroughly established standards with wired networks
Wireless networks are much more equipment dependent than wired networks
Easier to implement security policies on wired networks
802.11b Overview
802.11
802.11 Standards
802.11: The original WLAN standard. Supports 1 Mbps to 2 Mbps.
802.11a: High-speed WLAN standard for the 5 GHz band. Supports 54 Mbps.
802.11b: WLAN standard for the 2.4 GHz band. Supports 11 Mbps.
802.11e: Addresses quality of service requirements for all IEEE WLAN radio interfaces.
802.11f: Defines inter-access point communications to facilitate multiple-vendor distributed WLAN networks.
802.11g: Establishes an additional modulation technique for the 2.4 GHz band. Intended to provide speeds up to 54 Mbps. Includes much greater security.
802.11h: Defines the spectrum management of the 5 GHz band for use in Europe and in Asia Pacific.
802.11i: Addresses the current security weaknesses for both authentication and encryption protocols. The standard encompasses 802.1X, TKIP, and AES protocols.
Wireless Security?
Hacking is no longer the esoteric domain of the techno-elite. It is most often done by young males aged 15-25 who have extensive computer programming knowledge. Motives range from simple curiosity all the way to achieving terrorist ideals.
RISK: Inability to meet core business and customer needs that could lead to loss of revenue
A Computerworld survey estimates that at least 30 percent of businesses have rogue wireless LANs.
Clients must be configured with the correct SSID to access their WLAN.
Service Set Identifier (SSID) differentiates one access point from another
By default, access point broadcasts its SSID in plaintext beacon frames every few seconds
Access point settings can be changed to prevent it from announcing its presence in beacon frames and from using an easily guessable SSID
But then every user must know the SSID in advance
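The SSID element is the field the slides are talking about: by default it travels in every beacon, and a "hidden" network simply sends it with zero length or as null bytes, so a passive listener still sees that an access point is present and whether the privacy (encryption) bit is set. The parser below is an added example, not code from the slides; the two beacon frame bodies it decodes are constructed sample data built to the 802.11 tag/length/value layout (fixed fields of timestamp, beacon interval and capability, followed by SSID, supported-rates and DS-parameter elements).

```python
"""Decode the body of an 802.11 beacon frame and report how the SSID is exposed.

Added example; the frame bodies are constructed, not captured traffic."""
import struct

# Fixed beacon fields: timestamp (8 bytes), beacon interval (2), capability (2)
FIXED_LEN = 12
CAP_PRIVACY = 0x0010          # capability bit 4: encryption (WEP/WPA) in use
TAG_SSID = 0
TAG_SUPPORTED_RATES = 1
TAG_DS_PARAMS = 3             # one byte: current channel


def parse_elements(body: bytes) -> dict:
    """Walk the tag/length/value elements that follow the fixed fields."""
    elements = {}
    pos = FIXED_LEN
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2 : pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        elements.setdefault(tag, value)   # keep the first copy of a repeated tag
        pos += 2 + length
    return elements


def describe_beacon(body: bytes) -> dict:
    """Summarise what an observer learns from one beacon."""
    if len(body) < FIXED_LEN:
        raise ValueError("beacon body shorter than fixed fields")
    capability = struct.unpack_from("<H", body, 10)[0]
    elements = parse_elements(body)
    ssid = elements.get(TAG_SSID, b"")
    # A suppressed SSID is sent as length 0 or as a run of null bytes.
    hidden = len(ssid) == 0 or all(b == 0 for b in ssid)
    ds = elements.get(TAG_DS_PARAMS)
    return {
        "ssid": None if hidden else ssid.decode("utf-8", "replace"),
        "hidden": hidden,
        "channel": ds[0] if ds else None,
        "privacy": bool(capability & CAP_PRIVACY),
    }


def build_beacon(ssid: bytes, channel: int, privacy: bool) -> bytes:
    """Assemble a constructed beacon body for the demonstration."""
    capability = 0x0001 | (CAP_PRIVACY if privacy else 0)   # ESS bit + privacy
    fixed = struct.pack("<QHH", 0, 100, capability)
    elements = bytes([TAG_SSID, len(ssid)]) + ssid
    elements += bytes([TAG_SUPPORTED_RATES, 1, 0x82])          # 1 Mbps, basic
    elements += bytes([TAG_DS_PARAMS, 1, channel])
    return fixed + elements


# Constructed sample beacons: one announcing its SSID, one with it suppressed.
BROADCAST_BEACON = build_beacon(b"corp-wifi", 6, True)
HIDDEN_BEACON = build_beacon(b"", 11, False)

if __name__ == "__main__":
    for name, body in (("broadcast", BROADCAST_BEACON), ("hidden", HIDDEN_BEACON)):
        print(name, describe_beacon(body))
```

Run stand-alone it prints one summary per beacon; the hidden case still yields the channel and the privacy flag, which is why SSID suppression is listed on the slides as an inconvenience for users rather than a security control.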
WEP uses the RC4 stream cipher seeded with a 24-bit initialization vector and a 40-bit key
A terrible design choice for a wireless environment
In SSL, we will see how RC4 can be used properly
WEP Flaws
Two basic flaws undermined its use for protection against anything more than the casual browser or eavesdropper
No defined method for encryption key refresh or distribution
Pre-shared keys were set once at installation and rarely, if ever, changed
Use of RC4, which was designed as a one-time cipher and was not intended for reuse across multiple messages
But because the pre-shared key is rarely changed, the same key is used over and over
The attacker monitors traffic and finds enough examples to work out the plaintext from message context
With knowledge of both the ciphertext and the plaintext, the attacker can compute the key
Encryption
WEP Flaw
Takes about 10,000 packets to discover the key
Large amounts of known data are the fastest way of determining as many keystreams as possible
The information may be as innocuous as the fields in the protocol header or the DNS name query
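The two flaws above combine in a way that is easy to see in code: RC4 keyed with IV || shared key produces one keystream per IV, the IV is only 24 bits and is sent in the clear, so IVs repeat quickly, and any frame whose plaintext is predictable (the slides' "innocuous" protocol header) hands over the keystream for every other frame carrying the same IV. The script below is an added illustration, not code from the slides: RC4 is implemented inline so it runs offline, the shared key, IV and frame contents are constructed sample values, and WEP's CRC-32 integrity value is left out because it does not change the point.

```python
"""Keystream reuse in WEP: same IV + same shared key = same RC4 keystream.

Added example with constructed values; the integrity check value is omitted."""
import math


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key-scheduling algorithm, then n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings up to the shorter length."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key40: bytes, plaintext: bytes) -> bytes:
    """WEP per-frame encryption: RC4 keyed with the 3-byte IV || 5-byte shared key."""
    if len(iv) != 3 or len(key40) != 5:
        raise ValueError("WEP-40 uses a 24-bit IV and a 40-bit key")
    return xor_bytes(plaintext, rc4_keystream(iv + key40, len(plaintext)))


def frames_until_iv_collision(probability: float, iv_bits: int = 24) -> int:
    """Birthday bound: number of frames after which some IV has repeated with the
    given probability, assuming IVs are drawn at random from the 2**iv_bits space."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


# Constructed demo values.  The LLC/SNAP header is identical for every IP frame,
# which is exactly the kind of predictable field the slides call "innocuous".
SHARED_KEY = b"\x0b\xad\xc0\xff\xee"
IV = b"\x00\x00\x2a"
LLC_SNAP_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"
FRAME_A = LLC_SNAP_IP + b"GET /index.html HTTP/1.0"   # plaintext assumed known
FRAME_B = LLC_SNAP_IP + b"accounting export 2003"     # plaintext the observer wants


def keystream_reuse_demo() -> dict:
    """Two frames under one IV share a keystream: the XOR of the ciphertexts equals
    the XOR of the plaintexts, and the known frame yields the keystream that covers
    the other frame for its full length."""
    c_a = wep_encrypt(IV, SHARED_KEY, FRAME_A)
    c_b = wep_encrypt(IV, SHARED_KEY, FRAME_B)
    n = min(len(FRAME_A), len(FRAME_B))
    keystream = xor_bytes(c_a, FRAME_A)          # ciphertext XOR known plaintext
    return {
        "ciphertext_xor_equals_plaintext_xor":
            xor_bytes(c_a, c_b)[:n] == xor_bytes(FRAME_A, FRAME_B)[:n],
        "recovered_frame_b": xor_bytes(c_b, keystream),
        "keystream_bytes_from_header_alone": len(LLC_SNAP_IP),
    }


if __name__ == "__main__":
    print("frames for a 50% IV repeat:", frames_until_iv_collision(0.5))
    print(keystream_reuse_demo())
```

The birthday figure (a repeat with even odds after fewer than five thousand frames) is why the 24-bit IV, rather than RC4 itself, is the design error the slides point at; a busy access point exhausts it in well under an hour even if it never reuses an IV deliberately. Properly used, as the slides note for SSL, RC4 gets a fresh key per connection and never repeats a keystream position.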
Other Problems
Spoofing Wireless
Is easy: unlike Internet devices, which have routing issues to overcome, the IP addresses of wireless devices can be manually changed at will
Some network systems serve up the IP address dynamically
Do Not Do This
[courtesy of Brian Lee]
Ingredients: Laptop (with 802.11b card, GPS, Netstumbler, Airsnort, Ethereal) and the car of your choice
Drive around, use Netstumbler to map out active wireless networks and (using GPS) their access points
If the network is encrypted, park the car, start Airsnort, leave it be for a few hours
Airsnort will passively listen to encrypted network traffic and, after 5-10 million packets, extract the encryption key
Once the encryption key is compromised, connect to the network as if there is no encryption at all
Alternative: use Ethereal (or packet sniffer of your choice) to listen to decrypted traffic and analyze
Weak Countermeasures
Have each access point maintain a list of network card addresses that are allowed to connect to it
Infeasible for large networks
Attacker can sniff a packet from a legitimate card, then re-code (spoof) his card to use a legitimate address
802.1X
Framework to control port access between devices, AP, and servers
EAP Types
EAP-TTLS
Tunneled TLS: uses two TLS sessions
Outer TLS session with a server certificate for server authentication
Inner TLS session using certificates at both ends and a password
Protects the user's identity from intermediary entities
PEAP
Similar to EAP-TTLS, but only allows EAP for authentication
Server authentication via server certificate
Wi-Fi Protected Access (WPA)
Interim solution between WEP and 802.11i
Plugs holes in legacy 802.11 devices; typically requires a firmware or driver upgrade, but not new hardware
A subset of 802.11i, and forward compatible with it
WPA
Benefits
Encryption weakness improved but not solved
Some concern that TKIP may degrade WLAN performance without a hardware accelerator
But protects current device investment
Will be available sooner than 802.11i
WPA
Pass phrase remains constant, but a new encryption key is generated for each session
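What "a new encryption key for each session" means in WPA-PSK is a two-level key hierarchy: the passphrase and SSID are stretched once into a fixed 256-bit pairwise master key (PMK), and each association mixes that PMK with the two station addresses and two fresh nonces to produce the pairwise transient key (PTK) that actually protects traffic. The script below is an added example, not code from the slides. The PBKDF2 step is the one 802.11i specifies for WPA-PSK (4096 iterations of HMAC-SHA1, SSID as salt); the PTK expansion follows the 802.11i PRF construction as the editor understands it and is not checked here against the standard's own PTK vectors, so treat that part as illustrative; the MAC addresses and nonces are constructed values.

```python
"""WPA-PSK key hierarchy: constant passphrase -> fixed PMK -> per-session PTK.

Added example.  PBKDF2 parameters are those of 802.11i for WPA-PSK; the PRF
follows the 802.11i construction (HMAC-SHA1 with a running counter) to the best
of the editor's knowledge; addresses and nonces are constructed sample values."""
import hashlib
import hmac
import math


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for
    i = 0, 1, ... until nbits are available, then truncate."""
    out = b""
    for i in range(math.ceil(nbits / 160)):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes, nbits: int = 384) -> bytes:
    """Pairwise key expansion over the ordered addresses and nonces exchanged in
    the 4-way handshake.  384 bits is the CCMP (AES) size: KCK || KEK || TK."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, nbits)


def session_keys(passphrase: str, ssid: str, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> dict:
    """Everything one association ends up with, split into its named parts."""
    pmk = derive_pmk(passphrase, ssid)
    ptk = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
    return {"pmk": pmk, "kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# Constructed demo values: one AP, one client, two separate associations.
AP_MAC = bytes.fromhex("02a1b2c3d4e5")
STA_MAC = bytes.fromhex("02f6e5d4c3b2")
ANONCE_1 = hashlib.sha256(b"constructed anonce, session 1").digest()
SNONCE_1 = hashlib.sha256(b"constructed snonce, session 1").digest()
ANONCE_2 = hashlib.sha256(b"constructed anonce, session 2").digest()
SNONCE_2 = hashlib.sha256(b"constructed snonce, session 2").digest()


def two_sessions(passphrase: str = "password", ssid: str = "IEEE") -> dict:
    """Same passphrase and SSID twice: identical PMK, different traffic keys."""
    first = session_keys(passphrase, ssid, AP_MAC, STA_MAC, ANONCE_1, SNONCE_1)
    second = session_keys(passphrase, ssid, AP_MAC, STA_MAC, ANONCE_2, SNONCE_2)
    return {
        "pmk_unchanged": first["pmk"] == second["pmk"],
        "tk_changed": first["tk"] != second["tk"],
        "first": first,
        "second": second,
    }


if __name__ == "__main__":
    result = two_sessions()
    print("PMK:", result["first"]["pmk"].hex())
    print("session 1 TK:", result["first"]["tk"].hex())
    print("session 2 TK:", result["second"]["tk"].hex())
```

The passphrase "password" with SSID "IEEE" is the test vector published in the 802.11i annex, which is why the PMK printed above can be checked against the standard; the per-session keys cannot be, because the nonces here are invented. The defensive reading of the slide follows directly: rotating nonces protects traffic keys, but the PMK is only as strong as the passphrase chosen once at installation.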
TKIP
Benefits
Uses existing device calculation capabilities to perform the encryption operations
Improves security, but is still only a short-term fix
[Diagram: Client, Access Point, WLAN Switch, Ethernet Switch, RADIUS Server]
1. Client sends a request for association and security negotiation to the AP, which forwards it to the WLAN switch.
2. WLAN switch passes the request to the Authentication Server (RADIUS).
3. RADIUS authenticates the client.
4. Switch and client initiate a 4-way key negotiation to create a unique session key. The switch pushes the key, AES encrypted, to the AP. AES encrypts all data traffic.
Final Words
802.11 is truly useful technology
Wireless networking will continue to expand
As the networking standards change, so will the security issues
Network security specialists need to understand wireless networking, and vice versa
802.11a
Works at 40 MHz, in the 5 GHz range
THEORETICAL transfer rates of up to 54 Mbps
ACTUAL transfer rates of about 26.4 Mbps
Limited in use because it is almost a line-of-sight transmission, which necessitates multiple WAPs (wireless access points)
Cannot operate in the same range as 802.11b/g
Absorbed more easily than other wireless implementations
802.11b WiFi
Operates at 20 MHz, in the 2.4 GHz range
Most widely used and accepted form of wireless networking
THEORETICAL speeds of up to 11 Mbps
Can transmit up to 8km in the city; rural environments may be longer if a line of sight can be established
Not as easily absorbed as the 802.11a signal
Can cause or receive interference from:
Microwave ovens (microwaves in general)
Wireless telephones
Other wireless appliances operating in the same frequency
802.11g - Super G
Operates at the same frequency range as 802.11b
THEORETICAL throughput of 54 Mbps
ACTUAL transmission rate is dependent on several factors, but averages 24.7 Mbps
Logical upgrade from 802.11b wireless networks (backwards compatibility)
Suffers from the same limitations as an 802.11b network
System may suffer a significant decrease in network speeds if the network is not completely upgraded from 802.11b
802.11n (Ultranet)
Standards in discussion now; should be completed by the end of 2006
REAL throughput of at least 100 Mbps
4-5 times faster than 802.11g/a
20 times faster than 802.11b!
Better distance than 802.11a/b/g
Being designed with speed and security in mind
Perfect complement for WWW2
WarChalking
Wireless Tools
Sniffing
Handheld
Hacking tools
WEP Cracking
ARP Spoofing
Stumbling Tools
Stumbling tools identify the presence of wireless networks. They look for beacons from access points, and also broadcast client probes and wait for access points to respond.
Netstumbler
http://www.netstumbler.com
Free
Windows based
Very simple GUI
GPS capable
Wellenreiter
http://www.remote-exploit.org
Free
Linux based
Supports many wireless cards
GPS capable
MacStumbler (MAC)
http://homepage.mac.com/macstumbler/
MiniStumbler (PocketPC)
http://www.netstumbler.com/download.php?op=getit&lid=21
Mognet (JAVA)
http://chocobospore.org/mognet/
Sniffing Tools
Sniffing tools capture the traffic from a wireless network and can view the data passed across the air.
Kismet
http://www.kismetwireless.net
Free
Linux based
GPS capable
AiroPeek
http://www.wildpackets.com/products/airopeek
Must pay for it
Windows based
Real-time packet decoding
AirTraf (Linux)
http://airtraf.sourceforge.net/index.php
Handheld Tools
Handheld tools are more portable and provide wireless network identification and network status monitoring.
AirMagnet
http://www.airmagnet.com/
Pocket PC based
Waverunner
http://www.flukenetworks.com/us/LAN/Handheld+Testers/WaveRunner/Overview.html
Linux kernel on iPaq
Hacking Tools
Hacking tools are for pointed attacks to gain access to secured wireless networks.
WEPCrack
http://wepcrack.sourceforge.net/
AirSnort
http://sourceforge.net/projects/airsnort/
BSD-Tools dweputils
http://www.dachb0den.com/projects/dweputils.html
libradiate
http://www.packetfactory.net/projects/radiate/
ettercap
http://ettercap.sourceforge.net
dsniff
http://naughty.monkey.org/~dugsong/dsniff/
AirJack
http://802.11ninja.net
Foundstone Foundscan
http://www.foundstone.com
Qualys
http://www.qualys.com
Nmap
http://www.insecure.org/nmap/
Netstumbler
http://www.netstumbler.com
Kismet
http://www.kismetwireless.net
Wellenreiter
http://www.remote-exploit.org
Air Magnet
http://www.airmagnet.com/
Air Defense
http://www.airdefense.net/
Isomair
http://www.isomair.com/
Apply all security features of products
Require authentication, authorization and encryption
Use the same well-known network security solutions as wired networks, including:
Network segmentation
Wireless Blogs
http://www.wardriving.com/
http://80211b.weblogger.com/
Mailing Lists
wireless-subscribe@kismetwireless.net
Devices
Availability
Wireless becoming more and more available as time passes
Wireless data networks are growing at roughly the same rate as cellular telephone networks, with comparable coverage
Does not rely on laying cables for connectivity
Network cannot be accessed in situations where RF signals have interference
Largely inaccessible in rural areas
Environmental
Weather
Rain and lightning affect RF signals
Solar flares
Electromagnetic interference
Generators
Power plants
Adding Devices
Extending range requires additional WAPs
Not always a viable option
Possible conflicts between 802.11b and 802.11g cause a significant speed decrease in the network
Opens the network up to more attacks
Non-conflicting SSIDs (Service Set Identifiers)
SSIDs are numbers that identify wireless devices on a network. When SSIDs are not set dynamically
Security Issues
Wired Networks
Wired networks less susceptible to hackers/crackers
RF signals allow for more unauthorized attempts
Ubiquitous wireless networking devices allow access
Hacking
Gaining unauthorized access to networks/devices by algorithms or penetration programs
Cracking
Extending the use of devices past original intentions
Referred to as Wardrivers or Warchalkers
Use PDAs, laptops, scanners, tablets or any WiFi-enabled devices
Underground networks list and update open networks that are waiting to be exploited
Attack weak keys or sniff messages going over the network to determine the SSID range
Types of Attacks
Social Engineering
Dictionary attacks
Attackers use a pre-populated list of frequently used passwords and ordinary words
Birthday attacks
A complicated algorithmic attack
Open Networks
Most often associated with home networks
These networks are the target of hackers who wardrive
Result of wireless networks that are either entirely unsecured or are using weak WEP keys
Effects can be devastating
Wireless Networks
Enforce the rule of least access
Ensure SSIDs are changed regularly
Ensure insurance and authentication standards are created and enforced
Treat WLANs as untrusted networks that must operate inside the DMZ
Do not, under any circumstances, allow ad hoc WLANs
Embrace and employ the 802.11i IEEE security standard
Native per-user access control
Native strong authentication (tokens, smartcards and certificates)
When IP addresses were initially allocated, the US received the lion's share; Europe and Asia were left with the remainder
Pros of IPv6
Can accept a range of IP addresses
Minimizes hackers'/crackers' ability to penetrate networks
Increases scalability
Cons
Network Changes
Re-addressing of current IPv4 hardware/clients
Parting Thoughts
Wireless networking, while great in theory, has significant problems that are not easily addressed
Upgrades to wireless technology that are on the horizon make changing over or integrating far less attractive