Wireless Network Security

Transcription

1 Wireless Network Security

2 Why wireless? Wifi, which is short for wireless fi something, allows your computer to connect to the Internet using magic. -Motel 6 commercial 2

3 but it comes at a price Wireless networks present security risks far above and beyond traditional wired networks Rogue access points Ad-hoc networks ARP poisoning Evil twins Wired/wireless bridging War driving Compromised clients Spectrum DoS Traffic cracking DHCP spoofing IP leakage Man-in-the-middle Grizzly bears Eavesdropping MAC spoofing Packet-based DoS 3

4 4 Today s wireless network

5 Agenda Wireless Networks and Security Attacking and defending WEP Attacking and defending WPA/WPA2 Common defense techniques Summary 5

6 Wireless Networks and Security 1) What are Wireless Networks? A wireless network is the way that a computer is connected to a router without a physical link. 2) Why do we need? Facilitates mobility You can use lengthy wires instead, but someone might trip over them. 3) Why security? Attacker may hack a victim s personal computer and steal private data or may perform some illegal activities or crimes using the victim s machine and ID. Also there's a possibility to read wirelessly transferred data (by using sniffers) 6

7 Wireless Security Methods Three security approaches: 1. WEP (Wired Equivalent Privacy) 2. WPA (Wi-Fi Protected Access) 3. WPA2 (Wi-Fi Protected Access, Version 2) WPA also has two generations named Enterprise and Personal. 7

8 WEP (Wired Equivalent Privacy) Encryption: 40 / 64 bits 104 / 128 bits 24 bits are used for IV (Initialization vector) Passphrase: Key 1-4 Each WEP key can consist of the letters "A" through "F" and the numbers "0" through "9". It should be 10 hex or 5 ASCII characters in length for 40/64-bit encryption and 26 hex or 13 ASCII characters in length for 104/128-bit encryption. 8

9 WPA/WPA2 Personal Encryption: TKIP AES Pre-Shared Key: A key of 8-63 characters Key Renewal: You can choose a Key Renewal period, which instructs the device how often it should change encryption keys. The default is 3600 seconds 9

10 Attacking WEP iwconfig a tool for configuring wireless adapters. You can use this to ensure that your wireless adapter is in monitor mode which is essential to sending fake ARP (Address Resolution Protocol) requests to the target router macchanger a tool that allows you to view and/or spoof (fake) your MAC address airmon a tool that can help you set your wireless adapter into monitor mode (rfmon) airodump a tool for capturing packets from a wireless router (otherwise known as an AP) aireplay a tool for forging ARP requests aircrack a tool for decrypting WEP keys 10

11 11 How to defend when using WEP Use longer WEP encryption keys, which makes the data analysis task more difficult. If your WLAN equipment supports 128-bit WEP keys. Change your WEP keys frequently. There are devices that support "dynamic WEP" which is off the standard but allows different WEP keys to be assigned to each user. Use a VPN for any protocol, including WEP, that may include sensitive information. Implement a different technique for encrypting traffic, such as IPSec over wireless. To do this, you will probably need to install IPsec software on each wireless client, install an IPSec server in your wired network, and use a VLAN to the access points to the IPSec server.

12 Attacking WPA macchanger a tool that allows you to view and/or spoof (fake) your MAC address airmon a tool that can help you set your wireless adapter into monitor mode (rfmon) airodump a tool for capturing packets from a wireless router (otherwise known as an AP) aireplay a tool for forging ARP requests Capture WPA/WPA2 handshakes by forcing clients to reauthenticate Generate new Initialization Vectors aircrack a tool for decrypting WEP keys (should be used with dictionary) 12

13 How to defend WPA Passphrases the only way to crack WPA is to sniff the password PMK associated with the handshake authentication process, and if this password is extremely complicated it will be almost impossible to crack Passphrase Complexity select a random passphrase that is not made up of dictionary words. Select a complex passphrase of a minimum of 20 characters in length and change it at regular intervals 13

14 Common defense techniques Change router default user name and password Change the internal IP subnet if possible Change default name and hide broadcasting of the SSID (Service Set Identifier) None of the attack methods are faster or effective when a larger passphrase is used. Restrict access to your wireless network by filtering access based on the MAC (Media Access Code) addresses Use Encryption 14

15 15 Threat points

16 Network Admission Control (NAC) Determines the users, their machines, and their roles Grant access to network based on level of security compliance Interrogation and remediation of noncompliant devices Audits for security compliance 16

17 Firewall (Placement Options) Source: Cisco, Deploying Firewalls Throughout Your

18 Why Placing Firewalls in Multiple Network Segments? Provide the first line of defense in network security infrastructures Prevent access breaches at all key network junctures WLAN separation with firewall to limit access to sensitive data and protect from data loss Help organizations comply with the latest corporate and industry governance mandates

19 Security Monitoring, Analysis and Reporting System Monitor the network Detect and correlate anomalies (providing visualization) Mitigate threats 19

20 Monitoring, Anomalies, & Mitigation Discover Layer 3 devices on network Entire network can be mapped Find MAC addresses, end-points, topology Monitors wired and wireless devices Unified monitoring provides complete picture Anomalies can be correlated Complete view of anomalies (e.g. host names, MAC addresses, IP addresses, ports, etc.) Mitigation responses triggered using rules Rules can be further customized to extend MARS

21 Rogue Access Points Rogue Access Points refer to unauthorized access points setup in a corporate network Two varieties: Added for intentionally malicious behavior Added by an employee not following policy Either case needs to be prevented 21

22 22 Rogue AP Mapping - Cisco

23 23 Guest Wireless

24 Guest Wifi Benefits Network segmentation Policy management Guest traffic monitoring Customizable access portals 24

25 Compromised Clients Wifi Threat Security Concern Counter Measure Ad-hoc Connections Concurrent wired/wifi connection Wide-open connections Unencrypted Unauthenticated Insecure Contaminating secure wired environment Access to unsecured wifi May lack authentication / encryption Risk of traffic cracking, rogue network devices Pre-define ad-hoc policy Concurrent wired/wifi pre-defined policy Disable wifi traffic if wired detected Enforce Location based policies. Restrict allowed SSIDs Enforce stronger security policies 25