Wireless Security
Why Wireless is not secure?
Wireless LANs are inherently insecure because they transmit data as electromagnetic waves through free space. Unlike wired LANs, a wireless LAN can't restrict data transmission to a single designated recipient.
Wireless LANs are also insecure because wireless devices are portable and therefore easily lost or stolen.

Security Definitions
Communication from A to B should provide:
Authentication - to prove identity
Integrity - to detect altered packets
Privacy - to prevent eavesdropping

Wireless LAN Security
If unauthorized users gain access to a network, they can:
eavesdrop on communications
access or alter data or network set-up
access network services

Attacks on wireless LAN
1. Passive attacks
2. Active attacks
3. Jamming attacks
4. Man in the middle attacks
Passive Attacks
In a passive attack, a hacker eavesdrops on a network, but does not interfere with data or devices.
Passive attacks are undetectable, because the hacker does not need to connect to a wireless network to receive transmitted data. Hackers can use a directional antenna and devices or programs known as "sniffers" to gather information about a wireless network from a distance (passwords, usernames, MAC addresses, SSID, etc.).

Active Attacks
In an active attack, a hacker accesses a wireless LAN to perform some function on the network: copy files, change settings, impersonate a user, or even reconfigure the network.

Jamming Attacks
Jamming occurs when a very powerful radio frequency (RF) signal cuts off the signals from access points and clients in a wireless LAN.
Jamming can happen unintentionally, when signals from other legitimate devices (in the same frequency range) interfere with wireless LAN transmissions, or deliberately.
Jamming attacks are similar to denial-of-service attacks on servers.
Jamming equipment is expensive, so these attacks are rare. Users need a spectrum analyser to find the jamming signal.
Man in the middle attacks
In a man-in-the-middle attack, hackers install their "rogue" access point in a wireless LAN.
Wireless clients associate with the rogue access point and the hacker has access to the data they send.
To do this, a hacker can use a device to create all-band interference around a legitimate access point, causing wireless clients to disconnect. Wireless clients then roam to find a good signal and associate with the powerful rogue access point.

Man in the middle attacks
To install a rogue access point, a hacker needs to know the SSID and any encryption keys that wireless clients are using.
If the access point broadcasts the SSID (or uses the default one), a hacker may easily obtain the SSID by using a "sniffer".
The IEEE 802.11b standard by default stipulates one-way authentication. That is, an access point authenticates a user, but a user does not authenticate an access point. So a user cannot tell when an access point is not legitimate.

Wireless Security (Ad-hoc LANs)
Wireless ad-hoc networks (peer-to-peer) are very insecure. If hackers have a card in ad-hoc mode and are within range of an ad-hoc wireless LAN, they are immediately connected to a user's wireless client and can attempt to gain access to the network via the client.
Most PC cards are shipped with ad-hoc mode enabled by default. You should disable ad-hoc mode on clients whenever possible.
Infrastructure wireless LANs are more secure.

Security (Solutions)
What is your security?
WEP
WPA
Filtering: MAC filtering, SSID filtering, protocol filtering (SSID = Service Set Identifier of an AP)
RADIUS server
IPsec
Virtual private networks (VPNs)
Wireless gateways (and proxy server)
Limiting the cell size of the access points, that is, limiting the geographical area that wireless signals cover
Directional antennas

Brief Overview
Case Study (how insecure wireless LANs are accessed).
Current Wireless Technology Overview: 802.11 a/b/g, WEP
New Wireless Security Standard: 802.1x, WPA, WPA-2

Basic 802.11b Overview
802.11b was IEEE approved in 1999
Infrastructure Mode or Ad Hoc
Utilizes the 2.4GHz band on 15 different channels
11Mbps shared among all users on an access point (more users, less bandwidth for you)
Cheap!!!

Basic 802.11g Overview
Faster than 802.11b (54Mbps)
Backward compatible with (b)
Same interference problem as 802.11b, as they use the same frequency (2.4 GHz)

Filtering
Filtering is a security mechanism that allows you to restrict network access based on predefined criteria.
In a wireless LAN, you can use the following types of filtering:
service set identifier (SSID) filtering
media access control (MAC) filtering
protocol filtering (e.g. only allow the TCP/IP protocol)

802.11 Built-in Security Features
Service Set Identifier (SSID)
Differentiates one access point from another
SSID is broadcast every few seconds.
Beacon frames (broadcast) are in plain text!
First layer of security
SSID Filtering
An SSID is a shared network name for devices in a wireless LAN subsystem.
In SSID filtering, a wireless client must match the SSID of an access point to access a wireless LAN.
SSID filtering is a very basic form of access control. While it is often used to segment the network, it should not be relied upon for wireless LAN security.

Do's and Don'ts for SSIDs
Default SSIDs are well known (Linksys APs default to linksys, Cisco defaults to tsunami, etc.), so change them immediately in the AP settings when you purchase.
Do change the settings on your AP so that it does not broadcast the SSID in the beacon frame (Disable Broadcast).

Hide the SSID
As stated earlier, the SSID is by default broadcast every few seconds.
Turning broadcast off makes it harder to figure out that a wireless connection is there.
Reading raw packets will still reveal the SSID, since even when using WEP the SSID is in plain text.

MAC Address Filtering
To implement MAC filtering, you program a filter list of permitted MAC addresses into each access point in a wireless LAN.
If a PC card with a MAC address that is not on the filter list tries to associate with an access point, the access point denies access to the client.
Programming every access point with the MAC addresses of all the wireless clients can be impractical.

MAC address filtering
MAC address filtering works by only allowing specific hardware (within the MAC list) to connect to the AP.
Management on large networks is unfeasible.
Using packet sniffer software, one can very easily find a valid MAC address and modify their OS to use it, even if the data is encrypted.
May be good for small networks.
Prevents casual hacking.

MAC Filtering
Not a good solution: for example, if a computer is stolen, until the theft is reported a hacker can use the NIC card to access a wireless LAN. It is especially dangerous if a static WEP key is used (the encryption key is fixed and stored within the computer).

MAC Filtering
You can program access points to disallow the MAC address of the card of an employee who has left (reverse MAC filtering) for added security.
RADIUS Servers
A more scalable security solution is to implement MAC filters on some Remote Authentication Dial-in User Service (RADIUS) servers.
When users log in to a network, the RADIUS server checks their MAC address along with their user identification information.
WEP
All IEEE 802.11x wireless LAN standards employ an encryption algorithm known as Wired Equivalent Privacy (WEP) to protect data from eavesdropping over the wireless segment of the LAN.
WEP uses keys for authenticating users and for encrypting data.
You need to set the authentication method for each wireless client and it must match the setting of the access point with which it associates.

WEP (Wired Equivalent Privacy)
An IEEE standard security protocol for wireless 802.11 networks.
WEP uses preshared keys that are entered manually at both ends (static keys), with the RC4 encryption algorithm.
WEP originally specified a 40-bit key (WEP-64), later boosted to a 104-bit key (WEP-128).
WEP is inadequate (cannot be relied on).

Associating with the AP
Access points have two ways of initiating communication with a client: Shared Key or Open Key authentication.
Open Key (Open Access) allows anyone to start a conversation with the AP (no encryption).
Shared Key is supposed to add an extra layer of security by requiring authentication info as soon as one associates.

How Shared Key Authentication Works?
The client begins by sending an association request to the AP. The AP does not ask the client to send the key so it can check it, as that would be insecure; instead:
The AP responds with a 'challenge text' (unencrypted).
The client, using the proper WEP key, encrypts the text and sends it back to the AP.
The AP checks this (decrypts); if it was properly encrypted and the result matches the 'challenge text', the AP allows communication with the client.

Shared Key Problems
Using passive sniffing software, one can gather two of the three variables needed in Shared Key authentication: the challenge text and the encrypted challenge text.
By monitoring the wireless link with sniffing software, the key can be found.
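The exchange on the last two slides, as an added Python example that is not part of the original deck: a textbook RC4 and the WEP frame layout, with a constructed 40-bit key, IV and challenge (none of these values come from a real network). The last function shows what a passive observer who captured frames 2 and 3 ends up holding, which is why Open authentication combined with a stronger layer (802.1X, WPA) is preferred over Shared Key authentication.

```python
import zlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key scheduling, then n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP framing: 3-byte IV in the clear, then RC4(IV||key) over data||CRC-32 ICV."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    ks = rc4_keystream(iv + key, len(plaintext) + 4)
    return iv + xor(plaintext + icv, ks)

def wep_decrypt(key: bytes, frame: bytes):
    """Returns the data, or None when the CRC-32 ICV does not match."""
    iv, body = frame[:3], frame[3:]
    pt = xor(body, rc4_keystream(iv + key, len(body)))
    data, icv = pt[:-4], pt[-4:]
    return data if zlib.crc32(data).to_bytes(4, "little") == icv else None

def shared_key_authentication(ap_key: bytes, client_key: bytes, iv: bytes, challenge: bytes):
    """The four-frame exchange from the slides. Returns (accepted, what an eavesdropper saw)."""
    # Frame 1: client -> AP, authentication request (carries no key material).
    # Frame 2: AP -> client, 128-byte challenge text, unencrypted.
    # Frame 3: client -> AP, the challenge WEP-encrypted under the client's key.
    response = wep_encrypt(client_key, iv, challenge)
    # Frame 4: AP decrypts with its own key and compares with the challenge it sent.
    accepted = wep_decrypt(ap_key, response) == challenge
    return accepted, {"challenge": challenge, "response": response}

def keystream_recovered_by_eavesdropper(seen: dict) -> bytes:
    """Frames 2 and 3 are both on the air: known plaintext XOR ciphertext is the RC4
    keystream for that IV. Open authentication exposes no such key-derived material."""
    ct = seen["response"][3:3 + len(seen["challenge"])]
    return xor(ct, seen["challenge"])

# Constructed demo values (not from any real network): a 40-bit WEP-64 key and one IV.
WEP_KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("a1b2c3")
CHALLENGE = bytes(range(128))
```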
Open Authentication (open key)
Open authentication is the default mode for access points. Clients associate with an access point using unencrypted text and no WEP keys are required for access. Default is therefore no WEP.

Shared Key Allocation
Shared Key allocation can be static or dynamic:
In static key allocation, each client must be manually configured with WEP keys and the keys never change, which presents an inherent security risk. It is also impractical for big networks due to the many computers involved.

Dynamic Key Allocation (Key changes)
Per-packet WEP key distribution calls for a new WEP key to be assigned to both ends of the connection for every packet sent. This adds significant traffic overhead to the network but gives more security.
Per-session WEP key distribution uses a new WEP key for each new session between nodes.
Centralized dynamic encryption key servers provide a significant advantage over static keys. The WEP keys continually change and are valid only for a predetermined interval of time or transmission.
WEP
WEP employs the RC4 algorithm for encryption purposes and the CRC-32 checksum for transmission integrity.
WEP can be implemented as a very basic security solution on most wireless LANs, but you should be aware of the inherent flaws that leave it vulnerable to attack. Cannot be relied on.

WEP Problems (with static key allocation)
Once again, passively monitoring the network for a few hours (or even minutes) can be enough time to gather enough information to figure out the WEP key (when a static key is used).
The time needed to deploy the attack is linearly proportional to the key length.

Virtual Private Networks (VPN)
When a client associates with an access point using VPN technology, the client uses off-the-shelf VPN software that uses protocols such as IPSec (or L2TP for the PPP protocol) to form a tunnel (commonly across the internet) to the access point in order to transmit data.
All data that passes through the access point travels via the tunnel and is encrypted.

Virtual Private Networks (VPN)
Deploying a secure VPN over a wireless network can greatly increase the security of your data.
The idea behind this is to treat the wireless network the same as an insecure wired network (the internet).
IPSec
Internet Protocol Security (IPSec) is a protocol suite for securing Internet Protocol communications by authenticating and encrypting each IP packet of a communication session. IPSec is a set of protocols that provide various types of protection on an IP network. IPSec works at the network layer to provide protection for any higher-layer TCP/IP application or protocol without additional security methods, which is a major strength.

IPSec (IP Security)
IPSec is a framework of standards for ensuring data privacy over Internet Protocol (IP) networks. Used in VPNs.
Works at layer 3 (IP), designed for IP.
You can use IPSec to secure wireless LAN communications by placing an IPSec client on every computer connected to the wireless network. Users must establish an IPSec tunnel to transmit any traffic to the wired LAN. IPSec encrypts data using a standard that encrypts data three times with up to three different keys.
IPSec Tunnel Mode and Transport Mode
1. Transport Mode
Transport mode is the default mode for IPSec, and it is used for end-to-end communications. In transport mode, IPSec encrypts only the IP payload. Typical IP payloads are TCP segments, a UDP message or an ICMP message. The IP header is neither modified nor encrypted, so the routing is intact.
2. IPSec Tunnel Mode
Tunnel mode is used to create virtual private networks for network-to-network, host-to-network, and host-to-host communications. When IPSec tunnel mode is used, IPSec encrypts the IP header and the payload, whereas transport mode only encrypts the IP payload.

IEEE 802.1X
802.1X is a port-based, layer 2 authentication framework for IEEE 802 networks.
Not limited or specific to 802.11 networks; originally for campus networks, extended to wireless.
Uses EAP (Extensible Authentication Protocol) for the authentication implementation with clients.
Provides a means for key transport.

802.1x-EAP client authentication
A security approach for wireless LANs that provides a framework for centralized authentication and dynamic key distribution uses the following elements:
the IEEE 802.1x standard
the Extensible Authentication Protocol (EAP)
IEEE 802.1x
The IEEE 802.1x standard provides specifications for port-based network access control where the port is placed in blocking mode until a backend system has authenticated the user.

EAP
EAP negotiates an authentication method. It allows wireless client adaptors that may support different authentication types to communicate with a Remote Authentication Dial-In User Service (RADIUS) server.

How 802.1x functions?
Using EAP and 802.1x, the client and the RADIUS server perform mutual authentication through the access point.
When mutual authentication is successfully completed, the RADIUS server and the client determine a key that is specific to the client. This key is known as a session key.
The client loads the session key and prepares to use it for the logon session with the access point.
The RADIUS server sends the session key over the wired LAN to the access point.
Once the access point receives the session key, it uses the session key to encrypt the broadcast key, which it sends to the client.
The client uses its session key to decrypt the broadcast key, which is used to encrypt the data being broadcast (sent).
The above avoids sending the broadcast key down the line in the clear (where it could be found out quickly, which is insecure).
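The key-distribution steps above, simulated as an added Python example (not from the original slides). The EAP method's own key derivation is replaced by an HMAC over a shared user secret and two nonces, and the AP's key wrapping by a toy HMAC-based encrypt-then-MAC; the function names, the user secret and the broadcast key are constructed for this example and are not names or values from the standard.

```python
import hashlib, hmac, os

def derive_session_key(secret: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Stand-in for the EAP method's key derivation (simplified, not a real EAP type):
    each side mixes its own copy of the user's secret with both nonces, so the client
    and the RADIUS server arrive at the same per-client session key without sending it."""
    return hmac.new(secret, b"session" + client_nonce + server_nonce, hashlib.sha256).digest()

def wrap(key: bytes, data: bytes) -> bytes:
    """Toy encrypt-then-MAC key wrap (data up to 32 bytes): keystream and tag both from HMAC."""
    nonce = os.urandom(16)
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()[:len(data)]
    ct = bytes(a ^ b for a, b in zip(data, stream))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(key: bytes, blob: bytes):
    """Returns the wrapped key, or None if the tag does not verify under this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()[:len(ct)]
    return bytes(a ^ b for a, b in zip(ct, stream))

def run_8021x_key_distribution(client_secret: bytes, radius_secret: bytes, broadcast_key: bytes) -> dict:
    """Walk the steps on the slide. client_secret is what the supplicant holds,
    radius_secret is what the RADIUS server has on file for that user."""
    client_nonce, server_nonce = os.urandom(16), os.urandom(16)
    # 1. Mutual authentication through the AP; the AP only relays EAP and learns nothing yet.
    client_session_key = derive_session_key(client_secret, client_nonce, server_nonce)
    radius_session_key = derive_session_key(radius_secret, client_nonce, server_nonce)
    # 2. RADIUS -> AP, over the wired LAN: the session key for this client.
    ap_session_key = radius_session_key
    # 3. AP -> client, over the air: the broadcast (group) key, encrypted under the session key.
    key_frame = wrap(ap_session_key, broadcast_key)
    # 4. Client decrypts with its own session key; a wrong credential yields a wrong key and None.
    return {"over_the_air": key_frame, "client_broadcast_key": unwrap(client_session_key, key_frame)}

# Constructed demo values, not from any real deployment.
USER_SECRET = b"correct horse battery staple"
BROADCAST_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
```

Only the wrapped frame crosses the air; an observer without the session key sees neither the broadcast key nor anything that verifies a guess at it.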

More benefits of choosing 802.1X…
802.1x integrates well with other open standards such as RADIUS (RADIUS is the de facto standard).
Software upgrade: access points only need a firmware upgrade to enable 802.1X. (Firmware: computer programming instructions that are stored in a read-only memory unit rather than being implemented through software.)
On the client side, 802.1X can be enabled with an updated driver for the NIC.
Depending on the EAP type you choose, you can have a very secure authentication scheme!
Dynamic key management is available.
Wireless gateways (esp. Proxy server)
Enterprise wireless gateways sit on a wired network segment between the access point and the wired network. The gateway controls access from the wireless LAN to the wired LAN.
If a hacker gains access to a wireless LAN, the wireless gateway prevents the hacker from accessing the wired network.

Summary of Security Solutions
What is your security?
WEP improvements (dynamic key allocation)
WPA
MAC filtering
SSID filtering, protocol filtering
RADIUS server
IPsec
Virtual private networks (VPNs)
Wireless gateways (and proxy server)
Limiting the cell size of the access points, that is, limiting the geographical area that wireless signals cover
Directional antennas (to limit the signal to a specific area)
Use WiFi Manager to spot the hacking.

WiFi Manager Server
WiFi Manager software is installed on the LAN and used to monitor/manage the security of the wireless network and identify if the WLAN is being hacked:
Identify rogue APs
Identify any hacking by monitoring the network
Monitor who is using your network
Monitor the AP bandwidth utilisation
Monitor WLAN equipment (APs connected)
Can also be used to configure the APs.

Review: WPA
A central key distribution system is available that dynamically assigns per-session or per-packet keys: a new WPA key is given to a client and an access point for each session or for each data packet sent between them.

WPA (WiFi Protected Access)
Intended to supersede WEP because of its problems.
Generates a new key for encryption each time a wireless client establishes access to the AP (sophisticated encryption).
RADIUS and 802.1x are used for central authentication for the whole network. The key is generated by the RADIUS authentication server.
WPA uses a 128-bit key, while WEP-128 used a 104-bit key.
WPA-2
Later version of WPA
128-bit key used to encrypt/decrypt data
Supports the IEEE 802.11i encryption standards to secure wireless LANs.
Can use a RADIUS server for central authentication.
WPA-2 uses the Advanced Encryption Standard (AES), whereas WEP and WPA used the RC4 algorithm.

Links to some sites used to get info on wireless links:
Airsnort: http://airsnort.shmoo.com
Netstumbler: http://www.netstumbler.com
Ethereal: http://www.ethereal.com
tinyPEAP: http://www.tinypeap.com