Agenda

10:00 11:00 Securing wireless networks

11:00 11:15 Break

11:15 12:00 Patch Management in the Enterprise

12:00 1:00 Lunch

1:00 2:30 Network Isolation using IPSec and Group Policies

2:30 2:15 Break

2:15 3:30 Detecting the Hacker

3:30 Q&A

Wireless LAN Security

Paul Hogan

Ward Solutions

Session Prerequisites

Hands-on experience with Windows 2000 or Windows Server 2003

Working knowledge of networking, including basics of security

Basic knowledge of WLANS

Level 300

These sessions are about…

…about operational security

The easy way is not always the secure way

Networks are usually designed in particular ways

In many cases, these practices simplify attacks

In some cases these practices enable attacks

In order to avoid these practices it helps to understand how an attacker can use them

These sessions are NOT…

a hacking tutorial

Hacking networks you own can be enlightening

HACKING NETWORKS YOU DO NOT OWN IS ILLEGAL

…demonstrating vulnerabilities in Windows

Everything we show stems from operational security or custom applications

Knowing how Windows operates is critical to avoiding problems

…for the faint of heart

The Sessions

The Network

External LAN

IIS 6.0

Windows 2003

IAS

PKI

Access Points

ISA Server Firewall

MOMSM

Why Does Network Security Fail?

Network security fails in several common areas, including:

Human awareness

Policy factors

Hardware or software misconfigurations

Poor assumptions

Ignorance

Failure to stay up-to-date

Session Agenda

WLANs and WLAN issues

WLAN Deployment models

Out-of-box

Block SSID / MAC address filtering

WEP

WPA (WPA-PSK)

WLAN and Windows Server 2003

Wireless LAN – Good News

“Cheap, easy to deploy, high performance radio based technology that does not respect the physical parameters of a building”.

Wireless LAN – Bad News

“Cheap, easy to deploy, high performance radio based technology that does not respect the physical parameters of a building”.

Wireless LAN

By 2006, 60% of Fortune 1000 companies will be deploying wireless networks

By 2010, the majority of Fortune 2000 companies will be heavily dependent on wireless networks.

Gartner Group 2003

Wireless Network

AccessPoint (AP)

Database Servers

Corporate Servers

Corporate Network

And Now a Warning…

Corporations turning to wireless for operational flexibility, without considering the security issues, may be carelessly sacrificing the integrity of their systems…

Let's go for a drive: “Drive-by hacking”

Ward Solutions independent analysis

Completely non-obtrusive

Tools

Laptop

WiFi PCM network card

Orinoco driver

Netstumbler software

Results

65% networks not encrypted

55% NO access controls

45% broadcasting network name

What can be done

Interception

Monitoring

Insertion

Packet Analysis

Broadcast Monitoring

Access Point Cloning

Jamming

Denial of Service

Brute Force

Reconfiguration

WLAN Deployment: Toaster Install

Out of Box

Connected to Network

Default SSID

No Security configurations

Could this be happening to you

WLAN Deployment: SSID / MAC Filtering

So I blocked SSID and have MAC locking

Limitations of MAC Address Filtering

Scalability - Must be administered and propagated to all APs. List may have a size limit.

No way to associate a MAC to a username.

User could neglect to report a lost card.

Attacker could spoof an allowed MAC address.

SSIDs can be determined even if blocked

WLAN Deployment: WEP

Limitations of Wired Equivalent Privacy (WEP)

WEP is inherently weak due to poor key exchange.

WEP keys are not dynamically changed and therefore vulnerable to attack.

No method for provisioning WEP keys to clients.

Generations of WEP

APs that filter weak IVs

Change keys frequently

WEP Cracking tools

Airsnort

Dwepcrack

Aircrack + aireplay +
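Why a WEP key that is never changed is a problem, as an added example that is not part of the original slides: with a static key the only per-packet variation is WEP's 24-bit IV, so any two frames that share an IV are encrypted with the same RC4 keystream. The key, IVs and payloads below are constructed sample values, and the function names are hypothetical.

```python
import math

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XORed with data (the stream cipher WEP uses)."""
    s, j = list(range(256)), 0
    for i in range(256):                          # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                             # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(iv: bytes, wep_key: bytes, payload: bytes) -> bytes:
    """WEP seeds RC4 with IV || key; the integrity value (ICV) is left out."""
    return rc4(iv + wep_key, payload)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def packets_for_collision(iv_bits: int, probability: float = 0.5) -> int:
    """Birthday bound: frames with random IVs before a repeat is likely."""
    return math.ceil(math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - probability))))

def hours_to_exhaust(iv_bits: int, packets_per_second: int) -> float:
    """Time until a sequential IV counter wraps at a steady frame rate."""
    return 2 ** iv_bits / packets_per_second / 3600

# Constructed sample values, not taken from any real network.
KEY = bytes.fromhex("0102030405")                 # 40-bit static WEP key
P1, P2 = b"first test frame", b"other test frame"

def keystream_reused(iv_a: bytes, iv_b: bytes) -> bool:
    """True when the two ciphertexts XOR to the XOR of the plaintexts."""
    c1, c2 = wep_encrypt(iv_a, KEY, P1), wep_encrypt(iv_b, KEY, P2)
    return xor(c1, c2) == xor(P1, P2)

if __name__ == "__main__":
    print("same IV, keystream cancels:", keystream_reused(b"\xaa\xbb\xcc", b"\xaa\xbb\xcc"))
    print("different IV:", keystream_reused(b"\xaa\xbb\xcc", b"\xaa\xbb\xcd"))
    print("frames to a 50% IV repeat:", packets_for_collision(24))
    print("hours to wrap at 1000 frames/s:", round(hours_to_exhaust(24, 1000), 1))
```

A repeat is likely after only a few thousand frames when IVs are chosen at random, which is why changing keys frequently only narrows the exposure and per-session keys from 802.1X remove it.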

Possible Solutions

VPN Connectivity: PPTP, L2TP, Third Party

IPSec: Many vendors

Password-based Layer 2 Authentication: Cisco LEAP, RSA/Secure ID, IEEE 802.1x PEAP/MSCHAP v2

Certificate-based Layer 2 Authentication: IEEE 802.1x EAP/TLS

WLAN Security Comparisons

WLAN Security Type    Security Level    Ease of Deployment    Usability and Integration
IEEE 802.11           Low               High                  High
VPN                   Medium            Medium                Low
Password-based        Medium            Medium                High
IPSec                 High              Low                   Low
IEEE 802.1x TLS       High              Low                   High

802.1X

Defines port-based access control mechanism

Works on anything, wired and wireless

Access point must support 802.1X

No special encryption key requirements

Allows choice of authentication methods using EAP

Chosen by peers at authentication time

Access point doesn’t care about EAP methods

Manages keys automatically

No need to preprogram wireless encryption keys

Wi-Fi Protected Access (WPA)

A specification of standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for existing and future wireless LAN systems

Goals

Enhanced Data Encryption (TKIP)

Provide user authentication (802.1x)

Be forward compatible with (802.11i)

Provide non-RADIUS solution for Small/Home offices: WPA-PSK

Typically a software upgrade. The Wi-Fi Alliance began certification testing for interoperability on Wi-Fi Protected Access products in February 2003

WPA2

Wi-Fi Protected Access (WPA)

WEP's IVs are only 24 bits and so are repeated every few hours

WPA increased IV to 24 bits, repeated every 900 years

WPA alters values acceptable as IVs

Protects against forgery and replay attacks

IV formed MAC address

TSC

TKIP: New password generated every 10,000 packets

WPA-PSK Passphrase

WPA / 802.11i recommend a 20-character password

Crack is brute force based
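A passphrase policy check for WPA-PSK deployments, as an added example that is not part of the original slides. It uses the 802.11i derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit key) and the 20-character recommendation above; the default-SSID list is a constructed sample and the function names are hypothetical.

```python
import hashlib
import math
import string

# Constructed sample of factory-default SSIDs (an assumption, not from the slides).
DEFAULT_SSIDS = {"default", "linksys", "netgear", "wireless"}
RECOMMENDED_MIN = 20              # passphrase length recommended on the slide

def derive_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit pre-shared key: the SSID is the salt, so it changes the key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def search_space_bits(passphrase: str) -> float:
    """Upper bound on brute-force work from the character classes in use.
    Dictionary words are far weaker than this bound suggests."""
    pool = 0
    for charset in (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, string.punctuation + " "):
        if any(c in charset for c in passphrase):
            pool += len(charset)
    return len(passphrase) * math.log2(pool) if pool else 0.0

def audit(passphrase: str, ssid: str) -> list[str]:
    """Return policy findings for one WLAN's passphrase and SSID."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("invalid: WPA passphrases are 8-63 characters")
    elif len(passphrase) < RECOMMENDED_MIN:
        findings.append(f"short: {len(passphrase)} < {RECOMMENDED_MIN} characters")
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("default SSID: the PSK salt is shared with many networks")
    if ssid and ssid.lower() in passphrase.lower():
        findings.append("passphrase contains the SSID")
    return findings

if __name__ == "__main__":
    # Constructed sample configurations.
    for phrase, ssid in [("password", "linksys"),
                         ("correct horse battery staple", "Ward-Office-7f3a")]:
        print(ssid, round(search_space_bits(phrase)), "bits", audit(phrase, ssid))
```

Because the SSID salts the key, a default SSID lets guessing work done against one network be reused against every other network with the same name, which ties this check to the out-of-box deployment described earlier.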

802.1x and PEAP

WLAN - 802.1X using EAP/TLS

Domain Controller

DHCP

Exchange

File Server

Certification Authority

RADIUS (IAS)

Server Certificate

Laptop

Domain User/Machine

Certificate

EAP Connection


Best Practices

Use 802.1x authentication

Organize wireless users and computers into groups

Apply wireless access policies using Group Policy

Use EAP/TLS and 128 bit WEP – 802.1x PEAP

Set clients to force user authentication as well as machine authentication

Develop a method to manage rogue APs such as LAN based 802.1x authentication and wireless sniffers.

Microsoft

Securing a wireless LAN Security Strategy

Securing wireless LANs with PEAP and Passwords

Questions and Answers