Office of the State Auditor North Carolina
Wireless Access and Security
Dr. Lenny Superville, Ph.D., CIO: NC Office of the State Auditor
NC Digital Government Summit, September 13-14, 2005
Page 2
Focus in this Presentation
• Why do some Government Agencies choose to go with Proprietary instead of Standards Based Wireless Networks (WLANs), and why do some not?
• Some Well Used Proprietary Wireless Networks – Secret
• A survey of 802.11 (WI-FI)/WLAN wireless networking standards - Open
• Hackers’ tools used to sniff or intrude on WLAN networks - Threats
• Effective options to keep unauthorized users/hackers out of WLAN networks - Countermeasures
• A Protection Methodology for WLAN Mobile Computing – While Performing Day-to-Day Operations
Page 3
At the End of this Presentation, you should be able to understand:
• The major security concerns associated with the various wireless topologies, especially standards based
• The vulnerabilities of WLAN mobile computing environments
• The defenses available to protect WLAN mobile computing environments
• Best Practices to implement and maintain data security while using wireless data communications in day-to-day operations
Page 4
Well Known Examples of Secured Proprietary Wireless/Wired Networks
• Proprietary means (Secret encryption algorithm + Hardware):
• NIPRNET – (DoD) Unclassified but Sensitive Internet Protocol Router Network (BLUE)
• SIPRNET - (DoD) Classified Internet Protocol Router Network (RED)
• Land Warrior Computer/Radio Subsystem – (Army)
• CAISI (Army) – Combat Service Support Automated Information System Interface. The lesser known, the better the security
Beware: This technology requires additional, costly hardware and IT staff to implement and maintain.
Page 5
Characteristics of Proprietary Enterprise Wireless Secured Networks – Complete Solution
• Sophisticated Encryption
• Strong Authentication
• Stringent Access Control
• http://www.airdefense.net/
• http://www.cisco.com/
• http://www.airmagnet.com/
• This combined technology implementation is so successful because it acts as a secure gateway to numerous networks that must be accessed
• Questions – 5 minutes
Page 6
WLANS - Wireless Networking/IEEE Standards - Open
WEP/WLAN/Radio Waves
• 802.11 or WI-FI
• 802.11b: 2.4 GHz, 11 Mbps
• 802.11a: 5.8 GHz, 54 Mbps
• 802.11g: 2.4 GHz, 54 Mbps
• 802.11i: Security solution for 802.11a/b/g
802.11a and 802.11g are both 54 Mbps; 802.11g has the lower operating frequency and hence the greater range.
EAP (Extensible Authentication Protocol) is a general protocol for authentication.
IEEE 802.1x specifies how EAP should be encapsulated in LAN frames.
Page 7
IEEE 802.11 WLANS (Standards Based - Open)
• WEP – Fixed Key: Can be broken, Machine Authorization only
• EAP-MD5 – No Certificates, TKIP (Rotating Key - Dictionary Attack), Human Authentication (802.1x), Server Authorization
• EAP-LEAP - No Certificates, TKIP
• EAP-TLS - 2 Certificates, TKIP
• EAP-FAST – No Certificates (All CISCO)
• EAP-TTLS – 1 Certificate, TKIP
• EAP-PEAP – 1 Certificate, TKIP
• EAP-WPA – 802.11 TKIP?
• EAP-WPA2 – 802.11, CCMP, AES (3 Key sizes)
• AES may be the answer to secure standards based WLANS.
Page 8
Examples of Government Efforts to Implement 802.11 Wireless Networks (WLANs)
• In the 1990s the Wireless Equivalency Protocol (WEP) was attempted, but in 2001 security exposures were found in IEEE 802.11b networks
• In the 1990s the Data Encryption Standard (DES) was found to be vulnerable
• As of 2002, the Advanced Encryption Standard (AES) with its 3 different key sizes – 128, 192 and 256 bit – may be the solution.
• As of 2005, AES is still the best bet for a secured WLAN.
Page 9
Threats to WLANS - A threat can be the perception of insecurity
War Driving – driving through a street to discover wireless networks – for possible attack or just for the hell of it.
• Netstumbler is a well known freeware tool used to discover WLANs if the SSID (network name) broadcast is enabled
• Kismet discovers WLANs even if the SSID broadcast is disabled
• KisMAC – Can be used for Security/Intrusion
Page 10
Examples of War Driving Tools - Intrusion is entry by force or without permission or welcome
Check http://www.netstumbler.com
• Netstumbler (Windows); Ministumbler (CE/PocketPC)
Check http://www.kismetwireless.net
• Kismet (Linux/Unix)
Check http://www.remote-exploit.org
• Wellenreiter (Linux/Unix)
Page 11
Some Major Threats – You should know
• Wired Mobile LANs used for training at Corp. sites (e.g. Ethernet)
• Wireless Mobile LANs used for training at Corp. sites (e.g. WEP, EAP-WPA2)
• Wireless Internet Service Provider (WISP) – Theft of Service
• Hotspot Hijinks - Pagejacking
• Wireless Sniffing – Interception of Traffic
Note: Wireless Sniffing is passive in nature and hence undetectable
Page 12
Countermeasures to WLANS - A countermeasure is an action taken to offset another action
A countermeasure is a system (usually for a military application) designed to prevent weapons (Threats) from acquiring and/or destroying a target (WLANs)
Page 13
WLANs Countermeasures: Are they reliable?
• Wired Equivalent Privacy (WEP): a security protocol for wireless local area networks (WLANs)
• Attributes:
  • Defined in the 802.11b standard.
  • The security component of IEEE 802.11
• Concerns:
  • AirSnort, once enough packets are gathered, can guess the encryption password in less than a second
  • Uses RC4 encryption
  • Improper use of the IV makes the protocol vulnerable
  • Uses only one key – never changed
Note: 128 bit WEP is not officially part of the standard – some manufacturers’ key entry methods are incompatible
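The "improper use of the IV" and "only one key, never changed" concerns above come down to a single stream-cipher property. As an added example that is not part of the presentation, the Python below uses a textbook RC4 implementation to build a WEP-style frame (3-byte IV prepended to the static shared key, IV sent in the clear; the CRC integrity value is omitted) and shows what happens when two frames reuse an IV: XORing the two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts. It also computes the birthday-bound probability that an IV repeats within a 24-bit IV space. The shared key, IVs and packet contents are constructed sample values; `wep_encrypt` and the other function names are this example's own.

```python
"""Added illustration of why a fixed WEP key plus a 24-bit IV is fragile.
Textbook RC4 written for this example; key and packets are constructed."""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream (key scheduling + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: the per-packet RC4 key is IV || shared key, and the
    3-byte IV is transmitted in the clear ahead of the ciphertext."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> bytes:
    """When two frames carry the same IV under the same static key, their
    keystreams are identical, so C1 xor C2 == P1 xor P2: the 'one key,
    never changed' concern on the slide, made concrete."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("different IVs: keystreams differ, nothing cancels")
    return xor_bytes(frame1[3:], frame2[3:])


def iv_collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Birthday-bound probability that at least one IV value repeats among
    `packets` randomly chosen IVs from a space of 2**iv_bits values."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit shared key
    iv = b"\x00\x00\x01"                   # constructed IV, reused below
    c1 = wep_encrypt(key, iv, b"hello world")
    c2 = wep_encrypt(key, iv, b"HELLO WORLD")
    print("P1 xor P2 recovered:", keystream_reuse_leak(c1, c2).hex())
    print("IV repeat after ~4800 frames:", round(iv_collision_probability(4823), 2))
```

The RC4 routine can be checked against the common published vector (key `Key`, plaintext `Plaintext`); the collision figure shows why a busy AP exhausts the safety of a 24-bit IV in minutes rather than years, which is the case for rotating keys (TKIP) and, better, CCMP/AES.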
Page 14
Countermeasures: Reliable? (Cont’d)
• Service set identifier (SSID)/password, also referred to as a network name
• Attributes:
  • Blanks the SSID field in the 802.11 Beacon Frame
  • Disables response to any Probe Request
  • No SSID – no association – (T/F)?
• Concerns:
  • SSID is broadcast in all client association frames in the clear
  • Tools can force a client to disassociate and re-associate to expose the SSID
  • ESSID-Jack, a freeware tool, can expose a hidden SSID in seconds
Page 15
Countermeasures: Reliable? (Cont’d)
• MAC Address Filtering: Media Access Control address, a hardware address that uniquely identifies each node of a network
• Attributes:
  • Place authorized MACs in each AP - If you don’t have a valid MAC, you can’t get in, (T/F)?
• Concerns:
  • MACs are easily sniffed
More than 50% of WLANS in major cities have no security.
Page 16
Countermeasures: Reliable? (Cont’d)
Cisco LEAP (Lightweight Extensible Authentication Protocol):
Attributes:
- Username/Password required for access
- WEP keys rotate, making AirSnort useless
- EAP-MSCHAPv2 can be used as an inner authentication method with EAP-PEAP and EAP-TTLS.
Concern:
- Use of MS-CHAPv2 exposes credentials to a devastating and efficient dictionary attack. See: http://asleap.sourceforge.net for additional details
Best Buy and Lowe’s have experienced WLAN security breaches
Page 17
Countermeasures: Reliable? (Cont’d)
IPSec Overlay: IPSec is an Internet standard framework for the establishment and management of data privacy between network entities.
Attributes: NAT and NAPT are techniques used to share and hide private IP addresses on edge devices like routers and firewalls.
Concerns: Unfortunately, when an IPsec session runs through NAT or NAPT, security is often compromised:
1. Broadcast frames unencrypted
2. ARP poisoning…. DoS attack
3. Client protection only after authentication
Page 18
Countermeasures: Reliable? (Cont’d)
802.1x / WPA / 802.11i: Wi-Fi Protected Access for WLANS
Attributes:
• In the 802.11 standard, 802.1x authentication was optional; 802.1x authentication is required in WPA
• The 802.11i standard addresses many of the security issues of the original 802.11 standard.
Concerns:
• Single factor authentication (with few exceptions)
• Multiple EAP types offer questionable security and vendor incompatibilities
• Attacks already presented against WPA
WPA has a built-in security mechanism to counter authentication attacks that shuts down APs, sometimes for up to one minute.
Questions – 5 minutes
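The countermeasure slides above (WEP, hidden SSID, MAC filtering, LEAP, WPA/802.11i) each end in a verdict on whether the control is reliable. One way to carry those verdicts into an audit is to check an access point's configuration for them mechanically. The Python below is an added example, not the presentation's or any vendor's code: it parses a hostapd-style `key=value` file (the option names `wpa`, `wpa_key_mgmt`, `rsn_pairwise`, `wep_default_key`, `wep_key0`, `ignore_broadcast_ssid`, `macaddr_acl` and `ieee8021x` are real hostapd options; the parser, the `Finding` type, the severities and the two sample configurations are constructed for this example) and reports the concerns the slides raise: WEP, TKIP, a pre-shared key instead of 802.1x, and a hidden SSID or MAC filter counted as security.

```python
"""Added example: audit one AP configuration against the slide deck's
'are they reliable?' verdicts. Option names are hostapd's; everything else
(parser, Finding, sample configs) is constructed for this illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info"
    setting: str    # configuration option that triggered the finding
    concern: str    # the slide's concern, in one line


def parse_hostapd(text: str) -> dict:
    """Parse hostapd-style 'key=value' lines; blanks and '#' comments ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def audit_wlan(cfg: dict) -> list:
    """Return the list of Findings for one access point configuration."""
    findings = []
    uses_wep = any(k == "wep_default_key" or k.startswith("wep_key") for k in cfg)
    wpa = int(cfg.get("wpa", "0"))      # hostapd bit field: 1 = WPA, 2 = WPA2 (RSN)

    if uses_wep:
        findings.append(Finding("high", "wep_key*",
            "WEP: RC4 with one static key and a 24-bit IV; key recoverable once enough frames are captured"))
    if not uses_wep and wpa == 0:
        findings.append(Finding("high", "wpa=0", "open network: no encryption at all"))
    if wpa & 1:
        findings.append(Finding("medium", "wpa=1",
            "WPA1 allowed: TKIP keying, attacks already presented against WPA"))
    if wpa & 2:
        pairwise = cfg.get("rsn_pairwise", "").split()
        if "TKIP" in pairwise:
            findings.append(Finding("medium", "rsn_pairwise",
                "TKIP permitted under WPA2; restrict to CCMP (AES)"))
        if "CCMP" not in pairwise:
            findings.append(Finding("medium", "rsn_pairwise", "CCMP (AES) not offered"))
    key_mgmt = cfg.get("wpa_key_mgmt", "").split()
    if wpa and "WPA-PSK" in key_mgmt and cfg.get("ieee8021x", "0") != "1":
        findings.append(Finding("medium", "wpa_key_mgmt",
            "pre-shared key: one shared secret, no per-user 802.1x/EAP authentication"))
    if cfg.get("ignore_broadcast_ssid", "0") != "0":
        findings.append(Finding("info", "ignore_broadcast_ssid",
            "hidden SSID still travels in the clear in association frames; not a security control"))
    if cfg.get("macaddr_acl", "0") != "0":
        findings.append(Finding("info", "macaddr_acl",
            "MAC filtering: addresses are easily sniffed; not a security control"))
    return findings


def audit_text(text: str) -> list:
    return audit_wlan(parse_hostapd(text))


# Constructed sample: the kind of "secured" AP the slides warn about.
WEAK_AP = """
ssid=agency-wlan
ignore_broadcast_ssid=1
macaddr_acl=1
wep_default_key=0
wep_key0=0102030405
"""

# Constructed sample: WPA2 (RSN) with CCMP/AES and 802.1x/EAP against a RADIUS server.
STRONG_AP = """
ssid=agency-wlan
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=CONSTRUCTED-PLACEHOLDER
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_AP), ("strong", STRONG_AP)):
        print(name, [(f.severity, f.setting, f.concern) for f in audit_text(text)])
```

The strong configuration is the deck's own recommendation in hostapd terms: 802.11i (RSN) with CCMP/AES and 802.1x, with user authentication delegated to a RADIUS server. Which EAP method that server offers (EAP-TLS with two certificates versus LEAP with none) is configured on the server side, not in this file, so it is outside what the script can check.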
Page 19
Best Practices to implement & maintain data security – While Performing Day-to-Day Operations with WLANs
• Risk Analysis – Assess vulnerabilities of the Security Architecture
• Well Written Security Policies
• A Secure Environment for Applications that produce data – Strong Passwords
• Secure Servers where the data is stored – Robust Physical/Network Access
• Secure Network Level – Firewall, IPS, IPD, etc
• Protection against Rogue Access Points
Page 20
A Protection Methodology - Now that some of the risks are understood, some prevention methods in a network infrastructure will be discussed.
• a. Host Protection – Remote Users
• b. Data Encryption – Remote Users & Internal Network
• c. Access Methods – Client vs Clientless VPNs
• d. Authentication Technologies – Control Access to Resources
• e. Endpoint Security Compliance – Minimum Requirements for Access
• f. Protecting Internal Systems – Modular Approach
• g. Environments Favorable to Working with Wireless - Firewalls, Anti-Virus, Strong Authentication, etc.
Page 21
Example of a Secure Wireless/Wired Network Infrastructure
Page 22
a. Host Protection (Remote User) – A centrally managed anti-virus platform is key
Protecting a remote host is paramount to protecting corporate data, assets and services. This can be accomplished by using a centrally managed anti-virus platform that:
• Provides visibility to remote systems upon connection
• Pushes updates to remote systems
• Synchronizes log information
A centrally managed host firewall platform that resides on the laptops and also provides some form of intrusion detection/ prevention will protect a remote host and the internal network.
Visibility on connection attempts and intrusion attempts will enable system administrators to fine-tune and adjust the technical controls and strengthen the overall posture of the organization.
Page 23
b. Data Encryption - provides a measure of confidentiality
• Users need to be aware of the risks associated with data on mobile devices. Ask yourself “what will be the situation if this device is lost or stolen?”
• Data encryption provides a measure of confidentiality if the laptop were to be lost, stolen or accessed by an unauthorized individual.
• This can be accomplished by numerous commercially available products.
• One drawback to the use of data encryption is the potential for a user to experience latency while working with encrypted files.
Page 24
c. Access Methods – A case for Client VPN (Fat Client)
A traditional virtual private network (VPN) connection that utilizes industry standard encryption can provide local-like access to remote resources.
VPNs typically require the use of a client or software utility that provides the mechanism for remote connectivity.
VPN clients can provide a level of security to the remote host by disallowing unsolicited connections from unauthorized hosts.
Page 25
c. Access Methods – A case for Clientless VPN (Thin Client)
Clientless VPNs are becoming more popular and are implemented using secure sockets layer (SSL) technology. These operate in the same manner as a secured website (online banking) and can provide an access capability similar to a client VPN.
There are limitations as to the types of services that can be used, but many of these limitations can be overcome by implementing enhancements such as web-enabled application servers.
Web-enabled application services, e.g. Citrix, can also mitigate many of the issues relative to client VPNs.
This approach provides only a “window” for the remote user to perform tasks, while using the operating system and resources of the application server.
System administrators can focus much of their effort on maintaining the application server and less on the remote hosts.
Page 26
d. Authentication Technologies - To control access to resources
User authentication is the method used to control access to resources and ensure that only authorized individuals are permitted access to internal systems.
A standard username and password are the primary credentials required for access to most systems. These, however, can be easily compromised or guessed if a strong password policy isn’t implemented and enforced.
Two-factor authentication is a method that combines something you know (word, phrase, or numbers) with something you have (token). This method of access ensures that only individuals in possession of a device (token) with the correct PIN can gain entry to corporate resources.
Brute force attacks launched against a corporate asset protected by two-factor authentication are futile.
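The slide describes two-factor access as something you know (a PIN) combined with something you have (a token), and notes that brute force against it is futile. The presentation names no particular token type; as an added example that is not the presentation's own, the Python below verifies that combination using a time-based one-time-password token (RFC 6238 TOTP over RFC 4226 HOTP, implemented with the standard library only) as the "something you have". The PIN is stored only as a salted PBKDF2 hash, both factors are always evaluated and compared in constant time, and a small failed-attempt counter locks the account so that guessing cannot run unbounded. The `TwoFactorGate` class, its lockout policy, the salt, the sample PIN and the token secret are constructed for this example.

```python
"""Added example: PIN + time-based token verification with lockout.
HOTP/TOTP follow RFC 4226 / RFC 6238; the gate policy is constructed."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at // step), digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Something you know, never stored in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TwoFactorGate:
    """Constructed policy: both factors must match, and after `max_failures`
    bad attempts the account is locked until an administrator resets it."""

    def __init__(self, pin: str, token_secret: bytes, max_failures: int = 5):
        self.salt = b"constructed-salt-for-example"   # use os.urandom(16) in practice
        self.pin_hash = hash_pin(pin, self.salt)
        self.token_secret = token_secret                # shared with the user's token
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def verify(self, pin: str, code: str, at: float = None, window: int = 1) -> bool:
        """Return True only when PIN and current token code both match."""
        if self.locked:
            return False
        at = time.time() if at is None else at
        pin_ok = hmac.compare_digest(hash_pin(pin, self.salt), self.pin_hash)
        # Accept the current 30 s step plus `window` steps either side for clock
        # drift; evaluate every candidate so timing does not reveal which matched.
        candidates = [hmac.compare_digest(totp(self.token_secret, at + k * 30), code)
                      for k in range(-window, window + 1)]
        code_ok = any(candidates)
        if pin_ok and code_ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"        # RFC 6238 test-vector secret
    gate = TwoFactorGate("4321", secret)    # constructed PIN
    print("code at t=59:", totp(secret, 59))
    print("admit:", gate.verify("4321", totp(secret, 59), at=59))
```

The lockout is what makes the slide's "futile" claim hold in practice: a six-digit code alone has only a million values, so the guard is the combination of a second factor, a short validity window, and a bounded number of attempts, not the code length by itself.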
Page 27
e. Endpoint Security Compliance - minimum requirements for access
• Written policy, standards and guidelines are important and must address such issues as support, operating systems, minimum browser versions and minimum patch levels.
• This policy should also state what is prohibited, such as user-installed applications or spyware.
• This security policy enforcement can be accomplished with technical controls as a user attempts to connect to the network.
Page 28
e. Endpoint Security Compliance – (Cont’d)
• Hosts can be audited for domain membership, the existence and status of anti-virus software, patch revision levels, intrusion detection signature revision levels and operating system configuration.
• Checks can also be performed to ensure that rogue software is not present on the machine, such as peer-to-peer file sharing applications and instant messaging.
• Checking the remote host “at the door”, prior to allowing access to internal resources, is a measure that can prevent the introduction of a multitude of issues to a protected network.
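The audit items listed above (domain membership, anti-virus presence and currency, patch and intrusion-detection signature levels, operating system configuration, and the absence of peer-to-peer or instant-messaging software) are exactly what a check "at the door" evaluates before a host is admitted. The Python below is an added example, not the presentation's or any access-control product's code: a policy expressed as plain data, a posture report as the connecting host would submit it, and an evaluation that returns an admit/deny decision with every failing requirement listed. The policy thresholds, product and software names, dates and host reports are constructed sample data.

```python
"""Added example: evaluate a remote host's posture report against a written
endpoint policy before granting network access. All values are constructed."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Policy:
    allowed_os: set                 # supported operating systems
    min_patch_level: dict           # os name -> minimum patch/service-pack level
    max_av_signature_age_days: int  # how stale anti-virus signatures may be
    min_ids_signature_version: int  # host IDS/IPS signature revision floor
    prohibited_software: set        # e.g. peer-to-peer and instant-messaging clients
    require_domain_member: bool = True


@dataclass
class HostReport:
    hostname: str
    os: str
    patch_level: int
    domain_member: bool
    av_installed: bool
    av_signature_date: date
    ids_signature_version: int
    installed_software: set = field(default_factory=set)


def evaluate_posture(report: HostReport, policy: Policy, today: date):
    """Return (admit, reasons). Every failing requirement is listed so the user
    and the help desk see the whole gap, not only the first failed check."""
    reasons = []
    if report.os not in policy.allowed_os:
        reasons.append(f"operating system {report.os!r} not supported")
    else:
        need = policy.min_patch_level.get(report.os, 0)
        if report.patch_level < need:
            reasons.append(f"patch level {report.patch_level} below minimum {need}")
    if policy.require_domain_member and not report.domain_member:
        reasons.append("host is not a domain member")
    if not report.av_installed:
        reasons.append("anti-virus not installed")
    else:
        age = (today - report.av_signature_date).days
        if age > policy.max_av_signature_age_days:
            reasons.append(f"anti-virus signatures are {age} days old")
    if report.ids_signature_version < policy.min_ids_signature_version:
        reasons.append("intrusion detection signatures out of date")
    rogue = sorted(report.installed_software & policy.prohibited_software)
    if rogue:
        reasons.append("prohibited software present: " + ", ".join(rogue))
    return (not reasons, reasons)


# Constructed policy, in the spirit of the written standards the slides call for.
POLICY = Policy(
    allowed_os={"Windows XP", "Windows 2000"},
    min_patch_level={"Windows XP": 2, "Windows 2000": 4},
    max_av_signature_age_days=7,
    min_ids_signature_version=120,
    prohibited_software={"p2p-client", "im-client", "spyware-toolbar"},
)
TODAY = date(2005, 9, 13)   # constructed evaluation date

GOOD_HOST = HostReport("laptop-01", "Windows XP", 2, True, True,
                       date(2005, 9, 10), 125, {"office-suite"})
BAD_HOST = HostReport("laptop-02", "Windows XP", 1, False, True,
                      date(2005, 8, 1), 100, {"office-suite", "p2p-client", "im-client"})

if __name__ == "__main__":
    for host in (GOOD_HOST, BAD_HOST):
        admit, why = evaluate_posture(host, POLICY, TODAY)
        print(host.hostname, "ADMIT" if admit else "DENY", why)
```

A host that fails is usually placed on a remediation segment rather than dropped outright; the returned reasons are what that segment's landing page or the help desk would show, which is why the check reports all of them.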
Page 29
f. Protecting Internal Systems – modular, VLANs, defense in depth
A solid network design will take a modular approach by placing resources in a manageable area that can be monitored and protected.
The use of virtual local area networks (VLANs) in conjunction with intrusion detection and intrusion prevention (IDS/IDP) systems can provide an additional layer of protection from potential attacks via remotely connected hosts. This method adds an additional layer of visibility to network activity internal to the organization.
Providing access to internal resources is necessary, but ensuring that the internal network is protected from home, hotel, airport and similar remote users is oftentimes overlooked.
Page 30
g. Environments Favorable to Wireless Computing - Firewall protection, anti-virus and strong authentication
Accessing the Internal Network is possible from many environments and across many types of potentially hostile networks.
To protect the remote device and its data while in these hostile environments, several minimum security controls should be in place:
Firewall protection, anti-virus and strong authentication for the remote access technology are essential.
Firewall protection can exist in the form of software on the PC, or in the form of hardware like the small consumer devices that are available.
Wireless hotspots, foreign corporate environments, hotel rooms, home networks and coffee shops are all capable of being “home” to a remote user, and all present threats to the “trusted” device while remote.
Page 31
Any Questions?
Dr. Lenny Superville, Ph.D.
Chief Information Officer (CIO)
Office of the State Auditor
2 S. Salisbury Street
20601 Mail Service Center
Raleigh, NC 27699-0601
Tele: (919) 807 7625
Fax: (919) 807 7647