
Intelligence and Information Solutions • Enterprise Security Solutions
Secure Infrastructure • Civilian Federal Security • Treasury

Securing Wireless Communications

A Presentation for the ISSA Central Virginia Chapter

Tad Steinberg

CISSP, CISA, CIA, CQA, CSSP

April 11, 2007

FOR ISSA CENTRAL VIRGINIA CHAPTER USE ONLY

Trends and Happenings: Information Security, Wireless Communication, Wireless Security

• Phishing, Malware and Social Engineering, Increased Targeted Attacks (ID Theft, Software Vulnerabilities) (Security Threats on the Rise in 2007 by Mike Paquett, The ISSA Journal, March 2007, Page 12)

• TJX Intrusions Exposed 45.7 Million Credit and Debit Cards (March 28 & 29, 2007) (SANS NewsBites, Volume IX, Issue 26)

• Vendors are now coming out with plug-and-play tools that make wireless networking relatively pain free. (Trends in Wireless Networking, by Drew Robb, March 16, 2006, Small Business Computing.com)

• Wi-Fi®/Mobile Convergence Benefits Would Entice Many Subscribers to Switch Wireless Carriers and Abandon Landlines (Wi-Fi Alliance, March 26, 2007, http://www.wi-fi.org/pressroom_overview.php?newsid=507)

• Demand for Secure Wireless Communication Grows - Wireless Benefits Outweigh Drawbacks (http://www.washingtontechnology.com/ad_sup/solutions-systems/solutions-systems5.html - April 3, 2007)

• VPNs Complement Wireless Technology (http://www.washingtontechnology.com/ad_sup/solutions-systems/solutions-systems5.html - April 3, 2007)


Background

• Wireless communication used for voice, data and converged communication

• Employees, contractors and business partners may use WLAN and other wireless technology off-premises to reach your networks

• The nature of wireless communications is such that physical cabling is being supplemented and in some cases replaced by radio waves or radio frequency as the transmission medium.

• Wireless communication also includes the use of infrared, satellite and RFID technologies

• Satellite communication serves as transport mechanism to support Internet service provider broadband access.

• RFID is used to support automated identification verification systems such as those used to support physical access control to secure areas.

• Infrared is deployed through remote control, wireless keyboard and wireless mouse devices.

• Reconsider communication threats and vulnerabilities

• Refine risk reduction measures or controls


Governing Bodies

• IEEE – Institute of Electrical and Electronics Engineers – professional society responsible for standardizing 802 networks.

• FCC – Federal Communications Commission – the U.S. regulatory agency governing telecommunications in this country.

• NIST – National Institute of Standards and Technology – U.S. government agency responsible for setting technology standards for the federal government.

• WiFi Alliance – a global, non-profit organization with the goal of driving the adoption of a single worldwide-accepted standard for high-speed wireless local area networking (1999)

802.11 Wireless Networks – The Definitive Guide, 2nd Edition, by Matthew S. Gast, O’Reilly Publications, 2005


Definitions & References

See Appendices


Standards

• 802.11 - First physical standard (1997), featured both frequency-hopping and direct sequence modulation techniques (Speed (S): 1 to 2 Mbps, Frequency Band (FB): 2.4 GHz)

• 802.11a - Second physical standard (1999), products not released until late 2000 (S: Up to 54 Mbps, FB: 5 GHz)

• 802.11b - Third physical standard (2001), second wave of products (S: 5.5 Mbps to 11 Mbps, FB: 2.4 GHz)

• 802.11d - Also referred to as the Global Harmonization standard. It is used in countries where systems using other standards in the IEEE 802.11 family are not allowed to operate. Enabling this standard operation on the access point causes the AP to broadcast the ISO country code for the country it is operating in as a part of its beacons and probe responses.

• 802.11F - Inter-Access Point Protocol is a recommendation that describes an optional extension to IEEE 802.11 that provides wireless access-point communications among multivendor systems.

• 802.11g - Fourth physical standard (2003), the most common technology included with laptops in 2005 (S: Up to 54 Mbps, FB: 2.4 GHz)

• 802.11h - The IEEE standard for Spectrum and Transmit Power Management Extensions. It solves problems like interference with satellites and radar using the same 5 GHz frequency band.

• 802.11i - Known as WPA2, is an amendment to the 802.11 standard specifying security mechanisms for wireless networks. 802.11i is the new security specification of the 802.11 standard. Consists of two components: IEEE 802.1x and Robust Security Network (RSN). The RSN is comprised of the following components: 802.1x, an EAP type (Protected Extensible Authentication (PEAP), EAP-Transport Layer Security (TLS), EAP-FAST etc.) for mutual authentication, and finally AES as the Layer 2 encryption algorithm.

• 802.11j - "Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications: 4.9 to 5 GHz Operation in Japan" is designed specially for the Japanese market. Finalized in 2004, the standard works in the 4.9 GHz to 5 GHz band to conform to the Japanese rules for radio operation for indoor, outdoor and mobile applications.

• 802.11n - Higher throughput improvements using MIMO (multiple input, multiple output antennas); a developing WLAN standard that will provide data rates in excess of 100 Mbps.

• 802.1x - The Port Based Network Access Control standard. Included in the IEEE 802.1x standard is EAP, which provides multiple user-based authentication methods (smart cards, Kerberos, PKI, etc.). EAP provides a standard method for user authentication in WLAN systems.


Protocols

• Primary wireless protocols include:

– Wireless Access Protocol (WAP)

– Wired Equivalent Privacy (WEP)

– Extensible Authentication Protocol (EAP)

– Temporal Key Integrity Protocol (TKIP)

– Counter Mode with CBC-MAC Protocol (CCMP)

– WiFi Protected Access (WPA/WPA2)

• The protocol used determines the security features

• Security protocols implemented above the link layer do not offer effective protection to the link layer, so higher-layer security should be augmented with additional host-based security

• Higher layer security protocols include IPsec, SSL and SSH

802.11 Wireless Networks – The Definitive Guide, 2nd Edition, by Matthew Gast, O’Reilly Publications


ISO Open System Interconnect Model

http://www.webopedia.com/quick_ref/OSI_Layers.asp


WEP Security

• WEP

– Rivest Cipher 4 (RC4) for confidentiality

– 64 or 128 bit encryption

– Concatenated packet key

– CRC-32 for data integrity

– No header integrity check

– No protection against replay attack

– EAP-based (optional)

Center for Internet Security Wireless Networking Benchmark, Version 1.0, April 2005


WPA Security

• WPA

– RC4 by default for confidentiality

– 64 bit authentication, 128 bit encryption

– Mixing function packet key

– Michael (message integrity check algorithm specified as part of TKIP) used for data integrity

– Michael used for header integrity check

– Uses initialization vector to protect against replay attack

– EAP-based

Center for Internet Security Wireless Networking Benchmark, Version 1.0, April 2005


WPA2 Security

• WPA2

– AES by default for encryption and confidentiality (RSN); TKIP for encryption and MIC for integrity also supported for less capable equipment

– 128 bit encryption

– Packet key not needed

– Counter-Mode/CBC-MAC Protocol (CCMP) used for data integrity

– CCMP used for header integrity check

– Uses initialization vector to protect against replay attack

– EAP-based

Center for Internet Security Wireless Networking Benchmark, Version 1.0, April 2005


Infrastructure

• Modems

• Routers/Access Points

• Handsets/Cell Phones

• Antennas/Dishes

• Conventional Computer Platforms

• Bluetooth


Applications

• Office Wireless Local Area Network (WLAN)

• Home WLAN

• Public Hotspots

• Mobility

• RFID

• Wireless Wide Area Network (WWAN)


Threats

• Breach of privacy and confidentiality

• Unavailable service

• Alteration or loss of information

• Malicious code contamination

• Wireless hacking


Vulnerabilities

• Unauthorized service use

• Unauthorized traffic monitoring

• Service disruption predominantly through jamming

• Unauthorized traffic interception and alteration

• Wireless network component (handset, router, server, client workstation) compromise


Security Framework

• NIST – Management, Operational, Technical Controls

Security control families and their identifiers, by control class:

Management Family
– Risk Assessment (RA)
– Planning (PL)
– System and Services Acquisition (SA)
– Certification, Accreditation, and Security Assessments (CA)

Operational Family
– Personnel Security (PS)
– Physical and Environmental Protection (PE)
– Contingency Planning (CP)
– Configuration Management (CM)
– Maintenance (MA)
– System and Information Integrity (SI)
– Media Protection (MP)
– Incident Response (IR)
– Awareness and Training (AT)

Technical Family
– Identification and Authentication (IA)
– Access Control (AC)
– Audit and Accountability (AU)
– System and Communications Protection (SC)


Management Controls

• The client workstation originating the transmission to networks through a WLAN must be authorized

• The server receiving the transmission from a WLAN must be an authorized server

• Authorized cell phone devices will be used to access networks.


Operational Controls

• Wireless security awareness training provided to user community

• WLAN routers and handset configurations and other content baselined and backed up to facilitate operational continuity and configuration management

• Wireless device configuration baselines compared to current configuration to detect abnormalities.

• WLAN routers, cell phone handsets, and client workstations afforded sufficient physical security to preclude system compromise, theft or destruction.

• WLAN router and PDA/Cell (Blackberry) firmware will be updated with the latest software releases and patches


Technical Controls

• Client workstation originating the transmission must be hardened

– Client workstations will enforce user: system identities, authentication, authorization, and logging.

– Workstation will contain a firewall, intrusion detection system (IDS), malicious code protection and current security patches

– Unnecessary system services will be deactivated

– File/printer sharing with unauthorized workstations will be disabled

– Plugins will be disabled except for those considered essential.

• The server receiving the transmission will also be hardened

• WLAN will be configured to support virtual private networks (VPN)

• Strong authentication will be used by authorized system users attempting to gain access to networks from remote locations

• Only 802.11g compliant or later wireless communication equipment will be used and such equipment will undergo MAC address filtering


Technical Controls

• Wireless communication equipment deployed will utilize the WPA2 security protocol in personal mode when accessing your networks

• Alternatively, the WLAN router or access point encryption protocol (WEP) will be used with an approved VPN for transmission encryption utilizing the maximum key size available. The encryption key will also be changed periodically

• WLAN router will be configured so that the Service Set Identifier (SSID) will be suppressed from repeated broadcasting

• If SSID broadcasting is not suppressed, the WLAN router will be configured to maximize the beacon interval so that SSID broadcast is infrequent

• WLAN router will be configured so that the SSID will be changed from the default value specified by the manufacturer


Technical Controls

• WLAN router will be configured so that default cryptographic keys are changed

• WLAN router will be configured so that the default channel is changed from that specified by the manufacturer to lessen radio frequency interference

• If SNMP is used to monitor the WLAN router or access point, deploy SNMP version 3. If SNMP is not used, disable the SNMP feature

• If feasible, disable DHCP and use static IP addresses on the wireless network to lessen the probability of hacker wireless network access

• Default administrator password on WLAN router will be changed to one that is compliant with password policy

• The broadband service modem used with the wireless router will be registered and undergo MAC address filtering by the broadband service provider

• Authorized Blackberry or other PDA devices will be configured to require password-based user authentication and these devices will undergo MAC address filtering and certificate-based device authentication
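
The WLAN router and access point controls on this slide and the previous one can be checked mechanically against an exported device configuration. The Python auditor below is an added example, not part of the original presentation; the configuration keys, control IDs, factory SSID list and 90-day key rotation period are assumptions chosen for illustration.

```python
# Added example: config keys, control IDs and the factory-SSID list are
# assumptions for illustration, not any vendor's schema.

FACTORY_SSIDS = {"linksys", "netgear", "default", "dlink", "wireless"}  # constructed


def audit_wlan_config(cfg, max_key_age_days=90):
    """Check one router/AP config dict against the slides' technical controls.

    A missing key is treated as the insecure value (fail closed).
    Returns a list of (control_id, severity, message) tuples.
    """
    findings = []

    def add(control_id, severity, message):
        findings.append((control_id, severity, message))

    # Link encryption: WPA2, or WEP only together with an approved VPN
    security = str(cfg.get("security", "OPEN")).upper()
    if security == "WEP":
        if not cfg.get("vpn_required", False):
            add("ENC-1", "FAIL", "WEP in use without an approved VPN")
        if cfg.get("wep_key_bits", 0) < cfg.get("wep_max_key_bits", 128):
            add("ENC-2", "FAIL", "WEP key shorter than the device maximum")
        if cfg.get("key_age_days", max_key_age_days + 1) > max_key_age_days:
            add("KEY-2", "FAIL", "WEP key overdue for its periodic change")
    elif not security.startswith("WPA2"):
        add("ENC-1", "FAIL", f"{security} is neither WPA2 nor WEP plus VPN")

    if cfg.get("key_is_factory_default", True):
        add("KEY-1", "FAIL", "default cryptographic key not changed")

    # SSID: changed from the factory value, and suppressed or rarely beaconed
    ssid = str(cfg.get("ssid", ""))
    if not ssid or ssid.lower() in FACTORY_SSIDS:
        add("SSID-1", "FAIL", "SSID missing or still a factory default")
    if cfg.get("ssid_broadcast", True):
        if cfg.get("beacon_interval", 0) < cfg.get("beacon_interval_max", 1):
            add("SSID-2", "FAIL", "SSID broadcast on, beacon interval not maximized")

    if cfg.get("channel") == cfg.get("factory_channel"):
        add("CHAN-1", "FAIL", "channel unchanged from the factory setting")

    # SNMP: version 3 if used, otherwise disabled
    if cfg.get("snmp_enabled", True) and cfg.get("snmp_version") != 3:
        add("SNMP-1", "FAIL", "SNMP enabled with a version other than 3")

    # The slide qualifies this control with "if feasible", so it is a warning
    if cfg.get("dhcp_enabled", True):
        add("DHCP-1", "WARN", "DHCP enabled; static addressing preferred")

    if cfg.get("admin_password_is_default", True):
        add("ADMIN-1", "FAIL", "default administrator password not changed")

    return findings


def failed_controls(cfg):
    """Sorted IDs of the controls that failed outright (warnings excluded)."""
    return sorted(cid for cid, sev, _ in audit_wlan_config(cfg) if sev == "FAIL")


# Constructed sample configurations
COMPLIANT = {
    "security": "WPA2-PSK", "key_is_factory_default": False,
    "ssid": "cv-ops-7", "ssid_broadcast": False,
    "channel": 11, "factory_channel": 6,
    "snmp_enabled": False, "dhcp_enabled": False,
    "admin_password_is_default": False,
}
LEGACY_WEP_VPN = {
    "security": "WEP", "vpn_required": True,
    "wep_key_bits": 128, "wep_max_key_bits": 128, "key_age_days": 30,
    "key_is_factory_default": False,
    "ssid": "cv-ops-7", "ssid_broadcast": True,
    "beacon_interval": 1000, "beacon_interval_max": 1000,
    "channel": 1, "factory_channel": 6,
    "snmp_enabled": True, "snmp_version": 3, "dhcp_enabled": False,
    "admin_password_is_default": False,
}
FACTORY = {
    "security": "WEP", "wep_key_bits": 64, "wep_max_key_bits": 128,
    "ssid": "linksys", "ssid_broadcast": True,
    "beacon_interval": 100, "beacon_interval_max": 1000,
    "channel": 6, "factory_channel": 6,
    "snmp_enabled": True, "snmp_version": 1, "dhcp_enabled": True,
}

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("legacy", LEGACY_WEP_VPN),
                      ("factory", FACTORY)):
        print(name, audit_wlan_config(cfg))
```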


Technical Controls

• Authorized Blackberry and other PDA devices will invoke FIPS 140-2 compliant and approved encryption algorithms with dynamic key management.

• WLAN routers will be configured to deploy network address translation (NAT) and other embedded firewall services to prevent unauthorized access to the router itself, client workstations, and handsets to prevent system compromise and corruption

• Facilities will undergo regular, random wireless network scanning using approved wireless intrusion detection systems (WIDS). Owners and users of unauthorized WLANs will be subject to disciplinary action


Technical Controls

• Bluetooth accessory deployment requires that data link level encryption and authentication protocols are used, with only trusted devices, through the configuration specification of: Security Mode 3, Encryption Mode 3, Service Level 1 and Trusted

• Ad hoc mode WLAN configurations will not be deployed to support communication. Rather, infrastructure-mode WLAN configurations will be used.


Technical Controls

• RFID devices will include encryption of personally identifiable information (PII) and other data supporting identity verification to prevent its unauthorized duplication and exploitation.

• WWAN communication deployment will be supported by encryption and authentication available through mobile WiMAX or cellular data networks. Mobile WiMAX supports mutual device/user authentication, flexible key management protocol, strong traffic encryption, control and management plane message protection. Alternatively, equivalent security services can be used through supporting technologies such as those provided through VPN technology.

• Cordless telephones are not to be used for sensitive voice communication.


Ongoing Wireless Security Operations

• Wireless Architecture

– Degree of risk

– Level of protection

– Defense in Depth

• Wireless Enrollment

• Detecting Rogue Access Points

• Repair/Replace Components

• Credentials Maintenance

• Ongoing Risk Management
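
Rogue access point detection, like the regular WIDS scanning required under the technical controls, comes down to comparing what a survey observes against the inventory of authorized access points. The Python example below is added here and is not part of the original presentation; the inventory, the survey export, its column layout, the reason labels and the -75 dBm on-premises threshold are all constructed assumptions.

```python
import csv
import io

# Constructed inventory of authorized access points (BSSID -> expected settings)
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "cv-ops-7", "channel": 11, "encryption": "WPA2"},
    "00:11:22:33:44:02": {"ssid": "cv-ops-7", "channel": 1, "encryption": "WPA2"},
}

# Constructed survey export; the column layout is an assumption, not a tool's format
SAMPLE_SCAN = """\
bssid,ssid,channel,encryption,mode,rssi_dbm
00:11:22:33:44:01,cv-ops-7,11,WPA2,infrastructure,-48
00-11-22-33-44-02,cv-ops-7,1,WEP,infrastructure,-55
66:77:88:99:AA:01,cv-ops-7,6,OPEN,infrastructure,-60
66:77:88:99:aa:02,printer-setup,6,OPEN,adhoc,-52
66:77:88:99:aa:03,CoffeeShop,3,WPA2,infrastructure,-88
"""


def normalize_bssid(raw):
    """Lower-case, colon-separated form so inventory lookups are reliable."""
    return raw.strip().lower().replace("-", ":")


def review_scan(scan_csv, inventory, onsite_rssi_dbm=-75):
    """Return {bssid: [reasons]} for every observation that needs follow-up.

    Known BSSIDs are checked for drift from their inventory record.
    Unknown BSSIDs are flagged when they advertise a corporate SSID, or
    when the signal is strong enough to suggest they are on the premises.
    """
    corporate_ssids = {ap["ssid"] for ap in inventory.values()}
    flagged = {}
    for row in csv.DictReader(io.StringIO(scan_csv)):
        bssid = normalize_bssid(row["bssid"])
        on_premises = int(row["rssi_dbm"]) >= onsite_rssi_dbm
        expected = inventory.get(bssid)
        reasons = []

        if expected is not None:
            # Authorized hardware whose settings no longer match the record
            if row["ssid"] != expected["ssid"]:
                reasons.append("drift:ssid")
            if int(row["channel"]) != expected["channel"]:
                reasons.append("drift:channel")
            if row["encryption"].upper() != expected["encryption"]:
                reasons.append("drift:encryption")
        elif row["ssid"] in corporate_ssids:
            # Corporate network name on hardware that is not in the inventory
            reasons.append("unlisted-bssid-using-corporate-ssid")
        elif on_premises:
            reasons.append("unauthorized-ap-on-premises")

        # Policy above forbids ad hoc mode; weak distant signals are ignored
        if row["mode"].strip().lower() == "adhoc" and on_premises:
            reasons.append("adhoc-mode")

        if reasons:
            flagged[bssid] = reasons
    return flagged


if __name__ == "__main__":
    for bssid, reasons in review_scan(SAMPLE_SCAN, AUTHORIZED_APS).items():
        print(bssid, ", ".join(reasons))
```

A distant neighbouring network (the constructed CoffeeShop entry) is not reported at the default threshold, which keeps the follow-up list limited to devices likely to be inside the facility.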


Wireless Architecture Example (CIS)


Wireless Sniffers

• Netstumbler www.netstumbler.com, http://www.netstumbler.com/downloads/

• Kismet http://www.kismetwireless.net/

• AirSnort http://airsnort.shmoo.com/

• Airtraf http://sourceforge.net/projects/airtraf, http://airtraf.sourceforge.net/

• APhunter http://www.math.ucla.edu/~jimc/mathnet_d/download.html

• AP Radar http://apradar.sourceforge.net/

• BSD-Airtools http://www.dachb0den.com/projects/bsd-airtools.html

• Dstumbler http://www.dachb0den.com/projects/dstumbler.html

• Get-scanner http://sourceforge.net/projects/wavelan-tools

• PocketWarrior PocketPC http://sourceforge.net/projects/pocketwarrior/

• Mognet, an 802.11b Protocol Analyzer in Java http://node99.org/projects/mognet/

Assessing the security of a wireless environment, by Michael Gough, John Rhoton, 2005, Center for Internet Security (CIS) Wireless Assessment, Version 2.0


Wireless Sniffers

802.11 based Linux software

• Prism Stumbler http://prismstumbler.sourceforge.net/

• Pocket Warrior http://www.pocketwarrior.org/

• Wellenreiter http://www.wellenreiter.net/

• WIFIscanner http://sourceforge.net/projects/wifiscanner/

• AirJack http://sourceforge.net/projects/airjack/

• WifiScanner http://www.hsc.fr/ressources/outils/wifiscanner/

• WaveStumbler http://www.cqure.net/tools.jsp?id=08

• Ethereal http://www.ethereal.com/

Assessing the security of a wireless environment, by Michael Gough, John Rhoton, 2005, CIS Wireless Assessment, Version 2.0


Other Considerations Regarding Wireless Technology

• Ergonomics

– Repetitive stress disorders – PDA/Cell Phone Text Messaging, Email

• Component Durability

– Unplanned obsolescence, fragile, hard to handle

• Component Loss and Theft Potential

• Integration and Synchronization

• Convenience

• Legal

• Cost


What’s Next – Future of Wireless According to Tad

• Expanded Use (clarity, convenience)

• Continued Focus on Security

• Growth in Wireless Security Assessments

• Growth in Wireless IDS

• Growth in Ergonomic Issues

• Growth in Wireless Hacking


Questions/Comments

• Will this be your organization if you do not secure wireless communications?

http://www.securitywizardry.com/cartoons.htm


Appendix - Definitions

• Radio Waves or Radio Frequency (RF): A term that refers to alternating current (AC) having characteristics such that, if the current is input to an antenna, an electromagnetic (EM) field is generated suitable for wireless broadcasting and/or communications. These frequencies cover a significant portion of the electromagnetic radiation spectrum, extending from nine kilohertz (9 kHz), the lowest allocated wireless communications frequency (it's within the range of human hearing), to thousands of gigahertz (GHz). Many types of wireless devices make use of RF fields. Cordless and cellular telephone, radio, and television broadcast stations, satellite communications systems, and two-way radio services all operate in the RF spectrum.


Definitions

• Wired Equivalent Privacy (WEP): A standard for ciphering individual data frames. It was intended to provide minimal privacy and has succeeded in this respect.

• Wi-Fi Protected Access (WPA/WPA2): A security standard based on 802.11i draft 3. The Wi-Fi Alliance took 802.11i draft 3 and began certifying compliance with early TKIP implementation to accelerate adoption of 802.11 security protocols. WPA2 is based on the full ratified version of 802.11i.

• Strong Authentication is defined as authentication using one-time or session passwords, challenge and response protocols, digital signatures, or encryption.

• Wireless Hacking refers to techniques and tools used to compromise the integrity of wireless technologies and exploit vulnerabilities.


Definitions

• Infrared is an invisible band of radiation at the lower end of the visible light spectrum. With wavelengths from 750 nm to 1 mm, infrared starts at the end of the microwave spectrum and ends at the beginning of visible light. Infrared (IR) is a form of wireless communications commonly used with devices such as remote controls, cordless computer keyboards, mouse devices, and wireless hi-fi stereo headsets, all of which require a direct line of sight between the transmitter and the receiver.

• Radio frequency identification (RFID) is a technology that incorporates the use of electromagnetic or electrostatic coupling in the radio frequency portion of the electromagnetic spectrum to uniquely identify an object, animal, or person. RFID is coming into increasing use in industry as an alternative to the bar code.

• Satellite Communication is normally used by geographically dispersed organizations and offers a viable alternative to ground-based communications in the event of a disaster. Furthermore, a communications satellite (sometimes abbreviated to comsat) is an artificial satellite stationed in space for the purposes of telecommunications or reconnaissance using radio at microwave frequencies. Most communications satellites use geosynchronous orbits or near-geostationary orbits, although some recent systems use low Earth-orbiting satellites. A location on the ground that satellite dishes use to transmit to or receive from the satellite is referred to as an earth station or teleport.


Definitions

• Ad hoc mode networks, as the name suggests, have no supporting infrastructure. Ad hoc mode networks are comprised of a dynamic set of cooperating peers, which share their wireless capabilities with other similar devices to enable communication with devices not in direct radio-range of each other, effectively relaying messages on behalf of others.

• Infrastructure Mode is when an access point connects wireless stations to each other or to a distribution system, typically a wired network. Infrastructure mode is the most commonly used mode for WLANs.

• Mobile WiMAX is a broadband wireless solution based upon the IEEE 802.16 standard that enables convergence of mobile and fixed broadband networks through a common wide area broadband radio access technology and flexible network architecture.

• Wireless metropolitan area networks (WMAN): networks that can provide connectivity to users located in multiple facilities that are generally within a few miles of each other.


Definitions

• Wireless Wide Area Networks (WWAN): networks that connect individuals and devices over large geographic areas, often globally. WWANs are typically used for cellular voice and data communications, as well as satellite communications.

• Wireless personal area networks (WPAN): Small-scale wireless networks that require little or no infrastructure. A WPAN is typically used by a few devices in a single room instead of connecting the devices with cables. For example, WPANs can provide print services or enable a wireless keyboard or mouse to communicate with a computer.

• IEEE 802.15.1 (Bluetooth): This WPAN standard is designed for wireless networking between small portable devices. Bluetooth operates at 2.4 GHz and has a maximum data rate of approximately 720 kilobits per second (Kbps).


Appendix - References

• National Institute of Standards and Technology: Federal Information Processing Standards (FIPS), Publication 140-2, Security Requirements for Cryptographic Modules, May 25, 2001

• National Institute of Standards and Technology: Special Publication 800-53, Recommended Security Controls for Federal Information Systems, February 2005 (AC-17, AC-18, AC-19, AC-20)

• National Institute of Standards and Technology: Special Publication 800-46, Security for Telecommuting and Broadband Communications, August 2002

• National Institute of Standards and Technology: Special Publication 800-48, Wireless Network Security 802.11, Bluetooth and Handheld Devices, November 2002

• Draft Special Publication 800-97, Guide to IEEE 802.11i: Robust Security Networks, June 5, 2006


References

• NIST SP 800-46: Provides guidance on telecommuting using broadband communications from remote locations with a focus on home-based wireless local area networks.

• NIST SP 800-48: Provides guidance on wireless network security with particular emphasis on the IEEE 802.11b and Bluetooth standards.

• NIST SP 800-97 (Draft): Provides guidance on IEEE 802.11i and recommendations for securing wireless local area networks.

• http://wiki.personaltelco.net/index.cgi/WirelessSniffer

• http://www.linux-sec.net/Wireless/Sniffers/

• http://sourceforge.net/

• http://wifinetnews.com/

• 802.11 Wireless Networks – The Definitive Guide, 2nd Edition, Matthew S. Gast, O’Reilly Publications, 2005

• Wireless Networking Benchmark, Version 1.0, Center for Internet Security (CIS), April 2005

• Assessing Wireless Networks, CIS, April 2005

• Wireless Hacks, Rob Flickenger, O’Reilly Publications, 2003