Wireless Home Security
by Adrian Mikeliunas, CISSP, CLP x 33478 - ISGGC
Agenda
• Wireless LAN: Basic concepts
• Network components
• Configuration modes
– Ad hoc mode (peer to peer)
– Infrastructure mode (Access Point)
• Security
– Wi-Fi Protected Access with preshared key
• Feedback
Wireless LAN – WHY?
• Convenience
– Mobile (great for laptops!)
– Less expensive than conventional wiring
• Cool factor
• Drawbacks?
– Subject to interference
– Sharing your network with the world…
Wireless Support in Windows
Wireless Configuration Service
• Discovers wireless LANs in proximity
• Notifies user about wireless LAN
• Stores and retrieves user-preferred configurations
• Dynamically selects the wireless LAN to be joined
• Dynamically detects addition/removal of wireless adapters
Wireless Configuration Service in Windows
• Discovers wireless LANs in the proximity and notifies user
Wireless LAN Specs
• 802.11a (older)
– 5-GHz band
– 54 Mbps “raw” (throughput ~25 Mbps)
• 802.11b (most popular)
– 2.4-GHz band
– 11 Mbps “raw” (throughput ~6 Mbps)
• 802.11g (latest & greatest)
– 2.4-GHz band
– 54 Mbps “raw” (throughput ~25 Mbps)
Wireless LAN – Concepts
• Ad hoc mode (peer-to-peer)
– Wireless clients connect directly
• Infrastructure mode
– Requires access points (AP)
– All wireless clients connect through the AP
Wireless LAN – Acronyms
• SSID – Service set identifier
• WEP – Wired Equivalent Privacy
• WPA – Wi-Fi Protected Access
• WPA-PSK – WPA with preshared key
• TKIP – Temporal Key Integrity Protocol
• AES – Advanced Encryption Standard
Home Wireless Networks
Peer-to-Peer Configuration
• No AP (Ad Hoc)
• Internet Connection Sharing
[Diagram: wireless clients communicate over the wireless medium (WM) with a home PC that has a wireless adapter in ad hoc mode and its Internet connection shared; the home PC connects to the Internet (cable modem, DSL, dial-up…)]
Home Wireless Networks in Ad Hoc Mode
• Share the Internet Connection on the PC
• Turn on Internet Connection Firewall
Home Wireless Networks in Ad Hoc Mode (2)
• Add an ad hoc network to the preferred list
• Use maximum WEP key length (104 bit, input 13 characters)
Home Wireless Networks
Infrastructure Configuration
• AP connected to cable or DSL modem
[Diagram: wireless clients communicate over the wireless medium (WM) with a wireless base station (access point and router); a home PC and a wired client are also shown; the base station connects to the Internet (cable modem, DSL…)]
Home Wireless Networks in Infrastructure Mode
• AP requires configuration (do not keep default configuration)
– Open authentication without encryption
– Default SSID
• Levels of wireless security
– Nonbroadcast SSID
– Media Access Control (MAC) address filtering
– WEP
AP Configuration
• Connect AP to PC
• From web browser connect to AP
– Broadband details
– LAN details
– Security
Infrastructure Mode
Nonbroadcast SSID
• SSID is required to associate to an AP.
• General operation: 802.11 beacon advertises the SSID of the network every 100 ms.
• Nonbroadcast case: Still must be sent to associate (associate request).
• Nonbroadcast means waiting longer for the SSID (sniff).
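To make the point on this slide concrete, here is an added example (not from the original presentation) that parses the body of a constructed 802.11 Beacon and a constructed Association Request and reports where the SSID appears. With a nonbroadcast SSID the beacon carries an empty SSID element, but the Association Request still names the network in clear. The frame bytes, the network name "HomeNet" and the function names are constructed for this example; the field layouts (beacon interval in 1024 µs time units, capability bit 4 = privacy, SSID element ID 0) follow the 802.11 standard.

```python
# Added example (not from the original slides): a minimal parser for the
# body of two 802.11 management frames, the Beacon and the Association
# Request, to show where the SSID travels in each.  The frame bytes below
# are constructed for this example; real frames also carry an 802.11 MAC
# header and FCS, which are omitted here.
import struct

SSID_ELEMENT_ID = 0      # Element ID of the SSID information element
TIME_UNIT_US = 1024      # one 802.11 time unit (TU) in microseconds


def parse_elements(body):
    """Return (element_id, data) pairs from a run of information elements
    (each element is: ID byte, length byte, data)."""
    elements = []
    offset = 0
    while offset + 2 <= len(body):
        eid, length = body[offset], body[offset + 1]
        data = body[offset + 2: offset + 2 + length]
        if len(data) != length:
            raise ValueError("truncated information element")
        elements.append((eid, data))
        offset += 2 + length
    return elements


def parse_beacon(body):
    """Beacon body: timestamp(8) | beacon interval(2, TUs) | capability(2) | elements."""
    if len(body) < 12:
        raise ValueError("beacon body too short")
    _timestamp, interval_tu, capability = struct.unpack_from("<QHH", body, 0)
    elements = dict(parse_elements(body[12:]))
    ssid = elements.get(SSID_ELEMENT_ID, b"")
    return {
        "ssid": ssid.decode("utf-8", "replace"),
        # "hidden" SSIDs are sent as a zero-length element, or as NUL bytes
        "ssid_hidden": ssid == b"\x00" * len(ssid),
        "beacon_interval_ms": interval_tu * TIME_UNIT_US / 1000.0,
        "privacy": bool(capability & 0x0010),   # capability bit 4: encryption required
    }


def parse_association_request(body):
    """Association Request body: capability(2) | listen interval(2) | elements."""
    if len(body) < 4:
        raise ValueError("association request body too short")
    elements = dict(parse_elements(body[4:]))
    return {"ssid": elements.get(SSID_ELEMENT_ID, b"").decode("utf-8", "replace")}


def ssid_element(ssid):
    """Build an SSID information element from raw SSID bytes."""
    return bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid


# Constructed sample frame bodies (not captured traffic).
# 100 TU beacon interval = 102.4 ms, which is the "every 100 ms" on the slide.
HIDDEN_BEACON = struct.pack("<QHH", 0, 100, 0x0011) + ssid_element(b"")        # ESS + privacy
OPEN_BEACON = struct.pack("<QHH", 0, 100, 0x0001) + ssid_element(b"HomeNet")   # ESS, no privacy
ASSOC_REQUEST = struct.pack("<HH", 0x0011, 10) + ssid_element(b"HomeNet")      # client names the SSID

if __name__ == "__main__":
    print("hidden beacon:", parse_beacon(HIDDEN_BEACON))
    print("open beacon:  ", parse_beacon(OPEN_BEACON))
    print("assoc request:", parse_association_request(ASSOC_REQUEST))
```

The `privacy` flag is worth watching alongside the SSID: a beacon with an empty SSID but privacy cleared describes a network that is merely hidden, not protected.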
Infrastructure Mode
MAC Address Filtering
• Restricting access to the wireless LAN based on a table of valid MAC addresses
• Malicious user can easily try many MAC addresses until he finds one that works
• Wait to sniff traffic from a valid user and then use its MAC address
• MAC address table management overhead
Home Wireless Networks
WEP Encryption
• Each wireless client shares a key with AP
• Each packet is encrypted with shared key and initialization vector (IV)
• WEP key size 40 bit or 104 bit
• Multiple problems (can be broken)
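The following added example (not code from the presentation) models what the slide describes: each frame is encrypted with RC4 keyed by the 24-bit IV concatenated with the shared 40- or 104-bit key, and a CRC-32 integrity check value is appended. It also includes a defender-side check that flags IV reuse across a sequence of frames, since the same IV with the same key regenerates the same keystream and the 24-bit IV space is small. The key, frames and function names are constructed for this example.

```python
# Added example (not from the original slides): a pure-Python model of WEP
# frame encapsulation (RC4 keyed with IV || shared key, CRC-32 ICV) plus a
# monitor that flags IV reuse.  Keys and frames below are constructed.
import struct
import zlib

IV_BITS = 24
IV_SPACE = 1 << IV_BITS   # only 16,777,216 distinct IVs per shared key


def rc4(key, data):
    """Textbook RC4: key-scheduling, then the keystream XORed over data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def check_wep_key(key):
    """WEP keys are 40 bit (5 bytes) or 104 bit (13 bytes); return the bit length."""
    if len(key) not in (5, 13):
        raise ValueError("WEP key must be 5 or 13 bytes (40 or 104 bits)")
    return len(key) * 8


def wep_encapsulate(key, iv, plaintext):
    """Return IV(3) | key id(1) | RC4(IV || key, plaintext || CRC-32(plaintext))."""
    check_wep_key(key)
    if not 0 <= iv < IV_SPACE:
        raise ValueError("IV must fit in 24 bits")
    iv_bytes = iv.to_bytes(3, "big")
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv_bytes + b"\x00" + rc4(iv_bytes + key, plaintext + icv)


def wep_decapsulate(key, frame):
    """Undo wep_encapsulate; raise if the integrity check value does not match."""
    iv_bytes, body = frame[:3], frame[4:]
    data = rc4(iv_bytes + key, body)
    plaintext, icv = data[:-4], data[-4:]
    if struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF) != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def find_iv_reuse(frames):
    """Defender-side check: IVs that appear more than once in a sequence of
    WEP frames from one sender (same IV + same key = same keystream)."""
    seen, reused = set(), []
    for frame in frames:
        iv = int.from_bytes(frame[:3], "big")
        if iv in seen and iv not in reused:
            reused.append(iv)
        seen.add(iv)
    return reused


KEY = b"13-char-wepky"   # constructed 104-bit key (13 ASCII characters, as on slide 15)
SAMPLE_FRAMES = [         # constructed frames, not captured traffic
    wep_encapsulate(KEY, 0x000001, b"GET / HTTP/1.0"),
    wep_encapsulate(KEY, 0x000002, b"hello"),
    wep_encapsulate(KEY, 0x000001, b"reused IV!"),   # a client that restarted its IV counter
]

if __name__ == "__main__":
    print("key length:", check_wep_key(KEY), "bits")
    print("round trip:", wep_decapsulate(KEY, SAMPLE_FRAMES[0]))
    print("reused IVs:", find_iv_reuse(SAMPLE_FRAMES))
```

Note that a CRC-32 is a linear checksum, not a cryptographic MAC, so a matching ICV here only proves the frame was not corrupted in transit; it is one of the "multiple problems" the slide alludes to, and WPA's TKIP replaces it with a keyed integrity check.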
Home Wireless Networks in Infrastructure Mode
• Windows client configuration
Home Wireless Networks
Additional Protection:
• AT&T VPN
– Encrypts traffic from client before broadcast
– Just like a wired workstation
• WPA-PSK: 256-bit number
– Input passphrase: 8 to 63 bytes long
– TKIP: Replacement for WEP
• Rekeying: Encryption keys are changed after a specified time interval
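As an added example (not from the presentation), this shows how the 256-bit number on the slide is obtained from the 8 to 63 byte passphrase a user types: 802.11i derives the PSK with PBKDF2-HMAC-SHA1 using the SSID as salt, 4096 iterations and a 32-byte output, which is what Python's `hashlib.pbkdf2_hmac` computes. The passphrases, SSIDs and function names are constructed for this example; the "password"/"IEEE" pair is the standard's own published test vector.

```python
# Added example (not from the original slides): deriving the 256-bit WPA-PSK
# from a passphrase.  802.11i specifies
#   PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
# Sample passphrases and SSIDs are constructed values.
import hashlib
import secrets

MIN_PASSPHRASE, MAX_PASSPHRASE = 8, 63   # bytes, as stated on the slide
PSK_BYTES = 32                           # the "256-bit number"
PBKDF2_ROUNDS = 4096


def check_passphrase(passphrase):
    """Enforce the 8..63 byte rule and return the passphrase as bytes."""
    raw = passphrase.encode("utf-8")
    if not MIN_PASSPHRASE <= len(raw) <= MAX_PASSPHRASE:
        raise ValueError("passphrase must be 8 to 63 bytes")
    return raw


def derive_psk(passphrase, ssid):
    """Return the 256-bit PSK as 64 lowercase hex digits."""
    raw = check_passphrase(passphrase)
    psk = hashlib.pbkdf2_hmac("sha1", raw, ssid.encode("utf-8"), PBKDF2_ROUNDS, PSK_BYTES)
    return psk.hex()


def psk_from_input(value, ssid):
    """Accept either a passphrase or a raw 64-hex-digit PSK (the usual
    client/AP convention) and return the PSK as hex."""
    if len(value) == 64 and all(c in "0123456789abcdefABCDEF" for c in value):
        return value.lower()
    return derive_psk(value, ssid)


def random_passphrase(nbytes=24):
    """A generated passphrase fits easily under the 63-byte limit and is far
    stronger than a dictionary word, which PBKDF2's 4096 rounds alone cannot fix."""
    phrase = secrets.token_urlsafe(nbytes)
    return phrase[:MAX_PASSPHRASE]


if __name__ == "__main__":
    # 802.11i published test vector: passphrase "password", SSID "IEEE"
    print(derive_psk("password", "IEEE"))
    print(psk_from_input(random_passphrase(), "HomeNet"))
```

Because the SSID is the salt, the same passphrase yields a different PSK on every network name, so a precomputed table for one SSID does not transfer to another; the slide's advice to replace the default SSID therefore also strengthens WPA-PSK, while the passphrase itself remains the part the user must choose well.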
Home Wireless Networks WPA-PSK
• Windows client configuration
• Requires support in the wireless network adapter driver
WB Resources
• At WB intranet, type http://GRAS
– Help:
– Guides and Installation Instructions
– Technical Documentation:
– Broadband Connectivity
GRAS Walk-in Locations
– I building: 2—300
– H building: H5-268
– MC building: MC1-401
Additional Resources
• IEEE 802.11
– http://grouper.ieee.org/groups/802/11/index.html
• “Security of the WEP Algorithm”
– http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
• WPA information
– www.wifialliance.org/opensection/protected_access.asp
• 802.11 Security
– www.wirelessdevnet.com/articles/80211security
Questions?