Access Control and Site Security (Part 2)

(January 28, 2015)

© Abdou Illia – Spring 2015

2

Learning Objectives

Discuss Site Security Discuss Wireless LAN Security

Site Security

4

Building Security Basics

Single point of (normal) entry to building

Fire doors and alarms

Security centers Monitors for closed-circuit TV (CCTV) Videotapes that must be retained (Don’t reuse too much

or the quality will be bad)

Interior doors to control access between parts of the building

Prevent piggybacking, i.e. holding the door open so that someone can enter without identification defeats this protection

5

Building Security Basics

Phone stickers with security center phone number

Prevent dumpster diving by keeping dumpsters in locked, lighted area

Training security personnel

Training all employees

Enforcing policies: You get what you enforce

6

Reading Questions

Answer Reading Questions 1 posted to the course web site (in Notes’ section)

802.11 Wireless LAN Security

8

Basic Terminology

Accidental Association Wireless device latching onto a neighboring Access Point when turned on.

User may not even notice the association

Malicious association Intentionally setting a wireless device to connect to a network

Installing rogue wireless devices to collecting corporate info

War driving Driving around looking for weak unprotected WLAN

9

802.11b 802.11a 802.11g

2.4 GHz 5 GHz 2.4 GHzUnlicensed Band

≤11 Mbps ≤ 54 Mbps ≤ 54 MbpsRated Speed

IEEE 802.11 WLAN standards

802.11n*

2.4 GHz or 5 GHz

≤ 300 Mbps

* Under development

0 Hz

FrequencySpectrum

Infinity

AM Radio service band: 535 kHz-1705 kHz

FM Radio service band: 88 MHz-108 MHz

802.11b WLAN: 2.4 GHz-2.4835 GHz

3 12 13# of channels 14

802.11g uses Orthogonal Frequency Division Multiplexing (OFDM) modulation scheme to achieve higher speed than 802.11b

AM radio channels have a 10KHz bandwidth FM radio channels: 200KHz bandwidth

35m/100m 25m/75m 25m/75mRange (Indoor/Outdoor) 50m/125m

Service band 2.4 - 2.4835 GHz divided into 13 channels

Each channel is 22 MHz wide Channels spaced 5 MHz apart Channel 1 centered on 2412 MHz.

Channel 13 centered on 2472 MHz Transmissions spread across multiple

channels 802.11b and 802.11g devices use

only Channel 1, 6, 11 to avoid transmission overlap.

10

802.11 Wireless LAN (WLAN) Security

Basic Operation: Main wired network for servers (usually 802.3

Ethernet) Wireless stations with wireless NICs Access points for spreading service across

the site Access points are internetworking devices

that link 802.11 LANs to 802.3 Ethernet LANs

11

802.11 FrameContaining Packet

802.11 Wireless LAN operation

802.11 refers to the IEEE Wireless LAN standards

NotebookWith PC CardWireless NIC

EthernetSwitch

AccessPoint

Server

802.3 FrameContaining Packet

(2)

(3)

Client PC

(1)

12

802.11 Wireless LAN operation

NotebookWith PC CardWireless NIC

EthernetSwitch

AccessPoint

Server

802.11 FrameContaining Packet

802.3 FrameContaining Packet

(2)

(1)

Client PC

(3)

1. If the AP is 802.11n-compliant, it could communicate with the notebook even if the notebook has a 802.11a NIC. T F

2. The Wireless AP needs to have a 802.3 interface T F

3. The switch needs to have at least one wireless port. T F

4. How many layers should the Wireless AP have to perform its job?

13

Summary Question (1)

Which of the following is among Wireless Access Points’ functions?

a) Convert electric signal into radio wave

b) Convert radio wave into electric signal

c) Forward messages from wireless stations to devices in a wired LAN

d) Forward messages from one wireless station to another

e) All of the above

f) Only c and d

14

MAC Filtering

The Access Point could be configured to only allow mobile devices with specific MAC addresses

Today, attack programs exist that could sniff MAC addresses, and then spoof them

AccessPoint

MAC Access Control List

O9-2X-98-Y6-12-TR

10-U1-7Y-2J-6R-11

U1-E2-13-6D-G1-90

01-23-11-23-H1-80

……………………..

15

IP Address Filtering

The Access Point could be configured to only allow mobile devices with specific IP addresses

Attacker could Get IP address by guessing based on companies

range of IP addresses Sniff IP addresses

AccessPoint

IP Address Access Control List

139.67.180.1/24-139.67.180.30/24

139.67.180.75

139.67.180.80

139.67.180.110

……………………..

16

SSID: Apparent 802.11 Security Service Set Identifier (SSID)

It’s a “Network name” of up to 32 characters Access Points come with default SSID. Example:

“tsunami” for Cisco or “linksys” for Linksys All Access Points in a WLAN have same SSID Mobile devices must know the SSID to “talk” to the

access points SSID frequently broadcasted by the access point for

ease of discovery. SSID in frame headers are transmitted in clear text SSID broadcasting could be disabled but it’s a weak

security measure Sniffer programs (e.g. Kismet) can find SSIDs easily

17

Wired Equivalent Privacy (WEP) Standard originally intended to make wireless networks

as secure as wired networks

With WEP, mobile devices need a key used with an Initialization Vector to create a traffic key Typical WEP key length: 40-bit, 128-bit, 256-bit

WEP key is shared by mobile devices and Access Points

Problems: shared keys create a security hole

WEP is not turned-on by default

1. Wireless station sends authentication request to AP2. AP sends back a 128 bits challenge text in plaintext3. Wireless station encrypts challenge text with its WEP key and sends result to AP4. AP regenerate the WEP from received result, then compare WEP to its own WEP5. AP sends a success or failure message

WEP authentication process

aircrack-ngweplabWEPCrack airsnort

Open Source WEP Cracking software

18

802.11i and Temporal Key Integrity Protocol (TKIP)

In 2004, the IEEE 802.11 working group developed a security standard called 802.11i to be implement in 802.11 networks.

802.11i tightens security through the use of the Temporal Key Integrity Protocol (TKIP)

TKIP can be added to existing AP and NICs

TKIP uses a 128-bit key (that changes) to encrypt the WEP.

19

Using Authentication server orWi-Fi Protected Access (WPA)

AccessPoint

1.Authentication

Request

2.Pass on Request to

RADIUS Server

3.Get User Lee’s Data(Optional; RADIUSServer May Store

Authentication Data)

4. AcceptApplicant Key=XYZ 5. OK

UseKey XYZ

DirectoryServer orKerberos

Server

RADIUS Server / WAP Gateway

RADIUS is an AAA (Authentication, Authorization, Accounting) protocol Once user authenticated, AP assigns user individual key, avoiding shared key.

WPA is an early version of the 802.11i and 802.11x security standards

Applicant(Lee)

20

Protocols used in WPA

Authentication and data integrity in 802.11i and 802.11x rely on the Extensible Authentication Protocol (EAP) which has different options: Wireless Transport Layer Security (WTLS) protocol

Server and mobile devices must have digital certificates Requires that Public Key Infrastructure (PKI) be installed to

manage digital certificates Tunneled WTLS

Digital certificates are installed on the server only Once server is securely authenticated to the client via its

Certificate Authority, a secured tunnel is created. Server authenticates the client through the tunnel. Client could use passwords as mean of authentication

21

Soft Access Point*

NotebookWith PC CardWireless NIC

EthernetSwitch

AccessPoint

Server

802.3 FrameContaining Packet

(2)

(3)

Client PC

(1)

* Also called Rogue Access Point

SoftAP

Usually, a soft AP is a laptop loaded with cracking software Soft AP allow the hacker to get passwords, MAC address, etc.

22

Wireless Intrusion Detection Systems

Monitor the radio spectrum for the presence of unauthorized access points

Conventionally, operate by checking the MAC addresses of the participating access points

Use fingerprinting approach to weed out devices with spoofed MAC addresses

Compare unique signatures exhibited by the signals emitted by each wireless access point against the known signatures of legitimate access points

23

How Cracking Wireless Networks works?

Visit Youtube.com Search for the following video

Video name: Cracking Wireless Networks Posted by: spektral311 Date: 9/8/2006

Copy of video in Review section of website

24

Summary Questions

What is meant by accidental association? Malicious association?

What are the functions of a wireless access point?

What is a SSID? How many SSIDs are needed in a WLAN with 3 wireless access points and 13 mobile stations?

How good security measure is disabling the broadcasting of a WLAN’s SSID?

What is WEP? How secure is a WEP-protected WLAN compared to a WPA WLAN using the 802.11i standard?

What does using TKIP add to a WEP-protected WLAN?

Explain the operation of a WPA WLAN using a RADIUS

What is rogue AP? How can you detect a rogue AP?