Date posted: 27-Dec-2015
Uploaded by: evan-thornton
Lock up your Wireless LANs
There are Hackers in Town
Tuesday 26th February 2002, 1:30 to 2:15 PM
Ross Chiswell, CEO
Integrity Data Systems Pty. Ltd.
Ross Chiswell
Ross Chiswell, Chief Executive Officer of Integrity Data Systems, is a veteran of the wireless networking industry. Involved in IT for almost two decades and specifically in wireless networking since 1993, Ross has developed an in-depth knowledge of wireless technologies and is recognised as Australia’s expert in the field.
Ross has a key focus to source new technology from around the world and establish strategic partnerships with world-class suppliers.
Wireless LAN Security Issues
• Cracking the encryption key
  – decrypting and reading the wireless LAN packets
• Unauthorised access...
  – to wireless LAN as a resource when not a registered user
  – to the main network via the wireless LAN
• Authorised user, but...
  – unauthorised snooping or sniffing of other traffic
  – eavesdropping in public space wireless LANs on other users' traffic
• Phantom Access Points gathering data from genuine users
• Unknown wireless LANs inside corporation
Wireless LAN Security Stories
New wireless LAN vulnerabilities uncovered
Monday 13 August, 2001 14:53 GMT+10:00, by Staff writer
A second, more dangerous method of defeating wireless LAN encryption has been revealed by security experts. Researchers from Rice University and AT&T Labs in Florham Park, New Jersey, have….
Wireless LANs dealt new blow: Security goes from bad to worse
Dennis Fisher & Carmen Nobel, eWEEK, August 10, 2001 5:57 PM ET
A new attack that can compromise the encryption cipher used on wireless…...
Lock up your wireless LAN
By George Lawton, August 23, 2001
The driver of the unmarked van outside your office may not be on a long lunch break….
Wireless LAN Security - Background
• Wired Equivalent Privacy (WEP)
  – Designed by the IEEE to prevent eavesdroppers and unauthorised connections to the wireless network.
  – Provide privacy similar to a wired LAN, not as an encryption solution
  – WEP 64 bit RC4 encryption algorithm - 5 digit key
  – WEP 128 bit RC4 encryption algorithm - 13 digit key
This cable acts as an antenna and may carry raw (un-encrypted) signals.
Wireless LAN Analysis - tools
• AiroPeek from WildPackets
• Grasshopper from BV Systems
• Mobile Manager from Wavelink
• Sniffer Wireless from Network Associates
• NetStumbler
• AirSnort via the SourceForge
  – AirSnort has been designed to break WEP encryption keys.
  – It operates by passively monitoring transmissions, and when enough “interesting” packets have been gathered, usually over a 24 hour period, it can then calculate the WEP key.
  – Once the WEP key has been obtained, then WEP encrypted packets on the wireless LAN can be opened and read, just like on a wired LAN.
WEP - How is it broken
• Weak key attack
  – Attacks the key scheduling section of the algorithm
• Described in a paper
  – “Weaknesses in the Key Scheduling Algorithm of RC4”
    • written by Scott Fluhrer, Itsik Mantin and Adi Shamir
  – Also called the “FMS” attack
• Hacker using tools like AirSnort captures packets
  – AirSnort looks for the pattern brought about by the key scheduling, tagging interesting packets. Once it has enough “interesting” packets it can then calculate the key...
WEP - Future
• New standards
  – IEEE 802.11i, new wireless security standard
    • will possibly use WEP2 encryption protocol, expected to be completed 2002
    • moving towards Advanced Encryption Standard (AES)
  – IEEE 802.1x, new authentication management system protocol
    • 802.1x does not protect the data, it ONLY controls access
• Development work by key wireless chipset manufacturers
  – Agere Systems, Intersil and Cisco
    • Together working on XWEP
  – Agere Systems
    • WEPplus uses random key generation
Wireless Security - What about right now
• Ensure basic security features are turned on
  – Do not use default settings
• Use Secure Access Points
  – Additional non WEP based encryption
  – Per user per session key exchange
  – Radius AAA authentication
• Implement Virtual Private Networks (VPNs)
  – End to end security, include authentication and additional non WEP based encryption
  – Access Point should have VPN support or IPSec pass through as a minimum
  – Access Points with built in firewalls
• Use Gateway devices to protect main network
Wireless Security - What about right now
• Talk with your wireless LAN vendor
  – what is their current and future security strategy
  – make your own assessment as to their products' risk, do not believe the “marketing” information at face value
• New WEP firmware
  – Old WEP firmware
    • AirSnort - 30,000,000 packets gathered - 6,000 “interesting” packets found
    • WEP Key broken in 24 hours
  – New WEP firmware
    • WEPplus from Agere Systems ORiNOCO first to market Nov 01
    • AirSnort - 41,000,000 packets gathered - Zero “interesting” packets found
    • If one interesting packet had been found, it could take years to break key
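The firmware comparison above, and the “interesting” packets of the FMS slide, can be checked from the defender's side by counting how many IVs a device emits in the classic FMS weak form (B+3, 0xFF, X). This is an added example, not code from the slides, AirSnort or any vendor; both IV generators are hypothetical, the filtered one is an assumed mitigation rather than Agere's WEPplus algorithm, and the classic form is only one class of weak IV.

```python
"""Count classic FMS-weak IVs in a stream of WEP IVs (all input is constructed)."""

def is_fms_weak_iv(iv: bytes, secret_len: int) -> bool:
    """Classic FMS pattern (B+3, 0xFF, X); B is the index of a secret-key byte."""
    if len(iv) != 3:
        raise ValueError("a WEP IV is exactly 3 bytes")
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + secret_len

def counter_ivs(start: int, count: int):
    """Hypothetical firmware that uses a plain 24-bit counter as the IV."""
    for n in range(start, start + count):
        yield (n & 0xFFFFFF).to_bytes(3, "big")

def filtered_ivs(start: int, count: int, secret_len: int):
    """Hypothetical firmware that skips any IV matching the weak pattern."""
    n, emitted = start, 0
    while emitted < count:
        iv = (n & 0xFFFFFF).to_bytes(3, "big")
        n += 1
        if not is_fms_weak_iv(iv, secret_len):
            emitted += 1
            yield iv

def audit(ivs, secret_len: int) -> dict:
    """Return totals plus a per-key-byte breakdown of the weak IVs seen."""
    total = weak = 0
    per_byte = [0] * secret_len
    for iv in ivs:
        total += 1
        if is_fms_weak_iv(iv, secret_len):
            weak += 1
            per_byte[iv[0] - 3] += 1
    return {"total": total, "weak": weak, "per_key_byte": per_byte}

# "64 bit" WEP is a 24-bit IV followed by a 40-bit (5-byte) secret.
SECRET_LEN = 5
# Constructed window of the IV space, covering first bytes 0x03 to 0x08.
START, COUNT = 0x030000, 0x060000

def run_audit():
    """Audit both hypothetical firmwares over the same number of IVs."""
    old = audit(counter_ivs(START, COUNT), SECRET_LEN)
    new = audit(filtered_ivs(START, COUNT, SECRET_LEN), SECRET_LEN)
    return old, new

if __name__ == "__main__":
    for name, result in zip(("counter IVs", "filtered IVs"), run_audit()):
        print(name, result)
```

In practice the IVs would come from the first three bytes of the WEP header of frames captured from your own access point; a non-zero weak count means the device still hands out IVs of this form.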
Wireless Security - Basics
• Change wireless network name from default
  – any, 101, tsunami
• Turn on closed group feature, if available in AP
  – Turns off beacons, so you must know name of the wireless network
• MAC access control table in AP
  – Use Media Access Control address of wireless LAN cards to control access
• Use Radius support if available in AP
  – Define user profiles based on user name and password
[Figure labels: MAC address; MAC Table; “You're on the list, I will connect”; User Name, Password; Profile Table; “I will check”; Radius]
Wireless Security Solution #1 - Encryption and Authentication
• High Encryption Access Points
  – Non WEP based encryption
  – Key exchange on a per session per user basis
  – No common or shared key in both directions
  – Radius authentication (Steel Belted Radius)
[Figure labels: Key 1; Key 2; Key 3]
User to user privacy
Wireless Security Solution #2 - Wireless & VPN
• VPN Back-end, Wireless Front-end
  – Standard Access Points using WEP based encryption
  – Radius or IEEE 802.1x authentication
  – Requires VPN Servers in back office
[Figure labels: VPN remote client software; VPN pass thru; VPN Server]
Danger to user to user privacy and corporate infrastructure
Wireless Security Solution #3 - VPN Access Points
• VPN capable Access Points
  – Non WEP based encryption
  – Radius authentication
  – VPN implemented over wireless LAN
  – VPN server in Access Point (does not need backend VPN server)
  – Firewall implemented in Access Point
[Figure labels: VPN remote client software; VPN pass thru; Access Point has VPN server and firewall; Support: L2TP, PPTP, IPSec]
User to user privacy
Wireless Security Solution #4 - Wireless Gateway
• Wireless gateway
  – Allows user profiles for access and quality of service
  – Supports centralised user Authentication
    • Radius, LDAP, NT4 Domain, Windows 2000 Active Directory
  – Support for VPN, Digital Certificates, Tokens and Smartcards
  – Allows role based access to services in mixed user environments
[Figure labels: Supports: L2TP, PPTP, IPSec]
Wireless Security Summary
• Understand the issues and assess the risk
  – right product for the right situation
• Different vendors' products will have different capabilities
  – IEEE 802.11 / WiFi compliance, and price are not the only issues
  – understand the difference, research and question vendors
  – basic inexpensive products may only offer connectivity
• Select the right wireless technology partner
  – trained and accredited resellers that understand wireless issues
  – wireless product not just a “me too” option for vendor
Wireless LAN - Which Product Where
[Figure labels: At Home or SOHO (Cable, DSL, ISDN modem or POTS); IP Networks; Network Operations Centre (RADIUS server; network management, TFTP server); In Public Spaces or High Security (leased line, DSL, wireless, etc); In Office Environments (leased line, DSL, wireless, etc); Servers; VPN and Firewall in AP; VPN & Firewall box; VPN Gateway]
Integrity Data Systems
Specialist distributor of wireless networking technology
www.integritydata.com.au
1300 131 000
“We don’t just stock it, we know how it works”