Research & Development TNC06 – May, 2006
Detecting Misuses of Wireless Networks
Pierre Ansel – Laurent Butti
France Telecom Division R&D
firstname dot lastname at francetelecom dot com
Terena Networking Conference
15-18 May 2006, Catania, Italy

Agenda
- A few reminders on Wi-Fi technologies
- Overview of possible attacks
- Wi-Fi corporate access architectures
- Open issues
- Wi-Fi intrusion detection technology
- Feedback and recommendations

Introduction
- IEEE 802.11-1999 suffered from critical security issues
  - Security mechanisms were unable to satisfy
    - Authentication
    - Data confidentiality and integrity
- 802.11's conceptual weaknesses
  - WEP is impractical in corporate environments (shared secret)
  - Most weaknesses are implemented in publicly available tools
    - WEP cracking
    - Traffic injection
    - …

Introduction
- Wireless technologies are critical from a security perspective
  - Particularly in corporate environments
- Any wireless deployment may have serious security impacts
  - Radio propagation is hardly predictable
  - And anonymously reachable…
- Mastering Wi-Fi deployments in corporate environments is a big challenge!
  - Wi-Fi corporate access and intrusion detection deployment

Normative Enhancements
- IEEE 802.11i, Medium Access Control (MAC) Security Enhancements, was ratified in June 2004
- Provides enhanced security mechanisms
  - Medium access control enforcement
    - Port-Based Network Access Control (IEEE 802.1X)
  - Flexible authentication framework
    - Extensible Authentication Protocol (EAP)
  - Newly designed crypto-protocols
    - Temporal Key Integrity Protocol (TKIP) based on RC4
    - Counter Mode with CBC-MAC Protocol (CCMP) based on AES
  - Key derivation and distribution
    - 4-Way Handshake and Group Key Handshake

Wi-Fi Corporate Access: open mode + VPN
- Securing Wi-Fi employee access thanks to IPsec
  - Deployed at France Télécom Division R&D since early 2002
- Uses Wi-Fi "open" mode and protects data above layer 3
- WEP
  - is useless
  - does not improve the overall security level
  - is a sysadmin nightmare (shared secret)
- IPsec protocol is considered robust
  - If authentication is robust (thanks to certificates)
  - If the selected and negotiated crypto-protocol is robust

Wi-Fi Corporate Access: WPA / WPA2
- Newly supported security mechanisms in the Wi-Fi Protected Access standard (WPA/WPA2) are available
  - Largely supported for 2 to 3 years … but not easy to deploy!
    - France Télécom Division R&D: WPA since late 2003, WPA2 since late 2005
- Must take into account
  - Robust authentication
  - Robust confidentiality and integrity (mandatory TKIP, recommended CCMP)
  - Robust network architecture (VLAN logical segmentation)

Open Issues
- Protecting your infrastructure is a requirement
  - Robust wireless access both for employees and visitors
- But it cannot solve every potential issue
  - Weakest links remain

Weakest Link n°1: Client
- WinXP's Preferred Networks List is updated whenever you connect to an "open" Wi-Fi network
- Then autoconfiguration will seek these Wi-Fi networks
  - Create a fake access point emulating a client's preferred network
  - The attacker will 0wn the client!
    - Information leaking, MitM, open shares, exploits…
- Wi-Fi/Ethernet double-attachment is also a critical issue

Weakest Link n°2: Infrastructure
- An "open" access point interconnected with a corporate wired network is a critical security breach
  - Anonymous layer 2 (and above) access to all corporate resources (depending on internal filtering policies)
  - Usually, access control is not performed within networks but at the edge (firewalls, proxies…)
- Misconfigured access points
  - Bad configurations and interconnections
- Everyone is potentially vulnerable
  - Even environments without Wi-Fi may be attacked
- How to detect and mitigate these security incidents?

Wi-Fi Intrusion Detection
- Wired supervision tools are helpless!
- Wi-Fi-specific threats:
  - A fake access point 0wning some employee laptops
  - A rogue access point interconnected with your wired networks
  - Malicious activities like WarDriving
  - Denial of service on the radio side
- Wi-Fi intrusion detection is necessary!

Wi-Fi Intrusion Detection
- Listening to the radio makes it possible to detect
  - Clients and access points that are "speaking"
  - Known attacks like
    - MAC spoofing
    - WarDriving
    - Traffic injection
    - …
- Wi-Fi intrusion detection goals
  - Detect, qualify (interconnected?) and geolocalize illegitimate access points or sources

Wi-Fi Intrusion Detection
- Will automatically audit Wi-Fi access points in range thanks to deployed sensors
  - Replaces periodic manual Wi-Fi audits
  - Proactive reaction when a critical security issue is detected
- Counter-measures (intrusion prevention) are also possible
  - Prevent clients from associating to rogue and fake access points
  - Deactivate switch ports where a rogue access point was localized
  - But must be used carefully
    - DoSing internal infrastructure and neighbours is not an option!

Internal Wi-Fi Intrusion Detection Tool: Features
- Internal development of a Wireless IDS from scratch
  - Goals: addressing most issues and improving our skills
- Main features
  - C language core detection engine running on WRT54G(S)
  - Flexible ruleset thanks to a basic language (~ 60 signatures)
  - Anomaly detection engine essentially for MAC spoofing detection
  - SYSLOG based alerting
  - On-the-fly aggregation and correlation thanks to SEC
  - Offline correlation to qualify access points thanks to Netdisco
  - SQL storage and PHP presentation

Internal Wi-Fi Intrusion Detection Tool: Architecture Overview
[Diagram: Wireless Sensors, Aggregation and Correlation, Events Database, Presentation and Administration, Site Administrator; links labelled SYSLOG, SQL, SSH/SCP, HTTPS]
- Architecture is divided into several technical parts
  - Wireless sensors: detecting and sending events
  - Central collector: event aggregation and correlation
  - Database: aggregated and correlated events storage
  - GUI: presentation and supervision/administration

Internal Wi-Fi Intrusion Detection Tool: Architecture Overview
[Diagram: APs and probes on the Internal Network, Aggregation and Correlation, Presentation and Administration; links labelled HTTPS, SYSLOG, SSH/SCP, SQL]

Internal Wi-Fi Intrusion Detection Tool: Feedback
- Development of a robust wireless IDS is not trivial
  - Amount of events (hundreds per second)
  - Building an efficient GUI for sysadmins is not trivial
- Difficulties in identifying all interfering access points
  - What about neighbours, hot spots?
- False positive rate is a classic issue for IDS technologies
  - Minimize this rate thanks to enhanced correlation
- Performance issues
  - Lightweight wireless probe may have packet losses
  - SQL table may become huge

Overall Requirements
- Enforce a restrictive security policy, especially in risky environments (meeting rooms, labs…)
  - Do not activate RJ45 plugs by default
  - Activate 'Port Security' and MAC filtering on switches
  - Consider using quarantine networks for guest access
  - Consider using IEEE 802.1X for your wired networks
- Maintain a list of Wi-Fi equipment
  - Network cards
  - Access points and configuration (MAC address, SSID…)
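
Added example (not from the original slides or the authors' tool): how the access point inventory above and a wired-side MAC table can be combined to "qualify" what the sensors hear, separating fake, rogue interconnected and neighbouring access points. The inventory, the observations, the label names and the BSSID-to-Ethernet-MAC proximity heuristic are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed inventory of authorized access points: BSSID -> (SSID, channel).
INVENTORY = {
    "00:11:22:aa:bb:01": ("CORP-WLAN", 1),
    "00:11:22:aa:bb:02": ("CORP-WLAN", 6),
}
CORPORATE_SSIDS = {ssid for ssid, _ in INVENTORY.values()}

@dataclass(frozen=True)
class Beacon:
    """One access point as heard by a wireless sensor."""
    bssid: str
    ssid: str
    channel: int

def mac_int(mac):
    return int(mac.replace(":", ""), 16)

def on_wire(bssid, wired_macs, slack=1):
    """Assumed heuristic: an AP's Ethernet MAC is often its BSSID +/- slack."""
    value = mac_int(bssid)
    return any(abs(value - mac_int(w)) <= slack for w in wired_macs)

def classify(beacon, wired_macs):
    known = INVENTORY.get(beacon.bssid.lower())
    if known is not None:
        # Inventoried BSSID: any drift in SSID or channel deserves a look
        # (misconfiguration, or someone else using that MAC address).
        return "authorized" if known == (beacon.ssid, beacon.channel) else "config-mismatch"
    if on_wire(beacon.bssid, wired_macs):
        return "rogue-interconnected"   # unknown AP plugged into the wired network
    if beacon.ssid in CORPORATE_SSIDS:
        return "fake"                   # unknown AP advertising a corporate SSID
    return "neighbour"

# Constructed observations; WIRED_MACS stands in for a switch MAC-table export.
WIRED_MACS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02", "00:0c:41:12:34:55"}
SEEN = [
    Beacon("00:11:22:aa:bb:01", "CORP-WLAN", 1),
    Beacon("00:11:22:aa:bb:02", "CORP-WLAN", 11),
    Beacon("00:0c:41:12:34:56", "linksys", 6),
    Beacon("02:de:ad:be:ef:00", "CORP-WLAN", 1),
    Beacon("00:1a:2b:3c:4d:5e", "CoffeeShop", 11),
]

def audit(beacons=SEEN, wired_macs=WIRED_MACS):
    return {b.bssid: classify(b, wired_macs) for b in beacons}
```

Only the "neighbour" class can be ignored safely, which is why an up-to-date inventory matters: without it every nearby hot spot looks like a rogue.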

Specific requirements for employee access
- Use robust authentication
  - Certificates whenever possible
    - IKE with certificates for IPsec tunneling
    - EAP-TLS for WPA/WPA2
    - Smart cards for robust private key storage
- Use robust crypto-protocols for data communications
  - 3DES/AES for IPsec tunneling
  - CCMP for WPA2 and TKIP for WPA
- Consider Wi-Fi access as external networks
  - Logical VLAN segmentation and network filtering enforcement

Specific requirements for client configuration
- If Wi-Fi is not a requirement, physically deactivate Wi-Fi (remove the mini-PCI card)
- Use a double-attachment prevention system
- Periodically clean WinXP's Preferred Networks List
- Use a well-configured firewall to enforce filtering, especially on Windows protocols

Specific Requirements: Wi-Fi Intrusion Detection
- Must be evaluated in terms of security
  - Results are somewhat variable
  - Evaluate packet losses at wireless sensors
  - Tune your ruleset for performance and effectiveness
  - Attacks aimed at Wi-Fi intrusion detection systems are becoming available
    - Log filling
- Select solutions that
  - Have minimal impacts on your architecture
  - Have geolocalization capabilities
  - Use intrusion prevention techniques
- Deploy enough wireless sensors at the edge of your physical perimeter
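
Added example (not the authors' SEC ruleset): a sketch of on-the-fly alert aggregation that addresses both the event volume noted in the feedback slide and the log-filling risk listed above, by collapsing repeated alerts per signature and source and by bounding the state an alert flood can create. The alert line format, the signature names and the sample input are constructed assumptions.

```python
import re

# Assumed alert line format (the slides do not show the sensors' syslog format).
LINE = re.compile(r"ts=(\d+) sensor=(\S+) sig=(\S+) src=(\S+)")

class Aggregator:
    """Collapse repeated alerts per (signature, source) within a time window."""

    def __init__(self, window=60, max_keys=1000):
        self.window, self.max_keys = window, max_keys
        self.open = {}     # (sig, src) -> record still accumulating
        self.closed = []   # records ready to be written to the events database

    def feed(self, line):
        m = LINE.search(line)
        if not m:
            return
        ts, sensor, sig, src = int(m[1]), m[2], m[3], m[4]
        # Close records whose window has elapsed.
        for key in [k for k, r in self.open.items() if ts - r["first"] >= self.window]:
            self.closed.append(self.open.pop(key))
        key = (sig, src)
        if key not in self.open and len(self.open) >= self.max_keys:
            key = (sig, "*")   # too many sources: fold into one bucket per signature
        rec = self.open.setdefault(
            key, {"sig": sig, "src": key[1], "first": ts, "count": 0, "sensors": set()})
        rec["count"] += 1
        rec["sensors"].add(sensor)

    def flush(self):
        self.closed.extend(self.open.values())
        self.open = {}
        return self.closed

def sample_lines():
    """Constructed input: one noisy source, many distinct sources, one late alert."""
    for i in range(300):
        yield f"ts={1000 + i // 100} sensor=s{i % 2 + 1} sig=DEAUTH_FLOOD src=00:0c:41:12:34:56"
    for i in range(500):
        yield f"ts=1003 sensor=s1 sig=PROBE_FLOOD src=02:00:00:00:{i >> 8:02x}:{i & 255:02x}"
    yield "ts=1100 sensor=s2 sig=DEAUTH_FLOOD src=00:0c:41:12:34:56"

def aggregate(lines, window=60, max_keys=50):
    agg = Aggregator(window, max_keys)
    for line in lines:
        agg.feed(line)
    return agg.flush()
```

On the constructed input, 801 alert lines become 52 database rows, and no alert is dropped: the counts still sum to 801.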

Conclusions
- Radio technologies have serious impacts on security
  - Do not consider them as negligible
- Mastering wireless deployments is a global approach
  - Restrictive network security policy
  - Laptop configuration hardening
  - Robust Wi-Fi employee access deployment
  - Wi-Fi intrusion detection system deployment

(Some) References
- KARMA – Dino A. Dai Zovi and Shane Macaulay, http://www.theta44.org/karma/index.html
- Design, Implementation and Deployment of a Wireless IDS – Laurent Butti and Franck Veysset, ShmooCon 2005
Questions …

Introduction
- Wi-Fi is defined by the Wi-Fi Alliance
  - Standards specified in the IEEE 802.11 Working Group
    - Group 802: IEEE Standard for Local and Metropolitan Area Network
    - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications
- Widely available technology
  - Enterprise
  - Residential (wireless boxes)
  - Hot spots

Are You Confident in Radio Propagation?
- Wi-Fi range is usually about a few dozen meters, but…

Summary
- Wi-Fi corporate access thanks to IPsec and WPA/WPA2
  - Robust authentication thanks to certificates and smart cards
  - Robust confidentiality and integrity mandatory
- Wi-Fi visitor access thanks to a captive portal technique
  - Robust authentication thanks to a dynamically created token
- Double-attachment prevention
  - Internal tool
- Rogue access point and wireless attacks detection
  - Design, implementation and deployment of a fully-featured wireless intrusion detection system