46
Wireless Security & Controls: Issues, Treats, Solutions & Trends Prepared by: Greg Gabet, IBMGS Security & Internet Architect
| Date post: | 12-Nov-2014 |
| Category: |
Documents |
| Upload: | johnsondon |
| View: | 1,355 times |
| Download: | 0 times |
Wireless Security & Controls:Issues, Treats, Solutions & Trends
Prepared by:
Greg Gabet, IBMGSSecurity & Internet Architect
Abstract
• Wireless technology has hit critical mass before the security & controls have matured. Organizations are architecting wireless solutions for current business requirements & homes are integrating wireless environments that are often used as a platform for their business laptops to connect to the workplace.
• This presentation will exam the architecture, security, & control challenges for SOHO, as well as enterprises. Emerging standards, providers, & best practices for securing & controlling wireless will be discussed. This presentation is for the intermediate to advanced practitioner.
Agenda :
• Motivation for Wireless in the Enterprise
• Wireless Topologies,Characteristics, & Standards
• Wireless Challenges, Opportunities, & Architecture issues
• Specific Threats & New Authentication Mechanisms
• Wireless Management Issues
• Possible Architectures
• Trends
• Summary
$0
$1000
$2000
$3000
$4000
$5000
1998 1999 2000 2001 2002 2003 2004 2005
Source: Cahners In-Stat Group, 2001
+50%
+70%
Millions
Enterprise WLAN Revenues
% Laptops DeployedWith build-in wireless-------------------------------
2002 – 20% 2003 – 60%2004 – 90%
Consumer purchases Are 48% of sales &
Enterprises are about 43%. Operators/ISPs
Make up remainder. In 2003, 11% was
802.11G.
+30%
Wireless Topologies & Demographics
WAN(Wide Area Network)
2.5G - 3G Phone
MAN(Metropolitan Area Network)
802.11, 802.16, MMDS, LMDS
LAN(Local Area Network)802.11 & HyperLan2
PAN(Personal Area Network)
Bluetooth
General Characteristics of Wireless Technologies
PANPAN LAN/WLANLAN/WLAN MANMAN WANWAN
SStdstds BluetoothBluetooth802.11A,B,G802.11A,B,GHiperLAN2HiperLAN2(Europe)(Europe)
802.11/802.16802.11/802.16MMDS, LMDSMMDS, LMDS
GSM, GPRS,GSM, GPRS,CDMA2000, 2.5-CDMA2000, 2.5-
3G3G
SSpeedpeed < 1Mbps< 1Mbps11 & 54 Mbps (now)11 & 54 Mbps (now)
22 & 100Mbps (plans)22 & 100Mbps (plans) 11 to 100+ 11 to 100+ MbpsMbps 10 to 384Kbps10 to 384Kbps
RRangeange ShortShortMediumMedium
(1000ft w/o A.)(1000ft w/o A.)Medium-LongMedium-LongFixed Last MiFixed Last Mi
LongLong
AAppsppsPeer-to-PeerPeer-to-Peer
Device-to-Device-to-DeviceDevice
Home,Home,SOHO,SOHO,
Enterprise NetworksEnterprise Networks
T1 T1 Replacement, Replacement,
Last Mile Last Mile AccessAccess
PDA’s, PDA’s, Mobile Phones, Mobile Phones, Cellular AccessCellular Access
IEEE 802.11 Standards Activities
Standards D e s c r i p t i o n802.11a 5GHz, 54Mbps Max
802.11b 2.4GHz, 11Mbps Max Note: 22Mbps is proprietary
802.11d Multiple Regulatory Domains
802.11e Quality of Service (QoS)
802.11f Inter-Access Point Protocol (IAPP)
802.11g 2.4GHz, 54Mbps Max
802.11h Dynamic Frequency Selection (DFS) & Transmit Power Control (TPC)
802.11i Security
802.11- Both Freq. Bands will be Successful
5GHz - 802.11a 2.4GHz - 802.11b & g54Mbps8 channels for indoor use (allows “honeycomb” network deployment. 12 channels total USHigher expected throughput than 802.11gGlobal Acceptance 5 GHz band has less interferenceUS Government Likes for security reasons (limited distance)
11Mbps 36Mbps 54Mbps
3 channels
Worldwide
802.11g is forward-and-backward compatible with 802.11b
Easy upgrade path to 802.11g
802.11b has advantages on cost, size, & power consumption, so will continue to be popular, especially with PDA’s, phones
Security Challenges & Opportunities
Increased Connection & Management Complexity: Connections:
Difficult to assure C.I.A. of data over multiple 3rd party wireless data networks. Enabling different makes & models of mobile devices (PDAs, Cell Phones, Laptops) work
securely with new interfaces to e-business applications, especially when the security capabilities are severely restricted (VPN,PKI,Certs, ECC, CPU).
Mgmt & Integration of New Devices, OS’s, Protocols & Applications Into Security Architecture: Variety of vendors & AP/Node management options (IBM, CA, CISCO, & Immaturity of wireless devices, operating systems, applications & network technologies
(firmware upgrades are frequent, especially for 802.11A & G, LEAP/PEAP) Increased size of the user base increases the threat of hacker & malicious code attacks. New Policies, Procedures, Practices, Personnel, Mechanisms, Services & Objects!
Password Vulnerability: The initial psw on wireless devices tend to be deactivated by the manufacturer or user, thus
allowing unauthorized access to AP/connected devices.
Unauthorized configuration of Device: Wireless devices may have remote configuration facilities, undocumented APIs or software bugs
which could be exploited.
Denial-of-Service Attacks: Jamming or continuous transmissions of large amts of data to the wireless device will use network
bandwidth; thus leading to performance degradation or non-availability.
Loss-of-Data: Storage capabilities of mobile devices are increasing. If a device malfunctions, is lost, or data is
accidentally deleted, with no recent data backup of lack of restoration capability, the data will be lost forever.
Where & How Does Wireless Affect Corp Architecture?
Security Architecture Layers & Requirements
Objects & Information: AP, Wireless Cards, Wireless Mgmt Stations, RADIUS/LDAP servers
Security Services Organization/Personnel responsible for:
Maintenance of AP & Wireless Card firmware upgrades Authentication, Authorization, & Access Control to Wireless subnets/servers Audits, Reviews, Compliance Checks for wireless components & critical settings Network Architecture of Wireless AP Placement, redundancy, & bandwidth Encryption & Integrity of wireless transmissions
Security Mechanisms Tools
Sniffers, IDS, Vulnerability Assessment hardware & software Encryption Keys VLANs Firewalls, RADIUS, LDAP, SNMP, etc
Information Security Policies Wireless Usage Policy (External & Internal) VPN Usage Policy Wireless Placement
Critical Security & Privacy Issues for Wireless LAN
According to IDC’s Mobile Council Advisory Survey, the most significant wireless security concerns are:
Management of devices’ security
Corruption of data sent to wireless devices
Malicious code & Malware (Viruses,Trojans, Worms)
Unauthorized users
Confidentiality of data sent wirelessly
Security of data stored on a handheld device
Why Wireless LAN’s Create Problems
• CIA can be lost for information as it passes over wireless data networks
• Operators often turn off encryption & anonymous AP resets will set AP back to defaults. Note: Not all vendors provide a physically accessible reset button
• War driving can collect valuable info that often shared with the Internet
• Rogue access points can collect valuable info used to later break systems
• Data Interception on backbone networks can result in information disclosure
• RF signal jamming can lead to unavailability of mobile devices & network
• One way authentication: Most wireless clients are authenticated to the network, not vice versa (one sided authentication only). This enables "man-in-the-middle" attacks to eavesdrop on transmissions
• Paths of communication may pass multiple uncontrolled networks (Exec’s LAN)
• Lack of Security Awareness of Users – Actually your biggest bang for buck.
• Weak wireless crypto algorithms allow RF scanning & decryption of WEP keys
• Physical security issues (Access points and cards are easy to steal!)
• Lack of Policies, Procedures, Compliance & Audit Understanding
• Lack of granularity in access – Often, an all or nothing approach to access
• Minimum mainstream network infrastructure support (Probes, Agents, IDS, Radius with LEAP/PEAP/EAP support).
Threats – Unauthorized Access Points
• Plug-in Unauthorized Clients: An attacker tries to connect his wireless client, typically a laptop to an access point without authorization, intentional or unintentional. This is often used for those requiring ‘free’ internet access
• Plug-in Unauthorized Renegade Access Point: Companies are aware that internal employees have deployed wireless capabilities on their network. An internal employee wanting to add their own wireless capabilities to the network plugs in their own access point into the wired intranet – thus creating a risk if the access point has not been properly secured. This could lead unauthorized clients then gaining access to unauthorized access points, allowing intruders into the internal network.
Unsecured Rogue AP
Secure Valid AP
Internal Client
Hacker
LAN
Internal Client
Threats – War Driving Map Created & On Internet
War Driving: a process, named after the term War Dialing process used by hackers to locate compromisable dialup modems. Requires inexpensive equipment, typically a laptop or a PDA, Wireless card, GPS & an external “antenna”
As people are "War Driving", locating the APs & recording the GPS coordinates of the AP location, these AP maps are being shared to any attacker on the Internet.
If a company has their AP location & information shared on the Internet, their AP becomes a potential target & increases their risk.
Threats: Man-in-the-Middle
• Access Point Clone intercepting traffic: An attacker can trick legitimate wireless clients to connect to the attacker's honey pot network by placing an unauthorized base station with a stronger signal within close proximity of the wireless clients that mimic a legitimate base station. This may cause unaware users to attempt to log into the attacker's man in the middle servers. With false login prompts, the user unknowingly can give away sensitive data like passwords.
Rogue AP, not connected to internal LAN
Rogue DHCP Server Internal Client
Valid Access Point
Hacker LAN
Threats: Client Attack
• Client Dissociations : Forced client re-association / disassociation attacks. This will effectively causes a denial of of service on the client under attacks. A second form of this attack is to take over an established connection
Rogue AP internal to the
client
Rogue Attack Client
Internal Client
Valid Access Point
Hacker LAN
Threats: Security Controls
Misconfiguration issues: Many access stations analyzed have been configured in a minimal & default secure mode. Unless the administrator of the base station understands the security risks, most of the base stations will remain at a high risk level. Server Set ID (SSID) Attackers can use default SSIDs to attempt to penetrate base stations that are still in their default configuration.
Reset Issues: Included in this are reset access points. Often when an access point hangs or crashed, someone may push the reset button on the access point. This clears any WEP keys the access point may have had.
Physical Security Issues: Often security guards are not trained to recognize physical wireless attacks, nor how to detect them.
Threats – WEP security
• WEP Encryption Issues: 802.11b standard uses encryption called WEP (Wired Equivalent Privacy). WEP has known weaknesses in how the encryption is implemented (IV). Note: WEP is better than no WEP; it at least stops casual sniffers.
• Available Tools:Today, there are readily available tools for most attackers to crack the WEP keys. Airsnort, Yellowjacket, Airfart & others tools take a lot of packets (several million) to get the WEP key, on most networks this takes longer than most people are willing to wait (1 or more days). If the network is very busy, the WEP key can be cracked & obtained within 30 minutes. Because of the WEP weakness, wireless sniffing & hijacking techniques can work despite the WEP encrypted turned on.
• Weak Default WEP Keys: Access points have been seen with manufacturer created WEP keys linked to the Hex encoding of the SSID of the access point. Some manufacturing companies use WEP keys which are the same as the SSID or easily guessable
Lack of integrated user admin
Need for separate user databases; no use of RADIUS
Potential to identify user only by device attribute like MAC address
Inherent weaknesses in RC4-based WEP keys
TKIP and AES
Limitations of 802.11 WEP Security
Shared, static WEP keysNo centralized key mgmt
Poor protection from variety of security attacks
No effective way to deal with lost or stolen adapterPossessor has network access
Re-keying of all WLAN client devices is required
No mutual authentication
802.1X
WPA
802.1X Authentication Types
LEAP (EAP Cisco Wireless)• User authentication via user ID & password
• Supports Windows, CE, Linux, Mac OS, and DOS
• Aggressive licensing program by Cisco to other vendors
EAP-TLS (EAP-Transport Layer Security)• User authentication via client certificates & server certificates
• Supported in XP, but other Windows versions by 2004
• Currently used by Microsoft
PEAP (Protected EAP)• User authentication via user ID and password or OTP
• Supported by Cisco Aironet client adapters and by Microsoft in various Windows versions
• Uses server-side TLS, which requires only server certificates
EAP-TTLS• User authentication via user ID & password or OTP
• Uses server-side TLS
Note: EAP is Extensible Authentication Protocol
802.1X-based: Mutual Authentication
RADIUS server authenticates client
Client authenticates RADIUS serverDerive
keyDerivekey
Mutual Authentication is required to prevent rogue clients from accessing your network, AND to prevent rogue AP’s from “stealing” data from your clients
Mutual Authentication is required to prevent rogue clients from accessing your network, AND to prevent rogue AP’s from “stealing” data from your clients
RADIUS ServerAccess Point
AP blocks all requests until authentication
completes
802.1X/LEAP Mutual Authentication
RADIUS server
Start
identity
AP blocks all requests until authentication completes
identity
RADIUS server authenticates client
Request identity
Client authenticates RADIUS server DerivekeyDerive
key
Mutual Authentication is required to prevent rogue clients from accessing your network, AND to prevent rogue AP’s from “stealing” data from your clients
Mutual Authentication is required to prevent rogue clients from accessing your network, AND to prevent rogue AP’s from “stealing” data from your clients
PEAP Authentication
Use server-side EAP-TLS to authenticate RADIUS server…
user-supplied token
userdatabase
…& builds SSL-encrypted tunnel
Use tunnel to authenticate user via token, One Time Password, or other data
PEAP sets up a secure, encrypted tunnel between client and RADIUS server
PEAP sets up a secure, encrypted tunnel between client and RADIUS server
RADIUS server
Firewall Enterprise
High Speed
Hotel/Airport/Home With VPN Client
Wireless
Secure Intranet Using VPN
Remote Access Security using VPN
Internet
VPN Client
802.11 Access Using VPNsPros Cons
• Familiar
• Used in most organizations
• Makes WLAN and remote access UIs consistent
• Trusted for authentication and privacy
• Supports central security management
• Ensures 3DES encryption from client to concentrator
• Compatible with Aironet and other WLAN products
• Cost: Requires VPN concentrators behind APs
• Performance: Encryption is done in software on client
• Roaming: Roaming between VPN concentrators forces application restarts
• QoS: All traffic is IPSec traffic; no QoS, multicast, or multiprotocol support)
• Clients: Not supported on phones, scanners, or other specialized devices
IEEE 802.11i Security for Enterprise Level Sec.
Mutual Authentication
Dynamic Session Key
Message Integrity Check (MIC)
Temporal Key Integrity Protocol (TKIP)
Initialization Vector Sequencing
Rapid Re-Keying
Per-packet Key Hashing
• Future
Stronger encryption schemes such as AES
WPA = “Wi-Fi Protected Access”
• WPA = 802.1X + TKIP
• WPA requires authentication & encryption
• 802.1X authentication choices include LEAP, PEAP, TLS
• WPA has Strong Industry Supporters
• Adds to 802.1X & TKIP
• Widespread adoption of WPA will add robust security & remove the “security issue” from the WLAN industry
• WPA will become accepted as the standard
• WPA compliance is needed for Wi-Fi certification of new products beginning in August 2003
Threats – 802.1x issues
• Rogue 802.1x Log errors issues : Clients authenticating with rogue access points & rogue Cisco ACS servers will show up in the rogue ACS server logs, showing user ID Failures. Hence the only unknown is the password, as the userID, SSID & MAC can all be determined.
• 802.1x session termination: Authenticated clients can be sent a session termination string by a rogue access point / client combination allowing the rogue client to continue an established session.
Valid AP
Rogue AP Rogue DHCP ServerRogue ACS Server
802.1x Internal wireless
ClientError Log
Authentication Log
Threats – Internal Issues (ie SNMP)
Weak Internal issues: Wireless base stations may have a SNMP (Simple Network Management Protocol) agent running with the default community string name of “public”, an internal rogue employee can often both read & write sensitive information & data on the base station. .
With the default of most base stations using the community word "public", potentially sensitive information can be obtained from the access point. This includes turning off WEP encryption.
Configuration Patches: Some access points can have their configurations downloaded from the internal LAN’s, due to security configurations issues,
Wireless/Mobile Security Critical Issues There is a lack of end-to-end model, non-convergent standards, & support for seamless roaming
Internet
Wireless Applications
Portals
Wireless messaging
Wireless lifestyle
facilitation
Wireless Networks
WPAN
WLAN
WWAN
Wireless Devices
Personal application
services
UsersIntranet
Corporate office
services
Wireless transactions
Internet services
Insecure RF interfaces
Weak user authentication
controls
Data transmitted over the air with weak authentication &
encryption controls
Internet weakness still apply but are made worse by the much
larger user baseNew network gateways, often with weak security
Massive user base demanding confidentiality &
privacy while roaming
Insecure pervasive devices
New & innovative applications & technologies introduce many new
vulnerabilities
Threats are often not the biggest issue……..
Security Management
Traveler
Basic Wireless Security Profiles
No WEP and Broadcast Mode
Public Access
Open Access
Dynamic Encryption Key Scalable Key Managem’t
Mutual 802.1x/EAP Authentication
TKIP/WPA
Enterprise
Enhanced Security
40-bit, 128-bit, 256-bitStatic Encryption Key
Telecommuter & SOHO
Basic Security
Public NetworkSecurity
Special Apps./ Business Traveler
VirtualPrivate
Network (VPN)
Wireless Management Requirements
• Standardization of Network management & configuration tools used to manage wireless networks (budget & training)
• Centralized management from a network operations center
• Configuration of Access Points (logistics)
• Configuration of Clients & upgrade procedures (logistics & personnel)
• Client Management, access revocation, dual access, single signon
• Wireless policies
• Logging & accounting at a centralized level
• Standards Based, such as LDAP
• Centralized accounting & billing (maybe)
• Rogue detection & encryption confirmation
• Wireless LAN Key Management
• Intrusion detection & response processes will have to be extended to cover wireless
• Secure Password-protected management functions
• Differential Access could require multiple new groups/profiles to manage
• Wireless Technology integration
Wireless Policy Issues
• Policy needs to dictate permitted services & usage i.e. what types of connections are permitted ?
• Wireless Access is often binary. i.e. Full network access or no network access – Roles potentially need to be catered for. (scanner vs. full LAN access)
• One needs a means of identifying & enforcing wireless access policies
• Existing company security policies need to be updated to cater for wireless security issues
• Policy needs to indicate how access will be controlled.. i.e. Time of the day
• Policy requirements dictate that all access needs to be logged
• User compliance & standards enforcement
• Centralized control of security policies
• Wireless management
• Wireless intrusion alert issues
• Process to update client Software levels
• Intrusion detection Policies
Wireless Management of Threats & Risk Mitigation
• User involvement & Cost • Process Management & Standards • Audits & Controls,
• User & Key administration & authorization • Application security
• Environmental Security• Bandwidth Robustness• Client security & Awareness
• Network Security• Physical Security
11. Standards & technology issues12. Policy Creation13. Training for Support14. WEP Key Password Quality15. Technology (TKIP, AES, WAP)16. Compliance & Client Detection Tools17. Technology & Architecture (VPN,
RADIUS, FW)18. Network design & AP Layout19. Network Review, IDS, & Vulnerability
Assessments20. Education for Policy, Compliance &
Access Control21. Standards, Architecture, Patch
Management
Wireless Mgmt Must Balance all Security Weaknesses
1
2
3
4
User involvement, Awareness & Roles
Key password quality
User & key administration
Environment Integrity &Robustness
Network Security & Technology Issues
Client Security
Application Security
Audits & Controls, & IDS
Process Management & Standards
Weakness
Weakness
Strength
Weakness
“How to” Wireless Security Issues
Common challenges faced by our customers include the following: How to ensure business continuity? How to be sure our existing security controls are appropriate? How to justify the cost of security? How to determine what security controls need to be implemented? How to increase awareness & make security a priority within the business? How to be sure our existing security controls are appropriate? How to implement end-to-end solutions covering business & IT? How to leverage new methods & technologies? How to prepare for an industry recognised security certification? How to remain confident over time that we have an appropriate security level? How to find skilled individuals? How to Architect the solution for flexibility, scalability, reliability, & security
802.1Q wired network w/ VLANs
Client Differentiation with Separate VLANs
Channel: 11SSID: phoneVLAN: 3
Channel: 6SSID: pdaVLAN: 2
Channel: 1SSID: laptopVLAN: 1
SSID: phoneSecurity: WEP
SSID: laptopSecurity: PEAP, TKIP
SSID: pdaSecurity: LEAP, CKIP
Client Differentiation with VLANs
SSID: phoneSecurity: WEP
SSID: laptopSecurity: PEAP, TKIP
SSID: pdaSecurity: LEAP, CKIP
Channel: 6SSID laptop = VLAN 1SSID pda = VLAN 2 SSID phone = VLAN 3
802.1Q wired network w/ VLANs
Firewall
Internet LAN
VLAN
AP
Using Firewalls to Wireless AP Services
VLAN
AP
RADIUS
Challenges & Enablers for Wireless Security
The challenges can be addressed using Major 3rd Party Security Solution Providers
Risk management processIncident management processChange management process
Audit processSecurity awareness program
Secure & Resilient Industry Solutions
Technology Architecture
Processes SkillsRisk management expertiseIT security expertiseArchitecture and design expertiseIndustry knowledge
Session cryptography/VPNsFile encryption
Content and virus filteringPersonal firewalls
User and device authenticationUser authorization
Wireless PKIIntrusion detection
Security management
Structured design methodFunctional architectureOperational architectureEnd-to-end security designManaged Intrusion Response Security Services
Wireless Security Solution Design Companies
Wireless Security Solution Design Services
Look for companies to provide the following comprehensive set of activities from the planning & design phases of proven end-to-end Wireless services. And, can be delivered individually or packaged pieces according to your needs: Wireless Strategy Wireless Readiness Assessment Wireless Value Wireless Requirements Wireless Policy Conceptual Architecture Functional Architecture Wireless Product Selection Site Selection & Facility Design Component Architecture Process Development
Two Types of Wireless Security Auditing Techniques: Individual or Distributed
Distributed: What does it do?
Distributed: wireless clients do the work
Real-time: continuous audits
Autonomic: network fixes its problems automatically
Audit: looks for vulnerabilities, &
Locates: rogue access points
Individual: How does it work?
Passively monitors the wireless network
Reports policy violations
Human expert needed
Periodic audits
Wireless IDS is Needed that can
Detect & Protect against:
• WAP spoofing – “man in the middle” attacks
• Denial of Service
• RF Jamming
• WAP misconfiguration
• Rogues APs
• WarDriving probes
Wireless IDS services can significantly reduce your risk from attacks to your internal network & associated data
Conclusion
• Wireless is rapidly growing & has potential to increase productivity, especially in SOHO, Homes, certain industries
• Wireless is currently unsecure, but solutions are maturing rapidly• Wireless technology is becoming enbedded in many form factors
(laptops, PDAs, cellphones, etc)• 802.11 WEP security is insufficient for the enterprise• 802.1x & 802.11i offer great improvements and mitigate several
security concerns• True mobile 802.11 wireless is difficult, but Mobile IP and other
technologies are tackling the problem• New technologies create new and old challenges• People, Process, Policies, & Architecture are require to deploy
wireless securely.
