
Wireless Security Presentation v6

Date post: 06-Apr-2018
Upload: umasikamani

Transcript
  • 8/3/2019 Wireless Security Presentation v6

    1/49

    802.11 Wireless Security

    John Berti

    Senior Manager

    Deloitte Security and Privacy Services


    2/49

    Agenda

    - Introduction to Wireless
    - Wireless Networks
    - Wireless Security
    - Top 8 Security Issues with 802.11
    - Security Controls for Wireless Networks
    - Summary Best Practices
    - Final Thoughts


    3/49

    Introduction to Wireless


    4/49

    The Wireless World

    - Cell Phones
    - PDAs
    - WLANs
    - Cordless Phones
    - Toys
    - Appliances


    http://palmorder.modusmedia.com/P5/P5-80400U.htm

    5/49

    [Figure: the electromagnetic spectrum on a frequency axis marked 10^3, 10^6, 10^9, 10^12, 10^15, 10^18 and 10^21 Hz, with bands labelled Radio, Microwave, Infrared, Visible Light, Ultraviolet, X-Ray and Gamma Rays]


    http://www.physicsclassroom.com/Class/sound/u11l2a2.gif

    6/49

    The Radio Frequency Band

    [Figure: frequency axis with ticks 0, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1 GHz, 3 GHz, 5 GHz, 10 GHz; legend: Unlicensed Radio Frequencies, Licensed Radio Frequencies]

    - AM Radio (535-1605 kHz)
    - VHF TV (174-216 MHz)
    - FM Radio (88-108 MHz)
    - UHF TV (512-806 MHz)
    - Analog Cellular (824-894 MHz)
    - Digital Cellular (1850-1900 MHz)
    - Cordless Phones, Toys (900 MHz)
    - 802.11b, g, Bluetooth, Phones (2.4 GHz)
    - 802.11a, g (5 GHz)


    http://www.crtc.gc.ca/eng/welcome.htm

    7/49

    Wireless Networks


    8/49

    What is a Wireless Network

    [Network diagram with the following labels]

    - Wireless Access Point
    - Demilitarized Zone (Firewall, Web Servers)
    - Wireless Network Card
    - Wireless Laptop
    - Wireless Phone
    - Wireless PDA
    - Internal Network


    9/49

    Wireless Network Standards

    Bluetooth
    - Intended as a replacement for cables over shorter distances, with an effective range of up to 10 meters
    - 1 Mbps Data Rate
    - 2.4 GHz Frequency Band

    802.11b
    - Extension to 802.11 Wireless LAN standard
    - 11 Mbps Data Rate
    - 2.4 GHz Frequency Band
    - Direct Sequence Spread Spectrum (DSSS)


    10/49

    Wireless Network Standards

    802.11a
    - Extension to 802.11 Wireless LAN standard
    - 54 Mbps Data Rate
    - 5 GHz Frequency Band
    - Orthogonal Frequency Division Multiplexing (OFDM)

    802.11g
    - Replacement for 802.11b with higher rate
    - 54 Mbps Data Rate
    - 2.4 GHz and 5 GHz Frequency Bands


    11/49

    Wireless Networks

    802.11 Standards Comparison

    Wireless Standard | 802.11b | 802.11a | 802.11g
    ------------------|---------|---------|--------
    Popularity        | Widely Adopted | Not Very Popular | Widely Adopted
    Speed             | 11 Mbps | 54 Mbps | 54 Mbps
    Cost              | Inexpensive | More Expensive | Inexpensive
    Frequency         | 2.4 GHz | 5 GHz | 2.4 GHz
    Range             | 300 - 1750 ft | 60 - 100 ft | 100 - 150 ft
    Public Access     | Hotspots available at most airports, colleges and some restaurants and coffee shops | None | Hotspots readily available
    Compatibility     | 802.11b | 802.11a | 802.11b, 802.11g

    Comparison Data From http://www.linksys.com/edu/wirelessstandards.asp


    12/49

    Wireless Networks

    Other task groups:

    - 802.11e: Quality of Service
    - 802.11n: 100mb over Wireless
    - 802.11s: Mesh Networks (Self Healing)
    - 802.11r: Fast Hand-off Re-association from AP to AP
    - 802.11p: Wi-Fi in moving vehicles


    13/49

    Wireless Security


    14/49

    Wireless Security

    There are numerous risks associated with wireless technology that could potentially be detrimental to an organization and its wireless infrastructure.

    These risks can be categorized into 6 classes:

    - Eavesdropping
    - Transitive Trust
    - Impersonation or masquerading
    - Denial of Service
    - Infrastructure
    - Device vulnerability


    15/49

    802.1x Access Control
    - Complete and published standard for controlled port access
    - Dynamically generated, session based WEP keys
    - Both session & packet authentication
    - User oriented authentication support
    - Extensible Authentication Protocol (EAP): an extension to RADIUS servers enabling wireless client authentication to the wired LAN
    - Several vendors, like Cisco and 3Com, have already begun measures to ensure their implementations comply with the latest draft of 802.1x standards

    802.11i Security
    - 100% focus on security
    - Standard completed
    - Provides extensions to current WEP requirements
    - Authentication algorithm yet to be determined
    - Advanced Encryption Standard (AES): block cipher encryption algorithm


    16/49

    Wireless Security

    Wired Equivalent Privacy (WEP) is the standard for WLAN encryption
    - It is not widely used (50% of networks don't use it)
    - Easily broken
    - It uses shared keys

    For more details on WEP cracking, see the paper by Scott Fluhrer, Itsik Mantin, and Adi Shamir: http://www.drizzle.com/%7Eaboba/IEEE/rc4_ksaproc.pdf

    Newer WLAN equipment will support Wi-Fi Protected Access (WPA) standards
    - Subset of WLAN security standards based on 802.11i working group
    - WPA: TKIP, changing of keys
    - WPA2: Advanced Encryption Standard (AES)


    17/49

    Problems with WEP

    1. WEP is hardly used!

    In this scan done recently on my way to work only 15 of the 45 access points detected used WEP.

    That's only 33%.

    Note: Some of these networks may actually use other methods of encrypting data such as VPN


    18/49

    Problems with WEP

    2. WEP Can Be Cracked

    - The IV is sent as plaintext with the encrypted packet. It can be sniffed.
    - XOR is a simple process that can be easily used to deduce any unknown value if the other two values are known.
    - The first byte of transmitted data is always the same, giving an attacker knowledge of both the plaintext and ciphertext. (The SNAP header, which equals AA in hex or 170 decimal.)
    - Certain formats of IVs are known to be weak. By targeting attacks on packets with weak IVs the amount of data and analysis needed to derive the shared key is greatly reduced.
    - By combining the above observations about the implementation of WEP, hackers have developed tools that can obtain the shared key after collecting approximately 500,000 to 2,000,000 packets with < 1 minute cracking time.
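
The observations on this slide can be checked on a toy frame. The following Python sketch is an added example, not part of the original presentation: it shows the IV travelling in clear, the first keystream byte falling out of the known SNAP byte, keystream reuse under a repeated IV, and a check for the weak-IV format from the cited paper. The key, IV, payloads and function names are constructed for illustration, and the CRC-32 ICV is left out.

```python
# Added illustration: key, IV and payloads are constructed sample values.

def rc4_keystream(seed: bytes, n: int) -> bytes:
    """RC4: key scheduling over the seed, then n bytes of output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_frame(iv: bytes, shared_key: bytes, payload: bytes) -> bytes:
    """RC4 is seeded with IV || shared key; the 3-byte IV is prepended in
    clear. (The CRC-32 ICV is omitted to keep the example short.)"""
    return iv + xor(payload, rc4_keystream(iv + shared_key, len(payload)))

def first_keystream_byte(frame: bytes) -> int:
    """The payload always starts with SNAP byte 0xAA, so an observer gets
    keystream[0] = ciphertext[0] XOR 0xAA without knowing the key."""
    return frame[3] ^ 0xAA

def is_weak_iv(iv: bytes, key_len: int) -> bool:
    """Weak-IV format from the Fluhrer/Mantin/Shamir paper: (B+3, 0xFF, X),
    where B is the index of a shared-key byte."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_len

KEY = bytes.fromhex("0badc0de42")                # constructed 40-bit key
IV = bytes([0x03, 0xFF, 0x10])                   # constructed IV
P1 = b"\xaa\xaa\x03\x00\x00\x00\x08\x00first"    # SNAP header + sample data
P2 = b"\xaa\xaa\x03\x00\x00\x00\x08\x06other"
F1, F2 = wep_frame(IV, KEY, P1), wep_frame(IV, KEY, P2)

if __name__ == "__main__":
    print("IV read from frame:", F1[:3].hex(), "weak:", is_weak_iv(F1[:3], len(KEY)))
    print("keystream[0] recovered:", hex(first_keystream_byte(F1)))
    # Same IV and key means same keystream: the XOR of two ciphertexts
    # equals the XOR of the two plaintexts.
    print("C1^C2 == P1^P2:", xor(F1[3:], F2[3:]) == xor(P1, P2))
```

The same weak-IV check can be run over IVs taken from a capture of your own network to see how often a deployment emits them, which is one reason to move off static WEP to TKIP or CCMP.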


    19/49

    Problems with WEP

    3. WEP uses a Shared Key

    - Using shared keys is impractical on large networks
    - Key management is very difficult (Difficult to ensure keys can be periodically changed)
    - Knowledge of the shared key is disseminated
    - Inevitably someone will incorrectly configure a wireless device

    Index | Network Type | ESSID     | BSSID (MAC address) | Channel | Cloaked | WEP | Data Rate | Max Signal Strength
    ------|--------------|-----------|---------------------|---------|---------|-----|-----------|--------------------
    1     | Access Point |           | 00:01:xx:xx:xx:xx   | 11      | No      | Yes | 11        | 62
    2     | Access Point |           | 00:01:xx:xx:xx:xx   | 0       | No      | No  | 0         | 69
    3     | probe        | wlan      | 00:01:xx:xx:xx:xx   | 0       | No      | No  | 11        | 71
    4     | probe        | wlan      | 00:01:xx:xx:xx:xx   | 0       | No      | No  | 11        | 73
    5     | unknown      | wlan      | 00:01:xx:xx:xx:xx   | 0       | No      | No  | 11        | 60
    6     | unknown      | !OUxxxxxx | 00:40:xx:xx:xx:xx   | 6       | No      | No  | 11        | 71


    20/49

    WPA Security

    WiFi Protected Access (WPA) was originally a temporary answer to flaws in WEP. At the heart of WPA is TKIP (Temporal Key Integrity Protocol), which uses re-keying to get away from the problems inherent in static WEP.


    21/49

    WPA Security

    Adds authentication through one of two methods:
    1) Pre-shared Key (PSK), which is similar to WEP, fine for small networks
    2) 802.1x authentication, uses a backend authentication server such as RADIUS


    22/49

    Top 8 Security Issues with 802.11


    23/49


    24/49

    Detection & Eavesdropping

    Detection
    - WLAN will generate and broadcast detectable radio waves for a great distance

    Eavesdropping
    - WLAN signals extend beyond physical security boundaries


    25/49

    Eavesdropping

    - Service Set Identifier (SSID) may be broadcast.
    - SSID string may identify your organization.


    26/49

    Eavesdropping

    - Standard Wired Equivalent Privacy (WEP) encryption is often not used.
    - When used, WEP is flawed and vulnerable.
    - No user authentication in WEP.

    [Figure labels: Clear Text Passwords, IP Addresses, Company Data]


    27/49

    Modification, Injection & Hijacking

    Modification
    - Standard Wired Equivalent Privacy (WEP) encryption has no effective integrity protection.

    Injection
    - Static WEP keys can be determined by analysis.
    - Adversaries can attach to the network without authorization.

    Hijacking
    - Adversaries can hijack authenticated sessions protected only by WEP.


    28/49

    Security Architecture

    [Network diagram "WLAN Architecture" with labels: Internet, Firewall, DMZ, Internal Network, Rogue AP]


    29/49

    Wireless LAN Security Controls


    30/49

    Wireless LAN Security Controls: Subtopics

    1. SSID Broadcasting
    2. MAC Address Filtering
    3. Security Architecture
    4. Radio Frequency Management
    5. Encryption
    6. Authentication
    7. New Wireless LAN Security Protocols


    31/49

    SSID Broadcasting

    - Disable the broadcasting of the SSID.
    - Not possible on all Access Points
    - Easily bypassed
    - Only useful on low-value networks
    - SSID should also not be easily correlated to your organization name


    32/49

    MAC Address Filtering

    Some Access Points allow the administrator to specify which link layer (MAC) addresses can attach.

    - Easily bypassed
    - Does not scale
    - Only useful for low-value networks


    33/49

    Security Architecture

    [Network diagram with labels: Internet, Firewall (twice), DMZ (VPN Server), Internal Network]


    34/49

    Radio Frequency Management

    [Diagram labels: Building A, Parking Lot]

    - Use a scanner to determine your RF footprint
    - Monitor interference sources


    35/49

    Wireless Encryption

    - Static WEP keys are insufficient for many networks
    - New secure protocols exist for WLAN protection
    - Layered VPN is a common solution for WLAN networks


    36/49

    Subtopics

    Wireless LAN Security Mechanisms:
    - Access Control
    - Authentication
    - Encryption
    - Integrity

    802.11 Wireless LAN Security Protocols:
    - 802.1X / Dynamic WEP
    - Wi-Fi Protected Access (WPA)
    - Wi-Fi Protected Access 2 (WPA2)


    37/49

    Authentication

    - Wireless LAN needs an authenticated key exchange mechanism
    - Most secure WLAN implementations use Extensible Authentication Protocol (EAP)
    - Many EAP methods are available
    - One-factor methods include EAP-MD5, LEAP, PEAP-MSCHAP, TTLS-MSCHAP, EAP-SIM
    - Two-factor methods include EAP-TLS, TTLS with OTP, and PEAP-GTC

    Need mutual authentication


    38/49


    39/49

    Integrity Protection

    - WEP has no cryptographically strong integrity protection
    - TKIP uses a new Message Integrity Code called Michael
    - CCMP uses AES in CBC-MAC mode


    40/49

    802.11 Security Solutions

                   | 802.1x Dynamic WEP | Wi-Fi Protected Access       | Wi-Fi Protected Access 2
    ---------------|--------------------|------------------------------|------------------------------
    Access Control | 802.1X             | 802.1X or Pre-Shared Key     | 802.1X or Pre-Shared Key
    Authentication | EAP methods        | EAP methods or Pre-Shared Key | EAP methods or Pre-Shared Key
    Encryption     | WEP                | TKIP (RC4)                   | CCMP (AES Counter Mode)
    Integrity      | None               | Michael MIC                  | CCMP (AES CBC-MAC)


    41/49

    Tools and Techniques


    42/49

    Hacker Tools and Techniques

    Discovery

    Association Polling
    - Set SSID to Any on Client
    - Card automatically associates with the strongest AP
    - Default setting for most wireless clients
    * Reason that Fake APs are a threat to unsuspecting clients

    Scan Mode Polling
    - Send a Scan Request to the card, receive a Scan response back with AP info
    - Card keeps track of received beacon packets and probe requests
    - Will detect both APs as well as ad hoc networks
    - Will only detect Access Points that are configured to Beacon the SSID
    - Technique used by Netstumbler


    43/49


    44/49


    45/49

    Hacker Tools and Techniques

    Discovery Tools

    Kismet
    - Runs on Linux
    - Cards must be capable of running in RF-Monitor Mode
    - Can also be set up with drones to use it as a wireless intrusion detection solution.

    http://www.kismetwireless.net/index.shtml

    46/49

    Summary Best Practices


    47/49


    48/49


    49/49

