Access Control and Site Security (Part 2)
(January 28, 2015)
© Abdou Illia – Spring 2015
Learning Objectives
Discuss Site Security
Discuss Wireless LAN Security
Site Security
Building Security Basics
Single point of (normal) entry to building
Fire doors and alarms
Security centers
  Monitors for closed-circuit TV (CCTV)
  Videotapes that must be retained (don't reuse them too much or the quality will be bad)
Interior doors to control access between parts of the building
  Prevent piggybacking: holding the door open so that someone can enter without identification defeats this protection
Phone stickers with security center phone number
Prevent dumpster diving by keeping dumpsters in locked, lighted area
Training security personnel
Training all employees
Enforcing policies: You get what you enforce
Reading Questions
Answer Reading Questions 1, posted on the course web site (in the Notes section)
802.11 Wireless LAN Security
Basic Terminology
Accidental association
  A wireless device latching onto a neighboring access point when turned on
  The user may not even notice the association
Malicious association
  Intentionally setting a wireless device to connect to a network
  Installing rogue wireless devices to collect corporate info
War driving
  Driving around looking for weak, unprotected WLANs
IEEE 802.11 WLAN standards

Standard                  802.11b     802.11a     802.11g     802.11n*
Unlicensed band           2.4 GHz     5 GHz       2.4 GHz     2.4 GHz or 5 GHz
Rated speed               ≤ 11 Mbps   ≤ 54 Mbps   ≤ 54 Mbps   ≤ 300 Mbps
Range (indoor/outdoor)    35m/100m    25m/75m     25m/75m     50m/125m
# of channels             3           12          13          14
* Under development

802.11g uses the Orthogonal Frequency Division Multiplexing (OFDM) modulation scheme to achieve higher speed than 802.11b

Frequency spectrum (0 Hz to infinity)
  AM radio service band: 535 kHz-1705 kHz
  FM radio service band: 88 MHz-108 MHz
  802.11b WLAN: 2.4 GHz-2.4835 GHz
  AM radio channels have a 10 kHz bandwidth
  FM radio channels have a 200 kHz bandwidth

Service band 2.4-2.4835 GHz divided into 13 channels
  Each channel is 22 MHz wide
  Channels spaced 5 MHz apart
  Channel 1 centered on 2412 MHz
  Channel 13 centered on 2472 MHz
  Transmissions spread across multiple channels
  802.11b and 802.11g devices use only channels 1, 6 and 11 to avoid transmission overlap
802.11 Wireless LAN (WLAN) Security
Basic operation:
  Main wired network for servers (usually 802.3 Ethernet)
  Wireless stations with wireless NICs
  Access points for spreading service across the site
  Access points are internetworking devices that link 802.11 LANs to 802.3 Ethernet LANs
802.11 Wireless LAN operation
802.11 refers to the IEEE Wireless LAN standards
[Figure: notebook with PC Card wireless NIC, access point, Ethernet switch, server and client PC; an 802.11 frame containing packet and an 802.3 frame containing packet; steps (1), (2), (3)]
802.11 Wireless LAN operation
[Figure: notebook with PC Card wireless NIC, access point, Ethernet switch, server and client PC; an 802.11 frame containing packet and an 802.3 frame containing packet; steps (1), (2), (3)]
1. If the AP is 802.11n-compliant, it could communicate with the notebook even if the notebook has an 802.11a NIC. T F
2. The wireless AP needs to have an 802.3 interface. T F
3. The switch needs to have at least one wireless port. T F
4. How many layers should the wireless AP have to perform its job?
Summary Question (1)
Which of the following is among Wireless Access Points’ functions?
a) Convert electric signal into radio wave
b) Convert radio wave into electric signal
c) Forward messages from wireless stations to devices in a wired LAN
d) Forward messages from one wireless station to another
e) All of the above
f) Only c and d
MAC Filtering
The Access Point could be configured to only allow mobile devices with specific MAC addresses
Today, attack programs exist that could sniff MAC addresses, and then spoof them
MAC Access Control List on the access point:
O9-2X-98-Y6-12-TR
10-U1-7Y-2J-6R-11
U1-E2-13-6D-G1-90
01-23-11-23-H1-80
……………………..
IP Address Filtering
The access point could be configured to only allow mobile devices with specific IP addresses
Attacker could
  Get an IP address by guessing based on the company's range of IP addresses
  Sniff IP addresses
IP Address Access Control List on the access point:
139.67.180.1/24-139.67.180.30/24
139.67.180.75
139.67.180.80
139.67.180.110
……………………..
SSID: Apparent 802.11 Security
Service Set Identifier (SSID)
  It's a "network name" of up to 32 characters
  Access points come with a default SSID. Example: "tsunami" for Cisco or "linksys" for Linksys
  All access points in a WLAN have the same SSID
  Mobile devices must know the SSID to "talk" to the access points
  The SSID is frequently broadcast by the access point for ease of discovery
  SSIDs in frame headers are transmitted in clear text
  SSID broadcasting could be disabled, but it's a weak security measure
  Sniffer programs (e.g. Kismet) can find SSIDs easily
Wired Equivalent Privacy (WEP)
Standard originally intended to make wireless networks as secure as wired networks
With WEP, mobile devices need a key used with an Initialization Vector to create a traffic key
Typical WEP key length: 40-bit, 128-bit, 256-bit
WEP key is shared by mobile devices and access points
Problems:
  Shared keys create a security hole
  WEP is not turned on by default
WEP authentication process
  1. Wireless station sends authentication request to AP
  2. AP sends back a 128-bit challenge text in plaintext
  3. Wireless station encrypts challenge text with its WEP key and sends result to AP
  4. AP regenerates the WEP from the received result, then compares it to its own WEP
  5. AP sends a success or failure message
Open source WEP cracking software: aircrack-ng, weplab, WEPCrack, airsnort
802.11i and Temporal Key Integrity Protocol (TKIP)
In 2004, the IEEE 802.11 working group developed a security standard called 802.11i to be implemented in 802.11 networks.
802.11i tightens security through the use of the Temporal Key Integrity Protocol (TKIP)
TKIP can be added to existing APs and NICs
TKIP uses a 128-bit key (that changes) to encrypt the WEP.
Using Authentication Server or Wi-Fi Protected Access (WPA)
[Figure: applicant (Lee), access point, RADIUS server / WAP gateway, directory server or Kerberos server]
  1. Authentication request
  2. Pass on request to RADIUS server
  3. Get user Lee's data (optional; RADIUS server may store authentication data)
  4. Accept applicant, key = XYZ
  5. OK, use key XYZ
RADIUS is an AAA (Authentication, Authorization, Accounting) protocol
Once the user is authenticated, the AP assigns the user an individual key, avoiding a shared key.
WPA is an early version of the 802.11i and 802.11x security standards
Protocols used in WPA
Authentication and data integrity in 802.11i and 802.11x rely on the Extensible Authentication Protocol (EAP), which has different options:
Wireless Transport Layer Security (WTLS) protocol
  Server and mobile devices must have digital certificates
  Requires that Public Key Infrastructure (PKI) be installed to manage digital certificates
Tunneled WTLS
  Digital certificates are installed on the server only
  Once the server is securely authenticated to the client via its Certificate Authority, a secured tunnel is created.
  Server authenticates the client through the tunnel.
  Client could use passwords as a means of authentication
Soft Access Point*
* Also called Rogue Access Point
[Figure: notebook with PC Card wireless NIC, access point, SoftAP, Ethernet switch, server and client PC; an 802.3 frame containing packet; steps (1), (2), (3)]
Usually, a soft AP is a laptop loaded with cracking software
Soft APs allow the hacker to get passwords, MAC addresses, etc.
Wireless Intrusion Detection Systems
Monitor the radio spectrum for the presence of unauthorized access points
Conventionally, operate by checking the MAC addresses of the participating access points
Use fingerprinting approach to weed out devices with spoofed MAC addresses
Compare unique signatures exhibited by the signals emitted by each wireless access point against the known signatures of legitimate access points
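The two checks described above (MAC inventory first, then signal fingerprint), as an added example that is not part of the original slides. The inventory, the observations, the three-value fingerprint and the tolerance are all constructed and hypothetical; a real sensor would supply its own signature features.

```python
from math import dist

# Constructed inventory of legitimate APs: MAC -> reference signal fingerprint.
# The 3-value fingerprint is a hypothetical stand-in for the radio signature a sensor measures.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": (0.82, 0.10, 0.33),
    "00:11:22:33:44:02": (0.79, 0.14, 0.35),
}
FP_TOLERANCE = 0.05  # hypothetical: max distance between two readings of the same radio

# Constructed sensor observations (MAC seen on air, channel, measured fingerprint).
OBSERVATIONS = [
    {"mac": "00:11:22:33:44:01", "channel": 1, "fingerprint": (0.81, 0.11, 0.33)},
    {"mac": "00-11-22-33-44-02", "channel": 6, "fingerprint": (0.40, 0.52, 0.07)},
    {"mac": "66:77:88:99:AA:BB", "channel": 11, "fingerprint": (0.55, 0.31, 0.20)},
]

def normalize_mac(mac):
    """Lower-case and use ':' so 00-11-.. and 00:11:.. compare equal."""
    return mac.strip().lower().replace("-", ":")

def classify(obs):
    """Return 'legitimate', 'unauthorized' or 'spoofed-mac' for one observed AP."""
    reference = AUTHORIZED_APS.get(normalize_mac(obs["mac"]))
    if reference is None:
        return "unauthorized"      # conventional check: MAC is not in the inventory
    if dist(reference, obs["fingerprint"]) > FP_TOLERANCE:
        return "spoofed-mac"       # known MAC, but the radio signature does not match
    return "legitimate"

def scan(observations):
    """Return (mac, channel, verdict) alerts for every AP that is not legitimate."""
    alerts = []
    for obs in observations:
        verdict = classify(obs)
        if verdict != "legitimate":
            alerts.append((normalize_mac(obs["mac"]), obs["channel"], verdict))
    return alerts

if __name__ == "__main__":
    for alert in scan(OBSERVATIONS):
        print(alert)
```

A MAC-only check would have accepted the second observation; the fingerprint comparison is what flags it.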
How Cracking Wireless Networks Works
Visit Youtube.com
Search for the following video
  Video name: Cracking Wireless Networks
  Posted by: spektral311
  Date: 9/8/2006
Copy of video in Review section of website
Summary Questions
What is meant by accidental association? Malicious association?
What are the functions of a wireless access point?
What is an SSID? How many SSIDs are needed in a WLAN with 3 wireless access points and 13 mobile stations?
How good a security measure is disabling the broadcasting of a WLAN's SSID?
What is WEP? How secure is a WEP-protected WLAN compared to a WPA WLAN using the 802.11i standard?
What does using TKIP add to a WEP-protected WLAN?
Explain the operation of a WPA WLAN using a RADIUS
What is a rogue AP? How can you detect a rogue AP?