Security concerns in Wireless LAN Guðbjarni Guðmundsson.
-
Upload
brionna-carnell -
Category
Documents
-
view
217 -
download
1
Transcript of Security concerns in Wireless LAN Guðbjarni Guðmundsson.
![Page 1: Security concerns in Wireless LAN Guðbjarni Guðmundsson.](https://reader031.fdocuments.us/reader031/viewer/2022013003/551768f35503463e368b49cd/html5/thumbnails/1.jpg)
Security concerns in Wireless LAN
Guðbjarni Guðmundsson
![Page 2: Security concerns in Wireless LAN Guðbjarni Guðmundsson.](https://reader031.fdocuments.us/reader031/viewer/2022013003/551768f35503463e368b49cd/html5/thumbnails/2.jpg)
Wireless Technologies
LAN(Local Area Network)
PAN(Personal Area
Network)
WAN(Wide Area Network)
MAN(Metropolitan Area Network)
PANPAN LANLAN MANMAN WANWAN
StandardsStandards BluetoothBluetooth802.11802.11
HiperLAN2HiperLAN2802.11802.11802.16802.16
GSM, GPRS,GSM, GPRS,CDMA, 1xRTT, 3GCDMA, 1xRTT, 3G
SpeedSpeed < 1Mbps< 1Mbps 11 to 54 Mbps11 to 54 Mbps 11 to 100+ Mbps11 to 100+ Mbps 10 to 384Kbps10 to 384Kbps
RangeRange ShortShort MediumMedium Medium-LongMedium-Long LongLong
ApplicationsApplications Peer-to-PeerPeer-to-PeerDevice-to-DeviceDevice-to-Device
Enterprise networksEnterprise networks T1 replacement, last T1 replacement, last mile accessmile access
Mobile Phones, cellular Mobile Phones, cellular datadata
![Page 3: Security concerns in Wireless LAN Guðbjarni Guðmundsson.](https://reader031.fdocuments.us/reader031/viewer/2022013003/551768f35503463e368b49cd/html5/thumbnails/3.jpg)
Momentum is Building in Wireless LANs
• Wireless LANs are an “addictive” technology
• Strong commitment to Wireless LANs by technology heavy-weights–Cisco, IBM, HP, Intel, Microsoft
• Embedded market is growing–Laptop PC’s with “wireless inside”–Also PDA’s, phones, printers, etc.
• The WLAN market is expanding from Industry-Specific Applications, to broad-based applications in Universities, Homes, & Offices
![Page 4: Security concerns in Wireless LAN Guðbjarni Guðmundsson.](https://reader031.fdocuments.us/reader031/viewer/2022013003/551768f35503463e368b49cd/html5/thumbnails/4.jpg)
WLAN Security Hierarchy
VirtualPrivate
Network (VPN)
No Encryption, Basic Authentication
Public “Hotspots”
Open Access 40-bit or 128-bitStatic WEP Encryption
Home Use
Basic Security 802.1x,TKIP/WPA Encryption,Mutual Authentication,
Scalable Key Mgmt., etc.
Business
Enhanced Security
Remote Access
Business Traveler,
Telecommuter
![Page 5: Security concerns in Wireless LAN Guðbjarni Guðmundsson.](https://reader031.fdocuments.us/reader031/viewer/2022013003/551768f35503463e368b49cd/html5/thumbnails/5.jpg)
Hacking into WEP
Wireless LAN Security Concerns:3 Key Vulnerabilities
Credit: KNTV San Jose
“War Driving”
Employees
![Page 6: Security concerns in Wireless LAN Guðbjarni Guðmundsson.](https://reader031.fdocuments.us/reader031/viewer/2022013003/551768f35503463e368b49cd/html5/thumbnails/6.jpg)
1. Concern for Enterpriseabout Wireless: Security
Source: WSJ, 2/5/01
Hacking into WEP
![Page 7: Security concerns in Wireless LAN Guðbjarni Guðmundsson.](https://reader031.fdocuments.us/reader031/viewer/2022013003/551768f35503463e368b49cd/html5/thumbnails/7.jpg)
Papers on WEP Weaknesses
University of California, Berkeley
University of Maryland
Scott Fluhrer, Itsik Mantin, and Adi Shamir
Feb. 2001 April 2001 July 2001
Focuses on static WEP; discusses need for key management
Focuses on authentication; identifies flaws in one vendor’s proprietary scheme
Focuses on inherent weaknesses in RC4; describes pragmatic attacks against RC4/WEP
* “In practice, most installations use a single key that is shared between all mobile stations and access points. More sophisticated key management techniques can be used to help defend from the attacks we describe…”- University of California, Berkeley report on WEP security, http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
![Page 8: Security concerns in Wireless LAN Guðbjarni Guðmundsson.](https://reader031.fdocuments.us/reader031/viewer/2022013003/551768f35503463e368b49cd/html5/thumbnails/8.jpg)
AirSnort “Weak IV” Attack
• Initialization vector (IV) is 24-bit field that changes with each packet• RC4 Key Scheduling Algorithm creates IV from base key • Flaw in WEP implementation of RC4 allows creation of “weak” IVs
that give insight into base key• More packets = more weak IVs = better chance to determine base key• To break key, hacker needs 100,000-1,000,000 packets
IV encrypted data ICV WEP framedest addr
src addr
![Page 9: Security concerns in Wireless LAN Guðbjarni Guðmundsson.](https://reader031.fdocuments.us/reader031/viewer/2022013003/551768f35503463e368b49cd/html5/thumbnails/9.jpg)
Bit-Flipping and Replay Attack
• Hacker intercepts WEP-encrypted packet• Hacker flips bits in packet and recalculates ICV CRC32• Hacker transmits to AP bit-flipped frame with known IV• Because CRC32 is correct, AP accepts, forwards frame• Layer 3 device rejects and sends predictable response• AP encrypts response and sends it to hacker• Hacker uses response to derive key (stream cipher)
message XOR
plain text
1234
stream cipher
XXYYZZ
cipher text
XOR 1234
stream cipher
message
predicted plain text
![Page 10: Security concerns in Wireless LAN Guðbjarni Guðmundsson.](https://reader031.fdocuments.us/reader031/viewer/2022013003/551768f35503463e368b49cd/html5/thumbnails/10.jpg)
WEP hacked
• Wireless networks can therefor be vulnerable• “hit-and-run attacks” carried out with laptops • attackers can’t be traced
![Page 11: Security concerns in Wireless LAN Guðbjarni Guðmundsson.](https://reader031.fdocuments.us/reader031/viewer/2022013003/551768f35503463e368b49cd/html5/thumbnails/11.jpg)
2. Concern for Enterpriseabout Wireless: Security
Source: WSJ, 2/5/01
“War Driving”
![Page 12: Security concerns in Wireless LAN Guðbjarni Guðmundsson.](https://reader031.fdocuments.us/reader031/viewer/2022013003/551768f35503463e368b49cd/html5/thumbnails/12.jpg)
News Clip: Hackers hit the Streets
• “White Hat Hackers” search for vulnerable wireless LANs
• Over 900 companies identified in a single area
Credit: KNTV San Jose
Credit: KNTV San Jose
![Page 13: Security concerns in Wireless LAN Guðbjarni Guðmundsson.](https://reader031.fdocuments.us/reader031/viewer/2022013003/551768f35503463e368b49cd/html5/thumbnails/13.jpg)
War Driving
• Originally, WarDriving was when crackers drove around in a car equipped with wireless gear looking for unsecured wireless networks, to gain illicit access.
• Over time, the term has evolved to include harmless types that simply looking for free internet access.
![Page 14: Security concerns in Wireless LAN Guðbjarni Guðmundsson.](https://reader031.fdocuments.us/reader031/viewer/2022013003/551768f35503463e368b49cd/html5/thumbnails/14.jpg)
• What are needed for war driving– Device capable of
• receiving 802.11b signal.
• Capable of moving around.
– Software that will log data from the device.• NetStumbler
• Over time, you can build up a database comprised of the network name, signal strength, location, and ip/namespace in use.
War Driving cont.
![Page 15: Security concerns in Wireless LAN Guðbjarni Guðmundsson.](https://reader031.fdocuments.us/reader031/viewer/2022013003/551768f35503463e368b49cd/html5/thumbnails/15.jpg)
Netstumbler Screenshot
![Page 16: Security concerns in Wireless LAN Guðbjarni Guðmundsson.](https://reader031.fdocuments.us/reader031/viewer/2022013003/551768f35503463e368b49cd/html5/thumbnails/16.jpg)
consume.net
![Page 17: Security concerns in Wireless LAN Guðbjarni Guðmundsson.](https://reader031.fdocuments.us/reader031/viewer/2022013003/551768f35503463e368b49cd/html5/thumbnails/17.jpg)
How is the situation in Iceland?(War Driving)
• Less than 1 hours drive –10 Open wireless networks found
•2 Homes•2 School•6 Companies
• SSID gave ALWAYS indication of who owned the network
–Except homes (default SSID of AP)
• 50% gave IP-address via DHCP–Open Access
![Page 18: Security concerns in Wireless LAN Guðbjarni Guðmundsson.](https://reader031.fdocuments.us/reader031/viewer/2022013003/551768f35503463e368b49cd/html5/thumbnails/18.jpg)
3. Concern for Enterpriseabout Wireless: Security
Source: WSJ, 2/5/01
Employees
![Page 19: Security concerns in Wireless LAN Guðbjarni Guðmundsson.](https://reader031.fdocuments.us/reader031/viewer/2022013003/551768f35503463e368b49cd/html5/thumbnails/19.jpg)
Who Installs Rogue APs?—“Focus on the Frustrated Insider”
Frustrated Insider:• Employee that installs wireless AP in order to benefit from
increased efficiency and convenience it offers• Common because of wide availability of
low cost APs• Usually ignorant of AP security configuration, default
configuration most common
Malicious Hacker:• Penetrates physical security specifically to
install a rogue AP• Can customize AP to hide it from detection tools• Hard to detect—more effective to prevent via 802.1X and
physical security• More likely to install LINUX box than an AP
Jones from Accounting
>99.9% of Rogue APs
James Bond
<.1% of Rogue APs
![Page 20: Security concerns in Wireless LAN Guðbjarni Guðmundsson.](https://reader031.fdocuments.us/reader031/viewer/2022013003/551768f35503463e368b49cd/html5/thumbnails/20.jpg)
3 Steps to Solving the Rogue AP Problem
• Step 1: Prevent– Physical Security (prevent unauthorized access to the bldg.)– Develop a company-wide WLAN Policy– Install an IT-sanctioned WLAN
• Step 2: Detect– Intermittent checking with portable wireless sniffers
• AirMagnet, NetStumbler, Sniffer, WildPackets, etc.
– Continuous Monitoring with WLAN management tools– Engage AP’s & Clients in the hunt
• Step 3: Eliminate– Locate the Rogue AP, and physically remove it
Rogue AP
![Page 21: Security concerns in Wireless LAN Guðbjarni Guðmundsson.](https://reader031.fdocuments.us/reader031/viewer/2022013003/551768f35503463e368b49cd/html5/thumbnails/21.jpg)
Wireless LAN Security:Lessons
“War Driving”
Hacking into WEP
Lessons:
• Security must be turned on (part of the installation process)
• Employees will install WLAN equipment on their own (compromises security of your entire network)
• WEP keys can be easily broken (businesses need better security)
Employees
![Page 22: Security concerns in Wireless LAN Guðbjarni Guðmundsson.](https://reader031.fdocuments.us/reader031/viewer/2022013003/551768f35503463e368b49cd/html5/thumbnails/22.jpg)
WLAN Security White Papers
To download these White Papers, go to: www.cisco.com/go/aironet/security To download these White Papers, go to: www.cisco.com/go/aironet/security
Wireless LAN Security & the Cisco Wireless Security Suite
SAFE for Wireless(updated Mar.’03)