SonicWALL_SWNISG.book Page xxi Tuesday, June 3, 2008 11:00 PM

Part 1

Planning

An individual who is observed to be inconstant in his planning, or perhaps carries on his affairs without any plans at all, is marked at once, by all prudent people, as a speedy victim in his own unsteadiness and folly.1

1. Hamilton, Alexander


Chapter 1: Introduction to Secure Wireless Networking

Sections in This Chapter:

• A Short History of Wireless Security Standards and Technology, page 2

• The Growth of Internet Usage, page 7

• The Evolution of Malware, page 9

• Top Five Wireless Threats, page 15

• Chapter Knowledge Check, page 22

Introduction

Wireless communication is fast becoming an essential element of the business environment. Wireless devices such as cell phones, PDAs, and laptop computers provide mobility to users and enable them to keep in constant contact with both their work and personal lives. About 40% of computer network usage is now wireless, up from only 3% five years ago. Wireless users also enjoy a rapidly growing selection of devices and applications. Very soon, there will be just as many applications for handheld wireless devices, such as cell phones and PDAs, as there are for personal computers. But without effective network security, the advantages of wireless mobility come with increased risk.

Crackers, spammers, and script kiddies all want a piece of the action. Wireless technology suffers from most of the same vulnerabilities as wired solutions, plus others that are unique to wireless. It is essential to have a well-thought-out and secure wireless solution in order to enjoy the benefits of wireless technology in your organization without having to worry about malware.

To protect your network environment, you must combine gateway security services with endpoint security applications and radio frequency management. SonicWALL Unified Threat Management (UTM) provides content filtering, intrusion prevention, anti-virus, and anti-spyware at the gateway, along with user-class authentication, endpoint security, and radio frequency management to protect all computers, wired and wireless, within the local network.


A Short History of Wireless Security Standards and Technology

The spread of civilization may be likened to that of fire: First, a feeble spark, next a flickering flame, then a mighty blaze, ever increasing in speed and power. We are now in this last phase of development.2

Tesla wrote those words in 1910, a full seventeen years after he first demonstrated the principles of radio broadcasting. In 1898, Tesla conducted a public demonstration of a radio controlled boat in Madison Square Garden, New York City, New York. Tesla’s musing about the advancement of civilization certainly applies to the advancement of wireless technologies.

As early as 1927, inventor Guglielmo Marconi thought he had the solution to wireless security, stating in an interview with Time magazine that “ordinary wireless waves spray their messages…the beam system directs them, gaining privacy…”3

The twentieth century saw the feeble spark of wireless communications slowly glow into a flickering flame. Today, there is a mighty blaze of rapidly evolving algorithms, standards, terms, and acronyms. Figure 1 shows the evolution of wireless standards (both IEEE and Wi-Fi Alliance) from 1999 to today. Let’s take a few tablespoons of this wireless alphabet soup and try to make sense of these terms from an evolutionary perspective. Pending ratification, draft IEEE 802.11 standards are depicted with an asterisk.

Figure 1 Wireless Security Timeline (timeline image beginning in 1999 with 802.11a and 802.11b)

2. Tesla, Nikola

3. Marconi, Guglielmo


Spread Spectrum: The Beginning

During Tesla’s early wireless experiments, he first realized the need for developing methods to avoid interference and secure wireless signals. This led to Tesla filing two patents in 1903 that introduced the concept of frequency hopping, a way of transmitting radio signals over rapidly changing frequencies. Frequency hopping was the first form of a spread spectrum technique. This technology was primarily developed and used by the U.S. Navy for secure wireless radio transmissions. The idea then was the same as it is today—to spread wireless traffic over a large area for the following results:

• Appear as radio frequency noise to anyone who is not looking for it

• Be less susceptible to signal jamming

• Provide security and encryption for privacy by using random keys or codes

Years after its initial development and use as a government tool, spread spectrum became declassified and, thus, publicly available. The spread spectrum Radio Frequency (RF) space eventually became standardized in 1997 when the 802.11 original standard was introduced by the Institute of Electrical and Electronics Engineers (IEEE). Even then, there was still a fundamental flaw in that wireless traffic was treated the same as LAN traffic, but unlike wired LAN, wireless transmissions are susceptible to interception by anyone listening.

Note: Although the spread spectrum basis for 802.11 wireless makes traffic look like white noise to those who are not looking, the problem is that many people are looking. The tools for wireless sniffing are not only very advanced and relatively simple to operate, but they are also readily available.

WEP: Security Missteps

After the IEEE standardization of the wireless spectrum, the 802.11a/b standard was presented as the first ratification for commercial and personal use. Along with the a/b standard came the first encryption mechanism, Wired Equivalency Protection (WEP), introduced in 1999. However, by 2001, serious flaws in WEP were exposed, including a weakness in the Initialization Vector (IV) key, which was susceptible to being easily cracked. It was soon clear that this new spread spectrum adaptation was not sufficiently secure on its own.


WPA: Patching a Flawed System

As a reaction to the flaws of WEP, the IEEE created the 802.11i standard to guide the development of truly secure wireless standards. The 802.11i standard was implemented in two phases:

1. Wi-Fi Protected Access (WPA)

2. WPA2

First, the WPA protocol was ratified in 2003 and covered a subset of the 802.11i requirements. WPA security implemented a Temporal Key Integrity Protocol (TKIP) to dynamically change keys, making it statistically impossible to recover a key through the methods used in previous WEP attacks. In addition to key enhancements, the WPA standard implemented stronger packet protection through the Michael algorithm, making it more difficult to forge wireless packets. The algorithm is effective at detecting forged packets, but has an undesirable side-effect: It brings the network to a momentary halt when forgery attempts are detected. Essentially, instead of a network security breach, we end up with a self-imposed wireless Denial of Service (DoS) attack. Although it is more secure than the standard it replaces, WPA was meant only as a temporary upgrade to the existing WEP infrastructure.
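The self-imposed DoS described above can be seen by replaying a frame timeline through a receiver that applies the Michael countermeasure. This is an added example, not code from the SonicWALL guide; the 60-second window and 60-second shutdown are the TKIP countermeasure values from IEEE 802.11i, and the frame timeline is constructed sample data.

```python
"""Simulation of the TKIP/Michael countermeasure side-effect.

Added example, not code from the SonicWALL guide. The 60-second figures are
the IEEE 802.11i TKIP countermeasure rule (a second MIC failure within 60 s
of the first shuts TKIP traffic off for 60 s); the frames are constructed.
"""
from typing import Dict, List, Optional, Tuple

COUNTERMEASURE_WINDOW_S = 60.0  # second MIC failure inside this window trips countermeasures
COUNTERMEASURE_HOLD_S = 60.0    # how long the receiver refuses TKIP frames afterwards


class TkipReceiver:
    """Tracks Michael MIC failures for one receiver and applies the countermeasure."""

    def __init__(self) -> None:
        self.last_failure: Optional[float] = None
        self.blocked_until: float = float("-inf")

    def on_frame(self, t: float, mic_ok: bool) -> str:
        """Return what the receiver did with a frame arriving at time t (seconds)."""
        if t < self.blocked_until:
            return "dropped"            # countermeasures active: every frame is refused
        if mic_ok:
            return "accepted"
        # MIC failure: a second one inside the window trips the countermeasures
        if self.last_failure is not None and t - self.last_failure < COUNTERMEASURE_WINDOW_S:
            self.blocked_until = t + COUNTERMEASURE_HOLD_S
            self.last_failure = None
            return "countermeasures"
        self.last_failure = t
        return "mic_failure"


Event = Tuple[float, bool, bool]  # (arrival time, MIC verifies, frame is legitimate)


def simulate(events: List[Event]) -> Dict[str, int]:
    """Replay frames through one receiver and count the collateral damage."""
    rx = TkipReceiver()
    summary = {"accepted": 0, "legit_dropped": 0,
               "forgeries_detected": 0, "countermeasure_trips": 0}
    for t, mic_ok, legit in sorted(events):
        result = rx.on_frame(t, mic_ok)
        if result == "accepted":
            summary["accepted"] += 1
        elif result == "dropped" and legit:
            summary["legit_dropped"] += 1       # good traffic lost to the countermeasure
        elif result in ("mic_failure", "countermeasures"):
            summary["forgeries_detected"] += 1
            if result == "countermeasures":
                summary["countermeasure_trips"] += 1
    return summary


def sample_events() -> List[Event]:
    """Constructed timeline: one legitimate frame per second for 200 s, plus two forged frames."""
    legit: List[Event] = [(float(t), True, True) for t in range(200)]
    forged: List[Event] = [(10.5, False, False), (20.5, False, False)]  # 10 s apart: inside the window
    return legit + forged


if __name__ == "__main__":
    print(simulate(sample_events()))
```

Two forged frames cost sixty seconds of legitimate traffic, which is the trade-off the text describes.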

802.11i / WPA2: A New Method

Today, with WPA2 and the new 802.11i wireless security standard, we have a security mechanism called Counter Mode with Cipher Block Chaining Message Authentication Code (CCMP) derived from Advanced Encryption Standard (AES). Although CCMP is the actual algorithm used, this type of wireless security is usually referred to simply as AES. Completely different from the earlier WEP and WPA-TKIP standards, the new AES encryption is implemented as a block cipher. The new authentication technology is also completely extensible, allowing interface with virtually any backend authentication method.

WPA2 has proven to be a secure standard when used with either a strong password in Pre-Shared Key (PSK) mode or with an external authentication server using the Extensible Authentication Protocol (EAP).

Note: It is important to note that 802.11i is a set of changing standards for wireless security that can be applied to 802.11a/b/g/n. When 802.11i is mentioned in this and other books, it usually refers to the latest Wi-Fi security standards of the time.

As part of the newest 802.11i standard, the separation of wired and wireless networks is also achieved. Wireless LANs (WLANs) are treated as separate entities from the LAN, with security options tailored to the specific needs of the wireless medium. Your network security plan should also treat these networks separately.

For more on 802.11 wireless standards in the context of your wireless network deployment, see “Choosing a Wireless Standard” on page 26.


Other 802.11 Standards

Most letters of the alphabet are accounted for by the IEEE wireless standards organization. Here are a few of the more prominent standards or amendments:

• 802.11c / 802.1D – Both of these components address wireless bridging methods. 802.11c is an amendment to 802.1D, which defines standards for bridging and inter-network bridging.

• 802.11e – Amends the existing standard for wireless Quality of Service (QoS), including traffic management enhancements to the 802.11e MAC protocol.

• 802.11p – An amendment that adds Wireless Access in the Vehicular Environment (WAVE) specifications. Developed with short-range vehicular communication in mind, one of the major applications for WAVE technology is instant toll collection on roads and bridges.

• 802.11y – An amendment that specifies use of the 3.65 GHz band in the United States for wireless networking. This amendment could result in high-power networks with coverage areas of more than 3 miles (5 kilometers).

WiMAX Technology

With more and more users depending on wireless access in urban outdoor situations, Worldwide Interoperability for Microwave Access (WiMAX) aims to fill a niche with its increased range, bandwidth, and roaming capabilities. In addition to outdoor metropolitan networks, WiMAX is often used to provide so-called ‘last-mile’ broadband services to users who are outside the service area of traditional DSL providers.

WiMAX technology is based on the IEEE 802.16-2005 standard. Because of the wide application range, WiMAX technology is generally divided into two specifications, one for mobile users (802.16e-2005) and one for stationary or ‘fixed’ users (802.16d-2005). Technically speaking, these two specifications are amendments to the standard, not standards in their own right.

The fixed version of the standard uses an Orthogonal Frequency-Division Multiplexing (OFDM) model, which offers excellent channel separation within the given frequency as well as the ability to spread original packet bits further apart (instead of a traditional compacted stream). These features allow better error correction and resilience to interference, resulting in more reliable long-distance transmissions.

The mobile version of the standard specifies use of an Orthogonal Frequency-Division Multiple Access (OFDMA) model. In short, the technology is a version of the OFDM standard adapted for multiple users.


Mobile 3G and 4G Technology

Wireless Wide Area Networks (WWANs) using 3G and 4G technology provide untethered remote network access through the use of mobile or cellular data networks. While legacy cellular networks, such as GSM, were only able to provide data rates of about 14 Kbps, today's emerging WWAN technologies (such as UMTS and HSDPA) provide theoretical data rates of up to 10 Mbps, rivaling many wired technologies.

The cellular networks powering WWAN have been evolving very quickly, and as a result, comprise many different implementations. Fundamentally, they fall into two protocols:

• Global System for Mobile Communication (GSM) – The most widely used protocol outside of the Americas. GSM is often regarded as less susceptible to signal degradation indoors. Although GSM is used both in the Americas and the rest of the world, the American implementation operates on a different frequency, and interoperability is not guaranteed unless explicitly supported by the equipment.

• Code Division Multiple Access (CDMA) – The most widely used protocol in the Americas. CDMA has capacity advantages over GSM, but congestion tends to reduce its operating range.

Evolving Standards

When considering your wireless security goals, an understanding of both past and present wireless technology is useful. Historically, people believed the convenience of wireless networks required the trade-off of accepting inherent security risks, primarily due to the well-known flaws of WEP, the predominant security protocol for wireless networks for several years. WEP’s flaws were first documented in 2001, and its replacement, WPA, was not introduced until 2003. However, even before the introduction of WPA, Virtual Private Networks (VPNs) provided secure authentication and encryption for wireless networks. SonicWALL’s Global VPN Client (GVC) used Internet Protocol Security (IPsec) in its proprietary WiFiSec security protocol to provide secure wireless access.

Now with the widespread support for WPA and WPA2, which implements the full IEEE 802.11i standard, wireless networks can be designed to be as secure as wired networks. Beginning in 2005, both Microsoft and Apple implemented support for WPA2. Since March of 2006, Wi-Fi certification has required WPA2 support. With this widespread built-in support, the need for network administrators to distribute client software to all network users has largely been eliminated.


The Growth of Internet Usage

Since its adoption by the general public in 1995, use of the Internet has increased almost a hundredfold, from 15 million users to over a billion. Internet Service Providers (ISPs) like AOL and Yahoo were at the forefront of this Internet revolution with the introduction of user-friendly chat and email applications. As Internet use grows, new technologies are introduced, like Skype and Voice over IP (VoIP). The graph in Figure 2 shows the growth of Internet use from 1995 to 2007.

Figure 2 Growth of Internet Use from 1995 to 2007


The graph in Figure 3 shows the global growth of Internet use by global region from 2000 to 2007.

Figure 3 Global Growth of Internet Use from 2000 to 2007 Graph

Along with legitimate applications like chat and email, threats such as viruses, spam, phishing, and identity-theft have increased. Other threats such as worms and viruses have also become more common over time. Wireless applications and technology have experienced growth rates similar to global Internet use, and wireless-specific threats have come along right behind them, underscoring the need for network security.

(Figure 3 is a bar chart of growth in percentage, 2000 - 2007, for Africa, Asia, the Middle East, Europe, North America, Latin America / Caribbean, Oceania / Australia, and the world average. Source: www.internetworldstats.com)


The Evolution of Malware

Malware is a relatively new term that combines the words “malicious” and “software.” Malware includes all forms of malicious software, including viruses, worms, botnets, and any software that is designed to infiltrate or damage a computer system without the owner’s informed consent. The term is used as an umbrella for hostile, intrusive, disruptive, or annoying program code. Malware began in the form of hacker pranks in the 1980s, but is now a much more harmful parasite, pocketing profits and draining away time from its victims. The existence, evolution, and prevalence of malware are the primary reason that network security is a growing industry.

Figure 4 shows a timeline of major malware.

Figure 4 Evolution of Malware Timeline

(Figure 4 is a timeline image spanning 1980 to 2005 that marks the viruses, worms, and botnets that appeared in each period, from the Elk Cloner virus to the Storm botnet.)


History of Malware

The earliest and most well-known form of malware is the infamous computer virus. The term ‘computer virus’ was coined in the early 1980s and the concept was theorized even earlier. Viruses originally spread within a computer by infecting other software and writing themselves on boot disks. Applications at the time ran on floppy disks, and viruses spread when infected disks passed hands. The viruses themselves were usually rather harmless, having been designed as either mental exercises or pranks.

Computers are incredibly fast, accurate and stupid. Human beings are incredibly slow, inaccurate and brilliant. Together they are powerful beyond imagination.4

The Elk Cloner virus was the first such virus to spread in the wild. It was written by Richard Skrenta, a fifteen-year-old, for the Apple II operating system, which used a floppy as a boot disk. The virus copied itself to other floppies, which were commonly shared among users. You knew your computer was infected by a message it displayed on your console at every 50th bootup, but it was otherwise harmless.

Late 1980s

As long as computers were not connected, viruses needed human action to carry them from one system to another. But as computer networks became more common, the next step in malware was developed: the worm. Worms are infectious programs that actively spread from one machine to another on a network. By the late 1980s, Internet worms used vulnerabilities in network server programs to run independently. Unlike computer viruses, which modified other programs to exist, worms are separate, stand-alone processes.

The first significant worm was the Morris Worm in 1988. Robert Tappan Morris, a student at Cornell University, created it to gauge the size of the Internet. It spread itself by taking advantage of weak passwords combined with buffer overrun and other vulnerabilities in the UNIX utilities sendmail, finger, remote shell (rsh), and remote execute (rexec). The intent was benign, but the Morris Worm had an Agent-Smith-from-the-Matrix DoS side effect—one out of seven times, it replicated itself on a system even when it was already running there, slowing down the system until it was unusable. Morris was convicted of computer fraud and abuse, but served no jail time.

Mid 1990s

Worms started out on UNIX-based systems, since the majority of networks ran on UNIX systems at the time. But with growing acceptance of Windows-based systems came worms that exploited vulnerabilities in Microsoft products. A new type of virus, the macro virus, began to emerge in the mid-1990s. Macro viruses target template files for programs like Microsoft Word. Once a computer is infected, any document created on that machine will carry the virus. When an infected document is emailed or downloaded, any machine that views that document will in turn become infected. Macro viruses spread dangerously fast due to the homogeneity of networks running the same operating system (OS) and using the same applications.

4. Einstein, Albert

Late 1990s

The 1999 Melissa virus is an example of a macro virus that is still affecting unprotected Windows machines. It arrives as an email attachment to a seemingly innocuous message telling the user that the attachment is a document he or she requested. When the attachment is opened, the virus copies itself to the hard drive, the Word template file ‘normal.dot’, and the Windows registry. If the victim is running Microsoft Outlook, Melissa clones the email with the attachment to the first 50 contacts. The virus is not overtly destructive, but an outbreak can overload and cripple affected mail servers.

By the late 1990s, protocols like AOL Instant Messenger and email were becoming common. Worms and viruses like Melissa started to exploit vulnerabilities in email protocols to spread themselves as attachments. An unsuspecting user would click to open what looked like a picture, only to have a worm take over and send itself to every contact in the address book.

21st Century

The latest development in malware reflects a shift in purpose. Viruses and worms are no longer built by young botmasters for fame or to prove a point. Malware today is maliciously designed for profit. There are many ways botmasters can turn a profit with malware, but this usually requires the botmaster to have a certain degree of control over it, even after it has infected and spread to millions of computers. Bots (short for robots), which botmasters herd into botnets, let them do just that. Botmasters leverage the fact that infected computers are typically connected to the Internet by programming bots to look for messages from their creators. The original botmaster simply posts a message in a pre-determined chat room or website, and all computers infected by the malware will receive and execute the command.

The Storm Worm was identified in January 2007, disguised as an email containing news about storms in Europe, with an attachment labeled as a film. Infected computers are incorporated into the Storm botnet, where they spread the worm along with spam. This botnet is still active, and has been used in distributed attacks around the world. The FBI is concerned that the Storm botnet is being used for identity theft, bank fraud, and other criminal activity.

Malware can generate profit by manipulating information: stealing it, misdirecting it, or flooding systems with it. Email spam is in part a result of the proliferation of botnets. Some types of botnets use the infected computers to send out spam emails in bulk. Some botnets launch distributed DoS attacks. Other botnets are designed to execute spyware, monitoring the user’s actions and uploading that information periodically to the creator.


Malware is constantly evolving. There is an ongoing race between botmasters and network security specialists, and there is also a cyclical nature to such threats. Due to the relatively short lifetime of malware, most security solutions defend only against recent attacks. Botmasters are known to have some success using older exploits by simply “re-packaging” those exploits. Figure 5 illustrates the evolution of malware exploits and solutions.

Figure 5 Evolution of Malware Exploits and Solutions

(Figure 5 is a cycle diagram with these labels: Start; Weakness discovered; Exploit designed; Exploit executed; Malware spreads; Solution designed; Solution fully implemented; Weakness neutralized; Network secured.)

A Brief History of Firewalls

For decades, the most basic and important component of any security implementation has been the firewall. Since its invention in the early 1980s, the firewall has been used to block unauthorized network access. As networking technology has advanced, so has the firewall technology protecting it, evolving from simple access controls based on IP lists to a multi-layered system capable of selectively enabling trusted zones while restricting network contagions, such as computer viruses.


With the creation of modern networking, which enabled Ethernet-based Local Area Networks (LANs), firewalls came under attack from a security threat that exploited this new medium: The Internet worm. To combat this new threat, firewalls implemented packet-based filters that processed network traffic at very low layers and compared each packet header to a set of rules defining rudimentary protection based on source and destination of a packet. When the first Internet browsers came on the scene, businesses were able to connect worldwide, and a new generation of firewall technology was needed to create a perimeter defense that validated each network packet against a table of authorized network sessions. Soon, firewalls were extended to inspect packet data and validate other security elements.
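The two firewall generations described above, side by side, as an added example (not code from the SonicWALL guide): a header-only packet filter next to one that validates inbound packets against a table of sessions opened from the inside. The internal address prefix, the rule set, and the sample packets are constructed for illustration.

```python
"""Stateless packet filter versus session-table (stateful) firewall.

Added example, not code from the SonicWALL guide. The internal prefix,
the rules and the sample traffic are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

INTERNAL_PREFIX = "10.0.0."  # constructed: addresses starting with this are on the LAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_filter(pkt: Packet) -> bool:
    """First-generation rules: each packet is judged on its own header fields.

    The only way a header-only filter can let replies to internal clients back
    in is to trust a header bit (here the TCP ACK flag), which it cannot verify.
    """
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return True                                   # outbound traffic allowed
    if pkt.proto == "tcp" and pkt.dport == 80:
        return True                                   # inbound to the published web server
    if pkt.proto == "tcp" and pkt.ack:
        return True                                   # "established": assumed to be a reply
    return False


SessionKey = Tuple[str, int, str, int, str]  # (src, sport, dst, dport, proto)


class StatefulFirewall:
    """Second-generation design: inbound packets must match an authorized session."""

    def __init__(self) -> None:
        self.sessions: Set[SessionKey] = set()

    def filter(self, pkt: Packet) -> bool:
        key: SessionKey = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
                self.sessions.add(key)                # client-initiated session recorded
            return True
        if pkt.proto == "tcp" and pkt.dport == 80:
            return True                               # explicitly published service
        reverse: SessionKey = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return reverse in self.sessions               # otherwise only replies to known sessions


def compare(packets: List[Packet]) -> List[Tuple[bool, bool]]:
    """Run the same packets through both designs; returns (stateless, stateful) verdicts."""
    fw = StatefulFirewall()
    return [(stateless_filter(p), fw.filter(p)) for p in packets]


# Constructed sample traffic (RFC 5737 documentation addresses for the outside hosts)
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "203.0.113.10", 51000, 443, syn=True),            # client opens HTTPS
    Packet("203.0.113.10", "10.0.0.5", 443, 51000, syn=True, ack=True),  # server's SYN/ACK reply
    Packet("198.51.100.7", "10.0.0.5", 443, 51000, ack=True),            # unsolicited ACK from elsewhere
    Packet("198.51.100.7", "10.0.0.9", 40000, 22, syn=True),             # unsolicited inbound SSH
    Packet("198.51.100.7", "10.0.0.80", 40001, 80, syn=True),            # inbound to the web server
]

if __name__ == "__main__":
    for pkt, (old, new) in zip(SAMPLE_PACKETS, compare(SAMPLE_PACKETS)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  stateless={old}  stateful={new}")
```

The third packet is the one that separates the two designs: the header-only filter passes it because the ACK bit is set, while the session table rejects it because no internal host ever opened that connection.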

As networking technologies such as VPNs and wireless technologies have allowed businesses to extend the corporate network and remove the dependence on a physical cable for Internet access, they have also created more strains on network security. While encrypted VPN has extended the usability of the network, the use of VPN opens up opportunities for botmasters and blended-front viruses to circumvent firewalls. In 2005, VPNs still contained exploitable security flaws; this is especially problematic because most VPN users believe the system to be impregnable, so they may be lax about using additional security measures. In addition, while VPN empowers users with secure remote network access, every new remote connection provides botmasters with another potential point of attack. Despite all of the advances in endpoint security technologies, the cumulative damage and productivity loss attributed to these new exploits has been devastating, equaling billions of dollars.

Blended Threats

Organizations today are struggling with viruses and malicious attacks that are incredibly complex and deployed with a multifaceted approach. These blended threats combine the malicious functionality of viruses, worms, Trojans, and other malware technology into an extremely elusive attack vehicle.

A blended threat delivers multiple attacks at once and uses more than one method to spread itself. For instance, a blended threat might compromise executable files, insert a Trojan Horse script into HTML code, change guest account privileges, and edit the Windows registry. To increase propagation, it might send itself in an email attachment to the user’s contacts, while also modifying company webpages with instructions to download itself onto customer computers. These threats often take advantage of typical vulnerabilities, such as default passwords, buffer overflows, or lack of HTTP input field validation to gain access to administrative privileges.

The Nimda, CodeRed, and Bugbear exploits are examples of blended threats. One of the most recent blended threats, Storm Worm, resides in a worldwide network of computers that have been exposed to the worm. Storm Worm carries out large scale attacks at the whim of its creators. Any attempts to track and stop the botnet (and most any other botnet for that matter) almost always end in disaster for the researchers attempting to find it as the worm actively defends itself, protecting its assets by launching retaliatory attacks, like DDoS attacks and others.


While most worms infect a computer silently and allow the user to carry out most tasks with no noticeable impact, other blended threats are not as kind to your system. Threats using “droppers,” such as the Zlob Dropper, will often aim to render a machine completely useless. These types of blended threats do such an efficient job of protecting themselves that most IT administrators elect to reformat the entire system if one is found, forcing the deletion of any local work along with the threat. Because these threats are nearly unstoppable once they reach a client system, most client-side anti-virus solutions are at a disadvantage. The most efficient way to protect against this new class of threats is to stop them at the gateway, before they have a chance to reach any type of susceptible client device. This situation, and ones like it, make solutions such as SonicWALL Gateway Anti-Virus absolutely essential in any network deployment.

Threats to Productivity

In addition to security threats from blended attacks, networks become slower and less effective when the traffic moving through them is not prioritized.

Many of these slowdowns are due to users engaged in non-productive activities, such as using Kazaa, peer-to-peer, instant messenger, and multimedia applications. These types of applications not only contribute to productivity losses and bandwidth consumption, they also create openings for security attacks on the internal network.

Another challenge for organizations is the increasing use of the Internet for business or personal purposes by internal users. The problems associated with lack of control over Internet use include loss of productivity, monopolized bandwidth, and legal liability through access to inappropriate or illegal content. Unregulated Internet access can also open the internal network to threats, such as spyware, malicious mobile code, key loggers, VoIP attacks, phishing, and contact with fraudulent websites. Access to information must be controlled on a per-user basis to maintain the integrity of the network.


Top Five Wireless Threats

One fundamental goal of any wireless network must be to ensure network security. SonicWALL believes that network administrators must demand the same level of security from a wireless network that they expect from a wired network. As long as the network is designed using sound security principles, implements modern security measures, and ensures that network users follow proper security practices, this level of security is easily attainable.

When assessing your wireless network options and choices, it is important to understand exactly what your network is up against. A variety of threats have evolved that take advantage of common wireless security deficiencies. This section discusses the top five wireless threats and provides insight on what can be done to combat them. Assessing which threat(s) you are most likely to encounter can help you identify your assets, understand the risks to your network security, and determine your secure wireless goals.

The following sections describe the top five threats that today’s wireless networks face:

• Rogue Access Points, page 15

• Man-in-the-Middle, page 17

• Denial of Service Attack, page 18

• Wireless Eavesdropping and Traffic Analysis, page 20

• Physical Security Deficiencies and Policies, page 21

Rogue Access Points

Rogue access points are a real danger in companies where trusted employees have physical access to the production network. The unauthorized wireless access point is one type of rogue access point that can be set up with no malicious intent, and in fact, possibly with the best of intentions. The access point would be simply plugged into the network LAN and set to open access. But without strong security configured, anyone with a laptop, PDA, or other wireless device can associate to the access point. With open access to the local network, there is no telling what damage could result. Outside attackers can steal bandwidth, destroy or steal confidential data, alter company websites, infect company servers with malicious files, or use the network to propagate attacks on others. Figure 6 illustrates a rogue access point scenario.


Figure 6 Rogue Access Point Scenario

Note: Another type of rogue access point is one that is set up with malicious intent right from the start. In this case, crackers attempt to take advantage of networks that are not configured to use both client-server and server-client authentication. An access point is made available that presents a login page similar to the real one expected by the user, and the attacker can then dupe the user into giving away their credentials.

Scenario – Your wireless network has an uncertain number of access points. While this may seem like a silly scenario to a network administrator, it is not uncommon for end users. Individuals, especially new employees or guest users, may not be aware of the wireless network’s infrastructure.

Vulnerability – It is difficult for users to determine which access point they should connect to, especially in a crowded wireless space. They typically choose the access point with the best signal strength.

Threat – Unauthorized access points can be mistaken for legitimate ones. Unsecured access points can be set up by employees without their administrator’s knowledge, introducing vulnerabilities into your wireless network.

Impact – Rogue access points can steal your network credentials without your knowledge. Unsecured access points are open doors to your network.
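The check an administrator would run against this scenario is a scan-versus-inventory comparison: every radio advertising the corporate SSID must be one you deployed, and any open access point you did not deploy needs a wired-side follow-up. The following is an added example, not code from the book or from SonicWALL; the BSSID inventory, the scan records and the helper names (classify, triage, needs_action, strongest_for_ssid) are constructed for illustration, and only the SSID ChinnCorp is taken from the chapter's figure. It also shows why the impersonator wins: a client that picks by signal strength, as the Vulnerability paragraph describes, would choose the rogue radio.

```python
"""Rogue access point triage over a constructed wireless scan.

Added example, not code from the book: it compares the access points a
scanner reports against an inventory of the BSSIDs the administrator actually
deployed and labels anything unexpected. The inventory, the scan records and
the helper names are all constructed; only the SSID 'ChinnCorp' comes from
the chapter's figure.
"""
from dataclasses import dataclass

CORPORATE_SSID = "ChinnCorp"

# Constructed inventory of deployed access points (BSSID -> location note).
AUTHORIZED_BSSIDS = {
    "00:11:22:aa:bb:01": "floor 1, east",
    "00:11:22:aa:bb:02": "floor 2, west",
}


@dataclass(frozen=True)
class ScanResult:
    ssid: str
    bssid: str
    channel: int
    security: str  # as reported by the scanner: "open", "wep", "wpa2", ...
    rssi: int      # received signal strength in dBm (closer to 0 is stronger)


def classify(ap: ScanResult) -> str:
    """Label one scanned AP from the defender's point of view."""
    bssid = ap.bssid.lower()
    if bssid in AUTHORIZED_BSSIDS:
        if ap.ssid != CORPORATE_SSID:
            return "authorized-radio-wrong-ssid"   # inventory drift or reconfiguration
        if ap.security == "open":
            return "authorized-but-open"          # deployed AP lost its encryption
        return "authorized"
    if ap.ssid == CORPORATE_SSID:
        # Our SSID from a radio we never deployed: the credential-harvesting
        # rogue AP described in the note above.
        return "impersonating"
    if ap.security == "open":
        # Unknown open AP: the well-meaning employee case, or a neighbour.
        # Needs a wired-side check (switch port, MAC table) to tell which.
        return "unknown-open"
    return "neighbor"


def triage(scan):
    """Map every scanned BSSID to its label."""
    return {ap.bssid.lower(): classify(ap) for ap in scan}


def needs_action(scan):
    """BSSIDs an administrator should investigate first, strongest signal first."""
    urgent = {"impersonating", "unknown-open", "authorized-but-open"}
    hits = [ap for ap in scan if classify(ap) in urgent]
    return [ap.bssid.lower() for ap in sorted(hits, key=lambda a: a.rssi, reverse=True)]


def strongest_for_ssid(scan, ssid):
    """The BSSID a client choosing purely by signal strength would pick."""
    candidates = [ap for ap in scan if ap.ssid == ssid]
    return max(candidates, key=lambda a: a.rssi).bssid.lower() if candidates else None


# Constructed scan: two deployed APs, an impersonator parked near the lobby,
# an open AP of unknown origin and an ordinary neighbouring network.
SAMPLE_SCAN = [
    ScanResult("ChinnCorp", "00:11:22:AA:BB:01", 1, "wpa2", -67),
    ScanResult("ChinnCorp", "00:11:22:AA:BB:02", 6, "wpa2", -72),
    ScanResult("ChinnCorp", "66:77:88:CC:DD:01", 1, "open", -41),
    ScanResult("linksys", "66:77:88:CC:DD:02", 11, "open", -58),
    ScanResult("CafeNet", "AA:BB:CC:00:00:99", 11, "wpa2", -80),
]

if __name__ == "__main__":
    for bssid, label in triage(SAMPLE_SCAN).items():
        print(f"{bssid}  {label}")
    print("investigate first:", needs_action(SAMPLE_SCAN))
    print("best signal for ChinnCorp:", strongest_for_ssid(SAMPLE_SCAN, "ChinnCorp"))
```

The inventory is the whole point: without a maintained list of deployed BSSIDs, a scan cannot distinguish the second ChinnCorp radio from the first. Unknown open APs are deliberately left as "investigate" rather than "rogue", because only a wired-side check tells an employee-installed AP on your LAN apart from a neighbour's.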

[Figure 6 labels: Corporate Network, Authentication Server / Database, Rogue AP, Login Harvesting Database, SSID: ChinnCorp (legitimate AP and rogue AP), client marked “?”]


Man-in-the-Middle

Man-in-the-Middle attacks are used by malicious entities to observe your wireless sessions and potentially edit the things you see. The attacker places his or her computer between the user and the access point, forcing all Internet traffic to pass through that system. The process involves using Domain Name System (DNS) spoofing to redirect the client host to the IP address of the attacker instead of the real server. The attacker then authenticates him or herself as the server to which the user was trying to connect. At the same time, the attacker creates a separate connection to the real server, and allows the traffic to flow between the victim and the server. The attacker has full access to the traffic, all without alerting the victim. The Man-in-the-Middle attack scenario is displayed in Figure 7.

Figure 7 Man-in-the-Middle Scenario

Scenario – A user connects to a wireless access point and uses that connection to browse the Internet, including sensitive materials. Most users do not question the security of the connection. Once connected, they may check their email, do bank transactions, or access private network resources without a second thought.

Vulnerability – The weakness in this scenario is that users place a large amount of trust in the access point to which they connect. If the access point is a simple Internet portal, the transactions occur just as they would within a secure network.

[Figure 7 labels: Internet, WAN, WLAN, Corporate LAN, Corporate Network, Authentication Server / Database, Man-in-the-Middle AP, Login and Data Harvesting, SSID: ChinnCorp (legitimate AP and attacker AP), client marked “?”]


Threat – In Man-in-the-Middle attacks, a malicious attacker impersonates an existing access point, waits for unsuspecting users to connect to it, and then forwards the traffic to the real access point. The attacker is able to read, modify, and insert messages between the user and the server without either party knowing that the link between them has been compromised.

Impact – This is a very dangerous situation because the user is unaware that the session is being monitored by an outsider. The attacker can further exploit this weakness by creating ‘evil-twin’ sites. Evil-twin sites are spoofed doppelgängers of legitimate sites, typically ones that require credentials for access, like bank portals. The evil-twin site eventually forwards the user to the real site, but only after collecting the user’s credentials.

Denial of Service Attack

A Denial of Service (DoS) attack involves preventing computer resources from being available to legitimate users. The denied resources could include network bandwidth, disk space, CPU cycles, website access, or services provided by a site or server. Typically, a DoS attack takes the form of flooding a network or server with bogus requests or other traffic to keep it too busy to handle anything else. Figure 8 illustrates a DoS scenario.

Figure 8 Denial of Service Scenario

[Figure 8 labels: Single Valid Association Request, Many Bogus Association Requests (assoc, repeated), Authentication Server / Database, Corporate Network]


Wireless networks are just as vulnerable as wired networks to this type of attack, and are also affected by variations that are specific to wireless. Four common types of DoS attacks on wireless networks are:

• Management frame flood attack – The attacker floods the wireless access points with bogus requests, overloading the system and making it virtually impossible for the server to differentiate a real request from a fake request.

• Broadcasting deauthentication attack – The attacker sends out a flood of forged deauthentication frames that disconnect users from their access points.

• Unassociated station attack – The attacker sets up a bogus wireless station that picks up authentication requests before they reach an access point.

• Extensible Authentication Protocol over LAN (EAPOL) packet flood attack – The attacker sends out EAPOL packets that disable WPA and WPA2 servers by sending out a flood of information to the access points, resulting in a network overload.
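The first two attacks in the list share a detectable signature: an abnormal rate of one management-frame subtype inside a short window. The following is an added example, not code from the book or from SonicWALL, of the detection logic a wireless IDS sensor applies to a frame log; the log format, the thresholds and the helper names (parse, flood_key, detect_floods) are constructed for illustration. It also handles a caveat the list glosses over: forged deauthentication frames claim the access point as their sender, whereas bogus association requests arrive from many made-up client addresses, so the two subtypes have to be counted against different keys.

```python
"""Management-frame flood detection over a constructed 802.11 frame log.

Added example, not code from the book: it counts deauthentication frames and
association requests inside a one-second sliding window and raises one alert
per offender when a threshold is crossed. The log format below is constructed
to look like a wireless IDS sensor export; the thresholds are illustrative.
Fields per line: 'timestamp src_mac dst_mac subtype'.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0
THRESHOLDS = {"deauth": 10, "assoc_req": 20}   # frames per window, constructed values


def parse(line):
    ts, src, dst, subtype = line.split()
    return float(ts), src.lower(), dst.lower(), subtype


def flood_key(src, dst, subtype):
    """Pick what to count per subtype.

    A forged broadcast deauthentication claims the AP as its sender, so the
    claimed source address is the natural key. Bogus association requests
    usually arrive from many spoofed client addresses, so counting per sender
    would never trip; those are keyed on the AP being targeted instead.
    """
    return (src, subtype) if subtype == "deauth" else (dst, subtype)


def detect_floods(lines):
    """Return [(timestamp, address, subtype, count_in_window)] alerts."""
    windows = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        ts, src, dst, subtype = parse(line)
        if subtype not in THRESHOLDS:
            continue
        key = flood_key(src, dst, subtype)
        window = windows[key]
        window.append(ts)
        while ts - window[0] > WINDOW_SECONDS:   # drop frames older than the window
            window.popleft()
        if len(window) >= THRESHOLDS[subtype] and key not in alerted:
            alerted.add(key)   # one alert per offender, not one per frame
            alerts.append((ts, key[0], subtype, len(window)))
    return alerts


AP = "00:11:22:aa:bb:01"
CLIENT = "02:aa:bb:cc:dd:ee"
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed log: one normal association, one legitimate deauth, then a burst
# of twelve forged broadcast deauths claiming to come from the AP, followed by
# 25 association requests from made-up client addresses aimed at the AP.
SAMPLE_LOG = [
    f"0.00 {CLIENT} {AP} assoc_req",
    f"0.05 {AP} {CLIENT} assoc_resp",
    f"0.50 {CLIENT} {AP} data",
    f"0.90 {AP} {CLIENT} deauth",
]
SAMPLE_LOG += [f"{1.0 + i / 100:.2f} {AP} {BROADCAST} deauth" for i in range(12)]
SAMPLE_LOG += [f"{2.0 + i / 100:.2f} 02:00:00:00:00:{i:02x} {AP} assoc_req" for i in range(25)]

if __name__ == "__main__":
    for ts, addr, subtype, count in detect_floods(SAMPLE_LOG):
        print(f"t={ts:.2f}s  {subtype} flood: {count} frames per {WINDOW_SECONDS:.0f}s keyed on {addr}")
```

On the constructed log the deauth alert fires on the ninth forged frame (the legitimate deauth at 0.90 s is still inside the window) and the association alert fires on the twentieth bogus request. The single legitimate deauthentication never trips the detector, which is the reason for counting over a window rather than alerting on every deauth frame.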

Wireless networks are also susceptible to DoS attacks that target the radio frequency waves required for wireless communication. The attacker simply needs a radio transmitter with a high-frequency antenna (or a whole bunch of microwave ovens!). This is based on the same principle as the cell phone jammer—the intent to inhibit wireless communications.

Scenario – You use multiple access points to extend your wireless network. To reduce the cost of installation, you deploy your access points in a wireless bridge, meaning that some of your access points do not have a physical connection to your LAN.

Vulnerability – You rely on the proper communication between the access points at critical links in your network.

Threat – A DoS attack can easily block the traffic between access points, either by overloading a specific access point with requests, or by drowning out the other access points with radio noise.

Impact – DoS attacks can have a severe impact to your network, temporarily shutting down one or more access points. If these are critical access points, the attack can potentially take down a whole section of your wireless network. Specialized DoS attacks that target access points can be mitigated through smart access point management, but very little can be done to counteract jamming types of attacks.


Wireless Eavesdropping and Traffic Analysis

Eavesdropping and traffic analysis is a more passive approach that involves listening, capturing, and analyzing wireless traffic. Wireless networks communicate using radio waves, which are not stopped by conventional walls. All it takes is a good antenna for a client unit to connect to a wireless network from a greater than normal distance. Wireless eavesdropping consists of doing just that: staying outside the wireless network’s conventional limits, and capturing wireless traffic through the use of a powerful antenna. This makes encrypting your wireless traffic crucial because there is no way to stop others from intercepting it.

Digital files cannot be made uncopyable, any more than water can be made not wet.5

5. Schneier, Bruce

A scenario of Wireless Eavesdropping is illustrated in Figure 9.

Figure 9 Wireless Eavesdropping Scenario

The goal of traffic analysis is to break the encryption around the wireless traffic and be able to read all traffic being transmitted between access points and users. In the worst-case scenario, that is, if traffic is unencrypted, anyone can see everything you are sending and receiving. Even a casual attacker could eavesdrop on your network with minimal resources.

[Figure 9 labels: Valid User, Wireless Eavesdropper, Wireless Data Collection (SYN, SSID, WEP KEY, MAC), Corporate Network, Authentication Server / Database]


Scenario – You are connected to a paid wireless access point that offers an authentication procedure, but no encryption. You pay for access with a credit card and the access point gives you access to the Internet using your MAC address as an identity.

Vulnerability – None of your wireless traffic is encrypted (except for the SSL credit card transaction). Even if your traffic is later secured with a VPN tunnel, information such as your MAC address and the Service Set Identifier (SSID) of the access point you are connected to is available to wireless eavesdroppers.

Threat – Your MAC address and access point association information can easily be taken hostage by an eavesdropper who wishes to use your connection.

Impact – Once a botmaster has these small bits of information, he or she can easily assume your computer’s identity with a spoofed MAC address, taking your place and kicking you off of the wireless network that you had paid to use. Ouch!
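The hotspot operator in this scenario is not helpless: a second radio using a paying customer's MAC address leaves a trace, because every 802.11 station keeps its own 12-bit sequence counter, so one address suddenly carries two interleaved counters that jump back and forth, and the two radios usually differ in received signal strength as well. The following is an added example, not code from the book or from SonicWALL, of that per-address sequence-number check over a constructed capture; the frame record format, the thresholds and the helper names (parse, seq_gap, analyse, suspected_spoofs) are constructed for illustration.

```python
"""Spotting a spoofed client MAC through 802.11 sequence-number discontinuities.

Added example, not code from the book: a hotspot operator who authorises
clients by MAC address can look for two radios sharing one address. Each
802.11 station keeps its own 12-bit sequence counter, so an intruder copying a
victim's MAC produces a second, interleaved counter and the per-address
sequence number jumps back and forth. A large spread in received signal
strength for the same address corroborates it. The frame records below are
constructed; fields are 'timestamp src_mac seq_number rssi_dbm'.
"""
from collections import defaultdict

SEQ_MODULUS = 4096      # 802.11 sequence numbers are 12 bits
MAX_NORMAL_GAP = 64     # forward jumps above this are treated as a discontinuity
MIN_ANOMALIES = 3       # a single jump can be a sensor dropout; insist on repeats
RSSI_SPREAD_DBM = 12    # constructed corroboration threshold


def parse(line):
    ts, mac, seq, rssi = line.split()
    return float(ts), mac.lower(), int(seq), int(rssi)


def seq_gap(previous, current):
    """Forward distance between two sequence numbers, modulo the counter size.

    Retransmissions give 0, normal traffic gives small values, and a second
    station with the same address gives large values in both directions.
    """
    return (current - previous) % SEQ_MODULUS


def analyse(lines):
    """Per-MAC discontinuity count and RSSI spread."""
    last_seq = {}
    anomalies = defaultdict(int)
    rssi_min = {}
    rssi_max = {}
    for line in lines:
        _, mac, seq, rssi = parse(line)
        if mac in last_seq and seq_gap(last_seq[mac], seq) > MAX_NORMAL_GAP:
            anomalies[mac] += 1
        last_seq[mac] = seq
        rssi_min[mac] = min(rssi, rssi_min.get(mac, rssi))
        rssi_max[mac] = max(rssi, rssi_max.get(mac, rssi))
    return {
        mac: {"seq_anomalies": anomalies[mac], "rssi_spread": rssi_max[mac] - rssi_min[mac]}
        for mac in last_seq
    }


def suspected_spoofs(lines):
    """MACs whose sequence stream shows repeated discontinuities; the flag
    'rssi_corroborates' says whether the signal spread backs it up."""
    report = analyse(lines)
    return {
        mac: {**stats, "rssi_corroborates": stats["rssi_spread"] >= RSSI_SPREAD_DBM}
        for mac, stats in report.items()
        if stats["seq_anomalies"] >= MIN_ANOMALIES
    }


VICTIM = "02:aa:bb:cc:dd:ee"
OTHER = "02:11:22:33:44:55"

# Constructed capture: the paying user's frames (seq 1000+, about -55 dBm) are
# interleaved with frames from a second radio using the same address
# (seq 200+, about -70 dBm). A second, untouched client shows normal small gaps
# including one missed frame.
SAMPLE_FRAMES = []
for i in range(10):
    SAMPLE_FRAMES.append(f"{i * 0.2:.1f} {VICTIM} {1000 + i} -55")
    SAMPLE_FRAMES.append(f"{i * 0.2 + 0.1:.1f} {VICTIM} {200 + i} -70")
SAMPLE_FRAMES += [f"{3.0 + i * 0.1:.1f} {OTHER} {40 + i} -60" for i in (0, 1, 2, 4, 5)]

if __name__ == "__main__":
    for mac, stats in suspected_spoofs(SAMPLE_FRAMES).items():
        print(mac, stats)
```

The gap threshold tolerates frames the sensor missed (the untouched client's skipped sequence number is not flagged) and the minimum anomaly count keeps a single dropout from raising an alert; only an address whose counter keeps jumping is reported. The check is evidence, not proof, which is why the signal-strength spread is reported alongside it rather than folded into one score.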

Physical Security Deficiencies and Policies

Of all the wireless security threats, physical security deficiencies are one of the most likely to catch network administrators off guard. Physical threats are often left out of the equation while most energy goes into implementing the latest technology, leaving wireless networks susceptible to intrusion with methods like device theft and physical eavesdropping. An example of this is illustrated in Figure 10.

Figure 10 Physical Security Deficiency Scenario

[Figure 10 labels: User, User’s Laptop, Cracker or Information Pirate, Coffee Shop Free Wireless Network, Bathroom, Internet, “Arrrgh!!!”]


As wireless devices become smaller and more ubiquitous, it becomes more difficult to keep track of whether or not your company’s wireless equipment has fallen into the wrong hands. Administrators often make the mistake of assuming that stolen equipment is used only for the purpose of profiting from the equipment itself. While this is certainly one of the goals of device theft, there is a wealth of information on today’s wireless-capable devices that can be used to compromise an otherwise secure network. Passwords, keys, and wireless configuration information can abound on client devices if not properly regulated.

Scenario – Employees take critical data with them outside the office on their laptops. They work in various environments: at home, in coffee shops, or airports.

Vulnerability – You must rely on the employees to keep their stored data and passwords physically safe when not in the office.

Threat – A laptop is easily stolen. The first impact is the loss of the physical hardware, but the information stored in the laptop can be more valuable still. Even without stealing the laptop, information about the employee can be stolen by so-called physical eavesdroppers, or “shoulder surfers.”

Impact – Endpoint units can be easily compromised. It takes only a moment to copy the MAC address of an unattended laptop. Someone can look over your shoulder to steal your credentials.

Chapter Knowledge Check

The following sections review the information covered in this chapter:

• Summary, page 22

• Solutions Fast Track, page 23

• FAQ, page 23

Summary

Wireless technology had its first practical application in the spread spectrum technology developed by the military in World War II. Modern wireless network communication essentially began in 1997 with the original 802.11 standard. In 1999, WEP was introduced as the first attempt at a secure algorithm for wireless networks. But by 2001, serious security flaws were found in WEP. WPA was introduced in 2003 as a stop-gap measure that superseded WEP, and was quickly followed by WPA2 in 2004, which fully implemented the 802.11i standard. Other wireless standards have been introduced for wireless bridging, Quality of Service, vehicular use, microwave access, and cellular access.

Malware is an umbrella term for all forms of malicious software—viruses, worms, botnets, and other threats. Malware began as malicious pranks by botmasters, but modern day malware is a much more serious criminal threat to both wired and wireless networks.


Wireless networks are also susceptible to specialized threats that compromise access points, jam radio frequencies, and take advantage of the physical mobility of wireless devices.

Although wireless security threats have multiplied with the phenomenal increase in Internet usage, network administrators must demand the same level of security from a wireless network that they expect from a wired network. The WPA2 standard has eliminated any excuse for accepting inherent vulnerabilities in wireless networks.

Solutions Fast Track

• Wireless technology began its modern phase in 1997 with the original 802.11 IEEE standard.

• WPA2 and 802.11i are today’s standards. While 802.11i is still evolving, WPA2 has proven to be fully secure when used with either strong passwords or an external authentication server using EAP.

• Wireless standards now exist for wireless bridging, Quality of Service, vehicular use, microwave access, and cellular access.

• Growth in Internet usage has led to the proliferation of threats to both wired and wireless networks.

• The widespread implementation of the WPA2 standard allows network administrators to secure wireless networks without the need for network administrators to distribute client software to all network users.

• Malware has evolved from the pranks of 1980s-era computer viruses into sophisticated tools of organized crime that cause billions of dollars in damage every year.

• Since malware is constantly evolving, it is critical that you maintain current security signatures and regularly re-evaluate your network security policies to ensure they are still relevant.

• Five of the most common threats to wireless networks are rogue access points, Man-in-the-Middle attacks, DoS attacks, wireless eavesdropping and traffic analysis, and physical security deficiencies and policies.

FAQ

Q: What’s the difference between the IEEE and the Wi-Fi alliance?

A: The Institute of Electrical and Electronics Engineers (IEEE) and the Wi-Fi alliance are two organizations responsible for wireless standards. The IEEE created the 802.11x standards while the Wi-Fi alliance created the WEP/WPA/WPA2 standards. These standards are parallel to each other, just created by different bodies.


Q: What’s the difference between WPA and WPA2?

A: WPA2 is the equivalent of IEEE 802.11i, whereas WPA has no IEEE equivalent. WPA can also use AES, but usually uses TKIP/RC4. And although the RC4 cipher is also used by WEP, WPA uses it in a different way that resolves WEP’s weaknesses. WPA2 also offers roaming enhancements for users moving between access points through Pairwise Master Key (PMK) caching.

Q: What’s the difference between Man-in-the-Middle attacks and eavesdropping attacks?

A: Man-in-the-Middle attacks involve the user unknowingly associating to an access point controlled by a botmaster. The botmaster then forwards all the traffic through to a real access point and then to the Internet. From the user’s point of view, they have connected to a trusted access point and are using a safe connection to the Internet. The vulnerability is that the botmaster can monitor everything the user does online.

Eavesdropping attacks involve the botmaster passively listening to the user’s wireless communication. The goal of eavesdropping attacks is typically to acquire the user’s credentials as they are broadcasted to the access point when the user authenticates.

Q: Why must firewalls be continuously updated with newer malware protection?

A: Malware attacks are always changing to bypass firewall security. Firewalls that rely heavily on malware signature recognition to block viruses are most effective right after they have downloaded signature updates. The older the signature database, the weaker the protection.

Q: How do botmasters appropriate the resources to attack whole businesses?

A: Botmasters have been known to launch massive DoS attacks on businesses to crash their servers, either for fame or for extortion. The botmaster does not need large amounts of resources to launch such attacks; instead, the botmaster typically uses a wide array of coordinated botnets.

Because of the wide availability of botnets, it is often the case that everyday computer users are now behind DoS attacks. A home user who dislikes his neighbor can literally rent out botnet resources to take his neighbor’s Internet connection down with relative ease.

The botnets are seeded across the Internet using customized worms that carry the attacker bot malware. The bots then wait quietly for a signal that the botmaster can launch at any time. Once the bots see the signal, which can include the specific target information, all the bots will try to connect to the targeted server. This scenario becomes more and more dangerous as the number of unprotected Internet users grows. Every unprotected computer on the Web is a potential resource to a savvy botmaster.
