Underground Networks - ca.ingrammicro.com
© 2013 The Technology Firm WWW.THETECHFIRM.COM Tony Fortunato Sr Network Performance Specialist The Technology Firm Underground Networks


A Bit About Me – Tony Fortunato

Teaching Wireshark classes since 2000 and with Wireshark University since its inception in 2007.

Started career designing, implementing and troubleshooting financial networks in 1989 such as trading floors and banks. Have been working with outdoor wireless for the past 10 years; 900 MHz, 2.4 and 5 GHz.

Use commercial and open source tools for troubleshooting and customer knowledge transfer or mentoring services.

Provide onsite customized training, mentoring, design, troubleshooting and training services.

Certified Fluke Network Instructor and Consultant. Certified Wireshark University Instructor.

I do not sell or resell any of the products I use or mention.


Perception Versus Reality

Perception: Things are locked up tight.

You think your security and IT policies result in an air-tight, secure environment that protects the corporation.

Reality: No system is bullet-proof.

The effectiveness of any system relies on knowing and monitoring where your holes or possible exposures lie.


Levels Of Network/Security Issues

Client: Your users create a network or security exposure in an attempt to solve their network access requirements.

IT Department: Your IT staff installs a ‘temporary’ network or solution that becomes permanent or causes temporary exposure since it doesn’t conform to current security practices or policies.

Unfortunately technology has made it easier to build wireless networks.


EDUCATION

There is NO substitute for educating your clients/users.

A corporate policy, document or general information should be available to inform users about security and general internet safety.

When people understand the existing policies in place, they are more apt to comply and educate their co-workers.

The consequences need to be clearly explained and defined as well.


Security needs to be a part of the corporate culture.

Policies should be concise and specific, detailing what users can and can’t do.

An example of a Wireless security policy can be found at SANS.org or specifically: http://www.sans.org/security-resources/policies/wireless.php


Bring Your Own Device (BYOD)

With the proliferation of tablets, ebook readers, smartphones, netbooks and laptops, more companies are being asked to allow employees to bring their own devices into the office.

I suggest you treat this situation the same way in which you would treat an employee bringing a guest in.

For example:
Would you allow an employee’s guest to connect to the corporate wired network?
Would you give a guest your building pass to roam around with?

Create WiFi or wired guest networks that are separate from your corporate network.

Be careful of laptops that are wired to the corporate network and connected by WiFi to the BYOD network.


Client and Remote Network Access

Many corporations have remote access solutions for their staff.

Technology today has unfortunately made it easier for users to circumvent security policies.

TeamViewer, GoToMyPC, VNC and LogMeIn provide users remote access to their work computers and, in turn, the corporate network.

Hamachi can create a VPN network connection to a computer which can act as a gateway to the corporate network directly.

Either ensure that users cannot access these sites, block these specific port numbers, or limit what clients can install on their computers.


Cellular ‘Sticks’

These USB or Bluetooth adapters connect devices directly to the internet.

This is another complicated situation, since the computer might be the property of the corporation, but the stick might not be.

Secondly, the computer may access the internet via the stick while connected to the corporate network.

PC global policies and third party software can be used to control this.


Physical Rogue Access Points

Scenario: A client wants to have wireless coverage in a meeting room or use their personal tablet at work, so they simply connect an Access Point to their network drop.

Unfortunately, if you do not have an official wireless deployment, you are more susceptible to this going unnoticed since you won’t be monitoring for Rogue Access Points.

Switch ‘Port Security’, Cisco Network Access/Cisco TrustSec, 802.1x, WiFi scanners, NetStumbler, AirMagnet Enterprise, Fluke Networks AirCheck, AirWave or WiFi IDS can help, as well as vendors’ Rogue AP detection settings.

Cisco’s port security with the ‘mac-address sticky’ option and a maximum of 1 is a good start as well.

Example of travel AP: USB powered, extremely small, and easily mistaken for a USB hard drive sitting on your desk.

This one can easily pass for a USB phone charger.

The switch on the top has the following options: Router/AP, Repeater, WiFi Hotspot.


Fluke Networks AirCheck

Hidden AP

AirMagnet WiFi Analyzer

It is important to find a tool that will alert you when a rogue appears.


INSSIDER


Now To Check Manually

From MS cmd line:

C:\>netsh wlan show networks mode=bssid

Interface name : Wireless Network Connection
There are 4 networks currently visible.

SSID 1 : tomwep
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : WEP
    BSSID 1                 : 00:1a:e3:03:6d:60
         Signal             : 100%
         Radio type         : 802.11g
         Channel            : 10
         Basic rates (Mbps) : 1 2 5.5 11
         Other rates (Mbps) : 6 9 12 18 24 36 48 54

SSID 2 : 24ghzs
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 00:1a:a2:dd:7f:90
         Signal             : 81%
         Radio type         : 802.11g
         Channel            : 1
         Basic rates (Mbps) : 1
         Other rates (Mbps) : 2 5.5 6 9 11 12 18 24 36 48 54

C:\>netsh wlan show networks | find "SSID"
SSID 1 : tomwep
SSID 2 : 24ghzs
SSID 3 : waters
SSID 4 : 24ghz
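To turn the manual netsh check into a repeatable rogue AP audit, the following added example (not part of the original slides) parses the `mode=bssid` output and flags any BSSID that is not on an approved list or that uses weak or no encryption. The allowlist is a hypothetical assumption; the sample text is the two networks from the capture above with some lines trimmed.

```python
# The two networks from the capture above (some lines trimmed).
SAMPLE = """\
SSID 1 : tomwep
    Authentication          : Open
    Encryption              : WEP
    BSSID 1                 : 00:1a:e3:03:6d:60
         Signal             : 100%
SSID 2 : 24ghzs
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 00:1a:a2:dd:7f:90
         Signal             : 81%
"""
# Assumption: hypothetical allowlist of BSSIDs that IT actually deployed.
APPROVED_BSSIDS = {"00:1a:a2:dd:7f:90"}
WEAK_ENCRYPTION = {"None", "WEP"}

def parse_netsh(text):
    """Return one record per BSSID, carrying its parent SSID's settings."""
    records, ssid = [], {}
    for line in text.splitlines():
        # Split on the first colon only, so the MAC address stays intact.
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key.startswith("SSID"):
            ssid = {"ssid": value or "<hidden>"}
        elif key in ("Authentication", "Encryption"):
            ssid[key.lower()] = value
        elif key.startswith("BSSID"):
            records.append(dict(ssid, bssid=value.lower(), signal=None))
        elif key == "Signal" and records:
            records[-1]["signal"] = value
    return records

def audit(records, approved=APPROVED_BSSIDS):
    """Flag BSSIDs that are not approved or that use weak or no encryption."""
    findings = []
    for r in records:
        reasons = []
        if r["bssid"] not in approved:
            reasons.append("not an approved BSSID")
        if r.get("encryption") in WEAK_ENCRYPTION:
            reasons.append("weak encryption: " + r["encryption"])
        if reasons:
            findings.append((r["ssid"], r["bssid"], reasons))
    return findings

if __name__ == "__main__":
    for ssid, bssid, reasons in audit(parse_netsh(SAMPLE)):
        print(f"{ssid} ({bssid}): {'; '.join(reasons)}")
```

An unapproved BSSID only means the radio can hear it; a neighbour's AP looks the same as a rogue one, so use the signal strength to decide which ones to walk down.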


Software Rogue Access Points

There are applications that users can install on their computer to ‘share’ their network connection.

This is becoming more common for tablet users who want to use their tablets at work.

Examples: Connectify and Intel MyFi.

Proper software installation protocols must be in place to prevent or limit what applications can be installed.


Connectify features


Portable Software Based Access Point

http://virtualroutersimplicity.codeplex.com/

Virtual Router Simplicity is a simple and stable virtual router software. It requires zero configuration to create a virtual WiFi spot.

Portable application


Smartphone Hotspots

Today’s cell phone can be configured as a hotspot, so other WiFi devices can get internet access and basically use the phone as a WiFi to Cell modem.

This creates a new challenge, since a laptop connected to the corporate wired network might also have a WiFi connection to the internet.

Monitoring for Rogue APs and limiting which WiFi networks users can connect to would help.


Smartphone Hotspots & Tethering

Android Hotspot

Apple Hotspot

Other Issues

You also have to think of various scenarios, for example what happens if someone claims they got a virus while on your network?

Create WiFi or wired guest networks that are separate from your corporate network.

Guest networks should have their content filtered, and users should get a notification when they connect.

Be careful of laptops that are wired to the corporate network and connected by WiFi to the BYOD network.


Accessing Non Corporate WiFi

Employees might access nearby non-corporate WiFi networks.

This is a big concern, since the computer is probably wired into the corporate network while simultaneously accessing the Internet via WiFi.

PC policies or products like Wireless Autoswitch or BridgeChecker will disable wireless when a hard wired connection is active.


Tethering

Smartphones allow ‘tethering’ where you use the phone as a modem to access the internet.

This one is challenging since the phone might be the employee’s, but the computer might be the corporation’s.

PC configuration changes and promoting corporate policies can help.


Virtual Machines

Virtual machine applications like Vbox, VMware and Virtual PC can be used to create a virtual PC that doesn’t conform to your current PC security or configuration policies.

Current software installation policies can be used to block unauthorized applications such as this.


Live CD & Live USB

A Live CD or USB is a complete bootable computer operating system which runs in memory.

When you boot from a Live CD/USB, the computer is not bound by any of the current login mechanisms that are in place.

Configuring computers to boot only from the hard drive and password protecting BIOS settings helps prevent this.

Another example where user education can help prevent this.


Live CD & Live USB Examples

http://livecdlist.com/
http://en.wikipedia.org/wiki/Live_USB

Backtrack

Powerline

This technology allows you to send an Ethernet signal through your power/wiring.

Used when a temporary network is created and no wired network connections are available and wireless is not an option.

Powerline networks should be treated the same as a wireless network and configured with authentication and encryption if used in production.


Powerline Example With Integrated AP


Using Anonymous Proxies

There are online sites, browser add-ons and separate applications that clients can use to visit websites which may be blocked by your current policy or system.

Examples of these sites/applications are: Zend2, Hotspot Shield, Proxify.

These online sites should be added to your blocked sites. Current software management practices should prevent this.


Name Resolution Services

These services provide name resolution so people can access their home network when they don’t have a statically assigned IP address.

Examples of these sites/applications are: TZO, DYNDNS, no-ip.

These sites should be added to your list of blocked sites.


Special Projects or Temporary Networks

I sarcastically comment that temporary networks result in 2 things:
They eventually become permanent or forgotten.
They may be installed without the same measures and policies as the rest of the organization.

Temporary or project networks should have a definite ‘expiry’ or decommission date.

If a project network requires internet access different from the corporate users, or is accessed by external staff, it should be set up as a separate network.


Vigilance

IT staff must be constantly testing new products and applications to ensure that the ‘low hanging fruit’ of technology isn’t deployed by unauthorized staff.
For example: When a new remote application is available, staff should ensure that their current network isn’t vulnerable.

Time must be dedicated to inform users what they can and can’t do.
For example: Make it clear that remote access to your computer is forbidden.

Correspondence to employees identifying current security issues should be in place.
For example: Current viruses, malware, phishing scams, etc.


Other Tips

Some Access Points/Routers will decrease the IP TTL by one.

If you capture packets and know what the IP TTL is supposed to be, and it’s one lower, you might suspect an AP is forwarding the packets.

The AP MAC address may be in the source or destination MAC address in the packet as well.
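The TTL tip can be checked across a whole capture. This added example (not part of the original slides) reads tab-separated rows in the layout produced by `tshark -T fields -e eth.src -e ip.src -e ip.ttl` and reports source MACs that send packets from a local-subnet address with a TTL one below a common initial value. The sample rows, the 10.1.1.0/24 subnet and the function name are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rows (source MAC, source IP, IP TTL), in the layout of
#   tshark -r capture.pcap -T fields -e eth.src -e ip.src -e ip.ttl
# Addresses are made up for illustration.
SAMPLE = """\
00:11:22:33:44:55\t10.1.1.20\t128
00:aa:bb:cc:dd:ee\t10.1.1.37\t127
00:aa:bb:cc:dd:ee\t10.1.1.37\t63
00:aa:bb:cc:dd:ee\t10.1.1.37\t127
00:66:77:88:99:00\t203.0.113.9\t63
00:66:77:88:99:00\t10.1.1.1\t255
"""
COMMON_INITIAL_TTLS = {64, 128, 255}  # usual operating system defaults

def suspect_forwarders(capture_text, local_subnet):
    """Map source MAC -> {(source IP, TTL): packet count} for local-subnet
    sources whose TTL is exactly one below a common initial TTL."""
    net = ipaddress.ip_network(local_subnet)
    hits = defaultdict(lambda: defaultdict(int))
    for line in capture_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # non-IP frame, tunnelled packet or malformed row
        mac, src, ttl = parts[0], parts[1], int(parts[2])
        # A host on our own segment is zero hops away, so its TTL should
        # still be the initial value; off-subnet sources are routed anyway.
        if ipaddress.ip_address(src) in net and ttl + 1 in COMMON_INITIAL_TTLS:
            hits[mac][(src, ttl)] += 1
    return {mac: dict(seen) for mac, seen in hits.items()}

if __name__ == "__main__":
    for mac, seen in suspect_forwarders(SAMPLE, "10.1.1.0/24").items():
        print(mac, seen)
```

Only devices that route or NAT decrement the TTL, so an AP that bridges will not show up here; one address showing both 127 and 63 suggests several different devices behind it.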


Thanks for attending

Tony Fortunato, Sr Network Performance Specialist The Technology Firm

www.thetechfirm.com