Transcript of Underground Networks (ca.ingrammicro.com)
© 2013 The Technology Firm WWW.THETECHFIRM.COM
Tony Fortunato Sr Network Performance Specialist
The Technology Firm
Underground Networks
A Bit About Me – Tony Fortunato
Teaching Wireshark classes since 2000 and with Wireshark University since its inception in 2007.
Started career designing, implementing and troubleshooting financial networks in 1989, such as trading floors and banks. Have been working with outdoor wireless for the past 10 years: 900 MHz, 2.4 and 5 GHz.
Use commercial and open source tools for troubleshooting and customer knowledge transfer or mentoring services.
Provide onsite customized training, mentoring, design, troubleshooting and training services.
Certified Fluke Network Instructor and Consultant. Certified Wireshark University Instructor.
I do not sell, or resell any of the products I use or mention.
Perception Versus Reality
Perception: Things are locked up tight.
You think your security and IT policies result in an air-tight, secure environment that protects the corporation.
Perception Versus Reality
Reality: No system is bullet-proof.
The effectiveness of any system relies on knowing and monitoring where your holes or possible exposures lie.
Levels Of Network/Security Issues
Client: Your users create a network or security exposure in an attempt to solve their network access requirements.
IT Department: Your IT staff installs a ‘temporary’ network or solution that becomes permanent or causes temporary exposure since it doesn’t conform to current security practices or policies.
Unfortunately technology has made it easier to build wireless networks.
EDUCATION
There is NO substitute for educating your clients/users.
A corporate policy, document or general information should be available to inform users about security and general internet safety.
When people understand the existing policies in place, they are more apt to comply and educate their co-workers.
The consequences need to be clearly explained and defined as well.
EDUCATION
Security needs to be a part of the corporate culture.
Policies should be concise and specific detailing what users can and can’t do.
An example of a Wireless security policy can be found at SANS.org or specifically: http://www.sans.org/security-resources/policies/wireless.php
Bring Your Own Device (BYOD)
With the proliferation of tablets, ebook readers, smartphones, netbooks and laptops, more companies are being asked to allow employees to bring their own devices into the office.
I suggest you treat this situation the same way in which you would treat an employee bringing a guest in.
For example: Would you allow an employee’s guest to connect to the corporate wired network? Would you give a guest your building pass to roam around with?
Create separate Wifi or Wired guest networks from your corporate network.
Be careful of laptops wired to the corporate network and Wifi to the BYOD network.
Client and Remote Network Access
Many corporations have remote access solutions for their staff.
Technology today has unfortunately made it easier for users to circumvent security policies.
Teamviewer, Gotomypc, VNC and Logmein provide users remote access to their work computers and, in turn, the corporate network.
Hamachi can create a VPN network connection to a computer which can act as a gateway to the corporate network directly.
Ensure that users cannot access these sites, block the specific port numbers these tools use, or limit what clients can install on their computers.
Cellular ‘Sticks’
These USB or Bluetooth adapters connect devices directly to the internet.
This is another complicated situation, since the computer might be the property of the corporation, but not the stick.
Secondly, the computer may access the internet via the stick while connected to the corporate network.
PC global policies and third party software can be used to control this.
Physical Rogue Access Points
Scenario: A client wants to have wireless coverage in a meeting room or use their personal tablet at work, so they simply connect an Access Point to their network drop.
Unfortunately if you do not have an official wireless deployment, you are more susceptible to this going unnoticed since you won’t be monitoring for Rogue Access Points.
Switch ‘Port Security’, Cisco Network Access/Cisco TrustSec, 802.1x, WiFi scanners, Netstumbler, AirMagnet Enterprise, Fluke Network AirCheck, Airwave or WiFi IDS can help, as well as vendors’ rogue AP detection settings.
Cisco’s Port Security with the ‘mac-address sticky’ option and a maximum of 1 is a good start as well.
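One way to keep that port-security baseline honest is to audit the switch configuration for access ports that lack it. The following script is an added example, not part of the slides or any vendor tool: it parses a constructed `show running-config` excerpt from a hypothetical switch and reports every access port missing `switchport port-security`, `maximum 1`, or `mac-address sticky`. Trunk ports are skipped because the recommendation targets user-facing access ports.

```python
"""Audit a Cisco IOS running-config excerpt for access ports that lack the
port-security settings recommended on the slide (sticky MAC, maximum 1).
Added example; the configuration text below is constructed, not from a real switch."""

# Constructed sample of `show running-config` output from a hypothetical switch.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Meeting room drop
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 description Finance desk
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
interface GigabitEthernet1/0/3
 description Printer
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
!
interface GigabitEthernet1/0/24
 description Uplink to core
 switchport mode trunk
!
"""

# Commands every access port is expected to carry (exact line match).
REQUIRED = (
    "switchport port-security",
    "switchport port-security maximum 1",
    "switchport port-security mac-address sticky",
)


def parse_interfaces(config):
    """Return {interface_name: [config lines]} from running-config text."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif line.startswith("!"):
            current = None          # '!' closes the interface stanza
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def audit_port_security(config):
    """Return {access_port: [missing commands]} for access ports that fall short
    of the recommended setting; trunk ports are skipped."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue
        missing = [cmd for cmd in REQUIRED if cmd not in lines]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for port, missing in audit_port_security(SAMPLE_CONFIG).items():
        print(f"{port}: missing {', '.join(missing)}")
```

Run against a saved copy of the running-config, the report points at the drops where an unauthorized AP could be plugged in without tripping a violation. A port that is compliant but carrying a sticky MAC belonging to an AP is a separate check, which is where the WiFi scanning tools listed above come in.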
Physical Rogue Access Points: Example of travel AP
USB powered, extremely small; can be easily mistaken for a USB hard drive sitting on your desk.
Physical Rogue Access Points
This one can easily pass for a USB phone charger.
The switch on the top has the following options: Router/AP, Repeater, WiFi Hotspot.
AirMagnet WiFi Analyzer
It is important to find a tool that will alert you when a rogue appears.
Now To Check Manually From MS cmd line
C:\>netsh wlan show networks mode=bssid
Interface name : Wireless Network Connection
There are 4 networks currently visible.

SSID 1 : tomwep
    Network type : Infrastructure
    Authentication : Open
    Encryption : WEP
    BSSID 1 : 00:1a:e3:03:6d:60
        Signal : 100%
        Radio type : 802.11g
        Channel : 10
        Basic rates (Mbps) : 1 2 5.5 11
        Other rates (Mbps) : 6 9 12 18 24 36 48 54

SSID 2 : 24ghzs
    Network type : Infrastructure
    Authentication : WPA2-Personal
    Encryption : CCMP
    BSSID 1 : 00:1a:a2:dd:7f:90
        Signal : 81%
        Radio type : 802.11g
        Channel : 1
        Basic rates (Mbps) : 1
        Other rates (Mbps) : 2 5.5 6 9 11 12 18 24 36 48 54
C:\>netsh wlan show networks | find "SSID"
SSID 1 : tomwep
SSID 2 : 24ghzs
SSID 3 : waters
SSID 4 : 24ghz
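The manual `netsh` check scales badly once there are more than a handful of SSIDs, so a small parser that compares the output against an inventory of authorized BSSIDs turns it into a repeatable rogue check. The script below is an added example, not from the slides or from Microsoft: the sample text is reconstructed from the two networks shown above (the real run lists four), and the `AUTHORIZED` inventory is a hypothetical mapping of corporate SSIDs to the BSSIDs that are allowed to advertise them.

```python
"""Parse `netsh wlan show networks mode=bssid` output and flag networks that are
not on the authorized list, or that use Open/WEP security.
Added example; the sample output is reconstructed from the slide and the
AUTHORIZED inventory is hypothetical."""

SAMPLE_NETSH = """\
Interface name : Wireless Network Connection
There are 2 networks currently visible.

SSID 1 : tomwep
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : WEP
    BSSID 1                 : 00:1a:e3:03:6d:60
         Signal             : 100%
         Radio type         : 802.11g
         Channel            : 10

SSID 2 : 24ghzs
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 00:1a:a2:dd:7f:90
         Signal             : 81%
         Radio type         : 802.11g
         Channel            : 1
"""

# Hypothetical inventory of corporate APs: SSID -> set of authorized BSSIDs.
AUTHORIZED = {"24ghzs": {"00:1a:a2:dd:7f:90"}}
# Authentication/encryption values that should not appear on a corporate network.
WEAK = {"Open", "WEP"}


def parse_netsh(text):
    """Return one dict per BSSID with ssid, auth, encryption, bssid, channel, signal.
    netsh prints Authentication/Encryption before the BSSID lines, so the
    per-SSID values are carried forward onto each BSSID record."""
    networks = []
    ssid = auth = enc = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if " : " not in line:
            continue                       # banner lines, blank lines
        key, value = (p.strip() for p in line.split(" : ", 1))
        if key.startswith("SSID "):
            ssid, auth, enc = value, None, None
        elif key == "Authentication":
            auth = value
        elif key == "Encryption":
            enc = value
        elif key.startswith("BSSID "):
            current = {"ssid": ssid, "auth": auth, "encryption": enc,
                       "bssid": value.lower()}
            networks.append(current)
        elif key == "Channel" and current is not None:
            current["channel"] = int(value)
        elif key == "Signal" and current is not None:
            current["signal"] = int(value.rstrip("%"))
    return networks


def classify(networks, authorized=AUTHORIZED):
    """Return (bssid, reason) pairs for networks that deserve a closer look."""
    findings = []
    for n in networks:
        in_inventory = n["ssid"] in authorized
        known = in_inventory and n["bssid"] in authorized[n["ssid"]]
        if in_inventory and not known:
            findings.append((n["bssid"], f"corporate SSID {n['ssid']!r} on unexpected BSSID"))
        elif not known:
            findings.append((n["bssid"], f"unknown SSID {n['ssid']!r} (possible rogue AP)"))
        if n["auth"] in WEAK or n["encryption"] in WEAK:
            findings.append((n["bssid"], f"weak security: {n['auth']}/{n['encryption']}"))
    return findings


if __name__ == "__main__":
    for bssid, reason in classify(parse_netsh(SAMPLE_NETSH)):
        print(f"{bssid}: {reason}")
```

On a Windows host the text would come from `subprocess.run(["netsh", "wlan", "show", "networks", "mode=bssid"], capture_output=True, text=True).stdout`; the rest of the script is unchanged. Seeing an SSID is not the same as it being plugged into your LAN (the neighbours’ WiFi shows up too), so a hit is a prompt to walk the floor with a handheld scanner, not proof of a rogue on the wire.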
Software Rogue Access Points
There are applications that users can install on their computer to ‘share’ their network connection.
This is becoming more common for tablet users who want to use their tablets at work.
Examples: Connectify and Intel MyFi.
Proper software installation protocols must be in place to prevent or limit what applications can be installed.
Portable Software Based Access Point
http://virtualroutersimplicity.codeplex.com/
Virtual Router Simplicity is a simple and stable virtual router software. It requires zero configuration to create a virtual WiFi spot.
Portable application.
Smartphone Hotspots
Today’s cell phones can be configured as a hotspot so other WiFi devices can get internet access, basically using the phone as a WiFi-to-cellular modem.
This creates a new challenge, since a laptop connected to the corporate wired network might also have a WiFi connection to the internet.
Monitoring for rogue APs and limiting which WiFi networks users can connect to would help.
Smartphone Hotspots & Tethering
(Screenshots: Android Hotspot, Apple Hotspot)
Other Issues
You also have to think of various scenarios, for example what happens if someone claims they got a virus while on your network?
Create separate Wifi or Wired guest networks from your corporate network.
Guest networks should have their content filtered, and users should receive a notification when they connect to them.
Be careful of laptops wired to the corporate network and Wifi to the BYOD network.
Accessing Non Corporate WiFi
Employees might access nearby non-corporate WiFi networks.
This is a big concern, since the computer is probably wired into the corporate network while simultaneously accessing the Internet via WiFi.
PC policies or products like Wireless Autoswitch or BridgeChecker will disable wireless when a hard wired connection is active.
Tethering
Smartphones allow ‘tethering’ where you use the phone as a modem to access the internet.
This one is challenging since the phone might be the employee’s, but the computer might be the corporation’s.
This is addressed through PC configuration changes and by promoting corporate policies.
Virtual Machines
Virtual Machine applications like Vbox, Vmware and Virtual PC can be used to create a virtual PC that doesn’t conform to your current PC security or configuration policies.
Current software installation policies can be used to block unauthorized applications such as this.
Live CD & Live USB
A Live CD or USB is a complete bootable computer operating system which runs in memory.
When you boot from a LIVE CD/USB, the computer is not bound by any of the current login mechanisms that are in place.
Configure computers to boot only from the hard drive and password-protect the BIOS settings.
Another example where user education can help prevent this.
Live CD & Live USB Examples
http://livecdlist.com/
http://en.wikipedia.org/wiki/Live_USB
(Screenshot: Backtrack)
Powerline
This technology allows you to send an Ethernet signal through your power/wiring.
Used when a temporary network is created and no wired network connections are available and wireless is not an option.
Powerline networks should be treated the same as a wireless network and configured with authentication and encryption if used in production.
Using Anonymous Proxies
There are online, browser add-ons and separate applications that clients can use to visit websites which may be blocked by your current policy or system.
Examples of these sites/applications are: zend2, hotspot shield, proxify.
These online sites should be added to your blocked sites. Current software management practices should prevent this.
Name Resolution Services
These services provide name resolution so people can access their home network when they don’t have a statically assigned IP address.
Examples of these sites/applications are: TZO, DYNDNS, no-ip.
These sites should be added to your list of blocked sites.
Special Projects or Temporary Networks
I sarcastically comment that temporary networks result in two things: they eventually become permanent or forgotten, and they may be installed without the same measures and policies as the rest of the organization.
Temporary or project networks should have a definite ‘expiry’ or decommission date.
If a project network requires internet access different from the corporate users, or is accessed by external staff, it should be set up as a separate network.
Vigilance
IT staff must be constantly testing new products and applications to ensure that the ‘low hanging fruit’ of technology isn’t deployed by unauthorized staff. For example: When a new remote application is available, staff should ensure that their current network isn’t vulnerable.
Time must be dedicated to inform users what they can and can’t do. For example: Make it clear that remote access to your computer is forbidden.
Correspondence to employees identifying current security issues should be in place. For example: Current viruses, malware, phishing scams, etc.
Other Tips
Some Access Points/Routers will decrease the IP TTL by one.
If you capture packets and know what the IP TTL is supposed to be and it is one lower, you might suspect an AP is forwarding the packets.
The AP MAC address may be in the source or destination MAC address of the packet as well.
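The TTL tip can be automated over a capture summary. The script below is an added example, not from the slides: it takes constructed packet records (source MAC, source IP, IP TTL), estimates how many routers have decremented each TTL by comparing it against the common initial values (32, 64, 128, 255), and collects the MAC addresses of same-subnet sources whose packets arrive one hop down. Several different IPs behind one MAC strengthen the case that the MAC belongs to a forwarding device such as a routing AP. The MAC and IP values are constructed.

```python
"""Flag captured packets whose IP TTL is one below a common initial value even
though the source IP is on the local subnet, which can indicate an AP/router
forwarding traffic. Added example; the packet records are constructed."""
from collections import Counter

INITIAL_TTLS = (32, 64, 128, 255)      # common OS default initial TTLs

# Constructed capture summary: (src MAC, src IP, IP TTL). All values hypothetical.
PACKETS = [
    ("3c:97:0e:11:22:33", "10.0.5.20", 128),   # Windows host directly on the LAN
    ("3c:97:0e:11:22:33", "10.0.5.20", 128),
    ("b8:27:eb:44:55:66", "10.0.5.31", 64),    # Linux host directly on the LAN
    ("02:00:5e:aa:bb:cc", "10.0.5.77", 127),   # 128 - 1: one router in the path
    ("02:00:5e:aa:bb:cc", "10.0.5.78", 63),    # 64 - 1, same MAC, different IP
    ("02:00:5e:aa:bb:cc", "10.0.5.77", 127),
    ("00:50:56:12:34:56", "192.0.2.9", 52),    # off-subnet source: ignored
]


def hops_taken(ttl):
    """Estimate how many routers decremented the TTL, assuming the sender
    started from the smallest common initial value at or above the observed TTL."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    return None


def find_forwarding_macs(packets, local_prefix="10.0.5."):
    """Return {src MAC: Counter(src IP -> packets)} for local-subnet sources whose
    packets have already been decremented by exactly one hop. A directly
    connected host should show zero hops, so one hop points at a device
    forwarding on its behalf; the MAC is the candidate AP/router."""
    suspects = {}
    for mac, ip, ttl in packets:
        if not ip.startswith(local_prefix):
            continue                     # only same-subnet sources are meaningful
        if hops_taken(ttl) == 1:
            suspects.setdefault(mac, Counter())[ip] += 1
    return suspects


if __name__ == "__main__":
    for mac, ips in find_forwarding_macs(PACKETS).items():
        print(f"{mac}: {len(ips)} IP(s) one hop behind it -> {dict(ips)}")
```

The same logic fits a Wireshark display filter once you know the expected values, e.g. `ip.src == 10.0.5.0/24 && (ip.ttl == 63 || ip.ttl == 127)`. Treat a hit as a lead rather than proof: hosts with a non-default TTL, or an AP operating as a pure bridge (which does not decrement TTL), will not fit the pattern.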