WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)
Transcript of WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)
![Page 1: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/1.jpg)
WIRELESS NETWORK SECURITY
SUMMARY AND CONCLUSIONS
![Page 2: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/2.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
AGENDA
REVEIW
RECOMMENDATIONS
COMMENTS
![Page 3: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/3.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
REVIEW
![Page 4: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/4.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
REVIEW
WIRELESS
RADIO FREQUENCY SPECTRUM
PROPERTIES OF RADIO WAVES
802.11 STANDARDS, A/B/G, WIMAX
POINT-TO-POINT NETWORKS
MESH NETWORKS
![Page 5: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/5.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
REVIEW
ACCESS POINTS TO BUILD WIRELESS NETWORKS
CONFIGURATION ACCESS POINTS
ESSID, MODE, CHANNELS, SNMP
ACCESS-POINT MODE V. “STATION”/CLIENT MODE
POWER SETTINGS
BRIDGING
WPA2 POINT-TO-POINT LINKS
UBIQUITI ACCESS POINTS
![Page 6: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/6.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
REVIEW
EXTENDING WIRELESS NETWORKS
ADDING ADDITIONAL ACCESS POINTS
SITE DEPLOYMENT ISSUES
POWER/ENVIRONMENTAL CONCERNS
CAPTIVE PORTAL APPROACHES
USING M0N0WALL OR NOCAT TO SECURE A WIRELESS NETWORK
![Page 7: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/7.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
REVIEW
M0N0WALL
A GUI-BASED CAPTIVE PORTAL/FIREWALL SOLUTION
INEXPENSIVE (FREE!)
SUITABLE FOR WIRELESS CAPTIVE PORTALS
RUNS ON INEXPENSIVE HARDWARE
![Page 8: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/8.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
REVIEW
NETWORK PROTOCOLS
THE MAC LAYER, “LAYER2” IS SIMILAR IN BOTH WIRED AND WIRELESS NETWORKS
THERE IS NO SECURITY BUILT INTO THE ETHERNET OR MAC LAYER
BECAUSE OF THIS, ARP MECHANISMS ARE SUBJECT TO TAMPERING, POISONING, MASQUERADING ATTACKS
![Page 9: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/9.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
REVIEW
TCP/IP
SIMILARLY, TCP/IP HAS NO SECURITY BUILT INTO THE PROTOCOLS
BECAUSE OF THAT IP ADDRESSES ARE ALSO SUBJECT TO FORGERY. TCP/IP CAN ALSO BE TAMPERED WITH, ESPECIALLY FOR DENIAL OF SERVICE ATTACKS
LEARNED UNIX TOOLS FOR NETWORK CONFIGURATION: IFCONFIG, NETSTAT, ARP, ARPING, PING, TRACEROUTE, MTR, TCPTRACEROUTE
![Page 10: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/10.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
REVIEW
BACKTRACK
LEARNED ABOUT LIVE-CD DISTRIBUTIONS
LOTS OF TOOLS ON THE BACKTRACK LIVE-CD
INSTALLING BACKTRCK ON USB
WIRELESS CONFIGURATION TOOLS: IFCONFIG, IWCONFIG, IWLIST, DHCPCD
![Page 11: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/11.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
REVIEW
NETWORK DESIGN
ADDING WIRELESS NETWORKS AND ADDITIONAL SECURITY SYSTEMS WILL REQUIRE NETWORK DESIGN
THIS REQUIRES CAREFUL CONSIDERATION OF THE TOPOLOGY OF THE EXISTING NETWORK
IT ALSO REQUIRES UNDERSTANDING WHAT THE GOAL IS FOR THE NEW DESIGN
![Page 12: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/12.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
REVIEW
NETWORK DESIGN (CONTINUED)
SECURITY “ZONES” CAN BE CREATED, OUTSIDE, IN A DMZ, OR INSIDE OF NETWORKS. EX: GUEST V. INTERNAL
CAPTIVE PORTALS (AUTHENTICATION GATEWAYS) CAN BE USED TO CREATE THE EDGE OF A SECURITY ZONE
ACCOUNT MANAGEMENT, AUTHENTICATION, AND ACCESS CONTROL ARE CRITICAL COMPONENTS IN A CAPTIVE PORTAL (AUTHENTICATION GATEWAY)
![Page 13: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/13.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
REVIEW
WIRELESS SECURITY STANDARDS
OLDER WIRELESS ENCRYPTION STANDARDS HAVE NOT PERFORMED WELL
WEP IS CRACKABLE USING A NUMBER OF TOOLS
WPA2 APPEARS TO BE THE BEST OF THE CURRENTLY AVAILABLE STANDARDS
WPA2 MAY NOT BE SUPPORTED ON ALL OF YOUR CLIENT MACHINES
A CERTIFICATE/PKI SYSTEM MAY PROVIDE ADDITIONAL SUPPORT FOR AN IMPLEMENTATION
![Page 14: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/14.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
REVIEWS
TRAFFIC ANALYSIS
A NUMBER OF FREE TOOLS ARE AVAILABLE
THESE CAN BE USED TO MONITOR THE CONDITION OF YOUR NETWORK
THEY CAN ALSO BE USED TO DO FORENSICS AFTER A BREAKIN HAS OCCURRED
FLOWTOOLS, WIRESHARK, AND NTOP ARE COMMONLY USED BY MANY NETWORK ENGINEERS
![Page 15: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/15.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
REVIEW
WIRELESS TOOLS
NETSTUMBLER CAN BE USED TO MAP OUT THE STATE OF THE WIRELESS NETWORK
KISMET CAN BE USED TO ANALYZE THE WIRELESS TRAFFIC IN MORE DETAIL
INEXPENSIVE SPECTRUM ANALYSIS TOOLS, SUCH AS WISPY, CAN BE USED TO ANALYZE RADIO ISSUES
![Page 16: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/16.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
REVIEW
UBUNTU
POPULAR, EASY-TO-USE LINIX DISTRIBUTION
PACKAGE MANAGEMENT USING: APT-GET, APT-CACHE, DPKG
USE OF THE ROOT ACCOUNT USING: SUDO, SUDO -S
START/STOP SERVICE USING: /ETC/INIT.D/
![Page 17: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/17.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
REVIEW
INFORMATION SECURITY CONCEPTS
INFORMATION SECURITY RESOURCES
NETWORK SECURITY
NETWORK ACCESS CONTROL
![Page 18: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/18.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
REVIEW
NETWORK ACCESS CONTROL
NAC SYSTEMS ARE STARTING TO APPEAR THAT BUILD COMPLEX ACCESS CONTROL MECHANISMS
SIMPLER ACCESS CONTROL MECHANISMS ARE POSSIBLE
PROXIES, SSL VPNS, AND IPSEC VPNS ARE A SIMPLE SOLUTION TO THIS PROBLEM IN SOME CASES
CAPTIVE PORTALS (AUTHENTICATION GATEWAYS) PROVIDE MOST OF THE BENEFITS OF NAC, WITHOUT THE HIGH COSTS AND COMPLEXITY
![Page 19: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/19.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
REVIEW
NETWORK ATTACKS
ATTACK RESOURCES: CONFERENCES, WEBSITES, MAGAZINES
ATTACK TYPES
DENIAL OF SERVICE
ARP SPOOFING
MAN-IN-THE-MIDDLE
PHISHING ATTACKS
ATTACK TOOLS: DSNIFF, ETTERCAP, AIRCRACK, AIREPLAY
![Page 20: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/20.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
REVIEW
NMAP, NESSUS, AND SNORT
VULNERABILITY ANALYSIS CONCEPTS
INTRUSION DETECTION CONCEPTS
THE USE OF OPEN-SOURCE TOOLS
![Page 21: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/21.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
RECOMMENDATIONS
![Page 22: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/22.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
RECOMMENDATIONS
MONITOR YOUR NETWORK
MANAGE YOUR ACCESS POINTS
GRAPH NETWORK STATISTICS
DEPLOY A FLOWTOOLS OR MONITORING STATION
![Page 23: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/23.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
RECOMMENDATIONS
APPLY ACCESS CONTROLS WHERE NECESSARY
CAPTIVE PORTALS WORK WELL TO SECURE OPEN WIRELESS NETWORKS
![Page 24: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/24.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
RECOMMENDATIONS
MONITOR YOUR WIRELESS ENVIRONMENT
LOOK FOR ROGUE ACCESS POINTS WITH NETSTUMBLER
WATCH OUT FOR ROGUE DHCP SERVERS
ADDRESS ROGUE AP ISSUES QUICKLY
![Page 25: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/25.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
RECOMMENDATIONS
ENCRYPTION
USE ENCRYPTION WHERE IT MAKES SENSE
USE WPA2 OR SIMILAR SOLUTIONS
USE SSL-VPN AND IPSEC VPNS, AND SSH
USE END-TO-END ENCRYPTION, AND PAY ATTENTION TO DATA SECURITY: PGP, AND OTHER TOOLS
![Page 26: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/26.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
RECOMMENDATIONS
ADVANCED NETWORK SETTINGS
USE VLANS TO SEGMENT SUBNETS
ENABLE “ARP INSPECTION” OR “PORT-SECURITY” ON CHALLENGING SUBNETS
ENABLE “DHCP SNOOPING” TO LIMIT THE DAMAGE FROM ROGUE DHCP SYSTEMS
STATIC ARP ON SOME CRITICAL DEVICES
![Page 27: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/27.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
RECOMMENDATIONS
VULNERABILITY SCANNING
PERORM REGULAR SCANS OF YOUR NETWORK
APPLY PATCHES
SUPPORT ANTI-VIRUS FIREWALL SOFTWARE
USE IDS TO DETECT RECENT KNOWN ATTACKS
EDUCATE YOUR USERS
![Page 28: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/28.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
COMMENTS
FEEDBACK IS WELCOME
MORE LAB TIME?
MORE TIME ON SITE PLANNING AND DEPLOYMENT LABS?
MORE TIME ON MESH NETWORKING?
OTHER TYPES OF WIRELESS TECHNOLOGY?
MORE TIME ON DEMONSTRATING CAPTIVE PORTALS?
![Page 29: WIRELESS NETWORK SECURITY - Network Startup Resource Center (NSRC)](https://reader035.fdocuments.us/reader035/viewer/2022081622/613d1bce736caf36b7596989/html5/thumbnails/29.jpg)
SUMMARY AND CONCLUSIONS WIRELESS NETWORK SECURITY
COMMENTS
THANK YOU!