Wireless Security Part 1 3/10/04 Mark Lachniet, Analysts International
Introductions
• Mark Lachniet, Technical Director of Analyst International’s Security Services Group
• Technical lead for service development, methodology, quality control and technical presales
• Certified Information Systems Auditor (CISA) from ISACA
• Certified Information Systems Security Professional (CISSP) ISC^2
• Linux LPIC-1, Novell Master CNE, Microsoft MCSE, Checkpoint CCSE, TruSecure ICSA, etc.
• Former I.T. director of Holt Public Schools
• Frequent speaker for local organizations
Agenda
• Overview of Wireless
• Wireless frequency types and products
• Controlling signal and site surveys
• Wireless modes of operation
• Wardriving and Warchalking
• Basic wireless security features
• Advanced wireless security features
• Wireless in the network environment
• Conclusions
• Discussion
Class Logistics
• Frequent breaks, maybe not 20 mins.
• I do not mind if you mess around with your computers while I am talking, in fact I encourage it - you are here because you want to be
• Will attempt to do more hands-on exercises and less talking
• Please speak up! This will be most useful if you ask questions! Don’t wait for the end
• Consider finding a partner, especially one of a higher or lower technical skill level
Class CD-ROM
• I have included a CD-ROM with many tools and utilities on it
• Some of these we will use, some of them we may not
• Most are 30-day expiring demos
• You should go to the web site(s) yourself and download the software, so you can get registered
Classroom Network
(Diagram, MACUL 2004: Ethernet LAN with a Cisco Aironet 350 series wireless access point and a USR 8054 AP at 192.168.2.254; presenter's laptop 192.168.2.171, Windows hacker laptop 192.168.2.173, Linux hacker laptop 192.168.2.172, student laptops 192.168.2.100-170.)
Why Wireless?
• Flexibility
• Instructional Potential (mobile labs, data collection, research in common areas, etc.)
• Overcome building limitations (all brick, asbestos, leased buildings, etc.)
• Ubiquitous technology - built into many PDAs and Laptops
• In use in many homes, coffee shops, airports
• Many people already have it on their laptop, making it easy for visits, ad-hoc meetings
Why Not Wireless
• Speed considerations (11mb/s or 54mb/s theoretical throughput - actually much slower than this in reality)
• Security, both real and perceived, especially cost of supporting infrastructure
• Signal interference from other devices
• Signal penetration problems through dense materials
• Changing technologies and standards
• A little bit too much “fun” for bored students to hack
Wireless Technology
• Wireless, and especially wireless security, operates at many different levels in many different ways
• For the purposes of our class, we will start with the most basic elements of wireless technology (hardware) and work our way up to the most complex (applications)
• One of the best representations of this type of abstraction is the OSI model
The OSI Model
• The OSI Model is used to describe different layers of networks and network services
• Layers 1 and 2 are the “hardware” level, but in our case there are no wires, only radio signals
• Layers 3, 4 and 5 deal with association and TCP/IP, which may be handled by a wireless Access Point / router
Types of Wireless
• Let’s focus first on the lowest levels of the OSI model - frequencies and standards
• Wireless has a few standards:
– Frequency Hopping Spread Spectrum (FHSS)
– Direct Sequence Spread Spectrum (DSSS)
– Orthogonal Frequency Division Multiplexing (OFDM)
• FHSS is used in Proxim cards, in industrial applications, barcode scanners, etc.
• DSSS is the most common type, used most in WLAN cards, access devices, etc.
• OFDM is used in modern 54mb/s devices
Direct Sequence Spread Spectrum
• High-speed code sequence manages frequency modulation
• Produces signal centered at carrier frequency
Frequency Hopping Spread Spectrum
• Code function determines “hops” to manage frequency modulation
• Carrier is flat across spectrum
Orthogonal Frequency Division
• Uses multiple carrier waves on different frequencies
• Each wave carries part of the message
• Used for 54mb/s applications (802.11a/g)
• May designate a number of encoding types
Wireless Types and Frequencies
• Frequencies:
– 802.11b and 802.11g are both 2.4ghz
– 802.11a is 5ghz
• Bandwidth
– The 5ghz space has more bandwidth (throughput speed capability)
• Non-Overlapping Channels (may not match APs)
– 802.11/b/g @ 2.4ghz has 3
– 802.11a @ 5ghz has 4
• Compatibility
– 802.11g is usually backwards compatible with 802.11b @ 11mb/s only
– 802.11a isn’t compatible
Interference / Penetration / Leakage
• Managing your signal is an important part of Wireless security
• If you can control your signal, keeping it mostly inside, you can worry less about hackers outside of your building
• At the same time, you want to make sure you can penetrate all important areas of your building
• You also need to be aware of interference issues from phones, microwaves, cell towers, etc.
• Use non-overlapping channels wisely
• The best way to make these determinations is by doing a site survey
Performing a Site Survey
• The Site Survey Toolkit
– One or more access points
– Various antennas and cables
– Various WLAN NIC cards
– Distance Roller thingy
– Tape, ZIP ties, etc.
• One or more people
– May need walkie-talkies
– Keep people away from the equipment
Performing a Site Survey
• Attempt to find the best configuration of WLAN equipment by setting it up and measuring signal
• Use a blueprint or floor layout map of the target area
• Use the roller to determine distance
• Measure signal characteristics at various locations to develop a signal coverage map
• Should use the exact hardware that will be installed
• Look at signal strength, signal to noise ratios, and access ranges at specific speeds
• Consider potential usage - 5 users @ 54mb/s or 20 users @ 11mb/s? (lock wireless cards at that speed, and map with this in mind)
Use Built In Tools w/ Laptop
• Analyze signal strength and signal to noise ratio using a client utility (passive mode)
• Lock your card at a specific speed and just walk away until it stops working
• Use the client utility to generate a large number of packets and see how many arrive correctly (active mode)
Create a Layout
(Floor plan: Library, Science Lab #1, Science Lab #2, Hallway, Gymnasium / Lunchroom; dimensions marked 250' East-West, 125' North-South, 80' North-South, 10' East-West, 25' East-West, 40' E…)
Install AP and Measure Speed
• For example, place it more or less in the middle of the Gym - in this case there is a signal problem in the Library
(Same floor plan, with a Cisco Aironet 350 series access point placed in the Gymnasium / Lunchroom and coverage rings marked 54mb/s, 11mb/s and 4mb/s; the Library falls only within the 4mb/s ring.)
Multiple AP Placement
(Same floor plan with two Cisco Aironet 350 series access points, each with 54mb/s, 11mb/s and 4mb/s coverage rings, the second one covering the Library.)
Signal Leakage Risk!
(Same two-AP floor plan, with an “EVIL HACKER” shown outside the building within reach of the leaking signal.)
Directional Antennas
• A directional antenna may help direct signal & stop leaks
(Same floor plan, now with a Cisco Aironet 350 series and a Cisco Aironet 1100 series access point; 54mb/s, 11mb/s and 4mb/s coverage rings shown.)
Wireless Components
• The most common type of Wireless Local Area Network (WLAN) infrastructure typically involves two components
• An Access Point, which works as a kind of “smart hub” to allow communication
• A Client, which is typically a laptop, desktop or PDA with a wireless NIC
• Within this paradigm are any number of different products, technologies or variations
• The base standard for wireless LAN is 802.11, as determined by the IEEE:http://grouper.ieee.org/groups/802/11/index.html
Ad-Hoc Mode
• In Ad-Hoc mode, all devices can talk to each other directly (if they are in range and on the same frequency)
• Relatively uncommon, used in WAN configurations, LAN Games, impromptu meetings, etc.
• Referred to as an Independent Basic Service Set (IBSS)
(Diagram: four laptops communicating directly with one another.)
Ad-Hoc Mode Definition
• http://www.webopedia.com/TERM/A/ad_hoc_mode.html
• “An 802.11 networking framework in which devices or stations communicate directly with each other, without the use of an access point (AP). Ad-hoc mode is also referred to as peer-to-peer mode or an Independent Basic Service Set (IBSS). Ad-hoc mode is useful for establishing a network where wireless infrastructure does not exist or where services are not required.”
Infrastructure Mode
• The most common type of WLAN is Infrastructure Mode - used most places
• All devices talk to the access point
• Referred to as a Basic Service Set (BSS).
(Diagram: a Cisco Aironet 350 series access point with four laptops communicating through it.)
Infrastructure Mode Definition
• http://www.webopedia.com/TERM/I/infrastructure_mode.html
• “An 802.11 networking framework in which devices communicate with each other by first going through an Access Point (AP). In infrastructure mode, wireless devices can communicate with each other or can communicate with a wired network. When one AP is connected to wired network and a set of wireless stations it is referred to as a Basic Service Set (BSS). An Extended Service Set (ESS) is a set of two or more BSSs that form a single subnetwork. Most corporate wireless LANs operate in infrastructure mode because they require access to the wired LAN in order to use services such as file servers or printers. “
Advanced Infrastructure Mode
• There may be multiple access points in an environment
• This raises a number of issues, including mobile clients
• Comprised of multiple BSS’ to create an Extended Service Set (ESS)
(Diagram: two Cisco Aironet 350 series access points serving four laptops.)
Extended Service Set
• Uses a 32-char ID to represent the ESS, known as an ESSID (or SSID) such as “USR8054”
• This essentially represents “the network” and is something all users must have configured in some way
SSID Example
• For example, this is how it looks on a USR8054
• Note the ability to turn off the broadcast of the SSID
Wardriving
• One popular hobby for geeks is to “war drive” for wireless networks
• Using special software such as Net Stumbler, drive or walk around looking for access points, frequently “chalking” them and/or recording the location with a GPS (then uploading coordinates to the Internet)
• http://www.netstumbler.com
• Passive scanners will just passively listen for SSID broadcasts
• Active scanners will probe for them
• Scanners will usually tell you if advanced security (encryption) is configured
• Some will even tell you about connected clients
Wardriving Resources
• http://Michiganwireless.org
• http://Netstumbler.com
• http://www.wardriving.com
• http://www.wigle.net/ (locations)
• http://packetstormsecurity.org/wireless
• type in ‘war drive’ in google :)
Activity #1: War Driving
• Install a Lucent Wavelan / Orinoco card in your laptop
• Install Net Stumbler from your CD-ROM
• Run the application, observe the local network
• Survey the facilities (?) and win a prize?
Activity #2: Protocol Analyzer
• Install WinPCap
• Reboot
• Install Ethereal on your laptop
• Associate with the access point (it may complain about it being insecure, that is OK)
• Run Ethereal
Basic Wireless Security Features
• There are a number of basic wireless security features and protocols:
– Utilize static IP addresses
– SSID Security (not broadcasting SSID)
– MAC Address Filtering
– WEP Encryption
– Signal control and speed locking
– 802.1X Authentication / Encryption
– WPA Authentication / Encryption
– External security (VPN, VLAN, or other things not part of wireless per se)
Utilize Static IP
• Although it won’t stop a hacker with a protocol analyzer, using static IP address assignment instead of DHCP will help
• This will stop the casual and/or stupid hackers from automatically getting an IP address and being allowed to surf
• It creates a management burden, as each laptop must be uniquely identified ahead of time
• It also creates an opportunity, as you can figure out what a user is doing on the network very easily
SSID Broadcasting
• For an extremely minimal amount of security, you can turn off SSID broadcasting
• This means that someone must somehow know or discover the SSID in order to use the access point
• May be able to identify the SSID by analyzing network traffic from another user (via AP association frames)
• Active scanners may find this through a “brute force SSID” scan (rare)
• Windows may “remember” the AP/SSID
Activity #3: SSID Broadcast
• Now that I have turned off SSID Broadcast, disassociate with the AP
• Stop and restart Net Stumbler
• Is the access point still visible?
• Can you connect to it anyway through Windows by manually typing in the SSID?
• The SSID: USR8054
MAC Address Filtering
• Each network device has a unique hardware identifier built into it, called a MAC address
• In Windows, use ‘ipconfig /all’ to view the current MAC address of your devices
• This can be used for security purposes
Problems with MAC Filtering
• Although MAC addresses are hard-coded, they can be changed in some hardware via software
• Thus, a hacker would only have to sniff enough traffic to learn some “allowed” MAC addresses, and then impersonate that MAC address
• Also, MAC address filtering can be very painful to manage in the long haul:
– How do you keep track of all the addresses?
– What about traveling users and visitors?
– What is the maximum # of MAC addresses your access point will allow you to type in?
Activity #4: MAC Filtering
• I will now configure the AP to only allow my own MAC
• Try not to lock yourself out of your AP :)
WEP Encryption
• To get around the various wireless security problems, an early solution was WEP
• This allows you to configure a 40-bit, 64-bit or 128-bit key to encrypt traffic
• A WEP key is essentially a password
• Normally, the same WEP keys are manually programmed into the client and access point
• If the WEP keys match, the devices can communicate
• WEP encryption is better than nothing but it still has its problems
WEP Encryption Problems
• First of all, the WEP key must be stored on the client computer (or typed in each time)
• Thus, the security of the client workstation(s) is very important
• It might be possible to steal the WEP key from the registry or some configuration file
• Also, WEP adds a little bit of processing overhead (3% in hardware?)
• Most importantly, the WEP implementation is flawed and WEP encryption can be cracked!
Cracking WEP
• Software such as AirSnort (http://airsnort.shmoo.com/) allows you to monitor encrypted wireless activity and eventually get enough information to crack a WEP key
• The problem is due to a flawed use of the RC4 cipher in WEP
• Specifically, while almost everything in the packet is encrypted, a plain-text “Initialization Vector” (IV) is sent with each packet to keep the encryption in sync
• Certain IV values produce RC4 output that leaks information about the key
• Given enough packets, 5-10 million, AirSnort can crack the WEP key
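An added illustration (not from the slides) of what the cleartext IV does: WEP prepends the 24-bit IV to the shared key to form the RC4 key, so the class key 12345 (5 ASCII bytes, 40 bits) yields a 64-bit RC4 key, two frames sent under the same IV share a keystream, and with only 2^24 IVs a repeat is expected within a few thousand frames. The weak-IV statistics that AirSnort relies on are a separate property of RC4 and are not modelled here.

```python
# Added example, not from the original slides: a minimal model of WEP
# encapsulation showing what the cleartext IV does and why IV reuse hurts.
# WEP forms the RC4 key as IV || shared key, so the "64-bit" key used with
# the class key "12345" is really 24 IV bits + 40 secret bits.
import random
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) then `length` bytes of output (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body: 3-byte IV in the clear, then RC4(IV||key) XOR (payload || CRC-32 ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    body = payload + zlib.crc32(payload).to_bytes(4, "little")
    ks = rc4_keystream(iv + shared_key, len(body))
    return iv + bytes(a ^ b for a, b in zip(body, ks))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Reverse of wep_encrypt; raises if the ICV does not match (wrong key or damaged frame)."""
    iv, ct = frame[:3], frame[3:]
    ks = rc4_keystream(iv + shared_key, len(ct))
    body = bytes(a ^ b for a, b in zip(ct, ks))
    payload, icv = body[:-4], body[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return payload


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes):
    """Two frames with the same IV were encrypted with the same keystream, so
    XOR of the ciphertexts equals XOR of the plaintexts (the keystream cancels).
    Returns None when the IVs differ."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))


def frames_until_iv_repeat(seed: int = 0) -> int:
    """Simulate a card picking random 24-bit IVs and count frames until the
    first repeat; by the birthday bound this is typically a few thousand,
    far fewer than the 2**24 distinct IVs available."""
    rng = random.Random(seed)
    seen = set()
    count = 0
    while True:
        count += 1
        iv = rng.getrandbits(24)
        if iv in seen:
            return count
        seen.add(iv)


if __name__ == "__main__":
    key = b"12345"  # the class WEP key from the slides: 5 ASCII bytes = 40 bits
    f1 = wep_encrypt(key, b"\x00\x00\x01", b"hello world")
    f2 = wep_encrypt(key, b"\x00\x00\x01", b"HELLO WORLD")
    print("decrypts to:", wep_decrypt(key, f1))
    print("ct1 xor ct2 == pt1 xor pt2:", keystream_reuse_leak(f1, f2)[:11].hex())
    print("frames until an IV repeats:", frames_until_iv_repeat())
```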
Activity #5: Configuring WEP
• First, we need to configure it on the access point
• Note that the key size may be 40 or 128 bit
• Also note that keys may be in ASCII or HEX format
Activity #5: Configuring WEP
• Now configure the client software (WEP Key is 12345)
• Attempt to access something - did it work?
Activity #5: Configuring WEP
• Now try some of our old tools
• Disassociate with the access point (or type in the wrong WEP key)
• Now try Net Stumbler - do you see the icon? That means WEP is enabled
• Half the class run Ethereal without the WEP key, the other half with it
• What are the results? (your mileage may vary depending upon card, etc.)
Advanced Wireless Security
• After all of the problems with WEP, alternate security systems needed to be devised
• One is 802.1X, which provides
– Use of encryption certificates
– Provides port-based controls
– Uses the extensible authentication protocol (EAP). Can use different protocols w/in EAP.
– Mutual authentication
– Automated encryption key management and rotation (TKIP)
– Authentication (username and password) to a back-end RADIUS server
802.1X
• Requires an 802.1X compliant access point (old ones are not!) or high-end Ethernet switches
• Requires compatible clients and RADIUS servers (for authentication purposes)
• The Supplicant is the client - Windows XP SP1 has this built in, other Windows clients require a commercial product
• Macintosh 10.3+ (?) has 802.1X supplicant software built in, some Linux / UNIX support
• The AP is the authenticator, and the RADIUS server is the authentication source
Slides from: http://www.blackhat.com/presentations/win-usa-03/bh-win-03-riley-wireless/bh-win-03-riley.pdf
RADIUS Authentication
• Authentication systems for wireless typically use encryption-aware RADIUS servers
• Examples include Microsoft IAS, Cisco Secure ACS, and Funk Software products
• RADIUS servers without encryption are very common (Border Manager Authentication Services, etc) but won’t work
• RADIUS is also used in a number of other applications such as VPN authentication, etc.
RADIUS Servers in the Network
• Client talks to AP, AP talks to RADIUS server, which *may* talk to another authentication server
• The RADIUS server may have its own user database
• Client and RADIUS *must* talk same EAP protocol
(Diagram: laptop to a Cisco Aironet 350 series access point, over Ethernet to a RADIUS server on Windows 2000 Server, which may in turn talk to a NetWare server.)
RADIUS Server Types
• The majority of RADIUS servers authenticate to a local or network authentication database
• Some RADIUS servers have advanced security features such as two-factor authentication (like RSA’s SecurID)
• This requires two of three “factors”
– Something you have
– Something you know
– Something you are
• For example, a thumbprint reader, or a SecurID token that changes codes, etc.
• Although expensive, this provides a high level of security, as you would have to steal something
802.1X EAP Types
• There are a number of EAP authentication types that 802.1X can use
• They all have different advantages and disadvantages
EAP type comparison:
• EAP-MD5
– Server Authentication: None
– Supplicant Authentication: Password Hash
– Dynamic Key Delivery: No
– Security Risks: Identity exposed, Dictionary attack, Man-in-the-Middle (MitM) attack, Session hijacking
• LEAP
– Server Authentication: Password Hash
– Supplicant Authentication: Password Hash
– Dynamic Key Delivery: Yes
– Security Risks: Identity exposed, Dictionary attack
• EAP-TLS
– Server Authentication: Public Key (Certificate)
– Supplicant Authentication: Public Key (Certificate or Smart Card)
– Dynamic Key Delivery: Yes
– Security Risks: Identity exposed
• EAP-TTLS
– Server Authentication: Public Key (Certificate)
– Supplicant Authentication: CHAP, PAP, MS-CHAP(v2), EAP
– Dynamic Key Delivery: Yes
– Security Risks: MitM attack
• PEAP
– Server Authentication: Public Key (Certificate)
– Supplicant Authentication: Any EAP, like EAP-MS-CHAPv2 or Public Key
– Dynamic Key Delivery: Yes
– Security Risks: MitM attack
LEAP
• Lightweight EAP
• LEAP is a Cisco-Specific protocol
• It’s fairly easy to use because it does not require certificates (this can be a big issue)
• It has one disadvantage - people can attempt to brute force your network passwords by guessing each one
• If you are in an all-Cisco environment, it may be better than WEP, but it’s no longer the ideal
EAP-TLS
• EAP with Transport Layer Security
• Requires the use of certificates to prove identities (both the access point and the client)
• A certificate is a bit of text that includes identity and encryption key information
• These must be generated and distributed to all clients
• This requires touching every workstation, something that may not be practical
• Windows 2k/XP/2003 environments have these services and can be integrated (maybe not easily)
• Use MMC->Certificates in Windows to view yours
Obtaining Certificates for EAP
• Certificates may be automatically generated (i.e., a machine certificate when a machine joins a domain)
• Certificates can also be manually generated, for example by requesting one from a Windows server running IIS and Certificate services: http://www.win2kserver.com/certsrv
• For an example of how this would work with the Cisco Secure ACS server, check out:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml
• Also can use openssl to create certificates under Linux / UNIX operating systems
EAP-TTLS / PEAP
• EAP Tunneled TLS and Protected EAP
• Similar to EAP-TLS, but instead of relying entirely on certificates, can use usernames and passwords via MS-CHAP
• This allows you to authenticate the USER instead of the client machine
• However, you still verify the identity of the authentication server (stops Man in the Middle Attacks) by the certificate
Man In The Middle Attacks
• Use a program like AirSnarf to masquerade as a legitimate access point (http://airsnarf.shmoo.com/)
• As an intermediary, view all network traffic w/out encryption, including passwords
(Diagram: a REAL Access Point (Cisco Aironet 350 series) and a FAKE Hacker Access Point both answering a laptop labelled SUCKER - “I'm USR8054” / “No Dude, I'm USR8054”.)
WPA
• Wifi Protected Access (WPA) is the emerging standard for security
• Includes TKIP and 802.1X features
• Soon to be replaced by the 802.11i standard
• Allows for a simple version of encryption - WPA-PSK
• Pre-shared keys are similar to WEP keys, but rotation of the keys will take place, minimizing the risk of cracking
Temporal Encryption Keys
• TKIP is a system that is used to change the encryption in use on the WLAN
• Essentially changes the WEP key so frequently that sniffing the network and cracking the password is not feasible
• This will defeat AirSnort type attacks against the IV
• Not all access points support TKIP
Configure Logging
• In addition to actually performing all of these security functions, make sure that there is also a log of everything that happens
• Many Access Points and RADIUS servers can send log data to a syslog server
• Consider consolidating logs from many APs on to a single log server (such as the Kiwi Syslog server): http://www.kiwisyslog.com/
• Use log analysis and customized alerting to tell you of interesting events (such as failed administrator logon attempts)
• You could even get real-time pages of hacks!
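An added example (not part of the slides) of the log analysis and alerting just described: a small Python routine that parses constructed AP and RADIUS syslog lines and raises alerts for repeated failed administrator logons, MAC-filter rejections and RADIUS Access-Rejects. The message formats, hostnames and regular expressions are assumptions; real vendor syslog formats differ and the patterns would need adjusting.

```python
# Added example, not from the original slides: parse AP / RADIUS syslog lines
# and raise alerts for the kinds of events the slide mentions. The message
# formats, hostnames and regular expressions are constructed for illustration;
# real vendor syslog formats differ and the patterns would need adjusting.
import re
from collections import Counter

# Constructed sample log. The IPs are the classroom addresses from the slides.
SAMPLE_LOG = """\
Mar 10 09:01:12 ap-gym AP: admin login failed for user admin from 192.168.2.173
Mar 10 09:01:15 ap-gym AP: admin login failed for user admin from 192.168.2.173
Mar 10 09:01:19 ap-gym AP: admin login failed for user admin from 192.168.2.173
Mar 10 09:02:02 ap-gym AP: station 00:02:2d:aa:bb:cc associated, SSID USR8054
Mar 10 09:02:40 ap-lib AP: station 00:0c:29:11:22:33 rejected by MAC filter
Mar 10 09:03:05 radius1 IAS: Access-Reject user=jsmith nas=ap-gym reason=bad password
Mar 10 09:03:30 ap-lib AP: admin login succeeded for user admin from 192.168.2.171
"""

# Syslog envelope: timestamp, sending host, free-text message.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Event patterns worth alerting on (assumed message formats).
RULES = {
    "admin_fail": re.compile(r"admin login failed for user (?P<user>\S+) from (?P<src>\S+)"),
    "mac_reject": re.compile(r"station (?P<mac>[0-9a-f:]{17}) rejected by MAC filter"),
    "radius_reject": re.compile(r"Access-Reject user=(?P<user>\S+) nas=(?P<nas>\S+)"),
}


def parse_events(text: str) -> list:
    """Turn raw syslog text into event dicts; lines matching no rule are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for kind, rule in RULES.items():
            hit = rule.search(m["msg"])
            if hit:
                event = {"kind": kind, "ts": m["ts"], "host": m["host"]}
                event.update(hit.groupdict())
                events.append(event)
                break
    return events


def find_alerts(events: list, fail_threshold: int = 3) -> list:
    """Apply simple alerting rules and return human-readable alert strings."""
    alerts = []
    # Repeated failed administrator logons from one source against one AP.
    fails = Counter((e["host"], e["src"]) for e in events if e["kind"] == "admin_fail")
    for (host, src), n in fails.items():
        if n >= fail_threshold:
            alerts.append(f"{n} failed admin logons on {host} from {src}")
    # Every MAC-filter rejection is interesting: an unlisted card tried to join.
    for e in events:
        if e["kind"] == "mac_reject":
            alerts.append(f"MAC filter rejected {e['mac']} on {e['host']}")
    # RADIUS rejections per user, to spot password guessing against 802.1X.
    rejects = Counter(e["user"] for e in events if e["kind"] == "radius_reject")
    for user, n in rejects.items():
        alerts.append(f"RADIUS rejected user {user} {n} time(s)")
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_events(SAMPLE_LOG)):
        print("ALERT:", alert)
```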
Wireless Network Designs
• Where you put your access point(s) in the network has a huge impact on security
• In terms of network design, consider the wireless net as hostile as the Internet
• The least secure place to connect an access point is to your Internal network
• If possible, put on a dedicated network, and force access through a firewall or VPN appliance
Access Points on a DMZ
• Here you control and log Wireless traffic with a firewall
• It may be possible to deny all access by default, but allow access to specific servers and the Internet
(Diagram: the Internet, an Internet router and a firewall; a Wireless DMZ with a Cisco Aironet 350 series access point; an Internal Network with an IBM compatible PC, a RADIUS server, a Macintosh and a laser printer.)
Wireless Networks
• The wireless network, be it behind a firewall or not, may actually be one large Virtual LAN (VLAN)
• Thus, you could have wireless access points all over the building or organization, but on the same VLAN
• This allows for roaming
• It also allows for centralization of all access points to a single firewall device
• Also allows for a single place to monitor all traffic with a protocol analyzer or IDS
Use an Intrusion Detection System
• An Intrusion Detection System (IDS) might alert you to the presence of attacks
• This is another advantage of using a Wireless VLAN (only one IDS port required)
• There are also IDS systems specifically for wireless
• Can use “honey pots” to emulate vulnerable hosts (and tell you about it)
• Can also use software designed to confuse war drivers by sending hundreds or thousands of bogus SSIDs, à la FakeAP
http://www.blackalchemy.to/project/fakeap/
Using a VPN Concentrator
• If you are using a VPN concentrator, you may be able to use totally insecure wireless and force security through existing or new VPN services
(Diagram: a Wireless DMZ with a Cisco Aironet 350 series access point and a laptop, a VPN concentrator, a firewall, and the Internal Network with an IBM compatible PC, a RADIUS server, a Macintosh and a laser printer.)
Policies and Procedures
• Due to the difficulty of controlling wireless, it would be wise to establish some policies and procedures to regulate their usage
• Installation should only be performed by the I.T. department (no individuals or departments should ever install them)
• Try to hook into the purchasing process such that wireless purchase orders require authorization from I.T.
• Verify compliance by wardriving your own organization regularly
Policies and Procedures
• Create minimum mandatory standards for all access points (WEP, etc.)
• Require the use of authentication, and use controlled authentication databases
• Require that people not share encryption keys, passwords, etc.
• Require that APs be turned off when not in use (especially after-hours)
• Lock down clients that have certificates and keys programmed in to them
Discussion
• This presentation will be available at: http://lachniet.com/powerpoint
Mark Lachniet
CISSP, CISA, MCSE, MCNE, CCSE, LPIC-1, TICSA
Technical Director, Security Group
Analysts International
(517) 336-1004 (voice)
(517) 336-1100 (fax)
mailto: [email protected]