Module 6 wireless security



Advantages of wireless:

Convenience: mobile & always connected, roaming

Cheaper and faster to acquire and roll out

Speeds are becoming comfortable

Wireless applications are starting to appear



Wireless open by default
Wireless networks “broadcast” data into the air and anyone can receive the broadcast: anyone can listen to what you’re doing over the wireless.
Certain steps must be taken to protect “users” of wireless networks.

Monitoring/wardriving Tools
◦ Kismet
◦ AirSnort
◦ WEP Crack
◦ NetStumbler
Spoofing tools
◦ FakeAP
Top 8 Security Issues with 802.11b
1. Access Point Mapping
2. SSID Broadcasting
3. SSID Naming Conventions
4. Security Architecture
5. Radio Frequency Management
6. Default Settings
7. Encryption
8. Authentication
Copyright (C) Manageworx 2003
1. Access Point Mapping
Access points can be monitored and located using freely available software, known as ‘war driving.’
2. SSID Broadcasting
(figure: two access points, both broadcasting SSID = Company A)
3. SSID Naming Conventions
(figure: access points broadcasting SSID = tsunami)
Default SSID by vendor:
◦ Cisco = tsunami
◦ 3COM = 101
◦ Agere = WaveLAN
◦ Linksys = Linksys
◦ Dlink = default
5. Radio Frequency Management
Poor RF management will lead to unnecessary transmission of your RF signal into unwanted areas. Also consider other devices which may cause interference such as 2.4GHz cordless phones or Bluetooth.
(figure: RF signal from Building A spilling out into the Parking Lot)
6. Default Settings
Most Access Points come with no security mechanisms enabled.
7. Encryption
Most Access Points are implemented without using some form of Encryption.
◦ Clear Text Passwords
◦ IP Addresses
◦ Company Data
8. Authentication
802.11b does not contain adequate authentication mechanisms. The two forms of authentication included with 802.11b are Open System Authentication (OSA) and Shared Key Authentication (SKA).
Open System Authentication
◦ All you need is the SSID
◦ Negotiation is done in clear text
◦ Exchange: Request (SSID) → Accepted (SSID)
Shared Key Authentication
◦ SSID and WEP Encrypted key required
◦ Exchange: Request (SSID) → Challenge Text (WEP) → Challenge Response (WEP) → Accepted (SSID)




Passive Data Sniffing
Unauthorized Access
Jamming DoS Attack/packet Flood
User Hijacking & Man In The Middle






Security defaults (change them to be more secure)
MAC Filtering
Encryption
Authentication Basic
802.1x Authentication
VPN







Change the default logon password and make it long!
All defaults are known and published on the Net
◦ http://www.phenoelit.de/dpl/dpl.html updated Jan 2007
AP Management Interface
◦ HTTP, SNMP, Telnet
HTTP Login
◦ Linksys: UID=blank PW=admin
◦ DLink: UID=admin PW=blank
◦ Generic: UID=admin PW=admin
SNMP (disable SNMP for home use)
◦ All: PW=public
Change the default from Open system to WPA2; for home use, set a long passphrase
Turn off SSID broadcasting



Identifies the network
Helps others identify whether or not you have left default settings on
Broadcast on by default (turn it off)
◦ Once again, with the default settings your wireless device broadcasts its name, saying “my name is … connect to me”
◦ Turning off SSID broadcasting is called cloaking

Avoid naming your SSID a private or personal code (don’t make it your password or your name)



“MAC Filtering” is where you tell your wireless device what other devices can connect to it.
A MAC address is the hardware number that is network card specific (literally burned into the network card when it is made).
Can be spoofed but is still a good option for homes.
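The last few slides (default logon passwords, SNMP community, SSID defaults and broadcast, encryption mode, passphrase length, MAC filtering) amount to a checklist. The script below turns that checklist into an automated audit of an access point's settings. It is an added example, not code from the slides or from Manageworx: the configuration dicts and their field names are constructed for the demonstration, and the default SSIDs and logins are the ones listed on the slides.

```python
"""Audit an access-point configuration for the default and weak settings the
slides warn about (default SSID, default management login, SNMP 'public',
open/WEP encryption, short passphrase, SSID broadcast, MAC filtering).
Added example: the config dicts are constructed and the field names are assumed."""

# Factory-default SSIDs from the SSID Naming Conventions slide (lower-cased SSID -> vendor)
DEFAULT_SSIDS = {"tsunami": "Cisco", "101": "3COM", "wavelan": "Agere",
                 "linksys": "Linksys", "default": "Dlink"}
# Published default HTTP logins from the slides, as (user, password) pairs
DEFAULT_LOGINS = {("", "admin"), ("admin", ""), ("admin", "admin")}
DEFAULT_SNMP_COMMUNITY = "public"
MIN_PASSPHRASE_LEN = 20          # slide advice: at least 20 random characters
WPA_PASSPHRASE_RANGE = (8, 63)   # length allowed by WPA/WPA2-PSK


def audit_ap(cfg):
    """Return a list of (severity, finding) tuples for one AP config dict."""
    findings = []
    ssid = cfg.get("ssid", "")
    vendor = DEFAULT_SSIDS.get(ssid.lower())
    if vendor:
        findings.append(("high", f"SSID '{ssid}' is the {vendor} factory default"))
    if cfg.get("ssid_broadcast", True):
        findings.append(("low", "SSID broadcast is on; the slides advise cloaking it"))
    login = (cfg.get("admin_user", ""), cfg.get("admin_password", ""))
    if login in DEFAULT_LOGINS:
        findings.append(("high", "management interface still uses a published default login"))
    if cfg.get("snmp_enabled") and cfg.get("snmp_community") == DEFAULT_SNMP_COMMUNITY:
        findings.append(("high", "SNMP enabled with the default community 'public'"))

    mode = cfg.get("security", "open").lower()
    if mode == "open":
        findings.append(("high", "no encryption: passwords, addresses and data travel in clear text"))
    elif mode == "wep":
        findings.append(("high", "WEP is cracked; move to WPA2 (or at least WPA)"))
    elif mode == "wpa":
        findings.append(("medium", "WPA uses RC4; prefer WPA2 (AES) if the hardware supports it"))
    if mode in ("wpa", "wpa2"):
        n = len(cfg.get("passphrase", ""))
        lo, hi = WPA_PASSPHRASE_RANGE
        if not lo <= n <= hi:
            findings.append(("high", f"passphrase length {n} is outside the {lo}-{hi} character range"))
        elif n < MIN_PASSPHRASE_LEN:
            findings.append(("medium", f"passphrase has {n} characters; use at least {MIN_PASSPHRASE_LEN}"))
    if not cfg.get("mac_filter_enabled"):
        findings.append(("info", "MAC filtering off (spoofable, but a cheap extra layer for home use)"))
    return findings


def count_high(findings):
    """Number of high-severity findings in an audit result."""
    return sum(1 for sev, _ in findings if sev == "high")


# Constructed configs: one straight out of the box, one hardened per the slides.
FACTORY_AP = {"ssid": "linksys", "ssid_broadcast": True,
              "admin_user": "", "admin_password": "admin",
              "snmp_enabled": True, "snmp_community": "public",
              "security": "open", "mac_filter_enabled": False}
HARDENED_AP = {"ssid": "bluehouse-net", "ssid_broadcast": False,
               "admin_user": "apadmin", "admin_password": "n0t-the-v3ndor-d3fault-2007",
               "snmp_enabled": False, "snmp_community": "public",
               "security": "wpa2",
               "passphrase": "the green kettle whistles at seven each morning",
               "mac_filter_enabled": True}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY_AP), ("hardened", HARDENED_AP)):
        result = audit_ap(cfg)
        print(f"{name}: {count_high(result)} high-severity findings")
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```

Running it reports four high-severity findings for the factory configuration and none for the hardened one; the hardened passphrase is a 47-character sentence, which is the slides' "type a sentence you can remember" advice in practice.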





WEP – First Wireless Security
◦ Cracked -- Any middle-schooler can crack your WEP key in short order
WPA
◦ Cracked… but
◦ Key changes
WPA2
◦ Cracked… but
◦ Harder to crack than WPA
802.1x
◦ Uses server to authorize user
◦ Can be very secure
802.11i
◦ AES encryption – “uncrackable”




WPA: WPA stands for Wi-Fi Protected Access. WPA is much better than WEP; we recommend that you put at least WPA on your wireless. It has been cracked, but it takes much longer and is almost not worth the effort.
For “workgroups”, laptop carts, home users, etc.
Keep the “secret” long and obscure (set a long passphrase of at least 20 random characters. Better yet, use the full 63 characters by typing a sentence you can remember—just don't make it something that's easily guessed, like a line from a movie.)
Additional weakness: the “secret” can be social-engineered






WPA2: is very effective for keeping most “normal” people off your wireless.
Changes encryption from RC4 to AES
coWPAtty v4 can attack and crack it
Some hardware may not support it
Firmware upgrade may be necessary
Use it if available

Comparison of WEP, WPA and WPA2:

                  | WEP                             | WPA                              | WPA2
Encryption        | RC4                             | RC4                              | AES
Key rotation      | None                            | Dynamic session keys             | Dynamic session keys
Key distribution  | Manually typed into each device | Automatic distribution available | Automatic distribution available
Authentication    | Uses WEP key as AuthC           | Can use 802.1x & EAP             | Can use 802.1x & EAP
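The passphrase advice on the WPA slide (8 to 63 characters, at least 20 random ones) and the remark that WPA2 can still be attacked with a tool like coWPAtty both come down to how the passphrase is turned into the key. The following added example (not from the slides) shows that derivation: WPA/WPA2-PSK computes the Pairwise Master Key as PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt and 4096 iterations, which is why a default SSID is a liability (precomputed tables only pay off for SSIDs many networks share) and why length matters. The IEEE 802.11i test vector is real; the other passphrases and SSIDs are constructed.

```python
"""How a WPA/WPA2 passphrase becomes the 256-bit Pairwise Master Key (PMK), and
why both the passphrase length and the SSID matter. Added example, not code from
the slides; all passphrases and SSIDs except the IEEE test vector are constructed."""
import hashlib

PASSPHRASE_MIN, PASSPHRASE_MAX = 8, 63   # limits set by the WPA-PSK specification


def validate_passphrase(passphrase):
    """A WPA-PSK passphrase is 8 to 63 printable ASCII characters."""
    return (PASSPHRASE_MIN <= len(passphrase) <= PASSPHRASE_MAX
            and all(32 <= ord(c) <= 126 for c in passphrase))


def wpa_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).

    The SSID is the salt: the same passphrase on a different SSID yields a
    different PMK, so a table precomputed for 'linksys' is useless against a
    custom SSID. The 4096 iterations make every guess deliberately slow."""
    if not validate_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def pmk_hex(passphrase, ssid):
    """Hex form of the PMK, as printed by supplicant tools."""
    return wpa_pmk(passphrase, ssid).hex()


def same_passphrase_different_ssid(passphrase, ssid_a, ssid_b):
    """True when two networks using one passphrase still end up with different PMKs."""
    return wpa_pmk(passphrase, ssid_a) != wpa_pmk(passphrase, ssid_b)


# Known-answer test from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE"
IEEE_TEST_VECTOR = ("password", "IEEE",
                    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

if __name__ == "__main__":
    p, s, expected = IEEE_TEST_VECTOR
    print("IEEE test vector reproduced:", pmk_hex(p, s) == expected)
    # Constructed: the slides' sentence-style passphrase on a default vs a custom SSID
    sentence = "the green kettle whistles at seven each morning"
    print("same passphrase, different PMK on 'linksys' vs 'bluehouse-net':",
          same_passphrase_different_ssid(sentence, "linksys", "bluehouse-net"))
    for bad in ("short12", "x" * 64):
        print(f"{bad[:10]!r:14} valid: {validate_passphrase(bad)}")
```

The design point for a defender: the only two inputs under your control are the passphrase (length and unpredictability) and the SSID (uniqueness). The per-session keys in the table above are derived from this PMK later, so a weak PMK undermines everything built on it.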



Open systems authentication
Shared key authentication
EAP / 802.1x




Required by 802.11
Just requires SSID from client
Only identification required is MAC address of client
WEP key not verified, but device will drop packets it can’t decrypt



Utilizes challenge/response
Requires & matches key
Steps
◦ Client requests association to AP
◦ AP issues challenge to client
◦ Client responds with challenge encrypted by WEP key
◦ AP decrypts the client’s response & verifies

WEAK! Attacker sniffs plaintext AND cipher-text!
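To make the four steps and the "WEAK!" verdict concrete, here is a simulation of both 802.11 authentication exchanges with a passive listener on the side. It is an added example, not code from the slides: the SSID, the 40-bit WEP key and the captured-frame list are constructed, and RC4 is implemented inline because WEP encrypts with RC4 keyed by IV||key. The listener never learns the key; what it learns from one Shared Key exchange is the RC4 keystream for that IV, which is the leak the slide is pointing at and the reason Open System plus a real authentication layer (802.1x/EAP, covered next) is preferred.

```python
"""Simulation of the two 802.11 authentication exchanges from the slides, with a
passive observer, to show why Shared Key Authentication is the weaker of the two.
Added example, not from the slides: SSID, WEP key and the 'air' capture list are
constructed; RC4 is implemented inline because WEP uses RC4 keyed with IV || key."""
import random

SSID = "Company A"                       # constructed
WEP_KEY = bytes.fromhex("0123456789")    # constructed 40-bit key shared by AP and clients
CHALLENGE_LEN = 128                      # the 802.11 shared-key challenge is 128 octets


def rc4_keystream(key, n):
    """Plain RC4: key scheduling, then n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_xor(key, iv, data):
    """WEP encrypt/decrypt: XOR with RC4(IV || key); the IV is sent in clear."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(iv + key, len(data))))


def open_system_auth(client_ssid, air):
    """OSA: the request carries the SSID and the AP accepts; no secret is exchanged."""
    air.append(("client->ap", "auth request", client_ssid.encode()))
    ok = client_ssid == SSID
    air.append(("ap->client", "accepted" if ok else "rejected", b""))
    return ok


def shared_key_auth(client_key, air, rng=random.SystemRandom()):
    """SKA: the four steps on the slide. The AP side holds WEP_KEY."""
    air.append(("client->ap", "auth request", SSID.encode()))                 # step 1
    challenge = bytes(rng.getrandbits(8) for _ in range(CHALLENGE_LEN))
    air.append(("ap->client", "challenge", challenge))                        # step 2, in clear
    iv = bytes(rng.getrandbits(8) for _ in range(3))
    response = wep_xor(client_key, iv, challenge)
    air.append(("client->ap", "response", iv + response))                     # step 3, IV in clear
    ok = wep_xor(WEP_KEY, iv, response) == challenge                          # step 4
    air.append(("ap->client", "accepted" if ok else "rejected", b""))
    return ok


def observer_learns(air):
    """What a passive listener gets from one exchange. For OSA: nothing. For SKA:
    the IV and, from plaintext XOR ciphertext, the RC4 keystream for that IV,
    without ever knowing the key."""
    msgs = {label: payload for _, label, payload in air}
    if "challenge" not in msgs or "response" not in msgs:
        return None
    iv, ct = msgs["response"][:3], msgs["response"][3:]
    keystream = bytes(p ^ c for p, c in zip(msgs["challenge"], ct))
    return iv, keystream


if __name__ == "__main__":
    capture = []
    print("OSA accepted:", open_system_auth(SSID, capture),
          "| observer learns:", observer_learns(capture))
    capture = []
    print("SKA accepted:", shared_key_auth(WEP_KEY, capture))
    iv, ks = observer_learns(capture)
    print(f"observer holds {len(ks)} keystream bytes for IV {iv.hex()};",
          "matches the real keystream:", ks == rc4_keystream(iv + WEP_KEY, CHALLENGE_LEN))
```

The detection angle is the same as the weakness: every Shared Key exchange puts a challenge and its ciphertext on the air, so a wireless IDS that sees SKA frames on a network that should be running WPA2/802.1x has found a misconfigured or rogue access point.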



Encapsulates EAP traffic over LAN (aka EAPoL)
EAP: Standard for securely transporting authC data
Supports a variety of authentication methods
◦ LEAP, EAP-TLS, etc.

Port-based – only access is to the authentication server until authentication succeeds
◦ Similar to what’s used on Ethernet switches

Originally designed for campus-wired networks
Requires little overhead by access point


3 entities
◦ Supplicant (e.g., laptop w/wireless card)
◦ Authenticator (e.g., access point)
◦ Authentication server (e.g., RADIUS)
Keys
◦ Unique session key for each client
◦ New WEP key each time client reauthenticates
◦ Broadcast key
  ◦ Shared by all clients
  ◦ Mixed with IV to generate session keys
  ◦ Rotated (Broadcast Key Rotation – BKR) regularly to generate new key space




Authenticates users before granting access to L2 media
Makes use of EAP (Extensible Authentication Protocol): PEAP, EAP-TLS, EAP-TTLS, etc.
802.1x authentication happens at L2 – users will be authenticated before an IP address is assigned
source: nwfusion.com
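The 802.1x slides describe a port model (nothing but EAP passes until the server says yes), three entities, and per-client keys that are renewed on every reauthentication. The following added example (not from the slides or any vendor) models exactly that: an authenticator keeps one controlled port per supplicant, relays EAPOL to a RADIUS-like server, drops every other frame while the port is unauthorized, and hands out a fresh session key on each success. The user database, MAC address and frames are constructed, and the whole EAP conversation is collapsed into one identity/password round trip for brevity; real methods such as PEAP or EAP-TLS run inside TLS and never carry a clear-text password.

```python
"""Toy model of 802.1x port-based access control with the three entities from the
slides: supplicant, authenticator (AP) and authentication server (RADIUS-like).
Added example, not code from the slides. The user database and frames are
constructed, and the EAP exchange is collapsed into one identity/password round
trip; real EAP methods (PEAP, EAP-TLS, ...) never carry a clear-text password."""
import hmac
import secrets


class AuthServer:
    """Authentication server (e.g. RADIUS): the only party holding user credentials."""
    def __init__(self, users):
        self.users = users                      # identity -> password (constructed)

    def check(self, identity, password):
        stored = self.users.get(identity, "")
        return identity in self.users and hmac.compare_digest(stored.encode(), password.encode())


class Authenticator:
    """Access point. Per supplicant it keeps a controlled port that starts
    'unauthorized': only EAPOL frames are relayed to the server; every other
    frame (DHCP, IP, ...) is dropped until the server answers EAP-Success."""
    def __init__(self, server):
        self.server = server
        self.port = {}           # supplicant MAC -> "unauthorized" | "authorized"
        self.session_key = {}    # supplicant MAC -> unique per-client session key
        self.log = []

    def receive(self, mac, frame):
        state = self.port.setdefault(mac, "unauthorized")
        kind = frame["type"]
        if kind == "EAPOL-Start":                       # uncontrolled port: always passes
            return self._authenticate(mac, frame)
        if kind == "EAPOL-Logoff":
            self.port[mac] = "unauthorized"
            self.session_key.pop(mac, None)
            return {"type": "port-unauthorized"}
        if state != "authorized":                       # controlled port blocks everything else
            self.log.append(f"DROP {kind} from {mac}: port unauthorized")
            return {"type": "dropped"}
        self.log.append(f"FORWARD {kind} from {mac}")
        return {"type": "forwarded"}

    def _authenticate(self, mac, frame):
        # The AP relays to the server and holds no credentials of its own.
        if not self.server.check(frame["identity"], frame["password"]):
            self.port[mac] = "unauthorized"
            self.log.append(f"EAP-Failure for {mac}")
            return {"type": "EAP-Failure"}
        self.port[mac] = "authorized"
        self.session_key[mac] = secrets.token_bytes(16)   # new key on every (re)authentication
        self.log.append(f"EAP-Success for {mac}; controlled port authorized")
        return {"type": "EAP-Success", "session_key": self.session_key[mac]}


def demo():
    """Walk one laptop through the port states and return what was observed."""
    ap = Authenticator(AuthServer({"alice": "correct horse battery staple"}))   # constructed
    mac = "00:11:22:33:44:55"                                                  # constructed
    good = {"type": "EAPOL-Start", "identity": "alice", "password": "correct horse battery staple"}
    bad = dict(good, password="wrong")
    dhcp = {"type": "DHCP-Discover"}
    before = ap.receive(mac, dhcp)["type"]                 # no IP address before authentication
    failed = ap.receive(mac, bad)["type"]
    after_fail = ap.receive(mac, dhcp)["type"]
    first = ap.receive(mac, good)
    after_ok = ap.receive(mac, dhcp)["type"]
    second = ap.receive(mac, good)                          # reauthentication: fresh key
    ap.receive(mac, {"type": "EAPOL-Logoff"})
    after_logoff = ap.receive(mac, dhcp)["type"]
    return {"before": before, "bad_auth": failed, "after_fail": after_fail,
            "after_ok": after_ok, "rekeyed": first["session_key"] != second["session_key"],
            "after_logoff": after_logoff, "log": ap.log}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value if key != "log" else "\n  " + "\n  ".join(value))
```

The run shows the slide's claim in action: the DHCP frame is dropped before authentication and after a failed attempt, forwarded only once the server returns EAP-Success, and the second authentication yields a different session key from the first.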




Browser-based authentication
SSL encrypted
Use for guest access only
Put on separate VLAN or network