Office of the State Auditor North Carolina

Wireless Access and Security
Dr. Lenny Superville, Ph.D
CIO: NC Office of the State Auditor
NC Digital Government Summit
September 13-14, 2005
Focus in this Presentation
• Why do some government agencies choose proprietary instead of standards-based wireless networks (WLANs), and why do some not?
• Some well used proprietary wireless networks – Secret
• A survey of 802.11 (Wi-Fi)/WLAN wireless networking standards – Open
• Hackers’ tools used to sniff or intrude on WLAN networks – Threats
• Effective options to keep unauthorized users/hackers out of WLAN networks – Countermeasures
• A Protection Methodology for WLAN Mobile Computing – While Performing Day-to-Day Operations
At the End of this Presentation, you should be able to
understand:
• The major security concerns associated with the various
wireless topologies, especially standards based
• The vulnerabilities of WLAN mobile computing
environments
• The defenses available to protect WLAN mobile computing
environments
• Best Practices to implement and maintain data security
while using wireless data communications in day-to-day
operations
Well Known Examples of Secured Proprietary Wireless/Wired Networks
Proprietary means (secret encryption algorithm + hardware):
• NIPRNET – (DoD) Unclassified but Sensitive Internet Protocol Router Network (BLUE)
• SIPRNET – (DoD) Classified Internet Protocol Router Network (RED)
• Land Warrior Computer/Radio Subsystem – (Army)
• CAISI – (Army) Combat Service Support Automated Information System Interface
The less well known, the better the security.
Beware: this technology requires additional, costly hardware and IT staff to implement and maintain.
Characteristics of Proprietary Enterprise Wireless Secured Networks – Complete Solution
• Sophisticated Encryption
• Strong Authentication
• Stringent Access Control
• http://www.airdefense.net/
• http://www.cisco.com/
• http://www.airmagnet.com/
This combined technology implementation is so successful because it acts as a secure gateway to the numerous networks that must be accessed.
• Questions – 5 minutes
WLANS - Wireless Networking/IEEE Standards - Open
WEP/WLAN/Radio Waves
• 802.11 or Wi-Fi
• 802.11b: 2.4 GHz, 11 Mbps
• 802.11a: 5.8 GHz, 54 Mbps
• 802.11g: 2.4 GHz, 54 Mbps
• 802.11i: Security solution for 802.11a/b/g
802.11a and 802.11g are both 54 Mbps; 802.11g has the lower operating frequency and therefore the greater range.
EAP, short for Extensible Authentication Protocol, is a general protocol for authentication.
IEEE 802.1x specifies how EAP should be encapsulated in LAN frames.
IEEE 802.11 WLANS (Standards Based - Open)
WEP – Fixed Key: can be broken; machine authorization only
• EAP-MD5 – No certificates, TKIP (rotating key – dictionary attack), human authentication (802.1x), server authorization
• EAP-LEAP – No certificates, TKIP
• EAP-TLS – 2 certificates, TKIP
• EAP-FAST – No certificates (all Cisco)
• EAP-TTLS – 1 certificate, TKIP
• EAP-PEAP – 1 certificate, TKIP
• EAP-WPA – 802.11 TKIP?
• EAP-WPA2 – 802.11, CCMP, AES (3 key sizes)
• AES may be the answer to securing standards-based WLANs.
Examples of Government Efforts to Implement 802.11 Wireless Networks (WLANs)
• In the 1990s the Wired Equivalent Privacy (WEP) protocol was attempted, but in 2001 security exposures were found in IEEE 802.11b networks.
• In the 1990s the Data Encryption Standard (DES) was found to be vulnerable.
• As of 2002, the Advanced Encryption Standard (AES), with its 3 different key sizes – 128, 192 and 256 bit – may be the solution.
• As of 2005, AES is still the best bet for a secured WLAN.
Threats to WLANS - A threat can be the perception of insecurity
War Driving – driving through a street to discover wireless networks – for possible attack or just for the hell of it.
• Netstumbler is a well known freeware tool used to discover WLANs if the SSID (network name) broadcast is enabled
• Kismet discovers WLANs even if the SSID broadcast is disabled
• KisMAC – can be used for security/intrusion
Examples of War Driving Tools – Intrusion is entry by force or without permission or welcome
Check http://www.netstumbler.com
• Netstumbler (Windows); Ministumbler (CE/PocketPC)
Check http://www.kismetwireless.net
• Kismet (Linux/Unix)
Check http://www.remote-exploit.org
• Wellenreiter (Linux/Unix)
Some Major Threats – You should know
• Wired mobile LANs used for training at corporate sites (e.g. Ethernet)
• Wireless mobile LANs used for training at corporate sites (e.g. WEP, EAP-WPA2)
• Wireless Internet Service Provider (WISP) – Theft of Service
• Hotspot Hijinks – Pagejacking
• Wireless Sniffing – Interception of Traffic
Note: Wireless sniffing is passive in nature and hence undetectable.
Countermeasures to WLANs – A countermeasure is an action taken to offset another action
A countermeasure is a system (usually for a military application) designed to prevent weapons (threats) from acquiring and/or destroying a target (WLANs).
WLANs Countermeasures: Are they reliable?
Wired Equivalent Privacy (WEP): a security protocol for wireless local area networks (WLANs)
Attributes:
• Defined in the 802.11b standard
• Component of IEEE security for 802.11
Concerns:
• AirSnort, once enough packets are gathered, can guess the encryption password in less than a second
• Uses RC4 encryption
• Improper use of the IV makes the protocol vulnerable
• Uses only one key – never changed
Note: 128-bit WEP is not officially part of the standard – some manufacturers’ key entry methods are incompatible
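As an added illustration that is not part of the original slides, the following Python models WEP’s per-frame keying (RC4 seeded with the 24-bit IV followed by the static key; the ICV is omitted) and shows why the RC4, IV and single-key concerns above belong together: under a key that is never changed, the 24-bit IV is expected to repeat after only a few thousand frames (birthday bound), and two frames under a repeated IV share a keystream, so their plaintexts are no longer protected from each other. The key, IV and frame contents are constructed for the demonstration.

```python
import math

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Generate n bytes of RC4 keystream for the given key (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(iv: bytes, static_key: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 per frame with IV (3 bytes) || static key; the ICV is omitted here."""
    keystream = rc4_keystream(iv + static_key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))

def frames_until_iv_repeat(probability: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: frames sent before some IV repeats with the given probability."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))

def recover_second_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Same IV + same static key = same keystream, so C1 ^ C2 = P1 ^ P2.
    If P1 is known (e.g. a predictable header), P2 falls out directly."""
    return bytes(a ^ b ^ p for a, b, p in zip(c1, c2, known_p1))

# Constructed values for the demonstration only: not a real key, IV or captured traffic.
STATIC_KEY = bytes.fromhex("0123456789")     # 40-bit WEP key that is never rotated
REUSED_IV = bytes.fromhex("a1b2c3")          # a 24-bit IV, bound to recur under one key
FRAME_1 = b"HDR:HELLO FROM THE AUDITOR"      # assume this frame's content is known
FRAME_2 = b"HDR:TRANSFER APPROVED 1234"      # the frame whose confidentiality is lost

def demo() -> bytes:
    """Encrypt two frames under the same IV and show the second one is recoverable."""
    c1 = wep_encrypt(REUSED_IV, STATIC_KEY, FRAME_1)
    c2 = wep_encrypt(REUSED_IV, STATIC_KEY, FRAME_2)
    return recover_second_plaintext(c1, c2, FRAME_1)

if __name__ == "__main__":
    print("frames before a 24-bit IV repeats (p = 0.5):", frames_until_iv_repeat())
    print("second frame recovered via IV reuse:", demo())
```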
Countermeasures: Reliable? (Cont’d)
• Service Set Identifier (SSID)/password, also referred to as a network name
• Attributes:
  - Blanks the SSID field in the 802.11 Beacon frame
  - Disables response to any Probe Request
  - No SSID – no association – (T/F)?
• Concerns:
  - The SSID is broadcast in all client association frames in the clear
  - Tools can force a client to disassociate and re-associate to expose the SSID
  - ESSID-Jack, a freeware tool, can expose a hidden SSID in seconds
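The frame-format point above, as an added example that is not from the original slides: a small Python parser for 802.11 management-frame information elements, applied to a constructed beacon with a blanked SSID and a constructed association request from a client, shows that “hiding” the SSID only removes it from the beacon while the client’s own frames still carry it in the clear. The network name, capability values and rates are constructed.

```python
import struct

SSID_ELEMENT_ID = 0                          # 802.11 element ID for the SSID
RATES_ELEMENT_ID = 1                         # Supported Rates element
RATES = bytes([0x82, 0x84, 0x8B, 0x96])      # 1, 2, 5.5, 11 Mbps flagged as basic rates

def ie(element_id: int, value: bytes) -> bytes:
    """Encode one information element as ID, length, value."""
    return bytes([element_id, len(value)]) + value

def parse_information_elements(tagged: bytes) -> dict:
    """Walk the tagged parameters of a management frame into {element_id: value}."""
    elements, offset = {}, 0
    while offset + 2 <= len(tagged):
        element_id, length = tagged[offset], tagged[offset + 1]
        value = tagged[offset + 2:offset + 2 + length]
        if len(value) != length:             # refuse frames whose length field overruns the body
            raise ValueError("truncated information element")
        elements[element_id] = value
        offset += 2 + length
    return elements

def build_beacon_body(ssid: bytes) -> bytes:
    """Beacon fixed fields (timestamp 8, interval 2, capability 2) followed by the IEs."""
    return struct.pack("<QHH", 0, 100, 0x0411) + ie(SSID_ELEMENT_ID, ssid) + ie(RATES_ELEMENT_ID, RATES)

def build_assoc_request_body(ssid: bytes) -> bytes:
    """Association Request fixed fields (capability 2, listen interval 2) followed by the IEs."""
    return struct.pack("<HH", 0x0411, 10) + ie(SSID_ELEMENT_ID, ssid) + ie(RATES_ELEMENT_ID, RATES)

def ssid_from_beacon(body: bytes) -> bytes:
    return parse_information_elements(body[12:]).get(SSID_ELEMENT_ID, b"")

def ssid_from_assoc_request(body: bytes) -> bytes:
    return parse_information_elements(body[4:]).get(SSID_ELEMENT_ID, b"")

def hidden_ssid_exposed(beacon_body: bytes, assoc_body: bytes) -> bool:
    """True when the AP blanks its SSID in the beacon but a client still sends it in the clear."""
    return ssid_from_beacon(beacon_body) == b"" and ssid_from_assoc_request(assoc_body) != b""

# Constructed sample: an AP "hiding" its network name and a client joining it.
HIDDEN_BEACON = build_beacon_body(b"")
CLIENT_ASSOC = build_assoc_request_body(b"AUDITOR-WLAN")

if __name__ == "__main__":
    print("SSID in beacon:", ssid_from_beacon(HIDDEN_BEACON))
    print("SSID in association request:", ssid_from_assoc_request(CLIENT_ASSOC))
    print("hidden SSID exposed by client:", hidden_ssid_exposed(HIDDEN_BEACON, CLIENT_ASSOC))
```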
Countermeasures: Reliable? (Cont’d)
• MAC Address Filtering: Media Access Control address, a hardware address that uniquely identifies each node of a network
• Attributes:
  - Place authorized MACs in each AP
  - If you don’t have a valid MAC, you can’t get in (T/F)?
• Concerns:
  - MACs are easily sniffed
  - More than 50% of WLANs in major cities have no security.
Countermeasures: Reliable? (Cont’d)
Cisco LEAP (Lightweight Extensible Authentication Protocol):
Attributes:
- Username/password required for access
- WEP keys rotate, making AirSnort useless
- EAP-MSCHAPv2 can be used as an inner authentication method with EAP-PEAP and EAP-TTLS.
Concern:
- Use of MS-CHAPv2 exposes credentials to a devastating and efficient dictionary attack
See http://asleap.sourceforge.net for additional details
Best Buy and Lowe’s have experienced WLAN security breaches
Countermeasures: Reliable? (Cont’d)
IPSec Overlay: IPSec is an Internet standard framework for the establishment and management of data privacy between network entities.
Attributes:
NAT and NAPT are techniques used to share and hide private IP addresses on edge devices like routers and firewalls.
Concerns:
Unfortunately, when an IPsec session runs through NAT or NAPT, security is often compromised:
1. Broadcast frames unencrypted
2. ARP poisoning / DoS attack
3. Client protection only after authentication
Countermeasures: Reliable? (Cont’d)
802.1x / WPA / 802.11i: Wi-Fi Protected Access for WLANs
Attributes:
• In the 802.11 standard, 802.1x authentication was optional; 802.1x authentication is required in WPA.
• The 802.11i standard addresses many of the security issues of the original 802.11 standard.
Concerns:
• Single-factor authentication (with few exceptions)
• Multiple EAP types offer questionable security and vendor incompatibilities
• Attacks have already been presented against WPA
WPA has a built-in security mechanism to prevent authentication attacks that shuts down APs, sometimes for up to one minute.
Questions – 5 minutes
Best Practices to implement & maintain data security – While Performing Day-to-Day Operations with WLANs
• Risk Analysis – assess vulnerabilities of the security architecture
• Well written security policies
• A secure environment for applications that produce data – strong passwords
• Secure servers where the data is stored – robust physical/network access controls
• Secure network level – firewall, IPS, IDS, etc.
• Protection against rogue access points
A Protection Methodology
Now that some of the risks are understood, some prevention methods in a network infrastructure will be discussed.
• a. Host Protection – Remote Users
• b. Data Encryption – Remote Users & Internal Network
• c. Access Methods – Client vs. Clientless VPNs
• d. Authentication Technologies – Control Access to Resources
• e. Endpoint Security Compliance – Minimum Requirements for Access
• f. Protecting Internal Systems – Modular Approach
• g. Environments Favorable to Working with Wireless – Firewalls, Anti-Virus, Strong Authentication, etc.
Example of a Secure Wireless/Wired Network Infrastructure
a. Host Protection (Remote User) – A centrally managed anti-virus platform is key
Protecting a remote host is paramount to protecting corporate data, assets and services. This can be accomplished by using a centrally managed anti-virus platform that:
• Provides visibility to remote systems upon connection
• Pushes updates to remote systems
• Synchronizes log information
A centrally managed host firewall platform that resides on the laptops and also provides some form of intrusion detection/prevention will protect a remote host and the internal network.
Visibility on connection attempts and intrusion attempts will enable system administrators to fine-tune and adjust the technical controls and strengthen the overall posture of the organization.
b. Data Encryption – provides a measure of confidentiality
• Users need to be aware of the risks associated with data on mobile devices. Ask yourself “what will be the situation if this device is lost or stolen?”
• Data encryption provides a measure of confidentiality if the laptop were to be lost, stolen or accessed by an unauthorized individual.
• This can be accomplished with numerous commercially available products.
• One drawback to the use of data encryption is the potential for a user to experience latency while working with encrypted files.
c. Access Methods – A case for Client VPN (Fat Client)
A traditional virtual private network (VPN) connection that utilizes industry standard encryption can provide local-like access to remote resources.
VPNs typically require the use of a client or software utility that provides the mechanism for remote connectivity.
VPN clients can provide a level of security to the remote host by disallowing unsolicited connections from unauthorized hosts.
c. Access Methods – A case for Clientless VPN (Thin Client)
Clientless VPNs are becoming more popular and are implemented using Secure Sockets Layer (SSL) technology. These operate in the same manner as a secured website (online banking) and can provide an access capability similar to a client VPN.
There are limitations as to the types of services that can be used, but many of these limitations can be overcome by implementing enhancements such as web-enabled application servers.
Web-enabled application services, e.g. Citrix, can also mitigate many of the issues relative to client VPNs.
This approach provides only a “window” for the remote user to perform tasks, while using the operating system and resources of the application server.
System administrators can focus much of their effort on maintaining the application server and less on the remote hosts.
d. Authentication Technologies – To control access to resources
User authentication is the method used to control access to resources and ensure that only authorized individuals are permitted access to internal systems.
A standard username and password are the primary credentials required for access to most systems. These, however, can be easily compromised or guessed if a strong password policy isn’t implemented and enforced.
Two-factor authentication is a method that combines something you know (word, phrase, or numbers) with something you have (token). This method of access ensures that only individuals in possession of a device (token) with the correct PIN can gain entry to corporate resources.
Brute force attacks launched against a corporate asset protected by two-factor authentication are futile.
e. Endpoint Security Compliance – minimum requirements for access
• Written policy, standards and guidelines are important and must address such issues as support, operating systems, minimum browser versions and minimum patch levels.
• This policy should also state what is prohibited, such as user-installed applications or spyware.
• This security policy enforcement can be accomplished with technical controls as a user attempts to connect to the network.
e. Endpoint Security Compliance – (Cont’d)
• Hosts can be audited for domain membership, the existence and status of anti-virus software, patch revision levels, intrusion detection signature revision levels and operating system configuration.
• Checks can also be performed to ensure that rogue software is not present on the machine, such as peer-to-peer file sharing applications and instant messaging.
• Checking the remote host “at the door”, prior to allowing access to internal resources, is a measure that can prevent the introduction of a multitude of issues to a protected network.
f. Protecting Internal Systems – modular, VLANs, defense in depth
A solid network design will take a modular approach by placing resources in a manageable area that can be monitored and protected.
The use of virtual local area networks (VLANs) in conjunction with intrusion detection and intrusion prevention (IDS/IDP) systems can provide an additional layer of protection from potential attacks via remotely connected hosts. This method adds an additional layer of visibility to network activity internal to the organization.
Providing access to internal resources is necessary, but ensuring that the internal network is protected from home/hotel/airport, etc. users is oftentimes overlooked.
g. Environments Favorable to Wireless Computing – Firewall protection, anti-virus and strong authentication
Accessing the internal network is possible from many environments and across many types of potentially hostile networks.
To protect the remote device and its data while in these hostile environments, several minimum security controls should be in place:
Firewall protection, anti-virus and strong authentication for the remote access technology are essential.
Firewall protection can exist in the form of software on the PC, or in the form of hardware like the small consumer devices that are available.
Wireless hotspots, foreign corporate environments, hotel rooms, home networks and coffee shops are all capable of being “home” to a remote user, and all present threats to the “trusted” device while remote.
Any Questions?
Dr. Lenny Superville, Ph.D.
Chief Information Officer (CIO)
Office of the State Auditor
2 S. Salisbury Street
20601 Mail Service Center
Raleigh, NC 27699-0601
Tele: (919) 807 7625
Fax: (919) 807 7647