Wireless Security Part 2

Part 2
1
Contents

- Wireless security issues
- Explore the various security features available on Access Points
- Look at encryption and authorisation with WEP, WPA and WPA2 (802.11i)
- Look at 802.1X authorisation
- Discuss hotspots and their security
- Share the wireless security needs/issues of your schools
Headlines

- Teens charged with breaking into school computer (Jan 2009): Jonathan To, 18, and another teen were charged with computer theft after a routine audit discovered a discrepancy between grade reports and school transcripts.
- Kid hacks school computer on teacher's dare (Jan 2001): Fifteen-year-old Washington State high school student Aaron Lutes defeated filtering/security software on a school computer system after his teacher dared the class to try it.
- US school cheat hack suspect faces 38 years jail (June 2008): Tanvir Singh, 18, allegedly conspired with Khan in an abortive attempt to break into the school and steal a test. The dynamic duo were caught by a school caretaker in the process of trying to log onto a teacher's computer.
- Hong Kong student hacks prizes in McDonald's contest (Nov 2008): A Hong Kong student has been convicted of hacking into McDonald's website to claim all the prizes in an online competition.
Wireless Weaknesses or Hazards

Access point weaknesses
- Physically insecure installation location
- Omni-directional antenna that sends signals in every direction
- Signal power level too high, allowing radio signals to leak outside of your building
- MAC address controls that are easily circumvented
- WEP, WPA or WPA2 not being used, or not being used properly
- Management interfaces that are publicly accessible, often with weak or no administrator password protection

Wireless client weaknesses
- Windows systems not protected by a personal firewall that are sharing drives, providing various types of remote connectivity and missing critical software patches
- Dual-homed systems that are connected to both the wired and wireless networks at the same time
- Wireless clients with ad-hoc mode enabled
- Printers installed on the wired network with wireless connectivity left enabled
Security needs

- Ensure no unauthorised access
  - Protect the network from illegitimate clients connecting to your network and using your resources
  - "Man in the middle" placed in your network to capture your network related
- Several techniques
  - SSID, MAC address, authorisation with passphrase, digital certificate, RADIUS server
SSID – Service Set Identifier

- Name given to identify a wireless network
- All devices must use this same name to communicate
- Can be up to 32 characters
- Broadcast at predetermined times; a client looks for the SSID when joining the network
- Disable SSID broadcasting – "invisible network"
Workshop – SSID security

1. AP – set up an SSID (ITEDxx where xx = 01-08) and inform your team members of the full SSID name
2. Client – use Windows "Wireless Zero Configuration" to connect to the available wireless network via "available wireless networks"
3. Repeat the above but hide (disable broadcasting of) the SSID
4. Can clients connect, and is your network protected?
MAC Address filter

- A MAC (Media Access Control) address (physical address) is 12 hex characters. Example: 02-00-54-55-4E-01
- A MAC address filter can be used to control which clients can access the wireless network
- The administrator enters the list of MAC addresses into the AP
Workshop – MAC Address filtering

1. Group members determine the MAC address of your wireless network card
2. AP – administrator enters the list of MACs into the AP and sets the AP to "Open" security
3. Client – use Windows "Wireless Zero Configuration" to connect to your wireless network
4. AP – disable MAC address filtering
5. Client – repeat step 3
6. Were you able to connect successfully?
Two security features

- Encryption
  - Prevents the content from being read by unauthorised people
  - The network traffic is encrypted into a format that is understood by the other party only
- Authorisation
  - Two uses
  - Authenticate that the accessing device or person is the correct one
  - Used to verify that the information comes from a trusted source
Encryption Standards

Wireless technology transmits information through space, hence security features have been designed into the relevant protocols. Security considerations:
- Message protection
- Access authentication/authorisation

- WEP – Wired Equivalent Privacy
- WPA – Wi-Fi Protected Access
- WPA2, equivalent to IEEE 802.11i
Wireless LAN authorisation

- Two basic pieces of information
  - SSID (aka Network Name or Network ID)
  - "Password", shared key or "passphrase"
- WEP
- WPA
- 802.11i (WPA2)
- Digital certificate
  - RADIUS at the backend
  - CA
Network Access Protection

To ensure only authorised clients connect, the Service Set ID (SSID) must match. An Access Point is required: select the INFRASTRUCTURE setting.

(Diagram: infrastructure mode, client configured with the SSID of the Access Point)
WEP Encryption Key

- Wired Equivalent Privacy security
- WEP encryption is available on all 802.11a/b/n protocols
- The standard requires only a 40-bit key (64-bit key) but almost all vendors provide 104-bit (128-bit key) and some even provide a 256-bit WEP key.
- WEP uses the RC4 algorithm to encrypt the packets of information as they are sent out
Encryption Explained

Each key ("packet key") consists of two parts:
- Pre-shared password – supplied by the user
- Initialisation Vector (IV) – randomly generated

Example: 64-bit key
- Pre-shared password, supplied by the user (40 bits) = A7z9b = 41377A3962
- Initialisation Vector, randomly generated by the system (24 bits) = 810 = 383130
- Packet key = pre-shared key + IV = A7z9b810 = 41377A3962383130
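The packet-key construction above carried through RC4, as an added example that is not part of the slides. It uses the slide's key A7z9b and IV 810; in the 802.11 specification the IV goes in front of the key in the RC4 seed, and the final check shows the keystream reuse that makes the 24-bit IV WEP's weak point.

```python
# Added example (not from the slides): build the WEP-64 per-packet RC4 seed from
# the slide's 40-bit pre-shared key and 24-bit IV, encrypt sample frames, and
# show the keystream reuse that makes the short IV the weak point of WEP.

def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4 key-scheduling algorithm followed by the PRGA; returns `length` bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_packet_key(psk: bytes, iv: bytes) -> bytes:
    """WEP-64 RC4 seed. 802.11 puts the 24-bit IV in front of the 40-bit key;
    the slide's A7z9b810 simply lists the two parts in the other order."""
    if len(psk) != 5 or len(iv) != 3:
        raise ValueError("WEP-64 needs a 5-byte key and a 3-byte IV")
    return iv + psk

def wep_encrypt(psk: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """XOR the frame body with the RC4 keystream; decryption is the same call."""
    ks = rc4_keystream(wep_packet_key(psk, iv), len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

PSK = b"A7z9b"  # the slide's 40-bit key, hex 41377A3962
IV = b"810"     # the slide's 24-bit IV, hex 383130

def iv_reuse_leaks(iv: bytes) -> bool:
    """Two frames sent under the same IV share one keystream, so the XOR of the
    ciphertexts equals the XOR of the plaintexts. With only 2^24 IVs a busy WEP
    network repeats IVs quickly, which is one reason WEP is considered broken."""
    p1 = b"constructed frame one, sample only"   # constructed sample payloads
    p2 = b"constructed frame two, sample only"
    c1 = wep_encrypt(PSK, iv, p1)
    c2 = wep_encrypt(PSK, iv, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)
```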
Workshop – WEP security

- AP – administrator formulates a 5-character pre-shared key and enters it in Key 1. Set security = "Static WEP", shared key. Inform all team members of the SSID and pre-shared key
- Client – connect with the given SSID and WEP pre-shared key
What is WPA?

There is a MAJOR weakness in WEP: the encryption can be cracked very easily.

- The Wi-Fi Alliance looked into an alternative with the IEEE
- An interim security standard for replacing WEP
- A subset of the technology that is taken from IEEE 802.11i
- It is designed to secure all versions of 802.11, including a/b/g/n
- The new Temporal Key Integrity Protocol (TKIP) encryption is used
- Employs 802.1X authentication with one of the standard EAP (Extensible Authentication Protocol) methods – digital certificate, user name and password, smart card.
TKIP (Temporal Key Integrity Protocol)

- Improvement to WEP
- Longer key for encryption – 128 bits
- Key mixing function for EVERY packet
- Each packet transmitted is assigned a 48-bit serial number which increases with each new packet – to prevent a fake AP from mounting a "replay attack"
- A new base key for each wireless client associated with the AP
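The 48-bit serial number (the TKIP Sequence Counter, TSC) and the receiver's replay rule, as an added example that is not from the slides; the header layout follows the 802.11 expanded TKIP MPDU, and the per-sender state class is an assumed structure.

```python
# Added example (not from the slides): decode the 48-bit TKIP Sequence Counter
# (TSC), the "serial number" of the slide, from a TKIP frame header and apply the
# receiver's replay rule. Header layout follows the 802.11 expanded TKIP MPDU.

def tkip_tsc_from_header(hdr: bytes) -> tuple[int, int]:
    """Parse the 8-byte TKIP IV/ExtIV field:
    TSC1, WEPSeed[1], TSC0, KeyID|ExtIV, TSC2, TSC3, TSC4, TSC5.
    Returns (key_id, tsc); raises on a malformed header."""
    if len(hdr) != 8:
        raise ValueError("TKIP IV/ExtIV header is 8 bytes")
    tsc1, seed1, tsc0, keyid_byte = hdr[0], hdr[1], hdr[2], hdr[3]
    if not keyid_byte & 0x20:
        raise ValueError("ExtIV bit not set: not a TKIP frame")
    if seed1 != (tsc1 | 0x20) & 0x7F:
        raise ValueError("WEPSeed[1] inconsistent with TSC1")
    tsc = tsc0 | (tsc1 << 8) | (int.from_bytes(hdr[4:8], "little") << 16)
    return keyid_byte >> 6, tsc

def tkip_header(tsc: int, key_id: int = 0) -> bytes:
    """Inverse of the parser: the header a transmitter emits for a given TSC."""
    if not 0 <= tsc < 1 << 48:
        raise ValueError("TSC is 48 bits")
    tsc0, tsc1 = tsc & 0xFF, (tsc >> 8) & 0xFF
    iv = bytes([tsc1, (tsc1 | 0x20) & 0x7F, tsc0, 0x20 | (key_id << 6)])
    return iv + (tsc >> 16).to_bytes(4, "little")

class TkipReplayCheck:
    """Per-transmitter replay state (assumed structure). TKIP discards any frame
    whose TSC is not strictly greater than the last one accepted from that sender,
    so a captured frame re-injected later is dropped rather than decrypted."""

    def __init__(self) -> None:
        self.last_tsc: dict[bytes, int] = {}

    def accept(self, sender_mac: bytes, hdr: bytes) -> bool:
        _, tsc = tkip_tsc_from_header(hdr)
        if tsc <= self.last_tsc.get(sender_mac, -1):
            return False  # replayed or out-of-order frame: drop it
        self.last_tsc[sender_mac] = tsc
        return True
```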
WEP vs WPA

Encryption
- WEP: Flawed, cracked by scientists and hackers. WPA: Fixes all WEP flaws
- WEP: 40-bit keys. WPA: 128-bit keys
- WEP: Static – same key used by everyone on the network. WPA: Dynamic session keys – per user, per session, per packet keys
- WEP: Manual distribution of keys, hand typed into each device. WPA: Automatic distribution of keys

Authentication
- WEP: Flawed, used the WEP key itself for authentication. WPA: Strong user authentication, utilizing 802.1X and EAP
How Does it Work? (in SOHO)

Step 1: Enter matching passwords into the AP and client.
Step 2: The AP checks the client's password. If it matches, the client joins the network; if not, the client is kept off the network.
Step 3: Keys are derived and installed. Client and AP exchange encrypted data.

(Diagram: clients with password ***** connecting through the Access Point/Router to the Internet)
Workshop – WPA setup with Passphrase security

1. AP – formulate a passphrase (pre-shared key) of 8-63 characters
2. Inform all members of the passphrase and SSID
3. Client – connect with the given SSID and WPA pre-shared key
4. Were you able to connect successfully?
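How the 8-63 character passphrase becomes the keys that "Step 3: keys derived and installed" refers to, as an added example that is not from the slides: the passphrase-to-PMK mapping is the one in IEEE 802.11i Annex H, the PTK expansion is the 802.11i PRF, and the MAC addresses and nonces used when running it are constructed.

```python
# Added example (not from the slides): turn the workshop's 8-63 character
# passphrase into the 256-bit Pairwise Master Key (IEEE 802.11i Annex H mapping:
# PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds) and expand it into a per-client
# Pairwise Transient Key with the 802.11i PRF, as done in the 4-way handshake.
import hashlib
import hmac

def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 32-byte PMK; the 8-63 printable-ASCII rule is the one the slide states."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def wpa_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
            anonce: bytes, snonce: bytes, length: int = 64) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(PMK, label || 0x00 || data || counter), iterated.
    Binding both MAC addresses and both handshake nonces into `data` is what gives
    every associated client its own pairwise key from the one shared PMK."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range((length + 19) // 20):
        msg = b"Pairwise key expansion" + b"\x00" + data + bytes([i])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
    return out[:length]

def same_passphrase_different_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """Because the SSID is the salt, one passphrase gives unrelated PMKs on two
    differently named networks, so each ITEDxx workshop network gets its own PMK."""
    return wpa_psk_pmk(passphrase, ssid_a) != wpa_psk_pmk(passphrase, ssid_b)
```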
IEEE 802.11i (WPA2)

- 802.11i is the official IEEE attempt to supply strong security for wireless links
- 802.11i uses Temporal Key Integrity Protocol (TKIP), similar to WPA.
- Additionally adds AES (Advanced Encryption Standard), offering 128-bit, 192-bit and 256-bit block encryption.
- Authentication using 802.1X for port access authentication (EAP-TLS, PEAP, LEAP)
- RADIUS for Authentication, Authorisation and Accounting, with default port 1812 for authorisation and port 1813 for accounting
Authentication Comparison

Feature                  EAP-MD5   EAP-TLS   EAP-TTLS   PEAP       LEAP
Mutual authentication    No        Yes       Yes        Yes        Yes
Cert – client            No        Yes       Optional   Optional   No
Cert – server            No        Yes       Yes        Yes        No
Dynamic key exchange     No        Yes       Yes        Yes        Yes
Credential integrity     None      Strong    Strong     Strong     Moderate
Deployment difficulty    Easy      Hard      Moderate   Moderate   Moderate
Client ID protection     No        No        Yes        Yes        No

- EAP-MD5 (Message-Digest Algorithm 5): one-way authentication, uses WEP encryption
- EAP-TLS (Transport Layer Security): digital certificates used for client and server authentication; the exchange is done in the open
- EAP-TTLS (Tunneled Transport Layer Security): a digital certificate is used only for server-side authentication; the client's user ID and password are sent over the secure connection
- PEAP (Protected EAP): a digital certificate is used at the server side, but supports only EAP-MD5 and EAP-MSCHAPv2
- LEAP (Lightweight Extensible Authentication Protocol): Cisco's version of 802.1X
How Does it Work? (in Enterprise)

Step 1: Enter matching passwords into the AP and client.
Step 2: The AP passes the authentication ID to the RADIUS server instead of performing authentication by itself.
Step 3: The server checks the credential against its records and grants or denies access accordingly. A group key is issued to ALL stations so that they can encrypt data for sending and receiving.

RADIUS = Remote Authentication Dial In User Service

(Diagram: clients with password ***** connect to the Access Point/Router, which queries the RADIUS server over the wired network ("ID ?" / "ID OK !"); the Access Point/Router also connects to the Internet)
RADIUS Workshop Network Plan

Step 1: The station is challenged to enter a user ID and password.
Step 2: The AP passes the authentication ID to the RADIUS server (10.10.13.168).

RADIUS server: 10.10.13.168, Windows 2003 Server, a member of a domain running directory services.

(Diagram: clients with password ***** connect to the Access Point/Router, which queries the RADIUS server at 10.10.13.168 over the wired network ("ID ?" / "ID OK !"); the Access Point/Router also connects to the Internet)
Workshop – RADIUS Authentication

- AP – set to use RADIUS server IP = 10.10.13.168 for authentication
- Set WEP as the encryption protocol
- RADIUS – set the passphrase for the AP to log on
- Client – configure a wireless connection to use the trainer's AP.
- When connecting to the AP it will challenge the user to enter a user ID and password (user ID and password = userxx where xx = 01-30)
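What the "passphrase for the AP to log on" (the AP/RADIUS shared secret) does on the wire between the AP and the RADIUS server, as an added example that is not from the slides: it implements the User-Password hiding of RFC 2865 section 5.2, and the secret and credential values used with it are constructed.

```python
# Added example (not from the slides): the RADIUS client (here the AP) hides the
# User-Password attribute with the AP/RADIUS shared secret, the "passphrase for the
# AP to log on" set on the RADIUS server in the workshop (RFC 2865 section 5.2).
import hashlib
import os

def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Pad to a 16-octet multiple, then XOR block i with
    b_i = MD5(secret || c_{i-1}), where c_0 is the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is 1 to 128 octets")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator is 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out

def radius_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: run the same chain from the received ciphertext blocks and strip
    the zero padding (RFC caveat: trailing NUL octets in the password itself are lost)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty 16-octet multiple")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def new_request_authenticator() -> bytes:
    """16 fresh random octets per Access-Request. The hiding keystream depends only
    on the shared secret and this value, so the value must never repeat and the
    secret should be long and random: anyone who guesses it recovers every password."""
    return os.urandom(16)
```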
Security Summary (weakest to strongest)

No authentication:
- No security
- Static WEP
- WPA-PSK
- WPA2-PSK

RADIUS server authentication:
- WPA
- WPA2 (802.11i)
Other Wireless Security Measures

- VPN (Virtual Private Network)
  - Creating a virtual connection using IPsec or other VPN protocols to ensure the transmitted data is encrypted
  - Needs a VPN server
- VLAN (Virtual LAN) with multiple SSIDs
  - Separates users' access to separate resources on the network
  - Needs a VLAN-supporting switch and AP
Security Experience Sharing

- What wireless network is implemented
- What security issues you can foresee
Wireless Testing Tools

Free tools
- NetStumbler quickly identifies basic wireless devices that will respond to an "anybody out there?" request.
- Kismet roots out wireless devices that have their SSIDs hidden or otherwise won't respond to basic NetStumbler probes. If you're not into Linux or don't want to spend hours if not days setting up your wireless card drivers in Linux, you can run Kismet directly from the BackTrack Live CD.
- Aircrack is for WEP and WPA pre-shared key cracking.
- FakeAP on the BackTrack Live CD mimics a legitimate access point and sets up an evil twin attack to see how carelessly your users connect to any old access point.
- Wireshark – packet capturing tool

Commercial tools
- AiroPeek wireless network analyzer to quickly and easily capture packets, look for top talkers, discover rogue systems, and more
- AirMagnet Laptop Analyzer, among many other things, has a nifty signal strength meter for determining how close or far away a wireless device is when you're walking around trying to locate it.
- CommView for WiFi is for low-cost packet capturing, packet generation and more.
- Wfilter – an Internet monitoring tool (web, IM, ...)
Public WiFi and Hotspots

- Hong Kong "A Wireless City"
  - The HK Government has a vision
  - Current players
    - HK Government with about 3000 APs
    - Commercial operators with 5000 APs
    - FON, ??
    - Free WiFi in shopping malls/restaurants/cafés, etc.
- Explore security controls with public WiFi operators
Search for registered WiFi APs

- Public APs are registered with OFTA
- You can find out where there are available WiFi APs at: https://apps.ofta.gov.hk/apps/clr/content/public_search.asp
- Recommendations when using public WiFi: http://www.infosec.gov.hk/english/yourself/wireless_3.html
Captive Portal

- PCCW and the Airport: https://hotspot.netvigator.com/airport/login2.html
- A commercial web-based application that authenticates the user
- Once logged in, it allows the user to connect to the WiFi network
- Found in hotels, airports, shopping malls, etc.
Course Summary

- Looked at Wireless LAN standards – IEEE 802.11 a/b/g/n
- We have learned how to set up
  - Ad-hoc
  - Enterprise
- Looked at various types of standard wireless security
  - SSID, MAC address filtering
  - Encryption – WEP, WPA, WPA2
  - Authorisation – 802.1X, RADIUS
- Evaluated the advantages and disadvantages