Functional policy: Guidelines & Baselines

Download Report

Transcript Functional policy: Guidelines & Baselines

NETW 05A: APPLIED
WIRELESS SECURITY
Functional Policy:
Guidelines & Baselines
By Mohammad Shanehsaz
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Objectives
Explain the purpose and goals of the
following wireless LAN security policies:






Password policy
User training
On-going review ( auditing )
Acceptable use & abuse policy
Consistent implementation procedure
Centralized implementation and management
guidelines and procedures
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Objectives
Explain necessary items to include in
the creation and maintenance of a
wireless LAN security checklist
Describe and recognize the importance
of asset management and inventory
procedures for wireless LANs
Explain the importance of including
wireless LANs in existing change
management programs
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Functional policy
Policy Essentials
General Guidelines
Baseline practices
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Policy Essentials
Every security policy should implement the
following topics :






Password policies
Networking staff and end user training
requirement
Acceptable use
Consistent implementation / staging procedures
Readily available implementation and
management procedures
Regular audits and penetration tests by
independent professionals
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Password policies
Passwords are the most widely used method of
authentication and authorization; however there
are number of ways to compromised it such as :
Eavesdropping
Dictionary attack against a network
authentication server
Borrowing a user password
Easy to guess password
Getting it from users who leave them out in the
open ( the sticky note approach )
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Practicing good password
procedures
Use a password that is mixed case, has
punctuation, and uses alpha and numeric digits
Use something that can be remembered
without being written down
Force periodic password changes
Lockout accounts after 5 unsuccessful login
attempts
Make sure all passwords are at least 8
characters in length
Do not allow passwords to be reused
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Networking staff and end user
training
Network staff responsible for wireless LAN security
need to understand many subject areas including
intrusion techniques, wireless security policy, and
solutions, in addition to having a solid grasp on
basic wireless LAN functionality and technology.
End user must have adequate training in order to
properly implement security controls on their
computers and that it only takes one person not
following policy to create a large security hole that
can be exploited by an attacker
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Acceptable use
Wireless LANs are a half-duplex medium,
therefore bandwidth intensive applications
such as FTP, peer-to-peer file sharing, and
streaming video should only performed over
the wired LAN, otherwise it may cause DOS
on APs with many stations
To prevent this, there should be a section in
the policy regarding acceptable use of the
wireless LAN that define what scenarios
constitute proper use as well as abuse
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Consistent implementation /
staging procedures
It is common for a network administrator
to place a wireless LAN infrastructure
device onto the network without having
first staged and configured the device to
meet the organization’s security policy,
which is in effect like placing a rogue AP
on the network, to battle this problem
guidelines on how and when to stage and
install devices should be part of functional
policy
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Readily available implementation
and management procedures
It is important that network
administrator have the information
provided by the company security policy
readily available so that they verify
procedural steps while performing their
daily tasks
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Regular audits and penetration tests
by independent professionals
In order to find security holes internal and
external audits are a necessary part of
wireless network security
Internal audits will usually find most
policy violation, but holes in security
solution will usually require employing an
independent wireless security professional
It should be done unannounced
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
General Guidelines
Wireless network segments should always be
treated as unsecured means of data transit
Follow the following rules when passing data
wirelessly :





Encrypt email
Use HTTPS for web logins where possible
Use SSH2 instead of telnet where possible
Use secure FTP (SSH2 or SSL) for file transfers
Verify the latest operating system updates or
service packs are installed
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Security checklist
It is advisable to make security checklists for
use by network administrators that includes
the following items:
Access point and bridge configuration settings
Client-side software installation and settings
Physical security when mounting access
points and bridges
End user security solution training
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Available Network Resources
Since wireless LANs present security
risk, that added risk may be
significantly reduced by eliminating the
availability of certain services to
wireless segment
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Asset Management
Since enterprise class wireless LAN
hardware can be quite expensive and since
much of it is very small and lightweight,
this equipment can be easily stolen if not
secured, for this reason it is necessary to
record all the wireless hardware for
periodic inventory, and employee should
be required to sign for the hardware they
receive
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Periodic Inventory
It is a good practice to periodically
check infrastructure devices to make
sure they are both present and are the
correct unit
In large organizations, this type of
inventory might be impossible, so other
solutions might have to be implemented
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Change Management
Wireless LANs should be a part of the existing
corporate change management procedures
There are two things to consider:


First the security policy itself should be
periodically evaluated for relevance and modified
when necessary
second once a secure wireless is in place, any
changes to it should be documented and approved
by corporate authorities
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Spot-checks & Accountability
Some of the most effective methods for
ensuring properly implementing wireless
LAN security may include:



Thoroughly training end-users
Spot checking for internal policy adherence
Tying adherence and enforcement of policy
to departmental compensation
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Baseline practices
SSIDs
MAC filters
Static WEP
Default Configuration settings
Firmware Upgrades
Rogue Equipment
Outdoor Bridge Security
RF Cell Sizing
SNMP Community Strings
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Baseline practices continue
Discovery protocols
Remote Configuration
Client Security
IP Services
Switches vs. Hubs
Staging and Testing
Equipment Installation
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
SSIDs
The default SSID should be changed on
all access points, to something cryptic
and not something that could be used
to determine the company to whom the
AP belongs
By default an AP broadcasts SSID, by
not broadcasting SSIDs in beacons
“Closing the system “ prevents intruders
from passively locating the network
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
MAC Filters
MAC address filtering is another method
by which the IEEE 802.11 task group
attempted to secure wireless networks,
traffic is allow or deny based on MAC
address
It is both simple and common for a
hacker to spoof the MAC address of
another NIC
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Using Static WEP
Static WEP may be appropriate for SOHO environment, but
not for enterprise WLAN
When implemented the largest key size available that is
supported by the hardware should be used
When static WEP is used, strong keys should be created that
are unrelated to the following:




Organization’s name, address, or phone number
Wireless LAN’s SSID
Access points’or bridges’ model number(s) or manufacturer’s name
Manufacturer default WEP keys
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Default Configuration settings
The default configuration settings on all
APs should be changed, since an
infrastructure reconfiguration attack can
occurs if an attacker obtain
management access
To prevent attack the default username
and password should be changed on all
infrastructure devices
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Firmware Upgrades
Firmware upgrades can provides new security
functionality as well as bug fixes or security
patches
Firmware should be upgraded for the
following devices:






Access points
Wireless Bridges
Client devices
Client or Workgroup Bridges
Enterprise Wireless Gateways
Enterprise Encryption Gateways
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Firmware Upgrades
It is a good practice to test end-to-end functionality in a
lab environment prior to rolling it out enterprise wide
Firmware upgrades are suggested in order to gain the
following features:









TKIP (or similar key rotation protocol) support
Kerberos support
802.1X/EAP(-TLS,-TTLS,-LEAP,-PEAP)support
WPA compliance
Advanced Encryption Standard (AES) support
VPN support
Rogue access point detection
RADIUS or LDAP support
Role-based access control
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Rogue Equipment
Anytime rogue equipment is present in a network,
the incident should be considered a serious breach
of network security
Eliminating rogue wireless equipment is a multi-step
process which includes:




Setting Corporate Policy Regarding Rogue Equipment
Network Administrator Training
Help Desk & End User Training
Intrusion Detection Systems & Audits
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Outdoor Bridge security
Outdoor WLAN bridge links may often span
miles, this can allow an intruder the
opportunity to remain undiscovered
Bridges may act as both a bridge and an
access point simultaneously, if possible client
connectivity at the bridge should be disabled
Clear text transmission should not be allowed
to pass between bridges at any time.
Wireless bridge installation can be
compromised through rogue bridges
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Outdoor Bridge security
Wireless bridge installation can be
compromised through rogue bridges,
which can be placed onto the network
at a range of several miles
To overcome this a good security must
be chosen and implemented
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
RF Cell Sizing
Accurate cell sizing can aid in preventing war
drivers from being able to locate your
network
You can limit cell by reducing the output
power of the access points and antennas
After WLAN configuration administrator
should attempt a footprint analysis to
determine how easily the network can be
targeted using omni and directional antennas
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
SNMP Community Strings
SNMP community strings should be changed
or disabled, because default read and write
passwords are clearly documented in users
manual
Disable SNMP access if it will not be used, if
used set the read and write community
strings to complex, non-default values that
are not related to network’s SSID, WEP, or
organizational information
Disable SNMP access from outside by using
ACL or firewall filtering
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Discovery Protocols
When discovery protocols (such as CDP)
are not in use they should be disabled
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Remote configuration
If manufacturer feature sets allow for it,
configure APs and bridges so that they
cannot be configured over wireless
network segment, to prevent
compromising authentication
information, unless the wireless link is
encrypted
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Client Security
Wireless security policy should limit any sensitive data on
the client machines that could damage the organization
Shared folders should be limited or even prohibited on
wireless client machine
Using corporate PCs without protection on public access
wireless networks are prohibited
There are many tools such as personal firewalls, VPN
technologies such as, IPSec, that can be used to protect
wireless clients
Make sure that clients don’t use unsecured wireless AP to
VPN to corporate network
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
IP Services
First step in securing IP services is to heighten
general awareness of the possibility of rogue IP
services such as DHCP servers.
Use data-link security mechanisms such as
802.1X/EAP solution to authenticate user prior to
receiving an IP address
Earmarking IP ranges for WLAN segment is
another way to speed location of hacker and to
ease network management
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Switches vs. Hubs
Using switches to connect to the wired segment has
the following benefits:





Support for security and network management tools
such as VLANs
Support for 802.1q VLAN tagging
SSIDs are tied to VLANs as means of logically separating
groups of wireless users
Allows for segmented network design and secure
management over a particular VLAN
Allows for full-duplex connectivity
. Hubs broadcast every frame to all ports, so hacker
can see all the traffics
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Staging and Testing
Staging and testing should occur prior to
deployment, wireless infrastructure devices
should be staged and configured in an
isolated environment for a secure
deployment
Administrator should use approved security
configuration checklists to assure that no
security holes are created due to lack of
following configuration procedures
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Equipment Installation
To prevent theft of wireless network
equipment, devices should be:



Mount out of reach
Bolted down or secured in locked steel boxes
Kept out of plain site
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Summary
Guidelines and baselines of the functional
policy was discussed
Policy cover password policies, training,
usage, implementation and staging,
procedures and audits
General guidelines cover the security
checklist, available network resources,
asset management, change management,
and spot-checks and accountability
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Summary
Baseline practices consist of several
strategic areas such as a basic SSID
changes, MAC filtering inadequacies,
WEP versus EAP/802.1x solutions,
detecting rogue equipment, and
wireless bridge security, that must be
considered when implementing the
wireless LANs
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.
Resources
CWSP certified wireless security
professional, from McGrawHill
This work is supported by the National Science
Foundation under Grant Number DUE-0302909.
Any opinions, findings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect those of the National Science Foundation.