- Ernest Staats Network Security Consulting

Download Report

Transcript - Ernest Staats Network Security Consulting

Manage & Secure
Your Wireless
Connections
Ernest Staats
Director of Technology and Network Services at GCA
Presented for the Nebraska Cyber Security Conference June 2009
MS Information Assurance, CISSP, CWNA, CEH, MCSE, CNA,
Security+, I-Net+, Network+, Server+, A+
[email protected]
Resources available @ http://es-es.net
Why Manage?











Bandwidth (when downloading or using VoIP)
Co-channel interference (phones, microwaves, rogue
AP’s)
Old Firmware (check for updates every quarter)
Management and control frames can’t be encrypted, nor
can header values like ESSID and MAC address
Stumblers <CommView> and WEP/PSK crackers
Mobile devices
DoS attacks (point-and-click raw packet injection tools)
Forged messages
Demand for more wireless access
BackTrack (www.remote-exploit.org)
802.11n issues
Wireless Vulnerabilities
Wireless Vulnerabilities
Overlooked: Site Survey
 What types of interference are you going
to contend with?
 What distances do you need to
broadcast?
 What types of data are you going to
support over WIFI? (data/voice) network access
 Set up worst-case scenario for testing
 Know your signal-to-noise ratio
 You should expect an interview before
any testing is done (how many users, roaming,
location of wiring closets)
Adapted from: Certified Wireless Network Administrator certification Course available at:: http://www.cwnp.com/
Changing Default Settings
 Change the default logon password and make it long!
 All defaults are known and published on the Net
http://www.phenoelit.de/dpl/dpl.html updated often
AP Management Interface
 HTTP, SNMP, Telnet
HTTP login
 Linksys: UID=blank PW=admin
SNMP (disable SNMP or use a management VLAN that is
secure)
 All: PW=public
Change default open systems to WPA2: use a long
passphrase





Cell Sizing
 How far is your WIFI signal going? (that is called your cell
size)
 Can’t cover whole building?
 Better antenna
 MIMO
 802.11n
 Power setting
 The cell size is usually adjusted by the power setting
 Go outside and see how far your wireless signal is
reaching (you will be surprised)
ESSID Naming
 Identifies network
 Helps others identify whether or not you have left default
settings on
 Broadcast on by default


Once again with the default settings, your wireless device
broadcasts its name, saying, “My name is … connect to me”
Turning off SSID broadcasting is called “cloaking”; can cause
issues in enterprise systems
 Avoid naming your SSID a private or personal code (It’s
not a password!!! Even cloaked ESSID’s are easily
discovered )
MAC Filtering
 A MAC address is the
hardware number that
is network card specific
(literally burned into the
network card when it is
made)
 Does not scale to large
networks
 Relatively easy to
defeat
 Good option for home
users
Authentication with 802.1x
 Authenticates users before
granting access to L2 media
 Makes use of EAP (Extensible
Authentication Protocol)
 PEAP, EAP-TLS, EAP-TTLS,
etc.
 802.1x authentication
happens at L2 – users will be
authenticated before an IP
address is assigned
Encrypt the Data
 WEP
Simple & easy to crack
 No key management
 It is worse than no encryption
 TKIP (Temporal Key Integrity Protocol)
WPA/WPA2
 Works on legacy hardware
 Has been cracked
 AES used in WPA 2
 Considered the best option



FIPS 140-2 approved (Federal Information
Processing Standard)
Use with 802.1x
Encryption
 WEP – First Wireless Security
Cracked -- Any middle-schooler can crack your WEP
key in short order
 WPA
 Cracked… but
 Key changes

 WPA2
Cracked… but
 Harder to crack than WPA; don’t use PSK
 802.1x
 Uses server to authorize user
 Can be very secure
 802.11i
 AES encryption – “uncrackable”

Authorize Data
 Most organizations do a decent job of
authentication (who the user is), but a poor job of
authorization (what the user is allowed to do);
NAC’s/NAP’s and 802.11i help this issue
 Mobile networks are typically multi-use
 Authentication provides you with user identity –
now use it! Identity-aware firewall policies can
restrict what a user can do, based on that user’s
needs
Home Wireless Overlooked






Change default settings -- SSID and passwords
Use WPA (or better, WPA2); use long PSK
Use a MAC filter
Turn off SSID broadcasting
Know how far your wireless signal is reaching
Turn off wireless when not being used, & turn off DHCP
or limit DHCP
 Disable remote administration
 Update Firmware on AP and wireless cards semiannually
 Secure your home machines






Current AV
Firewall (if the wireless router has a firewall option, turn it on)
Spyware protection
Auto update Windows
Use VPN
Common sense (check the “Secure Your Laptop Section”)
Secure Your Laptop
 Turn your firewall on: Start > Settings > Network Connections >
Wireless Network Connection > Change Advanced Settings >
Advanced Tab > Windows Firewall Settings > Select “On” > OK

BETTER YET use another firewall (i.e. Kerio, Jetico, or Zone
Alarm)
 Turn ad-hoc mode off: Start > Settings > Network Connections >
Wireless Network Connection > Change Advanced Settings >
Wireless Networks Tab > Select Network > Properties > Uncheck
“This is a computer-to-computer (ad-hoc) network” > OK
 Disable file sharing: Start > Settings > Network Connections >
Wireless Network Connection > Change Advanced Settings >
Uncheck “File and Printer Sharing” > OK
 Change Administrator password : Click Start > Control Panel >
User Accounts. Ensure the Guest account is disabled. Click your
administrator user account and reset the password
VPN Solutions
 AnchorFree's Hotspot Shield, a free software
download. Install it on a Windows PC
Paid VPN Solutions
 WiTopia's personalVPN,
 HotspotVPN (SSL)
 VPN connections require installation of a utility
on the computer
Teach Hotspot Security
 Use a personal firewall
 Use anti-virus software (update daily or hourly)
 Update your operating system and other applications









(i.e. Office, Adobe Reader) regularly
Turn off file sharing
Use Web-based e-mail that employs secure http (https)
Use a virtual private network (VPN)
Password-protect your computer and important files
(make sure your administrator account has a good long
password)
Encrypt files before transferring or e-mailing them
Make sure you're connected to a legitimate access point
Be aware of people around you
Properly log out of web sites by clicking log out instead
of just closing your browser or typing in a new Internet
address
Use a more secure browser Chrome in private mode
TIPS for WIFI at Work
 Use a wireless system that has a centrally managed






controller and reporting system
Name all your AP's with the same name so if the signal
gets blocked and they then get a stronger signal from
another work AP they do not have to re-authenticate to
the work wireless network
Make sure all your AP's are on the same subnet if you
are doing AD authentication
Make sure the work network is the only one listed on the
preferred networks
Use a wireless firewall (Motorola)
Know your air space issues (AirMagnet)
I prefer the single channel solution
TIPS for WIFI at Work (cont.)
 Make sure laptops are set to infrastructure







mode
Make sure the “Automatically connect to nonpreferred networks” is unchecked
Use 802.1x (or better, 802.11i)
Use a WIPS (Wireless Intrusion Prevention
System); look at log files
Use NAC
Have WIFI policies
Disable WIFI card if plugged into network
Have users take home a secure AP that will
tunnel back into the corporate network
(Aruba, Motorola)
A Layered Approach
Key Security Principles
 Principle of Least Privilege
 Authentication, identity-based security, firewalls
 Defense in depth
 Authentication, encryption, intrusion protection,




client integrity
Prevention is ideal; detection is a must
Intrusion detection systems, log files, audit trails,
alarms, and alerts
“Know your enemies & know yourself” (Sun Tzu)
Integrated centralized management
Wireless Gold Standard
 Centralized wireless
 Have and update WIFI policies
 Keep clients updated – drivers too!
 Guest access on separate VLAN / Network
 Wireless intrusion detection
 Locate and protect against rogue APs
 WPA-2
 Device authentication using 802.1x and PEAP
 User authentication using 802.1x and PEAP
 AES for link-layer encryption
 Long (not strong) passwords (15 character)
 Token-card products
 Protect wireless users from other wireless users
 Protect sections of the network from unauthorized access
Must Have a WIFI Policy
 At a minimum, the policy should involve continuous review










of potential threats and vulnerabilities and should deal
with the following:
Overall policy
Access control <this includes non-enterprise devices>
Usage management and monitoring
Security monitoring <this includes non-enterprise devices>
Network security <this includes non-enterprise devices>
Virus protection <this includes non-enterprise devices>
Encryption <this includes non-enterprise devices>
Pertinent laws <this includes non-enterprise devices>
Incident response <this includes non-enterprise devices>
Enforcement <this includes non-enterprise devices>
Captive Portals for Guests
 Browser-based authentication
 SSL encrypted
 Use for guest access only
 Put on separate VLAN or network
Controller Dashboard
802.11n Issues
 Frame aggregation
 Block Acknowledgment
 40 MHz channel bonding
 Spoofed duration fields
 Only channel 3,9 do not overlap with 40 MHz
channels on the 2.4 range
 AP Placement is 1800 different
What About “NAC”?
 Identity-based policy control
 Assess user role, device, location, time, application
 Policies follow users throughout network
 Health-based assessment
 Client health validation
 Remediation
 Ongoing compliance
 Network-based protection
 Stateful firewalls to enforce policies and quarantine
 User/device blacklisting based on policy validation
 We use Bradford for our NAC at GCA Excellent Pricing
for Edu’s
Shameless Plug
 Presentations on my site located at

www.es-es.net
 Come join my afternoon lecture @ 1:30pm

Session 3: Intrusion Prevention from the Inside
Out
 To learn more about GCA (Georgia
Cumberland Academy)

www.gcasda.org
Resources: Software
 Air Magnet
http://www.airmagnet.com/products/demodownload.php
 Net Stumbler –Free
http://www.netstumbler.com/downloads/
 Mini Stumbler –Free
http://www.netstumbler.com/downloads/
 Aircrack-2.1 802.11 sniffer and WEP key
cracker for Windows and Linux. -Free
http://www.cr0.net:8040/code/network/
Resources: Links
 CWNP Learning Center has over 1000 free
white papers, case studies:
http://www.cwnp.com/learning_center/index.htm
l
 free electronic site survey forms (excellent):
http://www.cwnp.com/mlist/subscribe.php
 GUIDE TO MASTERING NEGOTIATIONS:
http://common.ziffdavisinternet.com/download/0
/2537/whiteboardtoview.pdf