Securing the Wireless LAN

  1. Securing the Wireless LAN
     George Ou, Network Systems Architect, Contributing editor – ZDNet
  2. Contents
       • Introduction
       • Relative risks of Wireless LANs
       • Six dumbest ways to secure a WLAN
       • Tools of the wireless LAN hacker
       • The best ways to secure the WLAN
       • SOHO WLAN implementations
       • Enterprise WLAN implementations
  3. Introduction
       • Wireless security is a huge headache in IT
       • Wireless security widely misunderstood
       • Wireless security is everyone’s problem even if you don’t “think” you have a WLAN
       • Banning WLANs often results in “improvised” home-grown solutions
       • Wireless LANs can be secured
       • Wireless security applicable elsewhere in IT
  4. Relative risks of Wireless LANs
       • Wireless security is NOT an oxymoron
       • Less dangerous than having an Internet connection, direct or indirect
       • Attacks from the Internet can come from anywhere on the entire globe
           • Web/FTP/Mail/DNS Servers
           • Back doors R00TK1T5 that can dial home
       • Attacks on Wireless LANs are limited to a couple of kilometers
  5. Six dumbest ways to secure a WLAN: Overview
       • MAC “authentication”
       • SSID “hiding”
       • LEAP authentication
       • Disabling DHCP
       • Antenna placement and signal suppression
       • Switch to 802.11a or Bluetooth Wireless LANs
       • Dishonorable mention: WEP
     Original article on http://blogs.zdnet.com/Ou
  6. Six dumbest ways to secure a WLAN: MAC “authentication”
       • Use of the word “authentication” is laughable
       • All that’s happening is MAC address filtering
       • MAC addresses are transmitted in clear text
       • Extremely easy to capture
       • Extremely easy to clone and defeat
       • Extremely difficult to manage MAC filtering
  7. Six dumbest ways to secure a WLAN: MAC spoofing
  8. Six dumbest ways to secure a WLAN: SSID “hiding”
       • No such thing as “hiding” an SSID
       • All that’s happening is Access Point beacon suppression
       • Four other SSID broadcasts not suppressed
           • Probe requests
           • Probe responses
           • Association requests
           • Re-association requests
       • SSIDs must be transmitted in clear text or else 802.11 cannot function
  9. Six dumbest ways to secure a WLAN: LEAP authentication
       • Cisco LEAP authentication is extremely weak
       • LEAP successor EAP-FAST not much better
       • Cisco dominates Enterprise WLAN market
       • Significant percentage of Cisco shops use LEAP but have started to migrate to EAP-TLS
       • LEAP and EAP-FAST are free on client side
       • Only Cisco can sell LEAP and EAP-FAST on Access Points
       • Cisco APs support all open authentication standards like EAP-TLS and PEAP
  10. Six dumbest ways to secure a WLAN: Disabling DHCP
       • Disabling DHCP and forcing the use of static IP addresses is another common myth
       • IP schemes are easy to figure out since the IP addresses are sent over the air in clear text
       • Takes less than a minute to figure out an IP scheme and statically enter an IP address
  11. Six dumbest ways to secure a WLAN: Antenna placement and signal suppression
       • Antenna placement and signal suppression do nothing to encrypt data
       • The hacker’s antenna is bigger than yours
       • Directional high-gain antennas can pick up a weak signal from several kilometers away
       • Lowering the signal hurts legitimate users a lot more than it hurts the hackers
       • Wi-Fi paint or wallpaper not 100% leak proof and very expensive to implement
  12. Six dumbest ways to secure a WLAN: Switch to 802.11a or Bluetooth wireless LANs
       • 802.11a is a transport mechanism similar to 802.11b or 802.11g
       • 802.11a has nothing to do with security
       • Pray that the hacker doesn’t have 5 GHz 802.11a capable equipment
       • Bluetooth is more of a wireless USB alternative
       • Can be used for wireless networking but not designed as an 802.11a or b/g replacement
  13. Six dumbest ways to secure a WLAN: Dishonorable mention: WEP
       • WEP barely missed the six dumbest list because it can still hold up for a couple of minutes
       • Hacker named “KoreK” releases new WEP analysis tool in August 2004
       • WEP coupled with 802.1x and EAP key rotation (AKA DWEP) is considered broken
       • Packet injection techniques lower WEP cracking times to minutes
     Article: Next generation WEP cracking tools
  14. Tools of the wireless LAN hacker: Overview
       • Software
           • Auditor CD
           • Kismet
           • ASLEAP
           • Void11, Aireplay, Airodump, and Aircrack
       • Hardware
           • Cheap and compatible cardbus adapters
           • Omnidirectional high-gain antennas
           • Directional high-gain antennas
           • Off the shelf Laptop computer
  15. Tools of the wireless LAN hacker: Auditor CD
       • Bootable Linux CD with every security auditing tool under the sun
       • Everything needed to penetrate most wireless LANs and more
       • Mentioned as a favorite of the FBI
       • Relatively easy to use
  16. Tools of the wireless LAN hacker: Kismet
       • Kismet is a Linux wireless LAN audit tool
       • Can see “hidden” SSIDs
       • Can see MAC addresses
       • Can see IP schemes
       • Can capture raw packets
       • GUI version lays everything out
  17. Tools of the wireless LAN hacker: ASLEAP
       • ASLEAP cracks Cisco LEAP authentication
       • Exploits weak MSCHAPv2 authentication
       • Uses pre-computed indexed hash tables
       • Checks 45 million passwords a second
       • Upgraded to support PPTP VPN cracking
  18. Tools of the wireless LAN hacker: Void11, Aireplay, Airodump, and Aircrack
       • New set of tools makes WEP cracking hundreds of times faster
       • Void11 forces users to re-authenticate
       • Aireplay monitors re-auth session for ARP and then plays back the ARP request to trigger responses from legitimate computers
       • Airodump captures all of the raw packets
       • Aircrack only needs 200,000 packets instead of 10,000,000 packets from previous tools
  19. Tools of the wireless LAN hacker: Hardware: Cheap and compatible cardbus adapters
       • Prism 2/3 based 802.11b adapters
       • PrismGT based 802.11 b/g adapters
       • Atheros based 802.11 a/b/g adapters
       • All typically around $40 to $70 USD
       • All compatible with Linux cracking tools
  20. Tools of the wireless LAN hacker: Omnidirectional high-gain antennas
       • Typically 7 to 9 dB gain
       • General purpose surveying and war driving
       • Can be used to create evil twin access point
       • Less than $100 USD
  21. Tools of the wireless LAN hacker: Directional high-gain antennas
       • Used to aim and focus in on victim
       • Picks up weak signals many kilometers away
       • Around $100 USD
  22. Tools of the wireless LAN hacker: Off the shelf Laptops
       • Any Laptop or PC can be used for hacking
       • New Laptops with good cracking speed are as low as $400 USD
       • Wireless hacking is NOT cost prohibitive!
  23. The best ways to secure the WLAN: Overview
       • Good cryptography allows secure communications over unsecured medium
       • Follow best practice cryptographic principles
           • Strong authentication
           • Strong encryption
       • WPA and WPA2 standards
  24. The best ways to secure the WLAN: Strong authentication background
       • Strong authentication is often overlooked
       • Well established secure authentication methods all use SSL or TLS tunnels
       • TLS is the successor of SSL
       • SSL has been used for nearly a decade in E-Commerce
       • SSL or TLS requires Digital Certificates
       • Digital Certificates usually involve some form of PKI and Certificate management
  25. The best ways to secure the WLAN: Strong authentication in Wireless LANs
       • Wireless LANs typically use 802.1x and EAP
       • Common standard EAP types are EAP-TLS, EAP-TTLS and PEAP
       • LEAP and EAP-FAST are not standard
       • EAP-TLS requires server and client certificates
       • EAP-TTLS and PEAP only require client-side certificates
       • EAP-TTLS created by Funk and Certicom
       • PEAP created by Microsoft, Cisco and RSA
     Details on EAP types at: http://blogs.zdnet.com/Ou/?p=67
  26. The best ways to secure the WLAN: Strong authentication and RADIUS servers
       • EAP authentication requires RADIUS support in Access Point and one or more RADIUS servers
       • Microsoft Windows 2003 Server has fully functional RADIUS component called IAS
           • Supports EAP-TLS and PEAP
           • Windows 2000 only supports EAP-TLS
           • Easily integrates into NT domains or Active Directory
       • Funk software makes Steelbelted and Odyssey
       • Open source FreeRadius supports broad range of EAP types
  27. The best ways to secure the WLAN: Strong encryption
       • Encryption is well understood
       • No known methods of breaking good encryption
       • DES encryption has never been cryptanalyzed in nearly 30 years and must be brute forced
       • 3DES still considered solid but slow
       • AES is the official successor to DES and is solid at 128, 192, or 256 bits
  28. The best ways to secure the WLAN: Strong encryption in Wireless LANs
       • RC4 encryption is known to be weak
       • WEP uses a form of RC4 encryption
       • Dynamic WEP makes WEP cracking harder
       • TKIP is a rewritten WEP algorithm
       • No known methods against TKIP yet but some theoretical attacks are on the horizon
       • AES encryption mandated in the newest Wireless LAN standards is rock solid
  29. The best ways to secure the WLAN: WPA and WPA2 standards
       • WPA used a trimmed down version of 802.11i
       • WPA2 uses the ratified 802.11i standard
       • WPA and WPA2 certified EAP types
           • EAP-TLS (first certified EAP type)
           • EAP-TTLS
           • PEAPv0/EAP-MSCHAPv2 (Commonly known as PEAP)
           • PEAPv1/EAP-GTC
           • EAP-SIM
       • WPA requires TKIP capability with AES optional
       • WPA2 requires both TKIP and AES capability
     Details on EAP types at: http://blogs.zdnet.com/Ou/?p=67
  30. SOHO WLAN implementations
       • Minimum encryption should be TKIP
       • Run AES encryption if possible
       • EAP authentication usually not feasible for Small offices and home offices
       • SOHO WLANs usually rely on WPA-PSK
       • PSK (pre-shared keys) are easier than WEP with 26 HEX digits
       • PSK must be at least 8 alphanumeric random characters
       • Zyxel offers Access Points with PEAP RADIUS built-in
  31. Enterprise WLAN implementations: WPA and WPA2 standards
       • Minimum encryption should be TKIP
       • Run AES encryption if possible
       • EAP-TLS authentication recommended
       • PEAP or EAP-TTLS authentication at a minimum
  32. Enterprise WLAN implementations: Wireless Switches
       • Wireless LAN switches manage large numbers of Access Points
       • Much easier to manage
       • Wireless switch makers
           • Symbol
           • Cisco Airespace
           • Aruba
  33. Enterprise WLAN implementations: Advanced security implementations
       • Multiple Virtual SSID and VLAN support
       • VLAN assignment based on group membership
       • Guest Wireless LANs that are isolated
       • Mitigating WEP security risks for WEP only devices using Firewall or Router ACLs (Access Control Lists)
       • Can be done with single device such as the Cisco 851W which is a Firewall, Router, Managed Switch, and Access Point all-in-one
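
Slides 6 and 8 rest on the same fact: 802.11 management frames carry station addresses and the SSID element unencrypted. The Python below is an added example, not part of the original deck; it parses constructed sample frames (the MAC addresses and the SSID `corp-wlan` are made up) to show what a site audit still reads with beacons suppressed and MAC filtering enabled.

```python
import struct

# Fixed-field length preceding the tagged elements, per SSID-bearing subtype.
FIXED = {0: 4, 2: 10, 4: 0, 5: 12, 8: 12}
KIND = {0: "assoc-req", 2: "reassoc-req", 4: "probe-req", 5: "probe-resp", 8: "beacon"}
BCAST = b"\xff" * 6

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame):
    """Return the cleartext addresses and SSID of an 802.11 management frame."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte management header")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED:
        raise ValueError("not an SSID-bearing management frame")
    body, ssid = frame[24 + FIXED[subtype]:], None
    while len(body) >= 2 and len(body) >= 2 + body[1]:   # walk tagged elements
        if body[0] == 0:                                 # element ID 0 is the SSID
            ssid = body[2:2 + body[1]]
            break
        body = body[2 + body[1]:]
    empty = ssid is not None and ssid.strip(b"\x00") == b""
    return {"kind": KIND[subtype], "dst": mac(frame[4:10]), "src": mac(frame[10:16]),
            "bssid": mac(frame[16:22]), "ssid_empty": empty,
            "ssid": ssid.decode("utf-8", "replace") if ssid and not empty else None}

def build(subtype, dst, src, bssid, ssid):
    """Construct a minimal management frame (sample data, not a capture)."""
    hdr = struct.pack("<BBH", subtype << 4, 0, 0) + dst + src + bssid + b"\x00\x00"
    return hdr + bytes(FIXED[subtype]) + bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])

AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed
SAMPLE = [
    build(8, BCAST, AP, AP, b""),               # beacon, SSID suppressed ("hidden")
    build(4, BCAST, STA, BCAST, b"corp-wlan"),  # probe request from a client
    build(5, STA, AP, AP, b"corp-wlan"),        # probe response from the AP
    build(0, AP, STA, AP, b"corp-wlan"),        # association request
]

def audit(frames):
    """Map each BSSID to the SSID it disclosed and list client MACs seen in clear."""
    ssids, clients = {}, set()
    for p in map(parse_mgmt, frames):
        if p["ssid"] and p["bssid"] != mac(BCAST):
            ssids.setdefault(p["bssid"], p["ssid"])
        if p["kind"] != "beacon" and p["kind"] != "probe-resp":
            clients.add(p["src"])
    return ssids, sorted(clients)

if __name__ == "__main__":
    print(audit(SAMPLE))
```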
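
Slide 18 describes forced re-authentication followed by playback of a captured ARP request; both leave a pattern a wireless monitor can alert on. The following detection logic is an added example, not from the original deck: the frame record layout, the thresholds and the sample records are assumptions made for illustration.

```python
from collections import defaultdict

def detect(frames, window=10.0, deauth_limit=5, replay_limit=20):
    """Flag deauthentication bursts and repeated WEP IVs inside a sliding window.

    frames: dicts with ts (seconds), kind, src, dst and, for WEP data, iv.
    The record layout and thresholds are assumptions of this example.
    """
    seen = defaultdict(list)          # (label, key) -> recent timestamps
    alerts = []
    for f in sorted(frames, key=lambda f: f["ts"]):
        if f["kind"] == "deauth":
            # Forced re-authentication: many deauths aimed at one station.
            label, key, limit = "deauth-burst", f["dst"], deauth_limit
        elif f["kind"] == "wep-data":
            # A replayed frame is resent unchanged, so transmitter and IV repeat;
            # a normal sender moves to a new IV for each frame.
            label, key, limit = "iv-replay", (f["src"], f["iv"]), replay_limit
        else:
            continue
        times = seen[(label, key)]
        times.append(f["ts"])
        while f["ts"] - times[0] > window:   # drop entries older than the window
            times.pop(0)
        if len(times) == limit:              # alert once as the threshold is crossed
            alerts.append((label, key, f["ts"]))
    return alerts

def sample_frames():
    """Constructed records: normal traffic, then a deauth burst and a replay."""
    sta, ap = "02:00:00:00:00:02", "02:00:00:00:00:01"
    frames = [{"ts": i * 0.5, "kind": "wep-data", "src": sta, "dst": ap,
               "iv": f"{i:06x}"} for i in range(40)]              # IV increments
    frames += [{"ts": 30 + i * 0.2, "kind": "deauth", "src": ap, "dst": sta}
               for i in range(6)]
    frames += [{"ts": 32 + i * 0.05, "kind": "wep-data", "src": sta, "dst": ap,
                "iv": "00001f"} for i in range(200)]              # same IV, high rate
    return frames

if __name__ == "__main__":
    for alert in detect(sample_frames()):
        print(alert)
```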
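
Slide 30 requires a WPA-PSK of at least 8 random alphanumeric characters. The Python below is an added example, not from the original deck: it generates and checks a passphrase against that rule and derives the WPA pairwise master key with PBKDF2-HMAC-SHA1, where the SSID is only a salt and the passphrase is the sole secret. The `COMMON` word list and the SSID `home-wlan` are constructed placeholders.

```python
import hashlib
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits
COMMON = {"password", "12345678", "qwertyuiop"}   # constructed stand-in for a word list

def generate_psk(length=20):
    """Random alphanumeric passphrase from the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return "".join(secrets.choice(ALNUM) for _ in range(length))

def random_psk_bits(length, alphabet=ALNUM):
    """Entropy in bits; valid only if every character was chosen at random."""
    return length * math.log2(len(alphabet))

def check_psk(passphrase):
    """Return the problems found against the slide's rule and the WPA limits."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("printable ASCII only")
    if len(set(passphrase)) <= 2 or passphrase.lower() in COMMON:
        problems.append("not random")   # crude heuristic, illustration only
    return problems

def derive_pmk(passphrase, ssid):
    """WPA-PSK derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

if __name__ == "__main__":
    psk = generate_psk()
    print(psk, check_psk(psk), f"{random_psk_bits(len(psk)):.1f} bits")
    print(derive_pmk(psk, "home-wlan").hex())
```

Because the SSID is public and the derivation is fixed, anyone who observes a handshake can test passphrase guesses offline, which is why randomness matters more than the 8-character minimum.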