
Securing the Use of Wireless Fidelity (WiFi) in Libraries


Lecture presented by Chito N. Angeles at PAARL's Conference on the theme "The Power of Convergence: Technology and Connectivity in the 21st Century Library and Information Services" held on Nov. 11-13, 2009 at St Paul College, Pasig City

Published in: Education, Technology, Business


  1. Securing the Use of Wireless Fidelity (WiFi) in Libraries. Chito N. Angeles. “The Power of Convergence: Technology and Connectivity in the 21st Century Library and Information Services”
  2. Wireless Telecommunications: Traditional Wireless Networks (TWNs). Using mobile phones; designed as a WAN technology; supports voice and data communication; fixed infrastructure.
  3. Wireless Telecommunications: Wireless Local Area Networks (WLANs). “Wireless Ethernet” technology (e.g., laptops with wireless Ethernet); enables communication within LANs; supports voice and data communication; fixed infrastructure, using wireless “Access Points”; IEEE 802.11 standard as backbone.
  4. Wireless Telecommunications: Mobile Ad-hoc Networks (MANETs). Mobile, “short-lived” networks formed on an “as-needed” (ad hoc) basis (e.g., mobile devices with Bluetooth); operate in the absence of fixed infrastructure; nodes are free to move.
  5. What is WiFi? Short for wireless fidelity, it is the Wi-Fi Alliance's name for a wireless standard, or protocol, used for wireless communication. The Wi-Fi Alliance is a not-for-profit organization that certifies the interoperability of wireless devices built around the IEEE 802.11 standard.
  6. What is WiFi? Unlike many other wireless standards, 802.11 runs on "free" portions of the radio spectrum (2.4 GHz and 5 GHz). Unlike cell phone communications, no license is required to broadcast or communicate using 802.11.
  7. Key Components of WLAN: Access Point; Wireless Card.
  8. Access Point (AP): Consists of a radio transmitter and receiver as well as an interface to a wired network or directly to the Internet. Serves as a base station and a bridge between the wireless network and a larger Ethernet network or the Internet (as in the case of wireless routers).
  9. WiFi Hotspot: The term "hotspot" refers to the area or physical location where an Access Point is made accessible to users with Wi-Fi enabled devices. Typically found in coffee shops, airports, hotels, malls and, increasingly, in libraries.
  10. What is IEEE 802.11? A set of standards for carrying out wireless local area network (WLAN) computer communication in the 2.4, 3.6 and 5 GHz radio frequency bands. Produced and maintained by the Institute of Electrical and Electronics Engineers (IEEE).
  11. Wireless Network Mode: 802.11a (1999). Transmits at 5 GHz and can move up to 54 megabits of data per second. Uses orthogonal frequency-division multiplexing (OFDM), a more efficient coding technique that splits the radio signal into several sub-signals before they reach a receiver. This greatly reduces interference.
  12. Wireless Network Mode: 802.11b (1999). The slowest and least expensive standard. For a while, its cost made it popular, but it is becoming less common as faster standards become less expensive. Transmits in the 2.4 GHz frequency band of the radio spectrum and can handle up to 11 megabits of data per second.
  13. Wireless Network Mode: 802.11g (2003). Transmits at 2.4 GHz like 802.11b, but is a lot faster: it can handle up to 54 megabits of data per second. 802.11g is faster because it uses the same coding technique (OFDM) as 802.11a.
  14. Wireless Network Mode: 802.11n (2009). The newest standard that is widely available; it significantly improves speed and range. For instance, although 802.11g theoretically moves 54 megabits of data per second, it only achieves real-world speeds of about 24 megabits per second because of network congestion. 802.11n, however, reportedly can achieve speeds as high as 140 megabits per second.
  15. Service Set Identifier (SSID): The public name of a WLAN. All wireless devices on a WLAN must employ the same SSID in order to communicate with each other. The SSID is set on the Access Point and broadcast to all wireless devices in range. It is case sensitive, consists of a sequence of alphanumeric characters, and has a maximum length of 32 characters.
  16. Service Set Identifier (SSID)
  17. Computer Security: The protection of personal or confidential information and/or computer resources from individuals or organizations that would willfully destroy or use said information for malicious purposes.
  18. WLAN Security Requirements: Authentication – control or limit access to the network. Confidentiality – prevent unauthorized disclosure of data. Data Integrity – ensure that packets have not been modified in transit.
  19. Access Point Authentication: Open authentication does not do any checks on the identity of the station; the AP allows any station to join the network. Shared authentication is based on a challenge-response system; stations share a secret key.
  20. Security Problems, Risks, Threats: Eavesdropping. Intercepting information that is transmitted over the WLAN. The intercepted information can be read if transmitted in the clear, or easily deciphered if poor encryption is used.
  21. Security Problems, Risks, Threats: Traffic Analysis. The attacker gains information by monitoring wireless transmissions for patterns of communication and data flow between parties, and deciphers encrypted traffic that has been captured. Traffic analysis can result in the compromise of sensitive information.
  22. Security Problems, Risks, Threats: Data Tampering. The information transmitted over the WLAN can be deleted, replayed, or modified by the attacker via a man-in-the-middle attack. This can result in a loss of data integrity and availability.
  23. Security Problems, Risks, Threats: Masquerading. The attacker gains unauthorized access to the information and network resources within the WLAN, or another interconnected network, by impersonating an authorized user.
  24. Security Problems, Risks, Threats: Denial of Service (DoS). The attacker can jam the entire frequency channel used for wireless data transmission using a powerful signal generator, a microwave, or a massive amount of broadcast network traffic from a rogue wireless device.
  25. Security Problems, Risks, Threats: Wireless Client Attacks. The attacker can potentially gain access to the information shared or stored on the wireless client when it is connected to an unprotected ad hoc WLAN or an untrustworthy third-party WLAN. Additionally, a compromised wireless client can serve as a bridge to the internal network, allowing a perpetrator to gain access to, or launch attacks against, the internal corporate network and its resources.
  26. Security Problems, Risks, Threats: Rogue Access Points. An unauthorized wireless AP within a wireless network. Once a rogue AP without security features has been installed, an intruder can get unauthorized access to the entire network. Rogue APs usually use the same SSID as the legitimate network they mimic. A rogue AP can then accept traffic from wireless clients, to whom it appears as a valid authenticator. In this way, a rogue AP can seriously harm a network.
  27. Security Problems, Risks, Threats: Man-in-the-Middle Attack. A form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe they are talking directly to each other over a private connection when in fact the entire conversation is controlled by the attacker.
  28. Security Problems, Risks, Threats: Piggybacking. If you fail to secure your wireless network, anyone with a wireless-enabled computer within range of your access point can hop a free ride on the Internet over your wireless connection.
  29. Security Problems, Risks, Threats: Unauthorized Computer Access. An unsecured wireless network combined with unsecured file sharing can spell disaster. Under these conditions, a malicious user could access any directories and files you have allowed for sharing.
  30. Security Problems, Risks, Threats: Evil Twin Attacks. The attacker gathers information about a public access point, then sets up his or her own system to impersonate the real access point, using a broadcast signal stronger than the one generated by the real access point. Unsuspecting users connect using the stronger, bogus signal. Because the victim is connecting to the Internet through the attacker’s system, it is easy for the attacker to use specialized tools to read any data the victim sends over the Internet.
  31. Security Problems, Risks, Threats: Wireless Sniffing. Many public access points are not secured, and the traffic they carry is not encrypted. This can put your sensitive communications or transactions at risk. Because your connection is transmitted “in the clear,” malicious users can use “sniffing” tools to obtain sensitive information such as passwords, bank account numbers, and credit card numbers.
  32. Security Problems, Risks, Threats: War-Driving. Driving around a city searching for the existence of wireless LAN (802.11) networks: locating and logging wireless access points while in motion. Often, this task is automated using dedicated wardriving software and a GPS device.
  33. WLAN Security: Myths. SSID Hiding. There is no such thing as “SSID hiding”: there are four other mechanisms that also broadcast the SSID over the 2.4 or 5 GHz spectrum. Hiding the SSID might cause problems for WiFi roaming when a client jumps from AP to AP, and it also makes the WLAN less user-friendly.
  34. WLAN Security: Myths. MAC Filtering. The MAC address is just a 12-digit hex number that can be viewed in clear text with a sniffer. Once the MAC address is seen in the clear, it takes about 10 seconds to cut and paste a legitimate MAC address into the wireless Ethernet adapter settings, and the whole scheme is defeated (“spoofing”).
  35. WLAN Security: Myths. Disabling DHCP (routers). DHCP allows the automatic assignment of IP addresses and other configuration. Disabling DHCP has zero security value and is just a waste of time: it would take a hacker about 10 seconds to figure out the IP scheme of any network and simply assign their own IP address.
  36. WLAN Security: Myths. Antenna Placement. Putting access points in the center of the building and running them at minimal power does nothing to deter hackers. Remember, the hacker will always have a bigger antenna than you, which can home in on you from a mile away. Making a wireless LAN so weak only serves to make it useless. Antenna placement and power output should be designed for maximum coverage and minimum interference; they should never be used as a security mechanism.
  37. Best Practices: Securing your WiFi Access Point / Router. Change the SSID of your product. Change the default password. For network administrators, periodically survey your site using a tool like “NetStumbler” to see if any “rogue” access points pop up. Don’t buy access points or NICs that only support 64-bit WEP.
  38. Best Practices: Securing your WiFi Access Point / Router. Disable remote administration. Use this feature only if it lets you define a specific IP address or limited range of addresses that will be able to access the router. Unless you absolutely need this capability, it is best to keep it turned off.
  39. Best Practices: Choose a good password. Avoid dictionary words or other well-known sequences. Use a combination of alphanumeric characters, upper and lower case letters and special symbols. Use long passwords.
  40. Best Practices: Use file sharing with caution. If you don’t need to share directories and files over your network, disable file sharing on your computers. Keep your access point software patched and up to date: check the manufacturer’s web site regularly for any updates or patches for your device’s software.
  41. Best Practices: Enable a firewall on each computer and on the router. Turn off networks during extended periods of non-use; the ultimate in wireless security measures, shutting down your network will most certainly prevent outside hackers from breaking in.
  42. Best Practices: When using public WiFi, avoid online banking, online shopping, sending email, and typing passwords or credit card numbers.
  43. Security Measures / Best Practices: Other technologies that can be implemented to secure wireless networks: antivirus software; intrusion detection systems; vulnerability assessment tools; Web Access Control (WAC); wireless firewall gateways; personal firewalls; content filtering (spam filter, proxy, OpenDNS); hard drive encryption (e.g., TrueCrypt).
  44. Advanced Wireless Security: Enable WiFi Protected Access (WPA) instead of Wired Equivalent Privacy (WEP). WEP encryption has well-known weaknesses that make it relatively easy for a determined user with the right equipment to crack the encryption and access the wireless network. WPA provides much better protection and is also easier to use, since your password characters aren't limited to 0-9 and A-Z as they are with WEP.
  45. Advanced Wireless Security: Wireless Gateway. Provides secure authentication; all access is via a Secure Sockets Layer (SSL) secured web interface. Sample software: Connect Manager, Dolphin.
  46. Advanced Wireless Security: Use End-to-End Encryption. This means that the whole conversation is encrypted, from your PC to the service you’re talking to. Examples: Secure Sockets Layer (SSL) provides private communication with web servers; Secure Shell (SSH) allows remote login to another computer.
  47. Advanced Wireless Security: Implement Virtual LAN (VLAN). A VLAN is a group of logically networked devices on one or more LANs that are configured so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments.
  48. Advanced Wireless Security: Virtual LAN
  49. Advanced Wireless Security: Use Virtual Private Network (VPN) technology. All traffic goes through a single encrypted connection.
  50. Advanced Wireless Security: Use Remote Authentication Dial In User Service (RADIUS), a networking protocol that provides centralized Authentication, Authorization, and Accounting management for computers to connect to and use a network service.
  51. Advanced Wireless Security: RADIUS
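Slide 33 states that "SSID hiding" does not hide anything because other 802.11 frames still carry the network name. The following added example (written for this page, not part of the lecture) parses the SSID information element out of constructed 802.11 management frame bodies and shows that a beacon with a blanked SSID is the only frame that conceals it. It assumes the four other mechanisms the slide refers to are the probe request, probe response, association request and reassociation request frames; the slide does not name them, and the frame bodies, timestamp and channel values are constructed sample data, not captures.

```python
import struct

# 802.11 management frame subtypes (values from the frame control field)
ASSOC_REQ, REASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0, 2, 4, 5, 8

# Bytes of fixed fields that precede the tagged parameters in each frame body
FIXED_FIELD_LEN = {
    ASSOC_REQ: 4,     # capability(2) + listen interval(2)
    REASSOC_REQ: 10,  # capability(2) + listen interval(2) + current AP address(6)
    PROBE_REQ: 0,
    PROBE_RESP: 12,   # timestamp(8) + beacon interval(2) + capability(2)
    BEACON: 12,
}
SSID_ELEMENT_ID = 0


def parse_information_elements(data):
    """Walk the tagged parameters (id, length, value) and return a list of (id, value)."""
    elements = []
    i = 0
    while i + 2 <= len(data):
        eid, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:  # truncated element: stop rather than mis-parse
            break
        elements.append((eid, value))
        i += 2 + length
    return elements


def ssid_from_management_body(subtype, body):
    """SSID carried in a frame body: '' when the element is empty (hidden), None when absent."""
    offset = FIXED_FIELD_LEN[subtype]
    for eid, value in parse_information_elements(body[offset:]):
        if eid == SSID_ELEMENT_ID:
            return value.decode("utf-8", errors="replace")
    return None


def element(eid, value):
    return bytes([eid, len(value)]) + value


def build_body(subtype, ssid):
    """Construct a minimal management frame body (constructed sample data, not a capture)."""
    if subtype in (BEACON, PROBE_RESP):
        fixed = struct.pack("<QHH", 0x1122334455667788, 100, 0x0431)
    elif subtype == ASSOC_REQ:
        fixed = struct.pack("<HH", 0x0431, 10)
    elif subtype == REASSOC_REQ:
        fixed = struct.pack("<HH", 0x0431, 10) + bytes.fromhex("020000000001")
    else:
        fixed = b""
    rates = element(1, bytes([0x82, 0x84, 0x8B, 0x96]))  # supported rates
    channel = element(3, bytes([6]))                       # DS parameter set: channel 6
    return fixed + element(SSID_ELEMENT_ID, ssid.encode()) + rates + channel


def hidden_ssid_survey(network_name):
    """Which frame types still carry the SSID when the AP blanks it in its beacons."""
    frames = [
        ("beacon (SSID suppressed by AP)", BEACON, build_body(BEACON, "")),
        ("probe request (client)", PROBE_REQ, build_body(PROBE_REQ, network_name)),
        ("probe response (AP)", PROBE_RESP, build_body(PROBE_RESP, network_name)),
        ("association request (client)", ASSOC_REQ, build_body(ASSOC_REQ, network_name)),
        ("reassociation request (client)", REASSOC_REQ, build_body(REASSOC_REQ, network_name)),
    ]
    return {label: ssid_from_management_body(subtype, body) for label, subtype, body in frames}


if __name__ == "__main__":
    for label, ssid in hidden_ssid_survey("LibraryWiFi").items():
        print(f"{label:34s} SSID={ssid!r}")
```

Only the beacon comes back empty; every other frame in the survey carries the name, which is why the slide treats hidden SSIDs as a usability cost with no security benefit.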
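Slides 26 and 30 describe rogue and "evil twin" access points, and slide 37 recommends periodically surveying the site for them. The following added example (not from the lecture) is the comparison step that such a survey needs: it checks a scan of nearby access points against an inventory of the library's own radios and flags an unknown radio advertising the library's SSID, an authorised radio whose security setting no longer matches the inventory, and a strong open or WEP network that is probably inside the building. The inventory, the BSSIDs and the scan lines are constructed sample values, and the CSV layout is mine rather than the output format of NetStumbler or any other tool.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanEntry:
    ssid: str
    bssid: str
    channel: int
    signal_dbm: int
    security: str  # OPEN, WEP, WPA or WPA2


# Inventory of the library's own access points: BSSID -> (SSID, channel, security).
# Constructed sample values, not real hardware addresses.
AUTHORISED_APS = {
    "00:11:22:33:44:01": ("LibraryWiFi", 1, "WPA2"),
    "00:11:22:33:44:02": ("LibraryWiFi", 6, "WPA2"),
    "00:11:22:33:44:03": ("LibraryWiFi", 11, "WPA2"),
}

# Constructed survey output in a simple CSV layout (not the output of any real tool).
SAMPLE_SCAN = """
# ssid, bssid, channel, signal dBm, security
LibraryWiFi,   00:11:22:33:44:01, 1,  -48, WPA2
LibraryWiFi,   00:11:22:33:44:02, 6,  -55, WPA2
LibraryWiFi,   00:11:22:33:44:03, 11, -61, WEP
LibraryWiFi,   AA:BB:CC:DD:EE:FF, 6,  -35, OPEN
CoffeeCorner,  66:77:88:99:AA:BB, 11, -80, WPA2
Staff-Printer, DE:AD:BE:EF:00:01, 1,  -42, OPEN
"""


def parse_scan(text):
    """Turn the CSV survey lines into ScanEntry records, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, channel, signal, security = (f.strip() for f in line.split(","))
        entries.append(ScanEntry(ssid, bssid.lower(), int(channel), int(signal), security.upper()))
    return entries


def audit_scan(entries, authorised=AUTHORISED_APS, our_ssid="LibraryWiFi", indoor_threshold_dbm=-60):
    """Compare a survey against the AP inventory; return (severity, bssid, message) findings."""
    findings = []
    for e in entries:
        known = authorised.get(e.bssid)
        if known is not None:
            exp_ssid, exp_channel, exp_security = known
            if e.security != exp_security:
                findings.append(("HIGH", e.bssid,
                                 f"authorised AP advertises {e.security}, inventory says {exp_security}"))
            if e.ssid != exp_ssid:
                findings.append(("HIGH", e.bssid,
                                 f"authorised AP advertises SSID {e.ssid!r}, expected {exp_ssid!r}"))
            if e.channel != exp_channel:
                findings.append(("LOW", e.bssid,
                                 f"authorised AP on channel {e.channel}, inventory says {exp_channel}"))
        elif e.ssid == our_ssid:
            # An unknown radio using our network name: a rogue AP or evil twin
            findings.append(("CRITICAL", e.bssid,
                             f"unknown BSSID advertising {our_ssid!r} on channel {e.channel} "
                             f"at {e.signal_dbm} dBm ({e.security})"))
        elif e.security in ("OPEN", "WEP") and e.signal_dbm >= indoor_threshold_dbm:
            # A strong unsecured signal is probably inside the building; check whether it is on our LAN
            findings.append(("MEDIUM", e.bssid,
                             f"strong {e.security} network {e.ssid!r} at {e.signal_dbm} dBm, "
                             "check whether it is plugged into our wired network"))
    return findings


def summarise(findings):
    """Count findings per severity so a survey can be compared with the previous one."""
    return {sev: sum(1 for s, _, _ in findings if s == sev) for sev in ("CRITICAL", "HIGH", "MEDIUM", "LOW")}


if __name__ == "__main__":
    for severity, bssid, message in audit_scan(parse_scan(SAMPLE_SCAN)):
        print(f"[{severity}] {bssid}: {message}")
```

The signal threshold is a rough stand-in for "inside the building"; in practice the survey should be walked through the site and the threshold tuned to the building, and a finding on an authorised BSSID should be checked against the AP's configuration before assuming the radio was replaced.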
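Slide 37 says to change the SSID and slide 44 says to prefer WPA over WEP, noting that WPA passphrases are not restricted to a small character set. The following added example (mine, not from the lecture) makes both points concrete for WPA/WPA2-Personal: the pairwise master key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, so the same passphrase yields a different key on a renamed network, and the passphrase may be any 8 to 63 printable ASCII characters, whereas a WEP key is a fixed-length string of hex digits. It also carries slide 39's character-class advice as a small helper. The passphrases and SSIDs below are constructed sample values; the one known-answer check in the test uses the IEEE 802.11i test vector for passphrase "password" and SSID "IEEE".

```python
import hashlib
import string


def is_valid_wep_key(key):
    """WEP keys are raw hex: 10 hex digits (40-bit, sold as '64-bit') or 26 (104-bit, '128-bit')."""
    return len(key) in (10, 26) and all(c in string.hexdigits for c in key)


def is_valid_wpa_passphrase(passphrase):
    """WPA/WPA2-Personal passphrases: 8 to 63 printable ASCII characters, any mix of classes."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def passphrase_character_classes(passphrase):
    """How many of the four classes from slide 39 (lower, upper, digit, symbol) the passphrase uses."""
    classes = (
        any(c.islower() for c in passphrase),
        any(c.isupper() for c in passphrase),
        any(c.isdigit() for c in passphrase),
        any(c in string.punctuation for c in passphrase),
    )
    return sum(classes)


def wpa_psk(passphrase, ssid):
    """Pre-shared key for WPA-Personal: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    if not is_valid_wpa_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def ssid_change_changes_key(passphrase, old_ssid, new_ssid):
    """Renaming the network changes the derived key even when the passphrase stays the same."""
    return wpa_psk(passphrase, old_ssid) != wpa_psk(passphrase, new_ssid)


if __name__ == "__main__":
    # Constructed sample passphrase and SSIDs
    phrase = "Reading Room 3rd Floor!"
    print("classes used:", passphrase_character_classes(phrase))
    print("PSK on default SSID :", wpa_psk(phrase, "default").hex())
    print("PSK on library SSID :", wpa_psk(phrase, "LibraryWiFi").hex())
    print("key changed by SSID :", ssid_change_changes_key(phrase, "default", "LibraryWiFi"))
```

Because the SSID salts the derivation, any table of keys precomputed for a vendor's default network name is useless against a network that has been renamed, which is a concrete reason behind slide 37's "change the SSID" advice beyond mere tidiness.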
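Slide 50 describes RADIUS as the protocol that gives a network centralized Authentication, Authorization and Accounting. The following added example (mine, not from the lecture) shows the basic exchange from RFC 2865 with both sides in one file: the access point builds an Access-Request with a random Request Authenticator and a hidden User-Password, the server unhides the password, checks it against one central account list, and answers with an Access-Accept or Access-Reject whose Response Authenticator the access point verifies with the shared secret. The shared secret and the account list are constructed sample values. Real WLAN deployments normally run EAP over RADIUS (IEEE 802.1X) rather than the plain User-Password attribute shown here, and the MD5-based password hiding is the weak point of this older mode, so treat the block as a protocol walkthrough rather than a deployment recipe.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", request_authenticator
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block  # the ciphertext block feeds the next mask
    return out


def unhide_password(hidden, secret, request_authenticator):
    """Server-side inverse of hide_password."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype, value):
    """One Type-Length-Value attribute; the length counts its own two header bytes."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(identifier, username, password, secret, authenticator=None):
    """What the access point (the NAS) sends to the RADIUS server."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet):
    """Split a packet into (code, identifier, authenticator, {type: value}); reject bad lengths."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, i = {}, HEADER_LEN
    while i < length:
        if i + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return code, identifier, packet[4:HEADER_LEN], attrs


def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, identifier, request_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def radius_server(request, secret, accounts):
    """The central decision point: every AP forwards here, so one account list governs the site."""
    _, _, request_auth, attrs = parse_packet(request)
    username = attrs.get(ATTR_USER_NAME, b"")
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = accounts.get(username)
    accepted = expected is not None and hmac.compare_digest(expected, password)
    return build_response(ACCESS_ACCEPT if accepted else ACCESS_REJECT, request, secret)


def verify_response(response, request, secret):
    """NAS-side check: the reply matches our identifier and was built with the shared secret."""
    header, response_auth, attrs = response[:4], response[4:HEADER_LEN], response[HEADER_LEN:]
    expected = hashlib.md5(header + request[4:HEADER_LEN] + attrs + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(response_auth, expected)


# Constructed sample account list and shared secret (not real credentials)
ACCOUNTS = {b"patron1": b"bookworm2009", b"librarian": b"card-catalog!"}
SHARED_SECRET = b"example-shared-secret"


def demo(username, password, identifier=7):
    """Run one full exchange and return (response code, response authenticator valid)."""
    request = build_access_request(identifier, username, password, SHARED_SECRET)
    response = radius_server(request, SHARED_SECRET, ACCOUNTS)
    return response[0], verify_response(response, request, SHARED_SECRET)


if __name__ == "__main__":
    print(demo(b"patron1", b"bookworm2009"))  # (2, True): Access-Accept
    print(demo(b"patron1", b"wrong"))         # (3, True): Access-Reject
```

The point for a library is in `radius_server`: adding or revoking a patron happens once, in the server's account list, and every access point that forwards to it picks the change up immediately, instead of each AP keeping its own copy of the credentials.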