
Wireless LAN Deployment Best Practices

Wireless LAN Deployment Best Practices presentation for ISACA Singapore 2005/08/19



1. Wireless LAN Deployment Best Practices
   Michael Boman, IT Security Researcher & Developer
   http://proxy.11a.nu | proxy@11a.nu

2. What We Will Cover
   - Wireless concepts
   - Security issues with wireless networks
   - Attacks against wireless networks
   - Countermeasures
   - Q & A

3. Wireless Basics
   - 802.11 ("WiFi") networks are typically implemented either as a standalone network or to extend an existing wired network.
   - The most common wireless configurations found today are:
     - Ad hoc mode
     - Infrastructure mode

4. Terminology
   - Frame: the unit of data transmitted over the physical medium
   - Access point (AP): a device attached to the wired network that provides wireless access to users
   - Service set: a group of access points working together to provide access
   - SSID: the string identifying a service set
   - BSSID: the MAC address of the access point in question

5. The different 802.11 Standards
   - 802.11b
     - Operates in the 2.4 GHz band
     - Maximum theoretical data rate of 11 Mbps
     - In a typical office environment its maximum range is about 75 meters at the lowest speed, but at the higher speeds the range drops to about 30 meters.

6. The different 802.11 Standards
   - 802.11a
     - Operates in the 5 GHz band
     - Maximum theoretical data rate of 54 Mbps
     - In a typical office environment its maximum range is about 50 meters at the lowest speed, but at the higher speeds the range is less than 25 meters.

7. The different 802.11 Standards
   - 802.11g
     - Operates in the 2.4 GHz band
     - Maximum theoretical data rate of 54 Mbps
     - Backward compatible with 802.11b

8. The different 802.11 Standards
   - 802.11i
     - Security amendment to 802.11, ratified in June 2004 (WPA2 is the Wi-Fi Alliance certification for products that implement it).
     - Covers the encrypted transmission of data on 802.11a, 802.11b and 802.11g WLANs.
     - Defines two new confidentiality protocols: the Temporal Key Integrity Protocol (TKIP), a WEP-compatible stopgap for existing hardware, and CCMP, which is built on the Advanced Encryption Standard (AES). Authentication and key management use 802.1X/EAP or a pre-shared key, followed by a four-way handshake that derives per-session keys.

9. The different 802.11 Standards
   - 802.1X
     - IEEE standard for port-based access control on wired and wireless LANs: a device is authenticated and authorized before its LAN port (or wireless association) is allowed to carry traffic.
     - 802.1X does not define the Extensible Authentication Protocol (EAP) itself; EAP is an IETF protocol. 802.1X carries EAP between the client and the access point (EAP over LAN), and the access point relays it to a central authentication server, usually over RADIUS, which authenticates each user.

10. Concepts of the 802.11 MAC layer
   - Three types of frames
     - Management
       - Access control: authentication, association
       - Media detection: beaconing, probing
     - Data
       - Carry higher-layer data to or from the access point
     - Control
       - Acknowledge receipt of data frames
       - Reserve the medium for long frame exchanges

11. Concepts of the 802.11 MAC layer
   - The client authenticates to a service set
     - Before access, not throughout the session
     - Shared-key authentication or open system (no key). Shared-key authentication actually weakens WEP: the clear-text challenge and its encrypted response hand a sniffer a block of keystream.
   - The client associates to an access point
   - Clients disassociate from one AP and re-associate to another as they move

12. Ad Hoc Networks
   - Also referred to as an "Independent Basic Service Set" (IBSS)
   - Provides peer-to-peer communication between two or more wireless devices without an AP
   - This is the default setting on most wireless cards

13. Ad hoc mode or IBSS configuration (diagram: a cell of wireless laptop computers talking directly to each other)

14. Infrastructure Networks
   - Also known as a "Basic Service Set" (BSS)
   - Requires an access point and at least one wireless client
   - Connections are initiated with the proper Service Set Identifier (SSID), which is entered manually on the AP and on each client (not scalable). The SSID is an identifier, not a secret.
   - Sometimes Wired Equivalent Privacy (WEP) encryption keys are also configured (used about 30% of the time)

15. Infrastructure mode or BSS configuration (diagram: wireless laptop computers associated to a wireless access point that bridges to the internal LAN)

16. Security Issues

17. Antenna Signal
   - Walls and doors do not provide sufficient containment of the wireless signal. An access point (AP) placed inside a typical office can transmit a signal up to 300 meters.
     - 100 meters in any direction will usually put you on a road, in a neighboring office or in a parking lot.
     - Vertical threats such as offices above and below should also be taken into consideration when selecting the AP's location.
     - Attackers will war-drive at lunch looking for APs used in conference rooms.

18. Antenna Signal
   - An attacker can compensate for your weak signal with a directional antenna and/or an amplifier.
   - At DefCon 13 (2005) a group of enthusiasts set up an unamplified 802.11 link over a distance of 201 km.

19. 802.11 Design Flaws
   - Management and control frames are not encrypted
     - They can be spoofed without knowledge of the WEP key
   - Weak authentication of the station
     - Easy to get access to the wireless medium
   - No authentication of the AP to the station
     - A station cannot prove that an AP is legitimate
   - A limited number of stations can use a single AP
     - An attacker can overflow an AP's association table to prevent wireless access

20. SSID
   - Some believe that a complicated SSID makes it difficult for an unauthorized user to gain access to their AP.
     - SSIDs are passed in the clear, even when WEP is enabled.
     - It is trivial to download free software from the Internet designed to intercept SSIDs from wireless traffic.

21. SSID (slide image)

22. SSID (slide image)

23. Access Control
   - Access control at the MAC (Media Access Control) layer
   - Most administrators feel that MAC-address filtering provides adequate security by allowing only clients with permitted MAC addresses to connect to the wireless network.
     - MAC addresses are passed in the clear
     - MAC addresses can easily be changed

24. Wired Equivalent Privacy (WEP)
   - Should stand for "What on Earth does this Protect"
   - Provides encryption for data frames only
   - At most a deterrent on small, limited-use networks
   - Don't depend on it for data security
   - WEP gives administrators a false sense of security.

25. Wired Equivalent Privacy (WEP)
   - Even when WEP is properly configured and deployed on a wireless network, it is still trivial to break the encryption and gain access to the AP.
     - WEP keys are static and configured manually (not a scalable solution)
     - WEP requires the same secret key to be shared by all wireless users within the cell
     - The design itself is broken: RC4 is seeded with the key and a 24-bit initialisation vector (IV) sent in the clear, so the IV space is exhausted after 16.7 million frames, IV collisions (keystream reuse) occur far sooner, and weak-key attacks (FMS, 2001) recover the key from captured traffic
     - Free software on the Internet is available to crack the encryption
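The keystream-reuse point on slide 25 made concrete, as an added example (not from the original presentation): two WEP frames encrypted under the same IV and key share an RC4 keystream, so XOR-ing the ciphertexts cancels the keystream and the fixed LLC/SNAP header at the start of every IP frame gives away the rest. The WEP key, IV and frame contents are constructed; the RC4 implementation is the standard algorithm, and the CRC-32 ICV that real WEP appends is omitted because it does not change the property shown.

```python
import math

# Added example (not from the original presentation): why WEP's 24-bit IV is
# fatal. Two frames encrypted under the same IV and key share an RC4 keystream,
# so XOR-ing the ciphertexts cancels the keystream and leaves the XOR of the
# plaintexts. The key, IV and frame contents below are constructed.


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, wep_key: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: RC4 seeded with IV || key. The IV travels in the clear in
    the frame header, and nothing stops a client from reusing it. The CRC-32
    ICV of real WEP is omitted; it does not change the keystream-reuse property."""
    if len(iv) != 3:
        raise ValueError("WEP uses a 24-bit IV")
    return xor(plaintext, rc4(iv + wep_key, len(plaintext)))


# Every IP-over-802.11 data frame starts with this LLC/SNAP header, the classic
# source of known plaintext against WEP.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")

WEP_KEY = b"c0ffee-key-13"             # constructed 104-bit (13-byte) key
IV = b"\x01\x02\x03"                   # the same IV is used for both frames below
FRAME_A = LLC_SNAP_IP + b"GET /index.html HTTP/1.0\r\n"
FRAME_B = LLC_SNAP_IP + b"USER alice\r\nPASS hunter2\r\n"


def recover_with_known_plaintext(c_known: bytes, c_target: bytes, p_known: bytes) -> bytes:
    """Given two ciphertexts under one keystream and the plaintext of the first,
    recover as much of the second plaintext as the known part covers."""
    return xor(xor(c_known, c_target), p_known)


def keystream_from_known_plaintext(ciphertext: bytes, plaintext: bytes) -> bytes:
    """Known plaintext also yields keystream directly, enough to forge a frame
    of that length under the same IV without knowing the key."""
    return xor(ciphertext, plaintext)


def iv_collision_expected_frames() -> float:
    """Birthday bound: expected number of frames before two random 24-bit IVs collide."""
    return math.sqrt(math.pi / 2 * 2 ** 24)


if __name__ == "__main__":
    c_a = wep_encrypt(IV, WEP_KEY, FRAME_A)
    c_b = wep_encrypt(IV, WEP_KEY, FRAME_B)
    print(recover_with_known_plaintext(c_a, c_b, FRAME_A))
    print(f"about {iv_collision_expected_frames():.0f} frames until an IV collision is likely")
```

With random IVs a collision is expected after roughly five thousand frames, and many cards of the period reset the IV to zero on power-up and count upwards, which makes reuse far more frequent than the birthday bound suggests. The weak-key (FMS) attack that recovers the key itself is a separate, statistical attack and is not shown here.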
26. Wi-Fi Protected Access (WPA)
   - The Wi-Fi Alliance put together WPA as a data encryption method for 802.11 wireless LANs.
   - WPA is a pre-standard subset of 802.11i built on the Temporal Key Integrity Protocol (TKIP), which fixes the known problems of WEP (per-packet keys, a 48-bit IV, a keyed integrity check) while still running on existing WEP hardware.
   - WPA was the bridge until 802.11i was ratified (June 2004); WPA2 certifies the full standard with AES-CCMP and should be preferred on hardware that supports it.
   - In pre-shared-key mode (WPA-PSK) the key is derived from the passphrase and the SSID, and a captured four-way handshake allows an offline dictionary attack, so short passphrases are a weakness of WPA-PSK deployments, not of TKIP itself.

27. Extensible Authentication Protocol (EAP)
   - EAP is an authentication framework (IETF, RFC 3748) carried by 802.1X between the wireless client and the access point (AP) and relayed by the AP to a RADIUS server.
   - EAP has a number of variants, including:
     - EAP-MD5 (no mutual authentication and no key derivation; unsuitable for wireless)
     - EAP-Tunneled TLS (EAP-TTLS)
     - Lightweight EAP (LEAP, Cisco proprietary; its challenge/response is open to offline dictionary attacks)
     - Protected EAP (PEAP)
     - EAP-TLS (certificate-based mutual authentication)
   - Whichever tunneled method is chosen, clients must validate the server certificate; otherwise a rogue AP with its own RADIUS server can harvest credentials.

28. User Network Access Controls
   - One area that is commonly overlooked is the ability to regulate internal network access.
     - Most users have varying levels of access to internal resources.
     - All wireless users could potentially be entering the network through the same wireless AP.

29. Business Risks of Wireless LANs
   - A wireless attacker could affect your business in the following ways:
     - Ability to destroy data
     - Ability to steal proprietary data from client workstations and servers
     - Disruption of network service through corruption of network devices
   - RISK: inability to meet core business and customer needs, which could lead to loss of revenue

30. Security Risks INTRODUCED by Wireless Technology
   - Rogue access points
   - Clients communicating in ad hoc mode
   A Computerworld survey estimates that at least 30 percent of businesses have rogue wireless LANs.

31. Rogue Device Threat
   - Can make your network vulnerable...
     - Even with a secure wireless network
     - Even if you have no wireless network
   - Both access points and clients are dangerous
   - Goal
     - Protect network jacks
     - Identify unauthorized wireless devices

32. Rogue Access Points
   - Placing an AP on the inside of your network extends its reach past any physical barriers or controls.
     - APs are small and take only a few minutes to connect to your internal network
     - The level of sophistication needed to install an AP is low

33. Denial of Service
   - A user with malicious intent could configure a client to bombard the AP with thousands of connection requests, eventually leading to the complete shutdown of the targeted AP.
   - RF noise generation: an arc welder, a homemade jamming device
   - Eventual saturation of the band by RF devices: Bluetooth, 802.11b and 802.11g devices, etc.

34. Security Risks of Wireless LANs
   - Easier for unauthorized devices to attach to a wireless network
     - No physical access needed
     - Many organizations don't apply security
     - Free wireless hacking tools are readily available
   - Internal systems are usually not as secure as external or DMZ systems

35. The point? Wireless is insecure by its very nature.

36. Tools of the Trade

37. Hardware (photo: wireless card and antenna)

38. Hardware
   - War-driving rig: laptop, wireless card and antenna

39. Software
   - Types of monitoring tools
     - Stumbling
     - Sniffing
     - Handheld
   - Hacking tools
     - WEP cracking
     - ARP spoofing

40. Stumbling Tools
   - Stumbling tools identify the presence of wireless networks. They listen for beacons from access points, and also broadcast client probe requests and wait for access points to respond.

41. Sniffing Tools
   - Sniffing tools capture the traffic of a wireless network so the data passed over the air can be viewed.

42. Handheld Tools
   - Handheld tools are more portable and provide wireless network identification and network status monitoring.

43. Hacking Tools
   - Hacking tools are for targeted attacks to gain access to secured wireless networks.

44. Attacks against Wireless Networks

45. Leeching access
   - Easy to do
     - Laptop and wireless card
     - Scanning tools help, but are not required
   - Hard to track down
     - Who wants to, or can afford to, triangulate a signal?
   - Biggest security implication
     - Joe Kiddie (not Osama) can run scans and exploit hosts
     - It won't get traced back to daddy's cable modem
   - But admins can "cripple" the wireless segment
     - Rate limiting
     - Filter naughty packets

46. Wireless Auto Configuration Algorithm
   - First, the client builds a list of available networks
     - It sends a broadcast Probe Request on each channel

47. Wireless Auto Configuration Algorithm
   - Access points within range respond with Probe Responses

48. Wireless Auto Configuration Algorithm
   - If Probe Responses are received for networks in the preferred networks list:
     - Connect to them in preferred-networks-list order
   - Otherwise, if no available network matches a preferred network:
     - Specific Probe Requests are sent for each preferred network in case the networks are "hidden"

49. Wireless Auto Configuration Algorithm
   - If still not associated and there is an ad hoc network in the preferred networks list, create that network and become its first node
     - Use a self-assigned (APIPA) address in 169.254.0.0/16

50. Wireless Auto Configuration Algorithm
   - Finally, if "Automatically connect to non-preferred networks" is enabled (disabled by default), connect to networks in the order they were detected
   - Otherwise, wait for the user to select a network
     - Continue scanning for networks

51. Attacking Wireless Auto Configuration
   - The attacker spoofs a disassociation frame to the victim
   - The client sends broadcast and specific Probe Requests again
     - The attacker discovers the networks in the Preferred Networks list (e.g. linksys, MegaCorp, t-mobile)

52. Attacking Wireless Auto Configuration
   - The attacker creates a rogue access point with SSID MegaCorp

53. Attacking Wireless Auto Configuration
   - The victim associates to the attacker's fake network
     - Even if the preferred network was configured for WEP (Windows XP with no service pack)
   - The attacker can supply the DHCP, DNS, ... servers

54. Wireless Auto Configuration Attacks
   - Join an ad hoc network created by the target
     - Sniff the network to discover the self-assigned 169.254.x.x address and attack
   - Create a more preferred network
     - Spoof disassociation frames to make clients restart the scanning process
     - Sniff Probe Requests to discover preferred networks
     - Create a network with an SSID taken from a Probe Request
   - Create a stronger signal for the currently associated network
     - While associated to a network, clients send Probe Requests for the same network to look for a stronger signal
   - You can be 0wned (compromised) while watching a DVD on a plane!

55. A Tool to Automate the Attack
   - Track clients by MAC address
     - Identify state: scanning/associated
     - Record preferred networks by capturing Probe Requests
     - Display the signal strength of packets from the client
   - Target specific clients and create a network they will automatically associate to
   - Compromise the client and let it rejoin its original network
     - Connect back out over the Internet to the attacker
     - Launch a worm inside the corporate network
     - Etc.
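The "record preferred networks by capturing Probe Requests" step of slides 51 to 55, as an added example (this is not the presenter's tool): a parser for 802.11 probe request frames and a per-client tracker that keeps the SSIDs each station probes for, in the order it walks its preferred networks list. The frames fed in are constructed with build_probe_request(); a real run would take them from a monitor-mode capture, and the MAC addresses and SSIDs are made up.

```python
import struct
from collections import OrderedDict

# Added example (not the tool the slides describe): parse 802.11 probe request
# frames and keep, per client MAC, the SSIDs it probes for. Frames below are
# constructed with build_probe_request(); MACs and SSIDs are made up.

MGMT_HDR = struct.Struct("<HH6s6s6sH")   # frame control, duration, addr1, addr2, addr3, seq ctrl
SUBTYPE_PROBE_REQ = 0x40                 # frame control low byte: type 0 (management), subtype 4
EID_SSID = 0
EID_SUPPORTED_RATES = 1


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_probe_request(src_mac: str, ssid: str, seq: int = 0) -> bytes:
    """Construct a probe request as a client would send it (test input).
    An empty ssid produces the broadcast ("any network") probe."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    bcast = b"\xff" * 6
    hdr = MGMT_HDR.pack(SUBTYPE_PROBE_REQ, 0, bcast, src, bcast, seq << 4)
    ssid_b = ssid.encode()
    body = bytes([EID_SSID, len(ssid_b)]) + ssid_b
    body += bytes([EID_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mbps
    return hdr + body


def parse_probe_request(frame: bytes):
    """Return (client_mac, ssid) for a probe request, or None for any other frame."""
    if len(frame) < MGMT_HDR.size:
        return None
    fc, _dur, _addr1, addr2, _addr3, _seq = MGMT_HDR.unpack_from(frame)
    if (fc & 0x00FC) != SUBTYPE_PROBE_REQ:   # mask off the protocol version bits
        return None
    body = frame[MGMT_HDR.size:]
    pos = 0
    while pos + 2 <= len(body):              # walk the tagged parameters
        eid, elen = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + elen]
        if len(data) < elen:                 # truncated element: stop rather than over-read
            break
        if eid == EID_SSID:
            return mac_to_str(addr2), data.decode("utf-8", "replace")
        pos += 2 + elen
    return mac_to_str(addr2), ""             # no SSID element: treat as a broadcast probe


class PreferredNetworkTracker:
    """Per-client list of probed SSIDs in the order first seen, which mirrors the
    order in which the client walks its preferred networks list."""

    def __init__(self):
        self.clients = OrderedDict()          # client mac -> [ssid, ...]

    def observe(self, frame: bytes):
        parsed = parse_probe_request(frame)
        if parsed is None:
            return None
        mac, ssid = parsed
        ssids = self.clients.setdefault(mac, [])
        if ssid and ssid not in ssids:        # ignore broadcast probes and repeats
            ssids.append(ssid)
        return mac, ssid

    def rogue_ssid_for(self, mac: str):
        """SSID a rogue AP would advertise to pull this client in: the first named
        network it probed for, or None if it only sent broadcast probes."""
        ssids = self.clients.get(mac, [])
        return ssids[0] if ssids else None


if __name__ == "__main__":
    tracker = PreferredNetworkTracker()
    for name in ["", "linksys", "MegaCorp", "t-mobile"]:
        tracker.observe(build_probe_request("00:0c:29:aa:bb:cc", name))
    print(dict(tracker.clients))
```

The same parser is the defender's starting point for the WIDS sensors on slide 75: a corporate laptop that probes for "linksys" or "t-mobile" from inside the building is exactly the client a rogue AP will pick off, and the fix is to prune its preferred networks list.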
56. Creating An ALL SSIDs Network
   - Can we attack multiple clients at once?
   - We want a network that responds to Probe Requests for any SSID
   - Prism II HostAP mode handles Probe Requests in firmware and doesn't pass them to the driver
   - Atheros chipsets have no firmware, and the HAL has been reverse-engineered into a fully open-source replacement capable of monitor mode and host AP mode

57. Creating a FishNet
   - We want a network where we can observe clients in a "fishbowl" environment
   - Once victims associate to the wireless network, they acquire a DHCP address
   - We run our own DHCP server
     - We are also the DNS server and the router

58. FishNet Services
   - When the wireless link becomes active, client software activates and attempts to connect, reconnect, etc. without requiring user action
   - Our custom DNS server replies with our IP address for every query
   - We also run "trap" web, mail and chat services
     - Fingerprint client software versions
     - Steal credentials
     - Exploit client-side application vulnerabilities
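The DNS half of the FishNet on slides 57 and 58, as an added example (not the presenter's tool): a catch-all resolver that answers every A query with our own address, so whatever the client software tries to reach (mail server, update site, chat server) lands on the trap services, and logs the queried names, which are themselves the fingerprinting feed. TRAP_IP, the names and the sample query are constructed; the packet format follows RFC 1035.

```python
import socket
import struct

# Added example (not the presenter's tool): the DNS half of the "FishNet".
# Every A query is answered with TRAP_IP so whatever the client tries to reach
# lands on our trap services. TRAP_IP, names and the sample query are constructed.

TRAP_IP = "10.66.0.1"   # assumption: our own address on the fake network


def encode_name(name: str) -> bytes:
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(packet: bytes, offset: int):
    """Decode an uncompressed name at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed client query, shaped like a stub resolver's (RD set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def catch_all_response(query: bytes, answer_ip: str = TRAP_IP, ttl: int = 30):
    """Return (name, qtype, response). A/IN queries get answer_ip; any other
    type gets NOERROR with no answers so the client falls back to A."""
    if len(query) < 12:
        raise ValueError("short DNS packet")
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, end = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    answer, ancount = b"", 0
    if qtype == 1 and qclass == 1:
        answer = (b"\xc0\x0c"                       # pointer to the name at offset 12
                  + struct.pack("!HHIH", 1, 1, ttl, 4)
                  + socket.inet_aton(answer_ip))
        ancount = 1
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)  # QR, RD, RA, NOERROR
    return name, qtype, header + question + answer


def parse_response(resp: bytes) -> dict:
    """Decode our own response: header counters and the A-record addresses."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    _name, pos = decode_name(resp, 12)
    pos += 4                                        # qtype, qclass
    ips = []
    for _ in range(an):                             # each RR: 2-byte name pointer + 10 fixed + rdata
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos + 2:pos + 12])
        if rtype == 1:
            ips.append(socket.inet_ntoa(resp[pos + 12:pos + 12 + rdlen]))
        pos += 12 + rdlen
    return {"txid": txid, "flags": flags, "qdcount": qd, "ancount": an, "ips": ips}


def serve(bind_ip: str = "0.0.0.0", port: int = 53):
    """Answer every query on UDP/53 (needs privileges; not run on import).
    The printed names are the fingerprinting feed: update checks, mail and chat
    servers reveal which client software the victim runs."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, client = sock.recvfrom(512)
        try:
            name, qtype, resp = catch_all_response(data)
        except (ValueError, IndexError):
            continue                                # malformed query: ignore it
        print(f"{client[0]} asked for {name} (type {qtype})")
        sock.sendto(resp, client)


if __name__ == "__main__":
    serve()
```

Answering non-A queries with an empty NOERROR rather than an error matters in practice: a client that gets SERVFAIL for AAAA may give up, while an empty answer makes it retry with A and walk straight into the trap.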
59. Client-Side Application Vulnerabilities
   - Recent client-side vulnerabilities
     - Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege
     - Vulnerability in JView Profiler Could Allow Remote Code Execution
     - Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution
     - Vulnerability in Server Message Block Could Allow Remote Code Execution
     - ...
   - Exploits can make use of the fingerprinting information

60. Beating access control
   - MAC address spoofing
     - Sniff or brute-force legitimate MAC addresses
     - Return and use those addresses later
   - Crack the WEP key with known tools (hours to days with passive capture; well under an hour when packet injection is used to generate traffic)
     - Or just find one of the multitude of available APs without WEP...

61. Denial of service
   - Forge disassociations
     - Deny an individual station access
     - Also used to hijack sessions
   - Forge lots of associations
     - Saturate an access point
     - The access point will stop accepting associations
   - Forge lots of beacon frames
     - Creates the illusion of access points that don't exist
     - Can also throw off a war driver seeking access

62. Session hijacking
   - Disassociate the client
   - Take over any desired existing network session
   - A new venue for known transport-layer session hijacking

63. Man in the middle
   - Impersonate an access point
   - Tamper with the data
   - Pass it on to the legitimate access point
   - Existing SSH, SSL and other MITM tools also have a new venue on 802.11

64. Home Users (diagram: a wireless access point with two "Hack-me" clients)

65. Corporate Networks (diagram: a wireless hacker reaching Accounting and Payroll through the wireless access point and the switch)

66. Corporate Networks (diagram, continued)

67. Corporate Networks
   - ARP cache attacks can also be launched against:
     - Wireless clients connected to the AP
     - Wireless clients and wired clients
     - Wireless home users ("couch networks")
     - And many other combinations

68. Telecommuters (diagram)

69. Countermeasures

70. SEC-U-R-IT-Y: the key to security awareness is embedded in the word itself (U R IT). If not you, who? If not now, when?

71. Countermeasures
   - Holistic approach
     - Prevention
     - Identification
     - Response

72. Prevention
   - Create a separate wireless security policy
   - Do a complete site survey before placing APs
   - Wireless networks should always be treated as untrusted and never placed behind the corporate firewall
   - Use MAC-layer filtering (a speed bump only; slide 23 shows why)
   - Be sure to change the SSID from the default value and disable SSID broadcasting if possible

73. Prevention
   - Use encryption, even WEP (low-hanging-fruit theory: attackers pick the easiest target), and prefer WPA or WPA2 where the hardware supports it
   - Consider static IP addresses instead of DHCP, so an intruder is not simply handed an address (a minor obstacle, since valid addresses can be sniffed)
   - Use third-party software for additional security: authentication, VPN encryption
   - Use personal firewall and anti-malware software on your wireless client systems
   - Install the latest security patches and firmware updates on your wireless equipment

74. Prevention
   - Do regular audits of deployed wireless equipment
   - Perform regular sweeps for unauthorized wireless equipment
   - Perform regular penetration tests against your whole infrastructure, including the wireless segments (alternative: concentrate on the perimeter and the wireless segments)

75. Identification
   - Deploy wireless IDS sensors
   - Identify your signal range: clients with antennas can pick up your signal further away than those without
   - Periodically scan your facility for rogue access points using the same software attackers use
   - Check your internal logs for anomalies concerning MAC addresses

76. Response
   - Have an adequate response plan in place to deal with malicious activity
   - Have the ability to log the activity of a malicious user to aid in prosecution
   - Have the ability to control and reconfigure your access points on the fly

77. Countermeasures - Antenna Signal
   - Proper selection of antenna (directional, parabolic, etc.) to shape coverage
   - Attenuate the signal by reducing transmitter power if possible
   - Ground interior walls (if of metal construction)
   - Thermally insulate exterior glass using metallic window treatments
   - Smart positioning of APs
   - Line closets housing the AP with aluminum foil
   - Use of metallic paints (extreme)

78. Countermeasures - SSID
   - Turn off SSID broadcasting at the AP if possible (not all AP vendors allow this)
   - Understand that SSIDs provide zero security
   - Avoid using an SSID that gives away information about your network ("TaxNet1" or "Kennedy:Mailroom")

79. Countermeasures - MAC ACL
   - Do not depend on MAC-layer filtering as your only security solution for providing secure AP access
   - Use intrusion detection systems (IDS) to alert you when an excessive number of unsolicited ARP replies is detected on the network
   - Use the tool "arpwatch": it provides e-mail notification when IP-to-MAC bindings change.

80. Countermeasures - WEP
   - Proprietary solutions from several vendors (Cisco, Enterasys, Avaya, etc.) incorporate dynamic key management into their products. Be careful not to commit yourself to a single vendor-specific solution.
   - Use IPsec VPN software
   - Use EAP/802.1X (Extensible Authentication Protocol) to provide centralized authentication (RADIUS, etc.) and dynamic key distribution

81. Countermeasures - User Access Control
   - Use multiple APs to reach different segments of the network, each with a unique SSID.
   - Use a third-party VPN solution to connect users to the appropriate network segment.
     - This can be done through a single AP for all users. Each user is routed internally to the appropriate VPN endpoint within the corporate network.

82. Countermeasures - Access Point (AP)
   - Update your corporate policy to prohibit the installation of an AP without the approval of internal security or the IT department
   - Always place APs outside the firewall, inside a DMZ, or within a sandbox network.
   - Disable unused ports on the internal switches until needed (especially in conference rooms)
   - Monitor any new MAC addresses discovered on the internal network ("arpwatch")
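The two checks that slides 79 and 82 ask for, as an added example (this is not arpwatch itself): run over a constructed log of ARP traffic seen on the wired side of the AP, it reports IP-to-MAC binding changes ("flip-flops", the signature of ARP cache poisoning from slide 67), the first sighting of a MAC (a new station or a rogue AP on an internal jack), and a burst of ARP replies from one station. The timestamps and addresses in SAMPLE_ARP_LOG are made up; the thresholds are assumptions to tune for your network.

```python
from collections import defaultdict, deque
from datetime import datetime

# Added example (not arpwatch itself): binding-change, new-station and
# reply-burst detection over a constructed ARP log. Addresses are made up.
# Columns: timestamp, ARP opcode, sender IP, sender MAC.
SAMPLE_ARP_LOG = """\
2005-08-19T12:00:01 reply   10.1.1.1   00:0c:29:aa:bb:01
2005-08-19T12:00:05 request 10.1.1.20  00:0c:29:aa:bb:20
2005-08-19T12:00:09 reply   10.1.1.1   00:0c:29:aa:bb:01
2005-08-19T12:00:30 request 10.1.1.31  00:0c:29:aa:bb:31
2005-08-19T12:01:10 reply   10.1.1.1   00:11:22:33:44:55   # a new station claims the gateway IP
2005-08-19T12:01:11 reply   10.1.1.1   00:11:22:33:44:55
2005-08-19T12:01:12 reply   10.1.1.1   00:11:22:33:44:55
2005-08-19T12:01:13 reply   10.1.1.1   00:11:22:33:44:55
2005-08-19T12:01:14 reply   10.1.1.1   00:11:22:33:44:55
2005-08-19T12:01:15 reply   10.1.1.1   00:11:22:33:44:55
2005-08-19T12:02:00 reply   10.1.1.1   00:0c:29:aa:bb:01   # the real gateway answers again
"""


def parse_arp_log(text: str):
    """Return (timestamp, opcode, ip, mac) tuples; '#' starts a comment."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, op, ip, mac = line.split()
        records.append((datetime.fromisoformat(ts), op, ip, mac.lower()))
    return records


class ArpMonitor:
    """Stateful ARP monitor. storm_threshold replies from one MAC inside
    storm_window seconds is reported once, when the threshold is reached."""

    def __init__(self, storm_threshold: int = 5, storm_window: int = 10):
        self.bindings = {}                       # ip -> mac last seen claiming it
        self.known_macs = set()
        self.reply_times = defaultdict(deque)    # mac -> recent reply timestamps
        self.storm_threshold = storm_threshold
        self.storm_window = storm_window

    def observe(self, ts, op, ip, mac):
        alerts = []
        if mac not in self.known_macs:           # slide 82: watch for new MACs
            self.known_macs.add(mac)
            alerts.append(("new_station", f"{mac} first seen ({ip})"))
        prev = self.bindings.get(ip)
        if prev is not None and prev != mac:     # slide 79: binding changed
            alerts.append(("flip_flop", f"{ip} moved from {prev} to {mac}"))
        self.bindings[ip] = mac
        if op == "reply":                        # slide 79: excessive replies
            recent = self.reply_times[mac]
            recent.append(ts)
            while recent and (ts - recent[0]).total_seconds() > self.storm_window:
                recent.popleft()
            if len(recent) == self.storm_threshold:
                alerts.append(("reply_storm",
                               f"{mac}: {len(recent)} replies in {self.storm_window}s"))
        return alerts

    def run(self, records):
        alerts = []
        for record in records:
            alerts.extend(self.observe(*record))
        return alerts


if __name__ == "__main__":
    for kind, detail in ArpMonitor().run(parse_arp_log(SAMPLE_ARP_LOG)):
        print(f"{kind:12s} {detail}")
```

Flip-flops also happen legitimately (a replaced NIC, a gateway failover, a DHCP lease moving to another host), so in production the detector needs a whitelist and a baseline period before its alerts are fed to the response plan on slide 76.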
83. Countermeasures - DoS
   - Shield the perimeter of your building
   - This will help in two ways:
     - Help contain your wireless signal within a defined perimeter
     - Reduce the risk of outside RF interference

84. Wireless can be Secure
   - Apply all security features of the products
   - Require authentication, authorization and encryption
   - Use the same well-known network security solutions as for wired networks, including:
     - Network segmentation
     - Personal firewalls
     - A well-defined, trainable and enforceable security policy
   - Perform wireless security monitoring

85. Putting it all together (diagram)
   - Wireless laptop computer running personal firewall and VPN client software
   - Wireless access point configured with WEP, MAC filtering and a unique SSID (with broadcasting disabled where possible)
   - Firewall between the wireless segment and the VPN gateway, passing only IPsec traffic: IP protocol 50 (ESP), IP protocol 51 (AH) and UDP port 500 (IKE)
   - VPN gateway and authentication server in front of the internal LAN
   - IDS on the wired side and WIDS sensors on the wireless side
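The firewall in the slide 85 diagram, as an added example (not a configuration from the presentation): an ordered rule list with first-match semantics and a default deny, exercised with a few packets and rendered as iptables commands. The address ranges are assumptions; the protocol numbers are the slide's own (IP protocol 50 = ESP, 51 = AH, UDP port 500 = IKE).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not a configuration from the presentation): a model of the
# firewall on slide 85 as an ordered rule list with first-match semantics and a
# default deny. Address ranges are assumptions; the protocols are the slide's.

WIRELESS_NET = ipaddress.ip_network("172.16.50.0/24")   # assumed wireless segment
VPN_GATEWAY = ipaddress.ip_network("10.0.1.10/32")      # assumed VPN gateway address
ANY = ipaddress.ip_network("0.0.0.0/0")

TCP, UDP, ESP, AH = 6, 17, 50, 51
PROTO_NAMES = {TCP: "tcp", UDP: "udp"}


@dataclass(frozen=True)
class Rule:
    action: str                          # "accept" or "drop"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int] = None          # None matches any IP protocol
    dport: Optional[int] = None          # None matches any port (TCP/UDP only)

    def matches(self, src, dst, proto, dport) -> bool:
        return (src in self.src and dst in self.dst
                and (self.proto is None or proto == self.proto)
                and (self.dport is None or dport == self.dport))


# Only IKE, ESP and AH may leave the wireless segment, and only towards the VPN
# gateway; the final rule drops everything else from that segment.
WIRELESS_POLICY = [
    Rule("accept", WIRELESS_NET, VPN_GATEWAY, UDP, 500),
    Rule("accept", WIRELESS_NET, VPN_GATEWAY, ESP),
    Rule("accept", WIRELESS_NET, VPN_GATEWAY, AH),
    Rule("drop", WIRELESS_NET, ANY),
]


def decide(policy, src: str, dst: str, proto: int, dport: Optional[int] = None) -> str:
    """First matching rule wins; a packet that no rule matches is dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if rule.matches(s, d, proto, dport):
            return rule.action
    return "drop"


def as_iptables(policy, chain: str = "FORWARD"):
    """Render the policy as iptables commands for the firewall host."""
    lines = []
    for r in policy:
        cmd = f"iptables -A {chain} -s {r.src} -d {r.dst}"
        if r.proto is not None:
            cmd += f" -p {PROTO_NAMES.get(r.proto, str(r.proto))}"
        if r.dport is not None:
            cmd += f" --dport {r.dport}"
        cmd += " -j " + ("ACCEPT" if r.action == "accept" else "DROP")
        lines.append(cmd)
    return lines


if __name__ == "__main__":
    print(decide(WIRELESS_POLICY, "172.16.50.7", "10.0.1.10", UDP, 500))   # accept
    print(decide(WIRELESS_POLICY, "172.16.50.7", "10.0.5.20", TCP, 445))   # drop
    print("\n".join(as_iptables(WIRELESS_POLICY)))
```

Two things a real ruleset needs that the diagram does not show: a stateful rule for return traffic from the gateway to the wireless segment, and UDP ports 67/68 if the wireless clients get addresses by DHCP from beyond the firewall rather than static addresses (slide 73). Both are assumptions about the deployment, not part of the slide.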
86. Questions?
