PCIE IT Roundtable Workshop


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Based on evaluations by TIGTA and NASA OIG
  • Different standards use different frequencies 802.11b – oldest and most widely used 802.11a – newer, faster, shorter range 802.11g – combination (frequency of b, speed of a); not a standard yet but equipment supporting it is already available Bluetooth is another standard (not addressed in this presentation) Used for local device and file sharing Also has potential vulnerabilities Improper use or implementation could also lead to data disclosure, data corruption, denial of service OIGs may want to consider looking into the use and security of other wireless technologies as well
  • Example of an implementation of a wireless network Remote clients: computers, PDAs, etc. with wireless network cards Access point: price range $70 - $1000s; capabilities range from simple connection to different levels of authentication and access control; may or may not support encryption and virtual private networking Gateway to a wired network; could be the access point itself Wireless networks can be isolated and just connect a few wireless users to each other but often they will be connected to a wired network for further network (Internet or Intranet or both) access
  • dislosure: e.g. sending email from laptop could be intercepted or modified DoS: jamming or just interference (e.g. 802.11b uses 2.4GHz, same as microwave ovens) Unauthorized access: just turning your computer on (many new laptops come with wireless cards, on by default) makes you susceptible to hackers breaking into your computer over wireless Agencies spend lots of money and man hours to secure wired networks, hooking up one wireless network can negate all those security measures by opening an unsecured back door Last point – see next slide
  • If the wireless network is connected to a wired network, you have to look at how the networks are connected and if there is any kind of barrier/access control from the wireless network to the wired network. Wireless networks are often less secure than wired networks (or at least security has not been addressed yet) so you need to protect users, servers, data on the wired network from unauthorized access via the wireless network. A wired network often has a secured network perimeter (e.g. with firewalls) and if you put up a wireless network behind that perimeter, you create a potentially less secure back door into the wired network.
  • WEP is supposed to provide protection against data disclosure equivalent to that on a wired network but it doesn’t. With enough data going over a wireless network, an attacker could break WEP encryption in as little as 2 hours or less. Because wireless networks use radio signals that can be jammed with inexpensive equipment, they are very susceptible to denial of services (already talked about earlier)
  • “ Policies often have not been developed.” While this is true, it might be worth noting that some agencies have addressed the use of wireless, specifically the Department of Defense’s wireless restriction on classified information. And because of TIGTA review, the IRS has developed specific policies and guidance on restrictions over the use of wireless technology. (something about NASA Centers/Agency working on policies?) Remember to consult with your own legal Counsel prior to conducting any wireless scanning efforts. While OIGs are generally within their jurisdiction to conduct wireless scans, coordination with your Counsel staff will provide guidance on any agreements needed from the agency, agency personnel subject to scanning efforts (e.g., employees, contractors, and business partners), and legal aspects of intercepting and retaining wireless data packets
  • “Internal scanning to verify the source of signals.” In addition to internal scanning, physical search (i.e., walk through) will provide verification that the wireless equipment resides within the agency’s property. This will ensure the wireless signals you find are not coming from the office or building next door OIG may or may not be able to look at actual data being transmitted over wireless networks (legal issues, etc.). If you can, you can see if sensitive, proprietary or mission critical data is being sent, level of encryption, how easy to crack
  • Most if not all of these tools are readily available and cheap (or free) Laptop Network card: $40 - $150 Antenna (don’t absolutely need one because network cards pick up signals pretty well): $30 – unlimited (range extender, yagi, parabolic grid antenna – different ranges) GPS: $150 and up Sniffing software: used to pick up and identify access points, many are free from the Internet (e.g. Kismet, Netstumbler, Macstumbler) WEP cracking software: e.g. Airsnort, WEPcrack Mapping software: e.g. Mappoint, Stumbverter, Carte; used to map out signal strength and range; very useful for presenting your results, helps to convince management and users of the extent of the problem
  • Wireless networks are easy to install but more difficult to secure. Policies may not be in place yet. So users are putting up networks without help from and maybe without knowledge of IT staff  often security is inadequate NASA’s reviews found numerous unsecured wireless networks. Often the network identifier being sent out by access points was very descriptive of who owned the network, where access points were located, or what kind of hardware was being used. Even though wireless networks are already operational, policy development is lagging behind. Only now starting to enact policies. (e.g. scientists know enough to put up an access point because they want the convenience but they don’t have the time or knowledge to maintain and secure them) (e.g. found one organization that didn’t have a firewall between official wireless network and organizational wired network) TIGTA review identified an unauthorized wireless network that was both unsecured and connected back to the IRS’ internal network. In addition, they found a lack of employee awareness on the agency’s position over the use of wireless networks By their very nature, wireless signals will usually exceed physical boundaries of the organization. The challenge is trying to eliminate the use of unknown wireless networks, limit sensitive data from traversing the wireless network, and control/protect connectivity to the agency’s internal network.
  • PCIE IT Roundtable Workshop

    1. 1. Evaluating Wireless Networks Robert W. Cobb and Staff National Aeronautics and Space Administration IT Roundtable 25 March 2003
    2. 2. Outline <ul><li>Introduction to wireless networks </li></ul><ul><li>Threats and vulnerabilities </li></ul><ul><li>Evaluating wireless networks </li></ul><ul><ul><li>Objectives </li></ul></ul><ul><ul><li>Methodology </li></ul></ul><ul><ul><li>Tools </li></ul></ul><ul><ul><li>Findings </li></ul></ul><ul><ul><li>General recommendations </li></ul></ul><ul><li>Conclusion </li></ul>
    3. 3. Introduction to Wireless Networks <ul><li>Fastest-growing computer communications technology </li></ul><ul><li>Agencies increasingly use wireless networks </li></ul><ul><ul><li>Convenient </li></ul></ul><ul><ul><li>Flexible </li></ul></ul><ul><ul><li>Inexpensive </li></ul></ul><ul><ul><li>Easy to implement </li></ul></ul>
    4. 4. Introduction to Wireless Networks (cont.) <ul><li>Uses radio waves instead of cables </li></ul><ul><li>Consists of </li></ul><ul><ul><li>Access Points </li></ul></ul><ul><ul><li>Wireless clients (e.g. laptops, PDAs) </li></ul></ul><ul><ul><li>Gateways to wired networks </li></ul></ul><ul><li>Major standard </li></ul><ul><ul><li>Institute of Electrical and Electronic Engineers (IEEE) 802.11, Wireless Local Area Networks </li></ul></ul>
    5. 6. Threats <ul><li>Disclosure of sensitive/confidential data </li></ul><ul><li>Denial of service (DoS) </li></ul><ul><li>Unauthorized access to wireless-enabled resources </li></ul><ul><li>Potential weakening of existing security measures on connected wired networks and systems </li></ul>
    6. 8. Vulnerabilities <ul><li>Wired Equivalent Privacy (WEP) encryption standard extremely weak </li></ul><ul><li>Radio signals susceptible to jamming and interference </li></ul><ul><li>Protocol vulnerabilities allow </li></ul><ul><ul><li>Network sessions to be taken over by an intruder </li></ul></ul><ul><ul><li>Injection of invalid data into network traffic </li></ul></ul><ul><ul><li>Network reconnaissance </li></ul></ul>
    7. 9. Evaluating Wireless Networks <ul><li>Wireless networks are </li></ul><ul><ul><li>Easy to implement </li></ul></ul><ul><ul><li>Difficult to secure </li></ul></ul><ul><li>Policies often have not been developed </li></ul>
    8. 10. Evaluation Objectives <ul><li>Assess the current Agency/Department position regarding wireless networks </li></ul><ul><li>Examine the use of wireless technology </li></ul><ul><li>Evaluate the security of wireless network applications including threats to </li></ul><ul><ul><li>Data integrity </li></ul></ul><ul><ul><li>Confidentiality </li></ul></ul><ul><ul><li>Availability of services and resources </li></ul></ul><ul><ul><li>Security of wired networks </li></ul></ul><ul><li>Determine the level of staff awareness of wireless technology </li></ul>
    9. 11. Evaluation Methodology <ul><li>External scanning to illustrate the ease with which unauthorized persons could intercept wireless signals </li></ul><ul><li>Internal scanning and physical inspection to verify the source of signals </li></ul><ul><li>Traffic analysis to see if sensitive data is being transmitted, if transmissions are encrypted, and how vulnerable the networks are to attack </li></ul><ul><li>Review network topologies to assess connectivity to wired networks and determine measures to protect wired networks </li></ul><ul><li>Meet with wireless users and administrators to assess awareness, employee expertise, and strength of security measures </li></ul>
    10. 12. Evaluation Tools <ul><li>Hardware </li></ul><ul><ul><li>Laptop </li></ul></ul><ul><ul><li>Wireless network card </li></ul></ul><ul><ul><li>Antenna </li></ul></ul><ul><ul><li>GPS </li></ul></ul><ul><li>Wireless sniffing software </li></ul><ul><li>WEP encryption cracking software </li></ul><ul><li>Mapping software </li></ul>
    11. 13. Evaluation Findings <ul><li>Wireless networks with inadequate security </li></ul><ul><li>Ranges of wireless networks exceed physical boundaries of user organizations </li></ul><ul><li>Non-existent or inadequate policies on wireless networks </li></ul><ul><li>IT staff with inadequate enforcement authority over wireless networks </li></ul><ul><li>Insufficient employee awareness on agency position over the use of wireless networks </li></ul>
    12. 14. Example: Many wireless networks do not use WEP or other encryption to protect network traffic. ▲ = Access points using encryption ▲ = Access points without encryption
    13. 15. Example: The radio signal from a wireless network can spill over from the building where access points are located to neighboring buildings, parking lots and public roads.
    14. 16. General Evaluation Recommendations <ul><li>Develop wireless network policies </li></ul><ul><li>Perform risk assessments to determine required level of security </li></ul><ul><li>Limit access to wireless networks through the use of Virtual Private Networks (VPN) </li></ul><ul><li>Maintain logical separation between wireless and wired networks </li></ul><ul><li>Monitor for wireless applications (i.e., actively enforce policies) </li></ul>
    15. 17. Conclusion <ul><li>Wireless network evaluations are easy to conduct using inexpensive or freely available tools. </li></ul><ul><li>Evaluations are very necessary </li></ul><ul><ul><li>Wireless networks are inexpensive, convenient, and simple to use – so people will use them. </li></ul></ul><ul><ul><li>BUT, wireless networks are vulnerable. </li></ul></ul>
    16. 18. Contacts for Wireless Network Evaluations <ul><li>Stephen Mullins </li></ul><ul><li>(916) 408-5573 </li></ul><ul><li>[email_address] </li></ul><ul><li>Jamil Farshchi </li></ul><ul><li>(202) 358-1897 </li></ul><ul><li>[email_address] </li></ul>