Agenda 10:00 11:00 Securing wireless networks 11:00 11:15 Break 11:15 12:00Patch Management in the Enterprise 12:00 1:00 Lunch 1:00 2:30 Network Isolation using IPSec and Group Policies 2:30 2:15Break 2:15 3:30Detecting the Hacker 3:30 Q&A
Wireless LAN Security Paul Hogan Ward Solutions
Session Prerequisites Hands-on experience with Windows 2000 or Windows Server 2003 Working knowledge of networking, including basics of security Basic knowledge of WLANS Level 300
This sessions are about… …about operational security The easy way is not always the secure way Networks are usually designed in particular ways In many cases, these practices simplify attacks In some cases these practices enable attacks In order to avoid these practices it helps to understand how an attacker can use them
This sessions are NOT … a hacking tutorial Hacking networks you own can be enlightening HACKING NETWORKS YOU DO NOT OWN IS ILLEGAL …demonstrating vulnerabilities in Windows Everything we show stems from operational security or custom applications Knowing how Windows operates is critical to avoiding problems …for the faint of heart
The Sessions
The Network
Why Does Network Security Fail? Network security fails in several common areas, including: Human awareness Policy factors Hardware or software misconfigurations Poor assumptions Ignorance Failure to stay up-to-date Human awareness Policy factors Hardware or software misconfigurations Poor assumptions Ignorance Failure to stay up-to-date
Session Agenda WLANs and WLAN issues WLAN Deployment models Out-of-box Block SSID / MAC address filtering WEP WPA (WPA-PSK) WLAN and Windows Server 2003
Wireless LAN – Good News “Cheap, easy to deploy, high performance radio based technology that does not respect the physical parameters of a building”.
Wireless LAN – Bad News “Cheap, easy to deploy, high performance radio based technology that does not respect the physical parameters of a building”.
Wireless LAN By 2006, 60% of Fortune 1000 companies will be deploying wireless networks By 2010, the majority of Fortune 2000 companies will be heavily dependent on wireless networks. Gartner Group 2003
Wireless Network And Now a Warning….. Corporations turning to wireless, for operational flexibility without considering the security issues, may be carelessly sacrificing the integrity of their systems …
Lets go for a drive “Drive by hacking” Ward Solutions independent analysis Completely non obtrusive Tools Laptop WiFi PCM network card Orinoco driver Netstumbler software Results 65 % Networks not encrypted 55 % NO access controls 45 % Broadcasting network name
What can be done Interception Monitoring Insertion Packet Analysis Broadcast Monitoring Access Point Cloning Jamming Denial of Service Brute Force Reconfiguration
WLAN Deployment: Toaster Install Out of Box Connected to Network Default SSID No Security configurations Could this be happening to you
WLAN Deployment: SSID / Mac Filtering So I blocked SSID and have MAC locking Limitations of MAC Address Filtering Scalability - Must be administered and propagated to all APs. List may have a size limit. No way to associate a MAC to a username. User could neglect to report a lost card. Attacker could spoof an allowed MAC address. SSIDs can be determined even if blocked
Limitations of Wired Equivalent Privacy ( WEP) WEP is inherently weak to due poor key exchange. WEP keys are not dynamically changed and therefore vulnerable to attack. No method for provisioning WEP keys to clients. Generations of WEP APs that filter weak IVs Change keys frequently WEP Cracking tools Airsnort Dwepcrack Aircrack + aireplay + WLAN Deployment: WEP
VPN Connectivity PPTP L2TP Third Party IPSec Many vendors Password-based Layer 2 Authentication Cisco LEAP RSA/Secure ID IEEE 802.1x PEAP/MSCHAP v2 Certificate-based Layer 2 Authentication IEEE 802.1x EAP/TLS Possible Solutions
WLAN Security Type Security Level Ease of Deployment Usability and Integration IEEE LowHigh VPNMedium Low Password-basedMedium High IPSecHighLow IEEE 802.1x TLSHighLowHigh WLAN Security Comparisons
Defines port-based access control mechanism Works on anything, wired and wireless Access point must support 802.1X No special encryption key requirements Allows choice of authentication methods using EAP Chosen by peers at authentication time Access point doesn’t care about EAP methods Manages keys automatically No need to preprogram wireless encryption keys 802.1X
A specification of standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for existing and future wireless LAN systems Goals Enhanced Data Encryption (TKIP) Provide user authentication (802.1x) Be forward compatible with (802.11i) Provide non-RADIUS solution for Small/Home offices WPA- PSK Typically a software upgrade and Wi-Fi Alliance began certification testing for interoperability on Wi-Fi Protected Access products in February 2003 WPA2 Wi-Fi Protected Access (WPA)
WEPs IV only 24 bits and so are repeated every few hours WPA increased IV to 24 bits repeated 900 years WPA alters values acceptable as IVs Protects against forgery and replay attacks IV formed MAC address TSC TKIP: New password generated every 10,000 packets WPA-PSK Passphrase WPA 802.ii1 recommend 20-character password Crack is brute force based Wi-Fi Protected Access (WPA)
802.1x and PEAP
WLAN X using EAP/TLS Domain Controller DHCP Exchange File Server Certification Authority RADIUS (IAS) Server Certificate Laptop Domain User/Machine Certificate EAP Connection 1, 2, 6 3, 5, 7 4
Best Practices Use 802.1x authentication Organize wireless users and computers into groups Apply wireless access policies using Group Policy Use EAP/TLS and 128 bit WEP – 802.1x PEAP Set clients to force user authentication as well as machine authentication Develop a method to manage rogue APs such as LAN based 802.1x authentication and wireless sniffers. Microsoft Securing a wireless LAN Security Strategy Securing wireless LANs with PEAP and Passwords
Questions and Answers