
1 NETW 05A: APPLIED WIRELESS SECURITY
Functional Policy: Guidelines & Baselines
By Mohammad Shanehsaz

This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect those of the National Science Foundation.

2 Objectives
Explain the purpose and goals of the following wireless LAN security policies:
- Password policy
- User training
- Ongoing review (auditing)
- Acceptable use & abuse policy
- Consistent implementation procedure
- Centralized implementation and management guidelines and procedures

3 Objectives
- Explain necessary items to include in the creation and maintenance of a wireless LAN security checklist
- Describe and recognize the importance of asset management and inventory procedures for wireless LANs
- Explain the importance of including wireless LANs in existing change management programs

4 Functional policy
- Policy Essentials
- General Guidelines
- Baseline practices

5 Policy Essentials
Every security policy should cover the following topics:
- Password policies
- Networking staff and end user training requirements
- Acceptable use
- Consistent implementation / staging procedures
- Readily available implementation and management procedures
- Regular audits and penetration tests by independent professionals

6 Password policies
Passwords are the most widely used method of authentication and authorization; however, there are a number of ways to compromise them, such as:
- Eavesdropping
- Dictionary attack against a network authentication server
- Borrowing a user's password
- Easy-to-guess passwords
- Getting them from users who leave them out in the open (the sticky note approach)

7 Practicing good password procedures
- Use a password that is mixed case, has punctuation, and uses both alphabetic and numeric characters
- Use something that can be remembered without being written down
- Force periodic password changes
- Lock out accounts after 5 unsuccessful login attempts
- Make sure all passwords are at least 8 characters in length
- Do not allow passwords to be reused
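
The rules on this slide, written as checks (an added example, not part of the original presentation). The `Account` class, its method names and the PBKDF2 history store are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8      # slide: at least 8 characters
MAX_FAILURES = 5    # slide: lock out after 5 unsuccessful login attempts


def complexity_problems(password):
    """Return the slide's composition rules that the candidate breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("not mixed case")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    return problems


def _digest(password, salt):
    # Salted, slow hash so the reuse history never stores plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Hypothetical account record enforcing reuse and lockout rules."""

    def __init__(self):
        self.history = []    # (salt, digest) for every password ever set
        self.failures = 0
        self.locked = False

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(_digest(password, salt), digest)

    def set_password(self, password):
        """Store the password if it passes; return the list of problems."""
        problems = complexity_problems(password)
        if any(self._matches(password, e) for e in self.history):
            problems.append("password reused")
        if not problems:
            salt = os.urandom(16)
            self.history.append((salt, _digest(password, salt)))
        return problems

    def login(self, password):
        """Check against the current password, counting failures."""
        if self.locked or not self.history:
            return False
        if self._matches(password, self.history[-1]):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True   # stays locked until an administrator resets it
        return False
```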

8 Networking staff and end user training
Network staff responsible for wireless LAN security need to understand many subject areas, including intrusion techniques, wireless security policy, and solutions, in addition to having a solid grasp of basic wireless LAN functionality and technology.
End users must have adequate training in order to properly implement security controls on their computers, and must understand that it only takes one person not following policy to create a large security hole that can be exploited by an attacker.

9 Acceptable use
Wireless LANs are a half-duplex medium; therefore bandwidth-intensive applications such as FTP, peer-to-peer file sharing, and streaming video should only be performed over the wired LAN. Otherwise they may cause a denial of service (DoS) on APs with many stations.
To prevent this, there should be a section in the policy regarding acceptable use of the wireless LAN that defines which scenarios constitute proper use as well as abuse.

10 Consistent implementation / staging procedures
It is common for a network administrator to place a wireless LAN infrastructure device onto the network without having first staged and configured the device to meet the organization's security policy, which is in effect like placing a rogue AP on the network.
To battle this problem, guidelines on how and when to stage and install devices should be part of the functional policy.

11 Readily available implementation and management procedures
It is important that network administrators have the information provided by the company security policy readily available so that they can verify procedural steps while performing their daily tasks.

12 Regular audits and penetration tests by independent professionals
- In order to find security holes, internal and external audits are a necessary part of wireless network security
- Internal audits will usually find most policy violations, but finding holes in the security solution will usually require employing an independent wireless security professional
- It should be done unannounced

13 General Guidelines
Wireless network segments should always be treated as an unsecured means of data transit.
Follow these rules when passing data wirelessly:
- Encrypt email
- Use HTTPS for web logins where possible
- Use SSH2 instead of telnet where possible
- Use secure FTP (SSH2 or SSL) for file transfers
- Verify the latest operating system updates or service packs are installed

14 Security checklist
It is advisable to make security checklists for use by network administrators that include the following items:
- Access point and bridge configuration settings
- Client-side software installation and settings
- Physical security when mounting access points and bridges
- End user security solution training

15 Available Network Resources
Since wireless LANs present a security risk, that added risk may be significantly reduced by eliminating the availability of certain services to the wireless segment.

16 Asset Management
Since enterprise-class wireless LAN hardware can be quite expensive, and since much of it is very small and lightweight, this equipment can be easily stolen if not secured.
For this reason it is necessary to record all the wireless hardware for periodic inventory, and employees should be required to sign for the hardware they receive.

17 Periodic Inventory
It is good practice to periodically check infrastructure devices to make sure they are both present and the correct unit.
In large organizations, this type of inventory might be impossible, so other solutions might have to be implemented.

18 Change Management
Wireless LANs should be a part of the existing corporate change management procedures. There are two things to consider:
- First, the security policy itself should be periodically evaluated for relevance and modified when necessary
- Second, once a secure wireless LAN is in place, any changes to it should be documented and approved by corporate authorities

19 Spot-checks & Accountability
Some of the most effective methods for ensuring properly implemented wireless LAN security may include:
- Thoroughly training end users
- Spot checking for internal policy adherence
- Tying adherence and enforcement of policy to departmental compensation

20 Baseline practices
- SSIDs
- MAC filters
- Static WEP
- Default Configuration settings
- Firmware Upgrades
- Rogue Equipment
- Outdoor Bridge Security
- RF Cell Sizing
- SNMP Community Strings

21 Baseline practices (continued)
- Discovery protocols
- Remote Configuration
- Client Security
- IP Services
- Switches vs. Hubs
- Staging and Testing
- Equipment Installation

22 SSIDs
The default SSID should be changed on all access points to something cryptic, and not something that could be used to determine the company to whom the AP belongs.
By default an AP broadcasts its SSID; not broadcasting SSIDs in beacons ("closing the system") prevents intruders from passively locating the network.

23 MAC Filters
MAC address filtering is another method by which the IEEE 802.11 task group attempted to secure wireless networks; traffic is allowed or denied based on MAC address.
It is both simple and common for a hacker to spoof the MAC address of another NIC.

24 Using Static WEP
Static WEP may be appropriate for a SOHO environment, but not for an enterprise WLAN.
When implemented, the largest key size available that is supported by the hardware should be used.
When static WEP is used, strong keys should be created that are unrelated to the following:
- Organization's name, address, or phone number
- Wireless LAN's SSID
- Access points' or bridges' model number(s) or manufacturer's name
- Manufacturer default WEP keys

25 Default Configuration settings
The default configuration settings on all APs should be changed, since an infrastructure reconfiguration attack can occur if an attacker obtains management access.
To prevent this attack, the default username and password should be changed on all infrastructure devices.

26 Firmware Upgrades
Firmware upgrades can provide new security functionality as well as bug fixes or security patches.
Firmware should be upgraded for the following devices:
- Access points
- Wireless bridges
- Client devices
- Client or workgroup bridges
- Enterprise wireless gateways
- Enterprise encryption gateways

27 Firmware Upgrades
It is a good practice to test end-to-end functionality in a lab environment prior to rolling it out enterprise-wide.
Firmware upgrades are suggested in order to gain the following features:
- TKIP (or similar key rotation protocol) support
- Kerberos support
- 802.1X/EAP (-TLS, -TTLS, -LEAP, -PEAP) support
- WPA compliance
- Advanced Encryption Standard (AES) support
- VPN support
- Rogue access point detection
- RADIUS or LDAP support
- Role-based access control

28 Rogue Equipment
Anytime rogue equipment is present in a network, the incident should be considered a serious breach of network security.
Eliminating rogue wireless equipment is a multi-step process which includes:
- Setting corporate policy regarding rogue equipment
- Network administrator training
- Help desk & end user training
- Intrusion detection systems & audits

29 Outdoor Bridge security
- Outdoor WLAN bridge links may often span miles; this can allow an intruder the opportunity to remain undiscovered
- Bridges may act as both a bridge and an access point simultaneously; if possible, client connectivity at the bridge should be disabled
- Clear text transmission should not be allowed to pass between bridges at any time
- Wireless bridge installation can be compromised through rogue bridges

30 Outdoor Bridge security
Wireless bridge installation can be compromised through rogue bridges, which can be placed onto the network at a range of several miles.
To overcome this, good security must be chosen and implemented.

31 RF Cell Sizing
- Accurate cell sizing can aid in preventing war drivers from being able to locate your network
- You can limit cell size by reducing the output power of the access points and antennas
- After WLAN configuration, the administrator should attempt a footprint analysis to determine how easily the network can be targeted using omni and directional antennas

32 SNMP Community Strings
- SNMP community strings should be changed or disabled, because default read and write passwords are clearly documented in users' manuals
- Disable SNMP access if it will not be used; if it is used, set the read and write community strings to complex, non-default values that are not related to the network's SSID, WEP, or organizational information
- Disable SNMP access from outside by using ACL or firewall filtering

33 Discovery Protocols
When discovery protocols (such as CDP) are not in use, they should be disabled.

34 Remote configuration
If manufacturer feature sets allow for it, configure APs and bridges so that they cannot be configured over the wireless network segment unless the wireless link is encrypted, to prevent compromising authentication information.

35 Client Security
- Wireless security policy should limit any sensitive data on the client machines that could damage the organization
- Shared folders should be limited or even prohibited on wireless client machines
- Using corporate PCs without protection on public access wireless networks is prohibited
- There are many tools, such as personal firewalls and VPN technologies such as IPSec, that can be used to protect wireless clients
- Make sure that clients don't use unsecured wireless APs to VPN to the corporate network

36 IP Services
- The first step in securing IP services is to heighten general awareness of the possibility of rogue IP services such as DHCP servers
- Use data-link security mechanisms such as an 802.1X/EAP solution to authenticate users prior to their receiving an IP address
- Earmarking IP ranges for the WLAN segment is another way to speed location of a hacker and to ease network management

37 Switches vs. Hubs
Using switches to connect to the wired segment has the following benefits:
- Support for security and network management tools such as VLANs
- Support for 802.1q VLAN tagging
- SSIDs are tied to VLANs as a means of logically separating groups of wireless users
- Allows for segmented network design and secure management over a particular VLAN
- Allows for full-duplex connectivity
Hubs broadcast every frame to all ports, so a hacker can see all the traffic.

38 Staging and Testing
Staging and testing should occur prior to deployment; wireless infrastructure devices should be staged and configured in an isolated environment for a secure deployment.
Administrators should use approved security configuration checklists to ensure that no security holes are created by failing to follow configuration procedures.
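
A staging checklist of this kind can be automated. The sketch below is an added example, not part of the original presentation; it audits one device against the baseline slides on SSIDs, static WEP, default configuration, SNMP community strings, discovery protocols and remote configuration. The config keys, the default-value lists and both sample devices are constructed for illustration and do not follow any vendor's format.

```python
# Added example: config keys, default lists and sample values are constructed,
# not any vendor's real format.
DEFAULT_SSIDS = {"default", "linksys", "tsunami", "netgear"}    # sample list
DEFAULT_COMMUNITIES = {"public", "private"}
DEFAULT_LOGINS = {("admin", "admin"), ("admin", "password"), ("admin", "")}


def related(secret, facts):
    """True if any identifying fact appears inside the secret."""
    norm = lambda s: "".join(ch for ch in s.lower() if ch.isalnum())
    return any(len(norm(f)) >= 3 and norm(f) in norm(secret) for f in facts)


def audit_ap(cfg, org):
    """Return baseline findings for one staged access point or bridge."""
    out = []
    hw_org = [org["name"], org["phone"], cfg["model"], cfg["manufacturer"]]

    if cfg["ssid"].lower() in DEFAULT_SSIDS:
        out.append("ssid: vendor default")
    if related(cfg["ssid"], [org["name"]]):
        out.append("ssid: identifies the organization")
    if cfg["broadcast_ssid"]:
        out.append("ssid: broadcast in beacons")

    wep = cfg.get("static_wep")
    if wep:
        if wep["key_bits"] < cfg["max_wep_bits"]:
            out.append("wep: not the largest supported key size")
        if related(wep["key"], hw_org + [cfg["ssid"]]):
            out.append("wep: key related to organization, SSID or hardware")
        if wep["key"] in cfg.get("vendor_default_wep_keys", []):
            out.append("wep: manufacturer default key")

    if (cfg["admin_user"], cfg["admin_password"]) in DEFAULT_LOGINS:
        out.append("management: default username and password")

    snmp = cfg["snmp"]
    if snmp["enabled"]:
        facts = [cfg["ssid"], org["name"]] + ([wep["key"]] if wep else [])
        for role in ("read", "write"):
            if snmp[role].lower() in DEFAULT_COMMUNITIES:
                out.append(f"snmp: default {role} community")
            elif related(snmp[role], facts):
                out.append(f"snmp: {role} community related to SSID, WEP or organization")
        if not snmp["acl_blocks_outside"]:
            out.append("snmp: reachable from outside (no ACL or firewall filter)")

    if cfg["cdp_enabled"] and not cfg["cdp_in_use"]:
        out.append("discovery: CDP enabled but not in use")
    if cfg["manage_over_wireless"] and not cfg["wireless_link_encrypted"]:
        out.append("management: configurable over unencrypted wireless")
    return out


ORG = {"name": "Example Corp", "phone": "555-0100"}             # constructed
FACTORY_FRESH = {                                               # constructed
    "model": "AP-1000X", "manufacturer": "ExampleVendor",
    "ssid": "tsunami", "broadcast_ssid": True, "max_wep_bits": 128,
    "static_wep": {"key": "0000000000", "key_bits": 64},
    "vendor_default_wep_keys": ["0000000000"],
    "admin_user": "admin", "admin_password": "admin",
    "snmp": {"enabled": True, "read": "public", "write": "private",
             "acl_blocks_outside": False},
    "cdp_enabled": True, "cdp_in_use": False,
    "manage_over_wireless": True, "wireless_link_encrypted": False,
}
STAGED = dict(                                                  # constructed
    FACTORY_FRESH, ssid="zq4-1f7k", broadcast_ssid=False, static_wep=None,
    admin_user="netops7", admin_password="constructed-Passw0rd!",
    snmp={"enabled": False}, cdp_enabled=False, manage_over_wireless=False,
)

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY_FRESH), ("staged", STAGED)):
        print(name, audit_ap(cfg, ORG))
```

An empty findings list is the release condition for moving a device out of the isolated staging environment.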

39 Equipment Installation
To prevent theft of wireless network equipment, devices should be:
- Mounted out of reach
- Bolted down or secured in locked steel boxes
- Kept out of plain sight

40 Summary
- Guidelines and baselines of the functional policy were discussed
- Policy covers password policies, training, usage, implementation and staging, procedures and audits
- General guidelines cover the security checklist, available network resources, asset management, change management, and spot-checks and accountability

41 Summary
Baseline practices consist of several strategic areas, such as basic SSID changes, MAC filtering inadequacies, WEP versus EAP/802.1X solutions, detecting rogue equipment, and wireless bridge security, that must be considered when implementing wireless LANs.

42 Resources
CWSP Certified Wireless Security Professional, from McGraw-Hill

