Annual Conference PCIE/ECIE Evaluating Wireless Networks Robert W. Cobb and Staff National Aeronautics and Space Administration IT Roundtable 25 March 2003

PCIE IT Roundtable Workshop

Annual Conference

PCIE/ECIE

Evaluating Wireless Networks

Robert W. Cobb and Staff

National Aeronautics and Space Administration

IT Roundtable

25 March 2003

Outline

• Introduction to wireless networks
• Threats and vulnerabilities
• Evaluating wireless networks
  • Objectives
  • Methodology
  • Tools
  • Findings
  • General recommendations
• Conclusion

Introduction to Wireless Networks

• Fastest-growing computer communications technology
• Agencies increasingly use wireless networks
  • Convenient
  • Flexible
  • Inexpensive
  • Easy to implement

Introduction to Wireless Networks (cont.)

• Uses radio waves instead of cables
• Consists of
  • Access Points
  • Wireless clients (e.g. laptops, PDAs)
  • Gateways to wired networks
• Major standard
  • Institute of Electrical and Electronics Engineers (IEEE) 802.11, Wireless Local Area Networks

Threats

• Disclosure of sensitive/confidential data
• Denial of service (DoS)
• Unauthorized access to wireless-enabled resources
• Potential weakening of existing security measures on connected wired networks and systems

Vulnerabilities

• Wired Equivalent Privacy (WEP) encryption standard extremely weak
• Radio signals susceptible to jamming and interference
• Protocol vulnerabilities allow
  • Network sessions to be taken over by an intruder
  • Injection of invalid data into network traffic
  • Network reconnaissance

Evaluating Wireless Networks

• Wireless networks are
  • Easy to implement
  • Difficult to secure
• Policies often have not been developed

Evaluation Objectives

• Assess the current Agency/Department position regarding wireless networks
• Examine the use of wireless technology
• Evaluate the security of wireless network applications including threats to
  • Data integrity
  • Confidentiality
  • Availability of services and resources
  • Security of wired networks
• Determine the level of staff awareness of wireless technology

Evaluation Methodology

• External scanning to illustrate the ease with which unauthorized persons could intercept wireless signals

• Internal scanning and physical inspection to verify the source of signals

• Traffic analysis to see if sensitive data is being transmitted, if transmissions are encrypted, and how vulnerable the networks are to attack

• Review network topologies to assess connectivity to wired networks and determine measures to protect wired networks

• Meet with wireless users and administrators to assess awareness, employee expertise, and strength of security measures

Evaluation Tools

• Hardware
  • Laptop
  • Wireless network card
  • Antenna
  • GPS
• Wireless sniffing software
• WEP encryption cracking software
• Mapping software

Evaluation Findings

• Wireless networks with inadequate security
• Ranges of wireless networks exceed physical boundaries of user organizations
• Non-existent or inadequate policies on wireless networks
• IT staff with inadequate enforcement authority over wireless networks
• Insufficient employee awareness on agency position over the use of wireless networks

Example: Many wireless networks do not use WEP or other encryption to protect network traffic.

[Figure legend: ▲ = access points using encryption; ▲ = access points without encryption]

Example: The radio signal from a wireless network can spill over from the building where access points are located to neighboring buildings, parking lots and public roads.

General Evaluation Recommendations

• Develop wireless network policies
• Perform risk assessments to determine required level of security
• Limit access to wireless networks through the use of Virtual Private Networks (VPN)
• Maintain logical separation between wireless and wired networks
• Monitor for wireless applications (i.e., actively enforce policies)
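
One way to carry out the monitoring recommended above, as an added example that is not part of the original slides: it reads the Privacy bit from captured 802.11 beacon frames and flags access points that advertise no encryption or are missing from an authorized inventory. The frames, BSSIDs, SSIDs and inventory are constructed sample data, `make_beacon` is a hypothetical helper, and frames are assumed to start at the 802.11 header (no capture header in front).

```python
import struct

PRIVACY = 0x0010  # Capability bit 4: some encryption required (WEP or stronger)

def parse_beacon(frame: bytes):
    """Return (bssid, ssid, encrypted) for an 802.11 beacon frame, else None."""
    # Frame Control byte 0: version (bits 0-1), type (2-3), subtype (4-7).
    if len(frame) < 36 or frame[0] & 0xFC != 0x80:
        return None  # too short, or not a management frame of subtype beacon
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    # Capability follows the 24-byte header, 8-byte timestamp, 2-byte interval.
    (capability,) = struct.unpack_from("<H", frame, 34)
    ssid, pos = "", 36
    while pos + 2 <= len(frame):  # walk tagged parameters: id, length, value
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + length]
        if tag == 0 and len(value) == length:  # complete SSID element
            ssid = value.decode("utf-8", "replace")
            break
        pos += 2 + length
    return bssid, ssid, bool(capability & PRIVACY)

def audit(frames, authorized):
    """Map BSSID -> (ssid, issues) for access points that violate policy."""
    findings = {}
    for bssid, ssid, encrypted in filter(None, map(parse_beacon, frames)):
        issues = []
        if bssid not in authorized:
            issues.append("not in authorized inventory")
        if not encrypted:
            issues.append("no encryption advertised")
        if issues:
            findings[bssid] = (ssid, issues)
    return findings

def make_beacon(bssid, ssid, capability):  # hypothetical helper for sample data
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, capability)
    return header + fixed + bytes([0, len(ssid)]) + ssid.encode()

# Constructed sample data: locally administered BSSIDs, made-up SSIDs.
AUTHORIZED = {"02:00:00:00:00:01", "02:00:00:00:00:02"}
SAMPLE = [make_beacon("02:00:00:00:00:01", "hq-wlan", 0x0011),
          make_beacon("02:00:00:00:00:02", "lab", 0x0001),
          make_beacon("02:00:00:00:00:03", "default", 0x0001),
          b"\x08\x00" + b"\x00" * 40]  # data frame, ignored by the audit

if __name__ == "__main__":
    print(audit(SAMPLE, AUTHORIZED))
```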

Conclusion

• Wireless network evaluations are easy to conduct using inexpensive or freely available tools.

• Evaluations are very necessary
  • Wireless networks are inexpensive, convenient, and simple to use – so people will use them.
  • BUT, wireless networks are vulnerable.

Contacts for Wireless Network Evaluations

Stephen Mullins

(916) 408-5573

Jamil Farshchi

(202) 358-1897
