Wireless Network Security


Why wireless?

Wifi, which is short for wireless fi … something, allows your computer to connect to the Internet using magic.

-Motel 6 commercial


… but it comes at a price

Wireless networks present security risks far above and beyond traditional wired networks

Rogue access points

Evil twins

Packet-based DoS

Spectrum DoS

Eavesdropping

Traffic cracking

Compromised clients

MAC spoofing

Ad-hoc networks

Man-in-the-middle

Grizzly bears

ARP poisoning

DHCP spoofing

War driving

IP leakage

Wired/wireless bridging


Today’s wireless network


Agenda


Wireless Networks and Security

Attacking and defending WEP

Attacking and defending WPA/WPA2

Common defense techniques

Summary

Wireless Networks and Security


1) What are Wireless Networks?

• A wireless network is the way that a computer is connected to a router without a physical link.

2) Why do we need them?

• Facilitates mobility – You can use lengthy wires instead, but someone might trip over them.

3) Why security?

• An attacker may hack a victim’s personal computer and steal private data, or may perform illegal activities or crimes using the victim’s machine and ID. It is also possible to read wirelessly transferred data (by using sniffers).

Wireless Security Methods


Three security approaches:

1. WEP (Wired Equivalent Privacy)

2. WPA (Wi-Fi Protected Access)

3. WPA2 (Wi-Fi Protected Access, Version 2)

WPA also has two generations named Enterprise and Personal.

WEP (Wired Equivalent Privacy)


Encryption:

40 / 64 bits

104 / 128 bits

24 bits are used for IV (Initialization vector)

Passphrase:

Key 1-4

Each WEP key can consist of the letters "A" through "F" and the numbers "0" through "9". It should be 10 hex or 5 ASCII characters in length for 40/64-bit encryption and 26 hex or 13 ASCII characters in length for 104/128-bit encryption.
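The key formats above can be checked mechanically. The following is an added example, not part of the original slides: it classifies a WEP key string by the lengths given on this slide and estimates how quickly the 24-bit IV repeats, which is the same for both key sizes. The function names and sample keys are constructed for illustration, and the IV estimate assumes IVs are chosen uniformly at random.

```python
import math
import string

# Lengths from the slide: characters typed -> (encoding, secret key bits).
WEP_FORMATS = {5: ("ascii", 40), 10: ("hex", 40), 13: ("ascii", 104), 26: ("hex", 104)}
IV_BITS = 24  # per-frame IV, the same size for both key lengths


def parse_wep_key(text):
    """Classify a WEP key string; return (encoding, secret_bits, marketed_bits, key_bytes)."""
    if len(text) not in WEP_FORMATS:
        raise ValueError(f"{len(text)} characters: expected 5, 10, 13 or 26")
    encoding, secret_bits = WEP_FORMATS[len(text)]
    if encoding == "hex":
        if any(c not in string.hexdigits for c in text):
            raise ValueError("hex keys may only use 0-9 and A-F")
        key = bytes.fromhex(text)
    else:
        key = text.encode("ascii")  # UnicodeEncodeError is a ValueError subclass
    return encoding, secret_bits, secret_bits + IV_BITS, key


def iv_repeat_probability(frames):
    """Birthday estimate that some IV repeats within `frames` frames.

    Assumes IVs are picked uniformly at random (an assumption of this example).
    """
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * 2 ** IV_BITS))


if __name__ == "__main__":
    # Constructed sample keys, not taken from any real network.
    for sample in ("0123456789", "abcde", "0123456789ABCDEF0123456789", "thirteenchars"):
        enc, secret, marketed, key = parse_wep_key(sample)
        print(f"{sample!r}: {enc}, {secret}-bit secret, sold as {marketed}-bit, {len(key)} bytes")
    for n in (1000, 5000, 20000):
        print(f"{n} frames: IV repeat probability {iv_repeat_probability(n):.2f}")
```

The "64" and "128" figures count the 24-bit IV, so the secret part of the key is only 40 or 104 bits, and a longer key does not enlarge the IV space.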

WPA/WPA2 Personal


Encryption:

TKIP

AES

Pre-Shared Key:

A key of 8-63 characters

Key Renewal:

You can choose a Key Renewal period, which instructs the device how often it should change encryption keys. The default is 3600 seconds.

Attacking WEP


• iwconfig – a tool for configuring wireless adapters. You can use this to ensure that your wireless adapter is in “monitor” mode which is essential to sending fake ARP (Address Resolution Protocol) requests to the target router

• macchanger – a tool that allows you to view and/or spoof (fake) your MAC address

• airmon – a tool that can help you set your wireless adapter into monitor mode (rfmon)

• airodump – a tool for capturing packets from a wireless router (otherwise known as an AP)

• aireplay – a tool for forging ARP requests

• aircrack – a tool for decrypting WEP keys

How to defend when using WEP


Use longer WEP encryption keys, which make the data analysis task more difficult, if your WLAN equipment supports 128-bit WEP keys.

Change your WEP keys frequently. There are devices that support "dynamic WEP", which is not part of the standard but allows different WEP keys to be assigned to each user.

Use a VPN for any protocol, including WEP, that may include sensitive information.

Implement a different technique for encrypting traffic, such as IPsec over wireless. To do this, you will probably need to install IPsec software on each wireless client, install an IPsec server in your wired network, and use a VLAN to connect the access points to the IPsec server.

Attacking WPA


• macchanger – a tool that allows you to view and/or spoof (fake) your MAC address

• airmon – a tool that can help you set your wireless adapter into monitor mode (rfmon)

• airodump – a tool for capturing packets from a wireless router (otherwise known as an AP)

• aireplay – a tool for forging ARP requests

― Capture WPA/WPA2 handshakes by forcing clients to reauthenticate

― Generate new Initialization Vectors

• aircrack – a tool for decrypting WEP keys (should be used with a dictionary)

How to defend WPA


Passphrases – the only way to crack WPA is to sniff the password PMK associated with the handshake authentication process, and if this password is extremely complicated it will be almost impossible to crack

Passphrase Complexity – select a random passphrase that is not made up of dictionary words. Select a complex passphrase of a minimum of 20 characters in length and change it at regular intervals
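The guidance above, together with the 8-63 character pre-shared key limit and the advice to change the default SSID, can be turned into a small audit. This is an added example, not part of the original slides: it derives the WPA/WPA2-Personal PMK with PBKDF2-HMAC-SHA1 (the SSID is the salt) and checks a passphrase against the slide's rules. The word list, SSID list and function names are constructed for illustration.

```python
import hashlib

# Constructed sample lists; a real audit would load a full dictionary.
COMMON_WORDS = {"password", "welcome", "wireless", "network", "admin", "letmein"}
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}


def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("pre-shared key must be 8-63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def audit_psk(passphrase, ssid):
    """Return findings against the slide's guidance; an empty list means it passes."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("length outside the 8-63 characters WPA accepts")
    elif len(passphrase) < 20:
        findings.append("shorter than the recommended 20 characters")
    lowered = passphrase.lower()
    hits = sorted(w for w in COMMON_WORDS if w in lowered)
    if hits:
        findings.append("contains dictionary word(s): " + ", ".join(hits))
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("default SSID: the PMK salt is shared with many other networks")
    return findings


if __name__ == "__main__":
    # Constructed samples: one weak configuration, one that follows the guidance.
    for psk, ssid in (("password", "linksys"), ("q7#Lz2!vR9@xT4$mB6^kW1", "Lab-AP-17")):
        print(ssid, derive_pmk(psk, ssid).hex()[:16] + "...", audit_psk(psk, ssid) or "OK")
```

Because the SSID is the salt, the same passphrase yields a different PMK on every uniquely named network, so tables precomputed for a default SSID do not carry over once the name is changed.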

Common defense techniques


Change router default user name and password

Change the internal IP subnet if possible

Change default name and hide broadcasting of the SSID (Service Set Identifier)

None of the attack methods are faster or effective when a larger passphrase is used.

Restrict access to your wireless network by filtering access based on the MAC (Media Access Control) addresses

Use Encryption

Threat points


Network Admission Control (NAC)

Determines the users, their machines, and their roles

Grant access to network based on level of security compliance

Interrogation and remediation of noncompliant devices

Audits for security compliance


Firewall (Placement Options)

Source: Cisco, Deploying Firewalls Throughout Your Organization

Why Place Firewalls in Multiple Network Segments?

►Provide the first line of defense in network security infrastructures

►Prevent access breaches at all key network junctures

►WLAN separation with firewall to limit access to sensitive data and protect from data loss

►Help organizations comply with the latest corporate and industry governance mandates

Security Monitoring, Analysis and Reporting System

►Monitor the network

►Detect and correlate anomalies (providing visualization)

►Mitigate threats


Monitoring, Anomalies, & Mitigation

• Discover Layer 3 devices on network

― Entire network can be mapped

― Find MAC addresses, end-points, topology

• Monitors wired and wireless devices

― Unified monitoring provides complete picture

• Anomalies can be correlated

― Complete view of anomalies (e.g. host names, MAC addresses, IP addresses, ports, etc.)

• Mitigation responses triggered using rules

― Rules can be further customized to extend MARS

Rogue Access Points

Rogue Access Points refer to unauthorized access points set up in a corporate network

Two varieties:

Added for intentionally malicious behavior

Added by an employee not following policy

Either case needs to be prevented


Rogue AP Mapping - Cisco


Guest Wireless


Guest Wifi Benefits

Network segmentation

Policy management

Guest traffic monitoring

Customizable access portals


Compromised Clients

| Wifi Threat | Security Concern | Counter Measure |
|---|---|---|
| Ad-hoc Connections | Wide-open connections; Unencrypted; Unauthenticated; Insecure | Pre-define ad-hoc policy |
| Concurrent wired/wifi connection | Contaminating secure wired environment | Concurrent wired/wifi pre-defined policy; Disable wifi traffic if wired detected |
| Access to unsecured wifi | May lack authentication / encryption; Risk of traffic cracking, rogue network devices | Enforce location-based policies; Restrict allowed SSIDs; Enforce stronger security policies |
