Securing Wireless Networks: Debunking the Myths
Chaffey College, Chino Information Technology Center
Steve Siedschlag, Associate Professor
What is a Wireless Network?
The wireless telegraph is not difficult to understand. The ordinary telegraph is like a very long cat. You pull the tail in New York, and it meows in Los Angeles. The wireless is the same way, only without the cat.
-- Attributed to Albert Einstein
What is a Wireless Network? (really)
• It is a LAN
• Extension of Wired LAN
• Uses High Frequency Radio Waves (RF)
• Speed: 2Mbps to 54Mbps
• Distance 100 feet to 15 miles (with fancy antennas)
• Most importantly, it lets you sit on your deck and use your computer while sipping a cocktail of your choice
Is Wireless Secure?
• Not ‘Out of the Box’
• There are steps you can take
  – None are a total solution
  – In combination they may be sufficient
• Defense in depth
• Making the hackers ‘go next door’
What Is This Phenomenon of Drive-by Hacking?
• Hacker taps into a network using a wireless rig that allows him to park in front of a building and gain access to your network while sitting in the car.
• Unsecured wireless can be likened to installing a wired LAN jack in your front yard.
• Often referred to as “WarDriving”
WarDriving
• Term derived from War dialing, made popular in the movie War Games
• All that is required are a few readily available hardware and software components
  – A PC or PDA with a wireless network card
  – Optionally, a GPS and external antenna
  – Software such as Netstumbler, Kismet, etc.
    • Freely downloadable on the Internet
    • Easy for the average computer user to install
WarDriving (continued)
• The software logs configuration of detected WiFi devices, optionally including the map location
• Moving the WarDriving rig from place to place will eventually develop a large database of wireless networks and their locations
WarDriving (continued)
• IS THIS LEGAL?
  – Probably, if that is all the farther it goes
  – Accessing a network is another matter entirely
    • Definitely NOT legal if you do not have the owner’s permission
    • Even if you ONLY use it to access the Internet
    • Most Wardrivers do NOT access the networks that they detect
      – Surprised?
Why Is It Easy to Get Into a Wireless Network?
• The most common wireless local area networks are built based on a standard known as 802.11
• The security of this technology has been demonstrated to be inadequate when challenged by simple hacking attempts
• In addition, products sold with this technology are usually delivered with security functionality disabled.
What if I Change My Network’s Name?
• That is more than most do, but it doesn’t make you much more secure
  – Your SSID (Service Set ID) is beaconed by your AP
  – You can turn off beaconing, but your SSID is still sent each time a computer connects and is easily captured
    • At least your neighbor will not accidentally connect!
I Also Changed My Channel
• Once again, that is more than most do, but it does nothing for security
  – Windows XP will automatically scan all the available channels for an active access point
• It is helpful to select a channel that does not overlap your neighbor!
  – This will improve the function of your WLAN
  – Most Access Points are set to channel 6 by default
    • Pick 1 or 11 for your AP
Does the Built-in WEP Encryption Option Make Me Secure?
• Not if you don’t use it!
  – Less than 50% of detected WLANs have WEP enabled
  – Many that do, have 64bit rather than 128bit encryption
• Even if you use it…
  – The algorithms used are well understood and not considered weak, but the way in which they are used has resulted in a number of easily exploitable weaknesses
Does the Built-in WEP Encryption Option Make Me Secure? (continued)
• WEP weakness
  – WEP security flaws were documented in a 2001 UC Berkeley study
    • Weak encryption (never intended for repeated use)
    • Short keys (64bits – 24bit Init Vector = 40 bits)
    • Static Keys
    • No distribution method (shared key)
Does the Built-in WEP Encryption Option Make Me Secure? (continued)
• There are freely distributed programs that can crack WEP keys (but it takes a while)
What about WPA?
• WPA is MUCH more secure
  – Encryption keys are frequently rotated
    • Before they can be cracked
  – WPA uses a passphrase as the starting point for the key exchange
    • Much more secure if a complex passphrase is used
      – Several upper & lower case letters, numbers, symbols
  – Can also be used with enterprise systems (RADIUS) for more security
    • Not practical in a home or small office
So WPA Makes Me Secure?
• Not if you don’t use it!
  – Are you seeing a trend here?
• IF you don’t use too simple a passphrase
  – There are tools that will crack passphrases, but it could take many years on a COMPLEX passphrase
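An added example (not from the original slides) of why passphrase complexity matters: WPA personal mode derives its 256-bit pre-shared key from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations), so the key is only as unpredictable as the passphrase. The guess rate of one million per second is an assumption for illustration, and the bit estimate is an upper bound that dictionary words fall far short of.

```python
import hashlib
import math
import string

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit pre-shared key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )

def search_space_bits(passphrase: str) -> float:
    """Upper-bound estimate: length * log2(size of the character classes used)."""
    pool = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        pool += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        pool += 26
    if any(c in string.digits for c in passphrase):
        pool += 10
    if any(c in string.punctuation or c == " " for c in passphrase):
        pool += 33  # 32 punctuation characters plus space
    return len(passphrase) * math.log2(pool)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    ASSUMED_RATE = 1_000_000  # guesses per second; an assumption, not a benchmark
    # Constructed sample passphrases: one simple, one using all four classes.
    for phrase in ("password", "cK7#vQ2!mZ9@rT4%"):
        bits = search_space_bits(phrase)
        print(f"{phrase!r}: <= {bits:.1f} bits, "
              f"{years_to_exhaust(bits, ASSUMED_RATE):.3g} years to exhaust")
    # The SSID acts as the salt: the same passphrase yields a different key
    # on a network with a different name.
    print(wpa_psk("password", "IEEE").hex())
    print(wpa_psk("password", "office-main").hex())
```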
What is MAC Address Filtering?
• Every network card ever produced has a unique address that can be used to limit access to your wireless network
• This feature is disabled by default
So…MAC Address Filtering Makes Me Secure?
• Not if you don’t use it!
  – OK, so this is getting old
• Authorized computers send their MAC address when they attempt to connect
  – This can be logged
• In spite of what some people believe, MAC addresses can be changed on most network cards (at least temporarily)
Are You Telling Me It’s Hopeless?
• NO
  – Most of the security measures we have already described work well when used correctly
  – When several are used in conjunction, they are a formidable barrier to attack
  – Just being better than the status quo is often enough to get the hacker to ‘go next door’
Why Do I Care?
• Why do I care if somebody uses my connection to check their mail?
  – If that was all they did, you probably wouldn’t care
  – Those engaged in illegal activity on the Internet frequently steal network connections to ‘conduct business’
    • Try explaining to the FBI or the NSA that you are ‘not a crook’
  – Many Viruses, Worms and Denial of Service attacks are launched using stolen network connections in order to hide the true source
Then What Should I Do?
• Most modern access points support WEP or WPA
  – Use the highest level of security that your Access Point and computer network card supports (they must be the same).
• MAC filtering and disabling beaconing are good added measures
  – This will make it difficult for visitors to connect to your network
• Change the channel, password and address of your AP
HOW…?
• You will need to spend a little time in the manual or website for your access point
• Some examples follow, but every AP works slightly differently
Wireless LAN Protection Strategies
Recommendations
• Wireless LAN related Configuration
  – Enable WEP, use 128bit key
  – Disable SSID Broadcasts
  – No SNMP access
  – Use MAC (hardware) address to restrict access
  – Non-default Access Point password
  – Change default Access Point Name
  – Use 802.1x / WPA / 802.11i (when available)
Wireless LAN related Configuration (screenshot slides)
• Enable WEP, use 128bit key
• Disable SSID Broadcast
• No SNMP access
• Use 802.1x / WPA / 802.11i (when available)
General Recommendations
• Always (wired or wireless)
  – Install virus protection software plus automatic frequent pattern file update
  – Shared folders must impose password
• Management Issue
  – Prohibit installation of AP’s without authorization
  – Discover any new APs constantly (NetStumbler is free, Antenna is cheap)
  – Power off Access Point when not in use
  – Carefully select the physical location of your AP, not near windows or front doors.
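An added example (not from the original slides) of the "discover any new APs constantly" recommendation: compare a site survey export against the list of authorized access points and flag what needs attention. The CSV layout, the BSSIDs and the inventory are constructed for illustration; a real scanner's export will use different column names.

```python
import csv
import io

# Constructed survey export (not real data): one row per detected AP.
SAMPLE_SCAN = """bssid,ssid,channel,encryption
00:11:22:33:44:01,office-main,1,WPA
00:11:22:33:44:02,office-annex,6,WEP
66:77:88:99:AA:01,linksys,6,OPEN
66:77:88:99:AA:02,office-main,11,OPEN
"""

# Hypothetical inventory of access points installed with authorization.
AUTHORIZED = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

def parse_scan(text: str) -> list:
    """Normalise each CSV row into a dict with typed, trimmed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "bssid": row["bssid"].strip().upper(),
            "ssid": row["ssid"].strip(),
            "channel": int(row["channel"]),
            "encryption": row["encryption"].strip().upper(),
        })
    return rows

def audit(rows: list, authorized: set) -> list:
    """Return (bssid, finding) pairs for APs that need follow-up."""
    own_ssids = {r["ssid"] for r in rows if r["bssid"] in authorized}
    foreign_channels = {r["channel"] for r in rows if r["bssid"] not in authorized}
    findings = []
    for r in rows:
        if r["bssid"] not in authorized:
            if r["ssid"] in own_ssids:
                # Someone else is announcing one of our network names.
                findings.append((r["bssid"], "unauthorized AP using an inventory SSID"))
            else:
                findings.append((r["bssid"], "AP not in inventory"))
            continue
        if r["encryption"] in ("OPEN", "WEP"):
            findings.append((r["bssid"], "authorized AP without WPA"))
        if r["channel"] in foreign_channels:
            findings.append((r["bssid"], f"shares channel {r['channel']} with a non-inventory AP"))
    return findings

if __name__ == "__main__":
    for bssid, finding in audit(parse_scan(SAMPLE_SCAN), AUTHORIZED):
        print(bssid, "-", finding)
```

An AP that is merely "not in inventory" may belong to a neighbor; the one announcing an inventory SSID is the entry to investigate first.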
Thank You!
• Computer Network Security Resources at the Robert Pile Chaffey College Chino Information Technology Center
  – CIS-420 PC Security & Privacy
  – CISNTWK-440 Fund. Of Network Security (Security+)
  – CISNTWK-441 Firewalls & Intrusion Detection
  – CISNTWK-442 Disaster Recovery Planning
  – CISNTWK-445 Windows Security Administration
  – CISNTWK-447 Linux Security Administration
Steve Siedschlag, Associate Professor
[email protected]