Information Systems Audit & Control Association
Auditing Wireless Networks
Presented by: Deloitte & Touche
May 2005
Agenda
• Overview of Wireless Technology
  – Radio Frequency Spectrum
  – Wireless Standards & Technology
  – Advantages of Wireless Networks
• Wireless Security Risks & Deficiencies
  – Insertion Attacks
  – Jamming
  – Interception & Monitoring of Wireless Traffic
  – Client to Client Attacks
  – Brute Force Attacks
  – Encryption Attacks
• Audit Considerations
  – Access Point Mapping
  – SSID Broadcasting & Naming Convention
  – Logical Security Architecture
  – Physical Security
  – Radio Frequency Management
  – Default Settings
  – Encryption
  – Authentication
  – Policies & Procedures
The Wireless World
(Figure: examples of wireless devices – toys, cordless phones, appliances, PDAs, WLANs, cell phones.)
Radio Frequency Spectrum
(Figure: frequency axis from 0 to 28 GHz with the following bands placed on it, listed here from low to high frequency.)
• AM Radio (535 – 1605 kHz)
• FM Radio (88 – 108 MHz)
• VHF TV (174 – 216 MHz)
• UHF TV (512 – 806 MHz)
• Analog Cellular (824 – 894 MHz)
• Cordless Phones, Baby Monitors, Toys (900 MHz)
• Digital Cellular (1850 – 1900 MHz)
• 802.11b, Bluetooth, Cordless Phones (2.4 GHz)
• 802.11a (5 GHz)
The figure distinguishes unlicensed radio frequencies from licensed radio frequencies.
Wireless Standards & Technology
• Institute of Electrical and Electronics Engineers (IEEE)
  – Develops standards for the computer and electronics industries
  – Independent organization; its standards are internationally accepted
  – The IEEE 802 committee deals specifically with LANs
    • The IEEE 802.11 committee was created in 1990 to deal with wireless LANs
  – The IEEE 802.11 standard determines:
    • How connections are made
    • What frequencies are used
    • Modulation techniques
    • Number of connections possible
    • Encryption methods
  – Allows for interoperability among wireless devices
Wireless Network Standards
• Bluetooth
  – Used as a short distance replacement for cables (10 meters)
  – 1 Mbps data rate
  – 2.4 GHz frequency band
• 802.11a (WiFi5)
  – Extension to the 802.11 Wireless LAN standard
  – 54 Mbps data rate
  – 5 GHz frequency band
  – Orthogonal Frequency Division Multiplexing (OFDM)
• 802.11b
  – Extension to the 802.11 Wireless LAN standard
  – 11 Mbps data rate
  – 2.4 GHz frequency band
  – Digital Sequence Spread Spectrum (DSSS)
• 802.11g
  – Improves the performance of 802.11b
  – Backward compatible with 802.11b
  – Extension to the 802.11 Wireless LAN standard
  – 54 Mbps data rate
  – 2.4 GHz and 5 GHz frequency bands
What is a Wireless Network?
(Figure: wireless devices – wireless phone, wireless network card, wireless laptop, wireless PDA – a wireless access point, a demilitarized zone (firewall, web servers), and the internal network.)
Wireless Technology
• A wireless LAN consists of two major components
  – Client: device equipped with a wireless network interface card
    • Laptop, hand-held device, or workstation not connected to the wired network
  – Access Point (AP): hub that provides wireless users with access to the network environment
• Wireless networks operate in two modes
  – Ad-hoc mode
    • Connections are made between two or more clients without a central AP
  – Infrastructure mode
    • Clients connect to a central AP
• Wireless access points broadcast their presence, often including the Service Set Identifier (SSID)
  – The SSID is a configurable identifier that allows clients to communicate with the appropriate access point.
  – With proper configuration, only clients with the correct SSID can communicate with the access point.
Ad-hoc Mode
(Figure: two or more clients connected directly, without a central AP.)

Infrastructure Mode
(Figure: client, wireless access point (AP), server.)

Sample wLAN Configuration
Extend an existing wired LAN without additional wiring.
(Figure: wired workstations and a server on the wired LAN, an AP attached to it, and wireless clients.)
Advantages of Wireless Networks
Wireless Local Area Networks (wLAN)
• Provide LAN functionality without wires
• Useful in areas where wiring is not possible or cost prohibitive
  – Hospitals
  – Leased office space
  – College campuses with many buildings
  – Disaster areas
• Typically cover small areas
• Can be combined effectively with wired networks
• Handle data transmission of 1 Mbps up to 54 Mbps, which is comparable to wired networks
• Easily scalable
• Can connect LANs in separate buildings when it is not possible to lay wiring
Wireless Security Risks & Deficiencies
• Insertion Attacks
  – Attacker connects to a wireless client without proper authorization
    • If there is no password on the access point, an intruder can connect to the internal network simply by enabling a wireless client to communicate with the wireless AP
  – Parking Lot Attacks
    • Wireless networks do not comply with traditional physical security measures: the RF signal passes easily through walls and windows
    • Attackers can build ‘war-driving rigs’ at very little set-up cost: a laptop, wireless card, antenna and packet-sniffing software
    • ‘Netstumbler’ maintains a database of known wireless access points, identifying SSID, signal strength, AP manufacturer, GPS coordinates, etc.
• Jamming
  – The 2.4 GHz band can easily be flooded by an attacker with the proper equipment
    • Legitimate traffic cannot reach clients because of the overwhelming attacker traffic
    • The network can cease to function, causing loss of productivity
Risks & Deficiencies Cont.
• Interception & Monitoring of Wireless Traffic
  – The attacker must be in range of the wireless AP (usually a 300 ft. radius); range can be extended with sophisticated equipment
  – Wireless Packet Analysis
    • A skilled attacker employs tools to capture the first part of a connection session, which typically includes data such as user name and password
    • This information can be used to masquerade as a legitimate user and issue unauthorized commands
  – Broadcast Monitoring
    • If the AP is connected to a hub instead of a switch, any network traffic over the hub can potentially be broadcast over the wireless network
    • Since an Ethernet hub broadcasts all data packets to all connected devices, including the AP, an attacker can intercept sensitive data that was never intended to be transmitted over the wireless network
Risks & Deficiencies Cont.
• Client to Client Attacks
  – Two wireless clients can talk directly to each other, bypassing the access point
  – Users therefore need to defend clients not just against an external threat but also against each other
  – File Sharing and Other TCP/IP Service Attacks
    • Wireless clients running TCP/IP services such as a web server or file sharing are open to the same exploits and misconfigurations as any user on a wired network
  – DoS (Denial of Service)
    • A wireless device floods other wireless clients with bogus packets, creating a denial of service
    • Duplicate IP or MAC addresses, whether intentional or accidental, can cause disruption on the network
Risks & Deficiencies Cont.
• Brute Force Attacks Against Access Point Passwords
  – Most APs use a single key or password that is shared with all connecting wireless clients
  – Dictionary attacks compromise the key by methodically testing every possible password
    • The intruder gains access to the access point once the password is guessed
    • A compromised client can expose the AP
  – Not changing the keys on a frequent basis, or when employees leave the organization, also opens the access point to attack
  – Managing a large number of access points and clients only complicates this issue
• Encryption Attacks
  – WEP encryption is not very secure!
Audit Considerations
• Access Point Mapping
• SSID Broadcasting
• SSID Naming Convention
• Logical Security Architecture
• Physical Security
• Radio Frequency Management
• Default Settings
• Encryption
• Authentication
• Policies and Procedures
Auditing – Access Point Mapping
The Risk
Access points can be monitored and located using software freely available over the Internet. The industry term is “war driving”.
The Implication
(Figure.)
The Solution
Ensure that security protection mechanisms are implemented so that, even if your access point is mapped and the map is publicly stored on the Internet, you are adequately protected.
Auditing – SSID Broadcasting
The Risk
Service Set Identification (SSID) is essentially the network name of your wireless LAN.
The Implication
(Figure: an access point broadcasting “SSID = Company A”, received by devices in range.)
The Solution
Disable the broadcasting of the SSID. This is possible on many enterprise class access points, such as Cisco. When the SSID is not broadcast, each authenticating device must already have it configured.
Auditing – SSID Naming Conventions
The Risk
Default SSIDs as shipped by vendors:
• Cisco = tsunami
• 3COM = 101
• Agere = WaveLAN
• Linksys = Linksys
• Dlink = default
The Implication
(Figure: an access point broadcasting the default “SSID = tsunami”.)
The Solution
Immediately change the default SSID that ships with the access point. Use a creative name that makes no reference to your company; setting the SSID to your organization's name will draw unneeded attention to your network.
Auditing – Logical Security Architecture
The Risk / The Implication
(Figure: Internet, firewall, DMZ (web servers, mail servers), internal network.)
The Solution
(Figure: Internet, firewall, DMZ (web servers, mail servers), internal network, with the wireless AP placed behind the corporate firewall.)
Auditing – Physical Security
The Risk
An unauthorized visitor can hijack the network from the inside by manipulating the wireless settings.
(Figure: Building A.)
The Solution
Wireless access points should be placed in secured locations.
Auditing – Radio Frequency Management
The Risk / The Implication
(Figure: RF signal from Building A reaching the parking lot.)
Poor RF management leads to unnecessary transmission of your RF signal into unwanted areas. Also consider other devices that may cause interference, such as 2.4 GHz cordless phones or Bluetooth.
The Solution
(Figure: Building A and parking lot, with the signal contained within the building.)
Use a wireless network scanner to determine your radio frequency footprint. Simply rearranging your access points can minimize potential RF leakage.
Auditing – Default Settings
The Risk
Most access points come with no security mechanisms enabled.
The Solution
Immediately increase your security posture by enabling many of the security features that come with the access point. For example:
– Change the default IP address
– Change the default password
– Change the default SSID
– Disable DHCP
– Enable encryption (WEP or LEAP)
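The SSID naming convention and the default settings checklist above can be applied mechanically to an inventory of access point configurations. The Python below is an added example written for this page, not code from the presentation or from Deloitte. The record fields (ssid, ssid_broadcast, ip_address_changed, admin_password_changed, dhcp_server, encryption), the organization names and the three sample access points are constructed assumptions; the table of default SSIDs is the one the slides give.

```python
import re

# Factory-default SSIDs listed on the SSID Naming Conventions slide, keyed to vendor.
DEFAULT_SSIDS = {
    "tsunami": "Cisco",
    "101": "3COM",
    "WaveLAN": "Agere",
    "Linksys": "Linksys",
    "default": "Dlink",
}


def audit_access_point(ap, org_names):
    """Return the list of findings for one access point record.

    `ap` is a dict of the AP's running configuration; the field names are an
    assumption of this example, not any vendor's export format. `org_names`
    lists strings that should never appear in an SSID.
    """
    findings = []
    ssid = ap.get("ssid", "")

    # SSID naming convention: a default SSID reveals the vendor (and that the
    # unit is probably untouched); a company name draws unneeded attention.
    if ssid in DEFAULT_SSIDS:
        findings.append(f"SSID '{ssid}' is the {DEFAULT_SSIDS[ssid]} factory default")
    for name in org_names:
        if re.search(re.escape(name), ssid, re.IGNORECASE):
            findings.append(f"SSID '{ssid}' references the organization ('{name}')")
            break

    # SSID broadcasting: clients should need the SSID preconfigured.
    if ap.get("ssid_broadcast", True):
        findings.append("SSID broadcast is enabled")

    # Default settings: management address, administrative password, DHCP.
    if not ap.get("ip_address_changed", False):
        findings.append("management IP address is still the vendor default")
    if not ap.get("admin_password_changed", False):
        findings.append("administrative password is still the vendor default")
    if ap.get("dhcp_server", False):
        findings.append("DHCP server is enabled on the access point")

    # Encryption: none is unacceptable; static WEP is the floor, not the goal.
    encryption = ap.get("encryption", "none").lower()
    if encryption == "none":
        findings.append("no encryption: traffic is readable by any sniffer in range")
    elif encryption == "wep":
        findings.append("static WEP only: deters casual sniffing but should not be relied upon")

    return findings


def audit_inventory(inventory, org_names):
    """Map each AP name to its findings, omitting APs with nothing to report."""
    report = {}
    for ap in inventory:
        findings = audit_access_point(ap, org_names)
        if findings:
            report[ap["name"]] = findings
    return report


# Constructed sample inventory: three hypothetical access points.
SAMPLE_INVENTORY = [
    {"name": "ap-lobby", "ssid": "tsunami", "ssid_broadcast": True,
     "ip_address_changed": False, "admin_password_changed": False,
     "dhcp_server": True, "encryption": "none"},
    {"name": "ap-floor2", "ssid": "CompanyA-Guest", "ssid_broadcast": False,
     "ip_address_changed": True, "admin_password_changed": True,
     "dhcp_server": False, "encryption": "WEP"},
    {"name": "ap-lab", "ssid": "bluefin-7", "ssid_broadcast": False,
     "ip_address_changed": True, "admin_password_changed": True,
     "dhcp_server": False, "encryption": "LEAP"},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, ["Company A", "CompanyA"]).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed inventory, ap-lobby produces six findings (every check fails), ap-floor2 two (company name in the SSID, static WEP) and ap-lab none; on real data the inventory would come from the AP configuration exports collected during the audit.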
Auditing – Encryption
The Risk
Most access points are implemented without using some form of encryption.
The Implication
All network traffic is freely available to someone running a wireless network sniffer. Information that could be exposed includes IP addresses, passwords and company information.
(Figure: clear text passwords, IP addresses, company data.)
The Solution
Utilize some form of encryption to protect the data being transmitted. 802.11b comes with a built-in form of encryption called WEP (Wired Equivalent Privacy). Although it will deter a casual sniffer or intruder, it offers little protection because of its weak design (it typically requires 500 MB to 1 GB of captured data to crack a WEP key). Also consider third party authentication services such as LEAP (Cisco).
Auditing – Encryption
• Wired Equivalent Privacy (WEP) Encryption
  – Encryption standard developed by the IEEE
  – Algorithm used to protect wireless communication from eavesdropping
  – Secondary function is to prevent unauthorized access to the network
    • Not an explicit goal of WEP
    • Frequently considered a feature of WEP
  – Relies on a secret key shared between client and AP
    • The secret key encrypts packets before transmission
    • An integrity check is used to ensure that packets are not modified in transit
    • In practice, most installations use a single key that is shared between all clients and access points
Auditing – Encryption
• Problems with WEP Encryption
  – The Integrity Check field is linear
    • Allows an intruder to change the message and correctly adjust the integrity check field so that the message appears valid (bit flipping)
  – A static key must be shared among the users and the access point
    • Using available hacking tools such as Airsnort, a hacker can recover a WEP key in less than 90 minutes
  – WEP can deter attackers, but should not be relied upon
Auditing – Encryption
• Lightweight Extensible Authentication Protocol (LEAP) Encryption
  – Secure alternative to WEP encryption
  – Security scheme developed by Cisco Systems
  – Uses dynamic WEP and sophisticated key management
• How secure is LEAP?
  – Tests have been done using AirSnort (one of the best hacking tools available) showing that, out of 60,000,000,000 packets intercepted, none were found usable
Auditing – Authentication
The Risk
802.11b does not contain adequate authentication mechanisms. The two forms of authentication included with 802.11b are Open System Authentication (OSA) and Shared Key Authentication (SKA).
Open System Authentication
• All you need is the SSID
• Negotiation is done in clear text
  Client → AP: Request (SSID)
  AP → Client: Accepted (SSID)
Shared Key Authentication
• SSID and WEP encrypted key required
  Client → AP: Request (SSID)
  AP → Client: Challenge Text (WEP)
  Client → AP: Challenge Response (WEP)
  AP → Client: Accepted (SSID)
Auditing – Authentication
The Implication
Authentication only requires an SSID (which is generally known) and the WEP key (which can be cracked). Therefore the identity of the user cannot be authenticated. Take the situation of a stolen laptop: are you really authenticating the user, or the device?
(Figure: the Company A network accepting “Bob's Laptop” – not Bob!)
The Solution
Utilize third party authenticating devices to enhance the security of a wireless network. For example, a RADIUS server will provide user authentication to ensure that someone with a stolen device will still not have access to your network. When authenticating, always consider:
– What you know (passwords)
– What you have (SecurID)
– What you are (biometrics)
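The stolen-laptop question above can be made concrete with a small simulation of the Shared Key Authentication exchange. The Python below is an added example, not code from the presentation. It keeps the four-message flow (Request, Challenge Text, Challenge Response, Accepted) but replaces WEP's encryption of the challenge with HMAC-SHA256 so it runs stand-alone, and adds a hypothetical per-user credential check standing in for what a RADIUS server contributes. The network name, the shared key, the user store and the user's password are all constructed.

```python
import hashlib
import hmac
import os

SSID = "Company A"                                           # constructed network name
SHARED_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3")     # constructed 104-bit key on every client


def client_response(device_key: bytes):
    """Client side of SKA: answer a challenge with the key stored on the device.
    Whoever holds the device can do this; the exchange never involves a person."""
    return lambda challenge: hmac.new(device_key, challenge, hashlib.sha256).digest()


def shared_key_authentication(ssid: str, respond):
    """AP side of the four-message exchange. Returns (accepted, transcript)."""
    transcript = [("client -> AP", f"Request ({ssid})")]
    if ssid != SSID:
        transcript.append(("AP -> client", "Rejected"))
        return False, transcript
    challenge = os.urandom(16)
    transcript.append(("AP -> client", "Challenge Text"))
    response = respond(challenge)
    transcript.append(("client -> AP", "Challenge Response"))
    expected = hmac.new(SHARED_KEY, challenge, hashlib.sha256).digest()
    accepted = hmac.compare_digest(response, expected)
    transcript.append(("AP -> client", "Accepted" if accepted else "Rejected"))
    return accepted, transcript


# Hypothetical per-user store, as an authentication server would hold it
# (salted password hashes; the salt and the user are constructed).
_SALT = b"constructed-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USER_STORE = {"bob": _hash_password("correct horse battery")}


def user_authentication(username: str, password: str) -> bool:
    """Something the user knows, checked independently of the device."""
    stored = USER_STORE.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(_hash_password(password), stored)


def network_access(ssid: str, device_key: bytes, username: str, password: str) -> dict:
    """Combine 'what you have' (device holding the key) with 'what you know'."""
    device_ok, transcript = shared_key_authentication(ssid, client_response(device_key))
    user_ok = device_ok and user_authentication(username, password)
    return {"device_ok": device_ok, "user_ok": user_ok, "transcript": transcript}


if __name__ == "__main__":
    for who, password in (("Bob", "correct horse battery"), ("thief with Bob's laptop", "guess")):
        result = network_access(SSID, SHARED_KEY, "bob", password)
        print(who, "->", "device", result["device_ok"], "/ user", result["user_ok"])
```

Both runs complete the SKA exchange with "Accepted", because the AP only ever sees the key on the device; only the user-level check separates Bob from whoever is carrying his laptop. That is the property an auditor should look for when asked which of the three factors the wireless authentication actually verifies.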
Auditing – Policies & Procedures
• Wireless Security Policy
  – Sets the wireless security and control standards
  – Separate from the corporate security policy
• Routine Perimeter Scans
  – Regular scans of the network perimeter should be performed to identify any rogue APs or unknown weaknesses
• Patch Management & Monitoring
  – The latest security patches and updates should be applied regularly
• Change Management Procedures
  – Adding new wireless networking devices
  – Modifying the wireless network configuration
Summary of Audit Considerations
• SSID Broadcasting
  – SSID broadcasting should be disabled
  – SSID should be changed from the default and should not be specific to the company
• wLAN Architecture
  – Wireless AP should be behind the corporate firewall
• Authentication
  – Utilize third party authenticating devices to enhance the security of a wireless network, e.g. a RADIUS server
• Encryption
  – WEP at minimum; stronger encryption necessary
• Default Configuration
  – AP default settings should be changed to make it more difficult to identify and penetrate the wireless network
• RF Management
  – AP should be placed in an area that limits broadcasting of the signal outside the building
  – Also consider the effects of interference from other wireless devices in place
• Physical Security
  – Wireless AP should be stored in a secure location
• Policies & Procedures
  – Ensure the client has established policies and procedures specific to wireless networks, so that they are managed consistently with management's intent
Final Thoughts
What we should be asking during a wireless audit:
• Are you running a wireless network?
• Do you have a wireless strategy?
• What steps are you taking to secure your wireless network?
• Have you changed the vendor default settings?
• Are you broadcasting the SSID?
• Is your access point outside of the network, in the DMZ?
• Are your access points in a physically secure location?
• Are your access points in a location that limits RF leakage?
• Have you enabled encryption?
• What method of authentication has been configured?
Questions?
THANK YOU!
Please feel free to contact us with any questions
Clayton A. Snyder
[email protected] (313) 394-5622
Ryan Riegling
[email protected] (313) 396-2493