Information Systems Audit & Control Association

Auditing Wireless Networks

Presented by: Deloitte & Touche

May 2005

Agenda

• Overview of Wireless Technology
  – Radio Frequency Spectrum
  – Wireless Standards & Technology
  – Advantages of Wireless Networks

• Wireless Security Risks & Deficiencies
  – Insertion Attacks
  – Jamming
  – Interception & Monitoring of Wireless Traffic
  – Client to Client Attacks
  – Brute Force Attacks
  – Encryption Attacks

• Audit Considerations
  – Access Point Mapping
  – SSID Broadcasting & Naming Convention
  – Logical Security Architecture
  – Physical Security
  – Radio Frequency Management
  – Default Settings
  – Encryption
  – Authentication
  – Policies & Procedures

The Wireless World

(Figure: examples of wireless devices: Toys, Cordless Phones, Appliances, PDAs, WLANs, Cell Phones)

Radio Frequency Spectrum

(Figure: spectrum chart from 0 MHz to 28 GHz, distinguishing Unlicensed Radio Frequencies from Licensed Radio Frequencies)

• AM Radio (535 – 1605 kHz)
• FM Radio (88 – 108 MHz)
• VHF TV (174 – 216 MHz)
• UHF TV (512 – 806 MHz)
• Analog Cellular (824 – 894 MHz)
• Cordless Phones, Baby Monitors, Toys (900 MHz)
• Digital Cellular (1850 – 1900 MHz)
• 802.11b, Bluetooth, Cordless Phones (2.4 GHz)
• 802.11a (5 GHz)

Wireless Standards & Technology

• Institute of Electrical and Electronics Engineers (IEEE)
  – Develops standards for computer and electronics industries
  – Independent organization – standards internationally accepted
  – IEEE 802 committee deals specifically with LANs
    • IEEE 802.11 committee created in 1990 to deal with wireless LANs
  – IEEE 802.11 standard determines:
    • How connections are made
    • What frequencies are used
    • Modulation techniques
    • Number of connections possible
    • Encryption methods
  – Allows for interoperability among wireless devices

Wireless Network Standards

Bluetooth
  • Used as a short distance replacement for cables (10 meters)
  • 1 Mbps Data Rate
  • 2.4 GHz Frequency Band

802.11a (WiFi5)
  • Extension to 802.11 Wireless LAN standard
  • 54 Mbps Data Rate
  • 5 GHz Frequency Band
  • Orthogonal Frequency Division Multiplexing (OFDM)

802.11b
  • Extension to 802.11 Wireless LAN standard
  • 11 Mbps Data Rate
  • 2.4 GHz Frequency Band
  • Direct Sequence Spread Spectrum (DSSS)

802.11g
  • Improves the performance of 802.11b
  • Backward compatible with 802.11b
  • Extension to 802.11 Wireless LAN standard
  • 54 Mbps Data Rate
  • 2.4 GHz and 5 GHz Frequency Bands

What is a Wireless Network?

(Figure: Wireless Phone, Wireless PDA and Wireless Laptop with Wireless Network Card connecting through a Wireless Access Point; Demilitarized Zone (Firewall, Web Servers); Internal Network)

Wireless Technology

• Wireless LAN consists of two major components
  – Client: Device equipped with wireless network interface card
    • Laptop, hand-held device, workstation not connected to wired network
  – Access Point (AP): Hub that provides wireless users with access to the network environment

• Wireless networks operate in two modes
  – Ad-hoc mode
    • Connections made between two or more clients without a central AP
  – Infrastructure mode
    • Clients connect to central AP

• Wireless Access Points broadcast their presence, often including the Service Set Identifier (SSID)
  – SSID is a configurable identifier that allows clients to communicate with the appropriate access point.
  – With proper configuration, only clients with the correct SSID can communicate with access points.

Ad-hoc Mode

(Figure: clients connected directly to one another without a central AP)

Infrastructure Mode

(Figure: Client – Wireless Access Point (AP) – Server)

Sample wLAN Configuration

Extend an existing wired LAN without additional wiring.

(Figure: Wired Workstations, Server, AP, wireless Clients)

Advantages of Wireless Networks

Wireless Local Area Networks (wLAN)
• Provide LAN functionality without wires
• Useful in areas where wiring is not possible or cost prohibitive
  – Hospitals
  – Leased office space
  – College campus with many buildings
  – Disaster area
• Typically cover small areas
• Can be combined with wired networks effectively
• Handle data transmission of 1 Mbps up to 54 Mbps, which is comparable to wired networks
• Easily scalable
• Can connect LANs in separate buildings when it is not possible to lay wiring

Wireless Security Risks & Deficiencies

• Insertion Attacks
  – Attacker connects to a wireless client without proper authorization
    • If there is no password on the Access Point, an intruder can connect to the internal network simply by enabling a wireless client to communicate with the wireless AP
  – Parking Lot Attacks
    • Wireless networks do not comply with traditional physical security measures – RF signal easily passes through walls and windows
    • Attackers are able to create ‘War-Driving Rigs’ with very little set-up cost – requires laptop, wireless card, antenna, packet sniffing software
    • ‘Netstumbler’ maintains a database of known wireless access points – identifies SSID, signal strength, AP manufacturer, GPS coordinates, etc.

• Jamming
  – 2.4 GHz frequency can easily be flooded by an attacker with proper equipment
    • Legitimate traffic cannot reach clients due to overwhelming attacker traffic
    • Network can cease to function – causing loss of productivity

Risks & Deficiencies Cont.

• Interception & Monitoring of Wireless Traffic
  – Attacker must be in range of the wireless AP (usually 300 ft. radius). Range can be enhanced with sophisticated equipment
  – Wireless Packet Analysis
    • Skilled attacker employs tools to capture the first part of a connection session, typically including data such as user name and password
    • Information can be used to masquerade as a legitimate user and issue unauthorized commands
  – Broadcast Monitoring
    • If the AP is connected to a hub instead of a switch, any network traffic over the hub can potentially be broadcast over the wireless network
    • Since an Ethernet hub broadcasts all data packets to all connected devices, including the AP, an attacker can intercept sensitive data not intended to be transmitted over the wireless network

Risks & Deficiencies Cont.

• Client to Client Attacks
  – Two wireless clients can talk directly to each other, bypassing the access point
  – Users therefore need to defend clients not just against an external threat but also against each other
  – File Sharing and Other TCP/IP Service Attacks
    • Wireless clients running TCP/IP services such as a Web server or file sharing are open to the same exploits and improper configurations as any user on a wired network.
  – DoS (Denial of Service)
    • A wireless device floods other wireless clients with bogus packets, creating a denial of service attack.
    • Duplicate IP or MAC addresses, both intentional and accidental, can cause disruption on the network.

Risks & Deficiencies Cont.

• Brute Force Attacks Against Access Point Passwords
  – Most APs use a single key or password that is shared with all connecting wireless clients
  – Dictionary attacks compromise the key by methodically testing every possible password.
    • Intruder gains access to the access point once the password is guessed.
    • A compromised client can expose the AP
  – Not changing the keys on a frequent basis or when employees leave the organization also opens the access point to attack
  – Managing a large number of access points and clients only complicates this issue

• Encryption Attacks
  – WEP Encryption not very secure!

Audit Considerations

• Access Point Mapping
• SSID Broadcasting
• SSID Naming Convention
• Logical Security Architecture
• Physical Security
• Radio Frequency Management
• Default Settings
• Encryption
• Authentication
• Policies and Procedures

Auditing – Access Point Mapping

The Risk

Access points can be monitored and located using software freely available over the Internet. The industry term is “War Driving”.

The Implication

(Figure; no text recovered)

The Solution

Ensure that security protection mechanisms are implemented so that, even if your Access Point is mapped and its location is publicly stored on the Internet, you are adequately protected.

Auditing – SSID Broadcasting

The Risk

Service Set Identification (SSID) is essentially the network name of your Wireless LAN.

The Implication

(Figure: an Access Point broadcasting “SSID = Company A”)

The Solution

Disable the broadcasting of the SSID. This is possible on many enterprise class Access Points such as Cisco. When the SSID is not broadcast, each authenticating device must already have the SSID configured.

Auditing – SSID Naming Conventions

The Risk

Default SSID by vendor:
  Cisco = tsunami
  3COM = 101
  Agere = WaveLAN
  Linksys = Linksys
  Dlink = default

The Implication

(Figure: an Access Point broadcasting “SSID = tsunami”)

The Solution

Immediately change the default SSID that comes shipped with the Access Point. Use a creative name that does not make any reference to your company. Setting the SSID to your organizational name will draw unneeded attention to your network.

Auditing – Logical Security Architecture

The Risk

The Implication

(Figure: Internet – Firewall – DMZ (Web Servers, Mail Servers) – Internal Network)

The Solution

(Figure: revised architecture with the same components: Internet, Firewall, DMZ (Web Servers, Mail Servers), Internal Network)

Auditing – Physical Security

The Risk

Unauthorized visitor can hijack the network from the inside by manipulating the wireless settings.

(Figure: Building A)

The Solution

Wireless Access Points should be placed in secured locations.

Auditing – Radio Frequency Management

The Risk

Poor RF management will lead to unnecessary transmission of your RF signal into unwanted areas. Also consider other devices which may cause interference, such as 2.4 GHz cordless phones or Bluetooth.

The Implication

(Figure: RF signal from Building A reaching the Parking Lot)

The Solution

Use a Wireless Network Scanner to determine your Radio Frequency footprint. By simply rearranging your Access Points you can minimize potential RF leakage.

(Figure: Building A and Parking Lot after rearranging the Access Points)

Auditing – Default Settings

The Risk

Most Access Points come with no security mechanisms enabled.

The Solution

Immediately increase your security posture by enabling many of the security features that come with the Access Point. For example:
  – Change the default IP Address
  – Change the default password
  – Change the default SSID
  – Disable DHCP
  – Enable Encryption (WEP or LEAP)
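The default-settings list above and the earlier SSID naming guidance can be turned into a repeatable audit check. The following Python is an added example, not part of the original deck: it assumes the AP inventory has been exported into the simple record format shown, and the sample entries are constructed.

```python
"""Added example (not from the deck): audit checks for AP configurations,
covering the deck's Default Settings and SSID Naming Conventions points.
The record format and the sample inventory are constructed for illustration."""

# Factory-default SSIDs listed in the deck, lower-cased for matching.
DEFAULT_SSIDS = {"tsunami": "Cisco", "101": "3COM", "wavelan": "Agere",
                 "linksys": "Linksys", "default": "D-Link"}

def audit_access_point(ap, company_names):
    """Return (severity, finding) tuples for one AP record.
    ap keys: name, ssid, ssid_broadcast, password_is_default, ip_is_default,
    dhcp_enabled, encryption (None, "WEP", "LEAP", ...)."""
    findings = []
    ssid = ap["ssid"]
    vendor = DEFAULT_SSIDS.get(ssid.lower())
    if vendor:
        findings.append(("HIGH", f"SSID '{ssid}' is the {vendor} factory default"))
    # The deck warns that an SSID naming the organisation draws unneeded attention.
    for name in company_names:
        if name.lower() in ssid.lower():
            findings.append(("MEDIUM", f"SSID '{ssid}' reveals the organisation name '{name}'"))
            break
    if ap["ssid_broadcast"]:
        findings.append(("MEDIUM", "SSID broadcasting is enabled"))
    if ap["password_is_default"]:
        findings.append(("HIGH", "administrative password is the vendor default"))
    if ap["ip_is_default"]:
        findings.append(("LOW", "management IP address is the vendor default"))
    if ap["dhcp_enabled"]:
        findings.append(("LOW", "DHCP is enabled on the AP"))
    if not ap["encryption"]:
        findings.append(("HIGH", "no encryption: traffic is readable by any sniffer in range"))
    return findings

def audit_inventory(inventory, company_names):
    """Map each AP name to its findings; a hardened AP maps to []."""
    return {ap["name"]: audit_access_point(ap, company_names) for ap in inventory}

# Constructed sample inventory: one untouched factory AP and one hardened AP.
SAMPLE_INVENTORY = [
    {"name": "ap-lobby", "ssid": "tsunami", "ssid_broadcast": True,
     "password_is_default": True, "ip_is_default": True,
     "dhcp_enabled": True, "encryption": None},
    {"name": "ap-floor3", "ssid": "bluefin-7", "ssid_broadcast": False,
     "password_is_default": False, "ip_is_default": False,
     "dhcp_enabled": False, "encryption": "WEP"},
]
```

Running `audit_inventory(SAMPLE_INVENTORY, ["Company A"])` returns six findings for the factory AP and none for the hardened one.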


Auditing – Encryption

The Risk

Most Access Points are implemented without using some form of Encryption.

The Implication

All network traffic is freely available to someone running a wireless Network Sniffer. Information that could be exposed includes IP Addresses, Passwords, and company information.

(Figure: Clear Text Passwords, IP Addresses, Company Data)

The Solution

Utilize some form of encryption to protect the data being transmitted. 802.11b comes with a built-in form of encryption called WEP (Wired Equivalent Privacy). Although it will deter a casual sniffer or intruder, it offers little protection due to its weak design (it typically requires 500 MB to 1 GB of captured data to crack a WEP key). Also consider third party authentication services such as LEAP (Cisco).

Auditing – Encryption

• Wired Equivalent Privacy (WEP) Encryption
  – Encryption standard developed by IEEE
  – Algorithm used to protect wireless communication from eavesdropping
  – Secondary function to prevent unauthorized access to network
    • Not explicit goal of WEP
    • Frequently considered a feature of WEP
  – Relies on secret key shared between client and AP
    • Secret key encrypts packets before transmission
    • Integrity check used to ensure that packets are not modified in transit
    • In practice, most installations use a single key that is shared between all clients and access points

Auditing – Encryption

• Problems with WEP Encryption
  – Integrity Check field is linear
    • Allows intruder to change message and correctly adjust the integrity check field to make the message appear valid – Bit Flipping
  – Static key must be shared among users and the Access Point.
    • By using several available hacking tools such as Airsnort, a hacker can decipher a WEP key in less than 90 minutes
  – WEP can deter attackers, but should not be relied upon
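What "the Integrity Check field is linear" means for an auditor is that WEP's ICV (a CRC-32) cannot serve as a message authentication code. The Python below is an added illustration, not code from the deck: it shows that the CRC of a modified message follows from the old CRC and the modification alone, with no key and no sight of the message, and that the same shortcut fails against a keyed HMAC. The message, delta and key are constructed sample values.

```python
"""Added example: why WEP's CRC-32 integrity check (ICV) is not a MAC.
CRC-32 is linear, so the ICV of a modified message follows from the old ICV
and the modification alone; a keyed MAC (HMAC-SHA256 here) has no such shortcut."""
import hashlib
import hmac
import zlib

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

def crc32_of_modified(old_icv: int, delta: bytes) -> int:
    """Predict CRC-32 of (message XOR delta) from the old CRC-32 and delta only.
    CRC-32 is affine over GF(2): crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros),
    with zeros an all-zero string of the same length as m and d."""
    return old_icv ^ zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))

def icv_is_predictable(message: bytes, delta: bytes) -> bool:
    """True if the prediction equals the real CRC-32 of the modified message."""
    predicted = crc32_of_modified(zlib.crc32(message), delta)
    return predicted == zlib.crc32(xor_bytes(message, delta))

def hmac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()

def mac_is_predictable(key: bytes, message: bytes, delta: bytes) -> bool:
    """Apply the same XOR 'prediction' to HMAC tags; it does not hold."""
    zeros = bytes(len(message))
    guess = xor_bytes(xor_bytes(hmac_tag(key, message), hmac_tag(key, delta)),
                      hmac_tag(key, zeros))
    return hmac.compare_digest(guess, hmac_tag(key, xor_bytes(message, delta)))

# Constructed sample: a short payload, a change to one byte at offset 4, a demo key.
MESSAGE = b"hello wireless world"
DELTA = bytes([0] * 4 + [0x20] + [0] * (len(MESSAGE) - 5))
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    print("CRC-32 ICV predictable without message or key:", icv_is_predictable(MESSAGE, DELTA))
    print("HMAC-SHA256 tag predictable the same way:", mac_is_predictable(KEY, MESSAGE, DELTA))
```

The first line prints True and the second False, which is the gap between an error-detecting checksum and a keyed integrity check.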

Auditing – Encryption

• Lightweight Extensible Authentication Protocol (LEAP) Encryption
  – Secure alternative to WEP Encryption
  – Security scheme developed by Cisco Systems
  – Uses Dynamic WEP and sophisticated key management

• How secure is LEAP?
  – Tests have been done using AirSnort (one of the best hacking tools available) showing that out of 60,000,000,000 packets intercepted none were found usable

Auditing – Authentication

The Risk

802.11b does not contain adequate authentication mechanisms. The two forms of authentication included with 802.11b are Open System Authentication (OSA) and Shared Key Authentication (SKA).

Open System Authentication
  • All you need is the SSID
  • Negotiation is done in clear text

  Client → AP: Request (SSID)
  AP → Client: Accepted (SSID)

Shared Key Authentication
  • SSID and WEP encrypted key required

  Client → AP: Request (SSID)
  AP → Client: Challenge Text (WEP)
  Client → AP: Challenge Response (WEP)
  AP → Client: Accepted (SSID)

Auditing – Authentication

The Implication

Authentication only requires an SSID (which is generally known) and the WEP key (which can be cracked). Therefore the identity of the user cannot be authenticated. Take the situation of a stolen laptop. Are you really authenticating the user or the device?

(Figure: Company A network accepting “Bob’s Laptop” (Not Bob!!))

The Solution

Utilize third party authenticating devices to enhance the security of a wireless network. For example, a RADIUS server will provide user authentication to ensure that someone with a stolen device will still not have access to your network. When authenticating always consider:
  – What you know (Passwords)
  – What you have (SecurID)
  – What you are (Biometrics)

Auditing – Policies & Procedures

• Wireless Security Policy
  – Sets the wireless security and controls standards
  – Separate from corporate security policy

• Routine Perimeter Scans
  – Regular scans of the network perimeter should be performed to identify any rogue APs or unknown weaknesses

• Patch Management & Monitoring
  – Latest security patches and updates should be applied regularly

• Change Management Procedures
  – Adding new wireless networking devices
  – Modifying wireless network configuration
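The routine perimeter scan above only finds rogue APs if the scan result is reconciled against the authorized inventory. The following Python is an added example, not part of the deck: it assumes a scanner export in the tab-separated layout shown, and every SSID and BSSID in it is constructed.

```python
"""Added example (not from the deck): reconcile a perimeter scan against the
authorized AP inventory to flag rogue and impersonating access points.
The scan line format and all SSIDs/BSSIDs below are constructed for illustration."""

# Authorized APs from the inventory, keyed by BSSID (the AP radio's MAC address).
AUTHORIZED = {
    "00:11:22:33:44:01": {"ssid": "bluefin-7", "location": "Building A, floor 1"},
    "00:11:22:33:44:02": {"ssid": "bluefin-7", "location": "Building A, floor 3"},
}

# Constructed scanner export: SSID<TAB>BSSID<TAB>channel<TAB>signal(dBm)
SCAN = """\
bluefin-7\t00:11:22:33:44:01\t6\t-48
bluefin-7\t00:11:22:33:44:02\t11\t-61
bluefin-7\t00:DE:AD:BE:EF:01\t6\t-70
Company A Guest\t00:ca:fe:00:00:01\t1\t-55
tsunami\t00:1a:2b:3c:4d:5e\t6\t-80
"""

def parse_scan(text):
    """Parse tab-separated scan lines into dicts; blank lines are skipped."""
    aps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, channel, signal = line.split("\t")
        # Normalise the BSSID so inventory lookups do not depend on letter case.
        aps.append({"ssid": ssid, "bssid": bssid.lower(),
                    "channel": int(channel), "signal": int(signal)})
    return aps

def classify_scan(scan_aps, authorized, company_ssids):
    """Return {"rogue": [...], "impersonating": [...], "missing": [...]}.
    rogue: BSSID not in inventory; impersonating: a rogue that also uses one of
    our SSIDs; missing: inventory AP not seen (switched off, moved, or out of range)."""
    seen = {ap["bssid"] for ap in scan_aps}
    rogue = [ap for ap in scan_aps if ap["bssid"] not in authorized]
    impersonating = [ap for ap in rogue if ap["ssid"] in company_ssids]
    missing = sorted(b for b in authorized if b not in seen)
    return {"rogue": rogue, "impersonating": impersonating, "missing": missing}

if __name__ == "__main__":
    result = classify_scan(parse_scan(SCAN), AUTHORIZED, {"bluefin-7"})
    for kind, aps in result.items():
        print(kind, [ap["bssid"] if isinstance(ap, dict) else ap for ap in aps])
```

On the sample export this reports three rogue APs, one of which advertises the company's own SSID, and no missing inventory APs.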

Summary of Audit Considerations

• SSID Broadcasting
  – SSID Broadcasting should be disabled
  – SSID should be changed from default and not specific to company

• wLAN Architecture
  – Wireless AP should be behind corporate firewall

• Authentication
  – Utilize third party authenticating devices to enhance the security of a wireless network, e.g. RADIUS server.

• Encryption
  – WEP at minimum. Stronger encryption necessary

• Default Configuration
  – AP default settings should be changed to make it more difficult to identify and penetrate wireless network

• RF Management
  – AP should be placed in an area that will limit broadcasting of signal outside of building
  – Also consider effects of interference of other wireless devices in place

• Physical Security
  – Wireless AP should be stored in a secure location

• Policies & Procedures
  – Ensure client has established policies and procedures specific to wireless networks to ensure they are managed consistently with management’s intent.

Final Thoughts

What we should be asking during a wireless audit:
• Are you running a wireless network?
• Do you have a wireless strategy?
• What steps are you taking to secure your wireless network?
• Have you changed the vendor default settings?
• Are you broadcasting the SSID?
• Is your access point outside of the network in the DMZ?
• Are your access points in a physically secure location?
• Are your access points in a location that limits RF leakage?
• Have you enabled encryption?
• What method of authentication has been configured?

Questions?

THANK YOU!

Please feel free to contact us with any questions

Clayton A. Snyder [email protected] (313) 394-5622

Ryan Riegling [email protected] (313) 396-2493