Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy • 802.11 Security Basics • Legacy 802.11 security • Robust Security • Segmentation • Infrastructure Security • VPN wireless Security
Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy
Jan 01, 2016
Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy. 802.11 Security Basics Legacy 802.11 security Robust Security Segmentation Infrastructure Security VPN wireless Security. Exam Essentials. Understand the risk of the rogue access point. - PowerPoint PPT Presentation
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy
• 802.11 Security Basics
• Legacy 802.11 security
• Robust Security
• Segmentation
• Infrastructure Security
• VPN wireless Security
Exam Essentials• Understand the risk of the rogue access point.
– Be able to explain why the rogue AP provides a portal into network resources. Understand that employees are often the source of rogue APs.
• Define peer-to-peer attacks. – Understand that peer-to-peer attacks can happen via an access
point or through an ad hoc network. Explain how to defend against this type of attack.
• Know the risks of eavesdropping. – Explain the difference between casual and malicious
eavesdropping. Explain why encryption is needed for protection.• Define authentication and hijacking attacks.
– Explain the risks behind these types of attacks. Understand that a strong 802.1X/EAP solution is needed to mitigate them.
Exam Essentials• Explain wireless denial-of-service attacks.
– Know the difference between layer 1 and layer 2 DoS attacks. Explain why these attacks cannot be mitigated and can only be monitored.
• Understand the types of wireless intrusion solutions.– Explain the difference between a WIDS and a WIPS.
Understand that most solutions are distributed client/server models. Know the various components of an intrusion monitoring solution as well as the various models. Understand which attacks can be monitored and which can be prevented.
• Understand the need for a wireless security policy.– Explain the difference between general and functional policies.
Wireless Attacks• Portal to the wired network must be
protected– Limit unauthorized access
• Limit access to management consoles– Don’t want someone changing settings or
passwords
• Peer to peer– Watch out for unsecured netwroks
Pg 470
Rogue Wireless Devices• Non-Authorized on the network
– Not controlled by admin
• Set up by hacker– To get access or passwords
• Set up by user– Ease of use
• Open an unsecured portal to wired network
• 802.1x can also help herePg 471
Peer to Peer• Client attacking client on a WiFi network
– Ad-hoc or infrastructure
• On infrastructure network, you can disable client to client communications– Public Secure Packet Forwarding
• Beware of push to talk
Pg 472
Eavesdropping• Easy to do• Casual
– Wardriving– Looking for wireless networks
• Netstumbler
• Malicious– Protocol analyzers and collection of data– Passive, cannot be detected by WIDS/WIPS– Use encryption to protect network
Pg 472
Cracking!!• WEP has been cracked
• TKIP/CCMP are still secure
• Authentication Attacks– Some systems are less secure than others– Dictionary attacks– PSK is weak as well
• Will let hackers onto AP• Longer passphrases help
Pg 475
MAC Spoofing• MAC Filtering is weak security
• Better than nothing
Pg 477
Management Interface• Don’t let hackers configure your devices
• Disable unused interfaces– SNMP, Telnet, HTTP,
• Use more secure interface– SSH, HTTPS
• General policy is that management should be done from wired interface
Pg 478
Wireless Hijacking• Attacker configures AP to mimic enterprise AP
– Same SSID
• Attacker can then capture traffic• Can then either set up for man in the middle
– Send “real” traffic on and capture details– Bridging the fake AP to real AP
• Also can use WiFi phishing– Setting up a false captive portal
Pg 479
Denial Of Service• Prevent legitimate users from getting access• Hard to prevent
– Need to remove device generating noise/traffic
• Layer 1 jamming• Layer 2
– Deauthentication or deassociation packets– Flooding the AP with requests
• Spectrum Analyzer can help with layer 1• Protocol Analyzer will help with Layer 2
Pg 479
Other Attacks• Vendor Specific
– Buffer overflow that attacks OS
• Social Engineering– Tricking someone into giving away information
• PSK!!!
Pg 481
Intrusion Monitoring• Wireless Intrusion Detection Systems
(WIDs)
• Wireless Intrusion Prevention Systems (WIPS)– Can mitigate or respond
Pg 481
WIDS• Wired ports must be controlled
– Prevent rogue APs
• WIDS often go up before network– Check for rogue APs and usage
• WIDS server
• Management Console
• Sensors
Pg 482
WIDS Sensors• Dedicated AP like devices that listen and
report back to the management console/server
• Can also be APs set into sensor mode– Or APs that scan as well as process traffic
Pg 482
WIDS Sensors
Pg 482
WIDS• Best at watching for layer 2 attacks
• Can set alarms for “risky” traffic
• Set thresholds– Different alert types
• Overlay
• Integrated
• Integration enabled
Pg 482
WIPS• Infrastructure device
– This classification refers to any client station or access point that is an authorized member of the company’s wireless network. A network administrator can manually label each radio as an infrastructure device after detection from the WIPS or can import a list of all the company’s radio card MAC addresses into the system.
• Unknown device – The unknown device classification is assigned automatically to any new
802.11 radios that have been detected but not classified as rogues. Unknown devices are considered interfering devices and are usually investigated further to determine whether they are a neighbor’s devices or a potential future threat.
• Known device – This classification refers to any client station or access point that is
detected by the WIPS and whose identity is known. A known device is initially considered an interfering device. The known device label is typically manually assigned by an administrator to radio devices of neighboring businesses that are not considered a threat.
Pg 485
WIPS• Rogue device
– The rogue classification refers to any client station or access point that is considered an interfering device and a potential threat. Most WIPS define rogue access points as devices that are actually plugged into the network backbone and are not known or managed by the organization. Most of the WIPS vendors use a variety of proprietary methods of determining whether a rogue access point is actually plugged into the wired infrastructure.
• If a client is classified as a rogue, the WIPs can mitigate attack– Deauthenticate, deassociate– Spoof MAC of Rogue
Pg 485
WIPS• Rogue device
– The rogue classification refers to any client station or access point that is considered an interfering device and a potential threat. Most WIPS define rogue access points as devices that are actually plugged into the network backbone and are not known or managed by the organization. Most of the WIPS vendors use a variety of proprietary methods of determining whether a rogue access point is actually plugged into the wired infrastructure.
• If a client is classified as a rogue, the WIPs can mitigate attack– Deauthenticate, deassociate– Spoof MAC of Rogue– Use SNMP to disable the wired port it is connected to
Pg 485
Mobile WIDS• Laptop Version of the products
• Mobile capabilities– Radio Card is sensor
• Use to physically track down a Rogue AP– Some layer 1 functionality built in
Pg 485
Spectrum Analyzer• Use for security as well as surveys
• Many can look at the RF signature and tell you what kind of device it is
• Mobile and distributed– Like WIDs
Pg 487
Wireless Security Policy• How and what are you monitoring
• How often should PSKs change
Pg 487
Wireless Security Policy• General Security Policy
• Functional Security Policy
• Legislative Compliance
Pg 487
Policy Recommendations• General Security Policy
• Functional Security Policy
• Legislative Compliance
Pg 490
Exam Essentials• Understand the risk of the rogue access point.
– Be able to explain why the rogue AP provides a portal into network resources. Understand that employees are often the source of rogue APs.
• Define peer-to-peer attacks. – Understand that peer-to-peer attacks can happen via an access
point or through an ad hoc network. Explain how to defend against this type of attack.
• Know the risks of eavesdropping. – Explain the difference between casual and malicious
eavesdropping. Explain why encryption is needed for protection.• Define authentication and hijacking attacks.
– Explain the risks behind these types of attacks. Understand that a strong 802.1X/EAP solution is needed to mitigate them.
Exam Essentials• Explain wireless denial-of-service attacks.
– Know the difference between layer 1 and layer 2 DoS attacks. Explain why these attacks cannot be mitigated and can only be monitored.
• Understand the types of wireless intrusion solutions.– Explain the difference between a WIDS and a WIPS.
Understand that most solutions are distributed client/server models. Know the various components of an intrusion monitoring solution as well as the various models. Understand which attacks can be monitored and which can be prevented.
• Understand the need for a wireless security policy.– Explain the difference between general and functional policies.
Related Documents
