Manage & Secure Your Wireless Connections Ernest Staats Director of Technology and Network Services at GCA Presented for the Nebraska Cyber Security Conference June 2009 MS Information Assurance, CISSP, CWNA, CEH, MCSE, CNA, Security+, I-Net+, Network+, Server+, A+ [email protected]Resources available @ http://es-es.net
30
Embed
Manage & Secure Your Wireless Connections Ernest Staats Director of Technology and Network Services at GCA Presented for the Nebraska Cyber Security Conference.
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Manage & Secure Your Wireless Connections
Ernest Staats Director of Technology and Network Services at GCA Presented for the Nebraska Cyber Security Conference June 2009MS Information Assurance, CISSP, CWNA, CEH, MCSE, CNA, Security+, I-Net+, Network+, Server+, [email protected] available @ http://es-es.net
Why Manage? Bandwidth (when downloading or using VoIP) Co-channel interference (phones, microwaves, rogue
AP’s) Old Firmware (check for updates every quarter) Management and control frames can’t be encrypted,
nor can header values like ESSID and MAC address Stumblers <CommView> and WEP/PSK crackers Mobile devices DoS attacks (point-and-click raw packet injection tools) Forged messages Demand for more wireless access BackTrack (www.remote-exploit.org) 802.11n issues
Wireless Vulnerabilities
Wireless Vulnerabilities
Overlooked: Site Survey What types of interference are you going
to contend with? What distances do you need to
broadcast? What types of data are you going to
support over WIFI? (data/voice) network access
Set up worst-case scenario for testing Know your signal-to-noise ratio You should expect an interview before
any testing is done (how many users, roaming, location of wiring closets)
Changing Default Settings Change the default logon password and make it long! All defaults are known and published on the Net
http://www.phenoelit.de/dpl/dpl.html updated often AP Management Interface
HTTP, SNMP, Telnet HTTP login
Linksys: UID=blank PW=admin SNMP (disable SNMP or use a management VLAN that is
secure) All: PW=public
Change default open systems to WPA2: use a long passphrase
Cell Sizing How far is your WIFI signal going? (that is called
your cell size) Can’t cover whole building?
Better antenna MIMO 802.11n Power setting
The cell size is usually adjusted by the power setting
Go outside and see how far your wireless signal is reaching (you will be surprised)
ESSID Naming Identifies network Helps others identify whether or not you have left
default settings on Broadcast on by default
Once again with the default settings, your wireless device broadcasts its name, saying, “My name is … connect to me”
Turning off SSID broadcasting is called “cloaking”; can cause issues in enterprise systems
Avoid naming your SSID a private or personal code (It’s not a password!!! Even cloaked ESSID’s are easily discovered )
MAC Filtering A MAC address is the
hardware number that is network card specific (literally burned into the network card when it is made)
Does not scale to large networks
Relatively easy to defeat Good option for home
users
Authentication with 802.1x Authenticates users before
granting access to L2 media Makes use of EAP (Extensible
Authentication Protocol)
PEAP, EAP-TLS, EAP-TTLS, etc.
802.1x authentication happens at L2 – users will be authenticated before an IP address is assigned
Encrypt the Data WEP
Simple & easy to crack No key management It is worse than no encryption
TKIP (Temporal Key Integrity Protocol) WPA/WPA2 Works on legacy hardware Has been cracked
AES used in WPA 2 Considered the best option FIPS 140-2 approved (Federal Information
Processing Standard) Use with 802.1x
Encryption WEP – First Wireless Security
Cracked -- Any middle-schooler can crack your WEP key in short order
WPA Cracked… but Key changes
WPA2 Cracked… but Harder to crack than WPA; don’t use PSK
802.1x Uses server to authorize user Can be very secure
802.11i AES encryption – “uncrackable”
Authorize Data Most organizations do a decent job of
authentication (who the user is), but a poor job of authorization (what the user is allowed to do); NAC’s/NAP’s and 802.11i help this issue
Mobile networks are typically multi-use
Authentication provides you with user identity – now use it! Identity-aware firewall policies can restrict what a user can do, based on that user’s needs
Home Wireless Overlooked Change default settings -- SSID and passwords Use WPA (or better, WPA2); use long PSK Use a MAC filter Turn off SSID broadcasting Know how far your wireless signal is reaching Turn off wireless when not being used, & turn off DHCP
or limit DHCP Disable remote administration Update Firmware on AP and wireless cards semi-
annually Secure your home machines
Current AV Firewall (if the wireless router has a firewall option, turn it on) Spyware protection Auto update Windows Use VPN Common sense (check the “Secure Your Laptop Section”)
Secure Your Laptop Turn your firewall on: Start > Settings > Network Connections >
Wireless Network Connection > Change Advanced Settings > Advanced Tab > Windows Firewall Settings > Select “On” > OK
BETTER YET use another firewall (i.e. Kerio, Jetico, or Zone Alarm)
Change Administrator password : Click Start > Control Panel > User Accounts. Ensure the Guest account is disabled. Click your administrator user account and reset the password
VPN Solutions
AnchorFree's Hotspot Shield, a free software download. Install it on a Windows PC
Paid VPN Solutions WiTopia's personalVPN, HotspotVPN (SSL) VPN connections require installation of a utility
on the computer
Teach Hotspot Security Use a personal firewall Use anti-virus software (update daily or hourly) Update your operating system and other applications
(i.e. Office, Adobe Reader) regularly Turn off file sharing Use Web-based e-mail that employs secure http (https) Use a virtual private network (VPN) Password-protect your computer and important files
(make sure your administrator account has a good long password)
Encrypt files before transferring or e-mailing them Make sure you're connected to a legitimate access point Be aware of people around you Properly log out of web sites by clicking log out instead
of just closing your browser or typing in a new Internet address
Use a more secure browser Chrome in private mode
TIPS for WIFI at Work Use a wireless system that has a centrally managed
controller and reporting system Name all your AP's with the same name so if the signal
gets blocked and they then get a stronger signal from another work AP they do not have to re-authenticate to the work wireless network
Make sure all your AP's are on the same subnet if you are doing AD authentication
Make sure the work network is the only one listed on the preferred networks
Use a wireless firewall (Motorola) Know your air space issues (AirMagnet) I prefer the single channel solution
TIPS for WIFI at Work (cont.)
Make sure laptops are set to infrastructure mode
Make sure the “Automatically connect to non-preferred networks” is unchecked
Use 802.1x (or better, 802.11i) Use a WIPS (Wireless Intrusion Prevention
System); look at log files Use NAC Have WIFI policies Disable WIFI card if plugged into network Have users take home a secure AP that will
tunnel back into the corporate network (Aruba, Motorola)
A Layered Approach
Key Security Principles Principle of Least Privilege Authentication, identity-based security, firewalls Defense in depth Authentication, encryption, intrusion protection,
client integrity Prevention is ideal; detection is a must Intrusion detection systems, log files, audit trails,
alarms, and alerts “Know your enemies & know yourself” (Sun Tzu) Integrated centralized management
Wireless Gold Standard Centralized wireless Have and update WIFI policies Keep clients updated – drivers too! Guest access on separate VLAN / Network Wireless intrusion detection Locate and protect against rogue APs WPA-2 Device authentication using 802.1x and PEAP User authentication using 802.1x and PEAP AES for link-layer encryption Long (not strong) passwords (15 character) Token-card products Protect wireless users from other wireless users Protect sections of the network from unauthorized access
Must Have a WIFI Policy At a minimum, the policy should involve continuous
review of potential threats and vulnerabilities and should deal with the following:
Overall policy Access control <this includes non-enterprise devices> Usage management and monitoring Security monitoring <this includes non-enterprise devices> Network security <this includes non-enterprise devices> Virus protection <this includes non-enterprise devices> Encryption <this includes non-enterprise devices> Pertinent laws <this includes non-enterprise devices> Incident response <this includes non-enterprise devices> Enforcement <this includes non-enterprise devices>
Captive Portals for Guests Browser-based authentication SSL encrypted Use for guest access only Put on separate VLAN or network
Controller Dashboard
802.11n Issues Frame aggregation Block Acknowledgment 40 MHz channel bonding Spoofed duration fields Only channel 3,9 do not overlap with 40 MHz
channels on the 2.4 range AP Placement is 1800 different
What About “NAC”? Identity-based policy control Assess user role, device, location, time, application Policies follow users throughout network Health-based assessment Client health validation Remediation Ongoing compliance Network-based protection Stateful firewalls to enforce policies and quarantine User/device blacklisting based on policy validation We use Bradford for our NAC at GCA Excellent Pricing
for Edu’s
Shameless Plug
Presentations on my site located at www.es-es.net
Come join my afternoon lecture @ 1:30pm Session 3: Intrusion Prevention from the Inside