Wireless security standards and protocols fall into 3 categories
Encryption
Ensures privacy of data transmitted through the air
Can be done at Layer 2 (WEP, TKIP, AES) or Layer 3 (VPN)
Authentication
Ensures that only authorized users with proper credentials are allowed to use the network
Authentication methods include EAP, captive portal, VPN
Access Control
Provides a policy enforcement structure to control the traffic of authorized users, including networks, bandwidth, time of day, and protocols
October 17, 2008
August 17, 2008
Define Wireless Network Security Policies
With a wireless network, you must consider security policies that will protect resources from unauthorized people. Let’s take a look at what you should include in a wireless network security policy for an enterprise. Consider the following recommendations:
Activate 802.11 encryption to make data unintelligible to unauthorized users. WEP has weaknesses, making it inadequate for protecting networks containing information extremely valuable to others. There are some good hackers out there who can crack into a WEP-protected network using freely-available tools. The problem is that 802.11 doesn’t support the dynamic exchange of WEP keys, leaving the same key in use for weeks, months, and years. For encryption on enterprise networks, aim higher and choose WPA, which is now part of the 802.11i standard. Just keep in mind that WPA (and WEP) only encrypts data traversing the wireless link between the client device and the access point. That may be good enough if your wired network is physically secured from hackers. If not, such as when users are accessing important information from Wi-Fi hotspots, you’ll need more protection.
Utilize IPSec-based Virtual Private Network (VPN) technology for end-to-end security. If users need access to sensitive applications from Wi-Fi hotspots, definitely utilize a VPN system to provide sufficient end-to-end encryption and access control. Some companies require VPNs for all wireless client devices, even when they’re connecting from inside the secured walls of the enterprise. A “full-throttle” VPN solution such as this offers good security, but it becomes costly and difficult to manage when there are hundreds of wireless users (mainly due to the need for VPN servers). As a result, consider implementing 802.11 encryption when users are operating inside the enterprise and VPNs for the likely fewer users who need access from hotspots.
Utilize 802.1x-based authentication to control access to your network. There are several flavors of 802.1x port-based authentication systems. Choose one that meets the security requirements for your company. For example, EAP-TLS may be a wise choice if you have Microsoft servers.
Establish the wireless network on a separate VLAN. A firewall can then help keep hackers located on the VLAN associated with the wireless network from having easy access to corporate servers located on different, more secured VLANs (i.e., not accessible from the wireless network). In this manner, the wireless network is similar to a public network, except you can apply encryption and authentication mechanisms to the wireless users.
Ensure firmware is up-to-date in client cards and access points. Vendors often implement patches to firmware that fix security issues. On an ongoing basis, make it a habit to check that all wireless devices have the most recent firmware releases.
Ensure only authorized people can reset the access points. Some access points will revert to factory default settings (i.e., no security at all) when someone pushes the reset button on the access point. We’ve done this when performing penetration testing during security assessments to prove that this makes the access point a fragile entry point for a hacker to extend their reach into the network. As a result, provide adequate physical security for the access point hardware. For example, don’t place an access point within easy reach. Instead, mount the access points out of view above ceiling tiles. Some access points don’t have reset buttons and allow you to reset the access point via an RS-232 cable through a console connection. To minimize the risk of someone resetting the access point in this manner, be sure to disable the console port when initially configuring the access point.
Disable access points during non-usage periods. If possible, shut down the access points when users don’t need them. This limits the window of opportunity for a hacker to use an access point to their advantage as a weak interface to the rest of the network. To accomplish this, you can simply pull the power plug on each access point; however, you can also deploy power-over-Ethernet (PoE) equipment that provides this feature in a more practical manner via centralized operational support tools.
Assign “strong” passwords to access points. Don’t use default passwords for access points because they are also well known, making it easy for someone to change configuration parameters on the access point to their advantage. Be sure to alter these passwords periodically. Ensure passwords are encrypted before being sent over the network.
Don’t broadcast SSIDs. If this feature is available, you can avoid having user devices automatically sniff the SSID in use by the access point. Most current computer operating systems and monitoring tools will automatically sniff the 802.11 beacon frames to obtain the SSID. With SSID broadcasting turned off, the access point will not include the SSID in the beacon frame, making most SSID sniffing tools useless. This isn’t a foolproof method of hiding the SSID, however, because someone can still monitor 802.11 association frames (which always carry the SSID, even if SSID broadcasting is turned off) with a packet tracer. At least shutting off the broadcast mechanism will limit access.
Reduce propagation of radio waves outside the facility. Through the use of directional antennas and RF shielding, you can direct the propagation of radio waves inside the facility and reduce the “spillage” outside the perimeter. This not only optimizes coverage, it also minimizes the ability of a hacker located outside the controlled portion of the company to eavesdrop on user signal transmissions and interface with the corporate network through an access point. This also reduces the ability of someone to jam the wireless LAN, a form of denial-of-service attack, from outside the perimeter of the facility. In addition, consider setting access points near the edge of the building to a lower transmit power to reduce range outside the facility. This testing should be part of the wireless site survey.
Implement personal firewalls. If a hacker is able to associate with an access point, which is extremely probable if there is no encryption or authentication configured, the hacker can easily access (via the Windows operating system) files on other users’ devices that are associated with an access point on the same wireless network. As a result, it’s crucial that all users disable file sharing for all folders and utilize personal firewalls. These firewalls are part of various operating systems, such as Windows XP and Vista, and are available as third-party applications as well.
Control the deployment of wireless LANs. Ensure that all employees and organizations within the company coordinate the installation of wireless LANs with the appropriate information systems group. Forbid the use of unauthorized access points. Mandate the use of approved vendor products whose security safeguards you have had a chance to verify. Maintain a list of authorized radio NIC and access point MAC addresses that you can use as the basis for identifying rogue access points.
With these recommendations in mind, you have a basis for forming a solid security policy. When deciding on which techniques to implement, however, be sure to consider actual security needs.
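The last recommendation, keeping an inventory of authorized access point MAC addresses and using it to spot rogue access points, is easy to turn into a routine check. The following is an added example, not code from the original post: it parses a constructed scan listing (loosely modelled on the `BSS` / `SSID:` / `signal:` lines that `iw dev <ifname> scan` prints) and classifies every observed BSSID against a constructed inventory. The inventory format, the `AUTHORIZED_APS` contents and the sample scan lines are all assumptions made for the example.

```python
"""Rogue access point check against an inventory of authorized APs.

Added example (not part of the original post). The inventory and the scan
text below are constructed sample data; the scan format is modelled on
`iw dev <ifname> scan` output but is an assumption, not captured output.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed inventory: BSSID -> (expected SSID, physical location).
# A real deployment would load this from the asset or NAC database.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("corp-wifi", "Floor 1 east"),
    "00:11:22:33:44:02": ("corp-wifi", "Floor 2 west"),
    "00:11:22:33:44:03": ("corp-guest", "Lobby"),
}

# Constructed scan listing. The fourth entry is an unknown AP and the last
# one is an inventoried AP that now advertises an unexpected SSID, the kind
# of symptom you would see after someone reset it to factory defaults.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:01(on wlan0) -- associated
\tsignal: -41.00 dBm
\tSSID: corp-wifi
BSS 00:11:22:33:44:03(on wlan0)
\tsignal: -60.00 dBm
\tSSID: corp-guest
BSS aa:bb:cc:dd:ee:ff(on wlan0)
\tsignal: -55.00 dBm
\tSSID: corp-wifi
BSS 12:34:56:78:9a:bc(on wlan0)
\tsignal: -70.00 dBm
\tSSID: linksys
BSS 00:11:22:33:44:02(on wlan0)
\tsignal: -48.00 dBm
\tSSID: free-wifi
"""


@dataclass
class Observation:
    bssid: str
    ssid: str
    signal_dbm: float


BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})", re.IGNORECASE)
SSID_RE = re.compile(r"^\s*SSID: (.*)$")
SIGNAL_RE = re.compile(r"^\s*signal: (-?\d+(?:\.\d+)?) dBm")


def parse_scan(text):
    """Turn the scan text into a list of Observation records, one per BSS."""
    observations = []
    current = None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            if current is not None:
                observations.append(current)
            # Normalise the MAC to lower case so inventory lookups are exact.
            current = Observation(m.group(1).lower(), "", float("nan"))
            continue
        if current is None:
            continue
        m = SSID_RE.match(line)
        if m:
            current.ssid = m.group(1)
            continue
        m = SIGNAL_RE.match(line)
        if m:
            current.signal_dbm = float(m.group(1))
    if current is not None:
        observations.append(current)
    return observations


def classify(observations, authorized):
    """Label each observation relative to the inventory.

    authorized        -> BSSID is inventoried and advertises its expected SSID
    ssid-mismatch     -> inventoried BSSID advertising a different SSID
    spoofed-corp-ssid -> non-inventoried BSSID using one of our SSIDs
    unknown-ap        -> anything else in range (neighbour, hotspot, rogue)
    """
    corp_ssids = {ssid for ssid, _ in authorized.values()}
    results = []
    for obs in observations:
        if obs.bssid in authorized:
            expected_ssid = authorized[obs.bssid][0]
            verdict = "authorized" if obs.ssid == expected_ssid else "ssid-mismatch"
        elif obs.ssid in corp_ssids:
            verdict = "spoofed-corp-ssid"
        else:
            verdict = "unknown-ap"
        results.append((verdict, obs))
    return results


def summarize(results):
    """Count verdicts so a scheduled job can alert on anything not 'authorized'."""
    return dict(Counter(verdict for verdict, _ in results))


if __name__ == "__main__":
    for verdict, obs in classify(parse_scan(SAMPLE_SCAN), AUTHORIZED_APS):
        print(f"{verdict:18} {obs.bssid}  {obs.ssid!r:14} {obs.signal_dbm:.0f} dBm")
```

Two points worth keeping in mind when running something like this from a scheduled scan. First, a BSSID match only proves that the frame carried an inventoried MAC address; as the page notes elsewhere, MAC addresses can be spoofed, so a match is a necessary check rather than proof of legitimacy. Second, the `ssid-mismatch` verdict is the one most directly tied to the reset-button recommendation above: an inventoried access point that suddenly advertises a vendor default SSID deserves a physical inspection.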
Labels:
802.11,
802.11 encryption,
EAP-TLS,
Wireless Network,
wireless security
July 21, 2006
Summary of WiFi hacking tools
Air Crack
Aircrack is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, thus making the attack much faster compared to other WEP cracking tools. In fact, aircrack is a set of tools for auditing wireless networks.
Air Decap
decrypts WEP/WPA capture files. Part of the aircrack suite.
Air Replay
802.11 packet injection program. Part of the aircrack suite.
Airpwn
Airpwn requires two 802.11 interfaces in the case where driver can't inject in monitor mode (lots of chipsets do nowadays, see HCL:Wireless for a list). It uses a config file with multiple config sections to respond to specific data packets with arbitrary content. For example, in the HTML goatse example, we look for any TCP data packets starting with "GET" or "POST" and respond with a valid server response including a reference to the canonical goatse image.
AirSnarf
Airsnarf is a simple rogue wireless access point setup utility designed to demonstrate how a rogue AP can steal usernames and passwords from public wireless hotspots. Airsnarf was developed and released to demonstrate an inherent vulnerability of public 802.11b hotspots: snarfing usernames and passwords by confusing users with DNS and HTTP redirects from a competing AP.
Airsnort
AirSnort is a wireless LAN (WLAN) tool which recovers encryption keys. AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered.
CowPatty
Cowpatty is designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol. A while back, Robert Moskowitz published a paper titled "Weakness in Passphrase Choice in WPA Interface" that described a dictionary attack against wireless networks using the TKIP protocol with a pre-shared key (PSK). Supply a libpcap file that includes the TKIP four-way handshake, a dictionary file of passphrases to guess with, and the SSID for the network.
FakeAP
Black Alchemy's Fake AP generates thousands of counterfeit 802.11b access points. Hide in plain sight amongst Fake AP's cacophony of beacon frames. As part of a honeypot or as an instrument of your site security plan, Fake AP confuses Wardrivers, NetStumblers, Script Kiddies, and other undesirables.
Genpmk
genpmk is used to precompute the hash files, in a similar way to how Rainbow tables are used to pre-hash passwords in Windows LANMan attacks. There is a slight difference, however, in WPA: the SSID of the network is used as well as the WPA-PSK to "salt" the hash. This means that we need a different set of hashes for each and every unique SSID, i.e. a set for "linksys", a set for "tsunami", etc.
Hotspotter
Hotspotter passively monitors the network for probe request frames to identify the preferred networks of Windows XP clients, and will compare them to a supplied list of common hotspot network names. If the probed network name matches a common hotspot name, Hotspotter will act as an access point to allow the client to authenticate and associate. Once associated, Hotspotter can be configured to run a command, possibly a script to kick off a DHCP daemon and other scanning against the new victim.
Karma
KARMA is a set of tools for assessing the security of wireless clients at multiple layers. Wireless sniffing tools discover clients and their preferred/trusted networks by passively listening for 802.11 Probe Request frames. From there, individual clients can be targeted by creating a Rogue AP for one of their probed networks (which they may join automatically) or by using a custom driver that responds to services, which can then capture credentials or exploit client-side vulnerabilities on the host.
Kismet
Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic. Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and inferring the presence of non-beaconing networks via data traffic.
Wep_crack
WepAttack is a WLAN open source Linux tool for breaking 802.11 WEP keys. This tool is based on an active dictionary attack that tests millions of words to find the right key. Only one packet is required to start an attack.
Wep_decrypt
A program for decrypting captured 802.11 traffic that is protected with WEP. It reads in a pcap capture file, such as that generated by prismdump, and outputs another pcap capture file with decrypted packets. By default it will read from stdin and output to stdout. The key to decrypt with can be specified as a string of hex characters, optionally separated by spaces or colons, or as a text string. If a text string is specified, the actual keying material will be generated from the string in the (ad hoc) standard fashion used by many drivers.
WifiTap
Wifitap is a proof of concept for communication over WLAN networks using traffic injection. Wifitap allows direct communication with a station associated to a given access point, without being associated ourselves or being handled by the access point.
Labels:
Hacker Toolkit,
hacking,
hacking tool,
wireless security
January 7, 2006
University research aims at more secure wireless network
Researchers at Carleton University, Ottawa, Canada, have reported positive results for a novel means of securing Wi-Fi and other wireless networks from hackers and other unauthorized intrusion.
The technology depends on the RF signal "fingerprints" or profiles that make every wireless transceiver in the world virtually unique. The RF fingerprints are the result of variations in the silicon and other electronic components that comprise the transceiver.
Although the components all fall within the manufacturing tolerances required by the vendor and generate valid signals, the combinations of their variances create unique signal characteristics, says Jeyanthi Hall, a graduate student at the university who is the lead researcher for the project supervised by professors Michel Barbeau and Evangelos Kranakis.
Variances are most evident in the transient signals created when the transceiver attempts to gain access to the network. In a Wi-Fi network, this means the fingerprint is acquired in approximately 2 microseconds.
A probabilistic neural network is used to compare the fingerprint to others stored in the access point (or some central location in the network) that have been verified by the network system administrator as authentic.
The researchers are also exploring the use of self-organizing map technology and clustering technology to reduce the storage capacity required for the authenticated signatures and to speed authentication.
Algorithms from The MathWorks.com MATLAB technical computing software are tuned and used for the authentication process. During the research phase of the project, the transient RF signals from the transceivers are acquired using Anritsu's Signature High Performance Signal Analyzer.
As the technology moves into more refined stages, Hall said, the signal analyzer will be replaced by a DSP-based data acquisition board.
The signal fingerprinting technology being researched at Carleton University complements and utilizes traditional security measures such as MAC-address control lists.
With spoofing techniques, hackers can circumvent the effectiveness of a MAC-address control list. With RF fingerprinting included in the security arrangements, however, a transceiver that dishonestly reports itself as having a specific MAC address can be uncovered by checking its fingerprint against the authenticated transceiver's.
Hall's research still has several hurdles to clear before it can appear as a commercial product. Chief among them are scalability and the stability of the algorithms employed to create the fingerprint and compare it to other RF fingerprints.
October 4, 2005
Wireless Network Discovery, Mapping and Traffic Analysis
Labels:
wireless security,
wireless sniffing