W&M 2009 – Best practices for wireless network security

Posted on 20-May-2015


MARQUEST Professional Services

WLAN Security

Peter Mackenzie
MarQuest Limited
www.MarQuest.com
pmackenzie@marquest.com

© MarQuest Limited

Introductions

• Peter Mackenzie pmackenzie@marquest.com
– Head of Technical Operations (MarQuest Limited)
– Wireless Certifications

• Certified Wireless Network Administrator

• Certified Wireless Security Professional

• Certified Wireless Analysis Professional

• Certified Wireless Network Expert

• Certified Wireless Network Trainer

• MarQuest Limited
– CWNP Education Centre
– WildPackets Academy
– Installation
– Consultancy

Itinerary

• Wireless Inherently Insecure

• Security Solutions
– Default Security (included in 802.11)

– The Security Standard (802.11i)

• WLAN Intrusion

• Detection and Prevention

Inherently Insecure

• Confidentiality
• Authentication
• Denial of Service

Wireless Attacks

Default Security

• Original 802.11 Standard
– Authentication Methods
• Open System
• Shared Key
– Encryption
• Shared WEP Key

– MAC Authentication (Device Security)

WEP Cracking

MAC Address Filtering

• MAC Spoofing

Standards Security

• WPA (TKIP, RC4)
– Personal
• Pre-Shared Key (PSK)
• SOHO (no RADIUS server)
– Enterprise
• 802.1X/EAP
• Backend RADIUS server

• 802.11i & WPA v2 (CCMP, AES)
– Personal
• Pre-Shared Key (PSK)
• SOHO (no RADIUS server)
– Enterprise
• 802.1X/EAP
• Backend RADIUS server

EAP types comparison

[Comparison table. Rows: EAP-MD5, LEAP, EAP-TLS, PEAP, EAP-TTLS. Columns: Client Password Authentication, Client Certificate, Server Certificate, Dynamic Exchange, Mutual Authentication.]

CoWPAtty

You only need to capture the 4-way handshake

Dictionary attack

Asleap

Fast dictionary attack

Cannot recover a strong password

A strong password policy?

If users can’t remember their password, what do they do?

EAP – Generic Method

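Parties: Supplicant (Client), Authenticator (AP), Authentication Server (RADIUS)

Authenticator → Supplicant: Request Identity
Supplicant → Authenticator: Identity: Peter
Authenticator → Authentication Server: Access Request: Peter
Authentication Server → Authenticator: Challenge: Text
Authenticator → Supplicant: Challenge: Text
Supplicant → Authenticator: Challenge Response: Cipher Text
Authenticator → Authentication Server: Challenge Response: Cipher Text
Authentication Server → Authenticator: Access Accept
Authenticator → Supplicant: Access: Success
Exchange keys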

PEAP

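Parties: Supplicant (Client), Authenticator (AP), Authentication Server (RADIUS)

Authenticator → Supplicant: Request Identity
Supplicant → Authenticator: Identity: Dummy
Authenticator → Authentication Server: Access Request: Dummy
Authentication Server → Authenticator → Supplicant: Authenticate Server Certificate
Establish Encrypted tunnel using certificate
Supplicant → Authenticator: Identity: Peter
Authenticator → Authentication Server: Access Request: Peter
Authentication Server → Authenticator: Challenge: Text
Authenticator → Supplicant: Challenge: Text
Supplicant → Authenticator: Challenge Response: Cipher Text
Authenticator → Authentication Server: Challenge Response: Cipher Text
Authentication Server → Authenticator: Access Accept
Authenticator → Supplicant: Access: Success
Exchange keys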

Client Configuration Weakness

Evil Twin

[Diagram labels: SSID: ABC (shown twice); Channel 1; Channel 11; Intruder; Wireless Analyser; Soft Access Point; DHCP Server Software; Signal Generator]

No Wi-Fi Policy

“It’s ok, we have a no Wi-Fi Policy”

How do you enforce that policy?

How do you know you don’t have any Wi-Fi?

Do you have any laptops with inbuilt Wi-Fi Clients?

Client Hijacking

[Diagram: Home and Work locations; labels SSID: LINKSYS, Probe: LINKSYS, SSID: LINKSYS]

Identification and Protection

• Wireless Analysis

• Wireless ISP

• Training

• Penetration Testing

WildPackets’ OmniPeek

• Wireless LAN environment scan
• Rogue access point and station detection
• Intrusion detection
• Station Location
• Ensuring wireless LAN policy

What does your wireless environment really look like?
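
The rogue access point and policy checks listed above come down to comparing what is on the air against an inventory of authorised APs. The following added example (not WildPackets or AirDefense code, and not from the original slides) does that over a constructed scan that reuses SSID ABC and channels 1 and 11 from the Evil Twin slide; the BSSIDs, the inventory and the finding names are assumptions.

```python
from collections import namedtuple

# One observed beacon: network name, AP radio MAC, channel, advertised security.
Beacon = namedtuple("Beacon", "ssid bssid channel security")

# Hypothetical inventory (assumption): BSSID -> (SSID, channel, security) as deployed.
AUTHORISED = {"00:11:22:33:44:01": ("ABC", 1, "WPA2-Enterprise")}

def classify(beacon, inventory=AUTHORISED):
    """Return the findings for one observed beacon (empty list = compliant)."""
    corporate_ssids = {ssid for ssid, _, _ in inventory.values()}
    known = inventory.get(beacon.bssid.lower())
    if known is None:
        if beacon.ssid in corporate_ssids:
            # Corporate SSID from a radio that is not ours: evil-twin candidate.
            return ["possible-evil-twin"]
        return ["unknown-ap"]  # neighbour or rogue; check the wired side
    ssid, channel, security = known
    findings = []
    if beacon.ssid != ssid:
        findings.append("ssid-changed")
    if beacon.channel != channel:
        # Known BSSID on an unexpected channel: reconfigured AP or spoofed BSSID.
        findings.append("channel-mismatch")
    if beacon.security != security:
        findings.append("security-mismatch")
    return findings

def scan_report(beacons, inventory=AUTHORISED):
    """Map (bssid, channel) of each non-compliant beacon to its findings."""
    report = {}
    for b in beacons:
        findings = classify(b, inventory)
        if findings:
            report[(b.bssid.lower(), b.channel)] = findings
    return report

# Constructed sample scan (not captured data).
SAMPLE_SCAN = [
    Beacon("ABC", "00:11:22:33:44:01", 1, "WPA2-Enterprise"),  # legitimate AP
    Beacon("ABC", "02:AA:BB:CC:DD:EE", 11, "Open"),            # same SSID, foreign radio
    Beacon("ABC", "00:11:22:33:44:01", 11, "Open"),            # known BSSID, wrong channel
    Beacon("LINKSYS", "02:AA:BB:CC:DD:EF", 6, "Open"),         # not in inventory
]

if __name__ == "__main__":
    for key, findings in scan_report(SAMPLE_SCAN).items():
        print(key, findings)
```

With an empty inventory, which is what a no Wi-Fi policy amounts to, every beacon is reported as `unknown-ap`.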

AirDefense IDS/IPS

• Intrusion Detection/Protection System
• Sensors report back to Server
• Alarms and notifications
• Countermeasures

AirDefense Protects Wireless Networks

1 Identifies & Terminates Rogue APs
2 Prevents Hotspot Phishing
3 Stops Leaked Wired Traffic & Insertion
4 Monitors for Non-Compliant APs
5 Protects Users

[Diagram labels: Hacker; Intranet; Internet; Desktop; Muni Wi-Fi; Hotspot Evil Twin; Mobile User; Laptop; AP; Server]

Courtesy of AirDefense

Automated Policy-Based Active Defences

Wired-side Mitigation
• On-command Suppression
• Policy-Based Suppression
• Device Reconfiguration

Wireless Mitigation
• On-command Disconnect
• Policy-Based Disconnect

Authorization Required, Audit Trail Maintained

Mitigation of the right target due to accurate detection

[Diagram labels: Managed Switch; AirDefense Server; Public AP; Laptop: Wired-Wireless Bridge]

Accidental Association: ALERT! Detected by AirDefense, then TERMINATED! By AirDefense

Rogue AP on Network: ALERT! Detected by AirDefense, then PORT SUPPRESSED! By Managed Switch

Training

Training is key to a successful security solution

Which security solution should I use?

What monitoring should I be doing?

Do I need a security audit?

What should be included in a wireless security policy?

Which staff need training?

Penetration Testing

• Information gathering
• Social engineering
• Eavesdropping
• Active attacks
• Rogue AP placement
• Denial of Service

Thank You!

Stand Number 704

Any Questions?