
Securing Wireless Part 2 of 2

Table of Contents

Best Practices .................................................................................................................................. 2

Network Security Design ................................................................................................................. 4

Notices .......................................................................................................................................... 15

Page 1 of 15

Best Practices

38

Best Practices

Maintain physical security for APs

Use strong administration passwords on APs

Upgrade all APs to WPA2
• TKIP used for legacy WPA clients
• CCMP for newer WPA2 capable clients
• WPA2-PSK authentication for small networks
• 802.1X authentication for large multi-user networks
  — Authenticate against existing user database with RADIUS
  — Configure RADIUS to routinely force re-authentication

War-drive/walk to audit wireless network
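The checklist on this slide can be turned into an automated audit of an access point's configuration. The following is an added example, not part of the course material: it parses a hostapd-style configuration (hostapd is a common open-source AP daemon; the option names wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, ieee8021x, auth_server_addr, eap_reauth_period and wpa_passphrase are its real options) and reports where the configuration departs from the slide's practices: WPA2/CCMP required, TKIP only for legacy WPA clients, a pre-shared key only on small networks, 802.1X against a RADIUS server with periodic re-authentication on large ones. The three sample configurations, the RADIUS address and the 16-character passphrase threshold are constructed for the example.

```python
# Added example (not from the course): audit a hostapd-style AP configuration
# against the WPA2 best practices on the slide. hostapd option names are real;
# the sample configurations, addresses and thresholds below are constructed.
from __future__ import annotations

SEVERITY_ORDER = {"OK": 0, "INFO": 1, "WARN": 2, "FAIL": 3}


def parse_hostapd(text: str) -> dict[str, str]:
    """Parse key=value lines. Like hostapd, only whole-line '#' comments are honoured;
    a key given twice takes its last value."""
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg: dict[str, str], multi_user: bool) -> list[tuple[str, str]]:
    """Return (severity, message) findings. multi_user=True means the AP serves a
    large population, where a shared PSK is not acceptable and 802.1X is expected."""
    findings: list[tuple[str, str]] = []
    wpa = cfg.get("wpa", "0")
    if wpa not in ("2", "3"):
        findings.append(("FAIL", f"WPA2/RSN not enabled (wpa={wpa}); upgrade the AP"))
        return findings  # the remaining checks assume RSN is on
    if wpa == "3":
        findings.append(("INFO", "mixed mode: legacy WPA/TKIP clients still accepted"))

    # WPA2 clients negotiate the RSN cipher list; hostapd uses wpa_pairwise when
    # rsn_pairwise is not given, so the fallback is applied here as well.
    rsn_ciphers = cfg.get("rsn_pairwise", cfg.get("wpa_pairwise", "")).split()
    if "TKIP" in rsn_ciphers:
        findings.append(("FAIL", "TKIP offered to WPA2 clients; set rsn_pairwise=CCMP"))
    if "CCMP" not in rsn_ciphers:
        findings.append(("FAIL", "CCMP not offered to WPA2 clients"))

    key_mgmt = cfg.get("wpa_key_mgmt", "").split()
    if "WPA-PSK" in key_mgmt:
        if multi_user:
            findings.append(("FAIL", "shared PSK on a multi-user network; use 802.1X (WPA-EAP)"))
        passphrase = cfg.get("wpa_passphrase", "")
        if passphrase and len(passphrase) < 16:  # threshold chosen for this example
            findings.append(("WARN", f"PSK passphrase is only {len(passphrase)} characters"))
    if "WPA-EAP" in key_mgmt:
        if cfg.get("ieee8021x") != "1":
            findings.append(("FAIL", "WPA-EAP selected but ieee8021x=1 is missing"))
        if not cfg.get("auth_server_addr"):
            findings.append(("FAIL", "no RADIUS server (auth_server_addr) configured for 802.1X"))
        if cfg.get("eap_reauth_period") == "0":
            findings.append(("WARN", "eap_reauth_period=0 disables periodic re-authentication"))
    if not key_mgmt:
        findings.append(("FAIL", "wpa_key_mgmt not set"))
    return findings


def worst(findings: list[tuple[str, str]]) -> str:
    """Overall verdict for a configuration: the highest severity found, or OK."""
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.get, default="OK")


# Constructed sample configurations.
HOME_PSK = """
interface=wlan0
ssid=home-net
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct horse battery staple
"""

MIXED_LEGACY = """
interface=wlan0
ssid=office-net
# wpa=3 accepts both WPA and WPA2 clients
wpa=3
wpa_pairwise=TKIP CCMP
# TKIP is also offered to WPA2 clients here, which the audit flags
rsn_pairwise=TKIP CCMP
wpa_key_mgmt=WPA-PSK
wpa_passphrase=office123
"""

ENTERPRISE = """
interface=wlan0
ssid=corp-net
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# constructed RADIUS server address and secret
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=example-only-secret
# 0 disables periodic re-authentication
eap_reauth_period=0
"""

if __name__ == "__main__":
    for name, text, multi in [("home", HOME_PSK, False), ("mixed", MIXED_LEGACY, True),
                              ("enterprise", ENTERPRISE, True)]:
        result = audit(parse_hostapd(text), multi_user=multi)
        print(f"{name}: {worst(result)}")
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```

Running the block prints a verdict per configuration: the home PSK network passes, the mixed legacy network fails on TKIP for WPA2 clients and on using a shared key for a large user population, and the enterprise network only warns because re-authentication has been switched off.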

**038 But WPA2 is still the standard today. And best practices, maintain physical security for your APs and you can do that a couple of ways. A lot of time the APs are just bolted to the wall or hanging from the ceiling. If you want you can just buy APs that have coaxial connectors on them and if you want you can actually lock up the APs. Lock them in the box. Lock them in the server closet. And then run a coaxial cable out to wherever you want the antenna to be. Make sure you're using strong administrative passwords. Upgrade all APs to WPA2. And anybody know the difference between WPA2 and WPA2-PSK? Anybody hear of WPA2-PSK?

Student: No.

Joe Mayes: WPA2-PSK is the non-enterprise version, it's the home version. In the home version of WPA2 the PSK stands for pre-shared key. So you type a key into the access point. You type the same key into your work station into your laptop. That's not an enterprise solution. The enterprise solution is to use like an active directory or a radius or some other kind of server to provide enterprise authentication. Because in WPA2, what happens? Everybody has got the same key again. All the machines in your house are running WPA2. You type the same password into all of them. That's not an enterprise solution. You don't want a thousand people or ten thousand or a hundred and fifty thousand people all using the same password so WPA2 in the enterprise, everybody gets a unique password. And they get it from the password server or the authentication server. You may think you are typing in the same password, but it's all being converted into unique passwords for each person and you can actually kill an individual account if you want to. So WPA, WPA2, WPA2-PSK all three different versions. Of those three which is the only one you should use in an enterprise?

Student: WPA2.

Joe Mayes: Which is the only one authorized in military networks? WPA2.

Network Security Design

39

Network Security Design

Build security into the design

Create multiple security zones internally; like internal DMZs
• Create rules between the zones to permit only necessary traffic
• Make the zones large enough to be scalable as needs change
• Enforce multi-layer security (including Layer 7 security)
• Use SSH 2.0 instead of Telnet or earlier SSH versions
• Use Secure FTP
• Use SSO to manage access to servers and network devices
• Maintain vigilant patching and updating programs

Document the design… and the as-builts
• And use change management/configuration management!
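The first two bullets (zones, and rules between zones that permit only necessary traffic) and the discussion that follows about putting wireless on its own VLAN or subnet can be modelled concretely. The block below is an added example, not from the course: it defines zones by address range, with wireless clients on their own subnet so that their traffic is recognisable at the zone boundary, applies a default-deny inter-zone policy that lists only the flows each zone needs, and audits a policy for rules that contradict the later bullets (Telnet or FTP permitted instead of SSH 2.0 and secure FTP, or an any-port rule from the wireless zone). Zone names, address ranges, ports and both policy tables are constructed for illustration.

```python
# Added example (not from the course): zone-based policy with wireless on its own
# subnet. Zone names, address ranges, ports and rules are constructed.
from __future__ import annotations

import ipaddress

ZONES = {
    "wireless": ipaddress.ip_network("10.30.0.0/16"),  # WLAN clients on their own subnet
    "wired": ipaddress.ip_network("10.10.0.0/16"),     # wired user LAN
    "servers": ipaddress.ip_network("10.20.0.0/24"),   # internal DMZ
    "mgmt": ipaddress.ip_network("10.250.0.0/24"),     # administrator workstations
    "infra": ipaddress.ip_network("10.0.0.0/24"),      # RADIUS, DNS, device management
}

# Inter-zone policy: default deny; one tuple per necessary flow.
# (source zone, destination zone, protocol, destination port); None = any port.
POLICY = [
    ("wireless", "infra", "udp", 1812),   # 802.1X authentication via RADIUS
    ("wireless", "infra", "udp", 53),     # DNS
    ("wireless", "servers", "tcp", 443),  # web applications only
    ("wired", "infra", "udp", 53),
    ("wired", "servers", "tcp", 443),
    ("wired", "servers", "tcp", 445),     # file shares only from wired desktops
    ("mgmt", "infra", "tcp", 22),         # SSH to network devices; no Telnet rule exists
    ("mgmt", "servers", "tcp", 22),
]

# An older ruleset of the kind audit_policy() is meant to catch (constructed).
LEGACY_POLICY = POLICY + [
    ("mgmt", "infra", "tcp", 23),          # Telnet: credentials in the clear
    ("wireless", "servers", "tcp", None),  # any port from the least trusted zone
]

CLEARTEXT = {("tcp", 23): "Telnet", ("tcp", 21): "FTP"}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the defined ranges is untrusted."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "untrusted"


def is_permitted(src_ip: str, dst_ip: str, proto: str, port: int, policy=POLICY) -> bool:
    """Apply the zone policy to one flow. Traffic inside a zone is not filtered here,
    anything touching an undefined range is dropped, everything else needs a rule."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if "untrusted" in (src, dst):
        return False
    if src == dst:
        return True
    return any(
        s == src and d == dst and p == proto and (pt is None or pt == port)
        for s, d, p, pt in policy
    )


def audit_policy(policy) -> list[str]:
    """Flag rules that contradict the design bullets: cleartext management
    protocols, and any-port rules that let the wireless zone reach other zones."""
    findings = []
    for src, dst, proto, port in policy:
        if (proto, port) in CLEARTEXT:
            findings.append(f"{src}->{dst}: {CLEARTEXT[(proto, port)]} permitted; use SSH 2.0 / secure FTP")
        if port is None and src == "wireless":
            findings.append(f"{src}->{dst}: any-port rule from the wireless zone")
    return findings


if __name__ == "__main__":
    for flow in [("10.30.4.7", "10.0.0.5", "udp", 1812), ("10.30.4.7", "10.20.0.10", "tcp", 445)]:
        print(flow, "permitted" if is_permitted(*flow) else "denied")
    for finding in audit_policy(LEGACY_POLICY):
        print("policy finding:", finding)
```

The point the example makes is the one from the discussion: because wireless clients arrive from their own subnet, the same file server that wired desktops may reach on port 445 is unreachable from wireless, while the authentication and DNS services the wireless clients actually need remain permitted.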

**039 Network security design, build security into design, we talked about that in the past. Create multiple security zones internally. Now let's talk about that and let's talk about something new here, okay? We just looked at some wireless stuff. Where does wireless fit into this network security design then? If we're going to design networks and put things together and plan them upfront before we build them rather than build them and plan it later?

Student: Portability?

Joe Mayes: Yeah but on the security side, where is wireless? Where is wireless on the trust? How trusted is a wireless network?

Student: Less trusted.

Joe Mayes: Less trusted than what?

Student: Wired.

Joe Mayes: Daniel, how much less trusted? You said outside the firewall.

Student: Yeah because I mean theoretically somebody could sniff your packets that travel wirelessly and inject something malicious.

Joe Mayes: Well if you put, and I'm kind of playing devil's advocate here because this is a thought process to go through, okay? If we put it outside the firewall, then when I connect using my military laptop to the military network, where is my connection flowing?

Student: To the firewall.

Joe Mayes: But it's also flowing outside the firewall initially and then in, correct?

Student: Uh-hum.

Joe Mayes: So now anybody on the outside can see my traffic.

Student: Unless it's encrypted.


Joe Mayes: Unless it's encrypted, in that case they can still see some of it. Let's be more flexible. Do we have to do it just inside or outside or could we create a wireless DMZ?

Student: Build another VLAN.

Joe Mayes: Or another wireless VLAN, uh-hum. Yep, they actually make wireless VLANs, they are called WLANs. And you can control granularly where wireless goes. You control where it starts and ends. You can give it a different IP range so that you can track it differently. The whole idea is that if you are going to use wireless, you have to decide how am I going to securely incorporate that wireless into my network design, not throw the wireless access points up and figure out later how you are going to plug them in. That make sense? So that goes into the next thing. Creating rules between zones. If I am on a wireless network, are there some places I shouldn't be allowed to go?

Joe Mayes: Yeah and those are going to vary, right, depending on the organization but if the answer to that question is yes without even understanding the reason for it or the exact need, as long as that answer can be yes, then you have to be able to treat that wireless network different than the wired networks. Which means it has to come in at a different place or it has to be on a different subnet. In some way you have to say this is traffic that originated from a wireless connection. Does that make sense? So enforce multi-layer security. How do you enforce multi-layer security with a wireless environment?

Student: Same as you would with a wired device.

Joe Mayes: Same way I would as in the wired?

Student: Still need to use the same authentication.

Joe Mayes: I can still use the same authentication which would be a CAC, right. How do I make sure that I'm running encrypted? What other way can I make sure that only authorized people using authorized equipment can get onto the wireless network?

Student: Make it look like the VPN or something?

Joe Mayes: I could do it with a VPN.

Student: Add the MAC address list to the table. It just gets messy.

Joe Mayes: I could do the MAC address list on the table. How hard is it to fool the MAC address list? Really easy, right? You can actually type in any MAC address you want on any systems. You can change the MAC address of a system.

Student: Did you have it set up for 802.1X and some kind of staple inspection?


Joe Mayes: Hey 802.1X is good? And how could I authenticate via 802.1X?

Student: Active directory?

Joe Mayes: I heard it. You said it over here?

Student: Certificates.

Joe Mayes: Yeah, how about if I used digital certificates? You can't connect to my network unless you have a digital certificate issued by me. Well it could be on the CAC. It could also be in Windows, Windows 2008 Active Directory can issue certificates to users and to machines automatically. So you can actually take your AD environment, have it issue client-side certificates to the laptops, and then only laptops that have that client certificate are allowed onto the network. So if your machine is not a member of the domain, you don't get on the network. Does that make sense? See how these things are all starting to weave together? And you may decide not to do that for desktop machines because it is an extra burden and on your desktop machines you are in control of the switch. In the wireless world you are not necessarily in control of who is going to try to connect to your wireless device, are you? People in the parking lot can try to connect to your wireless device. So raising the bar and saying let's put certificates on and let's require certificates for all wireless connections, see where that can take you? Okay. SSH 2.0. Why do we use SSH 2.0 for connectivity instead of those other things? What are the other things? Telnet and? What else is up here?

Student: Earlier versions.

Joe Mayes: Earlier SSH versions. What did we say about earlier SSH versions?

Student: The password is in the clear.

Joe Mayes: Earlier SSH versions had security flaws. They did encrypt the password but they had security flaws. What did send passwords in the clear? Telnet. Telnet sent passwords in the clear. The earlier SSH versions had security flaws that were fixed in 2.0 so the trick is you should always upgrade to SSH 2.0. Use secure FTP why?

Joe Mayes: Regular FTP transmits passwords in the clear. Use single sign on to manage servers and network devices. Why? We have talked about it. The idea has to do with what? There are some things where what becomes the limiting factor in security sometimes? The person behind the set of glasses right? The person behind the set of glasses is who?

Student: Us.

Joe Mayes: Yeah, me, us, right? Why are we a limiting factor?


Student: Because we are human.

Joe Mayes: Because we are human. We can't remember 2000 48-bit passwords, can we? No, we are humans. We don't have a computer built inside. We can't carry a digital certificate around inside of us.

Student: So a single sign on is to not encourage user to write down the passwords making them less secure?

Joe Mayes: Correct because with single sign on one password will get you in many, many things which means you can probably learn one password at a time where if you have to keep 17 passwords with you, you are going to carry that on by a card. What's another reason? When you leave the organizations how many passwords do I have to kill? How many accounts do I have to kill?

Student: One.

Joe Mayes: Get the idea? When I leave the organization, I kill one account. I know I've wiped every system on the base because single sign on was what gave you every system on the base; taking you out of single sign on removes you from every system on the base. We know about the patching and updating programs. Does that apply to wireless too? And then document the design and the as-builts. What's the difference between the design and the as-built?

Student: What the contractor installs.


Student: It may not be what the design document actually showed.

Joe Mayes: Right, and what am I talking about?

Student: Network topology?

Joe Mayes: Network topology. How about logical topology? IP addresses and subnets. It's not just the cables and wire. It's also the IP, it's the subnets and routing. How about groups? Active directory groups? What do we do by group?

Student: Grant access to certain files, programs, areas.

Joe Mayes: Uh-huh, grant access to files, programs and areas.

Student: Active directories are actually tied to SharePoint.

Joe Mayes: Yeah, or SharePoint is tied to active directory. So what's the point here? How many people have ever run Visio? Have you ever noticed in Visio among the things that they have is templates to build from? There's an AD template. So you can build an active directory design. Because you need to keep track of all these things. It's not just where did the cables live? It's not just where are the switches stored at? It's who has permissions and what permissions do they have? What does being in this group get you access to? What does being a member of this O.U. get you access to? Where is this subnet allowed to go? Where do these wireless access points live and if you connect to wireless what do you have access to? Who has access to the internet and who doesn't? Who has got access to what servers and who doesn't? It's a great thing to know it. It's a better thing to write it down. And what happens is too often, who recognizes the term "tribal knowledge"? What is tribal knowledge?

Student: It's one of those things where the person who actually does the project or has been there long enough that they know everything and they don't write anything down and then they leave and the next person who comes in is left without anything.

Joe Mayes: Yep, or if he's not the only person, it's the four people who put it together or the four people that had been working with it for years. They all know where everything is and one-by-one they transfer out and what happens?

Student: Nobody knows.

Joe Mayes: Yeah within a couple of years nobody knows how to change anything. Everything works, but nobody knows why or how. They don't even know what the passwords are to go in and change stuff, right? So documenting design, documenting the as-builts, and the last bullet? Change management and configuration management. What does that mean?


Student: It means red tape.

Joe Mayes: It means red tape. That kind of attitude won't make change management work any better. You realize this, right?

Student: Which one of us said that?

Joe Mayes: I can tell you a story. In my recent history I have been hit on the same day by two different change management issues where people didn't follow change management processes. I was teaching a class about a month ago and somebody put a maintenance window in the middle of the class I was teaching. And somebody else decided to migrate all of the class documentation materials the same night that the maintenance window occurred. So for about 14 hours I was blind and I couldn't prepare for the next day's course. And nobody told me this ahead of time. They just said "I'm changing it now." The email goes out saying "This is your change notice. It's already changing." Oh, really? Thank you. Appreciate the thought, right? Another change management issue was when the college here had to change some switches out and decided to change them during a workday and he ended up having a problem with the switches. That wasn't any fun because the idea behind change management is I would much rather deal with a paperwork issue or a red tape issue than to be the guy on the far end of a bad change.


And there is some truth to that. Change management really is something that is a headache and it is a pain in the neck. You have to have change management meetings and people bring up "Don't do this because..." I was in a change management meeting where we wanted to-- no, what happened was I was in a change management meeting, City of Seattle, and they announced that they were upgrading some of the water pipes in the building and that everything from the 23rd floor down would be without water for a day. What we didn't know due to tribal knowledge problem is that what that meant was it was going to turn off all the air conditioning units in the server room that was on the 22nd floor. So they go and start disconnecting the water pipes and they were running new pipes and reconnecting things and our server room was hitting about 105 degrees. We have to go in and shut down three out of four servers in the building just to keep things running all because of a water change. That's what change management is supposed to stop you from running into. Same thing with configuration management. It worked yesterday. It's not working today. Who changed the firewall? And everybody says "Not me." Somebody did. If you talk about those things ahead of time, somebody can say "No, I need that rule. Don't take that rule out." Some guy will see a rule that's been there for five years, doesn't think anybody is using it, doesn't think it supports anything and says "Here I'm going to clean up my rules table by taking that rule out." And all of a sudden payroll falls over, right?

Notices

2

© 2014 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.
