W&M 2009 – Best practices for wireless network security

M A R Q U E S T Professional Services WLAN Security Peter Mackenzie MarQuest Limited www.MarQuest.com [email protected]


Page 1: W&M 2009 – Best practices for wireless network security

M A R Q U E S T Professional Services

WLAN Security

Peter Mackenzie, MarQuest, [email protected]

Page 2: W&M 2009 – Best practices for wireless network security


© MarQuest Limited

Introductions

• Peter Mackenzie [email protected]
  – Head of Technical Operations (MarQuest Limited)
  – Wireless Certifications
    • Certified Wireless Network Administrator
    • Certified Wireless Security Professional
    • Certified Wireless Analysis Professional
    • Certified Wireless Network Expert
    • Certified Wireless Network Trainer
• MarQuest Limited
  – CWNP Education Centre
  – WildPackets Academy
  – Installation
  – Consultancy

Page 3: W&M 2009 – Best practices for wireless network security


Itinerary

• Wireless Inherently Insecure

• Security Solutions
  – Default Security (included in 802.11)
  – The Security Standard (802.11i)

• WLAN Intrusion

• Detection and Prevention

Page 4: W&M 2009 – Best practices for wireless network security


Inherently Insecure

• Confidentiality
• Authentication
• Denial of Service

Page 5: W&M 2009 – Best practices for wireless network security


Wireless Attacks

Page 6: W&M 2009 – Best practices for wireless network security


Default Security

• Original 802.11 Standard
  – Authentication Methods
    • Open System
    • Shared Key
  – Encryption
    • Shared WEP Key
  – MAC Authentication (Device Security)

Page 7: W&M 2009 – Best practices for wireless network security


WEP Cracking

Page 8: W&M 2009 – Best practices for wireless network security


MAC Address Filtering

• MAC Spoofing

Page 9: W&M 2009 – Best practices for wireless network security


Standards Security

• WPA (TKIP, RC4)
  – Personal
    • Pre-Shared Key (PSK)
    • SOHO (no RADIUS server)
  – Enterprise
    • 802.1X/EAP
    • Backend RADIUS server
• 802.11i & WPA v2 (CCMP, AES)
  – Personal
    • Pre-Shared Key (PSK)
    • SOHO (no RADIUS server)
  – Enterprise
    • 802.1X/EAP
    • Backend RADIUS server

Page 10: W&M 2009 – Best practices for wireless network security


EAP types comparison

[Table: columns Client Password Authentication, Client Certificate, Server Certificate, Dynamic Exchange, Mutual Authentication; rows EAP-MD5, LEAP, EAP-TLS, PEAP, EAP-TTLS]

Page 11: W&M 2009 – Best practices for wireless network security


CoWPAtty

You only need to capture the 4-way handshake

Dictionary attack

Page 12: W&M 2009 – Best practices for wireless network security


Asleap

Fast dictionary attack

Cannot get strong password

Page 13: W&M 2009 – Best practices for wireless network security


A strong password policy?

If users can’t remember their password, what do they do?

Page 14: W&M 2009 – Best practices for wireless network security


EAP – Generic Method

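Participants: Supplicant (Client), Authenticator (AP), Authentication Server (RADIUS)

1. Authenticator → Supplicant: Request Identity
2. Supplicant → Authenticator: Identity: Peter
3. Authenticator → Authentication Server: Access Request: Peter
4. Authentication Server → Authenticator → Supplicant: Challenge: Text
5. Supplicant → Authenticator → Authentication Server: Challenge Response: Cipher Text
6. Authentication Server → Authenticator: Access Accept
7. Authenticator → Supplicant: Access: Success
8. Exchange keys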

Page 15: W&M 2009 – Best practices for wireless network security


PEAP

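Participants: Supplicant (Client), Authenticator (AP), Authentication Server (RADIUS)

1. Authenticator → Supplicant: Request Identity
2. Supplicant → Authenticator: Identity: Dummy
3. Authenticator → Authentication Server: Access Request: Dummy
4. Authentication Server → Authenticator → Supplicant: Authenticate Server Certificate
5. Establish Encrypted tunnel using certificate
6. Supplicant → Authenticator: Identity: Peter
7. Authenticator → Authentication Server: Access Request: Peter
8. Authentication Server → Authenticator → Supplicant: Challenge: Text
9. Supplicant → Authenticator → Authentication Server: Challenge Response: Cipher Text
10. Authentication Server → Authenticator: Access Accept
11. Authenticator → Supplicant: Access: Success
12. Exchange keys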

Page 16: W&M 2009 – Best practices for wireless network security


Client Configuration Weakness

Page 17: W&M 2009 – Best practices for wireless network security


Evil Twin

[Diagram labels: SSID: ABC; SSID: ABC; Channel 1; Channel 11; Key: Intruder, Wireless Analyser, Soft Access Point, DHCP Server Software, Signal Generator]

Page 18: W&M 2009 – Best practices for wireless network security


No Wi-Fi Policy

“It’s ok, we have a no Wi-Fi Policy”

How do you enforce that policy?

How do you know you don’t have any Wi-Fi?

Do you have any laptops with inbuilt Wi-Fi Clients?

Page 19: W&M 2009 – Best practices for wireless network security


Client Hijacking

[Diagram labels: Home; Work; SSID: LINKSYS; Probe: LINKSYS; SSID: LINKSYS]

Page 20: W&M 2009 – Best practices for wireless network security


Identification and Protection

• Wireless Analysis

• Wireless ISP

• Training

• Penetration Testing

Page 21: W&M 2009 – Best practices for wireless network security


WildPackets’ OmniPeek

• Wireless LAN environment scan
• Rogue access point and station detection
• Intrusion detection
• Station Location
• Ensuring wireless LAN policy

What does your wireless environment really look like?
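
A minimal form of the rogue access point check listed above, applied to the evil-twin pattern from the earlier slide (the same SSID "ABC" seen on Channel 1 and Channel 11). This is an added example, not OmniPeek or AirDefense code; the inventory, BSSIDs, verdict names and beacon records are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str     # MAC address of the AP radio
    channel: int
    security: str  # advertised security, e.g. "WPA2-Enterprise" or "Open"

# Assumed inventory of sanctioned APs: BSSID -> (SSID, channel, security).
AUTHORIZED = {
    "00:11:22:33:44:01": ("ABC", 1, "WPA2-Enterprise"),
}

def classify(beacon, authorized=AUTHORIZED):
    """Return a verdict (hypothetical labels) for one observed beacon."""
    corporate_ssids = {ssid for ssid, _, _ in authorized.values()}
    known = authorized.get(beacon.bssid.lower())
    if known is None:
        # Our SSID advertised by a radio we do not own: the evil-twin pattern.
        if beacon.ssid in corporate_ssids:
            return "evil-twin-suspect"
        return "unmanaged-ap"
    ssid, channel, security = known
    if beacon.ssid != ssid or beacon.security != security:
        return "non-compliant-config"
    if beacon.channel != channel:
        # MAC addresses can be spoofed, so a sanctioned BSSID heard on an
        # unexpected channel is flagged rather than trusted.
        return "bssid-spoof-suspect"
    return "authorized"

def audit(beacons, authorized=AUTHORIZED):
    """Map (ssid, bssid, channel) -> verdict for everything not authorized."""
    findings = {}
    for b in beacons:
        verdict = classify(b, authorized)
        if verdict != "authorized":
            findings[(b.ssid, b.bssid, b.channel)] = verdict
    return findings

# Constructed observations, as a wireless analyser might export them.
SAMPLE = [
    Beacon("ABC", "00:11:22:33:44:01", 1, "WPA2-Enterprise"),
    Beacon("ABC", "02:aa:bb:cc:dd:ee", 11, "Open"),
    Beacon("ABC", "00:11:22:33:44:01", 11, "WPA2-Enterprise"),
    Beacon("LINKSYS", "02:aa:bb:cc:dd:ef", 6, "Open"),
]

if __name__ == "__main__":
    for key, verdict in audit(SAMPLE).items():
        print(key, verdict)
```

If the sanctioned APs use automatic channel selection, the channel comparison needs a set of permitted channels instead of a single value, otherwise legitimate channel changes are flagged.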

Page 22: W&M 2009 – Best practices for wireless network security


AirDefense IDS/IPS

• Intrusion Detection/Protection System
• Sensors report back to Server
• Alarms and notifications
• Countermeasures

Page 23: W&M 2009 – Best practices for wireless network security


AirDefense Protects Wireless Networks

1 Identifies & Terminates Rogue APs
2 Prevents Hotspot Phishing
3 Stops Leaked Wired Traffic & Insertion
4 Monitors for Non-Compliant APs
5 Protects Users

[Diagram labels: Hacker; Intranet; Internet; Desktop; Muni Wi-Fi; Hotspot Evil Twin; Mobile User; Laptop; AP; Server]

Courtesy of AirDefense

Page 24: W&M 2009 – Best practices for wireless network security


Automated Policy-Based Active Defences

Wireless Mitigation
• On-command Disconnect
• Policy-Based Disconnect

Wired-side Mitigation
• On-command Suppression
• Policy-Based Suppression
• Device Reconfiguration

Authorization Required, Audit Trail Maintained

Mitigation of the right target due to accurate detection

[Diagram labels: Managed Switch; AirDefense Server; Public AP; Laptop: Wired-Wireless Bridge]

ALERT! Detected by AirDefense: Accidental Association
TERMINATED! By AirDefense: Accidental Association
ALERT! Detected by AirDefense: Rogue AP on Network
PORT SUPPRESSED! By Managed Switch: Rogue AP on Network

Page 25: W&M 2009 – Best practices for wireless network security


Training

Training is key to a successful security solution

Which security solution should I use?

What monitoring should I be doing?

Do I need a security audit?

What should be included in a wireless security policy?

Which staff need training?

Page 26: W&M 2009 – Best practices for wireless network security


Penetration Testing

• Information gathering
• Social engineering
• Eavesdropping
• Active attacks
• Rogue AP placement
• Denial of Service

Page 27: W&M 2009 – Best practices for wireless network security


Thank You!

Stand Number 704

Any Questions?