Download presentation
Presentation is loading. Please wait.
1
ECE 578: COMPUTER NETWORK AND SECURITY
A TERM PAPER ON Drive-by Hacking ISS is the pioneer and leading provider of enterprise software systems that automatically monitor, detect and respond to security risks on distributed information systems. Much like the sophisticated security systems used to protect homes and businesses, ISS enterprise software systems automatically detect and correct security weaknesses on every system on the network and monitor and terminate real time threats against those systems. Although open systems, like the internet, have many business advantages, their accessibility, and the relative anonymity of users makes these systems, and the integrity of the information stored on them, vulnerable to security threats. In fact, the internet is a criminals dream. To compare this to the physical world, just imagine if every door lock was designed to the same standard with the same combination or key, or the windows in your house had no locks at all,(this is what the open IP standards have provided) and new doors and windows appeared on seemingly random basis (in fact, every time a new user, or new computer, router or business application is added to the network). Now add to that the complication that criminals are ostensibly invisible and change their identity at will? This is the network we call the internet, it is the network that runs every critical industry today, including banking, government, transportation, telecommunications and emergency services …a network with an endless supply of doors and windows, open standards which dictate the same combination to every lock and adversaries who are inconspicuous and change identity. ISS invented the software systems that automatically find the open doors and windows and secure them, and identify and terminate the activity of these otherwise invisible adversaries automatically. This dynamic system has the ability to adapt, to adjust to the dynamic and changing risk conditions on the network and automatically respond to enforce best practice security policy. Shekhar shinde Oregon State University.
2
Contents Background Problem of drive by hacking
Wireless security options Challenges Types of attacks Internet scanner Real life solution to the problem Conclusion References by “wireless” we mean: wireless networking based on the IEEE standard. This definition does not include WAP, 3G, Blackberry, Bluetooth, or other wireless technologies. Organizations adopting wireless want to leverage the productivity gains of wireless networking, but the well-publicized security weaknesses of the standard, and in particular of WEP (Wireless Equivalent Privacy), are causing many to slow or even delay indefinitely deployment. The main concerns for networks with authorized deployments are: Extension of the LAN beyond the physical borders of the organization. Implementation of available security measures. Weakness of WEP protocol. Of equal, if not greater, concern is the unauthorized deployment of ‘rogue’ Access Points which connect directly to the corporate LAN The nightmare scenario here is of an internal user who, with no malicious intent, buys a WLAN access point and installs it on the corporate network, exposing the network to insertion by an outsider. There have been many, many stories on this scenario of ‘war driving’ or ‘stumbling’ in the press and it is the most pervasive wireless security problem. Even companies that do not have an authorized WLAN in place (or plan to deploy one) are concerned about this, b/c it creates a hole that circumvents all the established network security measures (such as firewalls, IDS, VPN, etc.).
3
Background WLAN technology is making its way into organizations, but:
Authorized deployments are hindered by security concerns. Unauthorized (rogue) deployments put the corporate network at risk. Top concerns: Where are the access points? Are they vulnerable to attack? Where is the network perimeter? by “wireless” we mean: wireless networking based on the IEEE standard. This definition does not include WAP, 3G, Blackberry, Bluetooth, or other wireless technologies. Organizations adopting wireless want to leverage the productivity gains of wireless networking, but the well-publicized security weaknesses of the standard, and in particular of WEP (Wireless Equivalent Privacy), are causing many to slow or even delay indefinitely deployment. The main concerns for networks with authorized deployments are: Extension of the LAN beyond the physical borders of the organization. Implementation of available security measures. Weakness of WEP protocol. Of equal, if not greater, concern is the unauthorized deployment of ‘rogue’ Access Points which connect directly to the corporate LAN The nightmare scenario here is of an internal user who, with no malicious intent, buys a WLAN access point and installs it on the corporate network, exposing the network to insertion by an outsider. There have been many, many stories on this scenario of ‘war driving’ or ‘stumbling’ in the press and it is the most pervasive wireless security problem. Even companies that do not have an authorized WLAN in place (or plan to deploy one) are concerned about this, b/c it creates a hole that circumvents all the established network security measures (such as firewalls, IDS, VPN, etc.).
4
Market 1. Vorbereitung: Während dieser Phase werden die Informationen vom Kunden gesammelt und zur Verfügung gestellt, damit ein detaillierter Assessment-Plan erstellt werden kann. In diesem werden der Umfang, die Struktur und die Einschränkungen der Untersuchungen definiert. - Abschliessende Analyse und Kundeneinweisung Während des gesamten Assessments wird der Kunde über jeden durchgeführten Schritt informiert. Besonders bei den High-Risk Schwachstellentests wird der Kunde darauf hingewiesen, dass evtl. kritische Ausfälle auftreten können. Generell werden die Schwachstellen von ISS in folgende 3 Kategorien eingeteilt: · High Risk: Diese Schwachstellen sind die kritischsten. Bei diesen Schwachstellen muss sofort gehandelt werden. Die betreffenden Netzwerke, Systeme oder Daten sollten sofort gesichert werden. · Medium Risk: Diese Schwachstellen können eine potentielle Gefahr für das Netzwerk, die Systeme oder die Daten darstellen. Diese Schwachstellen sollten in absehbarer Zeit behoben werden. · Low Risk: Diese Schwachstellen sollten protokolliert werden und zu einem späteren Zeitpunkt behandelt werden. Diese stellen i.d.R. keine potentielle Gefahr für das Netzwerk dar, sollten aber weiterhin beobachtet und ggf. beseitigt werden. Nach dem Assessment werden die gesamten Daten, die während den einzelnen Phasen gesammelt wurden, zusammengeführt. Diese Daten werden analysiert und abgeglichen. Ein abschliessender Report mit allen erkannten Schwachstellen, Risiken und Empfehlungen wird erstellt und dem Kunden üblicherweise eine Woche nach der Durchführung des Assessments zugesandt. Ferner kann der Kunde auf alle Daten, die während des Assessments gewonnen wurden, zurückgreifen. Nach der Beendigung stehen die ISS Consultants für weitere Fragen zur Verfügung, auf Wunsch kann auch eine abschliessende Präsentation der Ergebnisse durchgeführt werden. Aufgrund der gewonnenen Ergebnisse können die Consultants mit Ihrem tiefen Wissen und Ihrer Erfahrung im Security Bereich den Kunden bei der Planung und Implementierung von Sicherheitslösungen unterstützen. ISS unterstützt eine grosse Anzahl von Kunden bei der Einführung von Schwachstellen-Assessment und Intrusion Detection Systemen.
5
The Problem … “Drive By Hacking”
The Building Less than 1500ft * If the distance from the Access Port to the street outside is 1500 feet or less, then a Hacker could also get access – while sat outside
6
Wireless LAN Security Options
MAC address filtering Vendor specific authentication SSID/Network ID Wired Equivalent Privacy (WEP) Emerging IEEE x
7
Or in other words … The Problem ?? Totally proprietary technology, and therefore vendor specific – and the initial broadcast keys can still be sniffed 1. User runs client software and enters User name & Password Key Valid only for session Valid only for session Key 3. When device wants to connect to a different AP, a new session is created, with a different unique set of keys 2. The request is sent to the RADIUS/EAP Server, RADIUS authenticates the session and sends unique session keys to device & AP
8
The Challenges Rogues Access Points DHCP
Due to low cost, users setting up their own Aps without IT knowledge (ie boardrooms) DHCP One of the advantages of WLAN is the ability to move around the building, therefore moving between IP subnets – therefore DHCP is needed, but very abuse able !! 803.11xx and other technologies (such as Bluetooth & WAP) are all new and so no standards exist, so very vendor specific
9
Types of Attacks Insertion Attacks
Interception and unauthorised monitoring Jamming Client to Client Attacks Brute Force on AP password Encryption Attacks Mis-configurations
10
Types of Attacks Insertion Interception and Unauthorised Monitoring
Deploying un-authorised devices or creating new wireless networks without prior knowledge of IT Interception and Unauthorised Monitoring As with wire networks it is possible to “sniff” the network, but where monitoring agents are required, with WLAN you can get everything. Jamming As name suggests this is a Denial of Service Attack floods the 2.4Ghz range, used by these and other devices, so nothing can communicate
11
Types of Attacks Client to Client Attacks
Once Windows is configured to support Wireless it can be contacted by any other wireless device – so all the usual File Sharing and TCP service attacks work Brute Force on Access Point password The APs use simple usernames and passwords which can be easily brute forced, and key management is not easy Encryption Attacks Although has WEP, vulnerabilities have already been found and the keys can easily be cracked Mis-configurations All major vendors make their units easy to deploy, so they come with insecure, well known pre-configurations, which are rarely changed when installed
12
WLAN Security Challenges
How to Defend against WLAN Threat WLAN Security is similar to the Wired network. Just represents an extension of wired networks Another potential un-trusted entry point into the wired network. Multi-Layer Security Approach Protect WLAN holistically at the network, system, and application layer for clients, access points, and the back-end servers. Apply traditional wired security countermeasures.
13
WLAN Discovery / Assessment/ Monitoring Tools
Internet Scanner 6.2, the market leading network vulnerability assessment tool, was the first to assess many b security checks checks are in several X-Press Updates (XPU 4.9 and 4.10). RealSecure 6.5, the market leading IDS, was the first to monitor many b attacks. Recommend to make sure you are up to the latest X-Press Updates checks for IDS were in XPU 3.1.
14
Internet Scanner 1. Finds the Holes
2. Finds Rogue Access Points or Devices
15
Real Secure Kill !! Kill !!
16
The Solution Wireless Scanner 1.0 is the solution for this problem
Identify b access points. Assess the implementation of available security features. Laptop-based for mobility. “Wireless Scanner provides automated detection and security assessment of WLAN access points and clients.” Note that this is a solution for both wireless-enabled organizations, and for organizations that have not implemented a WLAN but want to make sure there are no unauthorized APs on their premises. Identifying access points includes providing the MAC address, SSID (if detectable), channel, and signal strength information for each detected access point. Assessments include determining if WEP is enabled, checking for known vulnerabilities, performing a brute force attack, and determining if RADIUS authentication is enabled. Because WS is laptop-based, users can carry it around and outside their physical sites to test the real perimeter of their network’s WLAN signals.
17
Target Market Primary market of Wireless Scanner 1.0:
Enterprise customers SMB customers Security consultants / auditors These customers want to: Implement a WLAN without compromising their existing security measures. Protect network from unauthorized APs. In the primary market for the 1.0 release: WLANs are implemented mainly for convenience and cost-effectiveness, rather than to support core business processes. These customers are for the most part already using some infosec measures and possess some degree of security maturity. WLAN security is part of their overall picture and represents an upsell opportunity. Security consultants and auditors are an important market for the 1.0 release, because they are looking for a solution to their clients’ wireless security concerns, especially one that provides usable reporting and does not require a separate Linux laptop to run. The 1.0 release has a secondary market that will not be explicitly targeted, but which represents a significant opportunity, and consists of new customers in retail, manufacturing, and hospitals. These are verticals into with ISS currently has relatively low penetration, and which use – or want to use – technology to increase productivity and support core business processes. Examples: Hospital in which staff uses laptops or based devices to view and manage patient records without sacrificing mobility and ease of use. Retail chain that uses networks in stores to improve customer service and inventory management. The SOHO market is NOT being targeted for the 1.0 release.
18
How it works .. Each device has a WLAN adapter
These communicate back to Access Ports (AP), or Wireless Bridges The technology works like old ethernet bridges by simply passing data on So anyone with a wireless device could, theoretically, connect to your network.
19
Features – Detection Wireless Scanner detects access points…
Wireless Scanner detects access points from inside and outside an organization’s physical site. By listening to wireless traffic, WS can identify the unauthorized, often unsecured access points that can provide attackers a gateway into an organization’s network, as well as track clients, and even detect client attacks against wireless access points. As operators roam their site with Wireless Scanner, audible alerts notify them of the detection of wireless devices while Wireless Scanner records information and vulnerability information. The ability to easily separate detected access points from wireless clients is a feature that none of the freeware tools offer. … and active clients.
20
Features – Security Assessment
Wireless Scanner probes access points to determine their vulnerability to connection and attack by unauthorized users. WS probes discovered access points to determine their vulnerability to attack and connection from an unauthorized user. Assessments detect whether security options such as encryption and authentication are enabled and properly configured. WS operators can direct it to connect to access points, provide management information, and read encrypted traffic.
21
Features – Reporting Multi-level reporting Export options
New Access Points report highlights new b devices discovered in scan. Summary reports provide high-level overview of WLAN security status At-a-glance view of WLAN security Speed communication of critical security issues Technician reports give detailed fix information for WLAN vulnerabilities Speed remediation Help close wireless security knowledge gap in IT staff Wireless Scanner’s reports enable administrators to identify and secure quickly vulnerable access points on their networks. Reports provide formatted and sortable reports that display clear information on WLAN devices, configuration, and vulnerabilities. Graphical summary reports give a high-level view of an organization’s WLAN security status for an at-a-glance understanding of WLAN security issues. Technician reports provide detailed fix information for any vulnerabilities discovered to speed and simplify remediation of wireless security issues.
22
Features – Flexibility
Mobile – users can scan while walking User configurable: Filters Alarms and notifications Encryption keys for scanning Configurations can be saved and loaded Wireless technology projects the network perimeter beyond the physical confines of an organization’s site, and laptop-based Wireless Scanner permits operators take Wireless Scanner outside their building to simulate the activity of an off-site attacker “war driving” or “stumbling” outside their premises. On-site, Wireless Scanner’s mobility allows operators to walk around as they listen for access points and other devices, moving through space to detect signals that are would be inaccessible to a fixed device. For improved mobility and safety scan information can be viewed live or saved to a file for later replay. Combined with numerous user-configurable options that provide it the flexibility to function in any environment, such as: Filters – access point and client filters allow users to look for only new or unknown devices during a scan. New and unknown access points are the #1 concern identified by enterprises. Alarms and notifications – can use predefined alarms, or create your own, for AP detected, vulnerability detected, and successful/failed connection to access point. Encryption keys can be provided for assessing access points that are running WEP. This feature can be used, for example, to test that old or ‘retired’ WEP keys are no longer in use on access points. User configurable Options configurations can be saved and loaded individually, so that a user can select options for a specific site or organization and quickly load them, rather than having to reconfigure the WS for each different scan.
23
References: “Wireless scanner” a white paper by stephen schmid.
Cryptography and Network Security: Principles and Practice, Second Edition by William Stallings Web reference of Cryptography and network security, third edition by William Stallings Fundamentals Of Computer Security Technology by Edward G. Amoroso. Network Security by Mario Devargas. LAN Times Guide To Security And Data Integrity by Marc Farley, Tom Stearns, And Jeffrey Hsu. Computer System And Network Security by Gregory B. White, Eric A. Fisch, Udo W. Pooch.
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.