Download presentation
Presentation is loading. Please wait.
Published byAshley McGee Modified over 8 years ago
1
Manage & Secure Your Wireless Connections Ernest Staats Director of Technology and Network Services at GCA Presented for the Nebraska Cyber Security Conference June 2009 MS Information Assurance, CISSP, CWNA, CEH, MCSE, CNA, Security+, I-Net+, Network+, Server+, A+ erstaats@gmail.com Resources available @ http://es-es.nethttp://es-es.net
2
Why Manage? Bandwidth (when downloading or using VoIP) Co-channel interference (phones, microwaves, rogue AP’s) Old Firmware (check for updates every quarter) Management and control frames can’t be encrypted, nor can header values like ESSID and MAC address Stumblers and WEP/PSK crackers Mobile devices DoS attacks (point-and-click raw packet injection tools) Forged messages Demand for more wireless access BackTrack (www.remote-exploit.org)www.remote-exploit.org 802.11n issues
3
Wireless Vulnerabilities
5
Overlooked: Site Survey What types of interference are you going to contend with? What distances do you need to broadcast? What types of data are you going to support over WIFI? (data/voice) network access Set up worst-case scenario for testing Know your signal-to-noise ratio You should expect an interview before any testing is done (how many users, roaming, location of wiring closets) Adapted from: Certified Wireless Network Administrator certification Course available at:: http://www.cwnp.com/ http://www.cwnp.com/
6
Changing Default Settings Change the default logon password and make it long! All defaults are known and published on the Net http://www.phenoelit.de/dpl/dpl.html updated often http://www.phenoelit.de/dpl/dpl.html AP Management Interface HTTP, SNMP, Telnet HTTP login Linksys: UID=blank PW=admin SNMP (disable SNMP or use a management VLAN that is secure) All: PW=public Change default open systems to WPA2: use a long passphrase
7
Cell Sizing How far is your WIFI signal going? (that is called your cell size) Can’t cover whole building? Better antenna MIMO 802.11n Power setting The cell size is usually adjusted by the power setting Go outside and see how far your wireless signal is reaching (you will be surprised)
8
ESSID Naming Identifies network Helps others identify whether or not you have left default settings on Broadcast on by default Once again with the default settings, your wireless device broadcasts its name, saying, “My name is … connect to me” Turning off SSID broadcasting is called “cloaking”; can cause issues in enterprise systems Avoid naming your SSID a private or personal code (It’s not a password!!! Even cloaked ESSID’s are easily discovered )
9
MAC Filtering A MAC address is the hardware number that is network card specific (literally burned into the network card when it is made) Does not scale to large networks Relatively easy to defeat Good option for home users
10
Authentication with 802.1x Authenticates users before granting access to L2 media Makes use of EAP (Extensible Authentication Protocol) PEAP, EAP-TLS, EAP-TTLS, etc. 802.1x authentication happens at L2 – users will be authenticated before an IP address is assigned
11
Encrypt the Data WEP Simple & easy to crack No key management It is worse than no encryption TKIP (Temporal Key Integrity Protocol) WPA/WPA2 Works on legacy hardware Has been cracked AES used in WPA 2 Considered the best option FIPS 140-2 approved (Federal Information Processing Standard) Use with 802.1x
12
Encryption WEP – First Wireless Security Cracked -- Any middle-schooler can crack your WEP key in short order WPA Cracked… but Key changes WPA2 Cracked… but Harder to crack than WPA; don’t use PSK 802.1x Uses server to authorize user Can be very secure 802.11i AES encryption – “uncrackable”
13
Authorize Data Most organizations do a decent job of authentication (who the user is), but a poor job of authorization (what the user is allowed to do); NAC’s/NAP’s and 802.11i help this issue Mobile networks are typically multi-use Authentication provides you with user identity – now use it! Identity-aware firewall policies can restrict what a user can do, based on that user’s needs
14
Home Wireless Overlooked Change default settings -- SSID and passwords Use WPA (or better, WPA2); use long PSK Use a MAC filter Turn off SSID broadcasting Know how far your wireless signal is reaching Turn off wireless when not being used, & turn off DHCP or limit DHCP Disable remote administration Update Firmware on AP and wireless cards semi- annually Secure your home machines Current AV Firewall (if the wireless router has a firewall option, turn it on) Spyware protection Auto update Windows Use VPN Common sense (check the “Secure Your Laptop Section”)
15
Secure Your Laptop Turn your firewall on: Start > Settings > Network Connections > Wireless Network Connection > Change Advanced Settings > Advanced Tab > Windows Firewall Settings > Select “On” > OK BETTER YET use another firewall (i.e. Kerio, Jetico, or Zone Alarm) Turn ad-hoc mode off: Start > Settings > Network Connections > Wireless Network Connection > Change Advanced Settings > Wireless Networks Tab > Select Network > Properties > Uncheck “This is a computer-to-computer (ad-hoc) network” > OK Disable file sharing: Start > Settings > Network Connections > Wireless Network Connection > Change Advanced Settings > Uncheck “File and Printer Sharing” > OK Change Administrator password : Click Start > Control Panel > User Accounts. Ensure the Guest account is disabled. Click your administrator user account and reset the password
16
VPN Solutions AnchorFree's Hotspot Shield, a free software download. Install it on a Windows PC AnchorFree's Paid VPN Solutions WiTopia's personalVPN, WiTopia's HotspotVPN (SSL) HotspotVPN VPN connections require installation of a utility on the computer
17
Teach Hotspot Security Use a personal firewall Use anti-virus software (update daily or hourly) Update your operating system and other applications (i.e. Office, Adobe Reader) regularly Turn off file sharing Use Web-based e-mail that employs secure http (https) Use a virtual private network (VPN) Password-protect your computer and important files (make sure your administrator account has a good long password) Encrypt files before transferring or e-mailing them Make sure you're connected to a legitimate access point Be aware of people around you Properly log out of web sites by clicking log out instead of just closing your browser or typing in a new Internet address Use a more secure browser Chrome in private mode
18
TIPS for WIFI at Work Use a wireless system that has a centrally managed controller and reporting system Name all your AP's with the same name so if the signal gets blocked and they then get a stronger signal from another work AP they do not have to re-authenticate to the work wireless network Make sure all your AP's are on the same subnet if you are doing AD authentication Make sure the work network is the only one listed on the preferred networks Use a wireless firewall (Motorola) Know your air space issues (AirMagnet) I prefer the single channel solution
19
TIPS for WIFI at Work (cont.) Make sure laptops are set to infrastructure mode Make sure the “Automatically connect to non- preferred networks” is unchecked Use 802.1x (or better, 802.11i) Use a WIPS (Wireless Intrusion Prevention System); look at log files Use NAC Have WIFI policies Disable WIFI card if plugged into network Have users take home a secure AP that will tunnel back into the corporate network (Aruba, Motorola )
20
A Layered Approach
21
Key Security Principles Principle of Least Privilege Authentication, identity-based security, firewalls Defense in depth Authentication, encryption, intrusion protection, client integrity Prevention is ideal; detection is a must Intrusion detection systems, log files, audit trails, alarms, and alerts “Know your enemies & know yourself” (Sun Tzu) Integrated centralized management
22
Wireless Gold Standard Centralized wireless Have and update WIFI policies Keep clients updated – drivers too! Guest access on separate VLAN / Network Wireless intrusion detection Locate and protect against rogue APs WPA-2 Device authentication using 802.1x and PEAP User authentication using 802.1x and PEAP AES for link-layer encryption Long (not strong) passwords (15 character) Token-card products Protect wireless users from other wireless users Protect sections of the network from unauthorized access
23
Must Have a WIFI Policy At a minimum, the policy should involve continuous review of potential threats and vulnerabilities and should deal with the following: Overall policy Access control Usage management and monitoring Security monitoring Network security Virus protection Encryption Pertinent laws Incident response Enforcement
24
Captive Portals for Guests Browser-based authentication SSL encrypted Use for guest access only Put on separate VLAN or network
25
Controller Dashboard
26
802.11n Issues Frame aggregation Block Acknowledgment 40 MHz channel bonding Spoofed duration fields Only channel 3,9 do not overlap with 40 MHz channels on the 2.4 range AP Placement is 180 0 different
27
What About “NAC”? Identity-based policy control Assess user role, device, location, time, application Policies follow users throughout network Health-based assessment Client health validation Remediation Ongoing compliance Network-based protection Stateful firewalls to enforce policies and quarantine User/device blacklisting based on policy validation We use Bradford for our NAC at GCA Excellent Pricing for Edu’s
28
Shameless Plug Presentations on my site located at www.es-es.net Come join my afternoon lecture @ 1:30pm Session 3: Intrusion Prevention from the Inside Out To learn more about GCA (Georgia Cumberland Academy) www.gcasda.org
29
Resources: Software Air Magnet http://www.airmagnet.com/products/demo- download.php http://www.airmagnet.com/products/demo- download.php Net Stumbler –Free http://www.netstumbler.com/downloads/ http://www.netstumbler.com/downloads/ Mini Stumbler –Free http://www.netstumbler.com/downloads/ http://www.netstumbler.com/downloads/ Aircrack-2.1 802.11 sniffer and WEP key cracker for Windows and Linux. -Free http://www.cr0.net:8040/code/network/ http://www.cr0.net:8040/code/network/
30
Resources: Links CWNP Learning Center has over 1000 free white papers, case studies: http://www.cwnp.com/learning_center/index.htm l http://www.cwnp.com/learning_center/index.htm l free electronic site survey forms (excellent): http://www.cwnp.com/mlist/subscribe.php http://www.cwnp.com/mlist/subscribe.php GUIDE TO MASTERING NEGOTIATIONS: http://common.ziffdavisinternet.com/download/0 /2537/whiteboardtoview.pdf http://common.ziffdavisinternet.com/download/0 /2537/whiteboardtoview.pdf
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.