Chapter 14

Wireless Attacks, Intrusion Monitoring, and Policy
Chapter 14

Outline Wireless attacks Intrusion monitoring Wireless security policy

Wireless attacks Rogue Access Point A rogue access point is any Wi-Fi device that is connected to the wired infrastructure but is not under the management of the proper network administrators Because the rogue device has no authorization and authentication security in place, any intruder can now use this open portal to gain access to network resources Ad-hoc networks also have the potential of providing rogue access into the corporate network Besides physical security, there is nothing to prevent an intruder from also connecting their own rogue access point via an Ethernet cable into any live data port provided in a wall place If an 802.1X solution is deployed for the wire network, any new access points would need to authenticate to the network prior to being given access.

Wireless attacks Peer-to-Peer Attacks A personal firewall is often used to mitigate peer-to peer attacks Users associated to the same access point are members of the same basic service set (BSS). Because they reside in the same wireless domain, the users are exposed to peer-to-peer attacks. Public Secure Packet Forwarding (PSPF) is a feature that can be enabled on WLAN access points or switches to block wireless clients from communicating with other wireless clients on the same wireless segment

Wireless attacks Eavesdropping Wireless communications can be monitored via two eavesdropping methods: Casual eavesdropping Malicious eavesdropping Casual eavesdropping is typically considered harmless and is also often referred to as wardriving. Software utilities known as WLAN discovery tools exist for the purpose of finding open WLAN networks

Wireless attacks Eavesdropping Malicious eavesdropping, the unauthorized use of protocol analyzers to capture wireless communications, is typically considered illegal Protocol analyzers are passive devices that work in an RF monitoring mode that captures any transmissions that are within range A strong dynamic encryption solution such as TKIP/RC4 or CCMP/AES is mandatory

Wireless attacks Encryption Cracking Wired Equivalent Privacy (WEP) encryption has been cracked Authentication Attacks LEAP, one of the most commonly deployed 802.1X/EAP solutions, is susceptible to offline dictionary attacks. The hashed password response during the LEAP authentication process is crackable WPA/WPA2 Personal, using pre-shared keys, is also a weak authentication method that is vulnerable to offline dictionary attacks

Wireless attacks MAC Spoofing MAC addresses can be “spoofed,” or impersonated, and any amateur hacker can easily bypass any MAC filter by spoofing an allowed client station’s address MAC filtering is not considered a reliable means of security for wireless enterprise networks and should be implemented only as a last resort

Wireless attacks Management Interface Exploits Devices can be accessed via a web interface, a command-line interface, a serial port, a console connection and/or Simple Network Management Protocol (SNMP) Strong passwords should be used and encrypted login capabilities such as Hypertext Transfer Protocol Secure (HTTPS) should be utilized if available Interfaces that are not used should be disabled

Wireless attacks Wireless Hijacking The attacker configures access point software on a laptop, effectively turning a Wi-Fi client card into an access point. The access point software is configured with the same SSID that is used by a public hotspot access point At this point, the attacker has effectively hijacked wireless clients at layer 2 from the original access point The attacker will typically be configured with a Dynamic Host Configuration Protocol (DHCP) server available to issue IP addresses to the clients. At this point, the attacker will have hijacked the users at layer 3 and now has a private wireless network and is free to perform peer-to-peer attacks on any of the hijacked clients.

Wireless attacks Wireless Hijacking The attacker may also be using a second wireless card with their laptop to execute what is known as a man-in-the-middleattack The second wireless card is associated to the hotspot access point as a client. In operating systems, networking cards can be bridged together to provide routing. The attacker has bridged together their second wireless card with the Wi-Fi card that is being used as the “evil twin” access point. The only way to prevent a hijacking, man-in-the-middle, and/or Wi-Fi phishing attack is to use a mutual authentication solution

Wireless attacks DoS With the proper tools, any individual with ill intent can temporarily disable a Wi-Fi network by preventing legitimate users from accessing network resources The good news is that monitoring systems exist that can detect and identify DoS attacks immediately. The bad news is that there is absolutely nothing that can be done to prevent denial of service attacks other than locating and removing the source of the attack. DoS attacks can occur at either layer 1 or layer 2 of the OSI model

Wireless attacks DoS Layer 1 attacks are known as RF jamming attacks. The two most common types of RF jamming attacks intentional jamming unintentional jamming. Intentional jamming attacks occur when an attacker uses some type of signal generator to cause interference in the unlicensed frequency space Unintentional interference from microwave ovens, cordless phones, and other devices can also cause denial of service The best tool to detect any type of layer 1 interference, whether intentional or unintentional, is a spectrum analyzer

Wireless attacks DoS Layer 2 DoS attacks exist that are a result of tampering with 802.11 frames. The most common involves spoofing disassociation or deauthentication frames. The attacker can edit the 802.11 header and spoof the MAC address of an access point or a client in either the destination address field or source address field. The attacker then retransmits the spoofed disassociation or deauthentication frame repeatedly. Because these types of management frames are notification frames that cannot be ignored, the stations will constantly be denied service. Many more types of layer 2 DoS attacks exist, including association floods, authentication floods, PS-Poll floods, and virtual carrier attacks. A spectrum analyzer is your best tool to detect a layer 1 DoS attack and a protocol analyzer or wireless IDS is your best tool to detect a layer 2 DoS attack

Intrusion Monitoring Wireless intrusion detection system (WIDS) to monitor for attacks Most wireless intrusion monitoring exists at layer 2, but layer 1 intrusion monitoring systems are now also available to scan for potential attacks

Intrusion Monitoring Wireless Intrusion Detection System (WIDS) The typical wireless intrusion detection system is a client/server model that consists of three components: WIDS server A software or hardware server acts as a central point of management. Management consoles Software-based management consoles that connect back to a WIDS Server as clients can be used for 24/7 monitoring of wireless networks. Sensors Hardware- or software-based sensors are placed strategically to listen to and capture all 802.11 communications.

Intrusion Monitoring Wireless Intrusion Detection System (WIDS) Currently, three different WIDS design models exist: OverlayThis model uses an independent vendor’s WIDS and can be deployed to monitor any existing or planned WLAN. The overlay systems typically have more extensive features, but they are usually more expensive. Integration enabled Wi-Fi vendors are currently working to integrate their access points and management systems with the major WIDS vendors. The Wi-Fi vendor access points integrate software code that can be used to turn the APs into sensors that will communicate with the third-party WIDS server. Integrated Many wireless switching vendors have fully integrated WIDS capabilities. The wireless controller acts as the centralized server. The thin access points can be configured in a sensor-only mode or can act as sensors in a minor fashion when not transmitting as an access point. The integrated solution is a less-expensive solution but may not have all the capabilities that are offered in an overlay WIDS

Intrusion Monitoring Wireless Intrusion Prevention System (WIPS) Infrastructure device This classification refers to any client station or access point that is an authorized member of the company’s wireless network. Known device This classification refers to any client station or access point that is detected by the WIPS but is not considered an interfering device or a rogue access point. Rogue device The rogue classification refers to any client station or access point that is considered an interfering device and a potential threat.

Intrusion Monitoring Wireless Intrusion Prevention System (WIPS) The WIPS is using a known layer 2 denial of service attack as a countermeasure Another method of rogue containment uses the Simple Network Management Protocol (SNMP). The WIPS vendors have other proprietary methods of disabling rogue access points and client stations and often their methods are not published.

Intrusion Monitoring Mobile WIDS Several of the wireless intrusion detection/prevention vendors also sell laptop versions of their distributed products Mobile WIDS as a single sensor, server, and console all built into one package The mobile WIDS locks onto the RF signal of the rogue device and then an administrator can locate the transmitting rogue with a directional antenna

Intrusion Monitoring Spectrum Analyzer A spectrum analyzer is a frequency domain tool that can detect any RF signal in the frequency range that is being scanned A spectrum analyzer that monitors the 2.4 GHz ISM band will be able to detect both intentional jamming and unintentional jamming. Some spectrum analyzers can look at the RF signature of the interfering signal and classify the device.

Wireless Security Policy General Security Policy Statement of authority Defines who put the wireless policy in place and the executive management that backs the policy. Applicable audience Defines the audience to whom the policy applies, including employees, visitors, contractors, and so on. Violation reporting procedures Defines how the wireless security policy will be enforced, including what actions should be taken and who is in charge of enforcement. Risk assessment and threat analysis Defines the potential wireless security risks and threats and what the financial impact will be on the company if a successful attack occurs. Security Auditing Defines internal auditing procedures as well as the need for independent outside audits.

Wireless Security Policy Functional Security Policy Policy essentials Defines basic security procedures such as password policies, training, and proper usage of the wireless network. Baseline practices Defines minimum wireless security practices such as configuration checklists, staging and testing procedures, and so on. Design and implementation Defines the actual authentication, encryption, and segmentation solutions that are to be put in place. Monitoring and response Defines all wireless intrusion detection procedures and the appropriate response to alarms

Wireless Security Policy Legislative Compliance HIPAA The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for electronic health care transactions and national standards for providers, health insurance plans, and employers. The goal is to protect patient information and maintain privacy. Sarbanes-Oxley The Sarbanes-Oxley Act of 2002 defines more stringent controls on corporate accounting and auditing procedures with a goal of corporate responsibility and enhanced financial disclosure. GLBA The Gramm-Leach-Bliley Act requires banks and financial institutions to notify customers of policies and practices of disclosing customer information. The goal is protect personal information such as credit card numbers, social security numbers, names, addresses, etc.

Wireless Security Policy 802.11 Wireless Policy Recommendations Remote Access WLAN Policy This policy should include the required use of an IPSec VPN solution to provide device authentication, user authentication, and strong encryption of all wireless data traffic Personal firewalls should also be installed on all remote computers to prevent peer-to-peer attacks. The remote access policy is mandatory because the most likely location for an attack to occur is at a public access hotspot.

Wireless Security Policy 802.11 Wireless Policy Recommendations Rogue AP Policy No end users should ever be permitted to install their own wireless devices on the corporate network. Any users installing their own wireless equipment could potentially open unsecured portals into the main infrastructure network. This policy should be strictly enforced

Wireless Security Policy 802.11 Wireless Policy Recommendations Ad-Hoc Policy End users should not be permitted to set up ad-hoc or peer-to-peer networks. Peer-to-peer networks rarely use encryption, are susceptible to peer attacks, and can also serve as an unsecured portal to the infrastructure network if the computer’s Ethernet port is also in use. Wireless LAN Proper Use Policy A thorough policy should outline the proper use and implementation of the main corporate wireless network. This policy should include proper installation procedures, proper security implementations, and allowed application use on the wireless LAN.

Wireless Security Policy 802.11 Wireless Policy Recommendations IDS Policy Policies should be written defining how to properly respond to alerts generated by the wireless intrusion detection system. An example would be how to deal with the discovery of rogue access points and all the necessary actions that should take place

The END
Chapter 14

Chapter 14

Chapter 14

Presentation Transcript

Chapter 14

Chapter 14

Chapter 14

Chapter 14

Chapter 14

Chapter 14

Chapter 14

Chapter 14

Chapter 14

Chapter 14

Chapter 14

Chapter 14

Chapter 14

Chapter 14

Chapter 14

Chapter 14.

Chapter 14

Chapter 14

CHAPTER 14

Chapter 14

Chapter 14

Chapter 14

Chapter 14

Chapter 14