Wireless Security. Alistair Mutch

Transcription

1 Wireless Security Alistair Mutch

2 Trapeze Networks, A BELDEN Brand Proprietary and Confidential 15/03/2009 Slide 2 What is the Threat? The nature of Wireless or Simple Radio Transmission Wireless LANs use Radio Frequency (RF) radiation broadcast by a transmitting device RF radiation propagates well in air and can pass through many solid obstacles You can receive at far greater range than you can connect Nothing can prevent a receiver from hearing the transmitted signal if it is in range The distance a receiver can hear the signal can be easily improved using high gain directional antennas Wireless LANs as a result can usually be heard from outside the building in which they are installed Potential eavesdroppers therefore do not need to negotiate the physical security on the building in order to attack a WLAN, thereby removing the first line of Corporate defense The Nightmare Scenario A hacker with a Pringle s can antenna sitting in the parking lot and eavesdropping on and/or actively attacking the Corporate network over the Wireless LAN

3 Trapeze Networks, A BELDEN Brand Proprietary and Confidential 15/03/2009 Slide 3 RF Signal Propagation Signal emitted from a single AP located in downtown Lawrence, Kansas Source: Wireless Network Visualization Project a collaborative effort between University of Kansas' Information & Telecommunications Technology Center & Kansas Applied Remote Sensing Program

4 Trapeze Networks, A BELDEN Brand Proprietary and Confidential 15/03/2009 Slide 4 Wi-Fi Mk1 Architecture MS-AD/Radius Proxy/Firewall Untrusted with VPN No management through F/W VPN is insecure at first FW encrypts all payload Complexity of setup Client software No virus protection Additional workload Mobile support staff Session roaming Scalability Performance 100m UTP Internet Charles@school.ac.uk Student@school.ac.uk Charles@school.ac.uk Student@school.ac.uk

5 Trapeze Networks, A BELDEN Brand Proprietary and Confidential 15/03/2009 Slide 5 Reality of WLAN Attack Equipment Theft, RS232 ports, Certificates on board, IP configuration, Spare UTP sockets, SNMP RF Medium Passive attacks: Sniffing, wired network traffic leakage, breaking WEP and recovering data Active attacks: RF jamming, malicious data insertion and Fuzzing SSID Association AP Impersonation using soft APs, Evil Twin attacks, Denial of Service using deauthentication and disassociation frame spoofing, 802.1X flood attacks, attacks on the AP s local management interface, admin credentials discovery, AP configuration discovery, digital certificates recovery, War Driving for AP discovery and probing (WiGLE) The Client Computer Windows Zero-Configuration Client probing for all Preferred Networks, mobile workers on Hotspots, station impersonation (MAC spoofing), Web service spoofing, direct HD access, attacks on other client devices (voice handsets, printers), attacks on wireless bridges Enumeration PSK recovery, service password sniffing & cracking, hacking password hashes, VPN Man in the Middle (MitM) attacks, Snarfing & Zero-day attacks

6 Trapeze Networks, A BELDEN Brand Proprietary and Confidential 15/03/2009 Slide 6 Physical Security Clean design Simple PoE 802.3af No RS-232 Port No software load No configuration files No passwords Fully monitored Accurate antenna design Kensington lock Serial number and RSA Encrypted and authenticated management comms No illegal MP on LAN

7 Trapeze Networks, A BELDEN Brand Proprietary and Confidential 15/03/2009 Slide 7 Content Protection RingMaster SmartPass Staff User Staff AAA 802.1x Client AES/Location Staff VLANs MS Active Dir Internet Consultant 3 4 PAYG PAYG Open/WISP Open No Encryption PAYG Supplier 802.1q Trunk 802.1q Trunk Mobility Point Guest User SmartPass 802.1x AES Contractor VLAN VoWIP Staff AAA MAC/ACL/SVP WEPs VoIP VLAN Encryption None WEP of any sort WPA-PSK (TKIP-PSK) WPA2-PSK (AES-PSK) WEPd-Ent (with 802.1x) WPA-Ent (TKIP)(with 802.1x) WPA2-Ent (AES)(with 802.1x) FIPS Product Options Authentication None MAC Ethernet Address Web Page Authentication 802.1x PEAP-MSCHAPv x EAP-TLS Certificates Machine Authentication on MS-AD Three Factor Secure ID Fob Management Web/HTTPS/TLS1 SNMP V1-3 XML/SSH with certificates Historical Logging

8 Trapeze Networks, A BELDEN Brand Proprietary and Confidential 15/03/2009 Slide 8 Converge WiFi and Wired to one IP LAN Henry@company.com Internet Proxy/Firewall Charles@contractor.com Unique Auth/Encrypt per user ACL IP Router DHCP Henry@company.com ESSID FHE Charles@contractor.com ) Standard MS 802.1x Client 2) Machine authentication 3) User authentication 4) Client inspection 5) MS-AD/VLAN 6) Layer 2 connection 7) Existing user experience MS-AD/Radius

9 Trapeze Networks, A BELDEN Brand Proprietary and Confidential 15/03/2009 Slide 9 One IP Network, Cost of Ownership 200 users remain 200 connections Same IP engineering and DHCP Same MS-AD engineering Same Firewall configuration/load Same support procedures Same IDP/IDS functions Same client experience/training Same Routing and ACL 100/user 1000 Setup 1000 VPN 5000 VPN 2000 Workload 5000 IDS Support 1000 changes Improved Client Vision Reduced Patching Reduced Moves and Changes Increased Productivity

10 Trapeze Networks, A BELDEN Brand Proprietary and Confidential 15/03/2009 Slide 10 Endpoint Integrity with Juniper UAC Encrypted Juniper Infranet Controller (also AAA server) VLAN = 1 VLAN = 2 Enterprise VLAN (1) 802.1X Authentication using Juniper Odyssey Supplicant/UAC Agent X Authentication using WPA/TKIP; policies are met by client 2. Infranet Controller responds with VLAN=1 assignment Quarantine VLAN (2) 3. Endpoint gains access to Enterprise VLAN 4. Infranet Controller detects that DAT files are OUTDATED 5. Endpoint is forced to re-authenticate 6. Infranet Controller updates VLAN assignment to VLAN=2; endpoint can only access Quarantine VLAN

11 Trapeze Networks, A BELDEN Brand Proprietary and Confidential 15/03/2009 Slide 11 Integrated Cross Location Mobility RingMaster SmartPass MS Active Dir London Mobility Domain Contractor Guest MPLS & Internet Company Wide Network Domain AD & SP to manage VoIP Paris Mobility Domain q Trunk Distribution Switch q Trunk Mobility Point Staff User Staff AAA 802.1x Client AES/Location Staff VLANs Guest Open/WISP SmartPass No Encryption Public DMZ Contractor SmartPass 802.1x AES Public DMZ VoWIP Staff AAA MAC/ACL/SVP WEPs VoIP VLAN VLANs Secure Staff (n) Guest Contractor VoIP/QoS MX-MP

12 Trapeze Networks, A BELDEN Brand Proprietary and Confidential 15/03/2009 Slide 12 Geographic Permissions Radio Group Senior Senior Staff Offices Radio Group Meeting Rooms Meeting Rooms Radio Group Offices Rooms Standard Rooms Standard Rooms Radio Group Cafe Reception, Restaurant Radio Group Back Office

13 Trapeze Networks, A BELDEN Brand Proprietary and Confidential 15/03/2009 Slide 13 Trapeze/Juniper Multi-Tiered WLAN Security Endpoint Integrity Check 802.1X Authentication Untrusted Client Juniper UAC AAA + NAC RingMaster LA200 X Rogue AP Intrusion Protection Trusted Client Encrypted X Rogue User Authentication & Encryption 802.1X, EAP-TLS, PEAP, TTLS, MAC, Web,... Endpoint Integrity Trusted Network Connect (Trusted Computing Group) Application Firewall Per user, per station, per group policy enforcement Intrusion Protection Core WIDS/WIPS: scan, detect, locate, disable Rogues i, WPA2, WPA, AES, CCMP DODD and FIPS compliant Juniper Networks Unified Access Control (UAC) Microsoft Network Access Protection (NAP) Application-aware QoS scheduling, location and security filtering Policy enforced closest to the end station Integrates with Juniper IDP Full integration with AirDefense (Market Leader WIDS/WIPS)

14 Trapeze Networks, A BELDEN Brand Proprietary and Confidential 15/03/2009 Slide 14 Core IDS/IPS Detected Attacks Rogue access points Interfering access points Rogue clients Interfering clients adhoc clients Unknown clients Interfering clients on wired LAN probe request flood authentication flood null data flood mgmt type 6 flood mgmt type 7 flood mgmt type d flood mgmt type e flood mgmt type f flood association flood reassociation flood disassociation flood Weak wep initialization vectors Spoofed access point mac-address attacks Spoofed client mac-address attacks Ssid masquerade attacks Spoofed deauthentication attacks Spoofed disassociation attacks Null probe responses Broadcast deauthentications FakeAP ssid attacks FakeAP bssid attacks Netstumbler clients Wellenreiter clients Active scans Wireless bridge frames Adhoc client frames Access points present in attack-list Access points not present in ssid-list Access points not present in vendor-list Clients not present in vendor-list Clients added to automatic black-list

15 Alien Management SmartPass

16 Trapeze Networks, A BELDEN Brand Proprietary and Confidential 15/03/2009 Slide 16 Guest Delivery Platform RingMaster SmartPass MS Active Dir London Mobility Domain Contractor Guest MPLS & Internet Company Wide Network Domain AD & SP to manage VoIP Paris Mobility Domain q Trunk Distribution Switch q Trunk Mobility Point Staff User Staff AAA 802.1x Client AES/Location Staff VLANs Guest Open/WISP SmartPass No Encryption Public DMZ Contractor SmartPass 802.1x AES Public DMZ VoWIP Staff AAA MAC/ACL/SVP WEPs VoIP VLAN VLANs Secure Staff (n) Guest Contractor VoIP/QoS MX-MP

17 Trapeze Networks, A BELDEN Brand Proprietary and Confidential 15/03/2009 Slide 17 SmartPass User Provisioning Software Package Typical Pentium 1Gb PC 50 Account > Unlimited IT Define groups IT define provisioners Provisioning through IE/HTTPS Single User Creation Group Provisioning Bulk Creation for Coupons WebAAA Login 802.1x Login Different VLANs for groups Firewall per user Block P2P traffic Limited/Time of day/port/filtering Full logging and snooping

18 Simple Web Interface Trapeze Networks, A BELDEN Brand Proprietary and Confidential 15/03/2009 Slide 18

19 Trapeze Networks, A BELDEN Brand Proprietary and Confidential 15/03/2009 Slide 19 Access Rule Examples Location based Allow guest SSID users to authenticate in public areas. When a guest user roams to a private area, disconnect session. Time based Between 9:00 AM to 5:00 PM limit per user bandwidth to 1mbps Time & location based At 2:00 PM, in Classroom C, disallow internet usage. On demand Disconnect all guest users now

20 Trapeze Networks, A BELDEN Brand Proprietary and Confidential 15/03/2009 Slide 20 Authentication Enhancement Location Based Access Control Prevents unauthorized access from outside your space Location Based VLAN tagging Provision Network access based on Identity and Location Wireless Containment Prevents insiders from associating with outside networks Location based IDS Identifies physical location of violations, threats & attacks, rogues

21 Location Integration

22 Trapeze Networks, A BELDEN Brand Proprietary and Confidential 15/03/2009 Slide 22 LA-200 Capabilities Location How often is the location value correct (Accuracy) 99% How specific can a location be in size (Precision) 1m at boundaries 3-5m in open space How quickly can the system locate (Latency) near real-time How many devices can be tracked (Scalability) 1,500-2,000 devices Management Accepts RF snoop data from up to 100 Trapeze Networks APs Manageable by web interface Able to store location history info for up to 30 days Dashboard viewer for XY location viewing

23 Trapeze Networks, A BELDEN Brand Proprietary and Confidential 15/03/2009 Slide 23 Location Tracking of WiFi Devices Monitor location of all WiFi devices VoIP handsets PDA Laptop WiFi Tags

24 Location Tracking System Trapeze Networks, A BELDEN Brand Proprietary and Confidential 15/03/2009 Slide 24

25 Trapeze Networks, A BELDEN Brand Proprietary and Confidential 15/03/2009 Slide 25 Access Rule Examples Location based Allow guest SSID users to authenticate in public areas. When a guest user roams to a private area, disconnect session. Time based Between 9:00 AM to 5:00 PM limit per user bandwidth to 1mbps Time & location based At 2:00 PM, in Classroom C, disallow internet usage. On demand Disconnect all guest users now

26 System Control User Monitoring

27 Constant Monitoring and Logging Trapeze Networks, A BELDEN Brand Proprietary and Confidential 15/03/2009 Slide 27

28 Comprehensive Report Library Trapeze Networks, A BELDEN Brand Proprietary and Confidential 15/03/2009 Slide 28

29 Trapeze Networks, A BELDEN Brand Proprietary and Confidential 15/03/2009 Slide 29 Service Distribution: Radio Groups Radios can be logically grouped by geography Radio groups can be configured to advertise services appropriate to their location, e.g. Radio Group Office Rooms Radio Group Senior Radio Group Meeting Rooms Radio Group Cafe Floor Radio Group Back Office SSIDs: SSIDs: SSIDs: SSIDs: SSIDs: Secure Staff Staff voice VIP only Secure Staff Staff voice Meetings Guest access Secure Staff Staff voice Guest access Walled Garden access Secure Staff Staff voice Secure Staff Staff voice

30 Thank you