Legacy Security

Transcription

1 Legacy Security

2 Contents Authentication Open System Authentication Shared Key Authentication Wired Equivalent Privacy (WEP) Encryption Virtual Private Networks (VPNs) Point-to-Point Tunneling Protocol (PPTP) Layer 2 Tunneling Protocol (L2TP) Internet Protocol Security (IPsec) Configuration Complexity Scalability MAC Filters SSID Segmentation SSID Cloaking

3 MAC Filters Every network card has a physical address known as a media access control (MAC) address. This address is a 12-character hex number client stations, like all network - enabled devices, each have unique MAC addresses, and access points use MAC addresses to direct frame traffic. Most vendors provide MAC filtering capabilities on their access points and WLAN controllers. MAC filters can be configured either to allow or deny traffic from specific MAC addresses.

4

5 MAC Filters Most MAC filters apply restrictions that only allow traffic from specific client stations to pass through based on their unique MAC addresses. Any other client stations whose MAC addresses are not on the allowed list will not be able to pass traffic through the virtual port of the access point and onto the distribution system medium. It should be noted, however, that MAC addresses can be spoofed, or impersonated, and any amateur hacker can easily bypass any MAC filter by spoofing an allowed client station s address. Many network adapters have the ability to change the MAC address as an option built into the advanced configuration window for the adapter, as shown in Figure 2.8. Entering the new address and re-enabling the network card is all that is needed to change the MAC identity of the computer. Because of spoofing and because of all the administrative work that is involved with setting up MAC filters, MAC filtering is not considered a reliable means of security for wireless enterprise networks. The standard does not define MAC filtering, and any

6 MAC Filters

7 MAC Filters MAC filters are often used as a security measure to protect legacy radios that do not support stronger security. For example, older handheld barcode scanners may use radios that support only static WEP. Best practices dictate an extra layer of security by segmenting the handheld devices in a separate VLAN with a MAC filter based on the manufacturer s organizationally unique identifier (OUI) address (the first three octets of the MAC address that are manufacturer specific).

8 SSID (Service Set Identifier) Segmentation Another technique to provide security in a WLAN environment using older autonomous access points was through SSID and VLAN segmentation. It was common for companies to create different SSIDs for different types of users. (staff/student/visitor) Companies would set up different SSIDs for many different departments or groups of users. In a WLAN environment using enterprise class autonomous APs, SSIDs can typically be mapped to individual VLANs, and users can be segmented by the SSID/VLAN pair, all while communicating through a single access point. Each SSID can also be configured with separate security settings.

9 SSID Segmentation A common strategy, even with newer WLAN controller technology, is to create a guest, voice, and data VLAN. The SSID mapped to the guest VLAN limited or no security, and all users are restricted away from network resources and routed off to an Internet gateway. The SSID mapped to the voice VLAN might be using a security solution such a WPA2-Personal, and the VoWiFi client phones are routed to a VoIP server that provides proprietary QoS services through the VLAN. The SSID mapped to the data VLAN uses a stronger security solution such as WPA2-Enterprise, and the data users are allowed full access to network resources once authenticated.

10 SSID Cloaking Remember in Star Trek when the Romulans cloaked their spaceship but somehow Captain Kirk always found the ship anyway? Well, there is a way to cloak your service set identifier (SSID). Access points typically have a setting called Closed Network or Broadcast SSID. By either enabling a closed network or disabling the broadcast SSID feature, you can hide, or cloak, your wireless network name. The service set identifier (SSID), which is also often called the extended service set identifier (ESSID), is the logical identifier, or logical name, of a WLAN. The SSID WLAN name is comparable to a Windows workgroup name. The SSID is a configurable setting on all radio cards, including access points and client stations. The SSID can be made up of as many as 32 characters and the SSID is case sensitive.

11 SSID Cloaking When you implement a closed network, the SSID field in the beacon frame is null (empty), and therefore passive scanning will not reveal the SSID to client stations that are listening to beacons. The idea behind cloaking the SSID is that any client station that does not know the SSID of the WLAN will not be able to associate. Many wireless client software utilities transmit probe requests with null SSID fields when actively scanning for access points. Additionally, there is a popular and freely available software program called NetStumbler that is used by individuals to discover wireless networks.

12 SSID Cloaking NetStumbler also sends out null probe requests actively scanning for access points. When you implement a closed network, the access point responds to null probe requests with probe responses; however, as in the beacon frame, the SSID field is null, and therefore the SSID is hidden to client stations that are using active scanning. Effectively, your wireless network is temporarily invisible, or cloaked. It should be noted that an access point in a closed network will respond to any configured client station that transmits directed probe requests with the properly configured SSID. This ensures that legitimate end users will be able to authenticate and associate to the AP. However, any stations that are not configured with the correct SSID will not be able to authenticate or associate. Although implementing a closed network will indeed hide your SSID from NetStumbler and other WLAN discovery tools, anyone with a WLAN protocol analyzer can capture the frames transmitted by any legitimate end user and discover the SSID, which is transmitted in cleartext.

13 SSID Cloaking In other words, a hidden SSID can be usually found in seconds with a WLAN protocol analyzer. Many wireless professionals will argue that hiding the SSID is a waste of time, while others view a closed network as just another layer of security. Cloaking the SSID usually keeps the SSID hidden from most WLAN discovery tools that use null probe requests. However, even some of the WLAN discovery tools use alternate methods of discovering a SSID. As shown in Figure 2.10, NetStumbler was able to identify the hidden network with an SSID of CWSP-Hidden2 and was also able to identify that another hidden network exists, but was not able to determine its SSID.

14 SSID Cloaking

15 SSID Cloaking Although you can hide your SSID to cloak the identity of your WLAN from novice hackers (often referred to as script kiddies ) and nonhackers, it should be clearly understood that SSID cloaking is by no means an end - all wireless security solution. The standard does not define SSID cloaking, and therefore all implementations of a closed network are vendor specific. As a result, incompatibility can potentially cause connectivity problems. Some wireless clients will not connect to a hidden SSID, even when the SSID is manually entered in the client software. Therefore, be sure to know the capabilities of your devices before implementing a closed network. Cloaking the SSID can also become an administrative and support issue. Requiring end users to configure the SSID in the radio software interface often results in more calls to the help desk because of misconfigured SSIDs.

16 Summary In this chapter, the different de jure and de facto standards to secure legacy networks Open System and Shared Key authentication encryption and decryption processes of WEP + its shortcomings > deprecated. VPN solutions can and will still provide secure access for a WLAN MAC filters SSID cloaking SSID segmentation