Risk Management of Wireless Networks 109
An anonymous reader writes "As wireless becomes a bigger part of our networks, those of us charged with maintaining them find ourselves also responsible for keeping drive-by script kiddies with a Pringles can out. BankInfoSecurity.com is running an excellent article on identifying and mitigating risks on wireless networks. The article was written by members of the Office of the Comptroller of the Currency (OCC) for banks, but it's applicable to any network environment and clearly lays out all the key steps to protecting wireless systems." There's nothing new here, really, but it's a good overview of issues to keep in mind when building a wireless net, as well as a good security plan starting point.
Banks? (Score:5, Insightful)
Re:Banks? (Score:3, Informative)
Re:Banks? (Score:2, Interesting)
are you sure all is good? (Score:2)
But those cordless phones in use are a yes yes...?
Re: (Score:1)
Re:Banks? (Score:3, Interesting)
And yes, that is one of the things I check from time to time when I want to reassure myself that my system hasn't been compromised
Re:Banks? (Score:1)
Re:Banks? (Score:1)
Re:Banks? (Score:2)
I guess it is possible to sniff that out of the air, but if it is 128bit WEP'ed
Re:Banks? (Score:1)
Re:Banks? (Score:1)
Seriously... the home machine gets infected and then you connect it conveniently into the VPN router and over-the-firewall-and-through-the-woods-to-grandm
VPN's are only as secure as the home user is vigilant. Never will be any better than that.
Re:Banks? (Score:2)
Might as well post it on the web.
Re:Banks? (Score:2)
--Oh, COME OFF IT man. Some of us have better things to do / suck at memorization. I get admin emails in Knoppix saying which MAC addresses have flipflopped or changed anyway, and I don't even have plans to run wireless.
Re:Banks? (Score:2)
Granted, this is one place where standardizing on hardware helps because the first few digits of the MAC address are vendor specific. If you use 100% SMC cards in your organization, you will see a pattern (thus making it easier to spot an outsider.)
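The vendor-prefix check described above, as an added example that is not part of the original post: it reads an `ip neigh`-style neighbour listing and flags any hardware address whose OUI (first three octets) is not from the organisation's standard card vendor. The OUI table and the neighbour listing are constructed placeholders, not real IEEE assignments or a real network; and as later posts on this page note, a MAC can be cloned, so this catches careless devices (a home router plugged into a switch port), not a deliberate intruder.

```python
"""Flag neighbours whose MAC vendor prefix (OUI) is not on the approved list.

Added example. The OUI tables and the sample listing below are constructed
placeholders; a real deployment would load the IEEE OUI registry instead.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed placeholders, not real vendor assignments.
APPROVED_OUIS: Dict[str, str] = {
    "AA:BB:01": "StandardCardVendor",   # the one NIC model the org buys
}
KNOWN_OUIS: Dict[str, str] = {
    **APPROVED_OUIS,
    "CC:DD:02": "ConsumerRouterVendor",  # the kind of box a user brings from home
}

# Matches aa:bb:cc:dd:ee:ff or AA-BB-CC-DD-EE-FF anywhere in a line.
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")


class Finding(NamedTuple):
    ip: str
    mac: str
    vendor: str
    verdict: str  # "approved", "known-unapproved" or "unknown"


def normalise_mac(mac: str) -> str:
    """Upper-case, colon-separated form so that lookups are format-independent."""
    return mac.upper().replace("-", ":")


def oui_of(mac: str) -> str:
    """The vendor prefix: first three octets of the normalised address."""
    return normalise_mac(mac)[:8]


def classify(mac: str) -> Tuple[str, str]:
    oui = oui_of(mac)
    if oui in APPROVED_OUIS:
        return APPROVED_OUIS[oui], "approved"
    if oui in KNOWN_OUIS:
        return KNOWN_OUIS[oui], "known-unapproved"
    return "?", "unknown"


def audit(listing: str) -> List[Finding]:
    """One Finding per neighbour entry that carries a hardware address."""
    findings: List[Finding] = []
    for line in listing.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue  # e.g. a FAILED entry has no lladdr to check
        ip = line.split()[0]
        mac = normalise_mac(m.group(1))
        vendor, verdict = classify(mac)
        findings.append(Finding(ip, mac, vendor, verdict))
    return findings


def suspects(listing: str) -> List[Finding]:
    """Everything that does not match the standard card vendor."""
    return [f for f in audit(listing) if f.verdict != "approved"]


# Constructed sample in the shape of `ip neigh` output (addresses are placeholders).
SAMPLE_NEIGHBOURS = """\
192.168.1.10 dev eth0 lladdr aa:bb:01:12:34:56 REACHABLE
192.168.1.11 dev eth0 lladdr AA-BB-01-00-00-7F STALE
192.168.1.50 dev eth0 lladdr cc:dd:02:9a:bc:de REACHABLE
192.168.1.77 dev eth0 lladdr 11:22:33:44:55:66 REACHABLE
192.168.1.1 dev eth0 FAILED
"""

if __name__ == "__main__":
    for f in suspects(SAMPLE_NEIGHBOURS):
        print(f"{f.ip:15} {f.mac} {f.vendor:22} {f.verdict}")
```

Run against a real listing with `ip neigh show | python3 oui_audit.py` style piping after swapping the sample for `sys.stdin.read()`; the point is the pattern (one approved prefix, everything else is a question to ask), not the placeholder table.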
Re:Banks? (Score:3, Insightful)
I'd say that one of the most difficult (and dangerous (getting caught-wise)) aspects of getting info off of a network is actually getting yourself into the network. Having a wireless link in removes a great deal of the danger (of getting caught), and leaves the intruder plenty of time to do the job more efficiently (making security's job harder).
A big fat lock on the door keeps most intruders out. (and WEP and MAC filtering don't count as locks)
Doctors (Score:4, Interesting)
So, for kicks, I took my libretto to the office on my next visit and fired up kismet.
They are wide open. No WEP, Windoze boxes (including the domain controllers) all easily accessible. A quick port scan showed all types of vulnerable services and such. I did not take the time to go further, but figure that getting patient records would not be too difficult.
From the port scans, it seems that this small office is also on the same subnet as other businesses in the area. WTF???
So what is one to do? I dare not tell them what I found, what with the risk of being labeled a terrorist and all. I thought that an anonymous letter to them might be best. But how can I be sure that they ever fix the problem?
A doctor replies (Score:5, Insightful)
Explain to him that you're a hardcore networking geek with an interest in security, and that you often run security checks against your own systems. You were there, running one just for kicks, and voilà! You are a patient of his presumably, so you already have a relationship and rapport... it would be different if you were some Joe Blow off the street who came waltzing into his office running kismet on your Zaurus.
He probably has NO CLUE that whoever set up his network has left it open to be plundered (tech-savvy doctors are rare. Thinking about all my colleagues, I can count the tech-savvy on one hand).
Take him aside privately, and explain to him that you were hesitant to come forward (for obvious reasons... like being labeled a cracker), but that you really felt he should know what was up, not only for the security of your own medical records, but also for the security of everyone else's. Heh... he might even hire you to help fix it.
You will likely find him VERY receptive if you approach him the right way. I'm quite certain he contracts his IT stuff out to somebody, so he probably has ZERO emotional investment in the security of his network... he just wants it to work, and pass HIPAA muster (which it probably doesn't right now).
I bet he'd be receptive.
Re:A doctor replies (Score:1)
insightful? (Score:2)
The zero-risk to yourself approach is to do nothing. Next up is the anonymous letter, and the continuum extends right up to admitting you've used their network...your choice where you draw the line.
Indeed. (Score:2)
Physicians are insanely busy people... busy taking care of patients, busy dealing with insurance companies, busy trying to comply with govt. regulations. No doctor has a legal department sitting on its hands with nothing to do, just waiting to prosecute/sue a patient who happens to fire up his laptop in the waiting room and inadvertently pick up the open AP. The original poster is a patient of that physician, and did not hack into the open network.. he
Re:Doctors (Score:2)
Re:Doctors (Score:2)
If they blow you off, then I'd actually contact an agency that might care about the privacy laws and just a
Re:Banks? (Score:1)
Re:Pringles Can? (Score:5, Informative)
Risk #1 (Score:1, Funny)
Wireless should not be used for sensitive info (Score:3, Insightful)
Fiber should continue to be used for any info that could be considered sensitive at all.. but then again, who am i kidding.. businesses just want things to be easy, not safe
Re:Wireless should not be used for sensitive info (Score:3, Interesting)
Drat, what are we going to do with the $8.5 billion we already spent on the satellites?
Re:Wireless should not be used for sensitive info (Score:1)
Instead, let me restate as "Current standards of 802.11x wireless internet should not be used, as they are too new, too fraught with holes and problems, etc"
Re:Wireless should not be used for sensitive info (Score:3, Interesting)
If you are running a business with wireless, and you care at all about security, and you allow anything to go over that link unencrypted, you're insane.
The only IP address that should be reachable over your wireless network is the IP address of your IPSec VPN gateway.
Most APs will accept re-addressed packets. This means the perp doesn't have to even crack the keys. All he needs to do is readdress pa
Re:Wireless should not be used for sensitive info (Score:4, Interesting)
I realized that I over-simplified the re-addressing problem.
From the UCLA paper:
"Active Attack from Both Ends
The previous attack can be extended further to decrypt arbitrary traffic. In this case, the attacker makes a guess about not the contents, but rather the headers of a packet. This information is usually quite easy to obtain or guess; in particular, all that is necessary to guess is the destination IP address. Armed with this knowledge, the attacker can flip appropriate bits to transform the destination IP address to send the packet to a machine he controls, somewhere in the Internet, and transmit it using a rogue mobile station. Most wireless installations have Internet connectivity; the packet will be successfully decrypted by the access point and forwarded unencrypted through appropriate gateways and routers to the attacker's machine, revealing the plaintext. If a guess can be made about the TCP headers of the packet, it may even be possible to change the destination port on the packet to be port 80, which will allow it to be forwarded through most firewalls."
A.
Re:Wireless should not be used for sensitive info (Score:5, Insightful)
Back to the point, 802.11 networks are inherently insecure.
WEP is fairly trivial to crack for someone determined to break in. The problem lies in the init vector of the key, not the length of the key.
SSID 'hiding' achieves nothing...the first time your box associates or reassociates, a listener has your SSID.
WPA is not as secure as people think either, even with a PSK. This was covered on
MAC filtering is beyond trivial...most NIC drivers nowadays allow you to set your MAC...which you could easily see on a target network while hunting.
You can make your home network more effort than it's worth to hijack...but for business use, make damned sure you want that traffic exposed...because you simply have to assume it will be. I wouldn't install wireless client access in a work environment without the use of VPN. I've heard some interesting theories about getting past even *that*, but I've never seen or heard a practical way to do it.
Unless and until I see some more thorough reviews of the newer 802.11 security standards (EAP and its variants) I wouldn't implicitly trust them...however I do get the feeling they are going to be far more difficult to compromise.
As mentioned in a previous post, there are a number of problems with wireless that many people don't think about, especially in a corporate environment. One of the worst is the rogue AP. I've found no less than three unauthorized WAPs on networks I've run in the last three years. Each time it was a (l)user who brought it and just plugged it into their switch port so they could 'use their laptop'. Each time, the AP was completely wide open. So much for the quarter-million-dollar security infrastructure of firewall, VPN, IDS, etc. They might as well have run a wire outside the building and hooked up a PC with a sign that said 'Free Corporate Access!'
There is yet another problem with rogue access points. Someone who brings one into close proximity with your wireless users. Guess what information the blackhat can get in that scenario?
The key to it all is education. (Score:4, Informative)
(And no, "wide open hole" isn't a goatse link
Re:The key to it all is education. (Score:3, Interesting)
I gave a friend of mine a wireless card for her laptop as a graduation present, the idea being she could use it when she's at coffee shops offering wireless connections, or in grad school on campus (she doesn't subscribe to broadband). As it turns out, she has a minimum of 4 options to connect to the internet from her apartment at any given time thanks to her careless neighbors.
Re:The key to it all is education. (Score:2)
Over Christmas, I stayed a few nights at my girlfriend's mother's house. I brought a modem along, since they don't have broadband, but just for kicks fired up kismet.
Suffice it to say, I was on a much faster network than dialup, thanks to a friendly neighbor with a default-configured Linksys, DHCP and everything :)
VPN (Score:5, Interesting)
SSIDs and WEP (Score:5, Informative)
Security Practicum: Essential Home Wireless Security Practices [arstechnica.com]
Re:SSIDs and WEP (Score:2)
Re: (Score:1)
Re:SSIDs and WEP (Score:3, Insightful)
Re:SSIDs and WEP (Score:2)
1. turn off SSID broadcasting
2. Use WEP 128bit encryption
3. Limit connections to specific MAC addresses
Is that good enough outside setting up VPN between hosts?
I am curious to know
Re:SSIDs and WEP (Score:4, Informative)
Remember - you don't have to be uncrackable, you just have to be harder to crack than the other guy. My WAP has 64bit WEP and that's it - but in my hood there are 4 WAPs, two of which are totally open - it is easier for someone that wants to play to get into those systems than to get into mine.
If security is a serious concern, consider installing (on a different channel) a nearby wireless access point with no encryption, with a SSID that seems to indicate that it is worth hacking into, on a lame box connected to the internet but not on your internal network. Keep your eyes on this box watching for intruders. I think the term is 'honeypot' but I am not overly fond of that term.
Re:SSIDs and WEP (Score:2, Insightful)
As for a honeypot to distract attackers, that may be interes
Re:SSIDs and WEP (Score:2)
perhaps not even connected to the Internet. I occasionally have to work in midtown Manhattan, which is wireless heaven. I do occasionally have to configure stuff by hand, such as guessing the default gateway and using known external DNS servers, but given enough time, I can pretty reliably get service from my office or hotel room.
One particularly annoying connection gave me a 192.168.1 address and let me ping 192.168.1.1 but do absol
Re:SSIDs and WEP (Score:2)
Never attribute to malice, that which is easily explained by ignorance. I would give about 50/50 odds that it was a wireless link between friends (Quake3A/UT/whatever deathmatch), and 50/50 that your first assessment was correct (somebody simply powered it up without plugging it into the Internet) - maybe swiped it from work to use as a network hub. Funny story though, tempts me to
Re:but do absolutely nothing else. (Score:2)
Most likely, neither solution is correct. The WIN box sharing the internet connection is in BSOD and nobody noticed it yet.
POP passwords are the biggest risk I see out there (Score:5, Informative)
It's amazing how many people who should know better are still using plain POP for grabbing their mail. Since most mail clients recheck for mail every few minutes, it's quite simple to grab passwords. Using those passwords, a hacker can then try the same password to enter the network, read the person's e-mail to do subsequent social engineering, or just fish around the person's e-mail for interesting information.
The second thing I think most people don't realize is that on a standard wireless network all the HTTP URLs they are surfing to with a web browser are public. This may not be a security risk, but companies also may not want a hacker in the parking lot to know that a server named secretinternaldata.mycompany.com exists.
I set up an SSH tunnel from my laptop to my squid proxy at home just for fun to see if I could fix the issue. It worked well, but of course it's not something the average end-user with a laptop on wireless could manage.
Anyway, that's my
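The two exposures described in this post (POP passwords and HTTP Host names crossing an open wireless link in the clear) are exactly what a defender's monitor should alert on. The following is an added example, not part of the original post: it scans a constructed, one-payload-per-line capture log, raises a finding for each cleartext POP3/IMAP login and each plaintext HTTP Host header, redacts the password itself, and pairs USER/PASS on the same flow so the report names which accounts now need a password change. The log format, addresses and account names are constructed for the example; the hostname secretinternaldata.mycompany.com is the one used in the post above.

```python
"""Detect cleartext mail credentials and exposed HTTP hostnames in a capture log.

Added example. The log format below (one TCP payload per line) and all
addresses, ports and account names are constructed for illustration.
"""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed line shape: "<ts> <src>:<sport> > <dst>:<dport> <payload>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+):(?P<sport>\d+) > (?P<dst>\S+):(?P<dport>\d+) (?P<payload>.*)$"
)
HOST_RE = re.compile(r"Host: (\S+)")


class Finding(NamedTuple):
    ts: str
    src: str
    dst: str
    kind: str
    detail: str  # username or hostname; never the password itself


def scan(capture: str) -> List[Finding]:
    """One finding per payload that leaks something over an unencrypted port."""
    findings: List[Finding] = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a payload line we understand
        ts, src, dst = m["ts"], m["src"], m["dst"]
        dport = int(m["dport"])
        payload = m["payload"]
        upper = payload.upper()
        if dport == 110:  # plain POP3: USER/PASS go across in the clear
            if upper.startswith("USER "):
                findings.append(Finding(ts, src, dst, "pop3-cleartext-user", payload.split(None, 1)[1]))
            elif upper.startswith("PASS "):
                findings.append(Finding(ts, src, dst, "pop3-cleartext-password", "<redacted>"))
        elif dport == 143 and " LOGIN " in upper:  # plain IMAP LOGIN command
            findings.append(Finding(ts, src, dst, "imap-cleartext-login", "<redacted>"))
        elif dport == 80:  # plaintext HTTP: the Host header names internal servers
            h = HOST_RE.search(payload)
            if h:
                findings.append(Finding(ts, src, dst, "http-host-exposed", h.group(1)))
        # 993/995 (IMAPS/POP3S) carry TLS records; nothing to read there.
    return findings


def exposed_accounts(capture: str) -> Set[Tuple[str, str]]:
    """(username, mail server) pairs whose USER and PASS both crossed the air in clear."""
    users: Dict[Tuple[str, str, str], str] = {}  # (src, sport, dst) -> username
    exposed: Set[Tuple[str, str]] = set()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != 110:
            continue
        flow = (m["src"], m["sport"], m["dst"])
        upper = m["payload"].upper()
        if upper.startswith("USER "):
            users[flow] = m["payload"].split(None, 1)[1]
        elif upper.startswith("PASS ") and flow in users:
            exposed.add((users[flow], m["dst"]))
    return exposed


# Constructed sample capture; 10.0.0.x clients talking to 192.0.2.x servers.
SAMPLE_CAPTURE = """\
10:00:01 10.0.0.5:49152 > 192.0.2.10:110 USER alice
10:00:01 10.0.0.5:49152 > 192.0.2.10:110 PASS hunter2
10:00:02 10.0.0.5:49153 > 192.0.2.20:80 GET /reports HTTP/1.1 Host: secretinternaldata.mycompany.com
10:00:03 10.0.0.5:49154 > 192.0.2.10:995 <tls application data>
10:00:04 10.0.0.6:49155 > 192.0.2.10:143 a1 LOGIN bob "pw"
10:00:05 10.0.0.7:49160 > 192.0.2.10:110 PASS lonely
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_CAPTURE):
        print(f"{f.ts} {f.src} -> {f.dst} {f.kind}: {f.detail}")
    print("accounts to reset:", sorted(exposed_accounts(SAMPLE_CAPTURE)))
```

The last sample line is a PASS with no matching USER on that flow: it still produces a finding (a password went out in clear), but `exposed_accounts` does not name an account for it, since the username was never observed.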
Re:POP passwords are the biggest risk I see out th (Score:5, Interesting)
The hoopla about physical access security obscures the point that *all* internet traffic and most intranet traffic is viewable by others. It is a good idea to assume that all your networks are open and to use VPN, ssh, etc. to secure your data. And *never* send plain-text passwords.
If you lock your data down under this assumption (that all network traffic may be intercepted) the impetus for clunky and insecure wireless access restrictions is much diminished.
Re:POP passwords are the biggest risk I see out th (Score:2)
Re:POP passwords are the biggest risk I see out th (Score:2, Insightful)
Thus, I just choose a mail-only password that I use for POP access. I guess a hacker could read my e-mail and maybe even send mail as me, but I've done what I can to minimize the risk of stupidly designed mailservers.
Re:POP passwords are the biggest risk I see out th (Score:4, Interesting)
One thing you could do, if you want to be a bit more secure, is to port forward port 110 using SSH to a server at home. Your POP password is still going out in the clear then, but it's going in the clear from your house, which is presumably more secure than going out over open wireless.
the tunnel would be something like this:
ssh -L 110:www.yourhomeserver.com:110 -f -N yourname@www.yourhomeserver.com
Here's a howto [tldp.org] that goes into a little more depth.
Re:POP passwords are the biggest risk I see out th (Score:2, Interesting)
many ISPs do not offer any other option
Use your ISP for connectivity and spend $30-35 a year for a better mail service.
For less than 3 bucks a month, you might even get HTTPS webmail thrown in ... some extra storage ... and one of those "lifetime" domain names that gives you some flexibility regarding additional accounts and spam control.
If email matters to you, it is doubtful you can find an ISP for twice the price that gives you mail security and your current level of non-mail speed and features (how
Re:POP passwords ... (Score:2)
Re:Disable wireless ability of wireless router? (Score:3, Informative)
Call me paranoid but I normally disable wireless mode unless I know I or someone else in my family needs it.
-Pat
Re:Disable wireless ability of wireless router? (Score:2, Informative)
Re:Disable wireless ability of wireless router? (Score:2)
Re:oddly shapped tin foil (Score:2)
Reducing Risks of Wireless Networks (Score:5, Informative)
Disclaimer: I work in Information Security.
But, by all means:
We now return you to your regularly scheduled programming.
Re:Reducing Risks of Wireless Networks (Score:5, Funny)
A funny aside:
I was in Park City visiting friends over the holidays. The ISP for the friend that I was staying at went out of business, so I walked around the house looking for another wireless AP.
At one corner of the house, I find one, and the name is the first initial and last name of the person running it. It's not running with any security so I'm able to hop onto the net. So, I feed in his first initial and last name and "park city" into google (on his own wireless, even) and google gives me his home address and phone number.
I felt like calling him to thank him for the free wireless access.
Re:Reducing Risks of Wireless Networks (Score:3, Insightful)
You should have. If he's left his network open for everyone to use and he's bright enough to change the network ID, then I'm sure he did this on purpose. I do the same and I expect others to do the same so that we can all get free net anywhere we go.
Re:Reducing Risks of Wireless Networks (Score:1)
One thing to add: I use Secure IMAP, SSH, SCP, and SSL for accessing most things work related. No cleartext passwords being transmitted by me for this exact reason that I'm always on other people's networks.
Can Linux Do This? (TM) (Score:2)
How do I tell iwconfig not to broadcast the essid?
Re:Reducing Risks of Wireless Networks (Score:2)
WEP, MAC filtering and stopping SSID broadcasting aren't really worth anything in terms of security - they might prevent the casual user from drifting in, but it is pretty clear that the security they provide is trivial at best and they are more of a hindrance to
Re:Reducing Risks of Wireless Networks (Score:1)
Funny, me too. I'll only address the things that I disagree with and leave the other points that stand alone.
APs should be configured so as not to broadcast their SSID.
Doesn't matter. It's trivial to determine the SSID. I can either catch a client associating to the AP or force any/all connections to disassociate and then catch the SSID when the card reassociates. I don't even need low-level 802.11b code to do this. A simple connection cutter writte
Re:Reducing Risks of Wireless Networks (Score:1)
While the 802.11x protocols provide little to no effective security within them, my comments were targeted towards the typical
Ultimately though, the most secure WAP is one which isn't turned on, but so
SSID broadcasting. (Score:2)
I got two USB WiFi devices and they would not work until I re-enabled SSID broadcasting.
When you buy devices it is not obvious if they will work without the SSID being broadcasted.
Perhaps a compilation of devices that are more secure should be gathered somewhere.
It's that time again... (Score:2)
I couldn't resist.
I shall now bathe in the cleansing flame.
What about WPA? (Score:1)
WPA has stronger encryption than WEP and authentication mechanisms built in. I work for a Credit Union processing/software company, and many financial institutions are waiting for WPA to become more mature before they jump into wireless.
For more info, google, or check this [wi-fi.com] out.
Re:What about WPA? (Score:1)
If I knew my bank or anyone else handling my financial information was using wireless to transmit my information I would go somewhere else. I don't trust wireless even if it is secure.
Any encryption that can be decrypted is instantly insecure.
Re:What about WPA? MOD PARENT UP!!! (Score:1)
All this talk of MAC-address locking, SSID changes, WEP key rotation. (All good steps if you can't use WPA)
And WPA fixes (almost) everything.
So while I give flinxmeister "The Hammer" for hitting the nail on the head, I've got to add my voice to the general theme, BANKS should NEVER go wireless.
Historic building? Asbestos? Cutting quarterly costs to make bonus targets? Fuggedaboutit. There ain't no "safe" wireless vis a vis any financial institution.
But for the rest of us, get the upgrades in
Re:What about WPA? MOD PARENT UP!!! (Score:1)
However, remember the title of the article: "Risk management". There is no safe way of banking or doing business...period. There are only various shades of grey. As long as a financial institution understands the risks and takes appropriate steps to mitigate the risks and shield their customers/members from damage, they can implement a given technology. The question this thread seems to be encountering is "what is
Re:What about WPA? (Score:1)
I work for a wireless switch vendor... (Score:4, Interesting)
The switch has all inline power ports to power the APs, which may or may not be directly connected. Each AP automatically creates an IPSEC tunnel back to the switch. The switch supports every auth method under the sun (EAP-TTLS being generally most secure) when combined with 802.1x (which includes dynamic WEP/WPA 2.0). The switch itself supports a per-user firewall, integrated, signature-based IDS (that detects things like monkeyjack and netstumbler), and terminates 2 Gbps of IPSEC (which includes the IPSEC client running on each user's machine).
All of this for a couple of grand. Secure wireless is possible, the market is demanding it, and vendors have come to meet that demand.
Re:I work for a wireless switch vendor... (Score:1)
I've seen a similar-sounding product from a company called Vernier Networks [verniernetworks.com]. Not only can you control access via a variety of VPN methods (including PPTP, L2TP over IPSEC, and vanilla IPSEC), but it can do limited transparent proxying with HTTP, amongst other things. It was very slick, and to be honest, this kind of network access control technology can be applied to a lot more than just Wi-Fi.
Re:I work for a wireless switch vendor... (Score:2)
A nameless UK store... (Score:3, Interesting)
This was a good 18 months ago though. I'd assume they've changed it now. I certainly made a point of telling them why I wasn't shopping there any more, rather than doing the whole 'your network is totally unsecure and I found out why' thing and getting myself arrested...
Wep isn't bad to begin with. (Score:2, Troll)
Home users are going to generate less traffic than businesses, and so it will take even longer to get enough traffic. Unless you happen to notice a van parked outside your house for a
Re:Wep isn't bad to begin with. (Score:4, Interesting)
From what I've seen most of my neighbors don't use their connection enough to get enough traffic but 1 or 2 do. In a test of AirSnort I got close to 1K interesting packets in 2 days for one network. Given a week or two of a system sitting in a corner I bet I could break it.
This is the main reason I totally dropped wireless in the new house. I had it wired with CAT5 for data everywhere I'd need it. I work a lot from home and have a site-to-site VPN and don't want to compromise that.
Your suggestions are good... But turning off SSID broadcast is overrated. As soon as a client associates I can get that. As soon as they associate I can get a MAC address to clone.
Conduct Wireless Audits (Score:4, Interesting)
I have been asked to assess companies and offered a wireless audit. They said "we don't use wireless". I checked anyway, and it turned out they DID have wireless (but didn't know about it) thanks to in one instance, a laptop acting as an AP and in another, a sysadmin who figured he'd plug in a wireless AP with built-in switch instead of a hub or switch, and wireless was turned on. This is all the more problematic as the laptop and wireless device were both inside the firewall and therefore represented a major hole.
Intruders may also leave wireless devices behind to save coming onto the site for subsequent eavesdropping. That is, they will bring your network to them rather than bringing themselves to your network.
In any case, fire up your stumbling application, a GOOD antenna and have a look around your own environment. You may be surprised what you see!
script kiddies (Score:2, Insightful)
Never mind the professional hackers with a 12 dB antenna engaged in corporate espionage...
I mean seriously, I think the scR1pt k1Dd13 n00bs are the least of our problems.
Let's not forget the next-door neighbor (Score:4, Interesting)
He'd left it open to facilitate use by visitors, but no longer.
Give me a break... (Score:1)
Wi-Fi Security Analysis (Score:1)
What Risk? Aside from kiddie pr0n? (Score:1)
I don't care about free riders. I want a few. Let the RIAA claim I have downloaded anything. . . I haven't and neither have my staff. BUT I would love the accusation.
The client data and the electronic filings are all encrypted (PGP on office systems or SSL in submission to the federal courts where most become a public record) and so is al
Re:What Risk? Aside from kiddie pr0n? (Score:1)
Re:What Risk? Aside from kiddie pr0n? (Score:1)
I also mentioned the bandwidth issue. I monitor system usage and will choke - or kill - all access when the free riders approach 50% saturation.
I have a wifi access point that is available to a few folks in a small town near a big city. The access is limited (by range) and aside from somebody putting a clandestine antenna and cable on my building - I should be able to actually SEE the person who accesses my wifi site.
You
Hmmm... (Score:1)
My company has recently begun implementing wireless networks, using all Cisco equipment.
Based on my reading, it looks like you should only use Spanning Tree Protocol with wireless bridges, not with access points. Why is this?
What's the difference between a wireless access point and a wireless bridge?
Re:Hmmm... (Score:1)
APs don't communicate with each other over their wireless interfaces--making for no redundant links. This is why STP is totally unnecessary on APs.
Bridges, however, do communicate with APs or other bridges, making redundant paths a possibility.
Thanks tomsnetworking.com!
Todd