Slashdot Mirror
Risk Management of Wireless Networks
An anonymous reader writes "As wireless becomes a bigger part of our networks, those of us charged with maintaining them find ourselves also responsible for keeping drive-by script kiddies with a Pringles can out. BankInfoSecurity.com is running an excellent article on identifying and mitigating risks on wireless networks. The article was written by members of the Office of the Comptroller of the Currency (OCC) for banks, but it's applicable to any network environment and clearly lays out all the key steps to protecting wireless systems." There's nothing new here, really, but it's a good overview of issues to keep in mind when building a wireless net, as well as a good security plan starting point.
Just have your wireless devices set to a DMZ that opens to one page, a VPN portal. Then you have a wireless connection, with VPN providing your security. Voila...a little bit more cumbersome, but isn't your network integrity worth it?
The switch has all inline power ports to power the APs, which may or may not be directly connected. Each AP automatically creates an IPSEC tunnel back to the switch. The switch supports every auth method under the sun (EAP-TTLS being generally most secure) when combined with 802.1x (which includes dynamic WEP/WPA 2.0). The switch itself supports a per-user firewall, integrated, signature-based IDS (that detects things like monkeyjack and netstumbler), and terminates 2 Gbps of IPSEC (which includes the IPSEC client running on each user's machine.
All of this for a couple of grand. Secure wireless is possible, the market is demanding it, and vendors have come to meet that demand.
I agree 100%.
The hoopla about physical access security obscures the point that *all* internet traffic and most intranet traffic is viewable by others. It is a good idea to assume that all your networks are open and to use VPN, ssh, etc. to secure your data. And *never* send plain-text passwords.
If you lock your data down under this assumption (that all network traffic may be intercepted) the impetus for clunky and insecure wireless access restrictions is much diminished.
used to use WiFi between it's checkouts and inventory system. No encryption, SSID broadcasts were switched on and everything, to the extent that we used to sit in the car park and surf the web via their connection for hours on end on Saturday afternoons.
This was a good 18 months ago though. I'd assume they've changed it now. I certainly made a point of telling them why I wasn't shopping there any more, rather than doing the whole 'your network is totally unsecure and I found out why' thing and getting myself arrested...
If you are responsible for a company's security, you should regularly search for wireless nodes within your organization which you are not aware of WHETHER OR NOT you are using wireless as policy.
I have been asked to assess companies and offered a wireless audit. They said "we don't use wireless". I checked anyway, and it turned out they DID have wireless (but didn't know about it) thanks to in one instance, a laptop acting as an AP and in another, a sysadmin who figured he'd plug in a wireless AP with built-in switch instead of a hub or switch, and wireless was turned on. This is all the more problematic as the laptop and wireless device were both inside the firewall and therefore represented a major hole.
Intruders may also leave wireless devices behind to save coming onto the site for subsequent eavesdropping. That is, they will bring your network to them rather than bringing themselves to your network.
In any case, fire up your stumbling application, a GOOD antenna and have a look around your own environment. You may be surprised what you see!
Do you or your partner snore? - Visit www.snoring.com.au
the government will ever allow sensitive or classified information to go on a wireless link, even if it is "secured".. there's just too much freedom in the air between origin and destination.
Drat, what are we going to do with the $8.5 billion we already spent on the satelites?
But what about your neighbors? From my office upstairs in my house I can see 9 wireless networks. 24 hours to get enough data? That's easy. That is what concerns me. You never know who you live around and they have all the time they want to break it.
From what I've seen most of my neighbors don't use their connect enough to get enough traffic but 1 or 2 do. In a test of AirSnort I got close to 1K interesting packets in 2 days for one network. Given a week or two of a system sitting in a corner I bet I could break it.
This is the main reason I totally dropped wireless in the new house. I had it wired with CAT5 for data everywhere I'd need it. I work a lot from home and have a site-to-site VPN and don't want to compromise that.
Your suggestions are good... But turning off SSID broadcast is overrated. As soon as a client associates I can get that. As soon as they associate I can get a MAC address to clone.
(not only do you have to read my posts, you have to read me replying to my own post).
I realized that I over-simplified the re-addressing problem.
From the UCLA paper:
"Active Attack from Both Ends
The previous attack can be extended further to decrypt arbitrary traffic. In this case, the attacker makes a guess about not the contents, but rather the headers of a packet. This information is usually quite easy to obtain or guess; in particular, all that is necessary to guess is the destination IP address. Armed with this knowledge, the attacker can flip appropriate bits to transform the destination IP address to send the packet to a machine he controls, somewhere in the Internet, and transmit it using a rogue mobile station. Most wireless installations have Internet connectivity; the packet will be successfully decrypted by the access point and forwarded unencrypted through appropriate gateways and routers to the attacker's machine, revealing the plaintext. If a guess can be made about the TCP headers of the packet, it may even be possible to change the destination port on the packet to be port 80, which will allow it to be forwarded through most firewalls."
A.
...bringing you cynical quips since 1998
Yeah, I see a lot of people stuck like that with insecure POP, and a lot of people who use the same password for their home account (which is almost always POP only) as they do for their work account. Bad bad bad.
One thing you could do, if you want to be a bit more secure, is to port forward port 110 using SSH to a server at home. Your POP password is still going out in the clear then, but it's going in the clear from your house, which is presumably more secure that going out over open wireless.
the tunnel would be something like this:
ssh -L 110:www.yourhomeserver.com:110 -f -N yourname@www.yourhomeserver.com
Here's a howto that goes into a little more depth.
- "When you want something with all your heart, the entire universe conspires to give it to you" -Paulo Coelho
He'd left it open to facilitate use by visitors, but no longer.
Mencken had it right. So glad that's old news.
So, for kicks, I took my libretto to the office on my next visit and fired up kismet.
They are wide open. No WEP, Windoze boxes (including the domain controllers) all easily accessible. A quick port scan showed all types of vulnerable services and such. I did not take the time to go further, but figure that getting patient records would not be too difficult.
From the port scans, it seems that this small office is also on the same subnet as other businesses in the area. WTF???
So what is one to do? I dare not tell them what I found, what with the risk of being labeled a terrorist and all. I thought that an anonymous letter to them might be best. But how can I be sure that they ever fix the problem?