Rogue Access Points – Threat to Enterprise Security

issue.qxd 10/04/2003 16:23 Page 4

wireless security

Bruce Potter

This is a new series dedicated to the issues of protecting wireless networks. The column will deal with new threats, standards, products, auditing of wireless networks and secure network architectures.

The number of deployed wireless LAN networks has exploded over the last several years. Much of wireless networking’s popularity can be attributed to the ease of use and inexpensive availability of equipment based on the IEEE 802.11 specifications. Home users and global enterprises have embraced 802.11 as a way to decrease deployment time and increase productivity. Throughout this period of growth, there has also been a focus on wireless security. A wireless network is not constrained by the same physical boundaries as a wired network. The 802.11 specification includes a security mechanism known as Wired Equivalent Privacy (WEP). WEP provides rudimentary authentication and data encryption for wireless clients. Beyond WEP, many vendors implement firewalls and MAC address filtering in an attempt to protect the internal network infrastructure and wireless clients. What is often overlooked, however, is the threat posed by rogue access points. Much effort has been put into securing the known infrastructure from attackers and snoopers. The real threat to your enterprise is the unknown infrastructure deployed either by a malicious attacker or an ignorant insider.

Internal rogue Access Points

In a properly deployed wireless network, the access points (APs) are on a separate network from the rest of the corporate network. Access from the wireless network to the wired resources is tightly controlled and monitored to prevent unauthorized access. These controls are generally enforced at the gateway to the wireless network. The internal network itself is usually flat and unprotected. This is the soft underbelly of most corporate networks. By plugging an access point directly into the internal network, any security mechanism at the network edge is completely bypassed.

An employee may bring in an AP for their own use for many reasons. Maybe the corporate wireless coverage is weak in their area, or perhaps they do not have access to specific resources from the wireless network. It may be something as simple as a complete lack of wireless networking in your enterprise and the employee taking it upon himself to deploy a network for the “good of the company.” Whatever the reason, the employee has created a gaping hole into your corporate network.

In an effort to keep rogue APs out of your network, your information security policy should explicitly prohibit unauthorized employees from installing wireless equipment. Also, if possible, your network should filter out traffic from all unknown MAC addresses. While this solution will keep rogue APs out of the network, it can be a difficult solution to implement. As part of your standard information security procedure, security personnel should periodically wardrive (or warwalk) your own facilities with a tool such as AirMagnet [1] or Kismet [2]. When a rogue AP is detected within your facilities, it should be handled in line with your company’s incident handling procedures.

External rogue Access Points

Unlike internal rogue APs, which open the door for attackers, an external rogue AP is an active attack against your network. An external rogue AP is deployed by an attacker with an identical SSID (i.e. network name) to your corporate wireless network. Since 802.11 management frames are unauthenticated, a client machine is unable to tell the difference between a legitimate enterprise AP and the rogue AP deployed by an attacker. When presented with a choice of two APs with the same SSID, a client will automatically associate with the AP with the stronger signal.

Once an attacker has forced clients to associate with their AP, they can attempt several different attacks depending on what information they are after. First, the AP may simply be a ‘black hole’ for traffic: associated clients try to send traffic, but the AP simply drops it. This is an effective denial-of-service attack that has frustrated more than a few network administrators. The AP may act as a man in the middle by relaying traffic back to your corporate network, manipulating interesting data and logging useful information. Finally, the attacker can utilize a bit of social engineering to obtain user credentials. For instance, an attacker may present a Web page to the wireless clients indicating that their wireless session has expired and prompting them to enter their username and password to continue. While simplistic, it only takes one user to fall for this trick to give an attacker something of real value to launch a deeper attack into your network.

Detecting and shutting down external rogue APs is difficult. A laptop or PDA acting as an AP can be hidden in a backpack or pocket of someone outside your building, or, using a directional antenna aimed at your building, an attacker may be miles away. Nonetheless, attempting to detect these APs is an important part of your information security procedures. Security personnel should be trained to recognize external rogue APs via foreign MAC addresses or other footprints which are available using tools such as AirMagnet or Kismet.

Besides detecting external rogue APs, preventing damage from them is critical. First, make sure you are using WEP. Most clients, including Windows XP and Linux, can be configured to only connect to specific SSIDs and, further, to only connect if the AP supports WEP encryption. Even though WEP keys can be cracked, using WEP raises the bar. The next step is to deploy end-to-end authentication for all client associations. 802.1x, a local network authentication protocol, provides mechanisms for bi-directional verification of both the wireless client and the back-end authentication server. 802.1x does not explicitly authenticate the AP. However, when using EAP-TLS, an authentication method within 802.1x, the client is able to verify the authenticity of the back-end server. An external rogue AP will not be able to connect to the back-end authentication server because it is disconnected from your internal network. The client, unable to successfully authenticate, will not associate with the rogue AP. Finally, educate your user base to recognize when they may be under a social engineering attack via a rogue AP. Advise them not to enter their credentials into non-standard interfaces, such as an unfamiliar Web page, when they are using the wireless network. They should report any unusual events to information security staff.

Inside or out, detect and prevent

When deploying a wireless network, it is important to remember that an attacker can do more than sniff traffic or attempt to gain access to your infrastructure. More and more, attackers are attempting to fool wireless clients by pretending to be a valid access point. Further, your own employees may be installing huge holes in your network disguised as a personal access point brought in from home. By constantly monitoring for rogue APs and deploying systems in a manner resistant to the threat posed by them, your wireless and wired network will provide a secure foundation for your enterprise’s activities.

[1] AirMagnet – An 802.11 network diagnostic tool for Windows and PocketPC – www.airmagnet.com
[2] Kismet – An 802.11 network analysis tool for Linux – www.kismetwireless.net
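The detection and client-policy checks the column describes (flagging a foreign MAC address that advertises the corporate SSID, spotting open APs found during a warwalk, and a client that only joins its configured SSID when encryption is offered), as an added Python example that is not part of the original column; every BSSID, SSID and vendor prefix in it is constructed.

```python
from dataclasses import dataclass

# Constructed inventory (not real identifiers): SSID, authorized BSSIDs, AP vendor OUI.
CORP_SSID = "corpnet"
AUTHORIZED_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}
CORP_AP_OUI = "00:11:22"

@dataclass
class ScanRecord:  # one AP seen by Kismet/AirMagnet during a warwalk
    bssid: str
    ssid: str
    signal_dbm: int
    encrypted: bool  # WEP in the column's terms; any link-layer encryption today

def classify(rec: ScanRecord) -> str:
    """Verdict for one observed AP against the inventory."""
    bssid = rec.bssid.lower()
    if bssid in AUTHORIZED_BSSIDS:
        return "authorized"
    if rec.ssid == CORP_SSID:
        # A foreign MAC address advertising our network name: the evil-twin case.
        return "external-rogue-candidate"
    if bssid.startswith(CORP_AP_OUI):
        # Our AP vendor but not in inventory: an unregistered unit, still rogue.
        return "unregistered-ap"
    # Any other AP seen inside the building is unknown; an open one is the
    # classic employee-installed AP that bypasses the wireless gateway.
    return "internal-rogue-candidate" if not rec.encrypted else "unknown-ap"

def strongest_corp_ap_is_rogue(records) -> bool:
    """True when a client that picks the strongest signal would land on a rogue."""
    corp = [r for r in records if r.ssid == CORP_SSID]
    best = max(corp, key=lambda r: r.signal_dbm, default=None)
    return best is not None and best.bssid.lower() not in AUTHORIZED_BSSIDS

def client_would_join(rec: ScanRecord) -> bool:
    """Client policy from the column: configured SSID only, and only with encryption."""
    return rec.ssid == CORP_SSID and rec.encrypted

# Constructed scan: two inventory APs, an open evil twin with the strongest signal,
# an open consumer AP, an unregistered unit from our vendor, and a neighbour's AP.
SAMPLE_SCAN = [
    ScanRecord("00:11:22:AA:BB:01", "corpnet", -60, True),
    ScanRecord("00:11:22:aa:bb:02", "corpnet", -70, True),
    ScanRecord("de:ad:be:ef:00:01", "corpnet", -45, False),
    ScanRecord("c0:ff:ee:00:00:01", "home-ap", -55, False),
    ScanRecord("00:11:22:aa:bb:09", "corpnet-test", -65, True),
    ScanRecord("02:aa:bb:cc:dd:ee", "neighbour-wifi", -80, True),
]
```

A rogue that copies the SSID and also enables WEP passes the client-side check, which is why the column goes on to recommend 802.1x with EAP-TLS.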

About the Author

Bruce Potter has a broad information security background that includes deployment of wireless networks. Trained in computer science at the University of Alaska Fairbanks, Bruce served as a senior technologist at several hi-tech companies. Bruce is the founder and President of Capital Area Wireless Network. In 1999 Bruce founded The Shmoo Group, a group of security professionals scattered throughout the world. Bruce co-authored 802.11 Security, published through O'Reilly and Associates. He is co-authoring Mac OS X Security, to be published by New Riders Publishing in May of 2003.

Early Alerts – Making Sense of Security Information Overload

Kevin Hawkins, Senior Principal Consultant, Symantec Corp.

Knowledge is power – never more so than when it comes to security. Knowing what the threats are, and where vulnerabilities lie, will make the difference between a successful defence and an expensive security breach. Speaking from personal experience, the typical security manager is now bombarded with information from a variety of sources, both internal and external, every minute of every hour. There are firewall logs, Intrusion Detection System (IDS) logs, vulnerability reports and patching levels, not to mention breaches of policy by staff to be dealt with. Making sense of all this information, and acting on it effectively, is a monumental task.

Research shows that a typical medium sized organization will, on average, receive 9.5 million log entries and alerts per month, generated by firewalls and IDS devices across the enterprise. After correlating the data from the various sources, an average of 620 security events will require further investigation. After weeding out the false positives – a major task in itself – some 55 of these will be determined to constitute some sort of security threat.
