Developing a Secure Wireless Infrastructure - Pt. 4

Extensible Authentication Protocol

EAP. This protocol carries the message exchange during the authentication process. It is used with IEEE 802.1X port-based access control to authenticate users against a RADIUS (Remote Authentication Dial-In User Service) server. Enterprise authentication via EAP Transport Layer Security (EAP-TLS), Lightweight EAP (LEAP), Protected EAP (PEAP), or EAP Tunneled TLS (EAP-TTLS) is advised. EAP is a standard authentication framework, of which about 40 different methods exist, including those just named. EAP supplies common functions and a negotiation mechanism, but not a specific authentication method. It operates at the link layer without requiring IP, and therefore includes its own support for delivery and retransmission.

  • Cisco's Lightweight EAP (LEAP) uses mutual password authentication between the station and the AP; however, LEAP's challenge/response is not encrypted, so it is vulnerable to offline dictionary attacks.
  • EAP-TLS requires mutual certificate authentication between stations and servers; the EAP exchange is protected from eavesdropping by the TLS tunnel.
  • EAP-TTLS and Protected EAP (PEAP) authenticate servers by certificate and stations by password, with the password exchange protected by tunneling it over TLS.

Enable MAC filtering. The Media Access Control (MAC) address is a unique identifying number assigned to each network device. Enabling MAC filtering in your AP improves your network's security by accepting transmissions only from PCs with specific MAC addresses. You can also prevent certain MAC addresses from accessing the network.

To obtain the MAC address of the machine you are sitting at, run "getmac" at the command line. To ascertain the MAC addresses of other computers on your network, run "arp -a".

However, be mindful that an attacker may be able to do the same, and once they have those MAC addresses they may spoof them with a third-party utility such as SMAC, SpoofMac, XArp, QuickSpoof, Mac Makeup or MacIP Change. Additionally, some NICs allow you to change the physical address in the advanced properties of the driver, or in the Registry.

Changing your MAC address in Linux takes two easily scripted commands:

    ifconfig eth0 down hw ether 00:00:00:00:00:01

    ifconfig eth0 up

These two commands set your eth0 interface to use the MAC 00:00:00:00:00:01. Substitute the NIC you want to set and the MAC address you want to use into the commands above and you are done.

To view and change MACs in Cisco IOS:

    show mac-address-table        - display the MAC address table
    mac-address xxxx.xxxx.xxxx    - change the MAC address
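As an added example (not part of the original article), the following Python audits ARP cache entries of the kind "arp -a" produces against a MAC allow-list from the defender's side: it flags addresses that are not on the list, allowed addresses that appear under more than one IP, and addresses with the locally administered bit set, a hint that the MAC was assigned in software as in the ifconfig example above. The allow-list, the sample "arp -a" lines and the interface names are constructed.

```python
import re
from collections import defaultdict

# Allow-list of MAC addresses permitted on the WLAN (constructed sample values).
ALLOWED_MACS = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"}

# Constructed "arp -a" output: one Windows-style line, then Linux-style lines.
# An allowed MAC shows up under a second IP, and one entry uses the address
# from the ifconfig example above.
SAMPLE_ARP_OUTPUT = """\
  192.168.1.10          00-1a-2b-3c-4d-5e     dynamic
? (192.168.1.11) at 00:1a:2b:3c:4d:5f [ether] on wlan0
? (192.168.1.12) at 00:1a:2b:3c:4d:5e [ether] on wlan0
? (192.168.1.13) at 00:00:00:00:00:01 [ether] on wlan0
? (192.168.1.14) at 02:42:ac:11:00:02 [ether] on wlan0
"""

# IPv4 address followed later on the line by a colon- or dash-separated MAC.
ARP_LINE = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?"
                      r"(?P<mac>(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})")

def normalize_mac(mac):
    """Lower-case, colon-separated form so 00-1A-.. and 00:1a:.. compare equal."""
    return mac.lower().replace("-", ":")

def is_locally_administered(mac):
    """Bit 1 of the first octet set: address assigned in software, not burned in."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def parse_arp(text):
    """Return (ip, mac) pairs from arp -a output, Linux or Windows format."""
    return [(m.group("ip"), normalize_mac(m.group("mac")))
            for m in map(ARP_LINE.search, text.splitlines()) if m]

def audit(pairs, allowed):
    """Flag MACs outside the allow-list, locally administered MACs, and allowed
    MACs seen under more than one IP (the same address is being reused)."""
    findings, ips_by_mac = [], defaultdict(set)
    for ip, mac in pairs:
        ips_by_mac[mac].add(ip)
        if mac not in allowed:
            findings.append(("not_allowed", ip, mac))
        if is_locally_administered(mac):
            findings.append(("locally_administered", ip, mac))
    for mac, ips in ips_by_mac.items():
        if mac in allowed and len(ips) > 1:
            findings.append(("duplicate_mac", ",".join(sorted(ips)), mac))
    return findings
```

Feed the captured output of "arp -a" to parse_arp and pass the result with your own allow-list to audit; each finding is a (kind, ip, mac) tuple.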

Wireless Usage

Remote Access

There are a number of methods for the mobile worker to communicate with the home office. There are applications such as LogMeIn, TeamViewer, products from Citrix, and the RDP utility built into the Windows OS.

Mobile workers using guest WLANs and hot spots should use VPNs to protect themselves, no matter what local measures are employed by the visited network. A VPN tunnel controls access to the visitor's own network; 802.1X controls access to the guest WLAN. A tunnel prevents eavesdropping from end to end; WPA/TKIP prevents eavesdropping on the air link only.

We are also seeing enterprises use the cloud for mobile workers. A concern here is that if the cloud is not owned by and under the direct control of the business entity, there is a risk that data may be lost, corrupted, or intercepted.

Wireless personal area network (WPAN). WPANs are very useful to the mobile worker, and they are being implemented more frequently. A WPAN is a personal area network for interconnecting devices centered on an individual person's workspace, in which the connections are wireless. Typically, a WPAN uses a technology that permits communication from a few inches to within about 10 meters (33 feet). A few of the common technologies are Wi-Fi, Bluetooth, and ZigBee. These technologies operate in the unlicensed 2.4 GHz band, known as the industrial, scientific and medical (ISM) band.

WPAN issues. While wireless networks are exposed to many of the same risks as wired networks, they are vulnerable to additional risks as well. Wireless networks transmit data through radio frequencies, and are open to intruders unless protected. Intruders have exploited this openness to access systems, destroy or steal data, and launch attacks that tie up network bandwidth and deny service to authorized users. Another risk is the theft of the small and portable devices themselves.

An additional concern is that MAC addresses are sent in plaintext over the air. A wireless access point such as a router is given a unique MAC address, as are Wi-Fi equipped laptops, mobile phones and even printers. An important and necessary feature of the MAC address, for the proper functioning of a wireless communications network, is that it be visible in transmitted data frames, whether or not the wireless network is encrypted (“Wi-Fi Positioning Systems: Beware of Unintended Consequences 2011”).

Via Wi-Fi Positioning Systems (WPS), the MAC address for a Wi-Fi access point becomes an index for a geo-location reference point.  Companies known as location aggregators are building and/or maintaining databases of the MAC addresses of these Wi-Fi access points for commercial purposes, and provide access to third parties interested in location-based applications and advertising. Since the MAC address was designed to be persistent and unique over the lifetime of a Wi-Fi device, in a WPS, it identifies Wi-Fi devices that are closely associated with individuals – not only stationary routers, but also personal laptops and mobile phones.

For all of the aforementioned reasons, we should have policies that clearly state which forms of dual connections are prohibited for WLAN client devices, and enforce these policies through the appropriate security controls. If an attacker gains unauthorized wireless access to a dual-connected client device, the attacker could then use it to access or attack resources on the wired network. Organizations should consider the risks posed not only by the traditional form of dual connections, but also by other forms involving multiple wireless networks. It is common today for client devices to connect to multiple wireless networks simultaneously, such as cell phone, WiMAX, Bluetooth, and WLAN networks (“Guidelines for Securing Wireless Local Area Networks", 2012).

Armed Forces

As regards the military, enemy forces could eavesdrop on or jam communications by scanning the frequency spectrum and monitoring for “spikes”, which indicate a carrier signal. Once a carrier is found, they may tune their receiver to the same frequency, listen in on communications, intercept them, or pretend to be part of friendly forces.

Mitigation. One technique to mitigate this is frequency-hopping spread spectrum (FHSS). FHSS transmits radio signals by rapidly switching a carrier among many frequency channels, using a pseudo-random sequence known to both transmitter and receiver.

These radios constantly switch from one frequency to another during the transmission, and they automatically synchronize with each other. If someone monitored any single frequency during the conversation, as a scanner would, all they would hear is a microsecond blip of noise. In addition, spread-spectrum signals are highly resistant to deliberate jamming unless the adversary knows the sequencing algorithm. This is reminiscent of the capture of the German Enigma cipher machine: with that in hand, the Allies were privy to Axis communications.

While FHSS is very useful, its traffic is not encrypted, and there are methods to determine the algorithm used to sequence the frequencies. Thus, in conjunction with FHSS, for added security and encryption the military has used NSA-supplied sequence generators with HAVE QUICK and SINCGARS (Skinner). Other encryption devices that the NSA has deployed for the US government are the KY-5 (Vinson, n.d.) and, in 2012, “Fishbowl”, a secure VOIP phone (Best, n.d.).
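To make the hopping argument concrete, here is an added Python model (not from the article or any fielded radio) in which both radios derive the channel for each time slot from a shared seed; an HMAC-SHA256 keyed with that seed stands in for the pseudo-random sequence generator, and the channel count, seed and message are constructed values. It shows the peer recovering everything, a fixed-frequency scanner hearing only the few slots that land on its channel (in plaintext, since FHSS does not encrypt), and a single-channel jammer removing only those same slots.

```python
import hmac
import hashlib

NUM_CHANNELS = 50  # channels the carrier hops among (assumed for the model)

def hop_channel(seed, slot, num_channels=NUM_CHANNELS):
    """Channel used in a given time slot. HMAC-SHA256 keyed with the shared
    seed stands in for the pseudo-random sequence generator both radios hold
    (a modelling assumption, not a fielded design)."""
    digest = hmac.new(seed, slot.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % num_channels

def transmit(seed, message):
    """One byte per slot; the 'air' is {slot: (channel, byte)}. The payload
    goes out as-is: hopping hides where a symbol is, not what it says."""
    return {slot: (hop_channel(seed, slot), byte) for slot, byte in enumerate(message)}

def receive_with_seed(seed, air):
    """A radio holding the seed retunes every slot; it keeps a byte only if the
    symbol is on the channel it expects and was not jammed (None)."""
    out = bytearray()
    for slot in sorted(air):
        channel, byte = air[slot]
        if byte is not None and channel == hop_channel(seed, slot):
            out.append(byte)
    return bytes(out)

def scan_fixed_channel(channel, air):
    """A scanner parked on one frequency hears only the slots that land there:
    the 'blip of noise' of the text, here as a few scattered plaintext bytes."""
    return {slot: byte for slot, (ch, byte) in air.items() if ch == channel}

def jam_channel(channel, air):
    """A single-frequency jammer corrupts only the slots on its channel."""
    return {slot: (ch, None if ch == channel else byte) for slot, (ch, byte) in air.items()}

def demo(seed=b"shared-hop-seed", message=b"HOLD POSITION UNTIL 0400 " * 8):
    """Return (bytes recovered by the peer, bytes heard by a scanner parked on
    the channel of slot 0, bytes recovered by the peer under jamming of that
    channel). Seed and message are constructed sample values."""
    air = transmit(seed, message)
    peer = receive_with_seed(seed, air)
    heard = scan_fixed_channel(hop_channel(seed, 0), air)
    jammed_peer = receive_with_seed(seed, jam_channel(hop_channel(seed, 0), air))
    return peer, heard, jammed_peer
```

An adversary who holds the seed (or has recovered the sequencing algorithm, as the text warns) is just another receive_with_seed call, which is why the military pairs FHSS with encryption.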


Hand-held transceivers and vehicular computer-based communication systems allow law enforcement officers to communicate with each other and with any necessary databases, and aid them in making life-or-death decisions in an instant. One such example is a system offered by Cisco (“Mobile communication brings the office to the patrol car”).

The basis for the mobile communication system is a local IP network in the patrol vehicle with a mobile IP router at its core. Terminals and peripheral devices are linked via Ethernet. In addition to pre-installed car PCs or laptops, other possible devices include IP video cameras, scanners, printers or VOIP phones. Communication with the police central servers is via HSDPA, which offers an average of 500 kbit/s for downloads and 250 to 350 kbit/s for uplinks. If the vehicle moves out of HSDPA range, transmissions roll over to EDGE (GSM) automatically.

Fire and Emergency Personnel

The communication needs of fire and emergency personnel are unique. Firefighters face a wide variety of environmental challenges: temperature extremes, wet and humid atmospheres, working above or below ground, and loud noise from apparatus, warning devices, tools and the fire itself. Some of the newer features that increase firefighter safety are:

· Voice channel announcement — This feature uses prerecorded voice prompts to tell the firefighter which channel the radio is on as the channel select knob is moved.

· Emergency indications — Radios on the fire-ground receive an indication of emergency activations on the assigned channel.

· Personnel accountability — In new systems there are more radio ID numbers available. This makes it possible for each radio to have an individual ID code enabling identification of the unit and specific position of the unit on an emergency activation. If tied to roster information in a computer-aided dispatch (CAD) system, identification of the individual firefighter is possible.

· Tones — Many radios use tones as an indication of trunked system access, out of range, repeater access, encrypted channel, and others. Use of tones may provide added awareness to the firefighter and, thus, increase safety. (“Voice Radio Communications Guide for the Fire Service”)

Radio Frequency Identification

Passports. RFID tags are on many everyday items: on products we purchase, where they assist in inventory control and loss prevention, and on our drivers’ licenses and passports. The Department of Homeland Security (DHS) announced in January 2006 the PASS System (People, Access Security Service), which would utilize vicinity radio frequency identification (RFID) technology at land border ports of entry. The credit card-sized passport card contains a vicinity RFID chip that uses a number to link to secure databases, allowing Customs and Border Protection (CBP) officers to determine a traveler’s citizenship and identity when entering U.S. land and sea ports of entry.

However, researcher Chris Paget built a device, at a cost of $250, that was able to sniff and then clone the RFIDs of passports. He says he has read the tags at 217 feet, but believes the same apparatus, set up under better conditions, could read them at 1,000 feet.

Paget's device consisted of a Symbol XR400 RFID reader manufactured by Motorola, a Motorola AN400 patch antenna mounted to the side of his car, and a Dell 710m laptop connected to the RFID reader by Ethernet cable. The laptop runs a Windows application Paget developed that continuously prompts the RFID reader to look for tags and logs the serial number each time one is detected. He bought most of the gear via auctions on eBay.

Passive RFID chips are powered by the radio waves sent to them, and they use that power to respond with a signal that is picked up by a receiver associated with the transmitter. "The tag needs a burst of power to turn on, then drops down in power," he says.

The chips used in the Black Hat demo responded by tuning the radio waves they reflect: they absorb some of the energy to power the chip, which then determines how much of the signal to reflect back at the transmitter. The chips operate in the 900 MHz ISM band; in RFID applications, the maximum power used to transmit radio waves to the chips is 1 Watt (Koscher, 2008).


Whatever the protocol, encryption or delivery method, consideration must be given to the key tenets of Confidentiality, Integrity and Availability. Where there are potentially millions of users on a network, the attendant risks rise exponentially. With such a large network, the results could be catastrophic if malware were introduced into the network and disseminated to millions of end-users. Thus, great care must be taken to ensure that all data on the network remain confidential. One method of implementing this is via ACLs, and file and volume encryption.

The same proviso holds true for the integrity of the data. The key to this component of the CIA triad is protecting data from modification or deletion by unauthorized parties, and ensuring that when authorized people make changes, those changes are not irreversible. To protect the integrity of the data, municipal systems may find themselves backing up citizens' data, much as a web hosting company might. Here again, ACLs, and file and volume encryption may be implemented. These issues influence network performance and availability for other end-users, and present technical and legal conundrums that must be addressed.
