Access Control and Site Security (Part 2)
(January 25, 2012)
© Abdou Illia – Spring 2012

Slide 2: Learning Objectives
- Discuss Site Security
- Discuss Wireless LAN Security

Slide 3: Site Security

Slide 4: Building Security Basics
- Single point of (normal) entry to building
- Fire doors and alarms
- Security centers
  - Monitors for closed-circuit TV (CCTV)
  - Videotapes that must be retained (don't reuse them too much or the quality will be bad)
- Interior doors to control access between parts of the building
- Prevent piggybacking, i.e. holding the door open so that someone can enter without identification, which defeats this protection

Slide 5: Building Security Basics (continued)
- Phone stickers with the security center phone number
- Prevent dumpster diving by keeping dumpsters in a locked, lighted area
- Training security personnel
- Training all employees
- Enforcing policies: you get what you enforce

Slide 6: Reading Questions
- Answer Reading Questions 1 posted to the course web site (in the Notes section)

Slide 7: 802.11 Wireless LAN Security

Slide 8: Basic Terminology
- Accidental association: a wireless device latching onto a neighboring access point when turned on. The user may not even notice the association
- Malicious association: intentionally setting a wireless device to connect to a network; installing rogue wireless devices to collect corporate info
- War driving: driving around looking for weak, unprotected WLANs

Slide 9: IEEE 802.11 WLAN standards

                          802.11b       802.11a      802.11g       802.11n*
  Unlicensed band         2.4 GHz       5 GHz        2.4 GHz       2.4 GHz or 5 GHz
  Rated speed             <= 11 Mbps    <= 54 Mbps   <= 54 Mbps    <= 300 Mbps
  Range (indoor/outdoor)  35 m/100 m    25 m/75 m    25 m/75 m     50 m/125 m
  # of channels           3             12           13            14
  * Under development

- 802.11g uses the Orthogonal Frequency Division Multiplexing (OFDM) modulation scheme to achieve higher speed than 802.11b
- [Figure: frequency spectrum from 0 Hz to infinity. AM radio service band: 535 kHz-1705 kHz. FM radio service band: 88 MHz-108 MHz. 802.11b WLAN: 2.4 GHz-2.4835 GHz]
- AM radio channels have a 10 kHz bandwidth; FM radio channels have a 200 kHz bandwidth
- Service band 2.4-2.4835 GHz divided into 13 channels
- Each channel is 22 MHz wide
- Channels spaced 5 MHz apart
- Channel 1 centered on 2412 MHz; channel 13 centered on 2472 MHz
- Transmissions spread across multiple channels
- 802.11b and 802.11g devices use only channels 1, 6 and 11 to avoid transmission overlap

Slide 10: 802.11 Wireless LAN (WLAN) Security
- Basic operation:
  - Main wired network for servers (usually 802.3 Ethernet)
  - Wireless stations with wireless NICs
  - Access points for spreading service across the site
  - Access points are internetworking devices that link 802.11 LANs to 802.3 Ethernet LANs

Slide 11: 802.11 Wireless LAN operation
- 802.11 refers to the IEEE Wireless LAN standards
- [Figure: the client PC (a notebook with a PC Card wireless NIC) sends (1) an 802.11 frame containing the packet to the access point; the access point forwards it as (2) an 802.3 frame containing the packet to the Ethernet switch; the switch delivers it (3) to the server]

Slide 12: 802.11 Wireless LAN operation
- [Same figure as slide 11]
1. If the AP is 802.11n-compliant, it could communicate with the notebook even if the notebook has an 802.11a NIC. T F
2. The wireless AP needs to have an 802.3 interface. T F
3. The switch needs to have at least one wireless port. T F
4. How many layers should the wireless AP have to perform its job?

Slide 13: Summary Question (1)
Which of the following is among wireless access points' functions?
a) Convert electric signal into radio wave
b) Convert radio wave into electric signal
c) Forward messages from wireless stations to devices in a wired LAN
d) Forward messages from one wireless station to another
e) All of the above
f) Only c and d

Slide 14: MAC Filtering
- The access point could be configured to only allow mobile devices with specific MAC addresses
- Today, attack programs exist that could sniff MAC addresses and then spoof them
- [Figure: access point with a MAC access control list: U1-E2-13-6D-G1-90, 01-23-11-23-H1-80, ..., 10-U1-7Y-2J-6R-11, O9-2X-98-Y6-12-TR]

Slide 15: IP Address Filtering
- The access point could be configured to only allow mobile devices with specific IP addresses
- An attacker could:
  - Get an IP address by guessing based on the company's range of IP addresses
  - Sniff IP addresses
- [Figure: access point with an IP address access control list: 139.67.180.80, 139.67.180.110, ..., 139.67.180.75, 139.67.180.1/24-139.67.180.30/24]

Slide 16: SSID: Apparent 802.11 Security
- Service Set Identifier (SSID)
- It's a "network name" of up to 32 characters
- Access points come with a default SSID. Example: "tsunami" for Cisco or "linksys" for Linksys
- All access points in a WLAN have the same SSID
- Mobile devices must know the SSID to "talk" to the access points
- The SSID is frequently broadcast by the access point for ease of discovery
- SSIDs in frame headers are transmitted in clear text
- SSID broadcasting could be disabled, but it's a weak security measure
- Sniffer programs (e.g. Kismet) can find SSIDs easily

Slide 17: Wired Equivalent Privacy (WEP)
- Standard originally intended to make wireless networks as secure as wired networks
- With WEP, mobile devices need a key that is used with an Initialization Vector to create a traffic key
- Typical WEP key lengths: 40-bit, 128-bit, 256-bit
- The WEP key is shared by mobile devices and access points
- Problems: shared keys create a security hole; WEP is not turned on by default
- WEP authentication process:
  1. Wireless station sends an authentication request to the AP
  2. AP sends back a 128-bit challenge text in plaintext
  3. Wireless station encrypts the challenge text with its WEP key and sends the result to the AP
  4. AP regenerates the WEP from the received result, then compares it to its own WEP
  5. AP sends a success or failure message
- Open source WEP cracking software: aircrack-ng, weplab, WEPCrack, airsnort

Slide 18: 802.11i and Temporal Key Integrity Protocol (TKIP)
- In 2004, the IEEE 802.11 working group developed a security standard called 802.11i to be implemented in 802.11 networks
- 802.11i tightens security through the use of the Temporal Key Integrity Protocol (TKIP)
- TKIP can be added to existing APs and NICs
- TKIP uses a 128-bit key (that changes) to encrypt the WEP

Slide 19: Wi-Fi Protected Access (WPA) or using an authentication server
- [Figure: RADIUS server / WAP gateway. 1. Authentication request from the applicant to the access point. 2. Access point passes the request on to the RADIUS server. 3. RADIUS server gets user Lee's data from a directory server or Kerberos server (optional; the RADIUS server may store authentication data). 4. Accept applicant, key = XYZ. 5. OK, use key XYZ]
- RADIUS is an AAA
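The channel layout on the 802.11 standards slide (channel 1 centered on 2412 MHz, 5 MHz spacing, 22 MHz channel width, 13 channels) is enough to derive every channel's center frequency and to check which channel sets are free of overlap. The following Python is an added example, not part of the slides; the constants come from the slide, and `max_disjoint_set` goes slightly beyond the slide by computing the largest non-overlapping set rather than just stating it.

```python
"""Added example: 2.4 GHz 802.11b/g channel geometry from the slide's figures."""

CHANNEL_1_CENTER_MHZ = 2412   # slide: channel 1 centered on 2412 MHz
CHANNEL_SPACING_MHZ = 5       # slide: channels spaced 5 MHz apart
CHANNEL_WIDTH_MHZ = 22        # slide: each channel is 22 MHz wide
BAND_START_MHZ = 2400.0       # slide: service band 2.4 - 2.4835 GHz
BAND_END_MHZ = 2483.5
NUM_CHANNELS = 13             # slide: band divided into 13 channels


def center_mhz(channel: int) -> int:
    """Center frequency of channel 1..13 in MHz."""
    if not 1 <= channel <= NUM_CHANNELS:
        raise ValueError(f"channel {channel} is outside 1..{NUM_CHANNELS}")
    return CHANNEL_1_CENTER_MHZ + CHANNEL_SPACING_MHZ * (channel - 1)


def edges_mhz(channel: int) -> tuple[float, float]:
    """Lower and upper edge of the 22 MHz wide channel."""
    c = center_mhz(channel)
    return c - CHANNEL_WIDTH_MHZ / 2, c + CHANNEL_WIDTH_MHZ / 2


def in_service_band(channel: int) -> bool:
    """True when the whole channel lies inside 2.4 - 2.4835 GHz."""
    lo, hi = edges_mhz(channel)
    return BAND_START_MHZ <= lo and hi <= BAND_END_MHZ


def overlaps(a: int, b: int) -> bool:
    """True when two distinct channels share spectrum.

    Equal-width channels overlap exactly when their centers are closer
    than one channel width (22 MHz); neighbours 5 MHz apart always do.
    """
    if a == b:
        return False
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping(channels) -> bool:
    """True when no pair in the set overlaps (e.g. the slide's 1, 6, 11)."""
    chans = sorted(set(channels))
    return all(not overlaps(x, y)
               for i, x in enumerate(chans) for y in chans[i + 1:])


def max_disjoint_set() -> list[int]:
    """Largest set of mutually non-overlapping channels.

    Greedy scan from channel 1: keep a channel whenever it does not
    overlap the last kept one. For equally spaced channels this greedy
    choice is optimal, and it reproduces the slide's 1, 6, 11.
    """
    chosen: list[int] = []
    for ch in range(1, NUM_CHANNELS + 1):
        if not chosen or not overlaps(chosen[-1], ch):
            chosen.append(ch)
    return chosen


if __name__ == "__main__":
    for ch in range(1, NUM_CHANNELS + 1):
        lo, hi = edges_mhz(ch)
        print(f"channel {ch:2d}: {center_mhz(ch)} MHz ({lo:.1f}-{hi:.1f})")
    print("non-overlapping set:", max_disjoint_set())
```

Running the module prints the 13 center frequencies and confirms that channel 13 sits at 2472 MHz as the slide states. Channels 1 and 5 overlap (centers 20 MHz apart, less than the 22 MHz width), while 1 and 6 do not (25 MHz apart), which is why a site survey places neighbouring access points on 1, 6 and 11.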
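The MAC filtering and IP address filtering slides describe an access point allowlist and note that sniffed MAC and IP addresses can be spoofed. The Python below is an added example, not the slides' material or any vendor's firmware: it implements the two allowlists and adds the one cheap detection a defender can get from them, flagging an allowed MAC that shows up from more than one IP at the same time. The MAC and IP values are constructed sample data (the slide's own MAC entries contain non-hex characters and are not reused), and the slide's "139.67.180.1/24-139.67.180.30/24" entry is interpreted here as the address range .1 to .30, which is an assumption.

```python
"""Added example: AP MAC/IP allowlist with duplicate-MAC alerting."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Association:
    """One association/DHCP event as the AP would see it."""
    mac: str
    ip: str
    seen_at: int  # seconds since boot (constructed sample value)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 00-11-22-.. and 00:11:22:.. match."""
    mac = mac.strip().lower().replace("-", ":")
    parts = mac.split(":")
    if len(parts) != 6 or not all(len(p) == 2 and
                                  all(c in "0123456789abcdef" for c in p)
                                  for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(parts)


class AccessPointFilter:
    """MAC allowlist + IP allowlist (single addresses and inclusive ranges)."""

    def __init__(self, allowed_macs, allowed_ips, allowed_ranges):
        self.macs = {normalize_mac(m) for m in allowed_macs}
        self.ips = {ipaddress.ip_address(i) for i in allowed_ips}
        self.ranges = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
                       for lo, hi in allowed_ranges]
        # mac -> IPs currently associated under that MAC
        self.sessions: dict[str, set[str]] = defaultdict(set)

    def ip_allowed(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return addr in self.ips or any(lo <= addr <= hi
                                       for lo, hi in self.ranges)

    def decide(self, assoc: Association) -> tuple[bool, list[str]]:
        """Return (allowed, alerts) for one association attempt.

        The decision keys only on fields the sender controls (the slide's
        point: both can be sniffed and spoofed), so the alert list is the
        part that actually helps a defender.
        """
        alerts: list[str] = []
        mac = normalize_mac(assoc.mac)
        allowed = mac in self.macs and self.ip_allowed(assoc.ip)
        if allowed:
            self.sessions[mac].add(assoc.ip)
            if len(self.sessions[mac]) > 1:
                alerts.append(
                    f"t={assoc.seen_at}: MAC {mac} active from "
                    f"{sorted(self.sessions[mac])}; possible spoofed MAC")
        return allowed, alerts


if __name__ == "__main__":
    ap = AccessPointFilter(
        allowed_macs=["00:11:22:33:44:55"],          # constructed sample
        allowed_ips=["139.67.180.80"],               # from the slide's ACL
        allowed_ranges=[("139.67.180.1", "139.67.180.30")],
    )
    for ev in [Association("00-11-22-33-44-55", "139.67.180.80", 0),
               Association("aa:bb:cc:dd:ee:ff", "139.67.180.80", 1),
               Association("00:11:22:33:44:55", "139.67.180.25", 2)]:
        print(ev, "->", ap.decide(ev))
```

The third event is the interesting one: the legitimate device is already associated from .80 when the same MAC appears from .25, so the AP allows it (the allowlist cannot tell the two apart) but raises an alert. The check only fires when both parties are active with different IPs at once; an attacker that clones both the MAC and the IP after the real device leaves is indistinguishable to this filter, which is the slide's argument for not relying on it.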
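The SSID slide says the network name is carried in clear text in frame headers and that disabling SSID broadcast is a weak measure. The following Python is an added example, not from the slides or from Kismet: it constructs a minimal 802.11 beacon frame (a constructed sample, no FCS) and parses the SSID information element back out of it, exactly what a passive sniffer does. The "hidden" case shows what disabling broadcast actually changes in the beacon: the SSID element is still present, only its value is blanked.

```python
"""Added example: build and parse an 802.11 beacon frame's SSID element."""
import struct

MGMT_HEADER_LEN = 24           # frame control, duration, 3 addresses, seq ctrl
BEACON_FIXED_LEN = 12          # timestamp (8) + beacon interval (2) + capability (2)
CAP_PRIVACY = 0x0010           # capability bit: WEP/encryption required
IE_SSID, IE_RATES, IE_DS_PARAM = 0, 1, 3


def build_beacon(ssid: bytes, channel: int, bssid: bytes) -> bytes:
    """Constructed sample beacon: management frame, subtype 8, no FCS."""
    if len(ssid) > 32:
        raise ValueError("SSID is limited to 32 characters")  # per the slide
    frame_control = b"\x80\x00"         # type 0 (management), subtype 8 (beacon)
    duration = b"\x00\x00"
    broadcast = b"\xff" * 6             # beacons are addressed to everyone
    seq_ctrl = b"\x00\x00"
    header = frame_control + duration + broadcast + bssid + bssid + seq_ctrl
    fixed = struct.pack("<QHH", 0, 100, 0x0401 | CAP_PRIVACY)
    ies = bytes([IE_SSID, len(ssid)]) + ssid               # SSID in the clear
    ies += bytes([IE_RATES, 4, 0x82, 0x84, 0x8B, 0x96])    # 1, 2, 5.5, 11 Mbps
    ies += bytes([IE_DS_PARAM, 1, channel])                # current channel
    return header + fixed + ies


def parse_beacon(frame: bytes) -> dict:
    """Extract BSSID, SSID, channel and privacy flag from a beacon frame."""
    if len(frame) < MGMT_HEADER_LEN + BEACON_FIXED_LEN:
        raise ValueError("frame too short for a beacon")
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 8:
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    body = frame[MGMT_HEADER_LEN:]
    _timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
    info = {"bssid": bssid, "beacon_interval": interval,
            "privacy": bool(capability & CAP_PRIVACY),
            "ssid": None, "hidden": False, "channel": None}
    offset = BEACON_FIXED_LEN
    while offset + 2 <= len(body):                 # walk the tagged elements
        tag, length = body[offset], body[offset + 1]
        value = body[offset + 2: offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        offset += 2 + length
        if tag == IE_SSID:
            # A "non-broadcast" SSID is sent as a zero-length or all-zero value;
            # the element itself is still there and the name is never encrypted.
            if length == 0 or not value.strip(b"\x00"):
                info["hidden"], info["ssid"] = True, ""
            else:
                info["ssid"] = value.decode("utf-8", errors="replace")
        elif tag == IE_DS_PARAM and length == 1:
            info["channel"] = value[0]
    return info


if __name__ == "__main__":
    sample_bssid = bytes.fromhex("001122334455")   # constructed sample
    print(parse_beacon(build_beacon(b"linksys", 6, sample_bssid)))
    print(parse_beacon(build_beacon(b"", 11, sample_bssid)))
```

The first frame yields the default name from the slide, the channel and the privacy bit straight from the bytes on the air; the second shows that a hidden SSID only empties the element. The same SSID element also appears in probe requests and probe responses whenever a legitimate client connects, which is why the slide calls non-broadcast a weak measure and why inventory of what your own access points advertise is the useful defensive use of a parser like this.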
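The five-step WEP authentication process on the WEP slide is a shared-key challenge-response, and its whole strength rests on the key that the slide says is shared by every mobile device and access point. The Python below is an added example, not the slides' material or any real driver: it plays both sides of the exchange with a plain RC4 implementation, forming the per-frame traffic key as IV concatenated with the shared key, as the slide's "key used with an Initialization Vector" describes. Step 4 is implemented as the AP decrypting the response with its own key and comparing it to the challenge it issued. The standard's challenge text is 128 octets (the slide says 128 bits), and the CRC-32 integrity value real WEP appends before encryption is omitted here; the station MAC is a constructed sample.

```python
"""Added example: WEP shared-key authentication exchange, both sides."""
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR data with the keystream.
    Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def traffic_key(iv: bytes, wep_key: bytes) -> bytes:
    """WEP per-frame RC4 key: 24-bit IV || shared key (slide: key + IV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 3 bytes")
    return iv + wep_key


class AccessPoint:
    def __init__(self, wep_key: bytes):
        self.wep_key = wep_key
        self.pending: dict[str, bytes] = {}   # station -> outstanding challenge

    def handle_auth_request(self, station_mac: str) -> bytes:
        """Steps 1-2: on a request, send a 128-octet challenge in plaintext."""
        challenge = os.urandom(128)
        self.pending[station_mac] = challenge
        return challenge

    def handle_auth_response(self, station_mac: str, iv: bytes,
                             ciphertext: bytes) -> bool:
        """Steps 4-5: decrypt with our key; success iff the challenge reappears."""
        challenge = self.pending.pop(station_mac, None)
        if challenge is None:
            return False                       # no outstanding challenge: reject
        return rc4(traffic_key(iv, self.wep_key), ciphertext) == challenge


class Station:
    def __init__(self, wep_key: bytes):
        self.wep_key = wep_key

    def answer_challenge(self, challenge: bytes) -> tuple[bytes, bytes]:
        """Step 3: pick an IV, encrypt the challenge, send IV and result."""
        iv = os.urandom(3)
        return iv, rc4(traffic_key(iv, self.wep_key), challenge)


def run_authentication(station: Station, ap: AccessPoint,
                       station_mac: str = "00:11:22:33:44:55") -> bool:
    """Drive the full exchange and return the AP's success/failure verdict."""
    challenge = ap.handle_auth_request(station_mac)
    iv, ciphertext = station.answer_challenge(challenge)
    return ap.handle_auth_response(station_mac, iv, ciphertext)


if __name__ == "__main__":
    shared = bytes.fromhex("0123456789")       # constructed 40-bit sample key
    print("same key:     ", run_authentication(Station(shared), AccessPoint(shared)))
    print("different key:", run_authentication(Station(b"\x00" * 5), AccessPoint(shared)))
```

Note what the AP has verified at the end: only that the responder could produce a valid encryption under the one key every station and access point already holds. There is no per-user identity in the exchange, so losing the key anywhere (a stolen laptop, a departed employee) means re-keying every device, which is the "shared keys create a security hole" problem the slide names and the reason the next slides move to 802.11i and per-user RADIUS authentication.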