
Document: Hack proofing your wireless network


Description:

1 YEAR UPGRADE BUYER PROTECTION PLAN™

Protect Your Wireless Network From Attack

• Complete Coverage of Wireless Standards: IEEE 802.15, HomeRF, IEEE 802.11, IEEE 802.16, Bluetooth, WEP, and WAP
• Complete Case Studies: Using Closed Systems, Deploying IP Over the WLAN, Utilizing a VPN, Filtering MAC Addresses, and More!
• Hundreds of Damage & Defense, Tools & Traps, and Notes from the Underground Sidebars, Security Alerts, and FAQs

Christian Barnes
Tony Bautts
Donald Lloyd
Eric Ouellet
Jeffrey Posluns
David M. Zendzian
Neal O’Farrell, Technical Editor

[email protected]

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

[email protected] is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
■ “Ask the Author” customer query forms that enable you to post questions to our authors and editors.
■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase.
Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

www.syngress.com/solutions

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” and “Ask the Author UPDATE®,” are registered trademarks of Syngress Publishing, Inc. “Mission Critical™,” “Hack Proofing™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Hack Proofing Your Wireless Network

Copyright © 2002 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

ISBN: 1-928994-59-8

Technical Editor: Neal O’Farrell
Cover Designer: Michael Kavish
Technical Reviewer: Jeffrey Posluns
Page Layout and Art by: Shannon Tozier
Acquisitions Editor: Catherine B. Nolan
Copy Editor: Michael McGee
Developmental Editor: Kate Glennon
Indexer: Ed Rush

Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, and Frida Yara of Publishers Group West for sharing their incredible marketing experience and expertise.

Jacquie Shanahan and AnnHelen Lindeholm of Elsevier Science for making certain that our vision remains worldwide in scope.

Annabel Dent of Harcourt Australia for all her help.
David Buckland, Wendi Wong, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.

Lois Fraser, Connie McMenemy, Shannon Russell and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.

Contributors

Donald Lloyd (CCNA, CCSE, CCSA), co-author of Designing a Wireless Network (Syngress Publishing, ISBN: 1-928994-45-8), is a Senior Consultant at Lucent Worldwide Services (Enhanced Services and Sales) and a Regional Leader for their Fixed Wireless Practice. His specialties include network security architecture and wireless network design, as well as the implementation of Juniper routers. Donald’s background includes a successful career with International Network Services, and now Lucent Technologies. Besides “unwiring” corporate offices, Donald has spent considerable time designing and deploying secure wireless networks in remote oil and gas fields. These networks not only carry voice and data traffic, but also help energy companies monitor the pipelines that carry these commodities.

David M. Zendzian is CEO and High Programmer with DMZ Services, Inc. He provides senior IT and security solutions to single person startups and multi-national corporations “anywhere the Net touches.” His specialties include large- and small-scale IT and security designs, deployments, infrastructure audits, and complete managed support.
David’s background includes positions with Wells Fargo Bank as a Security Consultant where he developed and evaluated platform-specific security standards, assisted with identification of security risks to applications, and designed bank interconnectivity projects that required firewalls, VPNs, and other security devices. He was also a founding partner in one of the first Internet service providers of South Carolina and founder of the first wireless ISP in the Carolinas, Air Internet. David is an active Debian Linux developer who maintains packages for network audio streaming (icecast, liveice) and the PGP Public Keyserver (pks). He has provided patches to several projects, most notably to the Carnegie Mellon Simple Authentication and Security Layer (SASL). David studied computer science at the oldest municipal college in America, The College of Charleston in Charleston, SC. He currently lives in the San Francisco area with his wife, Dana. David would like to thank Change and N8 for providing support and critical commentary needed to finish this work.

Eric Ouellet (CISSP) is a Senior Partner with Secure Systems Design Group, a network design and security consultancy based in Ottawa, Ontario, Canada. He specializes in the implementation of networks and security infrastructures from both a design and a hands-on perspective. Over his career, he has been responsible for designing, installing, and troubleshooting WANs using CISCO, Nortel, and Alcatel equipment, configured to support voice, data, and video conferencing services over terrestrial, satellite relay, wireless, and trusted communication links. Eric has also been responsible for designing some of the leading Public Key Infrastructure deployments currently in use and for devising operational policy and procedures to meet the Electronic Signature Act (E-Sign) and the Health Insurance Portability and Accountability Act (HIPAA).
He has provided his services to financial, commercial, government, and military customers including US Federal Government, Canadian Federal Government, and NATO. He regularly speaks at leading security conferences and teaches networking and CISSP classes. He is currently working on two upcoming titles with Syngress Publishing, Building a Cisco Wireless LAN (ISBN: 1-928994-58-X) and Sniffer Network Optimization and Troubleshooting Handbook (ISBN: 1-931836-57-4). Eric would like to acknowledge the understanding and support of his family and friends during the writing of this book, and “The Boys” for being who they are.

Christian Barnes (CCNP, CCDA, MCSE, MCP+I, CNA, A+) is a member of the Consulting Staff at Lucent Worldwide Services (Enhanced Services and Sales). He is a contributing author to Designing a Wireless Network (Syngress Publishing, ISBN: 1-928994-45-8) and he currently provides technical consultation to clients in the South Central Region for Lucent Technologies. His areas of expertise include Cisco routers and switches, wide area network architecture, troubleshooting and optimization, network security, wireless access, and Microsoft NT and 2000 networking design and support. Chris has worked with clients such as Birch Telecom, Williams Energy, and the Cerner Corporation.

Randy Hiser is a Senior Network Engineer for Sprint’s Research, Architecture and Design Group, with design responsibilities for home distribution and DSL self-installation services for Sprint’s Integrated On Demand Network. He is knowledgeable in the area of multimedia services and emerging technologies, has installed and operated fixed wireless MMDS facilities in the Middle East, and has patented network communication device identification in a communication network for Sprint. He lives with his wife, Deborah, and their children, Erin, Ryan, Megan, Jesse, and Emily, in Overland Park, KS.
Andy McCullough (BSEE, CCNA, CCDA) has been in network consulting for over seven years. He is currently a Distinguished Member of the Consulting Staff at Lucent Worldwide Services (Enhanced Services and Sales). Andy has done architecture and design work for several global customers of Lucent Technologies including Level 3 Communications, Sprint, MCI/WorldCom, the London Stock Exchange, and British Telecom. His areas of expertise include network architecture and design, IP routing and switching, and IP multicast. Prior to working for Lucent, Andy ran a consulting company and a regional ISP. Andy is co-author of Building Cisco Remote Access Networks (Syngress Publishing, ISBN: 1-928994-13-X). He is also an Assistant Professor at a community college in Overland Park, KS, where he teaches networking classes.

Tony Bautts is a Senior Security Consultant with Astech Consulting. He currently provides security advice and architecture for clients in the San Francisco Bay area. His specialties include intrusion detection systems, firewall design and integration, post-intrusion forensics, bastion hosting, and secure infrastructure design. Tony’s security experience has led him to work with Fortune 500 companies in the United States as well as two years of security consulting in Japan. He is also involved with the BerkeleyWireless.net project, which is working to build neighborhood wireless networks for residents of Berkeley, CA.

Jeffrey A. Wheat (Lucent WaveLAN Wireless Certification, FORE ATM Certification) is a Principal Member of the Consulting Staff at Lucent Worldwide Services. He currently provides strategic direction and architectural design to Lucent Service Provider and Large Enterprise customers. He is an ATM and Testing Methodology Subject Matter Expert within Lucent, and his specialties include convergence architectures and wireless architectures.
Jeff’s background with Lucent includes design engagements with Metricom, Sprint ION, Sprint PCS, Raytheon, and Marathon Oil. Prior to his employment with Lucent, Jeff spent 11 years working for the U.S. Intelligence Agencies as a network architect and systems engineer. Jeff graduated from the University of Kansas in 1986 with a Bachelor of Science degree in Computer Science and currently resides in Kansas City with his wife, Gabrielle, and their two children, Madison and Brandon.

Technical Editor

Neal O’Farrell is founder and CEO of security training firm Hackademia Inc., where he oversees the development of more than 30 Web-based security training courses. Neal is a panel expert and regular columnist on SearchSecurity.com and was recently elected Chair of the first Cybercrime on Wall Street Conference. He has written more than one hundred articles and three books, appearing in publications as diverse as Business Week, Information Week, NetWorker, and Wireless Design News. With a career in information security that spans nearly two decades, Neal was recently described by the Institute for International Research as one of the world’s top 20 security experts. Neal got his first taste of wireless security in the mid-1980s when he was asked by the Irish government to develop a security system for the nation’s fledgling cellular network. In 1989 he co-hosted with IBM one of Europe’s first network security conferences, and later helped Nokia incorporate security into their first generation of cellular telephones. As the head of the European crypto firm Intrepid, Neal leads the development of some of the world’s most advanced voice, data, and fax encryption systems, including MilCode, a European rival of the U.S. government’s Secure Telephone Unit (STU 3).
Technical Reviewer

Jeffrey Posluns (CISA, CISSP, CCNP, SSCP, GSEC) is an information security specialist with over eight years of specialized experience in security methodologies, audits, and controls. He has extensive expertise in the analysis of hacker tools and techniques, intrusion detection, security policies, and incident response procedures. Jeffrey has held the position of Chief Technology Officer of SecureOps for the past three years, where he has the responsibility of bringing technical vision and strategy to the company, overseeing the development and implementation of all technological initiatives, and being a key resource in the research and development of new practices, methodologies, procedures, and information assets. Jeffrey is a regular speaker at industry conferences organized by such groups as the Information Systems Audit and Control Association (ISACA) and the Association of Certified Fraud Examiners (ACFE). He also speaks regularly for, and participates in, various panels and working groups promoting information security awareness with the Canadian IT, government, and law enforcement industries.

Contents

Foreword

Answers to Your Wireless Questions
Q: Will i-Mode be available in North America or Europe?
A: Although i-Mode parent NTT DoCoMo has ownership stakes in several North American and European cellular operators, it is not expected that i-Mode, as it currently exists, will be offered in these markets. This is primarily due to the limited 9.6 Kbps access rates.
Chapter 1 The Wireless Challenge

Introduction
Wireless Technology Overview
Defining Cellular-based Wireless
Defining the Wireless LAN
The Convergence of Wireless Technologies
Trends and Statistics
Increasing Use of Information Appliances
The Future of Wireless, circa 2005
Understanding the Promise of Wireless
Wireless Networking
Wireless Networking Applications for Business
Wireless Networking Applications for Consumers
Understanding the Benefits of Wireless
Convenience
Flexibility
Roaming
Mobility
Affordability
Speed
Aesthetics
Productivity
Facing the Reality of Wireless Today
Standards Conflicts
Commercial Conflicts
Market Adoption Challenges
The Limitations of “Radio”
Radio Range and Coverage
Use of Antennas
Interference and Coexistence
The Limitations of Wireless Security
Cellular-based Wireless Networks and WAP
Wireless LAN Networks and WEP
Examining the Wireless Standards
Cellular-based Wireless Networks
Communications Technologies
Wireless LAN Networks
802.11 WLAN
HomeRF
802.15 WPAN
802.16 WMAN
Understanding Public Key Infrastructures and Wireless Networking
Overview of Cryptography
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 2 A Security Primer

Introduction
Understanding Security Fundamentals and Principles of Protection
Ensuring Confidentiality
Ensuring Integrity
Ensuring Availability
Ensuring Privacy
Ensuring Authentication
Ensuring Authorization
Ensuring Non-repudiation
Accounting and Audit Trails
Using Encryption
Encrypting Voice Data
Encrypting Data Systems
Reviewing the Role of Policy
Identifying Resources
Understanding Classification Criteria

Tools & Traps… Clear-text Authentication
An example of a brute-force password dictionary generator that can produce a brute-force dictionary from specific character sets can be found at www.dmzs.com/tools/files. Other brute force crackers, including POP, Telnet, FTP, Web and others, can be found at http://packetstormsecurity.com/crackers.

Implementing Policy
Recognizing Accepted Security and Privacy Standards
Reviewing Security Standards
Early Security Standards
Understanding the Common Criteria Model
ISO 17799/BS 7799
ISO 7498-2
ISO 10164-8
ISO 13888
Reviewing Privacy Standards and Regulations
NAIC Model Act
Gramm-Leach-Bliley Act
HIPAA
Electronic Signatures in the Global and National Commerce Act
COPPA
Civil Liability Law
Addressing Common Risks and Threats
Experiencing Loss of Data
Loss of Data Scenario
Experiencing Denial and Disruption of Service
Disruption of Service Scenario
Eavesdropping
Eavesdropping Scenario
Preempting the Consequences of an Organization’s Loss
Security Breach Scenario
Summary
Solutions Fast Track
Frequently Asked Questions

Fixed Wireless Technologies
In a fixed wireless network, both transmitter and receiver are at fixed locations, as opposed to mobile. The network uses utility power (AC). It can be point-to-point or point-to-multipoint, and may use licensed or unlicensed spectrums.

Chapter 3 Wireless Network Architecture and Design

Introduction
Fixed Wireless Technologies
Multichannel Multipoint Distribution Service
Local Multipoint Distribution Services
Wireless Local Loop
Point-to-Point Microwave
Wireless Local Area Networks
Why the Need for a Wireless LAN Standard?
What Exactly Does the 802.11 Standard Define?
Does the 802.11 Standard Guarantee Compatibility across Different Vendors?
802.11b
802.11a
802.11e
Developing WLANs through the 802.11 Architecture
The Basic Service Set
The Extended Service Set
Services to the 802.11 Architecture
The CSMA-CA Mechanism
The RTS/CTS Mechanism
Acknowledging the Data
Configuring Fragmentation
Using Power Management Options
Multicell Roaming
Security in the WLAN
Developing WPANs through the 802.15 Architecture
Bluetooth
HomeRF
High Performance Radio LAN
Mobile Wireless Technologies
First Generation Technologies
Second Generation Technologies
2.5G Technology
Third Generation Technologies
Wireless Application Protocol
Global System for Mobile Communications
General Packet Radio Service
Short Message Service
Optical Wireless Technologies
Exploring the Design Process
Conducting the Preliminary Investigation
Performing Analysis of the Existing Environment
Creating a Preliminary Design
Finalizing the Detailed Design
Executing the Implementation
Capturing the Documentation
Creating the Design Methodology
Creating the Network Plan
Gathering the Requirements
Baselining the Existing Network
Analyzing the Competitive Practices
Beginning the Operations Planning
Performing a Gap Analysis
Creating a Technology Plan
Creating an Integration Plan
Beginning the Collocation Planning
Performing a Risk Analysis
Creating an Action Plan
Preparing the Planning Deliverables
Developing the Network Architecture
Reviewing and Validating the Planning Phase
Creating a High-Level Topology
Creating a Collocation Architecture
Defining the High-Level Services
Creating a High-Level Physical Design
Defining the Operations Services
Creating a High-Level Operating Model
Evaluating the Products
Creating an Action Plan
Creating the Network Architecture Deliverable
Formalizing the Detailed Design Phase
Reviewing and Validating the Network Architecture
Creating the Detailed Topology
Creating a Detailed Service Collocation Design
Creating the Detailed Services
Creating a Detailed Physical Design
Creating a Detailed Operations Design
Creating a Detailed Operating Model Design
Creating a Training Plan
Developing a Maintenance Plan
Developing an Implementation Plan
Creating the Detailed Design Documents
Understanding Wireless Network Attributes from a Design Perspective
Application Support
Subscriber Relationships
Physical Landscape
Network Topology
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 4 Common Attacks and Vulnerabilities

Introduction
The Weaknesses in WEP
Criticisms of the Overall Design
Weaknesses in the Encryption Algorithm

Notes from the Underground… Lucent Gateways broadcast SSID in clear on encrypted networks
It has been announced (www.securiteam.com/securitynews/5ZP0I154UG.html) that the Lucent Gateway allows an attacker an easy way to join a closed network. Lucent has defined an option to configure the wireless network as “closed.” This option requires that to associate with the wireless network a client must know and present the SSID of the network. Even if the network is protected by WEP, part of the broadcast messages the gateway transmits in cleartext includes the SSID. All an attacker need do is sniff the network to acquire the SSID; they are then able to associate with the network.

Weaknesses in Key Management
Weaknesses in User Behavior
Conducting Reconnaissance
Finding a Target
Finding Weaknesses in a Target
Exploiting Those Weaknesses
Sniffing, Interception, and Eavesdropping
Defining Sniffing
Sample Sniffing Tools
Sniffing Case Scenario
Protecting Against Sniffing and Eavesdropping
Spoofing and Unauthorized Access
Defining Spoofing
Sample Spoofing Tools
Spoofing Case Scenario
Protecting Against Spoofing and Unauthorized Attacks
Network Hijacking and Modification
Defining Hijacking
Sample Hijacking Tools
Hijacking Case Scenario
Protection against Network Hijacking and Modification
Denial of Service and Flooding Attacks
Defining DoS and Flooding
Sample DoS Tools
DoS and Flooding Case Scenario
Protecting Against DoS and Flooding Attacks
The Introduction of Malware
Stealing User Devices
Summary
Solutions Fast Track
Frequently Asked Questions