www.slideproject.com 1
A Guide to Securing Networks for Wi-Fi (IEEE 802.11 Family).pptx
Team: Yousef S. Almatieb (ID: 120220023)
Supervisor: Prof. Dr. Eng. Mohammad A. Mikki
Outline
Introduction
Threat Types
Threat Remediation
Recommended Requirements for Enterprise Wireless Networking
Recommended Requirements for WIDS/WIPS
Recommended Requirements for Wireless Surveys
Budget Estimation Guide
Bluetooth Security Considerations
1. Introduction
This guide summarizes best practices and technical guidance for securing networks against wireless threats and for implementing wireless access to networks securely.
It focuses on IEEE 802.11 Wi-Fi technology and does not cover commercial mobile networks (e.g., 3GPP, LTE).
Because Wi-Fi is everywhere, risk assessments must consider wireless risks and how they could affect confidentiality, availability, and integrity.
Due to the growing number of network attacks and the widespread use of wireless technology, various security guides have emerged from businesses, the government, and the Department of Defense (DoD).
• Two SANS CIS Critical Security Controls (CSC 12 and CSC 15) target wireless risks.
• SANS Institute: SysAdmin, Audit, Network, and Security.
https://www.cisecurity.org/controls/service-provider-management
https://www.cisecurity.org/controls/network-infrastructure-management
• The main recommendation is to deploy a wireless intrusion detection system (WIDS) and a wireless intrusion prevention system (WIPS) on all networks, even those that do not offer wireless access, in order to detect and disconnect unauthorized wireless users.
• CSC 12 and CSC 15 recommend monitoring inter-trust network communication, emphasizing the use of WIDS in the technical approach.
• What is the difference between WIPS and WIDS?
• WIPS: monitors your wireless network traffic and stops any unauthorized network activity.
2. Threat Types
Failure to address wireless security exposes enterprise networks to the following
threats:
• Hidden or Rogue Access Points (APs): unauthorized wireless APs attached to the enterprise network may not transmit their service set identifier (SSID) to hide their existence.
• Evil Twin
• Misconfigured APs: some AP configurations are left at factory defaults, such as usernames and passwords or default broadcast WLAN names (SSIDs), and these default settings may be found in the specific vendor's manuals on the internet.
  Examples of a default username/password database for some of the Linksys wireless home devices are
• Banned Devices: devices not allowed on the network by organizational policy (e.g., wireless storage devices).
• Client Mis-association
• Rogue Clients: unauthorized clients attaching to the network.
• Unauthorized Association: an AP-to-AP association that can violate the security perimeter of the network.
• Ad hoc Connections: a peer-to-peer network connection that can violate the security perimeter of the network.
• Denial of Service (DoS) Attacks: an attack that seeks to overwhelm the system, causing it to fail or degrading its usability.
So, what can we do about it?
3. Threat Remediation
• WIDS and WIPS are used to continuously protect a wireless network and, in some cases, a wired network from unauthorized users.
• A WIDS/WIPS capability provides immediate automated alerts to the enterprise security operations center (SOC) and can be configured to automatically prevent any clients from attaching to rogue APs.
• WIDS/WIPS provides the ability to centrally monitor and manage enterprise wireless security.
• WIDS/WIPS capabilities are also useful for physically locating rogue APs in order to remove them.
• WIDS and WIPS operate 24/7 and generally require no management or admin involvement.
• Most of the systems currently available fundamentally act as a WIPS because they are designed to detect and prevent wireless intrusion.
4. Recommended Requirements for Enterprise Wireless Networking
• These requirements are derived from the sources listed in Appendix A.
1- Use safe, problem-free existing equipment when you can.
2- Comply with Federal Information Processing Standards (FIPS) 140-2 encryption standards.
3- Follow National Institute of Standards and Technology (NIST) 800-53 controls compliance.
4- Utilize PIV card certificates for user authentication to meet OMB HSPD-12 compliance.
5- Offer an alternative authentication method when PIV cards are unavailable.
Figure: The PIV Card (https://www.osp.va.gov/PIV_Information.asp)
6- Use AES-CCMP sparingly in WPA2 enterprise networks.
WPA2 replaces RC4 and the Temporal Key Integrity Protocol (TKIP) with two stronger encryption and authentication mechanisms:
1. Advanced Encryption Standard (AES), an encryption mechanism; and
2. Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), an authentication mechanism.
5. Recommended Requirements for WIDS/WIPS
Even wired networks without wireless access should use a WIDS/WIPS solution to detect rogue APs and unauthorized connections.
• WIDS/WIPS systems should include the following characteristics:
1- Rogue client detection capability.
2- Detect and classify mobile Wi-Fi devices such as iPads, iPods, iPhones, Androids, Nooks, and MiFi devices.
3- Detect 802.11a/b/g/n/ac devices connected to the wired or wireless network.
4- Be able to enforce a “no Wi-Fi” policy per subnet and across multiple.
5- Detect and report additional attacks.
6- Provide customizable reports.
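The threat types from section 2 can be expressed as classification rules over what a WIDS sensor observes. The Python below is an added example, not part of the original slides or of any WIDS product; the inventory, the observation fields (including the assumed `on_wire` wired-side correlation) and the finding labels are all hypothetical.

```python
from dataclasses import dataclass

# Constructed inventory of sanctioned APs (BSSID -> SSID); all values are made up.
AUTHORIZED = {
    "02:00:00:aa:00:01": "CorpNet",
    "02:00:00:aa:00:02": "CorpGuest",
}

@dataclass(frozen=True)
class Observation:
    bssid: str     # radio MAC address seen by the sensor
    ssid: str      # "" when the AP does not broadcast its SSID
    mode: str      # "infrastructure" or "adhoc"
    cipher: str    # "CCMP", "TKIP", "WEP" or "OPEN"
    on_wire: bool  # assumption: sensor correlated this radio with the wired LAN

def classify(obs, authorized=AUTHORIZED):
    """Return the findings for one observation (empty list = nothing to report)."""
    bssid = obs.bssid.lower()
    if obs.mode == "adhoc":
        return ["ad-hoc-connection"]
    if bssid in authorized:
        findings = []
        if obs.ssid != authorized[bssid]:
            findings.append("misconfigured-ap:unexpected-ssid")
        if obs.cipher != "CCMP":
            findings.append("misconfigured-ap:weak-cipher")
        return findings
    # Unknown radio advertising a sanctioned network name.
    if obs.ssid and obs.ssid in authorized.values():
        return ["evil-twin"]
    # Unknown radio attached to the enterprise network.
    if obs.on_wire:
        return ["hidden-rogue-ap" if not obs.ssid else "rogue-ap"]
    return ["external-network"]

def triage(observations, authorized=AUTHORIZED):
    """Map BSSID -> findings, keeping only entries that need SOC attention."""
    report = {}
    for obs in observations:
        findings = [f for f in classify(obs, authorized) if f != "external-network"]
        if findings:
            report[obs.bssid.lower()] = findings
    return report

# Constructed sensor output for illustration.
SAMPLE = [
    Observation("02:00:00:AA:00:01", "CorpNet", "infrastructure", "CCMP", True),
    Observation("02:00:00:aa:00:02", "CorpGuest", "infrastructure", "TKIP", True),
    Observation("02:00:00:bb:00:09", "CorpNet", "infrastructure", "CCMP", False),
    Observation("02:00:00:cc:00:05", "", "infrastructure", "OPEN", True),
    Observation("02:00:00:dd:00:07", "CoffeeShop", "infrastructure", "CCMP", False),
    Observation("02:00:00:ee:00:03", "laptop-share", "adhoc", "OPEN", False),
]

if __name__ == "__main__":
    for bssid, findings in triage(SAMPLE).items():
        print(bssid, ", ".join(findings))
```

Neighbouring networks that are neither on the wire nor imitating a sanctioned SSID are classified but left out of the alert report, matching the survey section's separate treatment of external network sources.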
6. Recommended Requirements for Wireless Surveys
Many integrators of wireless solutions can perform a predictive or virtual site survey as
part of the proposal or estimating process.
This approach utilizes a set of building blueprints or floor plans to determine the optimal
placement of sensors and APs within the facility.
A predictive site survey takes into account the building dimension and structure but cannot
account for potential RF sources because no direct examination of the site is conducted.
This approach may be sufficient for some enterprises and is significantly less expensive
than a more thorough RF site survey.
Issues that a wireless survey seeks to identify include:
• External and Internal Interference Sources – Wi-Fi is not the only user of the RF frequencies it operates in. Identification of interference sources assists in designing a solution that achieves the desired coverage in the most efficient manner.
• RF Coverage Barriers – materials used in construction may not transmit RF signals, resulting in unexpected loss of strength and reduced range.
• Multipath Distortion – distortion of RF signals caused by multiple RF reflective paths between the transmitter and receiver.
Before beginning a wireless survey, the following information should be obtained:
1- Where in the facility is Wi-Fi access needed?
2- Will there be more than one wireless network, such as a work and guest network?
3- How many devices and connections will be supported over Wi-Fi?
4- What are the data rate needs of these devices over Wi-Fi?
5- A facility map or floor plan is essential to overlay the survey results on.
The wireless survey should produce the following documents as a product:
• A facilities map(s) showing wireless coverage with the following indicated:
1- Interference sources and strength.
2- Any existing networks’ signal strength and coverage contours.
3- External network sources available in the facility with signal strength coverage contours.
4- Identification of areas where multipath distortion may occur.
5- Recommended WAP placement.
6- Recommended WIDS/WIPS placement.
7- Indication of signal strength coverage contours using recommended placement.
• The report should include an RF spectrum analysis that will minimally indicate:
1- RF interference sources.
2- Measurement of signal-to-noise ratio (SNR).
3- RF power peaks.
4- Wi-Fi channel interference.
• The survey information enables optimization of AP channels, antenna type, AP transmit power levels, and placement for the proposed wireless network installation.
7. Budget Estimation Guide
The following factors should be accounted for to ensure a comprehensive estimate of the
total project costs:
1- Site Evaluation
2- Labor
3- Physical and Virtual Infrastructure
4- Maintenance and Support
8. Bluetooth Security Considerations
Bluetooth technologies (IEEE 802.15) in mobile devices present additional risks for the loss of data and the potential to eavesdrop on conversations.
This increases confidentiality risks on department and agency devices, because Bluetooth may be used during operations on any capable device such as laptops, cell phones, and tablets.
Bluetooth technology creates a personal area network (PAN) for connecting devices like audio, keyboards, mice, and data storage to a system.
All versions of the Bluetooth specification include unsecured modes of connection, and these are typically the easiest connections to establish.
More detailed information on threats and mitigations for Bluetooth technologies can be found in NIST SP 800-121 rev 1.