家居无线网络的安全

Mr.KenK.K.FongViceChairman,HongKongWirelessTechnologyIndustryAssociation(WTIA)Mr.SangYOUNGChairperson,ProfessionalInformationSecurityAssociation(PISA)©2005PISA&WTIA:AllrightsreservedAgenda{IntroductiontoWirelessNetwork{WirelessLANSecurityRisks{WirelessLANBasicDefenseStrategiesIntroductiontoWirelessNetwork©2005PISA&WTIA:AllrightsreservedWirelessNetworkAreaDefinitionsWANWAN-MANMANPico-CellMAN-LANPANLAN-PAN0km~50km~2km~10mCourtesyofIEEE802.15PressKit.Jan.2001BluetoothIEEE802.11HyperLanGSMGPRSCDMA©2005PISA&WTIA:AllrightsreservedWideAreaMetropolitanAreaLocalAreaPersonalAreaLAN:collectionofsecure“hotspot”connections,providingbroadbandaccesstotheInternetPAN:collectionofsecureconnectionsbetweendevicesina“very”localareaWAN:everywhereoutsideofthehotspots,wherewirelessInternetconnectionareprovidedBluetooth;800Kb/s–30ft,10m802.11b;802.11a;802.11g2M54Mb/s–300ft,100mGPRS,3G–UMTS,HSDPA400Kb/s–xxMls,KmsMAN:BuildingtoBuildingconnectionMMDS;LMDS;802.16/WiMax10M155Mb/s-Kms©2005PISA&WTIA:AllrightsreservedWLAN/802.11existingfamily{802.11z2.4GHz;1to2Mbps;FHSSorDSSS{802.11bzWi-Fi;2.4GHZ;11Mbps;DSSS{802.11az5GHZband;54Mbps,OFDM{802.11gz2.4GHz;54MbpsAllfourusetheEthernetprotocolandCSMA/CA(carriersensemultipleaccesswithcollisionavoidance)forpathsharing{802.11izEnhancedSecurityandAuthenticationmechasnismzAdvancedEncryptionStandard(AES)securityprotocol©2005PISA&WTIA:AllrightsreservedStandardandRegulatoryinHK{IEEEStandardsz802.11b/802.11g{3nonoverlappingchannelsinHK{2.4-2.4835GHzz802.11a{12nonoverlappingchannelsinHK{5.15-5.25(4);5.25-5.35(4);5.75-5.85(4-5){WorldwideRegulatoryProgresszITUWorldRadioConference(WRC-03)zAgendaItem1.5:setaglobalallocation:5.15-5.35;5.47-5.725zTotal455MhzzPlusexisting5.75-5.85580Mhz;i.e.24non-overlappingchannelin5GHzWLANSecurityConcern{Authentication:RiskofunauthorizedaccesstocompaniesnetworkfromrogueWi-Fi™station{Privacy:RiskofeavesdroppingonWLANdatatraffic©2005PISA&WTIA:AllrightsreservedTheDarkSidecausedbysecurityflaw{Signalcoverage(200-1000m)PhysicalboundaryMaliciousclientPhysicalBoundaryNormalSignalBoundaryMaliciousclientw/AntennaRogueAP©2005PISA&WTIA:AllrightsreservedAPDiscoveryorHackingfromadistance{PISAandWTIASurveys{Survey2002zFirstSurveyinHKz~180APsdetectedalongthetramwayz77%ofAPsmightbehackedintoit{Survey2003zVictoriaPeak:257APsdiscovered,somemightbe10kmaway{Survey2004-05zInternetBrowsinginthemiddleofsea,longdistanceaccessprovedz~1,000APsdetectedalongthetramway+18dBgainantennaeusedinVictoriaPeakWarSailinginVictoriaHarbour2004-05DetailReportcanbefoundat©2005PISA&WTIA:AllrightsreservedWLANRisksinGeneral{Interceptionandunauthorizedmonitoringofwirelesstraffic{Client-to-ClientAttacks{Jamming(DoS)MaliciousclientJammingClient-to-clientattackJamming©2005PISA&WTIA:AllrightsreservedOtherWLANRisk{“Sharing”ofbandwidth{HigherISPbill{Informationleakage,InvadePrivacy{Worm/VirusSpread{NetworkbeingusedforattackzLegalliabilityforhosting“on-site”attacker{NetworkbeingusedforillegaldownloadanduploadBasicWLANProtectionStrategies©2005PISA&WTIA:AllrightsreservedDefense:PhysicalSecurity{DonotputAPneardoororwindows.{LowerAccessPointpower{PoweroffAPwhennotinuse©2005PISA&WTIA:AllrightsreservedWeakConfigurationDefaults{Encryptionisoff{WellknownSSIDisusedandbroadcastedzlinksysÆLinksysbrandztsunamiÆCiscobrandzdefaultÆToomanybrandusingthis/{AdministrativeAccesseasyzWeb,telnet,snmparenotfilteredzWellknownAdminIDandpasswordisusedzSNMPCommunityString{Defaultstrings:public&private{Accessright:RO&RW{DHCPforallclients©2005PISA&WTIA:AllrightsreservedSnapshotofInsecureAPDefaultSSID,SSIDcanbeseenNoEncryption©2005PISA&WTIA:AllrightsreservedDefense:ConfigurationDefaults{HardenSSIDzChangeSSIDzDisableBroadcastingSSID{Closenetwork{HideSSIDBeacon{UseWEPand128bitkeyzChoosethisoptiononlywhenAPhasnoWPA-PSKzNeveruse64bitkey{UseWPA-PSKzPleaseusethestrongkey(password)too!!Hardenmeansdoingbothsettings©2005PISA&WTIA:AllrightsreservedDefense:ConfigurationDefaults{MACAddressFilteringzonlyusers’trafficprovidingthecorrectMACaddressisbridged(RadiususersdatabaseortableinAP){HardenAdminaccesszTurnoffunnecessaryadminaccess,e.g.telnet,webzChangedefaultadminID&password;Choosehard-to-guessadminpasswordzTurnoffSNMPaccess{InstallSecurityPatchsoftwarefromvendors©2005PISA&WTIA:AllrightsreservedSnapshotofSecureAPNoSSIDcanbeseenEncryptionEnabled©2005PISA&WTIA:AllrightsreservedConclusionforHomeWLANSecurity{ToSecureHomeWirelessLANzConsiderPhysicalIssuezConsiderAccessPointConfigurationzOngoingManagement{Thereisno100%secure!However,theyaredeterringfactorsthatshouldbeapplied.{NotedthatSecurityIssuespresentedinhereisforhomewirelessLANonly.©2005PISA&WTIA:AllrightsreservedForAdvanceUser{Enable802.1xzAddresstheWLANAuthenticationfunction{WPA(Wi-FiProtectedAccess)zAddresstheweaknessofWEPbyincorporatingTKPI(TemporalKeyIntegrityProtocol){TheNewStandardzWPAPlus(Wi-FiAlliance)&802.11i(IEEE)zAES(AdvancedEncryptionStandard);messageintegrity;fastroamingsupport©2005PISA&WTIA:AllrightsreservedForAdvanceUser{NetworkSecurityzPlaceafirewallbetweenthewirelessnetwo