I am just back from a trip to New Delhi (along with my colleague, Prabhash Dhyani). The weather was quite hot and humid. Amidst flight delays and apparently unstoppable Delhi traffic, we managed to meet up with some interesting folks and exchanged several ideas. You may be wondering what this has got to do with a security blog, hold on, you will soon find out!
Ban of WEP & TKIP
Wi-Fi Alliance has (finally) decided to take some giant steps in improving the state of wireless security. Starting Jan 2011, TKIP will be disallowed on new APs and from 2012, it will be disallowed on all Wi-Fi devices. Come Jan 2013, WEP will not be allowed on new APs and from 2014, WEP will be disallowed on all Wi-Fi devices. This is the good news. But, let us also get to the “bad” news.
Recently, there have been multiple instances of Wi-Fi issues related to iPads. Apple has also acknowledged some of the issues - e.g.,an iPad may not automatically rejoin a known Wi-Fi network on a dual band router . Also, Princeton university has faced serious network problems due to iPad. This has been attributed to a problem in the DHCP client on iPad. Here is an interesting theory on how the IEEE 802.11 Power Save mode may be playing a role in this. The Wall Street Journal reports that such issues have lead to the ban of iPads at several universities. This is a cause for concern. Read more…
My previous post “WiFi Hots(Honey)pots Go Mobile” (http://blog.airtightnetworks.com/wireless-security-mobile-hotspot/) talked about Palm Pre/Pixi Plus going the hot(honey)pot way.
SIMFI is equally cool – it can convert your cell phone into a hotspot. SIMFI is of the size of a SIM card and has WLAN modem built into it. It can be pretty much used with any phone. Check out http://www.techchee.com/2010/02/13/simfi-wifi-integrated-sim-card-turns-your-cellphone-into-a-wifi-hspa-router/ .
I am looking forward to get my hands onto one of these.
So, looks people don’t need to carry APs anymore to mess around with enterprise security 
Are you already having trouble preventing your enterprise Wi-Fi clients from connecting to some of the existing public Wi-Fi networks (e.g., T-Mobile, Google WiFi)?
Mobile Hotspot with an option to create an Open Network
Guess what – the latest Palm Pre Plus or Pixi Plus can be converted into a cool mobile hotspot. One can easily roam around with this pocket hotspot. (http://www.nytimes.com/2010/01/21/technology/personaltech/21pogue.html)
It is amazing as to how some of these cool technological advances can create new avenues for attacks. Suppose an employee or a visitor wishes to sneak-in a hotspot or a honeypot AP into your enterprise. If you are paraniod, you can possibly think of frisking him for an AP (before allowing him into your premises). But, can you go to the extent of preventing him from carrying a Palm into your enterprise?
The new 802.11 security protocol called 802.11w was recently ratified. Check this 802.11w-Tutorial to know how it works and what it means for your WLAN.
Rouge AP is an unauthorized AP connected to enterprise wired network. It can allow access to the enterprise wired network from its RF spillage outside of the premises. While it is well established in the mainstream that wired-wireless correlation is the only robust technique to detect such rogue APs, there also have been some wireside-only scanning techniques around to detect rogue APs connected to the enterprise wired network. At first sight, wireside-only scanning appears attractive from cost and deployment perspective as it does not require RF scanners. However the reality is that wireside-only scanning fails to detect many common types of rogues on the wired network.
Recently, the PCI Security Standards Council Wireless Special Interest Group published guidelines to clarify wireless security requirements in PCI DSS 1.2. While these guidelines clearly require using wireless analyzer or wireless IDS/IPS, wireside-only scanning is still sometimes touted, albeit incorrectly, as low cost alternative to meet PCI compliance. Not only does wireside-only scanning violate PCI DSS 1.2 in letter as it does not use wireless scanners, but it also violates it in spirit as it fails to detect many common types of rogues on wired network.
To find out more about how wireside-only scanning works and its limitations please view our technical white paper - Drawbacks of Wireside-only Rogue Detection.
“The notion of a hard, crunchy exterior with a soft, chewy interior [Cheswick, 1990], only provides security if there is no way to get to the interior. Today, that may be unrealistic.” – What Firewalls Cannot Do, Firewalls and Internet security
Rogue APs are Access Points (APs) that are deployed in an enterprise network without the consent of the network administrator. In certain cases, the intent behind a Rogue AP may be benign – for example, an employee who wants to access the network from his favorite corner of the office. While in other cases, a Rogue AP can be deployed with a malicious intent – say, by an attacker or his accomplice.
Sneaking in Rogue APs into an enterprise may not be difficult. Pocket size WiFi APs for less than $50 are readily available in retail stores. Due to spillage of RF signal, a Rogue AP enables an attacker sitting in the parking lot to directly access your enterprise wired network. After interacting with some of our customers and prospects, I have realized that they are familiar with Rogue APs but, lack a complete picture of what all damages one can inflict via a Rogue AP. Hence, I thought of compiling this list of “uses” for a Rogue AP (yes, “use” from the perspective of an attacker or an unauthorized user).
In my previous blog post (5 Wireless Intrusion Detection Questions You Need to Worry About), I talked about the key questions that are related to the detection of Wireless (WiFi) based intrusions in your enterprise. Today, let’s turn the focus on to the other important aspect of WiFi security – Intrusion Prevention. Here are the 5 questions you should ask on wireless intrusion prevention in your enterprise. Let me know if your answer to all of these questions is in the affirmative.
If you own an enterprise grade local area network (LAN), you need to be aware that wireless (WiFi) based intrusions can potentially be exploited to create security backdoors into your network. This is true even if you have not rolled out your wireless LAN (WLAN) or have rolled out a WLAN that adopts the best-in-breed cryptographic security.
Today, Chief Security Officers (CSOs), Chief Information Officers (CIOs) and network security administrators have different perceptions on the extent of WiFi based intrusions. Hence, they have adopted different solutions to secure their enterprise network from WiFi intrusions.
Independent of which of the above groups you may belong to, here is my list of 5 intrusion detection questions that you need to worry about. If you don’t agree, I would love to hear your views. Read more…
