Ban of WEP & TKIP
Wi-Fi Alliance has (finally) decided to take some giant steps in improving the state of wireless security. Starting Jan 2011, TKIP will be disallowed on new APs and from 2012, it will be disallowed on all Wi-Fi devices. Come Jan 2013, WEP will not be allowed on new APs and from 2014, WEP will be disallowed on all Wi-Fi devices. This is the good news. But, let us also get to the “bad” news.
Windows7 Virtual AP – Why is it a big deal now?
Ever since WiFi radios were available, there have been open source and priced software that allowed users to convert their client cards into APs. While these were available only on Linux based operating systems to start with; ‘Soft AP’ drivers and software has been available for most operating systems for at least a few years now. Also available were USB devices that operate as an AP. In addition; the WiFi interface could always have been put into ad-hoc mode, allowing other clients to connect to it, effectively creating the same vulnerability as a soft AP
So, why is soft AP suddenly a big deal when Windows7 provides this as a built in option in the OS? Read more…
Last week AirTight presented the first Webinar designed to educate network administrators and security professionals about the wireless risk introduced with Windows 7. The response was so overwhelming that we are presenting it live again on March 10. I guess we hit a nerve since AirMagnet is bringing up the rear now and presenting a Webinar on the subject. But if you want an in depth look at this topic and solid advice on protecting your network, join AirTight experts for a live encore presentation of our webinar:
Windows 7 – a New Enterprise Wireless Risk
When: Wednesday 10 March 2010, 10:45 AM – 12:00 PM
Time Zone: (GMT-08:00) Pacific Time (US and Canada); Tijuana
Read more…
Much has been said about using ‘Best Practices’ alone to secure enterprise WiFi, including no-WiFi policy. However, as security experts will vouch, most breaches happen because of naive insiders.
Here is a hilarious video that demonstrates the lack of understanding out there regarding WiFi – http://www.youtube.com/watch?v=3cgjvcxn1s4.
Imagine such a person as your employee and ask yourself the following questions.
If these questions are hard to answer, you must consider Wireless Intrusion Prevention System!
When talking about wired security, enterprise IT administrators talk about multiple layers of defense such as internet firewalls, VPNs, admission control, email filtering, content filtering, web application scanning and many others. It is like a hacker has to peel multiple layers of an onion before getting to the core. Each layer of security is independent and is preferably sourced from different vendors. Each layer compounds the amount of work that a hacker has to perform to get in.
When considering the security of a wireless network, the same enterprise IT administrators are content with the basic security mechanisms integrated into the wireless LAN infrastructure by vendors such as Cisco Systems and Aruba Networks. IT departments have a hard time understanding why an inner layer of defense for wireless network security is needed in the form of an advanced wireless intrusion prevention system (WIPS). The wireless network security posture of an organization is the weakest when the security integrated into wireless LAN infrastructure is the only layer protecting the core network. Without an inner WIPS layer, the core network is open to rogue APs, unauthorized client connections, ad-hoc networks, MAC spoofing and many other attacks that the wireless LAN infrastructure security cannot protect against.
“The notion of a hard, crunchy exterior with a soft, chewy interior [Cheswick, 1990], only provides security if there is no way to get to the interior. Today, that may be unrealistic.” – What Firewalls Cannot Do, Firewalls and Internet security
Rogue APs are Access Points (APs) that are deployed in an enterprise network without the consent of the network administrator. In certain cases, the intent behind a Rogue AP may be benign – for example, an employee who wants to access the network from his favorite corner of the office. While in other cases, a Rogue AP can be deployed with a malicious intent – say, by an attacker or his accomplice.
Sneaking in Rogue APs into an enterprise may not be difficult. Pocket size WiFi APs for less than $50 are readily available in retail stores. Due to spillage of RF signal, a Rogue AP enables an attacker sitting in the parking lot to directly access your enterprise wired network. After interacting with some of our customers and prospects, I have realized that they are familiar with Rogue APs but, lack a complete picture of what all damages one can inflict via a Rogue AP. Hence, I thought of compiling this list of “uses” for a Rogue AP (yes, “use” from the perspective of an attacker or an unauthorized user).
Any organization handling payment card data should pay immediate attention to the PCI DSS Wireless Guideline published by the PCI Security Standards Council Wireless Special Interest Group last week.
Wireless Threats That Can Compromise PCI DSS Compliance
The key highlights are:
If you own an enterprise grade local area network (LAN), you need to be aware that wireless (WiFi) based intrusions can potentially be exploited to create security backdoors into your network. This is true even if you have not rolled out your wireless LAN (WLAN) or have rolled out a WLAN that adopts the best-in-breed cryptographic security.
Today, Chief Security Officers (CSOs), Chief Information Officers (CIOs) and network security administrators have different perceptions on the extent of WiFi based intrusions. Hence, they have adopted different solutions to secure their enterprise network from WiFi intrusions.
Independent of which of the above groups you may belong to, here is my list of 5 intrusion detection questions that you need to worry about. If you don’t agree, I would love to hear your views. Read more…
Michael is the Message Integrity Code adapter by the TKIP standard. Michael is actually a weak code which uses simple additions and shift operation which are computationally less expensive, but strong enough as a intermediate solution from WEP. Michael was chosen as MIC in TKIP, so that the already deployed low end Access Points can also be software upgraded to TKIP without any hardware change. This video explains the working of MIC in TKIP.
The Department of Telecommunications (DoT), Govt. of India, has set a June 2009 deadline for complying with its regulation on WiFi security. Here’s a position paper that evaluates the DoT regulation and suggests best practices for secure use of WiFi.
