WEBVTT

00:00.560 --> 00:06.410
If you've been watching all my other episodes on wireless threats, you should be significantly concerned

00:06.650 --> 00:10.940
that there could be problems with a typical 802.11 wireless network.

00:10.940 --> 00:13.650
And that's what this episode is all about: hardening

00:13.770 --> 00:14.440
802.11.

00:14.450 --> 00:19.340
Now there's a lot to cover here, so what I'm going to do is break it down. These are

00:19.340 --> 00:24.370
four groups that I use personally when I'm thinking about hardening my 802.11 networks.

00:24.380 --> 00:27.590
Number one is going to be survey installation issues.

00:27.590 --> 00:31.380
Number two is going to be maintaining an existing wireless network.

00:31.400 --> 00:35.900
Number three, which is actually a corollary, is monitoring a wireless network.

00:35.900 --> 00:38.010
And number four, the one that everybody forgets:

00:38.090 --> 00:40.130
how do you defend your wireless client?

00:40.140 --> 00:42.970
So let's go and get started with survey and installation.

00:47.380 --> 00:51.070
If you're going to be installing or upgrading a wireless network,

00:51.070 --> 00:55.340
the first question you have to answer is: what do I have here right now?

00:55.450 --> 01:01.900
And that's the job of what I call survey tools. Now, survey tools can physically manifest as multi-thousand-

01:01.900 --> 01:07.750
dollar specialized pieces of hardware that look like tablets, to something as simple as absolutely free

01:07.810 --> 01:12.770
open source software that you can install on any laptop and do it yourself.

01:12.860 --> 01:16.720
There's a reason some stuff's free and some stuff's expensive though.

01:16.720 --> 01:23.560
Be that as it may, a good site survey program is going to be looking for things like, for example, SSIDs,

01:24.010 --> 01:28.890
the MAC addresses, all the different bands it's going to be running on, all the different channels.

01:28.900 --> 01:34.360
Hopefully only two. Things like signal strength. And it's going to be taking all this information, and

01:34.360 --> 01:40.390
it's going to be documenting it for you in a way, with good charts, with good graphing, with good logs,

01:40.480 --> 01:45.010
that help you document everything that is 802.11 around you.

01:45.010 --> 01:48.400
And that's really where good survey tools come into play.

01:48.400 --> 01:54.220
In fact, a really good survey tool will often have an added feature called a heat map, so here's an example

01:54.220 --> 02:01.570
of one. What you're looking at here is the relative signal strength of all the different wireless access

02:01.570 --> 02:04.530
points within this little office environment.

02:04.540 --> 02:07.790
So the more red it is, the stronger the signal.

02:07.870 --> 02:11.820
And then it goes out to green, where it becomes an extremely light signal.

02:12.960 --> 02:18.090
The end result of all this is that if you're going to be setting up a wireless network, you've got to

02:18.090 --> 02:21.920
do some kind of site survey and you need a survey tool.

02:21.930 --> 02:27.960
I'm not going to try to sell you on any particular one, Kismet, but there's a lot of great tools out there,

02:28.350 --> 02:34.090
and these are the core tools that allow you to set up a network so that you can get to the next point:

02:34.110 --> 02:39.810
maintaining one.

02:39.830 --> 02:43.970
So you've got a new, happy 802.11 network up and running. Well,

02:44.000 --> 02:49.690
good for you, but we need to talk about what we do to maintain that wireless network, and in particular

02:49.690 --> 02:51.440
to maintain its security.

02:51.440 --> 02:52.460
The number one rule.

02:52.460 --> 02:58.310
The biggest one, and the one nobody seems to do, is good wireless documentation. Take advantage of those

02:58.310 --> 03:05.820
site surveys to have all of your SSIDs, MAC addresses associated to WAPs, physical locations, heat maps.

03:05.840 --> 03:12.450
All of this organized and easy to get to so that we know exactly how our networks are laid out.

03:12.620 --> 03:16.400
Here's a floorplan example of my Total Seminars office.

03:16.430 --> 03:19.740
Now you can see here are a couple of wireless access points.

03:19.850 --> 03:25.430
But in this case I only have one SSID, we're just not that big, but we know exactly where everything

03:25.430 --> 03:26.020
is.

03:26.030 --> 03:31.540
We know the SSIDs and we know the access point MAC addresses now.

03:31.590 --> 03:33.090
Good documentation is great.

03:33.090 --> 03:38.220
So before we get into a little more depth here, I want to start off by killing what I call a couple of

03:38.220 --> 03:43.390
old tech tales, especially for those of you who have taken other CompTIA exams.

03:43.410 --> 03:49.110
These may be a bit of a shock to you. Old tech tale number one: turning off broadcast

03:49.110 --> 03:50.970
SSID is a good thing.

03:51.000 --> 03:56.490
It really isn't. Any wireless access point will say turn off broadcast SSID.

03:56.580 --> 04:01.920
The problem with this is that pretty much any wireless device out there, even the clients that come with

04:01.920 --> 04:07.830
Windows systems, can see there's an SSID out there, they just don't see the name, so it doesn't hide you

04:07.830 --> 04:08.840
very well.

04:09.240 --> 04:16.170
The second thing is MAC filtering. To actually set up a wireless access point so that every client is

04:16.170 --> 04:17.040
MAC filtered

04:17.130 --> 04:20.070
can happen, but it's usually fairly rare.

04:20.070 --> 04:25.860
You would see a situation like in an industrial control system, where you only had very specific workstations

04:25.860 --> 04:29.180
that access that particular wireless access point.

04:29.310 --> 04:32.290
In that situation it would work pretty well.

04:32.310 --> 04:36.710
Other than that, for example in a coffee shop, you have so many different people coming in and out.

04:36.900 --> 04:39.980
The concept of MAC filtering simply doesn't work.

04:40.170 --> 04:45.150
However, one that does work well is the idea of AP isolation.

04:45.150 --> 04:49.800
Every access point out there has a little checkbox called AP isolate.

04:49.980 --> 04:56.490
What that means is that all of the wireless devices on that SSID can all see the access point, can all

04:56.490 --> 04:57.570
get to the network.

04:57.630 --> 05:01.170
But unlike a typical Ethernet network, they can't see each other.

05:01.200 --> 05:06.690
It's a powerful tool, and it's done on just about every access point, especially those that are out in

05:06.690 --> 05:14.770
the public. Now the next thing I want to talk about is 802.1X. A lot of people will have WPA2 PSK

05:14.790 --> 05:18.920
encryption out there, and that's great. If you're going to do that,

05:18.930 --> 05:25.080
use long passwords, and I mean like 20 characters, and avoid using words and phrases, like that. Make it

05:25.080 --> 05:26.240
complicated.

05:26.280 --> 05:32.230
It will make it pretty much impossible for guys like me to be able to crack your WPA or WPA2 passwords

05:32.310 --> 05:33.750
if you make them long.

05:33.750 --> 05:37.170
However, 802.1X is not that hard to implement.

05:37.170 --> 05:40.940
I'm not saying it's the easiest thing in the world. You're going to have to bring in an extra server,

05:40.940 --> 05:46.920
you are going to do some kind of authentication, but it makes for a robust and pretty much uncrackable

05:46.920 --> 05:48.350
wireless network.

05:48.660 --> 05:51.420
OK, so your network's up and cooking.

05:51.630 --> 05:57.300
The big danger you have to wireless networks isn't what you know, it's things that appear that you don't

05:57.300 --> 05:59.970
know, for example a rogue access point.

05:59.970 --> 06:06.360
So what we do on any good wireless network is we do occasional scanning, monthly, every two weeks, it really

06:06.360 --> 06:12.970
depends on how paranoid your security levels are, and the scanning really is nothing more than just researching

06:13.080 --> 06:17.790
the network, going out there listening for SSIDs you don't recognize,

06:17.790 --> 06:23.550
looking for WAPs that are coming out on your SSID but with a MAC address that you don't recognize.

06:24.060 --> 06:29.760
Any good wireless network is going to be doing this type of periodic scanning.

06:29.760 --> 06:35.460
In fact, it becomes so important that in some situations you pretty much want to be scanning continuously,

06:35.730 --> 06:39.070
and that's the job of a wireless intrusion detection system.

06:43.920 --> 06:51.090
A wireless intrusion detection system is, as the name implies, an intrusion detection system that's looking

06:51.090 --> 06:58.520
for things on the ISM bands, 2.4 gigahertz and 5 gigahertz, where 802.11 lives.

06:58.520 --> 07:05.640
Now a WIDS can manifest in a lot of different ways. You can get a piece of freeware that you can install

07:05.640 --> 07:11.390
on a laptop, or you can spend a lot of money with big third-party turnkey systems.

07:11.430 --> 07:20.220
So the important part about a WIDS is that it monitors your wireless radios. It watches for rogue

07:20.220 --> 07:25.490
access points, it knows all the wireless access point MAC addresses.

07:25.500 --> 07:29.030
So if an evil twin were to appear, it would recognize it.

07:29.090 --> 07:30.190
A good WIDS,

07:30.240 --> 07:35.100
if you want, can do stuff like, well, we know what protocols are on here, so it can actually watch for

07:35.370 --> 07:38.400
the protocols that are supposed to work and not supposed to work.

07:38.400 --> 07:43.140
It can do a lot of very, very powerful stuff, but it can come at a price.

07:43.140 --> 07:47.400
There's a reason why some WIDSs are free and some are very, very expensive.

07:47.430 --> 07:48.620
Whatever the case may be.

07:48.660 --> 07:50.630
Let me give you one quick example.

07:50.640 --> 07:54.390
Here's the floorplan of my Total Seminars network.

07:54.390 --> 07:59.120
Now a good WIDS is usually going to start with sensors.

07:59.130 --> 08:04.350
These are physical devices that are placed around your network, and they're really nothing more than

08:04.350 --> 08:05.920
wireless access points.

08:05.940 --> 08:07.870
Now they're not actually transmitting.

08:07.920 --> 08:13.860
They're simply listening for things that shouldn't be there. If they hear something, they'll send that

08:13.860 --> 08:16.840
data to a WIDS server.

08:17.010 --> 08:24.120
This is a dedicated box whose only job is to take all this information and get it to a nice log file,

08:24.150 --> 08:25.900
so that people can access it.

08:25.950 --> 08:31.120
Now a WIDS is only going to be as good as the way it lets us know

08:31.230 --> 08:33.240
intrusions are taking place.

08:33.240 --> 08:40.950
So we're getting these logs that are being built up on the WIDS server, but that's only so much goodness.

08:40.950 --> 08:46.500
I mean, a good WIDS, you can set it up to send you a text message.

08:46.500 --> 08:48.710
You can set it up to give you an e-mail.

08:48.750 --> 08:53.850
It can even make a phone call and give you a voice text telling you exactly what's happening.

08:53.850 --> 08:57.700
So the really, really powerful tools depend on how much money you want to spend.

08:57.750 --> 09:04.830
But the important thing for the exam is that you're going to be expected to be able to look at what

09:04.950 --> 09:12.030
we call log files and to be able to have some idea of what type of naughtiness is taking place.

09:12.120 --> 09:14.640
So let's take a look at a couple of examples.

09:14.640 --> 09:18.750
For the first example, here's a log output from a hypothetical WIDS.

09:18.810 --> 09:24.710
Now as you look at this, what I want you to notice is that it's noticing that there are a number of

09:24.720 --> 09:29.890
login failures attempting to access a particular SS server.

09:30.090 --> 09:35.820
Now if we were to look at that, we would say that probably somebody is trying to hack into the

09:35.820 --> 09:36.670
server.

09:36.720 --> 09:44.560
An example of a very bad thing. As a second example, on this particular one we see a list of a number

09:44.560 --> 09:49.390
of access points that are working away, but if you take a look at one in particular, you'll notice that

09:49.390 --> 09:52.810
it says unknown BSSID.

09:52.840 --> 10:00.460
However, it shares the same SSID as all of the other listings on this particular log, which is office.

10:00.580 --> 10:06.760
This would be a great example of an evil twin. A good wireless intrusion detection system is absolutely

10:06.760 --> 10:07.590
amazing.

10:07.690 --> 10:12.760
But there's another line of defense I want to talk about, and that's the individual clients. So let's

10:12.760 --> 10:14.830
talk about hardening your clients.

10:19.100 --> 10:23.900
Wireless clients aren't something that we actually harden per se. In fact, they're the things we tend

10:23.900 --> 10:29.030
to defend against, in case somebody who's another wireless client is trying to get into a network they

10:29.030 --> 10:29.790
shouldn't.

10:29.810 --> 10:35.960
However, there are some situations where, not really the device, but that crazy thing that's using

10:35.960 --> 10:42.170
the device, the human working that system, needs some training to be able to watch out for some particularly

10:42.170 --> 10:43.910
scary situations.

10:43.910 --> 10:46.460
Now you would say to yourself, I'm just a wireless user.

10:46.460 --> 10:49.030
I count on the IT guys to do all this stuff.

10:49.160 --> 10:50.150
Well, that's actually not true.

10:50.150 --> 10:54.680
There's actually some very cool things you can do if you only have the right tool, and you've got the

10:54.680 --> 10:55.530
right tool.

10:55.640 --> 11:02.030
If you look at any wireless client, all of them have a list of SSIDs that pop up.

11:02.030 --> 11:06.340
Here's an example in Windows 10.

11:06.390 --> 11:08.100
Here's an example in OS X.

11:08.100 --> 11:16.350
I love Macs because they give you more detail than Windows does by default. In fact, even my mobile device

11:16.380 --> 11:25.790
gives me a nice list of SSIDs that I can see. The cool part is that that's, in essence, a survey tool.

11:25.790 --> 11:28.400
It gives you a poor man's survey tool.

11:28.400 --> 11:33.560
It's a casual tool, it doesn't give you as much information, but it gives you enough information to be able

11:33.560 --> 11:36.110
to watch out for scary situations.

11:36.130 --> 11:37.080
That's one example.

11:37.100 --> 11:37.980
No problem.

11:38.200 --> 11:43.700
Let's say that you've been working in your office here for the last two years, and you always log in

11:43.700 --> 11:49.260
to this one SSID called office. One day you just happen to notice, when you look at your list of

11:49.260 --> 11:58.520
SSIDs, that there's a new SSID out there, and it's called Bob or Linksys or D-Link or something

11:58.520 --> 11:59.750
like that.

11:59.780 --> 12:04.610
Now you know good and well that there's never been an SSID like that before.

12:04.640 --> 12:09.720
At least within your office area. This could be a great example of a rogue access point: somebody has

12:09.740 --> 12:12.740
bought themselves a little Linksys router and plugged it in.

12:12.740 --> 12:15.040
Might be time to call the IT department, huh?

12:15.320 --> 12:16.370
Need another example?

12:16.370 --> 12:17.210
No problem.

12:17.390 --> 12:18.700
So let's say you're out on the road.

12:18.710 --> 12:25.550
Now normally you work here in the shop, so you always link into an SSID called Shop.

12:25.640 --> 12:26.230
Now, that's great.

12:26.240 --> 12:32.300
But suddenly you're out on the road, and you're giving a sales presentation to some mechanics, and suddenly

12:32.300 --> 12:36.470
you realize that you're on an SSID called Shop.

12:36.470 --> 12:38.150
Now wait a minute.

12:38.180 --> 12:39.440
First of all, what's happening here?

12:39.460 --> 12:45.920
Well, number one, Shop, I mean, if you're in the auto industry I could imagine a lot of people would coincidentally

12:45.980 --> 12:52.220
all name their SSIDs Shop, but the other thing that could be happening here is it might be an evil twin

12:52.220 --> 12:52.880
scenario.

12:52.880 --> 12:57.710
Somebody has intentionally set up an SSID called Shop to get to you.

12:57.710 --> 12:59.680
So that's something to watch out for.

12:59.690 --> 13:00.600
One more example.

13:00.620 --> 13:01.690
You got it.

13:01.790 --> 13:07.940
Let's say that you've been working for years at a particular location and you've set up your wireless

13:07.940 --> 13:11.870
network, and every day you come in with your laptop and everything's great, and you're on there and you're

13:11.870 --> 13:13.430
on Google and whatever.

13:13.700 --> 13:20.090
But then one day you suddenly see that it's asking you for your username and password again,

13:20.120 --> 13:26.300
or just for your pre-shared key, whatever it might be. In a situation like this, unless somebody in

13:26.300 --> 13:29.510
the IT department told you they changed the key or something,

13:29.690 --> 13:33.820
you might be a victim of a classic man-in-the-middle attack.

13:33.830 --> 13:35.880
So that's something to watch out for too.

13:35.900 --> 13:43.540
So remember, just because you are on a client, you're a critical and important part of IT wireless security.
