Security paradigm shift through WLAN: new point of entry and playground

16 October 2007, 47th DFN-Betriebstagung, Berlin. Andreas Richter, Systems Engineer D/A/CH

www.airdefense.net

WLAN Evolution

“WLAN”, historically

Copyright © 2002-2007 AirDefense Proprietary and Confidential.

Some thoughts to begin with....

• Are you really sure that the data networks you operate are not the “local” broadcast station for sensitive research and scientific data?
• Ah... you do not actively operate any WLANs... >>> are you really sure that no WLANs exist?
• There is always at least one interested party for valuable data.
• How are examination data and personnel data protected?
• Are the statistical data collected for scientific work adequately protected? After all, collecting them is laborious and expensive!
• Engineering faculties: how is the data there protected that is meant to lead to a patent?
• IT and IT security are not about IT itself, but about using IT to ensure secure operational processes.
• In the end it is about German university locations, their image, and about money, that is, economic interests.
• Hear now how you can properly protect your IT data networks against unauthorized access, before data “goes missing” or criminal offences are committed over your networks.

It no longer works without… WLAN

Press notes

Data thieves at WLAN hotspots (PC Professionell, 15 March 2007)
http://www.virenschutz.info/beitrag_Datendiebe+an+WLAN+Hotspots_252.html

Computerbild/Symantec 7/2007: Data theft on the Internet … a market worth billions
http://www.computerbild.de/artikel/cb-Aktuell-Internet-Datendiebstahl-im-Internet-milliardenschwerer-Markt_1678449.html

Unencrypted WLAN has consequences, 9/2006
http://www.heise.de/newsticker/meldung/77921

Kölner Stadtanzeiger, 8 October 2007

Gartner: Security managers must plan for the "consumerization" of IT, 15 June 2007

CIO.de: Malicious attacks: Germany in 3rd place worldwide; phishing lures ever more sophisticated...

http://www.computerwoche.de/knowledge_center/it_security/594455/?NLC-Newsletter&nlid=594455%20Nachrichten%20mittags

http://www.cio.de/knowledgecenter/security/835235/index.html

Kölner Stadtanzeiger, 5 October 2007

CIO.de: “The consequence would be that companies will no longer have a hardened perimeter.”

VDI Nachrichten, 14 September 2007

Source: http://www.cio.de/knowledgecenter/security/837927/index.html

AirDefense is at the Center of It All

Security
• Rogue Protection
• Intrusion Detection & Active Defenses
• WEP Cloaking protects legacy protocols
• Forensic Analysis

Administration
• Integration with Infrastructure for combined solution
• LiveRF assists in remote troubleshooting
• Network Usage & Performance

Compliance
• Enterprise Policy Compliance
• Regulatory Compliance for Retail (PCI), Corporate (Sarbanes-Oxley) and other

AirDefense Highlights

Market Leadership
• #1 Wireless Security Platform
• Deployed in 30 countries across 5 continents
• Partnered with IBM, Motorola, CSC, BT, Symantec, Symbol, Trapeze etc.

Technology Innovation
• Pioneered Wireless IDS/IPS market
• 25 Patents pending/granted
• NIAP Common Criteria (EAL-2) certified

Enterprise Customers
• 700+ enterprise customers in all areas, including education and governments
• Deployed in federal, healthcare, retail, transportation, telecom etc. verticals
• Securing over 1 million devices worldwide

Industry Recognition

Wired Network Security Architecture

(Diagram: Attackers outside a SECURE ENTERPRISE PERIMETER; labels: INTERNET, INTRANET, Server, Desktop; threats shown: Virus & Malware, Inside Threat, Data Theft)

Wireless changes the Security Paradigm

1 Rogue AP Connected to Network
2 Hotspot Phishing
3 Leaked Wired Traffic & Insertion
4 Non-Compliant AP
5 Users Bypassing Network Security Controls

(Diagram labels: Hacker, Hotspot, Evil Twin, Muni Wi-Fi, Mobile User, AP, Server, Laptop, Desktop, INTERNET, INTRANET)

The AirDefense Solution


Increasing Sophistication of Attacks

(Chart: Attack Sophistication, Low to High, and Knowledge Required by Intruder, 2002 to 2007; tools plotted: SMBrelay, Karma, airbase, ASLEAP, CoWPAtty, Lorcon)

Wireless LAN Security Stories
• Wireless hacking bust in Michigan when two men cracked a retail store’s nationwide network; at one point they crashed the point-of-sale terminals
• Security lapses caused an electronics retailer to ban wireless cash registers
• A person broke into the computer system of a North Carolina medical consulting firm & illegally accessed information of hundreds of patients, including checks and insurance forms
• A wholesale club was hacked & credit card data stolen & used to the tune of ~$20M
• War drivers broke into a retail giant’s network & over a 4-month period stole credit info of more than 1 million customers
• At a California public school district, unprotected WLAN allowed full unauthorized access to sensitive files & enabled hackers to upload their own files into servers

Wireless LAN Security Videos: Denver News, ABC News, CNN, Fox News, Minneapolis News
http://www.airdefense.net/education/video/

Characteristics of Wireless Networks

1 Shared, Uncontrolled Media (AIR vs. Network)
• Invisible & Airborne Threats are hard to control vs. Wired

2 Self-Deploying & Transient Networks
• Simplicity of Self Discovery Creates Security Challenges
• Mobile Nature of Wireless LAN Devices and Users Requires In-depth Forensics capability to Address Security Breaches

3 User Indifference
• Invisible Connectivity & True Distributed Nature Gives a Faulty Sense of Security

4 Easier to Attack
• Lax WLAN Security is the Lowest Hanging Fruit for Hackers.
• Dozens of Tools Readily Available to Exploit these Holes

Wireless Networks Pose Higher Risks than Wired Networks

802.11 Frame Format vs. 802.3

802.3 frames
• Layer 1 is a cable
• Layer 2 - single data frame

802.11 frames
• Layer 1 is the AIR
• Layer 2 - three different frames
  • Management frames
  • Control frames
  • Data frames
• 3 step handshake

(Figure labels recoverable from the slide: BSSID, MAC, WEP, Key, Vendor, SSID, Channel)

Important:
• Encryption (WEP, WPA2 ...) is only valid for the „Data Frame“
• „Management/Control Frames“ are NOT encryptable, which means transparent and always visible (even 802.11w WILL NOT HELP!)

802.11 Working Groups

• 802.11a: 5.0 GHz, 54 Mbps Physical Standard – Ratified 1999
• 802.11b: 2.4 GHz, 11 Mbps Physical Standard – Ratified 1999
• 802.11c: Wireless Bridge Operation – Ratified 2001
• 802.11d: 802.11b International Compatibility – Ratified 2001
• 802.11e: Quality of Service – Expected Q1 2005
• 802.11f: AP Interoperability – Recommended Practice 2003
• 802.11g: 2.4 GHz, 54 Mbps Physical Standard – Ratified 2003
• 802.11h: 802.11a International Compatibility – Ratified 2003
• 802.11i: Security – Ratified June 2004
• 802.11j: 802.11a in Japan – Expected Q4 2004
• 802.11k: Radio Resource Management – Expected 2005
• 802.11l: (Reserved, typographically unsound)
• 802.11m: Standards Maintenance – Ongoing
• 802.11n: “True 100Mbps Throughput” – Expected 2006~2007
• 802.11o: (Reserved, typographically unsound)
• 802.11p: WAVE – Wireless Access for the Vehicular Environment (such as ambulances & passenger cars)
• 802.11q: (Reserved, typographically unsound, can be confused with 802.1Q VLAN trunking)
• 802.11r: Fast roaming (VOIP) – Expected Late 2006
• 802.11s: ESS Mesh Networking (Mesh Standard / Interoperability)
• 802.11t: Wireless Performance Prediction (WPP) - test methods and metrics
• 802.11u: Interworking with non-802 networks (e.g., cellular)
• 802.11v: Wireless network management (new)
• 802.11w: Protected Management Frames (Security (Again))
• 802.11x: (Not Used)
• 802.11y: Inclusion of 3.65-3.7 GHz bands for 802.11 networks
• 802.11z: Not Used YET ☺

802.11 a/b/g Country Channels

Need to know: the band is also used by microwave ovens, cordless home telephones, baby monitors, wireless video cameras and Bluetooth.

802.11 b/g channels

Channel number   Centre frequency (GHz)   Valid in
1                2.412                    USA FCC, Europe ETSI, Japan
2                2.417                    USA FCC, Europe ETSI, Japan
3                2.422                    USA FCC, Europe ETSI, Japan
4                2.427                    USA FCC, Europe ETSI, Japan
5                2.432                    USA FCC, Europe ETSI, Japan
6                2.437                    USA FCC, Europe ETSI, Japan
7                2.442                    USA FCC, Europe ETSI, Japan
8                2.447                    USA FCC, Europe ETSI, Japan
9                2.452                    USA FCC, Europe ETSI, Japan
10               2.457                    USA FCC, Europe ETSI, Japan
11               2.462                    USA FCC, Europe ETSI, Japan
12               2.467                    Europe ETSI, Japan
13               2.472                    Europe ETSI, Japan
14               2.484                    Japan

802.11 a channels

Channel number   Centre frequency (GHz)   Valid in
36               5.18                     EU, USA, Japan
40               5.2                      EU, USA, Japan
44               5.22                     EU, USA, Japan
48               5.24                     EU, USA, Japan
52               5.26                     EU, USA
56               5.28                     EU, USA
60               5.3                      EU, USA
64               5.32                     EU, USA
100              5.5                      EU
104              5.52                     EU
108              5.54                     EU
112              5.56                     EU
116              5.58                     EU
120              5.6                      EU
124              5.62                     EU
128              5.64                     EU
132              5.66                     EU
136              5.68                     EU
140              5.7                      EU
147              5.735                    USA
151              5.755                    USA
155              5.775                    USA
167              5.835                    USA

Understanding Probes & Beacons

PROBES:
• A Station sends a probe request frame when it needs to obtain information from another station. (For example, a station would send a probe request to determine which access points are within range.)

BEACONS:
• The Access Point (AP) periodically sends a beacon frame to announce its presence and relay information, such as timestamp, SSID, and other parameters regarding the access point

(Diagram: User Station sending Probes, Access Point sending Beacons)

Beacons: What They Tell ME About You
• Beacons disclose
  • Encryption
  • Authentication
  • Flaws in Design
  • Older Firmware
• Showing the Hacker the Weak Points
• THAT you NEVER SEE
• See Client Issues
• See your IPS and Management

Example of a beacon from a Cisco AP (screenshot)

Beacons are the RED CARPET of Wireless (image from: www.fotosearch.de)
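To check what your own access points disclose, the following added example (not from the original slides) parses a raw beacon frame and reports the fields a passive listener reads in clear text. The sample frames, the BSSID and the SSIDs `corp-legacy` and `corp-wpa2` are constructed for illustration.

```python
import struct

EID_SSID, EID_RATES, EID_DS_PARAMS, EID_RSN, EID_VENDOR = 0, 1, 3, 48, 221
WPA_IE_PREFIX = bytes.fromhex("0050f201")   # vendor element that carries WPA (pre-RSN)
RSN_OUI = bytes.fromhex("000fac")
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}


def parse_rsn(body: bytes) -> dict:
    """Decode pairwise ciphers and key-management suites from an RSN element."""
    pos = 2 + 4                               # skip version and group cipher suite
    out = {"pairwise": [], "akm": []}
    for key, names in (("pairwise", CIPHERS), ("akm", AKMS)):
        if pos + 2 > len(body):
            break
        (count,) = struct.unpack_from("<H", body, pos)
        pos += 2
        for _ in range(count):
            suite = body[pos:pos + 4]
            if len(suite) < 4:
                return out                    # truncated element: keep what was read
            if suite[:3] == RSN_OUI:
                out[key].append(names.get(suite[3], f"type-{suite[3]}"))
            else:
                out[key].append(suite.hex())
            pos += 4
    return out


def parse_beacon(frame: bytes) -> dict:
    """Return what a passive listener learns from one beacon frame."""
    if len(frame) < 36:
        raise ValueError("too short for a beacon (24-byte header + 12 fixed bytes)")
    (fc,) = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a management/beacon frame")
    _timestamp, interval, cap = struct.unpack_from("<QHH", frame, 24)
    info = {
        "bssid": frame[16:22].hex(":"),
        "vendor_oui": frame[16:19].hex(":"),  # first three bytes identify the vendor
        "beacon_interval_tu": interval,
        "ibss": bool(cap & 0x0002),           # ad hoc network
        "privacy": bool(cap & 0x0010),        # some form of encryption is required
        "ssid": None, "hidden_ssid": False, "channel": None,
        "rates_mbps": [], "rsn": None, "wpa": False,
    }
    pos = 36
    while pos + 2 <= len(frame):              # walk the tagged elements
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:
            break                             # truncated capture
        if eid == EID_SSID:
            info["hidden_ssid"] = elen == 0 or not any(body)
            info["ssid"] = body.decode("utf-8", "replace")
        elif eid == EID_RATES:
            info["rates_mbps"] = [(b & 0x7F) / 2 for b in body]
        elif eid == EID_DS_PARAMS and elen == 1:
            info["channel"] = body[0]
        elif eid == EID_RSN:
            info["rsn"] = parse_rsn(body)
        elif eid == EID_VENDOR and body.startswith(WPA_IE_PREFIX):
            info["wpa"] = True
        pos += 2 + elen
    if not info["privacy"]:
        info["security"] = "open"
    elif info["rsn"]:
        info["security"] = "WPA2/RSN"
    elif info["wpa"]:
        info["security"] = "WPA"
    else:
        info["security"] = "WEP"              # privacy bit set, no WPA/RSN element
    return info


def build_sample_beacon(ssid: bytes, channel: int, privacy: bool, rsn: bytes = b"") -> bytes:
    """Constructed test frame (not a capture)."""
    bssid = bytes.fromhex("020000aabbcc")
    header = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + bssid + bssid + struct.pack("<H", 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0001 | (0x0010 if privacy else 0))
    elements = bytes([EID_SSID, len(ssid)]) + ssid
    elements += bytes([EID_RATES, 4, 0x82, 0x84, 0x8B, 0x96])
    elements += bytes([EID_DS_PARAMS, 1, channel])
    if rsn:
        elements += bytes([EID_RSN, len(rsn)]) + rsn
    return header + fixed + elements


# Constructed RSN element: CCMP group and pairwise cipher, PSK key management.
SAMPLE_RSN = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")

if __name__ == "__main__":
    for sample in (build_sample_beacon(b"corp-legacy", 6, True),
                   build_sample_beacon(b"corp-wpa2", 11, True, SAMPLE_RSN)):
        print(parse_beacon(sample))
```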


Wireless Attack Surface

Signal emitted from a single access point.

Layered Approach to Security

(Diagram comparing Wired Networks and Wireless Networks. Wired Security Tools: Content Filtering, SSL VPN, Firewalls, Secure Perimeter, Anti Virus. Wireless: AirDefense. Other labels: Attack Sophistication, Damage, Predominant Attacks, Increased Vulnerability For Upper Layers)

Why Hack Wireless Networks?
• Direct access to internal network
  • Get “inside the door” and “on the wire”
  • Attacks bypass traditional security barriers
• Complete anonymity
  • No risk of being traced
  • Not being watched
• Tools abundant, cheap & easy to use
  • Mobility adds capability & cover
  • Huge attack surface

Wireless Sniffing: Why & What Happens
• Any clear-text is heard by everyone
• If you are using WEP, remember everyone has YOUR key
• Very common at hotspots
• Hashes are clear-text
• Most services still authenticate over clear-text, with no tunnels
• Internal/Corporate servers are at higher risk due to lower security

Enterprises Drowned in Insecure Wi-Fi

(Figure: Open APs around an office park. Wigle.net: over 12 million GPS-tagged Wi-Fi networks)

• Enterprises already have to deal with lots of unmanaged outbound wireless access
• Municipal Wi-Fi compounds the problem

Just a little Wigle

Over 12 Million Networks... With GPS… I know all your secrets!

Excerpt from Wigle, view of Berlin

Demo of Wigle on Google Earth: show „hpsetup, wireless, wlan“

Security is Never ABOUT JUST GOOD ENOUGH…
• Would you run your firewall for 6 minutes a day?
• Would you turn off your IDS?
• Would you allow All Traffic through your firewall?
• Would you leave Doors unlocked?
• Would you leave Keys in the Car?

What in the Air can Kill You?

#1 Corporate Vulnerability
• Even if the data is encrypted, the services that are run by the MAC address can be detected
• Remember wireless is LAYER 2; it will send out all Layer 2 traffic
  • VRRP, HSRP, Spanning Tree, OSPF, VTP/VLAN, CDP
• VLAN don’t help unless filtered
• MOST USE HASHES or PASSWORDS Clear-Text
• Broadcast/Multicast key rotation is OFF by Default
  • Client devices using static WEP cannot use the access point when you enable broadcast key rotation

It’s a two-way street, what goes out can also come in! Just an example, any other LAN switch will act similar.

Do You Know What You’re Leaking?
• Access Points Are Bridges
  • Not Routers
  • Not Firewalls
  • Not Filters
• Job is to forward all traffic to other side
• Forwards All Broadcast
  • Netbios
  • Windows
• Forwards All Multicast
  • CDP
  • Routing
• Information Used

Injection of Traffic
• Yersinia is a network tool designed to take advantage of some weaknesses in different network protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems.
• http://www.yersinia.net
• Attacks
  • Spanning Tree Protocol (STP)
  • Cisco Discovery Protocol (CDP)
  • Dynamic Trunking Protocol (DTP)
  • Dynamic Host Configuration Protocol (DHCP)
  • Hot Standby Router Protocol (HSRP)
  • 802.1q
  • 802.1x
  • Inter-Switch Link Protocol (ISL)
  • VLAN Trunking Protocol (VTP)

Examples of current Exploits
• Cisco CatOS VLAN Trunking Protocol Remote Command Execution Vulnerability
• Cisco IOS Multiple VLAN Trunking Protocol Code Execution and DoS Vulnerabilities
• Cisco Intrusion Prevention and Detection Systems DoS and Security
• Cisco Access Point Web-browser Interface Unauthorized Administrative Access and Bypass Issue

Yersinia….continued


Access Point
• Wireless access point (WAP or AP) is a device that connects wireless communication devices together to form a wireless network.
• Provides the Physical Medium to Clients and other AP’s
• Creates the Ethernet Cables in the AIR
  • Using Control and Management Frames to Build
• SHARED MEDIUM
  • Data is sent using data frames
  • Can not Transmit and Receive at the same time
  • Only on 1 Channel

(Diagram layers: Radio Firmware, Radio Software, AP Firmware, AP Software, 802.3 Bridge)

Part time Scanning = Part time Security
• Part-Time Firewall
• Part-Time Antivirus
• Part-Time Content Filtering
• Do you look at just Port 80
• Does Windows never need to be patched

Total Time in the Day is 6 Minutes of scanning

What about 802.11w or MFP? (Management Frame Protection)
• IEEE to the rescue… Again
  • Client has to Understand them!
  • Hmmm… What about Control Frames?
  • CTS/RTS Floods
  • Control Frames are more important than Management Frames for continual communication to the Client
  • 802.1x is not covered in it as well
  • Flawed at the start, protection will not help after
• Cisco MFP is NOT 802.11w
  • It’s just Signed Beacons using MIC (Message Integrity Checking)
  • It’s a Standard and will change
  • MFP = 802.11w NOT!
• Really just stops SIMPLE DOS attacks and Phishing Attacks
• Allows vendors to force standardized clients

Soft AP: Make any Laptop an AP
• Linux allows for any wireless device to become an AP
  • No special firmware required for the wireless LAN card
  • Supports normal laptop in Infrastructure and Ad hoc
  • Soft APs come and go
  • http://www.quetec.net
• Windows Drivers (Some cards still have it)
  • http://www.pctel.com
• Bootable Floppy disk AP’s
  • http://www.cqure.net/ , http://www.coyotelinux.com/

The ZyXEL AG-225H is the ultimate tool for the road warrior. It combines an 802.11a/b/g/Draft11n hotspot detector with an 802.11a/b/g USB 2.0 adapter all in a sleek device small enough to fit into any pocket. On the road, an instant Hot Spot can be created using the Software Access Point feature that is included in each and every AG-225H.

Monitor for Soft APs

Clients
• All Shapes and Sizes
  • Hotspots
  • Wi-Fi Phones
  • Free Access via OUI
• Many ways to attack clients
  • Scan
  • Exploit
  • Repeat
• But why do you have to?
  • Have the client come to you!
  • YOU KNOW WHAT THEY WANT!!!!!!!
  • Probe Request
  • Soft AP to the Probe Request

Attacking Wireless Clients
• Packets of Death
  • Plenty of them from handheld devices to laptops
  • Most are BAD packets
  • Usually Management or Control Frames
  • Some are Data
  • WEP Cracking is adding to the packets
• Fuzzing
  • Most are using cut through data rates (5.5 for Beacon Frames)
  • Most are simple buffer overflows
• Lots of things that go BOOM
  • Client Software
  • Authentication
  • Supplicants

http://www.802.11mercenary.net/lorcon/

Client MAC Address Spoofing

1. Find MAC address
2. Change MAC (SMAC, regedit)
3. Re-initialize card
4. Associate

(Diagram: User Station, MAC: 00 02 2D 50 D1 4E (Cisco 350), associated with the AP. Hacker: ORIGINAL MAC: 00 12 2D 50 43 1E (Orinoco Gold), NEW MAC: 00 02 2D 50 D1 4E)

www.klcconsulting.net/smac
SMAC is a MAC Address Modifying Utility (spoofer) for Windows 2000/XP and Server 2003 systems, regardless of whether the manufacturers allow this option or not.

MAC filtering is not enough

Windows Wireless Zero Configuration

1. Wireless Auto Configuration attempts to connect to the preferred networks that appear in the list of available networks, in the preferred networks preference order.
2. If there are no successful connections, Wireless Auto Configuration attempts to connect to the preferred networks that are hidden wireless networks. (No Beacon SSID)
3. If there are no successful connections and there is an ad hoc network in the list of preferred networks that is available, Wireless Auto Configuration tries to connect to it.
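The three steps above can be modelled to audit a laptop's preferred network list. This is an added example, not code from the original slides; the `Profile` and `Heard` types, the profile names and the audit wording are assumptions made for illustration, and the model is a simplification of the steps as listed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """One entry in the preferred networks list (constructed model)."""
    ssid: str
    hidden: bool = False       # network does not put its SSID in beacons
    adhoc: bool = False
    open_auth: bool = False    # no encryption or authentication configured


@dataclass(frozen=True)
class Heard:
    """A network the client can currently hear, or that answers its probes."""
    ssid: str
    adhoc: bool = False
    answers_probe_only: bool = False   # no SSID in beacons, replies to directed probes


def select_network(preferred, heard):
    """Apply the three steps in order; return (step, ssid) or None."""
    listed = {h.ssid for h in heard if not h.adhoc and not h.answers_probe_only}
    probed = {h.ssid for h in heard if not h.adhoc and h.answers_probe_only}
    adhoc = {h.ssid for h in heard if h.adhoc}
    for p in preferred:                # step 1: available preferred networks, in order
        if not p.adhoc and p.ssid in listed:
            return (1, p.ssid)
    for p in preferred:                # step 2: preferred networks marked hidden
        if not p.adhoc and p.hidden and p.ssid in probed:
            return (2, p.ssid)
    for p in preferred:                # step 3: available ad hoc preferred network
        if p.adhoc and p.ssid in adhoc:
            return (3, p.ssid)
    return None


def risky_profiles(preferred):
    """List profiles that let the client join a network on the name alone."""
    findings = []
    for p in preferred:
        if p.open_auth:
            findings.append((p.ssid, "open profile: any station using this SSID satisfies it"))
        if p.hidden:
            findings.append((p.ssid, "hidden profile: client sends probes naming this SSID"))
        if p.adhoc:
            findings.append((p.ssid, "ad hoc profile: used as fallback in step 3"))
    return findings


# Constructed preferred list; "hpsetup" is the ad hoc name mentioned on this page.
PREFERRED = [
    Profile("corp-wpa2"),
    Profile("hotel-guest", open_auth=True),
    Profile("lab-hidden", hidden=True),
    Profile("hpsetup", adhoc=True, open_auth=True),
]

if __name__ == "__main__":
    print(select_network(PREFERRED, [Heard("hotel-guest")]))
    for ssid, reason in risky_profiles(PREFERRED):
        print(f"{ssid}: {reason}")
```

Profiles reported by `risky_profiles` are the ones to remove or lock down through centrally managed client policy.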


Wireless Phishing
• Tools such as Karma can respond to ANY client probe request
  • Variety of services (POP, FTP and HTTP) to lure unsuspecting users
• No authentication of “pervasive wireless cloud”
• Automatic network selection in Windows (Zero Configuration Client) and Macs is dangerous
  • Enterprises need to manage centralized policies
• Karma (http://theta44.org/karma/index.html)
• AirSnarf (http://airsnarf.shmoo.com/)

One-way Injection: Airpwn
• Monitors wireless traffic & responds with content as configured
• Response from airpwn is faster than real network
• With airpwn, you are the network!

(Diagram: the client's Request reaches both the real network, which answers in x ms, and airpwn, which answers in less than x ms)

http://sourceforge.net/projects/airpwn/

Man-in-the-Middle Attack: WLAN Jack & Air-Jack Tools

Allows attacker to:
• Intercept ALL communications between the client & AP
• Pretend to be the client without disrupting the client’s session at Layer 2

Possible due to:
• Management frame’s lack of authentication / Lack of AP authentication

• Step 1: Disassociation of Target station from AP by spoofing the MAC of the AP and sending Disassociate & Deauth Frames
• Step 2: Attacker re-associates target to Malicious station and connects to AP

(Diagram: Target, Dual-Card Attacker, AP, Server)

Data Seepage
• Your notebook is not location-aware
  • Office or Home or Hotspot
• Interfaces are Active by order
  • Last Interface is usually Wifi
• Wants to always connect to something
  • Just someone to offer you a connection
• All data is same
  • Company Name
  • Servers
  • Email
  • Clients
  • Applications
  • And More…

(Diagram: “What am I connected to?” with Office, Home, Hotspot)

Your Interfaces and YOU!
• Last Interface Active becomes primary Interface
  • Requires a Default Route to be set or Given (DHCP)
• Your Wireless is not ACTIVE until it connects
  • Did you see the bubble?
  • Now ALL traffic will go out that Interface
• I control your Interface, I control the client
  • Oh, your Firewall will not protect you, since YOU asked for this connection

Printers
• HP Printers
  • Jet Direct Cards come Wirelessly Enabled
  • Bluetooth and 802.11
  • Support for WPA, WEP, 802.1x/EAP
  • hpsetup
  • Ad-Hoc
  • By factory default, the default address 192.0.0.192 will be automatically assigned
• What can I do
  • Load Firmware
  • Change the LCD
  • http://www.phenoelit.de/hp/download.html
  • See what's been printed
    • /saveDevice/DigitalSend/jobs
    • /fax
  • Sniff Print Jobs
    • Dest Port 9100

Exploiting is too Easy!
• Vx.netlux.org
• MVBSWE
• Worm Editors
• Virus Editors
• Script Editors

Do you Trust your Hotspot Web Page? Corporate Guest Access?

Zero Day Alerts
• http://www.frsirt.com/
• http://www.cert.org
• http://nvd.nist.gov

FrSIRT delivers vulnerability and threat alerts, 24/7, 365 days a year, to inform organizations of new potential threats. Our services are designed to deliver notification of vulnerabilities and exploits as they are identified, providing timely, actionable information and guidance to help mitigate risks before they are exploited.

FYI: Cisco Flaw on WCS Switch Will turn Switch to default PWD


ZERO Day New Attacks
• Zero-Day attacks against known services
• Zero-Day attacks against IE, Firefox
  • Remote Exploits
  • I am on your system as YOU!
• New Trojans and Virus ready for Injection
• Favorite exploits
  • NEW
  • WMF
  • Media Player
  • Java Exploits

www.milw0rm.com

Fuzzing Attacks from Milw0rm.com
• Real Code… Real Attacks
• Broadcom
  • http://www.milw0rm.com/exploits/2770
• Atheros
• Apple
  • http://www.milw0rm.com/exploits/2700
• Intel

Sniffing Enterprise Secrets
• Hackers can sniff passwords and credentials
  • FTP, HTTP, POP3 and IMAP passwords
  • Hashes can be cracked – NTLM, MDx, SHA-x, OSPF, CDP, et al
  • Certificates and Keys Stolen
• Pervasive wireless makes this easy

Hacking Password Hashes
• Get virtually any password
• Offline & passive
• LEAP, PPTP, MS-CHAPv2, MD-5
• Search hash list to find password
• Large password list to generate hashes
  • Requires 3-5 GB of space
• Rainbow tables are indexed hash lists
  • Required 2-3 TB of space
  • Known tables exist for up to 14 characters
  • http://rainbowtables.shmoo.com/
  • http://www.antsight.com/zsl/rainbowcrack/
  • http://www.rainbowcrack-online.com/

http://www.antsight.com/zsl/rainbowcrack/

99,909%


Listening in on VoIP Conversations using Cain

Cain & Abel
• Decode SIP conversations
• Recorded as WAV files
• Caller ID intercepting

Snarfing
• Hot Spots
  • Security question: Connecting to an untrusted network and launching the most vulnerable program you have just screams “E X P L O I T M E”!!!!
• Fake web pages
  • Steals your Hotspot Password
• Evil web pages
  • Infect your PC with Malware
• My Web pages
  • Steal your NT Password
  • 1x1 pixel
  • Cross Site Scripting
  • Installs Trojans
  • Installs Spyware
  • Opens back doors
  • Changes Registry
  • Adds User Account
  • Shares Files and such
• Oops you just opened a web page, that’s all!!!!!

Wireless Threat Status


Firewall Myths

“Firewall only” approach to network security

Firewalls:
• Cannot stop rogue wireless devices
• Do not eliminate the need for wireless scanning for rogues
• Do not protect against wireless attacks
• Once a hacker is on the network they can punch through open ports
• Access Control Lists are weaker than Firewalls
• Best bet is to keep hackers off the network

VPN Myths

A Layer 3 solution to a Layer 2 problem
• Allows the hacker to get onto open Wi-Fi network and exploit network or clients for weaknesses
• Client cannot run on many embedded devices (e.g., wireless scanners, VoWi-Fi handsets, etc.)
• Subnet roaming is problematic
• Less performance and more overhead
• Break weak encryption & authentication
  • Re-authentication on weak ciphers
  • Dictionary attacks on weak ciphers
• Protocol & server flaws exposed
  • IKE Aggressive mode
  • Pre-shared keys
  • Exploiting bugs in VPN server

(Diagram labels: VPN, WIPS, Wireless Security)

VLANs
• Virtual Local Area Networks
  • A logical grouping of devices or users
  • Users can be grouped by function, department, application, regardless of physical segment location
  • VLAN configuration is done at the switch (Layer 2)
  • WIRELESS is not the SAME (Spoofing is EASY)
• VLAN Membership
  • Static VLAN Assignment
    • Port based membership: Membership is determined by the port on the switch and not by the host.
  • Dynamic VLAN Assignment
    • Membership is determined by the host’s MAC address. Administrator has to create a database with MAC addresses and VLAN mappings

Guest Networking Issues on VLANs
• Guest access to the Internet via WLAN
• IP address for the WLAN client via a DHCP server that sits in the corporate network, including DNS server credentials
• Sometimes a split, but that does not help either… as the DNS server is still in the corporate LAN…
• Issues: DHCP DoS, DNS DoS, VLAN hopping, among others

(Diagram legend: 1q VLAN used for guest, “tunnelled”; DHCP address supplied containing DNS server information; DNS request from client. Diagram labels: Internet, DNS Server, DHCP Server, Access Point, WLAN SSID, Guest)

VLAN Hopping

Basic VLAN Hopping Attack
• Attacker fools switch into thinking that he is a switch that needs trunking

Double Encapsulated VLAN Hopping Attack
• Switches perform only one level of IEEE 802.1q decapsulation
• This allows the attacker to specify a .1q tag inside the frame, allowing the frame to go to a VLAN that the outer tag did not specify

(Diagram: SSIDs Corp, Guest, OLD and VOIP mapped to clients Corp, VOIP, OLD and Guest; labels: WPA-2, WEP Only)
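A monitoring-side check for the double-encapsulation case described above, as an added example that is not part of the original slides: it walks the 802.1Q tag stack of a raw Ethernet frame and reports frames that carry more than one tag or arrive tagged on an access port. The port modes, VLAN IDs and sample frames are constructed, and the native-VLAN condition in the last finding is the standard precondition for this attack rather than something stated on the slide.

```python
import struct

TPIDS = {0x8100, 0x88A8}   # 802.1Q customer tag and 802.1ad service tag


def vlan_stack(frame: bytes):
    """Return ([vid, ...] outermost first, final EtherType) for an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    pos, vids = 12, []
    (ethertype,) = struct.unpack_from("!H", frame, pos)
    while ethertype in TPIDS:
        if pos + 6 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, pos + 2)
        vids.append(tci & 0x0FFF)          # low 12 bits of the TCI are the VLAN ID
        pos += 4
    return vids, ethertype


def assess_ingress(frame: bytes, mode: str, native_vlan: int = 1):
    """Findings for one frame received on a port in 'access' or 'trunk' mode."""
    vids, _ = vlan_stack(frame)
    findings = []
    if mode == "access" and vids:
        findings.append("tagged frame on access port")
    if len(vids) >= 2:
        findings.append(f"double-tagged: outer VLAN {vids[0]}, inner VLAN {vids[1]}")
        if vids[0] == native_vlan:
            findings.append(
                f"outer tag equals native VLAN {native_vlan}: after one "
                f"decapsulation the frame travels on VLAN {vids[1]}"
            )
    return findings


def build_frame(vids, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed test frame: locally administered MACs, IPv4 EtherType."""
    frame = bytes.fromhex("02000000000a") + bytes.fromhex("02000000000b")
    for vid in vids:
        frame += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    return frame + struct.pack("!H", 0x0800) + payload


if __name__ == "__main__":
    samples = {
        "untagged guest frame": build_frame([]),
        "single tag": build_frame([30]),
        "double tag, outer = native": build_frame([1, 10]),
    }
    for name, frame in samples.items():
        print(name, "->", assess_ingress(frame, mode="access", native_vlan=1))
```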


Rogue Threat

• Always bigger than you believe
  • Access Points
  • Stations – Laptops
  • Other Devices
    • Phones
    • PDA’s
• Have to look to find them
  • No other way
• Found it, Now What
• Evil Rogues
  • Other Channels
  • Quiet – no broadcast
  • On & Off

• Why are they so HARD?
  • Not Solving a Problem
  • Requires Collaboration
    • Human Resources
    • Upper Management
• No Easy Fix
• Wireless Everywhere
• Need to know things
  • Is it on my network?
  • Did it send data?
  • Who connected?
  • How long were they connected?
• Oops I was not watching!

Eliminate Rogues Connected To The Network

1 Detect Rogue Devices
• APs, laptops & specialty devices
• Ad-hoc networks & accidental associations
• Search wired networks for rogues

2 Assess Threat Level
• Prioritize based on threat level
• Identify rogues connected to the network
• Ignore neighboring networks

3 Analyze Connections
• In-depth analysis of rogue activity
• Who was connected to the rogue
• How much data transmitted

4 Eliminate Rogue Threat
• Automated & manual termination
• Wireless or wired termination
• Stop devices even when they roam
• Locate rogue devices in real-time

Rogue Alarms
• Rogue AP on Switch
• Rogue AP on Wired Network
• Rogue Station
• Rogue Station on Switch
• Suspected Wireless Device on Wired Network

Active Over the AIR!!!!!!!

Active Rogue Detection is another name for “WE DON’T Know”

(Labels: Unauthorized Access Point, Cisco Rogue Detection, CLUELESS WIPS Vendors)

• Will send Internal IP address over the Air in clear text using UDP
• AP is being an AP; it can be used as a Leap point into the network
• 2 Way Street
• DHCP Address
• Easy Attack Point (Connect to the bad guy)
• Automated connects to everything
• ONLY WORKS for Un-Encrypted Networks
• More Dangerous to use than

Cisco Rogue Detection & Forensics
• Gathers 12 statistics per device
• Must search through the complete list of devices to locate the specific switch and then log into the switch directly to even get the 12 stats
• No forensic capability to analyze when/what/how
• This screen shows what a Rogue running a Karma attack looks like

(Screenshot with rotated overlay text; the overlay is not recoverable from the extraction)

DOS of the RF Medium
• Physical Layer Attacks or Jamming
  • There is nothing you can do about RF jamming short of triangulating the jamming device and tracking its owner.
  • http://www.globalgadgetuk.com/wireless.htm
• Frame Deletion Attack
  • Corrupt the bypassing frame's CRC-32 so that the receiving host will drop it. The attacker sends a spoofed ACK frame to the sender telling it that the frame was successfully received.
• DoS Attacks Based on Specific Wireless Network Settings
  • There are somewhat obscure attack possibilities based on exploiting specific Layer 2 settings of 802.11 LANs, such as the power-saving mode, virtual carrier sense, and (RTS/CTS)-enabled networks.

Misconfigurations are Common
• Here is why
  • Confusing
  • WEP, WPA, WPA-2
  • Backwards Compatibility
  • VLAN’s
  • 802.1x
  • Make it Work
  • Client issues too
  • Makes PKI look Simple

”Through 2006, 70% of successful WLAN attacks will occur because of misconfigured access points or client software.” Gartner Group

It’s Encrypted
• Is it really encrypted??
• In some APs, “Both” is typical security
• No to show that data is encrypted
• The #1 AP Vendor
  • Enable WEP, MIC, and TKIP: Set the WEP level and enable TKIP and MIC
  • “If you enter optional, client devices can associate to the access point with or without WEP enabled. You can enable TKIP with WEP set to optional but you cannot enable MIC. If you enter mandatory, client devices must have WEP enabled to associate to the access point. You can enable both TKIP and MIC with WEP set to mandatory.” www.cisco.com

WEP Summary of Attacks
• 23 Known Attacks against WEP
• WEP Attacks
  • Lack of IV replay protection
  • Short IV sequence space
  • RC4 vulnerabilities due to WEP’s implementation
  • Linear properties of CRC32 (allows bit flipping)
  • Lack of keyed Message Integrity Checking (MIC)
  • Use of shared keys

Shows that Implementation is VERY IMPORTANT

Breaking WEP
2001: Un-crackable
2003: Years
2004: Days
2005: Hours
2006: Minutes
2007: Seconds

Ultimate Hacking tool for WEP: http://www.aircrack-ng.org/

What is AirDefense WEP Cloaking?
• WEP was the old 802.11 encryption standard
  • WEP is broken
  • 128-bit WEP takes a couple of minutes to crack
• There are lots of legacy WEP devices deployed
  • Wireless scanners/barcode readers, VoWLAN phones, embedded Wi-Fi clients, etc.
  • Many are not firmware upgradeable
• New regulations require upgrades
  • E.g. PCI requires retailers to move to WPA(2) starting in 2007
• AirDefense has technology that makes WEP uncrackable, integrated into its wireless IPS
  • Tremendous savings over forklift upgrades to all WEP infrastructure
  • Enhances shelf-life of newer wireless security standards (WPA, etc.)
  • Plus all the benefits of the world’s best wireless IPS solution

Legacy Encryption Protection
AirDefense WEP Cloaking™

WEP cracking tools fail when AirDefense WEP Cloaking is enabled

PCI Standard Section 4.1.1

“Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN.”

WPA / WPA2 as the solution?
• NO, only to a limited extent!
• WPA is, if anything, easier to hack than WEP
• WPA2 has many EAP issues
• WLAN phishing (hotspot SSIDs) still works as soon as such a device is at the hotspot!

WPA-PSK
• The PSK version of WPA suffers from an offline dictionary attack because of the BROADCASTING of information required to create and verify a session key.
• In WPA, the PMK (master key) is produced by running a special function on a preshared pass phrase and an SSID. Both the host and the AP use this PMK, along with MAC addresses and nonces, in order to create the PTK (session key).

PMK = PBKDF2(passphrase, ssid, ssidLength, 4096, 256)

PTK = PRF-512(PMK, “Pairwise key expansion”, Min(AP_Mac, Client_Mac) || Max(AP_Mac, Client_Mac) || Min(ANonce, SNonce) || Max(ANonce, SNonce))

Handshake between Client and Access Point (both hold the PMK):
1. Access Point → Client: EAPOL-Key (Anonce). The Client generates the Snonce and derives the PTK.
2. Client → Access Point: EAPOL-Key (Snonce, MIC, RSN IE). The Access Point derives the PTK.
3. Access Point → Client: EAPOL-Key (Anonce, MIC, RSN IE). The Client installs the keys.
4. Client → Access Point: EAPOL-Key (Snonce, MIC). The Access Point installs the keys.

WPA Tools (Easier than WEP)
• http://sourceforge.net/projects/ptcrack/
  • A hybrid dictionary/brute passphrase search tool for PMK discovery on 802.11 networks using WPA with preshared keys (PSKs)
• http://www.churchofwifi.org
  • coWPAtty 3.0 is designed to audit the security of pre-shared keys selected in WiFi Protected Access (WPA) networks
  • Rainbow-Like Tables: http://umbra.shmoo.com:6969/torrents/wpa_psk-h1kari_renderman.torrent
  • The resulting list is ~1,000,000 words for a total of approximately 40GB of hash tables for the top 1000 SSID's
• AirCrack-NG
  • Built in WPA cracker since version 2.3
  • http://www.aircrack-ng.org/
• http://www.tinypeap.com/page8.html
  • WPA Cracker is a brute force Password cracker, all information entered manually.
• Rogue Squadron WRT firmware
  • http://airsnarf.shmoo.com/rogue_squadron/index.html
• If you use 21 Character Pass-Phrase you are safe?
  • How many clients and AP’s let you enter in 31 Characters?
  • What Happens when you Reach and overlap with SSID?

Cracking speed: 2006: 80 keys per second; 2007: 130 keys per second; 2007: 30,000 keys per second

WPA2 – 802.1x Vulnerabilities
• 802.1x + 802.11 vulnerable
  • Session Hijacking
  • Man In The Middle
• Asymmetric treatment of supplicants and APs
• PSK still used for Key Management
• Flawed assumption: AP trusted
• EAP-TLS does provide mutual authentication. Still susceptible to MITM
• Lack of 802.11 management frame integrity
• Lack of state machine synchronization between AP and supplicant

Figure: 802.1x Session Hijacking

PMK = PBKDF2(passphrase, ssid, ssidLength, 4096, 256)

EAP standard variants within WPA and 802.1x have known vulnerabilities. Vendor interoperability is still limited.

802.1X Attacks (They Live)

802.1X RADIUS Cracking: Recovering RADIUS secret by brute force from 802.1X access request, for use by evil twin AP.
802.11 Frame Injection: Crafting and sending forged 802.11 frames.
802.11 Data Replay: Capturing 802.11 data frames for later (modified) replay.
802.11 Data Deletion: Jamming an intended receiver to prevent delivery while simultaneously spoofing ACKs for deleted data frames.
802.1X EAP Replay: Capturing 802.1X Extensible Authentication Protocols (e.g., EAP Identity, Success, Failure) for later replay.
802.1X RADIUS Replay: Capturing RADIUS Access-Accept or Reject messages for later replay.
802.1X Identity Theft: Capturing user identities from cleartext 802.1X Identity Response packets.
802.1X Password Guessing: Using a captured identity, repeatedly attempting 802.1X authentication to guess the user's password.
802.1X LEAP Cracking: Recovering user credentials from captured 802.1X Lightweight EAP (LEAP) packets using a dictionary attack tool to crack the NT password hash.
802.1X EAP Downgrade: Forcing an 802.1X server to offer a weaker type of authentication using forged EAP-Response/Nak packets.
802.11 TKIP MIC Exploit: Generating invalid TKIP data to exceed the target AP's MIC error threshold, suspending WLAN service.
802.11 Deauthenticate Flood: Flooding station(s) with forged Deauthenticates or Disassociates to disconnect users from an AP.
802.1X EAP-Start Flood: Flooding an AP with EAP-Start messages to consume resources or crash the target.
802.1X EAP-Failure: Observing a valid 802.1X EAP exchange, and then sending the station a forged EAP-Failure message.
802.1X EAP-of-Death: Sending a malformed 802.1X EAP Identity response known to cause some APs to crash.
802.1X EAP Length Attacks: Sending EAP type-specific messages with bad length fields to try to crash an AP or RADIUS server.
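A detection-side view of two entries in the list above, the Deauthenticate flood and the EAP-Start flood, as an added Python example (not AirDefense's detection logic). The frame tuples, MAC addresses, window and threshold are constructed values and assumptions chosen for illustration.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "02:00:00:00:00:01"          # constructed, locally administered MACs
CLIENT_A = "02:00:00:00:00:0a"
CLIENT_B = "02:00:00:00:00:0b"

def sample_frames():
    """Constructed capture summary: (timestamp_s, kind, source, destination)."""
    frames = [
        (1.00, "deauth", CLIENT_A, AP),        # ordinary client leaving
        (2.50, "eapol-start", CLIENT_A, AP),   # ordinary 802.1X logon
        (3.10, "disassoc", AP, CLIENT_A),      # ordinary AP-side cleanup
    ]
    # 40 deauths in 0.4 s carrying the AP's address as source, sent to broadcast.
    frames += [(5.0 + i * 0.01, "deauth", AP, BROADCAST) for i in range(40)]
    # 30 EAPOL-Start frames in 0.6 s from one station to the AP.
    frames += [(20.0 + i * 0.02, "eapol-start", CLIENT_B, AP) for i in range(30)]
    return frames

def detect_floods(frames, window=1.0, threshold=10):
    """Return one alert (family, src, dst, first_ts) per stream that reaches
    `threshold` frames within `window` seconds."""
    recent = defaultdict(deque)   # (family, src, dst) -> timestamps in window
    alerted = set()
    alerts = []
    for ts, kind, src, dst in sorted(frames):
        if kind in ("deauth", "disassoc"):
            family = "deauth/disassoc"   # same effect on the station: count together
        elif kind == "eapol-start":
            family = kind
        else:
            continue
        # src is only the *claimed* sender: these frames carry no integrity
        # protection, so a forged deauth shows the real AP's address here.
        key = (family, src, dst)
        stamps = recent[key]
        stamps.append(ts)
        while stamps and ts - stamps[0] > window:
            stamps.popleft()
        if len(stamps) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((family, src, dst, stamps[0]))
    return alerts

if __name__ == "__main__":
    for alert in detect_floods(sample_frames()):
        print("ALERT", alert)
```

The three ordinary frames stay below the threshold, so only the two bursts raise alerts; in practice the window and threshold need tuning against the normal roaming and logon rate of the site.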

WPA Issues
• Using WPA-PSK (Personal)
  • Pre-Shared Keys “AGAIN”!
  • That bad, right?
  • Passwords “AGAIN”!
  • AGGGGGGGGGH!!!!!!!
  • That bad too!
• Look at the Arrows
  • IMPLEMENTATION IS IMPORTANT
  • Remember WEP

And Other Supplicants

SO ANY CERTIFICATE WILL DO

All the Hard work and a check-box ruins it

Hard to beat, unless you OWN THE DNS Server

Next Generation Wireless Attacks
• 802.1x State Machine
  • Client initiated disconnection
  • Assumes everyone plays nice
• Fuzzing Attacks will Expand
  • Intel driver issues
  • 802.1x supplicant issues
  • AP issues
  • Exploit More EAP-Types
• Windows Vista
  • Wireless stack rewritten
  • Good news
    • Support for many EAP types
    • Providing for XP too
  • Bad news
    • Hacking tools ported to Windows
    • Built in Network Address Spoofing
    • Point and click “hacking”
• TLS is not secure in Windows

The AirDefense Product Family The AirDefense Enterprise Solution

Tools for Administrators

Analyze AirDefense Server

Protect Enterprise Perimeter

AirDefense Sensor

Protect Mobile User

HEADQUARTERS

Plan & Validate

AirDefense Personal Agent

REMOTE OFFICES

Real-time snapshot of local wireless activity

MOBILE USERS

Accurate RF simulation tool for coverage analysis

In-field measurements of wireless deployments

The AirDefense Solution

Appliance Hardware

Sensor Models Quick Reference

| | Model 510 | Model 520 |
|---|---|---|
| Radios | dual radio: a & b/g | dual radio: a & b/g |
| Radio Receive Sensitivity | -92dBm @ 1Mbps (802.11b); -87dBm @ 6Mbps (802.11g); -87dBm @ 6Mbps (802.11a) | -93dBm @ 1Mbps (802.11b); -88dBm @ 6Mbps (802.11g); -88dBm @ 6Mbps (802.11a) |
| Antenna | Internal antennas, omni-directional | Removable, external antennas, omnidirectional |
| Antenna Gain | +2dBi (2.4GHz); +3dBi (5GHz) | +2dBi (2.4GHz); +5dBi (5GHz) |
| Removable antenna capable | Yes, external SMA connectors | Yes, external RP-SMA connectors |
| Mounting | Bracket included | Bracket included |
| Mounting options | Ceiling, Ceiling Tile, Wall Mount | Ceiling, Wall Mount |
| DC Adapter Input | N/A | 110-240VAC 50-60Hz Universal Power input |
| Power-over-Ethernet | 802.3af compliant | 802.3af compliant |
| Plenum (UL 2043) | FCC, UL/CSA, CE, Plenum (UL2043), ROHS | FCC, UL/CSA, CE, Plenum (UL2043), ROHS |

Comprehensive Intrusion Detection

200+ Threats Detected
• Reconnaissance & Probing
• Various DoS Attacks
• Identity Theft, Malicious Association
• Dictionary Attacks
• Security Policy Violations
• Clear-text Leakage

Minimal False Positives
• Correlation across multiple detection engines reduces false positives
• Most accurate attack detection

Day Zero Attacks
• Anomalous behavior engines ensure protection against all Day Zero / unknown attacks

Automated Protection

Wireless Termination
• Terminates target device only – minimal disruption to rest of network
• Automated or on-command disconnect
• Authorization required, audit trail maintained
• Compliant with applicable laws & FCC regulations

Wired-side Port Shutdown
• Port look-up and suppression
• On-command shutdown

Diagram labels: AirDefense Server, AirDefense Sensor, Neighboring AP, Switch, Laptop, Rogue AP on Network, Accidental Association; ALERT! PORT SUPPRESSED!; ALERT! TERMINATED!

PCI Standard Section 11.4

Use network intrusion detection systems, host-based intrusion detection systems, and/or intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up to date.

Policy Compliance

Define → Monitor → Enforce (COMPLY)

Run compliance reports for:
• PCI Report
• Financial (GLBA)
• Federal Govt. (DoD 8100.2)
• Corporate (Sarbanes Oxley)

Screenshot label: PCI Compliance Report

PCI Standard Section 11.1

Use a wireless analyzer at least quarterly to identify all wireless devices in use.

Troubleshoot Wireless Network Performance

Remote Troubleshooting
• View remote devices & channels with LiveView
• Identify connectivity & throughput issues
• Decode 802.11 frames in real-time
• Perform remote frame captures

Network Usage & Performance
• Determine over-utilized APs & channels
• Pinpoint network congestion
• Find bandwidth hogs
• Analyze utilization & congestion trends

Availability
• Notify administrators of AP failures
• Create inventory list of all devices
• Report devices missing from the network
• Maintain wireless service level agreements

Screenshot labels: Live View of Devices, Report WLAN Usage

Live Wireless Troubleshooting
• AirDefense LiveRF – Proactive troubleshooting & performance monitoring
  • Assess Capacity Based on Application
  • Identify Interference Sources
  • Find Coverage Holes
  • View Impact to Throughput

Resolve interference, capacity, & coverage problems remotely!

Performance Monitoring
• Identify wireless performance problems quickly
• Flag location, group, and device impacted

AirDefense LiveRF
• View real time performance and coverage issues
• Identify source and location of interference sources

Screenshot labels: LiveRF Noise View, Identify Location of noise source

AirDefense Mobile
Detect • Analyze • Locate
• Real Time Device Discovery & Connection Analysis
• Advanced Rogue Management with Threat Indicators
• Real-time Threat Detection & Alarm Expert Help
• Advanced Location Tracking
• Live View for Traffic Analysis
• Wireless Network Usage Statistics & Health Analysis
• Capture file playback for off-site analysis and reporting
• Advanced Diagnostics tools for Troubleshooting

Cost-Optimized, Mobile Security Tool

Integrated with AirDefense Enterprise
• Import Authorized Device List from Enterprise to Mobile
• Synchronization of authorized & rogue wireless devices for specified locations
• Rogue Device Information can be imported for problem resolution & device tracking

Screenshot labels: Device Tree, Frames & Bytes Transferred, Event Messages, Live View

DOWNLOAD links for AirDefense Mobile
• http://www.airdefense.net/products/admobile/AirDefense_Mobile.zip

Please send me an email ([email protected]) once the download has completed; I will send you an eval license key shortly.

• Documentation for AirDefense Mobile can be found at: http://www.airdefense.net/products/admobile/AD_Mobile_Documentation.zip

AirDefense Mobile supports the following:
A laptop running Microsoft® Windows® XP SP1/SP2 or Windows 2000 SP4 with 256MB RAM and PIII 800Mhz Processor or higher (512MB RAM Recommended).
One of the following 802.11 a/b/g wireless cards:
* Cisco® 802.11 a/b/g Cardbus Wireless LAN Client Adapter CB21AGA-K9
* Netgear® WAG511 V1 or V2
* Linksys® WPC55AG (V1.0, V1.1, V1.2 or V1.3 Firmware)
* Ubiquiti Networks SuperRange Cardbus Adapter

An inexpensive recommendation: Netgear WAG 111, price 54.90 euros, available e.g. from Snogard: http://www.snogard.de/index.php?kategorieId=114&artikelId=WIRELESNET-13 , as well as from other vendors.

AirDefense Personal
Mobile Workforce Protection
• AirDefense Personal is a small software agent that runs on Windows laptops, monitors for wireless exposures, and notifies the user and AirDefense Personal Central Manager
• Continuous protection & policy enforcement for mobile users on the road or at their office for all wireless networks including Wi-Fi, EV-DO, 3G, GPRS etc.
• Ensure that wireless protocols prohibited by your policy are not used
• Complements personal firewalls & host-based IDS systems that don’t protect against wireless attacks

Diagram labels: CENTRALLY-DEFINED POLICIES, Policy Enforcement, Central Reporting & Notification, INTERNET, AirDefense Enterprise Appliance, AirDefense Personal Agents, ALERTS

AirDefense Personal Alarm and Alert for Danger

Monitor the End User

Can perform automated responses, such as turning off the adapter or preventing connection

AirDefense Architect
Rapid WLAN Design & Management
• Complete 3D RF design & simulation of WLANs based on building specific environments
• Industry leading accuracy to optimize AP & sensor coverage
• Compare site-survey measurements to expected network performance, enabling real-time design modifications
• Avoid costly retrofits, minimize deployment costs & increase ROI

Step 1: Import Floor plans
Step 2: Matl. Characteristics
Step 3: 3D Building
Step 4: Simulation & Optimization

Summary
• Wireless is a “business enabler” and, as a component of today's data networks, has become indispensable
• Unmonitored wireless systems pose a great danger to the entire network!
• AirDefense offers market-leading solutions that allow comprehensive security management and thus control of WLANs, combined with the ability to isolate faults quickly (troubleshooting)
• The overall solution is a centrally managed system with comprehensive
• It is a completely passive system, so no security-relevant parameters are disclosed
• Investment protection for WEP & WPA devices
• Supplemented by AirDefense Personal for mobile end devices

Some closing thoughts....
• Are you really sure that the WLAN you operate is not the “local” broadcaster for sensitive research and scientific data?
• There is always at least one interested party for interesting data.
• Protect your IT data networks properly, before you
  In the end it is about university sites, their reputation, and money!
• We are happy to help and offer the solution that fits your environment!

Contact:

[email protected] Mobile: +49 162 647 0053