Which of the following is an example of an attack using a rogue access point?

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

Bob builds a rogue AP using a laptop running a Windows or UNIX operating system. Assuming that he used UNIX, he can enable the server to act as an AP using HostAP. In addition, Apache server can be used to host the phishing site locally on the rogue AP. Dnsmasq is installed and used as a local DNS and DHCP server.

After building the rogue AP, a Chase bank phishing site can be set up on the Apache server. A poisoned DNS entry is then added to Dnsmasq, replacing the legitimate chase.com IP with the IP hosting the spoofed site: address=/chase.com/129.119.1.1 in the dnsmasq.conf file, where 129.119.1.1 is the IP address of the local server hosting the attack. Using Apache virtual hosting, the bad actor can host multiple phishing sites, similar to the example shown in Figure 6.3.


Figure 6.3. Apache Virtual Host Configuration


URL: https://www.sciencedirect.com/science/article/pii/B9781597492980000069

Microsoft Vista: Wireless World

In Microsoft Vista for IT Security Professionals, 2007

Detecting and Protecting against Rogue Access Points

Protecting against rogue access points is an ongoing task for security engineers. You never know when an employee will plug a wireless device into the network and expose it to attackers. Following are some measures you should take to detect and protect against rogue access points:

Follow corporate policy and be aware

Insist on mutual authentication

Employ sniffers and WIDS

Employ central management and detection

Employ physical detection

Employ wired detection

Corporate Policy and User Awareness

Employees who install access points often do not understand the security risks of their actions. To avoid this and enforce your security policy, you must implement a wireless security policy that mandates that all employees obey proper security measures and coordinate the installation of any network equipment with your information technology (IT) department. You must audit this policy and communicate it to your employees on a regular basis. A security policy works only if employees are aware of it and obey it.

Mutual Authentication

Mutual authentication of the user and the authenticator prevents a rogue access point planted by an attacker from harvesting a corporate user’s credentials when that user attempts to authenticate to it.

Sniffers and WIDS

You can use sniffer tools and a Wireless Intrusion Detection System (WIDS) to continually watch the air for any wireless signals and data passing through. Then you can match detected signals against a list of valid wireless devices to determine whether any rogue access points are present.

Central Management and Detection

Vendors such as Cisco Systems provide central management solutions for enterprise network clients to manage their wireless security. One feature of such solutions is the ability to detect rogue access points. Access points as well as wireless clients are turned into an army of scanners and auditors. This army then reports to the central management server any security findings within the signal area. For example, say a client with a wireless laptop is walking around campus using his wireless connection and he detects two other access points nearby. He reports these two access points to his wireless gateway router, and that information is then passed to the central management server. The central management server compares the detected access points against its access list to determine whether rogues have been found. If it determines that the detected access points are rogues, the server calculates the rogues’ position using the wireless network within the area and sends an alert to the security administrators that rogues have been detected.

Physical Detection

Sometimes all you have to do is to walk around the office, looking for unauthorized devices and access points plugged into wired ports at users’ desks. If you find an unauthorized access point plugged into a wired network, you should turn it off and inform the user of your corporate security policy against unauthorized network devices.

Wired Detection

You can scan your wired network with an application such as Nmap to detect what is plugged into it and where. Each network device has its own set of signatures, which define the way it acts and reacts to certain probes. These signatures are used to identify the types of devices plugged into your network. For example, say you have a network dedicated to user desktops against which you run your Nmap scanner, and you notice that five of the desktop Internet Protocol (IP) addresses are running HTTP (port 80) and Telnet (port 23) services. There is no reason a desktop should be running these services; hence, this immediately raises a red flag and gives you a reason to investigate.
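As an added illustration of this wired-detection idea (not code from the book), the following Python parses Nmap grepable (-oG) output for a desktop-only subnet and flags any host exposing services a desktop should never run. The -oG line layout is Nmap's own; the subnet, hostnames and port policy are constructed.

```python
"""Flag desktop-VLAN hosts that expose services a desktop should never run,
from an Nmap grepable (-oG) report.

Added example for the wired-detection technique described above; it is not
code from the book. The -oG line format is Nmap's own (tab-separated
"Key: value" fields; each "Ports:" entry is
port/state/protocol/owner/service/rpcinfo/version), while the subnet,
hostnames and port policy below are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed policy for a desktop-only segment: the passage singles out
# HTTP (80) and Telnet (23) as services with no business on a desktop.
FORBIDDEN_TCP_PORTS = {23: "telnet", 80: "http", 443: "https", 21: "ftp"}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
# "Ports:" entries are separated by ", "; split only where the next entry
# begins, so a version string containing a comma is not torn apart.
PORT_SPLIT_RE = re.compile(r",\s+(?=\d+/)")

def parse_grepable(report: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Return {ip: [(port, protocol, service), ...]} for open ports only."""
    hosts: Dict[str, List[Tuple[int, str, str]]] = {}
    for line in report.splitlines():
        if not line.startswith("Host:"):
            continue                      # skips '# Nmap ...' banner lines
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip = m.group(1)
        hosts.setdefault(ip, [])          # "Status: Up" lines register the host
        for fld in fields[1:]:
            if not fld.startswith("Ports:"):
                continue
            for entry in PORT_SPLIT_RE.split(fld[len("Ports:"):].strip()):
                parts = entry.split("/")
                if len(parts) < 5:
                    continue              # malformed entry; ignore
                port, state, proto, _owner, service = parts[:5]
                if state == "open":
                    hosts[ip].append((int(port), proto, service))
    return hosts

def flag_desktop_hosts(report: str) -> Dict[str, List[str]]:
    """Map each offending host to the forbidden services it exposes."""
    findings: Dict[str, List[str]] = {}
    for ip, ports in parse_grepable(report).items():
        bad = [f"{port}/{proto} ({service or FORBIDDEN_TCP_PORTS[port]})"
               for port, proto, service in ports
               if proto == "tcp" and port in FORBIDDEN_TCP_PORTS]
        if bad:
            findings[ip] = bad
    return findings

# Constructed report for a desktop subnet. One host looks like a normal
# Windows desktop; the other answers on 23 and 80 like an embedded device
# (a consumer AP plugged into a desk port would look exactly like this).
SAMPLE_REPORT = "\n".join([
    "# Nmap scan initiated (constructed sample) as: nmap -sV -oG desktops.gnmap 10.0.5.0/24",
    "Host: 10.0.5.12 (desk-12.corp.example)\tStatus: Up",
    "Host: 10.0.5.12 (desk-12.corp.example)\tPorts: 135/open/tcp//msrpc///, "
    "445/open/tcp//microsoft-ds///\tIgnored State: closed (998)",
    "Host: 10.0.5.77 ()\tStatus: Up",
    "Host: 10.0.5.77 ()\tPorts: 23/open/tcp//telnet//BusyBox telnetd/, "
    "80/open/tcp//http//lighttpd 1.4.31/, 8080/closed/tcp//http-proxy///"
    "\tIgnored State: filtered (997)",
    "# Nmap done (constructed sample): 256 IP addresses (2 hosts up)",
])

if __name__ == "__main__":
    for ip, services in flag_desktop_hosts(SAMPLE_REPORT).items():
        print(f"INVESTIGATE {ip}: {', '.join(services)}")
```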

Tools & Traps…

Nmap

Nmap (Network Mapper) is a free, open source utility for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on a network, what services (application name and version) those hosts are offering, what operating systems (and operating system versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available. For more information, visit http://insecure.org/nmap.


URL: https://www.sciencedirect.com/science/article/pii/B978159749139650011X

Recognition Strategies

Timothy J. Shimeall, Jonathan M. Spring, in Introduction to Information Security, 2014

Wireless IDPS

A wireless IDPS focuses on preventing abuse of the wireless access point and medium in the first place. According to the OSI model layers described in Chapter 11, a wireless IDPS only analyzes up to layer-2 data. Since this data is only useful in point-to-point communications, not end-to-end communications, a wireless IDPS must collect data from the wireless access points. This fact means that the sensor architecture needs to be distributed, unlike a NIDPS or NBA.

Wireless IDPSs monitor the radio waves for abuse or attacks on the wireless access points. They can also detect attempts to establish rogue access points for subversive communication. A wireless IDPS has its own radio antennae that it uses to scan the radio waves and issue commands to devices to correct abuse. The types of events that a wireless IDPS can detect include the following [1, p. 5–8]:

Unauthorized wireless local area networks (WLANs) and WLAN devices

Poorly secured WLAN devices

Unusual usage patterns

The use of wireless network scanners

DoS attacks and conditions (e.g., network interference)

Impersonation and middle-person attacks

Entities attacking a wireless device need to be physically close to the device, unlike most network attacks. Thus, the impact of these events differs from that of events detected by other IDSs. If an adversary can gain access via a wireless device, the adversary can often evade other defensive technologies, such as those described in Chapter 5. A wireless IDS is helpful in detecting attempts at such attacks.


URL: https://www.sciencedirect.com/science/article/pii/B9781597499699000122

Supporting an Attack with Technology

Richard Ackroyd, in Social Engineering Penetration Testing, 2014

Wireless dongles

Adding a wireless interface allows the flexibility to perform more attacks. First of all, it could be used to capture handshake packets, connect to corporate wireless, or host a rogue access point. Additionally, why not try just using it as a means of connecting back into the “dropbox” in the event that it loses its other modes of connectivity.

In terms of hardware, the Alfa dongles are usually a safe bet; however, it is worth noting that the older versions (such as the trusty Alfa AWUS036H) do not support Wireless-N. Just a reminder here: a Pi will probably not take too kindly to having to power itself and the wireless dongle. Use a powered hub for all peripherals.

It is more than likely that there will be a strong desire to have the Aircrack-ng suite installed on the Pi. It won’t be available from the repositories due to a conflict with iw, so it will need to be built from source. Luckily this isn’t very complicated.

Start by checking that the latest versions of “build-essential” and “libssl-dev” are installed and then commence downloading the Aircrack-ng package.

~ $ sudo apt-get install build-essential

~ $ sudo apt-get install libssl-dev

~ $ mkdir aircrack

~ $ cd aircrack

~ $ wget http://download.aircrack-ng.org/aircrack-ng-1.2-beta1.tar.gz

~/aircrack $ tar -zxvf aircrack-ng-1.2-beta1.tar.gz

Now it’s time to build the tools. Some of these steps may take a while!

~/aircrack $ cd aircrack-ng-1.2-beta1/

~/aircrack/aircrack-ng-1.2-beta1 $ make

~/aircrack/aircrack-ng-1.2-beta1 $ sudo make install

~/aircrack/aircrack-ng-1.2-beta1 $ sudo apt-get install iw

~ $ sudo airodump-ng-oui-update

Now let’s plug in the dongle and launch Airodump and see if everything is working!

~ $ sudo airmon-ng start wlan0

Interface       Chipset         Driver

wlan0           Atheros AR9271  ath9k - [phy0]
                                (monitor mode enabled on mon0)

~ $ sudo airodump-ng -w /home/pi/wirelesscap mon0

 CH  1 ][ Elapsed: 32 s ][ 2013-09-21 12:02

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 12:FE:F4:07:A1:E8  -61       60        0    0   6  54e. OPN              BTWiFi-with-FON
 02:FE:F4:07:A1:E8  -61       68        0    0   6  54e. OPN              BTWiFi
 6A:C6:1F:E8:84:2D  -70      125        0    0   1  54e  OPN              BTWiFi-with-FON
 10:C6:1F:E8:84:2B  -69      164        8    0   1  54e  WPA2 CCMP   PSK  BTHub3-P3HP
 6A:C6:1F:E8:84:2C  -67      168        0    0   1  54e  OPN              BTWiFi

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 00:FE:F4:07:A1:E8  B8:8D:12:3A:75:00  -60    0 - 1      0      19

The choices here could be to stick with this kind of attack, attempting to capture and crack handshakes, or to try and set up a rogue AP. The preferred choice would be to deploy a wireless Pineapple alongside the “dropbox” for this attack vector. This could route the Internet traffic into the Pi and out of its 3G interface if so required.


URL: https://www.sciencedirect.com/science/article/pii/B9780124201248000120

Network Security

Jason Andress, in The Basics of Information Security (Second Edition), 2014

Wireless

As we discussed earlier in the chapter, attackers accessing a wireless device can potentially bypass all our carefully planned security measures. Worse yet, if we do not take steps to ensure that unauthorized wireless devices, such as rogue access points, are not put in place on our network, we could be allowing a large hole in our network security and never know it.

We can use several tools to detect wireless devices. One of the best-known tools for detecting such devices is called Kismet, which runs on Linux and can be found on the Kali distribution. Kismet is commonly used to detect wireless access points and can find them even when attempts have been made to make doing so difficult. A similar piece of software, called NetStumbler, exists for Windows, although it does not have as full a feature set as Kismet.

In addition to detecting wireless devices, some tools can enable us to break through the different varieties of encryption that are in use on such networks. Many tools for such purposes exist, but a few of the more common ones for cracking WEP, WPA, and WPA2 include coWPAtty and Aircrack-NG.


URL: https://www.sciencedirect.com/science/article/pii/B9780128007440000105

Wardriving with Kismet and BackTrack

Frank Thornton, in Kismet Hacking, 2008

Publisher Summary

This chapter provides an explanation and demonstration of wardriving while using Kismet with BackTrack, a live Linux distribution. Wardriving is just one example of why one might want to use Kismet from a live CD. Other possibilities are rogue access point (AP) detection or graphical mapping of networks. BackTrack can be acquired by downloading it (directly or by torrent) and then burning it to CD. The downloaded BackTrack file is an ISO, or CD image file. To use it, one will need to burn the ISO to a CD using any of the many available CD burning programs. BackTrack can be booted by inserting the CD and restarting the computer. At the graphical boot menu, when the first option is selected, it boots into BackTrack using the KDE graphical desktop. By default, Kismet will save its log files to the location where Kismet is started. However, when booting a live CD, these files are only stored in a temporary RAM disk and will be gone when one powers off the system. In this case, one has two options: either copy the files to a thumb drive (or other device) before powering off, or better yet, start Kismet from the thumb drive so the files are automatically saved there. If Kismet is used to wardrive, a Global Positioning System (GPS) receiver becomes a necessity. To configure Kismet to use GPS, one first needs a GPS receiver that supports NMEA. Second, one would need to start GPSD and point it to the path of the GPS receiver. The chapter further explains how wardriving can be performed and how the data obtained from wardriving can be stored and managed.


URL: https://www.sciencedirect.com/science/article/pii/B9781597491174000101

WarDriving With Handheld Devices and Direction Finding

Chris Hurley, ... Brian Baker, in WarDriving and Wireless Penetration Testing, 2007

Summary

Handheld devices provide WarDrivers with a portable solution to identify wireless networks and capture packets. This can be very beneficial to a penetration tester when trying to collect packets without being detected. Additionally, handheld devices are perfect for direction finding and locating rogue access points or clients. Regardless of your preference, Windows or Linux, there is a handheld WarDriving solution that will meet your requirements.

The Sharp Zaurus is a very capable Linux-based handheld device that is perfect for WarDriving. Although Sharp has ceased selling the Zaurus in the United States, the open source community still provides updated software packages. The lack of commercial availability has actually provided an advantage to U.S. customers interested in purchasing a Zaurus. Since there is no longer official support for the devices from Sharp, you can get one on eBay for a fraction of the original sales price, making the Zaurus a very affordable WarDriving solution.

Support for Kismet is probably the best “selling point” for the Zaurus. With strong WiFi support included with both the factory ROM and the open source OpenZaurus ROM, configuring the Zaurus to use Kismet is easy. There is also a wide range of GPS support for the Zaurus, making it a snap to create maps of your WarDrives.


URL: https://www.sciencedirect.com/science/article/pii/B9781597491112500283

Finalizing the Installation

Thomas Norman CPP, PSP, CSC, in Integrated Security Systems Design (Second Edition), 2014

Radio Frequency Security

When a designer specifies a radio frequency (RF) infrastructure, there are two major security concerns. I call them the CNN factor and the Volkswagen Bus factor. No client wants video from its cameras showing up on CNN, and no client wants an 18-year-old sitting in an old Chevy Vega with a laptop computer attaching to the wireless network security system. Other concerns include the following:

Probing/network discovery

Denial of service (DoS) attacks

Surveillance

Impersonation (man-in-the-middle)

Client-to-client intrusion

Client-to-network intrusion

Rogue APs (access points) and ad hoc networks

Countermeasures

The following measures help secure RF infrastructures:

Probing/network discovery: Encrypt the SSID connection. There is little that a network designer can do to prevent probing and network discovery other than to turn off the SSID message. However, that does not prevent a determined hacker. I suggest using 802.11a or another less used frequency for backhaul traffic. The network cannot be probed if the hacker does not possess equipment that can see the network. Encrypting the SSID helps to prevent entry.

DoS attacks: DoS attacks can take several forms, but all of them are carried out with the intent to deny access to the appropriate user. A common DoS method is RF jamming.

RF jamming: RF jamming involves flooding the airwaves with 802.11 frequency energy. There is little that can be done about this. I recommend using either 802.11a or another less used frequency for backhaul (there is less equipment in use and, therefore, less chance of jamming).

Deauthentication attacks: In a deauthentication attack, the attacker floods the airwaves with spoofed MAC addresses. Eventually, the system loses track of what devices it is connected to and will try to search for another AP. There are several effective means to prevent this type of attack, including detection of MAC address spoofing. Other countermeasures can log the attempts and approximate the physical location of the attacker based on signal strength in proximity to his or her nearest wireless node.

Surveillance: Encrypt all data on the RF system using a strong encryption algorithm. This helps prevent your video from being illegally exported to other systems. I recommend the use of IPSec for this purpose.

Impersonation: Often, solving the surveillance problem also solves the impersonation problem. Another type of impersonation attack is the man-in-the-middle attack. This type of attack allows the hacker to add, delete, and modify data. An intrusion detection system can be effective in preventing man-in-the-middle attacks.

Client-to-client intrusion: Many designers make their servers nearly impervious to outside attacks but fail to protect client devices. Diligent maintenance of network authorizations can prevent this type of attack. I strongly recommend against allowing business user clients onto the security system wireless backbone, even if a VLAN is used.

Client-to-network intrusion: Multilayer security as described previously is effective in preventing this type of attack.

Rogue APs and ad hoc networks: Diligent network management can prevent a client from setting up a rogue access point.


URL: https://www.sciencedirect.com/science/article/pii/B9780128000229000188

FortiGate Hardware Overview

Kenneth Tam, ... Josh More, in UTM Security with Fortinet, 2013

Fortinet Product Portfolio

Besides the FortiGate UTM solutions and their related central management capabilities, Fortinet offers several other products. We’ll highlight the purpose and key points of each of these product offerings.

High-level overview of Fortinet’s service and other non-UTM product offerings:

FortiGuard

FortiGuard is Fortinet’s threat research and response service for the FortiGate UTM platforms and for most of the other offerings. The services offered here are primarily subscription based, providing signature updates for anti-virus, intrusion prevention, and application control, as well as direct access to real-time anti-spam reputation databases and web filtering URL categorization databases for the FortiGate UTM solution. The FortiGuard service is maintained and updated by security researchers around the world. Upon discovery of new threats, the resulting service signatures are synchronized with over two dozen global data centers, from which updates are distributed hourly to hundreds of thousands of Fortinet UTM devices. Besides actively tracking global threats and developing and maintaining security services for their UTM offerings, Fortinet security researchers also actively discover vulnerabilities. To see both current and historical discovered vulnerabilities, see the FortiGuard web site [3]. For further details on FortiGuard, please reference Chapter 6.

FortiCarrier

The FortiCarrier solution is an extension of the FortiGate solution. It leverages the same features as the current FortiGate FortiOS but adds features used in service provider infrastructures, such as a GTP firewall, secure MMS (Multimedia Messaging Service), and IMS SIP signaling firewall capabilities. As of FortiOS 4.0 MR3, all of the SIP-related features in FortiCarrier were ported over to FortiOS, leaving the GTP and MMS features as the main differences for the FortiCarrier product line. The FortiCarrier platforms are limited to the FortiCarrier 3810A, 3950B, and the 5000 series system products with the FortiCarrier 5001A-DW and 5001B blades. For further details on the FortiCarrier products visit: http://www.fortinet.com/products/forticarrier/.

FortiBridge

FortiBridge is a standalone product used in conjunction with the FortiGate UTM platforms to provide a bypass path when the UTM solution goes offline. The FortiBridge bypass capability automatically bridges traffic around an inline FortiGate UTM in the event of a power outage or a system fault. There are three versions of this product:

FortiBridge-2002: Provides two segment bypass protection with 8 × 10/100/1000 copper interfaces.

FortiBridge-2002F: Provides two segment bypass protection with 4 × GbE SFP (fiber or copper) and 4 × GbE fiber interfaces.

FortiBridge-2002X: Provides two segment bypass protection with 4 × 10 GbE SFP+ and 4 × 10 GbE LC Fiber interfaces.

Because this is an external bypass solution, it only works with a FortiGate UTM solution deployed in transparent (layer 2) mode. It can be a cheaper network redundancy alternative than purchasing another FortiGate device for a high availability configuration. The downsides are the transparent mode requirement (typical of any bypass solution on the market) and the fact that while the FortiGate UTM solution is offline and the FortiBridge is in bypass mode, no security enforcement is in place: traffic bypasses the inspections the FortiGate would normally perform. For further details on the FortiBridge products visit: http://www.fortinet.com/products/fortibridge/.

FortiAP

FortiAP is an 802.11x wireless access point (AP) offering. As of this writing there are three commercial grade FortiAP models offered by Fortinet: FortiAP-210B, FortiAP-220B, and FortiAP-222B. All three models support the 802.11a/b/g/n standards and operate on both the 2.4 GHz b/g/n and 5 GHz a/n spectrums. The 210B has a single radio, whereas the other two have two radios. The 222B can be used outdoors, unlike the other two models, which are indoor only. Each radio supports multiple wireless clients, with the ability to span multiple wireless network segments, each with its own SSID and different access rights. Having multiple radios in a single FortiAP provides options for dedicating certain wireless frequency spectrums to specific uses. A radio can also be dedicated to wireless rogue AP (Access Point) detection. Rogue detection provides another layer of defense by detecting unauthorized access points being used in your network environment. In addition, on-wire rogue AP detection is possible: the rogue AP MAC address detected by the dedicated radio is correlated with the MAC entries the FortiGate wireless controller sees from potential wireless clients using the rogue AP on the network. If a rogue AP is detected on your physically connected network (on-wire), the FortiGate has the ability to suppress and block network activity coming from the discovered rogue AP. These APs are used in conjunction with the FortiGate UTM solution acting as a wireless controller for the AP and providing fast roaming between FortiAPs. The wireless controller function is included in almost all FortiGate models (check the datasheet to confirm support). With the FortiGate providing the wireless controller functionality, a secure wireless infrastructure additionally benefits from all of the UTM features the FortiGate offers. The FortiGate built-in wireless controller feature is covered in further detail in Chapter 7 of this book.
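The rogue-detection flow in this passage, and the one in the Vista excerpt above under "Sniffers and WIDS" and "Central Management and Detection", comes down to the same logic, shown here as an added Python example that is neither FortiGate code nor code from either book: observed BSSIDs are checked against an authorized-AP inventory, a corporate SSID on an unknown BSSID is labelled an evil twin, and an unknown AP is confirmed on-wire when its own MAC or one of its associated clients appears in the wired MAC tables. All inventories and observations are constructed.

```python
"""Rogue AP triage with on-wire correlation.

Added example; not FortiGate code or code from the books excerpted on this
page. Inputs a WIDS or a dedicated scanning radio would supply (BSSID,
SSID, encryption, associated stations) are compared against an
authorized-AP inventory, and unknown APs are confirmed "on-wire" when their
own MAC or one of their clients' MACs is present in the wired MAC tables
(switch CAM tables or the wireless controller's view of the wire).
All data below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

def norm_mac(mac: str) -> str:
    """Canonical lowercase colon form; accepts 'AA-BB-..' and 'aabb.ccdd.eeff'."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

@dataclass
class SeenAP:
    """One BSSID observed over the air (airodump-ng-style fields)."""
    bssid: str
    essid: str
    encryption: str                                    # e.g. "OPN", "WPA2"
    stations: List[str] = field(default_factory=list)  # associated client MACs

@dataclass
class Verdict:
    category: str        # authorized | ssid-mismatch | evil-twin | unknown-ap
    on_wire: List[str]   # MACs tying this AP to the wired network (empty = neighbour)
    note: str = ""

def classify_aps(seen: Iterable[SeenAP], authorized: Dict[str, str],
                 corporate_essids: Iterable[str],
                 wired_macs: Iterable[str]) -> Dict[str, Verdict]:
    wired = {norm_mac(m) for m in wired_macs}
    inventory = {norm_mac(b): e for b, e in authorized.items()}
    corp = set(corporate_essids)
    verdicts: Dict[str, Verdict] = {}
    for ap in seen:
        bssid = norm_mac(ap.bssid)
        if bssid in inventory:
            if inventory[bssid] == ap.essid:
                verdicts[bssid] = Verdict("authorized", [])
            else:   # managed AP, but not broadcasting the SSID we configured
                verdicts[bssid] = Verdict("ssid-mismatch", [],
                                          f"expected {inventory[bssid]!r}, saw {ap.essid!r}")
            continue
        # Unknown BSSID: a corporate SSID here is an evil twin. Either way the
        # wired footprint decides whether it is our problem or a neighbour's.
        on_wire = [bssid] if bssid in wired else []
        on_wire += [s for s in map(norm_mac, ap.stations) if s in wired]
        category = "evil-twin" if ap.essid in corp else "unknown-ap"
        note = "open network" if ap.encryption == "OPN" else ""
        verdicts[bssid] = Verdict(category, on_wire, note)
    return verdicts

def containment_candidates(verdicts: Dict[str, Verdict]) -> List[str]:
    """Unknown APs with a wired footprint: the ones worth blocking at the switch."""
    return sorted(b for b, v in verdicts.items()
                  if v.category in ("evil-twin", "unknown-ap") and v.on_wire)

# Constructed data -----------------------------------------------------------
AUTHORIZED_APS = {"00:11:22:AA:BB:01": "CORP", "00:11:22:AA:BB:02": "CORP-Guest"}
CORPORATE_ESSIDS = {"CORP", "CORP-Guest"}
WIRED_MACS = ["c8:3d:d4:11:22:33",   # a laptop seen on an access-switch port
              "02-AA-BB-CC-DD-EE",   # a consumer AP's own MAC on a desk port
              "00:11:22:aa:bb:01", "00:11:22:aa:bb:02"]
SEEN = [
    SeenAP("00:11:22:AA:BB:01", "CORP", "WPA2"),
    SeenAP("00:11:22:aa:bb:02", "CORP", "WPA2"),               # should be CORP-Guest
    SeenAP("de:ad:be:ef:00:01", "CORP", "OPN", ["C8:3D:D4:11:22:33"]),
    SeenAP("66:77:88:99:aa:bb", "BTHub-Neighbour", "WPA2", ["aa:bb:cc:dd:ee:ff"]),
    SeenAP("02:aa:bb:cc:dd:ee", "FreeWifi", "OPN"),
]

if __name__ == "__main__":
    result = classify_aps(SEEN, AUTHORIZED_APS, CORPORATE_ESSIDS, WIRED_MACS)
    for bssid, v in result.items():
        print(f"{bssid}  {v.category:<13} on-wire={v.on_wire or '-'} {v.note}")
    print("contain:", containment_candidates(result))
```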

FortiToken

FortiToken provides a two-factor authentication solution for use with FortiGate platform administrative access, IPSec VPN, SSL VPN, and Identity Policy Authentication. It provides another layer of security with a one-time password (OTP) capability used in conjunction with an existing single-factor authentication method, such as a static password. The seeding of the OTP is managed by Fortinet’s FortiGuard Center as a cloud-based repository. The FortiToken can also be used as a standalone external authentication method in conjunction with the FortiAuthenticator product (see the description of this product below). Further details on this product will be covered in Chapter 5.

FortiAuthenticator

FortiAuthenticator is a user-based identity management solution, used for user authentication, two-factor authentication with FortiToken, and identity verification for network access. User authentication credentials use a built-in standards-based RADIUS or LDAP server configuration. It may also be integrated with third-party authentication servers such as Microsoft Active Directory by using LDAP. For further details on the FortiAuthenticator product visit: http://www.fortinet.com/products/fortiauthenticator/.

FortiMail

FortiMail is a comprehensive messaging security solution. It provides Anti-Virus, Anti-Spam, Data Loss Prevention, and Identity-Based Encryption for email. The product can operate in Gateway (MTA) mode, in Transparent mode, or as a full email server. As of this writing there are four appliance models (FortiMail 200D, 400C, 2000B, 3000C), a chassis blade (5002B) version, and a Virtual Machine (VM) version. For further details on the FortiMail product visit: http://www.fortinet.com/products/fortimail/

FortiWeb

FortiWeb is a WAF (Web Application Firewall) used to protect, load balance, and accelerate content to and from web server(s). As a WAF, it protects web applications and related database content by mitigating common threats such as cross-site scripting, buffer overflows, denial of service, SQL injection, and cookie poisoning. It addresses the OWASP Top 10 web application vulnerabilities. FortiWeb also provides server load balancing, content-based routing, data compression, and SSL acceleration. The product is ICSA Labs certified and also provides a built-in vulnerability scanner module that helps with PCI DSS compliance requirement 6.6. As of this writing there are three appliance models (FortiWeb 400C, 1000C, 3000C) and also a Virtual Machine (VM) version. For further details on the FortiWeb product visit: http://www.fortinet.com/products/fortiweb/.

FortiScan

FortiScan is a vulnerability management solution which provides central network-level and OS-level vulnerability scanning of devices throughout the network. In addition, it provides patch and remediation management, asset management, and compliance reporting capabilities aligned with regulatory requirements and best practices such as FDCC, NIST SCAP, SOX, GLBA, HIPAA, PCI DSS, FISMA, and ISO 17799. For further details on the FortiScan product visit: http://www.fortinet.com/products/fortiscan/.

FortiDB

FortiDB is a database security and compliance product which provides a central management view of policy compliance and vulnerability management for databases. It supports the majority of commercial databases, such as Oracle, MS SQL Server, Sybase, and DB2. As of this writing the product comes in three models (FortiDB-400B, 1000C, and 2000B) and also in a Virtual Machine (VM) version. The main difference between the FortiDB models is the licensing structure each model supports, which is based on the number of database instances the product covers. For further details on the FortiDB product visit: http://www.fortinet.com/products/fortidb/.

FortiBalancer

FortiBalancer is an application delivery controller. It provides Layer 2 through Layer 7 load-balancing capabilities. In addition, it provides built-in caching supporting HTTP 1.1, in-line HTTP compression, TCP connection multiplexing, TCP acceleration, IPv6 support, and SSL offloading/acceleration. The product can be deployed in proxy or transparent mode. As of this writing there are three versions of the FortiBalancer (FortiBalancer-400, 1000, and 2000). For further details on the FortiBalancer products visit: http://www.fortinet.com/products/fortibalancer/.

FortiClient

FortiClient is a software-based endpoint security client providing various security features for enterprise and mobile devices. As of this writing there are four versions of the client, offering various features for several different OS platforms and mobile devices. The versions of FortiClient and their supported features are:

FortiClient (standard)—Provides IPSec & SSL VPN, two-factor authentication support, WAN Optimization, and Application detection & enforcement, along with Policy compliance enforcement when used with FortiGate UTM devices.

FortiClient Premium—Provides all of the above features and adds Anti-Virus, Anti-Spam, Application-based firewall, and Web Filtering.

FortiClient Lite—A free edition that only provides Anti-virus/spyware functionality.

All versions of FortiClient are supported on most Windows versions, 32-bit or 64-bit. At this time, only the standard FortiClient is supported on OS X.

Fortinet also offers a standalone SSL VPN client for tunnel mode usage to a FortiGate solution. This standalone SSL VPN client can be installed separately at no additional cost, although access to it on the Fortinet support website requires a valid FortiCare support contract login. This endpoint SSL VPN client supports Linux and Mac OS in addition to Windows.

For further details on the FortiClient products visit: http://www.fortinet.com/products/endpoint/ or http://www.forticlient.com.


URL: https://www.sciencedirect.com/science/article/pii/B9781597497473000028

Looking Ahead: Cisco Wireless Security

Eric Knipp, ... Edgar Danielyan (Technical Editor), in Managing Cisco Network Security (Second Edition), 2002

Network Hijacking and Modification

Numerous techniques are available for an attacker to “hijack” a wireless network or session. And unlike some attacks, network and security administrators may be unable to tell the difference between the hijacker and a legitimate passenger.

Defining Hijacking

Many tools are available to the network hijacker. These tools exploit basic implementation issues present in almost every network device available today. As TCP/IP packets pass through switches, routers, and APs, each device looks at the destination IP address and compares it with the IP addresses it knows to be local. If the address is not in its table, the device hands the packet off to its default gateway.

This table is used to map each IP address to the MAC address that is local to the device. In many situations, the list is dynamic: it is built up from traffic passing through the device and from Address Resolution Protocol (ARP) notifications sent by new devices joining the network. There is no authentication or verification that a request received by the device is valid. A malicious user is therefore able to send messages to routing devices and APs stating that their MAC address is associated with a known IP address. From then on, all traffic that passes through that router destined for the hijacked IP address will be handed off to the hacker's machine.

If the attacker spoofs the default gateway or a specific host on the network, all machines trying to reach the network or the spoofed machine will connect to the attacker's machine instead of their intended destination. If the attacker is clever, he will use this only to harvest passwords and other necessary information and route the rest of the traffic on to the intended recipient. This way the end user has no idea that this “man-in-the-middle” has intercepted her communications and compromised her passwords and information.

Another clever attack is possible through the use of rogue APs. If the attacker is able to put together an AP with a strong enough signal, end users may not be able to tell which AP is the real one to use; in fact, most will not even know that another is available. Using this, the attacker is able to receive authentication requests and information from the end workstation regarding the secret key and where it is attempting to connect.

These rogue APs can also be used to attempt to break into more tightly configured wireless APs. Utilizing tools such as AirSnort and WEPCrack requires a large amount of captured data to be able to recover the secret key. A hacker sitting in a car in front of your house or office is easily identified and will generally not have enough time to acquire enough information to break the key. However, if they install a tiny, easily hidden machine, that machine could sit there long enough to break the key and possibly act as an external AP into the wireless network it has compromised.

Sample Hijacking Tools

Attackers who wish to spoof more than their MAC addresses have several tools available. Most of the tools are for use under a UNIX environment and can be found through a simple search for “ARP Spoof” at http://packetstormsecurity.com. With these tools, the hacker can easily trick all machines on your wireless network into thinking that the hacker's machine is another machine. Through simple sniffing on the network, an attacker can determine which machines are heavily used by the workstations on the network. If they then spoof themselves as one of these machines, they could intercept much of the legitimate traffic on the network.

AirSnort and WEPCrack are freely available. While it would take additional resources to build a rogue AP, these tools will run from any Linux machine.

Hijacking Case Scenario

Now that the attacker has identified the network to be attacked and spoofed a MAC address to become a valid member of the network, further information becomes available that simple sniffing cannot provide. If the network being attacked uses SSH to access its hosts, simply stealing a password might be easier than attempting to break into the host using whatever exploit might be available.

By ARP spoofing so that the AP associates the attacker's machine with the address of the host whose passwords they wish to steal, all wireless users attempting to SSH into that host will instead connect to the rogue machine. When they attempt to sign on with their password, the attacker is able to, first, receive the password and, second, pass the connection on to the real destination. If the attacker skips the second step, the likelihood that the attack will be noticed increases, because users will begin to complain that they are unable to connect to the host.

Protection against Network Hijacking and Modification

You can use several different tools to protect your network from IP spoofing with invalid ARP requests. These tools, such as arpwatch, notify an administrator when new or changed MAC/IP pairings are seen in ARP traffic, allowing the administrator to take appropriate action to determine whether someone is indeed attempting to hack into the network.

Another option is to statically define the MAC/IP address mappings. This prevents the attacker from being able to redefine this information. However, because of the management overhead of statically defining every network adaptor's MAC address on every router and AP, this solution is rarely implemented. In fact, many APs do not offer any option to define the ARP table at all, so it would depend on the switch or firewall you are using to separate your wireless network from your wired network.
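The two protections just described, combined in one working example (added here, not code from the book): an arpwatch-style monitor that parses raw Ethernet/ARP frames, learns IP-to-MAC pairings and reports when one changes, plus a pinned (static) table for critical hosts such as the default gateway. The addresses and frames are constructed for the demo; 192.0.2.0/24 is the documentation range, and the MAC addresses are made up.

```python
# Added example (not the book's code): an arpwatch-style monitor that parses raw
# Ethernet/ARP frames, learns IP -> MAC pairings, reports changed pairings, and
# checks pinned (static) entries such as the default gateway. All addresses and
# frames below are constructed for the demo.
import struct

def parse_arp(frame):
    """(opcode, sender_mac, sender_ip) from an Ethernet II ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    ip = ".".join(str(b) for b in frame[28:32])
    return op, mac, ip

def build_arp(op, sender_mac, sender_ip, target_ip="0.0.0.0"):
    """Constructed test frame: broadcast Ethernet header + 28-byte ARP body."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    a = lambda s: bytes(int(x) for x in s.split("."))
    eth = m("ff:ff:ff:ff:ff:ff") + m(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + m(sender_mac) + a(sender_ip)
    return eth + arp + m("00:00:00:00:00:00") + a(target_ip)

class ArpMonitor:
    """Alerts are (kind, ip, expected_or_old_mac, observed_mac) tuples."""
    def __init__(self, pinned=None):
        self.table = {}                   # learned ip -> mac
        self.pinned = dict(pinned or {})  # statically defined ip -> mac
    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] not in (1, 2):  # requests and replies both populate caches
            return None
        _, mac, ip = parsed
        if ip in self.pinned and self.pinned[ip] != mac:
            return ("pinned-mismatch", ip, self.pinned[ip], mac)
        old = self.table.setdefault(ip, mac)
        if old != mac:
            self.table[ip] = mac          # follow the new claim, as arpwatch does
            return ("changed", ip, old, mac)
        return None

def run_demo():
    gw = "192.0.2.1"
    mon = ArpMonitor(pinned={gw: "00:11:22:33:44:01"})
    frames = [build_arp(2, "00:11:22:33:44:01", gw),           # legitimate gateway reply
              build_arp(2, "00:11:22:33:44:10", "192.0.2.10"), # host learned, no alert
              build_arp(2, "de:ad:be:ef:00:01", "192.0.2.10"), # same IP, new MAC
              build_arp(1, "de:ad:be:ef:00:01", gw),           # spoofed claim of gateway
              b"\x00" * 60]                                    # non-ARP frame ignored
    return [a for a in map(mon.observe, frames) if a]
```

On a live network the frames would come from a raw socket or a pcap reader rather than `build_arp`; the pinned table is the in-software equivalent of the static MAC/IP definitions the text describes.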

There is no way to identify or prevent passive attacks, such as those using AirSnort or WEPCrack, that determine the secret key used in an encrypted wireless network. The best protection available is to change the secret key on a regular basis and to add authentication mechanisms such as RADIUS or dynamic firewalls that restrict access to your wired network once a user has connected to the wireless network. However, if you have not properly secured every wireless workstation, an attacker need only go after one of the other wireless clients to gain access to the resources available to it.