WISDOM Advanced Security Measures

Oct 14,2007 00:00 by admin

WISDOM Advanced Security Measures

WISDOM Advanced Security is designed for high-level security WLANs in a converged network that are subject to regulations or legal security requirements such as the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (U.S. Department of Health and Human Services, 2002) for health care systems, and the Gramm-Leach-Bliley Act (GLBA) of 1999 (U.S. Federal Trade Commission, 2002) for financial data, sensitive and secure government systems, or those systems involved in financial transactions. WISDOM Advanced Security also requires that the WLAN security management considerations and those required for WISDOM Intermediate Security described earlier be implemented as part of its layered approach. WISDOM Advanced Security uses an Internet Protocol Security (IPSec) VPN design to provide high-security risk mitigation for Option Three.

Because of its widespread use and popularity on wired networks, IPSec is frequently recommended in the literature as a solution for overcoming the inadequate standards-based security mechanism built into 802.11 in wireless networks. Another option, the Point-to-Point Tunneling Protocol (PPTP), is popular in some Microsoft-dominated networks because it is built into many Microsoft products. IPSec is generally recommended over PPTP for VPN because IPSec is much more resilient in temperamental networking environments such as wireless. Also, because IPSec encrypts and authenticates traffic as needed, the overhead on the network is noticeably less than it is with PPTP, which also makes it possible to temporarily lose your wireless connection and come back without dropping your VPN connection. IPSec has many desirable built-in features, such as integrity checking, mutual authentication, and antireplay. Using a VPN appliance or firewall with IPSec-enabled WLAN clients does not require you to use only a single vendor's equipment, as does LEAP and some 802.1x implementations.

IPSec has a few drawbacks in performance and cost that make the risk-benefit most applicable for use in Option Three. IPSec on the WLAN environment prevents roaming, which means that a user will not be able to seamlessly move about from one access point to another. IPSec requires the use of additional equipment, software, administrative management, and training. IPSec VPNs require some overhead in each packet, but this is very small compared to other VPN protocols such as PPTP. In addition, as a VPN protocol, it only supports unicast traffic, so applications that use only broadcast or multicast may not work correctly.

WISDOM Advanced Security uses a VPN appliance that allows limited Internet access for WLAN users, but requires an IPSec VPN connection before allowing entrance to the wired network. A VPN requires a VPN switch, also called a VPN gateway, that can be accessed from the Internet. Restricting unnecessary or redundant protocols from the LAN segments that connect the APs to the VPN gateway reduces the possibility of unidentified holes and vulnerabilities. The LAN segments that connect to wireless APs should connect to a corporate VPN gateway, but not directly to the production network. Eliminating APs from the production network minimizes the risk of attack techniques such as packet sniffing. This option also assumes that a WLAN security policy is in place.

IPSec is a framework of open standards for ensuring secure private communications over IP networks. IPSec VPNs use the services defined within IPSec to ensure the confidentiality, integrity, and authenticity of data communications across public networks, such as the Internet. IPSec also has a practical application to secure WLANs by overlaying IPSec on top of cleartext 802.11 wireless traffic. When IPSec is deployed in a WLAN environment, an IPSec client is placed on every PC connected to the wireless network, and the user is required to establish an IPSec tunnel to route any traffic to the wired network. Filters are put in place to prevent any wireless traffic from reaching a destination other than the VPN gateway and DHCP/DNS server. IPSec provides for confidentiality of IP traffic, as well as authentication and antireplay capabilities. Confidentiality is achieved through encryption using a variant of the Data Encryption Standard (DES) called Triple DES (3DES). Although IPSec is used primarily for data confidentiality, extensions to the standard allow for user authentication and authorization to occur as part of the IPSec process. This scenario offers a potential solution to the user differentiation problem with WLANs.

IPSec provides numerous security features. The following have configurable values for the administrator to define their behavior: data encryption, device authentication and credentialing, data integrity, address hiding, and Security-Association (SA) key aging. The IPSec standard requires use of either data integrity or data encryption; using both is optional. WISDOM Option Three will use both encryption and integrity. Data encryption will be set for 3DES. Data integrity comes in two types: 128-bit-strength Message Digest 5 (MD5)-HMAC or 160-bit-strength Secure Hash Algorithm (SHA)-HMAC. Because the bit strength of SHA is greater, it is considered more secure, and it will be used in this design. A session key's strength is proportional to the number of binary bits comprising the session key file. This means that session keys with a greater number of bits have a greater degree of security and are considerably more difficult to forcibly decode.

WISDOM Advanced Security uses IPSec VPN(s) as an overlay security mechanism to access the production network from a WLAN. The WLAN APs will connect to Layer 2 (OSI Model) switches and forward traffic from the WLAN to the wired LAN using IPSec to protect the data until it reaches the wired network. WEP will not be enabled in this design. The WLAN is considered an untrusted network, suitable only as a transit network for IPSec traffic. The WLAN clients associate with a wireless AP to establish connectivity to the wired network at Layer 2. The wireless clients then use DHCP and DNS services in the server module to establish connectivity to the wired network at Layer 3. When the wireless client is communicating with the wired network, but before the IPSec tunnel is established, the client traffic is not considered secure. All of the noted WLAN security issues are still present until the wireless client can secure communications with an IPSec VPN. In addition to the implementation of Option One security requirements, the following will be implemented to mitigate remaining WLAN vulnerabilities:

Personal firewall software is included on the wireless client to protect the client while it is connected to the untrusted WLAN network without the protection of IPSec.
In general terms, the VPN gateway delineates between the trusted wired network and the untrusted WLAN. The wireless client establishes a VPN connection to the VPN gateway to start secure communications to the corporate network. In the process of doing so, the VPN gateway provides device and user authentication via the IPSec VPN. Even with this filtering, the DNS and DHCP servers are still open to direct attack on the application protocols. Extra care will be taken to ensure that these systems are as secure as possible at the host level. This will include up-to-date OS and application patches and a Host-based Intrusion Detection System (HIDS).

The VPN gateway can use digital certificates or preshared public keys for wireless device authentication. The VPN gateway then takes advantage of One-Time Passwords (OTPs) to authenticate users to it. Without OTPs, the VPN gateways are vulnerable to brute force login attempts by hackers who have obtained the shared IPSec key used by the VPN gateway. The VPN gateway takes advantage of RADIUS services, which in turn contact the OTP server for user authentication. The VPN gateway uses DHCP for IP address configuration in order for the WLAN client to communicate through the VPN tunnel. Security in this configuration is maintained by preventing network access if a VPN gateway or RADIUS service fails. Both services are required in order for the client to reach the wired network with production traffic. In remote-access VPNs, user authentication and device authentication occurs. When the remote device is authenticated, some level of access control should be in place to permit only the traffic over the tunnel that should be there. Device authentication uses either a preshared key or valid digital certificate issued from a recognized CA to provide the identity of a device. Digital certificates scale better than unique preshared public key pairs because they allow any device to authenticate to any other device but do not have the security properties of wildcard keys.

A message digest is the representation of text in the form of a single string of digits, created using a formula called a one-way hash function. Encrypting a message digest with a private key creates a digital signature, which is an electronic means of authentication. A one-way hash is an algorithm that turns messages or text into a fixed string of digits, usually for security or data management purposes. The "one way" means that it is nearly impossible to derive the original text from the string. A one-way hash function is used to create digital signatures, which in turn identify and authenticate the sender and message of a digitally distributed message.

Digital certificates are not tied to IP addresses, but to unique, signed information on the device that is validated by the enterprise's CA. If a hacker compromises or steals a device with a digital certificate, the administrator will revoke the digital certificate and notify all other devices by publishing a new Certificate Revocation List (CRL). The CRL contains a CA-signed list of revoked certificates. When a device receives a request for tunnel establishment and uses a digital certificate for proof of identity, the device checks the peer certificate against the CRL. Much of the information required to manage certificates can be stored in a Lightweight Directory Access Protocol (LDAP)-compliant directory. LDAP can also contain CRL information.

LDAP, which is used for accessing directory services, provides even greater flexibility for managing certificates. The CA can use LDAP directory information as a means to issue certificates individually or in batches, depending on the security policies of the organization. Other routine management tasks, such as key management and renewing and revoking certificates, can be partially or fully automated with the aid of the directory. Devices generating digital certificates or validating received certificates during tunnel authentication and establishment must know the correct time of day (preferably Coordinated Universal Time [UTC]). This is more than just expiration, it is a frame in which the certificate is valid—not before, not after. Time is also used to determine when the CRL expires so that a new one can be retrieved. Although checking CRLs can be configured as optional, it should always be enabled on remote and head-end devices when digital certificates are deployed. This is the only revocation scheme for digital certificates compared to preshared key pairs that are simply removed from the uncompromised devices.

After the device and user authentications (if applicable) are complete, IPSec access control occurs. Normally, the networks, hosts, and ports that are allowed to traverse the tunnels are defined in the Security Policy Database (SPD), as defined by the IPSec protocol (IETF, 2003). This database is populated by the use of ACLs, which are sometimes referred to as "crypto ACLs" or "network rules." For remote-access traffic filtering, access control occurs dynamically by loading the per-user granular authorization information when the user successfully authenticates via extended authentication (XAUTH).

WISDOM Advanced Security also provides internal users with connectivity to Internet services and Internet users with access to information on the public servers (e.g., Hypertext Transfer Protocol [HTTP], FTP, Simple Mail Transfer Protocol [SMTP], and DNS). Additionally, this design will terminate VPN traffic from remote users and remote sites as well as traffic from traditional dial-in users. The 10 WISDOM Advanced Security vulnerability, threat, and mitigation elements are described in Table 12.3. The WISDOM Advanced Security topology is shown in Figure 12.3. Key design features and components for WISDOM Advanced Security are as follows:

VPN gateway. This authenticates individual remote users and terminates their IPSec VPN tunnels.
Remote-access VPN client with personal firewall software. This software client provides end-to-end encrypted tunnels between individual PCs and the corporate wireless VPN gateways; personal firewall software provides device-level protection for individual PCs.
VPN firewall. This provides network-level protection of resources and stateful filtering of traffic and differentiated security for remote-access users; it authenticates trusted remote sites and provides connectivity using IPSec tunnels.
VPN concentrator. This authenticates individual remote users and terminates their IPSec tunnels.

NIDS appliance. This provides Layer 4–to–Layer 7 monitoring of essential network segments in the module.

DHCP server. This delivers IP configuration information for wireless VPN clients before and after VPN establishment.

Figure 12.3: WISDOM Advanced Security topology.

Table 12.3: WISDOM Advanced Security Elements
Vulnerability	Threat	Mitigation
*Client's WLAN without IPSec protection.* IPSec renders most of the commonly used attack methods completely ineffective. It does this by providing confidentiality, integrity, and authentication of traffic.	A client's system can be vulnerable to attack when it is connected to the untrusted WLAN network without the protection of IPSec.	Include personal firewall software on the wireless client to protect the client while it is connected to the untrusted WLAN network without the protection of IPSec.
*DNS and DHCP server application protocols.* These protocols are not protected by the VPN IPSec solution and will require supplementary host security best-practice implementation and third-party software to mitigate the risk of attack against the server(s).	In general terms, the VPN gateway delineates between the trusted wired network and the untrusted WLAN. The wireless client establishes a VPN connection to the VPN gateway to start secure communication to the corporate network. In the process of doing so, the VPN gateway provides device and user authentication via the IPSec VPN. This filtering does not protect the application protocols on the DNS and DHCP servers and therefore leaves them open to direct attack. Extra care must be taken to ensure that these systems are as secure as possible at the host level.	Implement host-level security to include updating and maintenance of the latest OS and application patches and the use of a host-based intrusion detection system (HIDS).
*Wireless packet sniffers against WLAN clients.* The effort needed for intruders to penetrate a wireless network is now being lessened with the release of several wireless sniffer software applications that allow intruders to passively collect data for real-time or later analysis. Such analysis can lead to the compromise of the network. AirSNORT is an application that utilizes known WEP flaws to extract the WEP key and allow unauthorized network access. NetStumbler is a full-featured wireless sniffer that logs an extensive array of information about any wireless network it happens to encounter: the MAC address of the access point, the network name, SSID, manufacturer, channel in use, signal strength, and whether WEP is enabled, to name a few. An intruder looking to attack a target wireless network can use all of this information.	Wireless packet sniffers can take advantage of any of the known WEP attacks to derive the encryption key and other information valuable for preattack reconnaissance.	Use IPSec encryption of wireless client traffic.
*Man-in-the-middle attacks.* A man-in-the-middle attack security breach is when a malicious user intercepts, and possibly alters, data traveling along a network. Security auditing tools such as dsniff, sshmitm, and webmitm are capable of performing active man-in-the-middle attacks against encrypted SSH and HTTPS traffic. A rogue access point can utilize this default behavior to compel clients to connect to a node performing active man-in-the-middle attacks against sensitive traffic.	WLANs are susceptible to man-in-the-middle attacks. The man-in-the-middle or TCP hijacking attack is a well-known attack where an attacker sniffs packets from a network, modifies them, and inserts them back into the network. There are a few programs/ source codes available for doing a TCP hijack. TCP hijacking is an exploit that targets the victim's TCP-based applications such as Telnet, rlogin, ftp, mail application, Web browser, etc. An attacker can grab unencrypted confidential information from a victim's network-based TCP application and can further degrade the authenticity and integrity of the data.	Use IPSec encryption of wireless client traffic.
*DHCP IP configuration protocol spoofing.*	By spoofing the client's packet exchange, a DHCP server will give all of the available leases to a spoofed MAC address, thus causing a denial of service. Any machine wishing to join the network after the attack would not be allocated an IP address because the whole of the DHCP range will have been either allocated to valid interfaces (i.e., interfaces already joined to the network before the attack took place) or spoofed MAC addresses. Any interface already joined to the network would not notice the effect of the attack because it has already been assigned an IP address, but interfaces without an IP address would not be able to join the network because the DHCP server will have no available IP addresses. A rogue DHCP server could also be set up by a hacker. The DHCP protocol can aid a hacker to redirect traffic through his or her machine (man-in-the-middle attack) or to send users to false Web pages (via a rogue DNS server). This could occur because a DHCP server can set various options, such as what IP address to use for the default gateway and what DNS servers to use.	Allow only the known protocols for initial IP configuration (DHCP) and VPN access (DNS, Internet Key Exchange [IKE], and Encapsulating Security Payload [ESP]) from the WLAN to the wired network through filtering at the AP and Layer 3 switch. Enforce authorization policies on the VPN gateway for individual user groups.
*IP spoofing.* The attack is based on the fact that Internet communication between distant computers is routinely handled by routers, which find the best route by examining the destination address, but generally ignore the origination address. The origination address is only used by the destination machine when it responds to the source. In a spoofing attack, the intruder sends messages to a computer indicating that the message has come from a trusted system. To be successful, the intruder must first determine the IP address of a trusted system and then modify the packet headers so that it appears as if the packets are coming from the trusted system. The attacker is fooling (spoofing) the distant computer into believing that he or she is a legitimate member of the network. The goal of the attack is to establish a connection that will allow the attacker to gain root access to the host, allowing the creation of a backdoor entry path into the target system.	WLANs are susceptible to IP spoofing. A hacker can use IP spoofing to gain unauthorized access to the network and computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a trusted host and then modify the packet headers so that it appears as if the packets are coming from that host.	Implement IPSec. Hackers can spoof traffic on an unprotected WLAN, but only valid, authenticated IPSec packets will ever reach the production wired network. An effective measure against IP spoofing is the use of a VPN protocol such as IPSec. This methodology involves encryption of the data in the packet as well as the source address. The VPN software, or firmware, decrypts the packet and the source address and performs a checksum. If either the data or the source address have been tampered with, the packet will be dropped. Without access to the encryption keys, a potential intruder would be unable to penetrate the firewall.
*ARP spoofing.* ARP spoofing is a method of exploiting the interaction of IP and Ethernet protocols. It is only applicable to Ethernet networks supporting IP. ARP spoofing involves constructing forged ARP replies. By sending forged ARP replies, a target computer could be convinced to send frames destined for computer A to go instead to computer B. When it is done properly, computer A will have no idea that this redirection took place. The process of updating a target computer's ARP cache with a forged entry is referred to as "poisoning."	ARP is a TCP/IP-based protocol used to convert an IP address into a physical address (called a Data Link Control [DLC]) such as an Ethernet address. A host wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP network. A host on the network that has the IP address in the request will reply with its physical hardware address. After authenticating, ARP spoofing attacks can be launched in the same manner as in a wired environment to intercept other users' data.	Implement IPSec. ARP spoofing attacks can be launched; however, data is encrypted to the VPN gateway, so hackers will be unable to read the data.
*Password attacks.* An attacker who obtains some sensitive password-derived data, such as a hashed password, performs a series of computations using every possible guess for the password. Because passwords are typically small by cryptographic standards, the password can often be determined by brute force. Depending on the system, the password, and the skills of the attacker, such an attack can be completed in days, hours, or perhaps only a few seconds. A password database should always be kept secret to prevent a dictionary attack on the data. Obsolete password methods also permit a dictionary attack by someone who eavesdrops on the network. Strong password policy enforcement methods prevent this occurrence.	As with wired networks, WLANs are vulnerable to exploitation when weak policies and password controls exist.	Implement good password policies, one-time-passwords (OTP), and auditing.
*Unauthorized network topology discovery.* Network topology discovery is part of the reconnaissance process for an adversary planning for unauthorized access to a network or an attack.	Unauthorized topology discovery can occur in the same way that is possible in the wired network. Network topology can aid an adversary in the attack planning phase when this information is not otherwise available.	Control IP configuration protocols. Only IKE, ESP, DNS, and DHCP will be allowed from the WLAN to the wired network.
*MAC/IP spoofing from unauthenticated users.* WLANs are susceptible to both MAC and IP spoofing.