Hide Notes 

Slide 1: PCIE IT Roundtable Evaluating Wireless Networks Evaluating Wireless Networks PCIE IT Roundtable Workshop October 14, 2003
Slide 2: PCIE IT Roundtable Evaluating Wireless Networks Outline • Introduction to wireless networks • Threats and vulnerabilities • Evaluating wireless networks • • • • • Objectives Methodology Tools Findings Recommendations 2 • Conclusion
Slide 3: PCIE IT Roundtable Evaluating Wireless Networks Introduction to Wireless Networks • Rapid growth computer communications technology • Agencies increasingly use wireless networks • • • • Enhanced mobility Greater productivity Low implementation costs Painless installation 3
Slide 4: PCIE IT Roundtable Evaluating Wireless Networks Introduction to Wireless Networks (cont.) • Use of radio waves instead of cables • Major standard • Institute of Electrical and Electronic Engineers (IEEE) 802.11, Wireless Local Area Networks • Components of a Wi-Fi network • Access Points (Hot Spot) • Wireless clients (e.g. laptops, PDAs) 4
Slide 5: PCIE IT Roundtable Evaluating Wireless Networks 5
Slide 6: PCIE IT Roundtable Evaluating Wireless Networks Threats • Disclosure of sensitive/confidential data • Denial of service (DoS) • Unauthorized access to wireless-enabled resources • Potential weakening of existing security measures on connected wired networks and systems 6
Slide 7: PCIE IT Roundtable Evaluating Wireless Networks 7
Slide 8: PCIE IT Roundtable Evaluating Wireless Networks Vulnerabilities • Wired Equivalent Privacy (WEP) encryption standard extremely weak • Radio signals susceptible to jamming and interference • Protocol vulnerabilities allow • Network sessions to be taken over by an intruder • Injection of invalid data into network traffic • Network reconnaissance • Default configurations create “open” network 8
Slide 9: PCIE IT Roundtable Evaluating Wireless Networks Wireless Automatically Enabled “Roam if you want to. Windows XP automatically recognizes the 802.11 wireless network you’re near and connects you to it.” Microsoft Windows XP Retail box 9
Slide 10: PCIE IT Roundtable Evaluating Wireless Networks Evaluating Wireless Networks • Wireless networks are • Easy to implement • Difficult to secure • Policies often have not been developed 10
Slide 11: PCIE IT Roundtable Evaluating Wireless Networks Evaluation Objectives • Assess the current Agency position regarding wireless networks • Examine the use of wireless technology • Evaluate the security of the wireless network and applications including threats to • Data integrity • Confidentiality • Availability of services and resources • Determine the level of user awareness of wireless technology 11
Slide 12: PCIE IT Roundtable Evaluating Wireless Networks Evaluation Methodology • External scanning to illustrate the ease with which unauthorized persons could intercept wireless signals • Internal scanning and physical inspection to verify the source of signals • Traffic analysis to see if sensitive data is being transmitted, if transmissions are encrypted, and how vulnerable the networks are to attack • Review network topologies to assess connectivity to wired networks and determine measures to protect wired networks • Meet with wireless users and administrators to assess awareness, employee expertise, and strength of security measures 12
Slide 13: PCIE IT Roundtable Evaluating Wireless Networks Content Analysis • • • • • Characterize data on the network View potential vulnerabilities Determine appropriate network use Assist in review of policy conformance 18 USC 2511(2)(a)(i) allows protectors of systems (non law-enforcement) to look at content of wireless transmissions 13
Slide 14: PCIE IT Roundtable Evaluating Wireless Networks Evaluation Tools • Hardware • • • • Laptop Wireless network card Antenna GPS • Wireless sniffing software • WEP encryption cracking software • Mapping software 14
Slide 15: PCIE IT Roundtable Evaluating Wireless Networks Findings • Wireless networks with inadequate security • Range of wireless networks exceed physical boundaries of user organizations • Non-existent or inadequate policies for wireless networks • No risk assessments were performed prior to wireless implementation • No logical separation of wireless networks from wired counterparts • Insufficient employee awareness 15
Slide 16: PCIE IT Roundtable Evaluating Wireless Networks Example: Many wireless networks do not use WEP or other encryption to protect network traffic. ▲ = Access points using encryption ▲ = Access points without encryption 16
Slide 17: PCIE IT Roundtable Evaluating Wireless Networks Example: The radio signal from a wireless network can spill over from the building where access points are located to neighboring buildings, parking lots and public roads. 17
Slide 18: PCIE IT Roundtable Evaluating Wireless Networks Example: These packet traces show highly confidential data that can be captured from a wireless network 18
Slide 19: PCIE IT Roundtable Evaluating Wireless Networks General Evaluation Recommendations • Develop wireless network policies • Conduct risk assessments to determine required level of security • Limit access to wireless networks through the use of wireless security measures (ie. 802.11i or WPA) • Maintain logical separation between wireless and wired networks • Perform wireless scans to identify wireless networks and applications (on a regular basis) • Enforce wireless network policies 19
Slide 20: PCIE IT Roundtable Evaluating Wireless Networks Information Sharing • Awareness • Collaborative use of findings • Confidentiality 20
Slide 21: PCIE IT Roundtable Evaluating Wireless Networks Conclusion • Wireless network evaluations are easy to conduct using inexpensive or freely available tools. • Evaluations are very necessary • Wireless networks are inexpensive, convenient, and simple to use – so people will use them. • BUT, wireless networks are vulnerable. 21
Slide 22: PCIE IT Roundtable Evaluating Wireless Networks Contact for Wireless Network Evaluations Jamil Farshchi (202) 358-1897 jamil@nasa.gov 22