

Hack Proofing Your Wireless Network

Published by Willington Island, 2021-07-15 10:47:15

Description: Wireless technology is a new and rapidly growing field of concentration for network engineers and administrators. Innovative technology is now making the communication between computers a cordless affair. Wireless devices and networks are vulnerable to additional security risks because of their presence in the mobile environment.

Hack Proofing Your Wireless Network is the only book written specifically for architects, engineers, and administrators responsible for securing their wireless networks. From making sense of the various acronyms (WAP, WEP, SSL, PKE, PKI, SSL, SSH, IPSEC) to the implementation of security policies, plans, and recovery protocols, this book will help users secure their wireless network before its security is compromised. The only way to stop a hacker is to think like one...this book details the multiple ways a hacker can attack a wireless network - and then provides users with the knowledge they need to prevent said attacks.



472 Index algorithm weaknesses, Federal Bureau of Investigation Fluhrer, Scott, 348, 425 205–208 (FBI), 93, 230 fog, 161–162, 199 Forum of Incident Response MD5 cryptocipher, 82–83 FHSS. See frequency-hopping spread spectrum (FHSS) and Security Teams need for, 37 (FIRST), 380 Fiber Optics initiative (802.8), fragmentation, configuring, 148 secure copy (SCP), 220 136 fraud, 32, 385 free-space optics (FSO), secure shell (SSH), 78, 220, File Transfer Protocol (FTP), 161–162 317 82, 83 frequencies of channels, 139–140 secure sockets layer (SSL), 78, filtering frequency, changing, 227–228 83, 204, 220 frequency hopping, 80–81 firewalls, 316–318 frequency-hopping spread Twofish algorithm, 93 spectrum (FHSS) media access control (MAC), 802.11 standard, 135 using, 92–93 264–271, 312–315, 802.11b standard, 139–140 341–342, 413, 430–431 Bluetooth, 140, 152, 193 Wired Equivalent Privacy description, 28–29 (WEP) protocol, 35, 78 N-Code, 342–343 HomeRF, 154 frequency reuse, 155 See also cryptography; RC4 Network Flight Recorder, frequently asked questions stream cipher 341–342 (FAQ) architecture and design, enhanced data rates for global protocols, 271–273 199–200 evolution (EDGE), 43, attacks and vulnerabilities, 46, 157–158 financial safeguards, 107 237–238 auditing, 406 entertainment services, 15 firewalls case scenarios, 436–437 monitoring and intrusion environment, analyzing, authorization, 86–87 detection, 361–362 163–164, 330–331 security, 123–124 descriptions, 316–318 security countermeasures, ephemeral keys, 84 296–297 expense, 437 security measures, ESS. See extended service sets circumventing, 326 (ESS) filtering, 316–318 wireless challenge, 73–74 fresnel zones, 129–130, 132 ESSID. See extended service-set insufficiency, 124 FSO. See free-space optics identifiers (ESSIDs) (FSO) log files, 417 FTP. 
See File Transfer Protocol Etherape monitoring tool, (FTP) 336–338 personal, 307–309 future of wireless technologies, 6–7 Ethereal discovery tool, 215, single and dual, 414–417 301, 326, 344 G FIRST. See Forum of Incident Ethernet Response and Securitiy GAO, General Accounting Teams (FIRST) Office (GAO) 802 standards, 136–138, 140, 146, 163, 190 first generation (1G) mobile gap analysis, 170–172 wireless technology. See “gap in WAP,” 34 sniffing programs, 215–220, mobile wireless Gartner Group, 311 301 technologies gathering information for evaluating products, 177 First Monday, 87 audits, 372, 388–390 exchanges, local, 131 fixed access units (FAUs), 130–132 existing environment, analyzing, 163–164 fixed wireless technologies Extended Markup Language local multipoint distribution (XML), 159 service, 130 extended service-set identifiers multichannel multipoint (ESSIDs), 252, 409–410, distribution service, 412, 422 128–129 extended service sets (ESS), point-to-point (PTP) 144–146, 149 microwave, 131–133 Extensible Authentication wireless local area networks Protocol (EAP), 209 (WLANs), 133–134 F wireless local loop (WLL), 128, 130–132, 199 FAQ. See frequently asked questions (FAQ) flexibility of wireless networks, 16–18 FAU. See fixed access units (FAUs) flooding, 114, 226–228 floor plan, 330, 427

Index 473 General Accounting Office program; ngrep sniffing Hypertext Markup Language (GAO), 381 tool; Nmap snooping (HTML), 159 tool; Sniffer Wireless general packet radio service program; Stick IDS I (GPRS), 42–43, 157, 161 mimicking program; TCPDump sniffing tool i-Mode wireless data network, generations. See mobile wireless 35, 39, 73 technologies hardware location, 256 ICMP. See Internet Control Global and National Health Information Portability Message Protocol Commerce Act, 111–112 and Accountability Act (ICMP) (HIPAA), 108–111 Global Positioning System identifying resources, 96–97 (GPS), 213, 307, 420 Hellman, Martin, 83–84 identity theft, 32 global system for mobile Henry III of France, 64 communications (GSM), IDS. See intrusion detection 39, 42, 155, 157, Hermes chipset, 419–420 system (IDS) 159–160 Hewlett-Packard IEC. See International Gnutella peer-to-peer software, Electrotechnical 340–341 OpenView performance Commission (IEC) monitor, 310, 336 Gold PCMCIA cards, 419 IEEE. See Institute of Electrical WEP key management, 209 and Electronics Goodman, Cassi, 116 Engineers (IEEE) hidden node, 147 GPRS. See general packet radio IETF. See Internet Engineering service (GPRS) high-level design, 174 Task Force (IETF) GPS. See Global Positioning high-level operating model, IIA, Institute of Internal System (GPS) 176–177 Auditors (IIA) Gramm-Leach-Bliley Act, high-level physical design, 176 ILEC. See incumbent local 106–108 exchange carrier (ILEC) high-level services, 175 groupware, corporate, 11–12 IMEI, international mobile high-level topology, 174–175 equipment identifier GSM. See global system for (IMEI) mobile communications high-performance radio LAN (GSM) (HiperLAN), 154 implementing security policy, 98–101 GSM-IP. See general packet hijacking, 223–226, 322 radio service (GPRS) implementing wireless networks HIPAA. 
See Health Information guidelines for auditing, 378 Portability and checklists, 429–432 Accountability Act H (HIPAA) configuration of access points (AP), 412–413 hacking HiperLAN. See high- performance radio LAN locations, physical, 411 backdoor systems, 351–352 (HiperLAN) locations, scouting for, booby traps, 351 history of wireless technologies, 426–429 7–9 planning, 300–303 nonsecure installation, home location register (HLR), 409–410 rootkits, 351 160 obstacles, 330–331, 426, 428 sniffing programs, 215–220, HomeRF 301, 314 planning, 184 access speeds, 23–24 social engineering, 318–320, policies for security, 417–418 354 audio/video applications, 56–57 ultrasecure installation, tools, 217, 301–302, 307–308, 410–418 418–420, 425. See also Bluetooth, 193 AiroPeek program to IMSI, international mobile gather traffic; AirSnort data applications, 56 subscriber identity key-recovery program; (IMSI) Back-Orifice remote specification, 54–55 access program; IMT-2000. See International Dachb0den Labs; dsniff Standard Wireless Access Mobile sniffing toolkit; Ethereal Protocol (SWAP), 154 Telecommunications discovery tool; 2000 (IMT-2000) NetStumbler wireless- telephony applications, 56 network discovery IMT-CDMA. See code-division hopping, frequency, 80–81 multiple access (CDMA) host audits, 370–371 incident response, 348–352 host-based intrusion detection system (IDS), 361

474 Index incumbent local exchange cyclic redundancy checks RedCreek Communications, carrier (ILEC), 130 (CRCs), 79 93 independent basic service sets, data injection, 79 IR. See infrared 142 See also RC4 stream cipher IRC. See Internet relay chat Industrial, Scientific, and (IRC) Medical (ISM) radio interference and coexistence of bands, 31 radio sources, 31–32, irregularities in sampling, 384 226, 331–333, 428 information and entertainment ISACA. See Information services, 15 internal resources, 96 Systems Audit and Control Association information appliances, growth International Electrotechnical (ISACA) of, 5 Commission (IEC), 104 ISC2. See International information for audits International Information Information Systems Systems Security Security Certification Certification Consortium analysis, 390–392 (ISC2), 379 Consortium (ISC2) ISDN. See Integrated Services gathering, 372, 388–390 international mobile equipment Digital Network (ISDN) identifier (IMEI), 160 Information Systems Audit and ISM. See Industrial, Scientific, Control Association international mobile subscriber and Medical (ISM) radio (ISACA), 379 identity (IMSI), 160 bands Information Systems Security International Mobile ISO. See International Association (ISSA), 380 Telecommunications Organization for 2000 (IMT-2000), 45 Standardization (ISO) Information Technology Security Evaluation International Organization for Isochronous Services LAN Certification (ITSEC), Standardization (ISO) (ISLAN) initiative 89, 102 standards, 104–106, (802.9), 137 380–381 infrared ISSA. See Information Systems Internet access, 15 Security Association broadband, 161–162 (ISSA) Internet Control Message optical wireless, 193 Protocol (ICMP), 271 ITAudit.org, 380 physical layer in 802.11, 48, Internet Engineering Task ITSEC. See Information 135 Force (IETF), 381 Technology Security Evaluation Certification infrastructure basic service sets, Internet relay chat (IRC), 341 (ITSEC) 143, 144 interoperable LAN security, 137 IV. 
See initialization vectors initialization vectors (IVs), (IVs) 205–208, 305 interviewing for audits, 365, 374, 389 J inside-out placement of access points (APs), 330 intrusion, detection of, 328–357 JavaScript, 229 insiders, exploiting, 318–320 intrusion detection system K (IDS) installation. See implementing Kazaa peer-to-peer software, wireless networks host-based, 361 340–341 Institute of Electrical and Network Flight Recorder, keys Electronics Engineers 341–342 (IEEE) acquiring, 305–306 reading log files, 417 description, 134 cryptography, 84 sensor signatures, 343–345 task groups, 48–50 ephemeral, 84 IP addresses Institute of Internal Auditors management, 209 (IIA), 380 allocating, 251–252, 278–281, 412–413 private, 89 insurance, 311 filtering in firewalls, 316–317 public, 37, 62–67, 83–84, 90 integrated monitoring, 338–342 private, 309 keystroke logger, 322 Integrated Services Digital Network (ISDN) line, IPSec virtual private network L 283 authentication and L2TP. See Layer 2 Tunneling integration plan, 172 encryption, 281–282 Protocol (L2TP) integration service, 145–146 commercial VPN systems, 414 LAN. See local area networks (LANs) integrity encrypted packets, 427 checksums, 78–79 integrity checks, 242 cryptography, 79, 83–84 recommended for security, 78

Index 475 LAN/MAN Bridging and local multipoint distribution medicine, 57 Management initiative service (LMDS), 128, media access control (MAC) (802.1), 136 130–131 acknowledgment of data, 147 landscape, physical, 188–190 locations allowable addresses, 144 hardware, 256 authenticating wireless laws physical, 411 scouting for, 426–429 devices, 150, 313–314 Children’s Online Privacy Bluetooth, 55 Protection Act log files bridge operations in 802.11c, (COPPA), 112 access points (APs), 91, 310 Dynamic Host Configuration 49 civil liability, 112 Protocol (DHCP), 310 configuring address in Agere firewalls, 417 Global and National intrusion detection system ORiNOCO, 222 Commerce Act, 111–112 (IDS), 417 defined by IEEE 802.11, 48 media access control (MAC) definition, 312–313 Gramm-Leach-Bliley Act, filters, 267 encryption, 154 106–108 reviewing frequently, 332, enhanced by 802.11e, 49 338–339 enhanced by 802.11h and Health Information transactions, 90 Portability and 802.11i, 50 Accountability Act Logical Link Control initiative filtering, 264–271, 312–315, (HIPAA), 108–111 (802.2), 136 413, 430–431 legal duty, 112 logical roaming, 20 limiting for security, 86 loss of data, 113–114 logging, 91, 100 NAIC model act, 106 Lucent Gateway, 212, 215 searching addresses, 321–322 Lucent WEP keys, acquiring, specified by 802.11, 60, 135, National Association of Insurance Commissioners 229 138 (NAIC) model act, 105 specified by 802.16.1, 60 M spoofing, 114, 314–315 old, 123 transfer of data frames, 145 MAC. See media access control unauthorized addresses, in policy, 99 (MAC) 341–342 torts, 112 maintenance plan, 183 virtual collision detection maintenance window audits, Layer 2 Tunneling Protocol (VCD) mode, 51 (L2TP), 240, 281–282 370–371 in wired network, 144 malware, 216, 222, 228–231 Merkle, Ralph, 84 layered protection, 285 MAN. See metropolitan area messaging, mobile, 10, 15 meters, parking, 13–14 LBT, listening before talking networks (MANs) methodology. 
See design (LBT) man-in-the-middle attacks, 33, methodology LEAP authentication, 85, 113, 224 Metropolitan Area Network 209–211 management requirements, 168 management statements, 94 (MAN) initiative (802.6), liability law, 112 managing power, in WLANs, 136 microwave ovens, 31, 331 licenses, 25, 168 148 MMDS. See multichannel Mantin, Itsik, 348, 425 multipoint distribution lifetime of resources, 98 market adoption challenges, 27 service (MMDS) mass dialing, 116 mobile messaging, 10, 15 LimeWire peer-to-peer matrix mobile office, 11–12 software, 340 mobile station, 159 access points (APs), 254 mobile switching center limitations of radio. See radio analysis, 391 (MSC), 160 limitations recommendations, 392 mobile wireless technologies, risk, 172 114 LinkManager, 355–357 McCullagh, Adrian, 87 2.5 generation (2.5G), 42–44, McNamara, Joel, 116 155, 157, 199 Linksys access points (APs), MD5 cryptocipher, 82–83 253, 313 Linux operating system, 186, 229, 420 listening before talking (LBT), 146–147 LMDS. See local multipoint distribution service (LMDS) local area networks (LANs), 46–62, 136–137 local exchanges, 131

476 Index architecture, 155–156 (NAIC) model act, 105, high-level physical design, 106 176 first generation (1G), 155, 156, 199 national information high-level services, 175 infrastructure. See general packet radio service unlicensed national high-level topology, 174–175 (GPRS), 161 information infrastructure (U-NII) implementation plan, 184 global system for mobil spectrum communications (GSM), maintenance plan, 183 159–160 National Institute of Standards and Technology (NIST), operating model design, second generation (2G), 23, 381 detailed, 182–183 39–42, 155, 157, 199 National Security Agency operations design, 182 short message service (SMS), (NSA), 93, 102, 115 161 operations services, 176 Netscape Secure Sockets Layer telephone interference, 226 (SSL) Challenge, 204 physical design, detailed, 181–182 third generation (3G), 23, NetStumbler wireless-network 43–45, 155, 157–158, discovery program planning phase, reviewing, 199 174 access-point listings, 217–219, Wireless Access Protocol 302, 421–422 product evaluation, 177 (WAP), 158–159 attack distance, 290 reviewing and validating, 179 mobility of wireless networks, 21, 44–45 cards supported, 301, services, detailed, 180–181 420–421 modem, cable, 129 topology, detailed, 179–180 closed networks, 274, 412 monitoring training plan, 183 conflicts, identifying, 228 defensive, 331–337 validating, 179 database of found networks, integrated, 338–342 213–214 Network Associates, 301, 326 performance, 335–337 description, 213 network baseline, 169–170 remote, 13 extent of network signals, 346 Network Flight Recorder filtering, 341–342 tools, 310, 336–337, 342–345 history, 116–117 network interface cards (NICs) monitors, baby, 114, 428 network snooping, 252 media access control (MAC) MP3 music, 57 output analysis, 425 addresses, 312–313 MPEG2 video, 144 rogue access points (APs), stolen, 311 320–322 MPEG4 video, 57 See also cards, PCMCIA signal-strength monitoring, MSC, mobile switching center 218–219, 320, 355–356, 
network plans, 167–168 (MSC) 426–427 network standards. See multicell roaming, 148–149 SSID hidden from, 329 standards; individual 802.x network standards multichannel multipoint thwarting, 220 distribution service network subsystem, 159–160 (MMDS), 128–131, 168 vendor information, 215 networks multimedia, 5, 43–45 network address translation (NAT), 336 ad-hoc, 142–143, 152 multipath reflection, 129–130, 132 network architecture, auditing, 370–371 developing N closed, 212, 301, 303, 329, action plan, 178 412 N-Code filter writing, 342–343 collocation architecture, 175 open, 301–303, 307–310 NAIC. See National Association of Insurance deliverables, 178 secure, designing and Commissioners (NAIC) deploying, 163–183, design documents, detailed, 253–257 naming conventions, 244 184 token ring, 136 Napster peer-to-peer software, design phase, detailed, 340–341 178–179 topology, 190–191 NAT. See network address high-level operating model, See also local area networks translation (NAT) 176–177 (LANs); metropolitan area networks (MANs); National Association of network architecture, Insurance Commissioners developing; virtual private networks (VPNs); wireless local area networks (WLANs);

Index 477 wireless metropolitan optical wireless technologies, SNIPS, 336–337 area networks 161–162 personal communications (WMANs); wireless personal area networks Orange Book, 102 services (PCS), 151, 159 (WPANs) organizationally unique personal digital assistants NFR Security, 342 identifiers (OUIs), (PDAs), 3–7, 10, 22, 312–313, 321–322, 38–39, 151–152, 186 ngrep sniffing tool, 217 341–342 personal operating space (POS), ORiNOCO. See Agere 58 NIC. See network interface ORiNOCO personal resources, 98 cards (NICs) Orthogonal Frequency Division PGP keyrings, 230 Multiplexing (OFDM), photonics, open-air, 161–162 NIST. See National Institute of 141 physical design Standards and OSI. See Open System detailed, 181–182 Technology (NIST) Interconnection (OSI) high-level, 176 ostrich response, 245 physical landscape, 188–190 Nmap snooping tool, 309, OUI. See organizationally piconets, 58, 152–153 347–348, 422–424 unique identifiers (OUIs) PKI. See public key ovens, microwave, 31 infrastructure (PKI) NOCOL performance plain old telephone service monitor, 336 P (POTS), 130, 160 planning node, hidden, 147 Packet Storm, 115 deliverable plans, 173–174 packets, “weak,” 215 implementation, 184 noise, 428 paranoia, 245 maintenance, 183 parking meters, 13–14 network, 167–168, 174 See also interference and passive attacks, 36, 225 operations, 170 coexistence of radio passwords training, 183 sources; signal-to-noise point coordination function ratio archive.pst file, 425 (PCF), 190–191 avoiding dictionary words, point-to-point (PTP) Nokia Wireless, 313 microwave, 131–133 273–275 Point-to-Point Tunneling Nordic Mobile Telephone dictionary, 83 Protocol (PPTP), (NMT) system, 156 discovering, 319 281–282 protection, 82–83, 244, 288, policies, rules hierarchy for, NSA. 
See National Security 98–99 Agency (NSA) 290 policies for auditing, 378 revealed to E-Bay, 229 policies for security O zero knowledge, 83–84 corporate, 382–384 patches and upgrades, 94 definition, 242 obstacles, 330–331, 426, 428 PCF. See point coordination double-edged sword, 108 implementation, 98–101 OFDM. See Orthogonal function (PCF) incident response, 350 Frequency Division PCMCIA cards for war driving, required by law, 123 Multiplexing (OFDM) revisiting, 241–243 301, 419–420 risk analysis (RA), 95–97 office, mobile, 11–12 PCS. See personal rules hierarchy, 98–99 sample, 100 open-air photonics, 161–162 communications services Poll, Power Save, 148 (PCS) POP mail, 82, 83 Open Distributed Processing PDA. See personal digital port filtering, 317–318 Reference Model, 105 assistants (PDAs) POS. See personal operating peer-to-peer software, 339–341 space (POS) open networks, 301–303, performance audits, 370 307–310 performance monitoring, 335–337 Open System Interconnection performance monitors (OSI), 104, 164, 267 Hewlett-Packard OpenView, 310, 336 OpenView performance NOCOL, 336 monitor, 310, 336 OpenView, 310, 336 operating model, high-level, 176–177 operating model design, detailed, 182–183 operations design, 182 planning, 170 requirements, 168 operations services, 176 opinions, biased, 385 opt-out rights, 107

478 Index POTS. See plain old telephone (WEP) protocol;Wireless encapsulating the payload, service (POTS) Access Protocol (WAP) 150 provisioning requirements, 168 power, managing in WLANs, proxy servers, 317 encrypting transmitted 148 PTP. See point-to-point (PTP) network packets, 78 microwave Power Save Poll frame, 148 public-key cryptography, 83–84 key scheme, 305 public key infrastructure (PKI), linear function, 208 PPTP. See point-to-point 37, 62–67, 90 protected confidentiality, 117 tunneling protocol public resources, 96 secure data communications, (PPTP) Q 42 pre-authentication service, 144 weaknesses, 206, 348 quality of service (QoS), reacting to incidents, 350–351 predictions, 6–7 141–142, 154, 164 reassociation service, 145 recommendations matrix, 392 preventing incidents, 352 R Red Creek Communications, PRISM 2 chipset, 304, 419–420 RA. See risk analysis (RA) 93 radio reflection, multipath, 129–130, prism2dump packet sniffer, 420 frequencies of channels, 132 privacy 139–140 regulatory issues, 168 rekeying Wired Equivalent definition, 81 frequency, changing, 227–228 PCMCIA cards, 409 Privacy (WEP) protocol, policies, 106 ports, 131 215, 306, 319, 351 range and coverage, 30 Remote Access Dial-In User service, 144–145, 150 signal strength, 218–219, Service (RADIUS) authentication standards, 106–112 332–333, 346, 411 802.11 enhancement, 85–87 waves, 17, 27–28, 411 authenticating end-user only, private IP addresses, 309 See also 2.4GHz and other 322 behind VPN server, 282–283 private keys, 89 specific bands external database, 100, 223 Radio Frequency (RF) external management, process, design. 
See design 208–209 process spectrum analyzer, 303 preventing association, 314 radio limitations supported by access points product evaluation, 177 (AP), 244–245 antenna use, 30–31 Remote Access Service (RAS), productivity from wireless direct-sequence spread 150, 251, 285 networks, 24 remote monitoring and control, spectrum (DSSS), 29–30 13 promiscuous mode, 216 frequency-hopping spread report samples, 397–401 reporting incidents, 351 protection, layered, 285 spectrum (FHSS), 28–29 reports for audits, 372–373, interference and coexistence, 392–396 protocol filters, 271–273 repudiation, 87–90 31–32, 226, 331–333, request to send/clear to send protocols. See Address 428 (RTS/CTS), 51, 147 Resolution Protocol range and coverage, 30 requirements (ARP); Connectionless radio transmission technology administration, 168 Network Protocol (RTT), 43 business, 168 (CLNP); Digital RADIUS. See Remote Access gathering, 168–169 Enhanced Cordless Dial-In User Service management, 168 Telecommunications (RADIUS) operations, 168 (DECT) protocol; rain, 132, 161–162, 199 provisioning, 168 Dynamic Host range and coverage of radio, 30 technical, 168 Configuration Protocol RAS. See Remote Access (DHCP); Extensible Service (RAS) Authentication Protocol RC4 stream cipher (EAP); File Transfer data injection, 79 Protocol (FTP); Internet degrading, 205 Control Message description, 258, 260 Protocol (ICMP); Layer 2 Tunneling Protocol (L2TP); Point-to-Point Tunneling Protocol (PPTP); Simple Mail Transfer Protocol (SMTP); Standard Wireless Access Protocol (SWAP); User Datagram Protocol (UDP);Wired Equivalent Privacy

Index 479 resources, identifying, 96–97 secure copy (SCP) encryption, repudiation, 87–90 responding to incidents, 220 service-set identifiers (SSIDs), 348–352 secure shell (SSH) encryption, 149–150 restricted resources, 97 78, 220, 317 reviewing network architecture, standards, early, 102–103 secure sockets layer (SSL) 179 encryption, 78, 83, 204, trust hierarchy, 102 risk analysis (RA), 95, 96, 97, 220 user participation, 287–291 172–173, 365–367 SecurID, 223, 414 risk audits, 370 security X.509 certificates, 61 risk matrix, 172 risks, common, 113–118, AAA tenets, 77 See also denial of service accounting, 90–91 (DoS) attacks; 202–231, 246–253 analyzing threats, 245–253 encryption; laws; policies Rivest, Ron, 258 assurance levels, 89, 102–103 for security; virtual roaming, 18–21, 74, 148–149 audit trails, 90–91 private networks (VPNs); rogue access points (APs) authentication, 81–85 Wired Equivalent authorization, 85–87 Privacy (WEP) protocol; hacker-created, 216, 224, 354 availability, 80–81 wireless local area installing, 320–322 Big Three,The, 76–77, 119 networks (WLANs) investigating, 355–357 bypassing, 315–318 surveying for, 353–357 challenges, 36–38 “security through obscurity,” user-created, 244, 289, checksums, 79 412 CIA tenets, 76–77 353–354 circumventing, 407–434 segmentation of access, 90 Roos, Andrew, 206 classification criteria, 97–98 rootkits, 351 common risks and threats, service-set identifiers (SSIDs) RSA Security Inc. 113–118, 202–231, access points (APs), 275 RC4 encryption, 42, 80 246–253 Ron Rivest, 258 confidentiality, 77–78 access points (APs), multiple, SecurID, 414 consequences of loss, 149–150 X.509 certificates, 61 117–118 RTS/CTS. See request to cyclic redundancy checks altering default SSIDs, (CRCs), 79 252–254, 315–316 send/clear to send designing and deploying, (RTS/CTS) 253–257 broadcasting, 243–244, 264, RTT. 
See radio transmission eavesdropping, 115–117, 274, 329 technology (RTT) 219–220 rules hierarchy for policy, 98–99 frequently asked questions configuring, 262 (FAQ), 123–124 S fundamentals, 76–92, 123 dictionary words, avoiding, hardware location, 256 273–275 safeguards, financial, 107 incident response, 348–352 Safeware computer insurance, integrity, 78–79 empty value, 302–303 intrusion, detection of, 311 328–357 finding, 311 sampling irregularities, 384 layers of, 266 SANS. See System limitations due to, 32–38 unencrypted in Windows loss of data, 113–114 registry, 311 Administration, monitoring, detection of, Networking, and 328–331 services in 802.11, 144–145 Security Institute monitoring, integrated, (SANS) 338–342 services in network architecture scatternets, 58, 152–153 patches and upgrades, 94 scheduled audits, 370–371 privacy, 81, 106–112 detailed, 180–181 Schneir, Bruce, 93 SCP. See secure copy (SCP) high-level, 175 encryption second generation (2G) mobile levels, 168 wireless technology. See mobile wireless offerings, 168 technologies operations, 176 session hijacking, 223–226, 322 Shamir, Adi, 348, 425 shared-key authentication, 84–85, 259 short-distance wireless networks. See 802.15 network standard short message service (SMS), 10, 161 short-range campus environments, 130 signal strength, 218–219, 332–333, 346, 411

480 Index signal-to-noise ratio, 148, 187 media access control (MAC), old, 123 114, 314–315 signature files, 342–343 Open System Trojan horse, 247 Interconnection (OSI), signatures 104 unencrypted SSIDs in electronic, 111 Windows registry, 311 privacy, 106–112 intrusion detection system Windows registry, editing security, 101–106 (IDS) sensors, 343–345 MAC address in, 220 Trusted Computer Systems need for, 37 spread spectrum, 28, 57 Evaluation Criteria (TCSEC), 102 SIM. See subscriber identity See also direct-sequence module (SIM) spread spectrum (DSSS); See also individual 802.x frequency-hopping network standards Simple Mail Transfer Protocol spread spectrum (FHSS) (SMTP), 271 Starbucks, 301 SSH. See secure shell (SSH) Site Monitor, Agere encryption station services in 802.11, ORiNOCO, 355 144–145 SSID. See service-set identifiers skill required for attacks, 227, (SSIDs) Stick IDS mimicking program, 238 345 SSL. See secure sockets layer SMC access points (APs), 253 (SSL) encryption stolen users’ devices, 216, 230–231, 310–312 SMS. See short message service Standard for Interoperable LAN (SMS) Security (SILS) initiative subscriber identity module (802.10), 137 (SIM), 45, 159–160 SMTP. See Simple Mail Transfer Protocol (SMTP) Standard Wireless Access subscriber relationships, Protocol (SWAP), 154 187–188 Sniffer Pro program, 314 standards success factors in auditing, Sniffer Wireless program, 301 376–377 assurance levels, 89, 102–103 sniffing programs, 215–220, Sun Tzu, 213 301, 314 auditing, 377–379 support for applications, SNIPS performance monitor, British Standards Institute 185–188 336–337 (BSI), 104 SWAP. 
See Standard Wireless SNMP configuration of access Canadian Trusted Computer Access Protocol (SWAP) points (APs), 315 Product Evaluation Criteria (CTCPEC), 102 switched environment, 219 SNMP-trap server, 310 cellular-based wireless symmetric ciphers, 63–66 Snort intrusion detection networks, 38–46 system (IDS), 341, SYN scan, 423 343–345 conflicts, 25–26 System Administration, social engineering, 318–320, Gramm-Leach-Bliley Act, Networking, and 354 106–108 Security Institute (SANS), 101, 350 Solutions Fast Tracks Health Information Portability and system compliance, auditing, architecture and design, Accountability Act 368, 370 194–198 (HIPAA), 108–111 system operation, auditing, 367 attacks and vulnerabilities, home network, 200 232–237 T Information Technology auditing, 403–405 Security Evaluation TACACS+ authentication, 100 Certification (ITSEC), case scenarios, 434–435 89, 102 TACS,Total Access Communication System monitoring and intrusion Institute of Electrical and (TACS) detection, 359–361 Electronics Engineers (IEEE) task groups, task groups security, 120–122 48–50 802.11 network standards, security countermeasures, International Electrotechnical 48–50 293–296 Commission (IEC), 104 802.15 network standard, security measures, International Organization 58–60 circumventing, 323–326 for Standardization (ISO), 104–106 802.16 network standard, 62 wireless challenge, 69–72 Institute of Electrical and speed of wireless networks, Electronics Engineers 22–24 (IEEE), 48–50 spoofing authentication spoofing, 221 description, 113, 220–223

Index 481 TCPDump sniffing tool, 215, likelihood, 95 training plan, 183 217 risk plus vulnerability, transaction log files, 90 TCSEC. See Trusted Computer 246–253 Systems Evaluation transmitters, cellular, 155 Criteria (TCSEC) See also denial of service (DoS) attacks; spoofing travel information updates, 15 TDMA. See time-division multiple access (TDMA) TIM. See traffic indicator map Trojan horse, 247, 322 (TIM) technical analysis, 365 trust hierarchy, 102 technical requirements, 168 time-division multiple access technical review in auditing, (TDMA), 41 Trusted Computer Systems Evaluation Criteria 390 Tiny’s Personal Firewall, 417 (TCSEC), 102 technologies Token-Passing Bus initiative trusted third party (TTP), cellular-based wireless (802.4), 136 88–90 networks, 3 Token Ring initiative (802.5), Twofish encryption algorithm, communications, 39–46 136 93 convergence, 3 fixed wireless, 128–142 Tone Loc program, 116 U future of, 6–7 history of, 7–9 tools U-NII. See unlicensed national information appliances, information AiroPeek program to gather infrastructure (U-NII) growth of, 5 traffic, 252, 301, 314, 326 spectrum mobile wireless, 155–161 optical wireless, 161–162 ARP spoofing, 224–225, 227 UDP. See User Datagram statistics, 4 Protocol (UDP) trends, 4 auditing, 374–376 wireless local area networks UMTS. See universal mobile autoresponding, 339 telephone system (WLANs), 3 (UMTS) technology plans, 171–172 Cquire.net, 229 telematics, 13–14 unauthorized media access telemedicine, 57 hacking, 301–302, 307–308, control (MAC) addresses, telemetry, 13–14 418–420, 425. See also 341–342 telephones, wireless. 
See mobile AiroPeek program to gather traffic; AirSnort United States General wireless technologies key-recovery program; Accounting Offices, 381 telephony applications, 56 Back-Orifice remote telepresence, 11–12 access program; United States National Institute Telnet, 82, 83, 315 Dachb0den Labs; dsniff of Standards and TEMPEST eavesdropping, 115 sniffing toolkit; Ethereal Technology (NIST), 381 theft, identity, 32 discovery tool; theft of users’ devices, 216, NetStumbler wireless- universal mobile telephone network discovery system (UMTS), 45–46 230–231, 310–312 program; ngrep sniffing third generation (3G) mobile tool; Nmap snooping unlicensed national information tool; Sniffer Wireless infrastructure (U-NII) wireless technology. See program; Stick IDS spectrum, 49, 138, mobile wireless mimicking program; 140–141 technologies TCPDump sniffing tool Third-Party Partnership Project upgrades and patches, 94 2 (3GPP2), 45 monitoring, 310, 336–337, Third-Party Partnership Project 342–345 useful life of resources, 98 (3GPP), 45 threats Nmap snooping tool, 309, User Datagram Protocol analyzing, 245–253 347–348, 422–424 (UDP), 336 common, 113–118, 202–231, 246–253 topology users flooding, 226–228 detailed, 179–180 exploiting, 318–320 high-level, 174–175 participation in security, 287–291, 417–418 wireless networks, 190–191 projected quantities of, 4 torts, 112 theft of devices, 216, Total Access Communication 230–231, 310–312 System (TACS), 156 V traffic, 13–14, 339–341 validating network architecture, traffic indicator map (TIM), 179 51–52 value of resources, 97 van Eck,Wim, 116

482 Index

van Eck devices, 115–116
VCD. See virtual collision detection (VCD) mode
vendor compatibility with 802.11, 138–139
video applications, 56–57, 144
video on demand, 154
Vironix Software Laboratories, 206
virtual collision detection (VCD) mode, 51
virtual private networks (VPNs), 93
    authentication, 242, 244–245
    designing a server implementation, 414–417
    exploiting, 322
    SecurID, 414
    support by access points (APs), 252, 254
    use of, 281–286
    user load, 297
    See also IPSec virtual private network
visitor location register (VLR), 160
voice data, encrypting and monitoring, 92–93
voice over IP (VoIP), 39, 57, 60, 154
VPN. See virtual private networks (VPNs)
vulnerability
    assessing, 346–348
    eavesdropping, 115–117, 219–220
    flooding, 226–228
    hijacking, 223–226, 322
    reconnaissance, 213–216
    security countermeasures, 246–253
    sniffing, 216–220
    See also denial of service (DoS) attacks; spoofing

W

Walker, Jesse, 204, 207, 303
WAP. See Wireless Access Protocol (WAP)
war dialing, 116, 213, 408
war driving, 116, 213, 306–312, 408–409, 418–426
Wired Equivalent Privacy (WEP) protocol
    access points (APs), 241
    acquiring WEP keys, 305–306
    advantages, 259–260
    algorithm description, 205–206
    criticisms of overall design, 203–205
    defined by 802.11, 203–205, 257–258
    disadvantages, 260, 296, 303–305, 412–413
    encryption, 78, 85, 92, 117, 205–208
    example, 262–264
    exploiting, 303–306
    history of, 203
    implementing, 257–264
    Lucent WEP keys, acquiring, 229
    optional, 204–205
    privacy, creating, 258–259
    privacy service, 145, 150
    rekeying, 215, 306, 319, 351
    security implications, 260–261
    shared-key authentication, 84–85, 91, 259
    weaknesses, 202–213
    still relied on, 54, 150
    wireless local area networks (WLANs), 35–38
“weak” packets, 215
weaknesses
    design of Wired Equivalent Privacy (WEP) protocol, 203–205
    encryption algorithm, 205–208
    exploiting in targets, 215–216
    finding in targets, 214–215
    key management, 208–211
    RC4 stream cipher, 348
    user behavior, 211–213
Web clipping, 185–186
WECA. See Wireless Ethernet Compatibility Alliance (WECA)
Wegner, David, 206
WEP. See Wired Equivalent Privacy (WEP) protocol
WEPcrack program, 348
    authentication spoofing, 221
    history, 208, 304
    requires much data, 224
    secret keys, 212
    “weak” packets, 215
WildPackets AiroPeek, 252, 301, 314, 326
Williams, Ross, 79
WIMAN Systems, Inc., 80–81
Windows registry
    changing media access control (MAC) address, 220
    Lucent WEP keys, acquiring, 229
    unencrypted service-set identifiers (SSIDs), 311
Wireless Access Protocol (WAP), 34–35, 73, 158–159
Wireless Ethernet Compatibility Alliance (WECA), 138
wireless gateways, 115
Wireless LAN (WLAN) initiative (802.11), 137
wireless local area networks (WLANs)
    802.11 network standard, 47–54
    802.11a network standard, 51–53, 140–141
    802.11b network standard, 51–53, 139–140
    802.11e network standard, 141–142
    ad-hoc networks, 142–143, 152
    basic service sets (BSS), 142–144
    benefits, 133
    bypassing obstacles, 428
    carrier-sense multiple-access collision avoidance (CSMA-CA), 146–147
    data, acknowledging, 147
    definition, 3
    developing through 802.11, 142–151
    developing through 802.15, 151–154
    extended service sets (ESS), 144–146
    fragmentation, configuring, 148

Index 483

wireless local area networks (WLANs) (continued)
    IP addresses, allocating, 278–281
    managing power, 148
    multicell roaming, 148–149
    request to send/clear to send (RTS/CTS), 51, 147
    security, 149–151
    security improvement initiatives, 297
    standard, content of, 135, 137
    standard, need for, 133–134
    vendor compatibility, 138
    See also wireless networks
wireless local loop (WLL), 128, 130–132, 199
Wireless Markup Language (WML), 159
wireless metropolitan area networks (WMANs), 60–62
wireless network architecture. See design methodology; design process; fixed wireless technologies; mobile wireless technologies; network architecture, developing; optical wireless technologies; wireless local area networks (WLANs); wireless network attributes; wireless personal area networks (WPANs)
wireless network attributes
    application support, 185–188
    network topology, 190–191
    physical landscape, 188–190
    subscriber relationships, 187–188
wireless networks
    access zones, 18–20
    aesthetics, 24
    affordability, 22–23
    antenna use, 30–31
    applications, business, 9–14
    applications, consumer, 14–15
    benefits, 16–24
    broadcasting information, 211–212
    commercial conflicts, 27
    convenience, 16–21
    corporate communications, 10–12
    cost, 22–23
    customer service, 13
    direct-sequence spread spectrum (DSSS), 29–30
    field service, 14
    flexibility, 16–18
    frequency-hopping spread spectrum (FHSS), 28–29
    interference and coexistence, 31–32, 226, 331–333, 428
    market adoption challenges, 27
    mobility, 21
    productivity, 24
    promiscuous mode, 216
    radio limitations, 27–32
    range and coverage, 26, 30
    reality, 24–38
    roaming, 18–21
    security limitations, 32–38
    speed, 22–24
    standards conflicts, 25–26
    telemetry, 13–14
    Wired Equivalent Privacy (WEP) protocol, 35–36
    Wireless Access Protocol (WAP), 34–35
    See also cellular-based wireless networks; implementing wireless networks; wireless local area networks (WLANs); wireless personal area networks (WPANs)
wireless personal area networks (WPANs)
Wireless Personal Area Network (WPAN) initiative (802.15), 137
wireless personal area networks (WPANs)
    802.15 network standard, 57–60, 137, 151–154
    Bluetooth, 151–153
    high-performance radio LAN (HiperLAN), 154
    HomeRF, 154
    spread spectrum, 57
    task groups, 58–60
    See also wireless networks
wireless technologies. See technologies
wireless telephones. See mobile wireless technologies
WLAN. See wireless local area networks (WLANs)
WLL. See wireless local loop (WLL)
WMAN. See wireless metropolitan area networks (WMANs)
WML. See Wireless Markup Language (WML)
WPAN. See wireless personal area networks (WPANs)
writing audit reports, 393–396

X

X.509 certificates, 61
XML. See Extended Markup Language (XML)

Z

zero knowledge passwords, 83–84
Zone Labs ZoneAlarm Pro, 308, 417

SYNGRESS SOLUTIONS…

AVAILABLE NOW! ORDER at www.syngress.com

Designing a Wireless Network
Wireless network design presents the IT professional with unique obstacles. Your network requires the seamless and secure distribution of information, in spite of competing communication protocols, incompatible hardware platforms, and narrow bandwidths. This book is an introduction to developing efficient means of wireless transport in order to fully leverage wireless technologies.
ISBN: 1-928994-45-8
Price: $49.95 US, $77.95 CAN

AVAILABLE MARCH 2002! ORDER at www.syngress.com

Building a Cisco Wireless LAN
For individuals designing and supporting a Cisco LAN, this book has detailed information on building a network design for the Cisco 340, 350, and UBR 7200 series and shows how to configure a Cisco WLAN.
ISBN: 1-928994-58-X
Price: $59.95 US, $92.95 CAN

AVAILABLE MARCH 2002! ORDER at www.syngress.com

Hack Proofing Your Network, Second Edition
This completely revised and updated edition of the highly popular international best-seller covers more methods of attack and hacker secrets, written by an all-star security team. You’ll learn terms like “smashing the stack,” “blind spoofing,” “building a backward bridge,” “steganography,” “buffer overflow” and you’ll see why you need to worry about them. Also covered are the theories of hacking, how to fend off local and remote attacks, and how to report and evaluate security problems.
ISBN: 1-928994-70-9
Price: $49.95 US, $77.95 CAN

