If you've been watching all my other episodes on wireless threats, you should be significantly concerned that there could be problems with a typical 802.11 wireless network. And that's what this episode is all about: hardening 802.11. Now, there's a lot to cover here. So what I'm going to do is break it down into these four groups that I use personally when I'm thinking about hardening my 802.11 networks. Number one is going to be survey and installation issues. Number two is going to be maintaining an existing wireless network. Number three, which is actually a corollary to that, is monitoring a wireless network. And number four, the one that everybody forgets: how do you defend your wireless clients?
So let's go ahead and get started with survey and installation. If you're going to be installing or upgrading a wireless network, the first question you have to answer is, what do I have here right now? And that's the job of what I call survey tools. Now, survey tools can physically manifest as anything from multi-thousand-dollar specialized pieces of hardware that look like tablets to something as simple as absolutely free open source software that you can install on any laptop and do it yourself. There's a reason some stuff's free and some stuff's expensive, though. Be that as it may, a good site survey program is going to be looking for things like, for example, SSIDs, the MAC addresses, all the different bands it's going to be running on, all the different channels (hopefully only two), things like signal strength. And it's going to be taking all this information.
And it's going to be documenting it for you in a way, with good charts, with good graphing, with good logs, that helps you document everything that is 802.11 around you. And that's really where good survey tools come into play. In fact, a really good survey tool will often have an added feature called a heat map. So here's an example of one. What you're looking at here is the relative signal strength of all the different wireless access points within this little office environment. So the more red it is, the stronger the signal, and then it goes out to green where it becomes an extremely light signal.
The end result of all this is that if you're going to be setting up a wireless network, you've got to do some kind of site survey, and you need a survey tool. I'm not going to try to sell you on any particular one (Kismet, for example), but there's a lot of great tools out there. And these are the core tools that allow you to set up a network so that you can get to the next point: maintaining one. So you've got a new, happy 802.11 network up and running. Well, good for you. But we need to talk about what we do to maintain that wireless network, and in particular to maintain its security.
The number one rule, the biggest one, and the one nobody seems to do, is good wireless documentation. Take advantage of those site surveys to have all your SSIDs, MAC addresses associated to WAPs, physical location, heat maps, all of this organized and easy to get to, so that we know exactly how our network's laid out. Here's a floor plan example of my Total Seminars office. Now you can see here are a couple of wireless access points. But in this case, I only have one SSID. We're just not that big.
But we know exactly where everything is. We know the SSIDs and we know the access point MAC addresses. Now, good documentation is great. So before we get into a little more depth here, I want to start off by killing what I call a couple of old tech tales. Especially for those of you who've taken other CompTIA exams, these may be a bit of a shock to you. Old tech tale number one: turning off broadcast SSID is a good thing.
It really isn't. Any wireless access point will say "turn off broadcast SSID." The problem with this is that pretty much any wireless device out there, even the clients that come with Windows systems, can see there's an SSID out there; they just don't see the name, so it doesn't hide you very well. The second thing is MAC filtering. To actually set up a wireless access point so that every client is MAC filtered can happen, but it's usually fairly rare. You would see a situation like in an industrial control system where you only had very specific workstations that access that particular wireless access point. In that situation, it would work pretty well. Other than that, for example, in a coffee shop, you have so many different people coming in and out.
The concept of MAC filtering simply doesn't work. However, one that does work well is the idea of AP isolation. Every access point out there has a little checkbox that's called AP isolate. What that means is that all of the wireless devices on that SSID can all see the access point, can all get to the network, but unlike a typical Ethernet network, they can't see each other. It's a powerful tool. And it's done on just about every access point, especially those that are out in the public.
Now the next thing I want to talk about is 802.1X. A lot of people will have WPA2 PSK encryption out there. And that's great. If you're going to do that, use long passwords, and I mean like 20 characters, and avoid using words and phrases; make it complicated. It will make it pretty much impossible for guys like me to be able to crack your WPA or WPA2 passwords if you make them long. However, 802.1X is not that hard to implement.
I'm not saying it's the easiest thing in the world. You're gonna have to bring in an extra server, you have to do some kind of authentication, but it makes for a robust and pretty much uncrackable wireless network. Okay, so your network's up and cooking. The big danger you have to wireless networks isn't what you know, it's things that appear that you don't know, for example, a rogue access point. So what we do on any good wireless network is we do occasional scanning: monthly, every two weeks. It really depends on how paranoid your security levels are.
And this scanning really is nothing more than just re-surveying the network: going out there listening for SSIDs you don't recognize, looking for WAPs that are coming out on your SSID but with a MAC address that you don't recognize. Any good wireless network is going to be doing this type of periodic scanning. In fact, it becomes so important that in some situations, you pretty much want to be scanning continuously. And that's the job of a wireless intrusion detection system. A wireless intrusion detection system is, as the name implies, an intrusion detection system that's looking for things on the ISM bands, 2.4 GHz and 5 GHz, where 802.11 lives. Now, a WIDS can manifest in a lot of different ways.
You can get a piece of freeware that you can install on a laptop, or you can spend a lot of money with big third-party turnkey systems. So the important part about a WIDS is that it monitors your wireless radios, it watches for rogue access points, it knows all the wireless access point MAC addresses. So if an evil twin were to appear, it would recognize it. A good WIDS, if you want it, can do stuff like, well, we know what protocols are on here, so it can actually watch for the protocols that are supposed to work and not supposed to work. It can do a lot of very, very powerful stuff. But it can come at a price.
There's a reason why some WIDS are free and some are very, very expensive. Whatever the case may be, let me give you one quick example. Here's the floor plan of my Total Seminars network. Now, a good WIDS is usually going to start with sensors. These are physical devices that are placed around your network. And they're really nothing more than wireless access points.
Now, they're not actually transmitting. They're simply listening for things that shouldn't be there. If they hear something, they'll send that data to a WIDS server. This is a dedicated box whose only job is to take all this information and get it to a nice log file so that people can access it. Now, a WIDS is only going to be as good as the way it lets us know intrusions are taking place. So we're getting these logs that are being built up on the WIDS server.
But that's only so much goodness. I mean, a good WIDS, you can set it up to send you an SMS text message, you can set it up to give you an email, you can even have it make a phone call and it'll give you a voice text telling you exactly what's happening. So they're really, really powerful tools, depending on how much money you want to spend. But the important thing for the exam is that you're going to be expected to be able to look at what we call log files, and to be able to have some idea of what type of naughtiness is taking place. So let's take a look at a couple of examples. For the first example, here's a log output from a hypothetical IDS.
Now, as you look at this, what I want you to notice is that it's noticing that there are a number of login failures attempting to access a particular SSH server. Now, if we were to look at that, we would say that there's probably somebody trying to hack into the server, an example of a very bad thing. As a second example, on this particular one, we see a list of a number of access points that are working away, but if you take a look at one in particular, you'll notice that it says unknown BSSID; however, it shares the same SSID as all of the other listings on this particular log, which is "office". This would be a great example of an evil twin. A good wireless intrusion detection system is absolutely amazing. But there's another line of defense I want to talk about. And that's the individual clients.
So let's talk about hardening your clients. Wireless clients aren't something that we actually harden per se. In fact, they're the things we tend to defend against, in case somebody who's another wireless client is trying to get into a network they shouldn't. However, there are some situations where, not really the device, but that crazy thing that's using the device, the human working that system, needs some training to be able to watch out for some particularly scary situations. Now, you would say to yourself, I'm just a wireless user, I count on the IT guys to do all this stuff.
Well, it's actually not true. There's actually some very cool things you can do if you only have the right tool, and you've got the right tool. If you look at any wireless client, all of them have a list of SSIDs that pop up. Here's an example in Windows 10. Here's an example in OS X.
I love Macs because it gives you more detail than Windows does by default. In fact, even my mobile device gives me a nice list of SSIDs that it can see. The cool part is that that's, in essence, a survey tool. It's a poor man's survey tool. It's a casual tool; it doesn't give you as much information, but it gives you enough information to be able to watch out for scary situations. Now, one example? No problem. Let's say that you've been working in your office here for the last two years, and you always log into this one SSID called "office". One day you just happen to notice, when you look at your list of SSIDs, that there's a new SSID out there, and it's called "Bob" or "Linksys" or "D-Link" or something like that.
Now, you know good and well that there's never been an SSID like that before, at least within your office area. This could be a great example of a rogue access point. Somebody bought themselves a little Linksys router and plugged it in. Might be time to call the IT department. Hmm, need another example? No problem.
So let's say you're out on the road. Now normally, you work here in the shop, so you always link into an SSID called "shop". Now, that's great. But suddenly you're out on the road, and you're giving a sales presentation to some mechanics, and suddenly you realize that you're on an SSID called "shop". Now wait a minute. First of all, what's happening here?
Well, number one, "shop". I mean, if you're in the auto industry, I could imagine a lot of people would coincidentally all name their SSIDs "shop". But the other thing that could be happening here is there might be an evil twin scenario: somebody has intentionally set up an SSID called "shop" to get to you. So that's something to watch out for. One more example? You got it. Let's say that you've been working for years at a particular location, and you've set up your wireless network.
And every day you come in with your laptop, and everything's great, and you're on there, and you're on Google and whatever. But then suddenly, one day, you see that it's asking you for your username and password again, or just for your pre-shared key, whatever it might be. In a situation like this, unless somebody in the IT department told you they changed the key or something, you might be a victim of a classic man-in-the-middle attack. So that's something to watch out for, too. So remember, just because you're on a client, you're a critical and important part of it.
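The periodic re-survey and WIDS checks described above (unknown SSIDs, and your SSID coming from a MAC you never documented) and the client-side "Linksys" / second "shop" scenarios all reduce to the same comparison against your wireless documentation. Here is that comparison as an added example; it is not code from the episode or from any product, and the inventory and scan results are constructed sample values.

```python
"""Evil-twin and rogue-AP check: compare what a scan sees against the documented
SSID -> authorized BSSID inventory. Added example with constructed data."""
from dataclasses import dataclass

# Documented inventory: each SSID we run and every access point MAC authorized
# to advertise it. Constructed values, not a real site.
INVENTORY = {
    "office": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "shop": {"00:11:22:33:44:10"},
}


@dataclass(frozen=True)
class Observation:
    ssid: str        # name as broadcast; "" when the AP hides its SSID
    bssid: str       # MAC address of the radio announcing it
    channel: int
    signal_dbm: int  # received signal strength


def classify(obs, inventory):
    """Return (verdict, reason) for one observed beacon.

    ok        : known SSID from an authorized BSSID
    evil_twin : one of our SSIDs, but from a BSSID we never documented
    rogue_ap  : an SSID that is not in our inventory at all
    """
    bssid = obs.bssid.lower()
    if obs.ssid in inventory:
        if bssid in inventory[obs.ssid]:
            return "ok", "authorized access point"
        return "evil_twin", f"unknown BSSID {bssid} advertising our SSID '{obs.ssid}'"
    return "rogue_ap", f"undocumented SSID '{obs.ssid or '<hidden>'}'"


def scan_report(observations, inventory=INVENTORY):
    """Classify every beacon and return only the findings worth an alert."""
    findings = []
    for obs in observations:
        verdict, reason = classify(obs, inventory)
        if verdict != "ok":
            findings.append((verdict, obs.ssid, obs.bssid.lower(), obs.channel, reason))
    return findings


# Constructed scan: the two real office APs, an evil twin of "office", and a
# consumer router somebody plugged in. Hidden SSIDs still show up as a beacon.
SAMPLE_SCAN = [
    Observation("office", "00:11:22:33:44:01", 6, -45),
    Observation("office", "00:11:22:33:44:02", 11, -60),
    Observation("office", "DE:AD:BE:EF:00:01", 6, -38),
    Observation("Linksys", "C0:FF:EE:00:00:01", 1, -70),
]

if __name__ == "__main__":
    for finding in scan_report(SAMPLE_SCAN):
        print(finding)
```

A stronger signal on the unknown "office" BSSID than on your own APs is exactly what an evil twin next to the victim looks like, so the report keeps the channel and signal fields for the analyst.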