Thursday, October 20, 2011

A Look at PCI 2.0 and the New Wireless Guidelines

THE PAST
I have been predicting that the PCI Standards Council would be moving towards more stringent requirements for WLANs, specifically requirements for full time monitoring, scanning and protection. I also was waiting to see suggestions that “all-in-one” solutions that provides both connectivity and security fall short of the mark. I am happy to see these predictions coming true, especially in light of the PCI-DSS v2.0.

Near the end of last year the PCI Standards Councilpublished, Ten Common Myths of PCI DSS. The very first myth addressed is that, “One vendor and product will make us compliant”. The text reads, “Many vendors offer an array of software and services for PCI DSS compliance. No single vendor or product, however, fully addresses all 12 requirements of PCI DSS. When marketing focuses on one product’s capabilities to the exclusion of other PCI DSS requirements, the resulting perception of a “silver bullet” might lead some to believe that a point product provides “compliance,” when it really only addresses just one or a few elements of the standard.” It goes on to say, “The PCI Security Standards Council urges merchants, service providers and processors to avoid focusing on point products for data security and PCI DSS compliance. Instead of relying on a single product or vendor, you should implement a holistic security strategy that focuses on the “big picture” related to the intent of PCI DSS requirements. This approach includes people and processes, not just technology.”

A large number of merchants today are buying into the idea that a single vendor (Cisco, Aruba, Juniper etc.) can cover all your needs with regard to PCI compliance. This is a very alluring message to the CIO who is making budgetary decisions and would prefer to limit the cost and variables in implementing a compliance solution. However, aside from endangering an organization’s PCI compliance, if you ask any Information Security Engineer they will say the same mantra they have been saying for years, “Limit your exposure and risk through a best of breed - layered security model.” Or, in other words, use layers of products from different vendors and processes developed in house to best protect your organization

THE PRESENT
At the end of the summer this year, the PCI Standards Council released a new set of guidelines meant to clarify their positions in version 2.0 of PCI-DSS on the security of wireless networks, specifically 802.11 (Wi-Fi) networks and Bluetooth.

In section 1.1 of the guidelines it state the purpose that the of the document is to provide, “guidance and recommendations for deploying wireless networks including 802.11 Wi-Fi and 802.15 Bluetooth technologies, in accordance with the Payment Card Industry Data Security Standard (PCI DSS). The goal is to help organizations understand and interpret how PCI DSS applies to wireless environments, how to limit the PCI DSS scope as it pertains to wireless, and to provide practical methods and concepts for deployment of secure wireless in payment card transaction environments.”

A majority of the guidelines are normal common sense approaches to securing WLANs (such as ensuring the physical security of any wireless devices, changing default passwords and settings and securely configuring wireless devices, use strong authentication and encryption, use strong cryptography and security protocols etc.) however some new ideas were put forth which shows the increasingly urgent need for full time monitoring and the prevention of wireless intrusions.

Intrusion Detection and Prevention
Section 4.3 addresses WLAN monitoring systems, specifically WIDS and WIPS systems. It states in reference to section 11. 4 of the PCI-DSS 2.0, “Use intrusion-detection systems, and/or intrusion-prevention systems to monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside of the cardholder data environment, and alert personnel to suspected compromises.” This is a very important addition. It means companies who were previously attempting to get by with quarterly scans are now being asked to implement full time wireless Intrusion detection and/or prevention solutions.

The next sentence gets even more specific, “Keep all intrusion-detection and prevention engines, baselines, and signatures up-to-date.” A quick check of the market today reveals that almost all infrastructure vendors have a very small list of signatures and vulnerabilities to look for and furthermore, they only release new security signatures/alarms when it coincides with a new major release of the entire WLAN system. Typically, this occurs about once every 12-24 months and requires the customer to upgrade all WLAN controllers, APs and all management platforms.  This, coupled with the fact that the newer code may contain bugs or anomalies tends to make IT managers cautious about implementing new code system wide.

WLAN WIDS/WIPS vendors tend to be a bit more agile releasing new vulnerability alarms and attack signatures every 6-12 months although in some cases you may get a patch release on the heels of a widespread and well publicized WLAN vulnerability with a few weeks, but again, the admin must upgrade the entire system (server, clients, sensors etc.) to get the benefit of these new alarms. AirMagnet however has implemented its Dynamic Threat Update (DTU) feature for its AirMagnet Enterprise solution in the first part of 2011, ensuring that all of its customers comply with section 4.3 of the new guidelines.

As an example of what a difference to an organization this makes, we can just look to the last highly publicized WLAN hack, the Cross Site Scripting vulnerability in ArubaOS and AirWave Administration Web Interfaces. This vulnerability which allows, “an attacker to plant an AP with maliciously crafted SSID in the general vicinity of the wireless LAN which would be able to trigger a XSS vulnerability in the reporting sections of the ArubaOS and AirWave Administration WebUIs” was posted on Wed, 6 Jul 2011. Within a few days AirMagnet had code written and was testing this attack in house with the ability to prevent access to the malicious AP. By the 25th of July 2011 every AirMagnet Enterprise 9.0 customer was protected from it.

Alerting to Misconfigurations
Lastly, Section 4.3.2 of the guideline, entitled, “Detection of unsafe activity or configurations” states that, “A wireless IDS/IPS can detect misconfigurations and unsafe activity by monitoring and analyzing wireless communications. Most can identify APs and clients that are not using the proper security controls. This includes detecting misconfigurations and the use of weak WLAN protocols, and is accomplished by identifying deviations from organization-specific policies for settings such as encryption, authentication, data rates, SSID names, and channels.” No single vendor solution monitors its own configuration. They are the configuration system, they believe you should just trust them when they say they are implementing you policy of using strong authentication. And in many cases where bugs appear how could they know that they are misconfigured in the first place? WLAN management systems (Controller, APs etc.) get bugs, all systems get bugs and at other times, people make mistakes. Only a WLAN Intrusion Detection/Prevention system, Like AirMagnet Enterprise, can do that. Just another reason for implementing a separate WIPS solution, one that looks specifically for items such as:
  • AP Configuration Changed (Security)
  • AP Using Default Configuration
  • AP Configuration Changed (SSID)
  • Device Unprotected by IEEE 802.11i/AES
  • Device Unprotected by 802.1x
  • Device Unprotected by EAP-* (the * stands in for PEAP, TLS, TTLS etc.)
THE FUTURE

While today, these rules are really just very strongly worded suggestions, I am willing to go out on a limb now and predict that, unless something dramatic changes the landscape in the next 6-12 months, the PCI Standards Council will insist on full time and independent monitoring and protection of the airspace around your facilities in the next version of the PCI-DSS. Fully integrated solutions will not work as they do a very poor job of responding to new threats and they are similarly poor at ensuring that they themselves are meeting policy and all independent wireless intrusion prevention systems will have to have dynamic threat systems, to ensure the timely delivery of new alarms for recent threats, vulnerabilities and hacks.

All documents referenced in this article may be found here at the PCI alliances website.

Friday, August 12, 2011

Turn down that NOISE!!!

Here is a fun experiment if you have a 2 laptops (or 1 laptop and some other WiFi enabled device), a WLAN analyzer like AirMagnet WiFi Analyzer (or something similar such as wireshark) and a microwave oven.

We all know that microwave ovens function in the 2.4Ghz range but how much "noise" is it generating.

Go to your kitchen. Get the device without an analyzer on it and start a really long file transfer via WiFi. Make sure your AP is already on either channel 11. Now Fire up your analyzer and measure the signal, noise and the signal to noise ratio (SnR is signal minus noise) on channel 11. Get an average reading and write it down. Do it several times so you are sure you have a good sample set. Now, restart your file transfer, put a pyrex (or other microwave safe) measuring cup full of water in your microwave and set it for a few minutes on high. Re-measure your signal, noise and SnR. What did you get? Try a few different WiFi adapters with the analyzer. any difference?

Here is what I saw when I did it with the AirMagnet WiFi Analyzer. First is the image of the channel screen on channel 11 with no microwave turned on. Notice the stats.


Signal:      -51dBm
Throughput:  ~34Mb/s
Utilization: 68%
Noise:       -88dBm
SnR:         37 (-51) - (-88) = 37


Here is the important part. Notice that the noise level is completely flat at -88dBm.

Now lets turn the microwave on and do it again, here is what I saw.


Signal:      -47dBm
Throughput:  ~16Mb/s
Utilization: 39%
Noise:       -88dBm
SnR:         41 (-47) - (-88) = 41

Notice anything? Well first off throughput went down and I checked the capture later and packet loss went up. Seems appropriate with a 1200watt device slamming my connection from 2 feet away. Secondly, the signal strength and the SnR INCREASED? Why is that? Well after looking deeper into the frames and looking at the AP configuration, it looks like 802.11N beamforming in action! The AP senses packet loss and pushes harder (no-tech speak for adjusts the phase shift of the signal to focus the waves on top of the client so it gets the benefit of wave addition). Next thing you notice is the increase in SnR from 37 to 41. This is due to two issues. The first we just mentioned. Increased signal strength. The second is the trouble spot. The noise level stayed the same.

What?!!

You heard right, the noise level did not change. I can hear you yelling at me through the intertubes from here. But I thought microwave oven caused noise? Well. they do and they do not. Here I am about to get pretty picky.

You see we at AirMagnet call noise one thing and interference another and WiFi interference a third. Confusing but true. And with good reason. You see, noise readings are fiction. They are falsehood, fabrication, fib. It is a lie. There. I said it. Noise readings (except from a very small number of cards - namely only one kind that I know of) are made up on the spot by each WiFi adapter. They cannot give you a noise reading, they can only give you bits (e.i. 1s and 0s) about things they see and WiFi adpaters only see WiFi modulation. Period. Almost all wifi adapters throw away all other non-WiFi signal long before it ever gets to the the driver. Non-wifi modulation, such as the modulation you get from cordless phone, wireless headsets, video camers etc are thrown away by the radio long before they can be converted to bits. The radios are only tuned for the type of modulation and coding they understand. So a normal 802.11a adapter will only ever pass OFDM modulation. Never QPSK, or FHSS or any other signal that is not OFDM. Thus how can the driver tell us about a microwave oven, or a cordless phone, wireless camera etc? They can't. So we call interference from other modulation types in the same frequency band by a different name, we call it non-802.11 interference.

Then there is WLAN interference, which Tom's Hardware calls "congestion", but could also be thought of as WLAN contention and is sometimes referred to as co-channel interference or even adjacent channel interference. Tom's has a very good article on it here. It is where too many WLAN devices are all trying to use the same medium simutaneously. In 802.11 terms, only one device can talk in an area at one time. Too many devices means collisions and contention in a collision avoidance network that wishes to remain contention free.

So that still leaves us with noise. What is going here? When I open a WLAN analyzer I see a noise reading. You showed me one right there (see images above). Where does that come from?

To understand what the adapter manufacturers are doing requires that we first understand what noise is. Noise can be thought of as the level at which all radio signal become indistinguishable from one another. Wikipedia describes the noise floor as, "the measure of the signal created from the sum of all the noise sources and unwanted signals within a measurement system." You can create an analogy of this as follows: Imagine five people in a room, each yelling in a different language. You could probably figure out what each language was even if you couldn't have a conversation in there, you might even be able to work out what they are talking about. That example would be considered interference to you if you were trying to yell in English. Now imagine a room with 500 people in it all talking at the same time. in that instance you proabaly could not tell what any of the languages were or what anyone was talking about at all. That is noise. Again, the Tom's Hardware article is a great reference for this, especially slide 9.

 Adapter manufacturers were asked many times for a noise reading so the person conducting the WLAN site survey could determine the signal to noise ratio, or SnR. This helps determine if there is enough signal to be heard above the RF noise floor. So under this presure they created algorythims that can fake the noise reading. I have no idea what the algorythims are but I can assume from tests we have done at AirMagnet that they include measurements of retry rates, CRC errors, channel utilization, average throughput and, mostimportantly, number of devices active in range (as determined by RSSI). The reason I can know this is because at AIrMagnet we have an RF isolation chamber - or Faraday Cage. If I take a noise reading in that chamber with one AP and no STAs (WLAN client adapters) I get a zero reading with many adapters. But if I add STAs the noise floor rises. even if the STAs are mostly dormant.

Here is another catch, aside from the fact that different manufactureres create this value differently, some adapters only give noise readings on a channel by channel basis, others frame by frame and still others give no reading at all. Symbol devices fit this last group and when asked about why they gave no noise reading they replied, "that would be lying". Does that mean that you cannot use that value to create the much sought after SnR? No, I would still use it, but I would be wary if tehre were very few STAs nearby. Or many for that matter.

I hope this helps understand what noise is, what interference is and what co-channel interference or WLAN contention is.

Wednesday, August 10, 2011

BlackHat 2011 and Defcon 19

The scene in Las Vegas last week on the wireless security front was quiet and reserved. There was a veritable dearth of WLAN issues to report on at either BlackHat or Defcon. Sure there was the Wi-Fi hacking UAV and Vivek Ramachandran's normal Wi-Fi security and hacking class, also the wireless water meter 900mhz hack and 1 or 2 new WEP attacks (like WEP needs any more attacks against it, isn't complete penetration in under 5 minutes fast enough?) but nothing really new and interesting. Most of the talks were about making your PSKs long and secure to shield you from, "Sniff now, Crack Later" (using Rainbow Tables found here and here) and talks reminding everyone to monitor their WPA2-EAP implementations against Honeypot Radius WPE (the WPE is not a typo, it stands for, "Wireless Pwnage Edition" and info may be found here and here). This last one is an old vulnerability but many people still have not been keeping an eye on it especially if your organization uses server certificates only in their EAP implementation.

So what does this absence of new WLAN vulnerabilities mean? Are the hackers bored with the ability to enter a company’s WLAN from 125 miles away? Do not bet on it. Has the IEEE, Wi-Fi alliance and FCC finally secured Wi-Fi so that no new vulnerabilities will be forthcoming? I sincerely doubt it. So what is the deal?

My opinion is that people are sitting on some of the latest vulnerabilities and making use of them. Wikipedia states that, “Zero-day attacks occur during the vulnerability window that exists in the time between when a vulnerability is first exploited and when software developers start to develop a counter to that threat.”  Meaning that a hacker can only execute the exploit before it becomes common knowledge. Once the vendor and security community find out about it, then everyone races to plug the hole. In the past, plugging the hole took several months for most major WIPS and WLAN vendors and then several more months before most customers implemented the new release (this was due to the fact that it required a system-wide upgrade). But the world is much more agile now and the ability to dynamically plug a security hole quickly just got a big boost when we at Fluke Networks released our AirMagnet Enterprise version 9.0. The version 9.0 solution has the ability to dynamically update the WLAN Intrusion Prevention System against threats as they become known. We  also broke out the alarm code and implemented a much easier, non-programmatic method for creating the signature and anomaly alarms that make up the system.  This means that from the time a zero-day is known to the time it is implemented can be as little as a day or two. This is a huge benefit for customers but a real drag for hackers. They will now have even more reason to hang on new vulnerabilities. It is also a clarion call to WLAN security researchers to step up their game and look for more fuzzed approaches to WLAN threats and try more anomaly-based alarms. I know our team is so ready here at Fluke Networks so bring it on!

Tuesday, August 2, 2011

Happy 802.11 day!


Today is 802.11 day, August 8th 2001 or 8/02/11. As a friend of mine noted in Google+, Hallmark probably does not make a card for that. In honor of this auspicious day I think now is a great time to reflect on this amazing technology that we use every day and almost take for granted.

This all started when, in 1985, the FCC decided to release several radio bands for unlicensed use. This meant that just about anyone could use these frequencies however they felt like provided they adhered to certain rules such as low power, spread spectrum, and ensuring that the devices were not intentionally jamming or eavesdropping. I refer to this in classes I teach as the FCC sandbox. Then, round about 1997 the IEEE decided to standardize the protocols and RF effects into the 802.11 standard and rapidly followed by the creation of the Wi-Fi alliance creating one the quickest adoption cycles in history. Suddenly our computers were free to communicate without wires. When I read about this I was stunned and had to try it myself. I remember demonstrating this amazing effect using a Lucent WaveLAN Silver card and the initial Apple Airport to several of my decidedly non-technical friends in 1999. They didn’t appear to get it. I was loading webpages on my PowerBook G3 and there was nary a wire in sight and these friends of mine were commenting that this was just another geeky gadgety gimmick of mine that had no practical application for people in the real world.

Later on in my career and while working at AirMagnet I recall presenting the benefits of WLAN technology (802.11g at the time) to a high level executive venture capitalist. I was mentioning how health care organizations, amongst other verticals, were adopting the technology a break neck speed. To this he replied that he hoped he would never have to stay at a hospital where this was true, for how could he trust his life to a technology that worked as badly as it did at his home.

This type of thinking is one of the sad realities of a bottom up adoption process. And the embracing of WLAN technology and 802.11 was decidedly that. Most companies started to implement WLAN technology not as a way to cut costs and deliver an amazing amount of increased mobility to their users but as a way to appease executives who were bringing in Linksys routers from home and plugging them in under their desks. Executives were stating, "well if I can set one of these up at home, how hard can it be?"

This disparity between the attitude of "how hard can it be?" and "I can’t trust your network because mine at home in unreliable" is huge. These arguments leave out a great deal. They ignore the value of WLAN professional planners, surveyors, architects, engineers and integrators. They dismiss the years of research and development companies like Cisco, Aruba, Motorola, Meru, Aerohive, Ruckus and others have invested. They discount the impact of hackers and all the other various security needs. Lastly, they oversimplify issues that, to them, appear trivial and unimportant. This oversimplification is a serious issue today as it lowers the value of the technology and the people that research, build and implement it. WLAN vendors are not helping in this area either by suggesting that prospective customers do not need to know anything about wireless. That the WLAN system will heal itself and defend itself without the customer having to worry about a thing. Since when have networks not needed any protocol expertise in the people who properly design and run them? Does your router fix itself when something goes wrong? This is an issue that we, as an industry need to get past before we can expect to see realistic views of WLAN technology and appreciation of our talent by lay people.

Wireless networks today are invaluable. Without them we would be lost. For example, WLANs are the absolute key to the supply chain. They are the enabling technology for just-in-time delivery and short term warehousing. Additionally. they promote collaboration in the Enterprise and reduce costs through the reduction in cable pulls and per port costs on networking equipment. WLANs allow hospitals to reliably move equipment in and out of operating theatres, patient rooms and clinics. They enable Voice over IP anywhere. WLAN technology is in every smart mobile device made today from Smartphones to refrigerators to automobiles. We’ve come a long way baby, but still have a long way to go.

With the recent release of the 802.11n standard we finally have a technology that supplies the range and speeds that enterprises can use and depend on. And this is just the beginning, 802.11ac, 802.11ad and 802.11ah are coming to go beyond the gigabit realm into mutigigabit speeds. But with these advances in speed and range comes complexity. When these technologies break who will be there to fix it? How will they do so? And who will supply them with the tools they need to get the job done? I think you know who I am thinking of…