
IT Audit: Security Beyond the Checklist

Copyright SANS Institute
Author Retains Full Rights
This paper is from the SANS IT Audit site. Reposting is not permitted without express written permission.

Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

Auditing the Wireless environment: A mobile wireless LAN used for training in multiple sites on a corporate WAN - An Auditor’s perspective

GSNA v. 2.0
SANS Conference 2002 – Orlando
Submitted by Angela Loomis
September 2002
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.

Abstract/Summary

This paper is submitted as the requirement for a practical in the GSNA certification track. It examines in detail an audit of a small wireless network that will be used for a training site on a company’s wide area network. The auditor’s objective is to secure this training LAN for a specific location; later, the auditor will use the same methods and tests to certify other locations on the corporate WAN. The goal of the practical is to address specific wireless vulnerabilities and tighten up this small network so that unauthorized access via the wireless link is not going to occur.

The auditor examines not only the wireless access point, but also the laptops used for training. The risks of wireless are many, so the auditor wants to secure the small LAN so that the risks to the corporate WAN will be mitigated.

Contents

Assignment 1
Identify the system to be audited
Evaluate the risk to the system
Current State of Practice
Improvement of current methods and techniques

Assignment 2
Create an Audit Checklist

Assignment 3
Summary table

Assignment 4
Executive Summary
Audit Findings
Background/Risk
Audit Recommendations
Costs
Compensating Controls

References

Assignment 1

Identify the system to be audited

This audit is an auditor’s perspective of a wireless LAN used for training only. The training wLAN consists of a Cisco Aironet 1200 (System Firmware v. 11.42, Radio Firmware v. 4.99.38) and ten HP Omnibook XE 4100 laptop systems. The laptops connect to the AP via the Cisco 350 wireless card; and are allowed to access the Internet over the corporate WAN. Any Internet access passes over the corporate network infrastructure and through the corporate firewall. This mobile training network enables training to take place in various rooms in numerous buildings throughout the WAN, but primarily from “Location A.” This audit of “Location A” will provide a framework for testing and certifying other possible training locations in various buildings as training requests arise. This audit will outline the method used to “certify” a location on the corporate campus for use as a training area.

Figure 1 provides a view of the path the wLAN traffic will travel from “Location A” to the Internet. Most other locations provide similar paths across the corporate WAN. The wireless AP will connect to a switch and/or a router. That router connects back to the central office via a private T1. The central office connects to the Internet through a firewall. While not specifically depicted in the diagram (for simplicity’s sake), the corporate WAN includes servers and workstations at both the satellite office and central office.

Evaluate the risk to the system

The wLAN needs to be secured from both outside access via unauthorized wireless connections and separated from the corporate WAN. While the information contained on the wLAN itself is insignificant because it is strictly used for training purposes, the access provided through the corporate infrastructure includes a measure of risk to the corporate WAN. The risks provided to the training center and corporate data include standard security risks that exist for any network, with the addition of the vulnerabilities provided by wireless access. The matrix below includes specific risks, as well as the probability of occurrence, and possible outcomes of those risks.

Risk: Unauthorized wireless access. Intrusion via wireless or LANjacking.
Probability and Risk Rating: High
Outcome: Compromise of Corporate and/or customer data. Reputation, customer confidence damaged.

Risk: Unauthorized WAN access. Intrusion via training center laptop end user.
Probability and Risk Rating: High
Outcome: Compromise of Corporate and/or customer data. Reputation, customer confidence damaged.

Risk: Sniffing of plaintext data between laptops and AP.
Probability and Risk Rating: Low
Outcome: Compromise of training center data only.

Risk: Compromise of WEP, decryption of WEP encrypted data, access point authentication compromise.
Probability and Risk Rating: Medium
Outcome: Compromise of training center data, leading to unauthorized access via wireless. Compromise of Corporate and/or customer data. Reputation damaged. High level of customer confidence shaken.

Risk: Disruption of wireless network via radio interference.
Probability and Risk Rating: Low
Outcome: Decreased efficiency of training center—denial of service.

Risk: Obsolescence of purchased wireless technology.
Probability and Risk Rating: Medium
Outcome: Possibility that hardware cannot be upgraded to address newly discovered vulnerabilities.

Risk: Virus, Trojan, or Malware exploited on training center laptops.
Probability and Risk Rating: Medium
Outcome: Virus infection of the training LAN and WAN wired network, compromise of Corporate and/or customer data.

Risk: Misconfigured Wireless Access Point.
Probability and Risk Rating: High
Outcome: Could provide access to Corporate and/or customer data leading to compromise of that data.

Risk: Unauthorized setup and use of wireless training center by employees.
Probability and Risk Rating: High
Outcome: Could provide access to corporate and/or customer data via unsecured setup of wLAN in unsecured area.

Risk: Theft or tampering with AP and training laptops.
Probability and Risk Rating: Medium
Outcome: Damage or loss of hardware.

Current State of Practice

It seems everyone is discussing wireless network vulnerabilities. Many articles have recently come out describing the numerous vulnerabilities presented in wireless networking, even in mainstream press. In July, Doonesbury featured a wireless network “cowboy” accessing the Internet through another man’s home wireless network. (http://www.doonesbury.com/strip/dailydose/index.cfm?uc_full_date=20020721&uc_comic=db&uc_daction=X)

Many of these articles outline vulnerabilities without giving much advice for mitigating risk. Wireless standards for security (802.11i, 802.1x) are still under development by IEEE and IETF. Wireless security standards have been documented and outlined by some government agencies to provide guidance for wireless implementation. One of the best resources for wireless network implementation guidelines was released by NIST (National Institute of Standards and Technology) in a draft report in July 2002. (http://csrc.nist.gov/publications/drafts/draft-sp800-48.pdf) The NIST report includes a checklist for secure wireless LAN implementation. While I am basing my checklist on many of the NIST points, I am breaking it into sections that relate specifically to the wireless LAN training network that we will be implementing in the near future. I am also expanding it to include guidance provided by the FDIC regarding wireless. (http://www.fdic.gov/news/news/financial/2002/fil0208.html) As an FDIC insured institution, any technology we implement is examined for compliance with known standards as well as evaluated as to its fitness in our regulated environment. The privacy of customer data is of primary importance in order to comply with regulations like Gramm-Leach-Bliley.

Because the emerging and current state of wireless security is both vulnerable and evolving, NIST is finalizing a report recommending to government that wireless LANs not be implemented at all. (http://maccentral.macworld.com/news/0208/19.wirelesslans.php)

Improvement of current methods and techniques

Specific checklists for the Cisco Aironet 1200 don’t exist for auditing purposes. In order for me to develop the checklist for the wireless training LAN, I needed to evaluate the wireless access point coupled with laptop evaluation. And, I also needed to audit to ensure that the training users were segregated from our corporate WAN. The checklists, which follow, and the methodology used, can certainly be modified and used to certify any location within a corporate WAN environment for the installation and use of wireless.

The NIST checklist that has been out in draft form and will soon be released provides an excellent starting point for developing checklists for wireless LANs. It is very granular with its recommendations so that even people without a thorough technical understanding of wireless can identify settings and parameters that secure the wireless environment. Again, with this wireless training LAN, I need to evaluate the AP, the wireless card setup, and how the training users are segregated or separated from our regular network.

Assignment 2

Create an Audit Checklist

Cisco Aironet 1200 Access Point Checklist

Step 1 - Policy for wireless training LAN
Reference: Security basics, NIST document
Control Objective: Outlines standards for wireless implementation company-wide.
Risk: This step provides for an overlaying policy and standard for the company outlining “certified” training scenarios. Clearly stated policies regarding wireless access leave nothing open to interpretation company-wide. With a known policy in place, management has more leverage in the case of an information security incident.
Compliance: Does the company have a clearly stated policy on wireless access in general as well as a clearly stated policy on the specific wireless training LAN? Either the policy exists, or it doesn’t. However, some policies include vague language that addresses new installation of systems like the wireless AP—what does this company have in place for policy?
Testing: Review existing policies for language relevant to wireless. Review any newly developed or implemented policies for language relevant to wireless.
Objective/Subjective: Subjective-policy language generally has room for interpretation.

Step 2 - Administrative access to AP
Reference: Security basics – password protect access to systems, change default password, etc.
Control Objective: Control unauthorized administrative level system access, deny unauthorized administrator access.
Risk: AP compromise leading to system and network access to an unauthorized end user. This is a high level risk in that it could lead to compromise of customer data by allowing unauthorized access to the corporate network.
Compliance: There must be a strong password for administrative access. There must also be strong passwords in place for other users to ensure the integrity of the running configuration of the AP.
Testing: Evaluate admin and other username/pw for system. (In this particular case this may be accomplished by simply asking the administrator for this information—since the admin and audit have a great rapport!)
Objective/Subjective: Objective

Step 3 - AP Security settings
Reference: Cisco Aironet 1200 Configuration Guide, NIST standards
Control Objective: Control unauthorized wireless access to AP and the corporate WAN with the most secure configuration. Ensure the AP configuration is as secure as technically possible in the existing network environment.
Risk: System and network compromise by unauthorized persons leading to compromise of corporate and customer private data. This is a very high risk for a wireless network.
Compliance: Implement most secure configuration outlined in product literature. Cisco literature describes these levels of security for the access point (listed from least secure to most secure configuration)-
A. Default settings
B. Unique SSID with Broadcast SSID disabled
C. Shared Key authentication with WEP
D. Open authentication with WEP
E. MAC-based authentication with WEP
F. EAP authentication with WEP
G. EAP authentication with MIC, broadcast key rotation, and WEP
Testing:
1. Confirm unique SSID with Broadcast SSID disabled, AND
2. Confirm shared key authentication, OR
3. Open authentication, OR
4. MAC authentication, MAC-based authentication with WEP, OR
5. EAP authentication with WEP, OR
6. EAP authentication with MIC, broadcast key rotation, and WEP
Obviously, the choice of authentication method is directly related to the security of the wireless LAN. A better score would be the highest level of security, with lower scores for any other methods of authentication. Take into consideration network resources available: for instance, in order to implement EAP, a RADIUS server must be available to authenticate clients. In this particular case, no RADIUS server exists on the WAN, and the added expense for the RADIUS implementation is not endorsed for the protection of a small training LAN. So, for this case, the highest level afforded is MAC-based authentication with WEP. These settings can be confirmed by examining the configuration, and testing.
Objective/Subjective: Objective

Step 4 - Key length and use
Reference: Common security knowledge, NIST standards
Control Objective: Larger keys take exponentially longer to break—therefore, key size should be set to the highest level the system will afford. Also, keys should be changed periodically, especially when using shared key authentication. This provides a level of security by limiting the timeframe a key is in use so that the key is less likely to be broken.
Risk: Key may be broken, compromising the security of the encrypted corporate and customer data.
Compliance: Ensure 128 bit keys (or higher, if system settings allow) are used. Verify that keys are changed, and what timeframe key change occurs.
Testing: Verify within the AP configuration settings. Also, verify key change by looking for policies, and with interviews of the AP administrator.
Objective/Subjective: Subjective

Step 5 - Physical access to AP
Reference: NIST standards, common security practice.
Control Objective: Ensure only authorized personnel have physical access to the AP.
Risk: Theft of AP, unauthorized setup and use by employees. This is a high level risk, and those responsible need to be aware of the chain of responsibility regarding the access point. This could lead to AP compromise, and correlated risk to the corporate network, and customer data.
Compliance: Ensure the physical security of the AP when in use, and not in use. Are there procedures that address the storage of the AP when not in use? Are there specific “sign-out” procedures for use of the systems? Who holds the keys to the locked area where these systems are stored?
Testing: Review IT internal documentation about securing access point. Review IT procedures for use of AP. Review and verify available secure storage and use areas for AP. Verify who has the keys to remove the AP from locked storage. Also, check AP storage during and after training sessions.
Objective/Subjective: Objective

Step 6 - Wireless “perimeter” site survey-signal strength and security
Reference: NIST standards, Cisco documentation.
Control Objective: Control the “perimeter” of the wireless reception by using the least possible MHz so that the wireless signal is significantly degraded outside the physical training area.
Risk: Wireless signal may be hijacked if it is available to the outside world indiscriminately. This is a high level risk with an outcome of the compromise of corporate and customer private data. This can be mitigated with awareness of the environment coupled with physical barriers to public access such as locked areas.
Compliance: To exhibit compliance in this area, signal strength must be as low as it can go in public areas of the building. Additionally, there should be NO signal picked up outside the office building where training location “A” is contained. Any signal that is detected in a public area must provide an additional layer of physical security or visibility so that anonymous wireless access cannot occur.
Testing: With the access card utility provided with Cisco cards, measure and record signal strength in various places in the building. Document signal strength. Pay special attention to areas where the public has full access, and verify that employees can monitor these public areas for unauthorized laptop users. It would be very unlikely that a customer would be using their laptop in the environment, so verify through interviews with employees that they should understand the potential meaning of a customer seated in a waiting area for a length of time using a personal laptop. Verify the signal strength is low or non-existent outside the building.
Objective/Subjective: Objective-signal strength. Subjective-employee awareness.

Step 7 - AP powered down when not in use
Reference: General Security knowledge, NIST standards
Control Objective: Make the wireless AP unavailable during periods of no use. This one is pretty straightforward—turn off the AP when no training classes are using it.
Risk: This addresses the risk that over time, the AP security may be cracked. If the wireless AP is powered off, then no opportunity exists for unauthorized access attempts or cracking.
Compliance: Verify that policy and procedure outline that the access point be powered off and locked up when not in use.
Testing: Verify by spot-checking that the AP is locked up and powered off when no training is taking place.
Objective/Subjective: Objective

Step 8 - Default settings changed
Reference: General Security knowledge, NIST standards
Control Objective: This step addresses the fact that systems should be put into place after all default settings for the system have been changed.
Risk: A system with default settings “in the wild” is much easier to crack than a system that does not use default settings. Compromise of the AP would lead to compromise of corporate and customer data.
Compliance: Compliance with this item is straightforward-either the settings are default or they have been changed.
Testing: Make a list of the factory default settings. After the system has been configured, verify these settings have new values.
Objective/Subjective: Objective

Step 9 - Obsolescence of technology
Reference: NIST standards, FDIC guidance
Control Objective: Ensure that technology purchases are made with the “long term” in mind. Ensure hardware or firmware can be upgraded in order to address any newly discovered vulnerabilities. Ensure long-term usage of the technology.
Risk: The risk here is that the technology could become outdated quickly. If purchases are made with the “long term” in mind, then the obsolescence of the technology would not come quickly, ensuring prudent investment for the company.
Compliance: Verify that the system can be upgraded—that the “upgrade-ability” of a system was considered in the purchase process.
Testing: Interview system manager and people responsible for signing off on the purchase. Verify on the manufacturer’s website that the system can be upgraded.
Objective/Subjective: Subjective

Step 10 - SNMP management
Reference: NIST standards
Control Objective: If SNMP management is enabled for the AP, SNMP must be configured as securely as possible in the network environment.
Risk: SNMP compromise, which could lead to the compromise of corporate and customer data.
Compliance: (From NIST checklist) Make sure robust community strings are used for SNMP management on the AP. Disable SNMP if not in use.
Testing: First, verify if the network manager uses SNMP. If they don’t, then verify that SNMP has been disabled on the AP. If they are using SNMP, look to see if it is SNMPv3 that provides cryptographic protection. Look for strong community strings if SNMP is in use.
Objective/Subjective: Objective – if SNMP not used. Subjective – if SNMP in use (“strong” community strings).
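The objective parts of Steps 3, 4, 8 and 10 can be turned into a repeatable check that is re-run each time another training location is certified. The sketch below is an added example, not part of the original paper or of any Cisco tool; every configuration field name, the sample values, and the "strong community string" heuristic are assumptions made for illustration.

```python
"""Added example: score an AP configuration snapshot against checklist
Steps 3, 4, 8 and 10. All field names are hypothetical, not Cisco's."""

# Security levels as the checklist lists them, least (A) to most (G) secure.
SECURITY_LEVELS = [
    "default",          # A. Default settings
    "unique_ssid",      # B. Unique SSID with Broadcast SSID disabled
    "shared_key_wep",   # C. Shared Key authentication with WEP
    "open_wep",         # D. Open authentication with WEP
    "mac_wep",          # E. MAC-based authentication with WEP
    "eap_wep",          # F. EAP authentication with WEP
    "eap_mic_bkr_wep",  # G. EAP with MIC, broadcast key rotation, and WEP
]
NEEDS_RADIUS = {"eap_wep", "eap_mic_bkr_wep"}
WELL_KNOWN_COMMUNITIES = {"public", "private"}


def highest_feasible_level(radius_available):
    """Step 3: EAP needs a RADIUS server, so without one the ceiling is level E."""
    for level in reversed(SECURITY_LEVELS):
        if radius_available or level not in NEEDS_RADIUS:
            return level


def is_strong_community(value):
    """Assumed heuristic; the checklist itself rates 'strong' as subjective."""
    classes = sum(any(test(c) for c in value)
                  for test in (str.islower, str.isupper, str.isdigit))
    return (value.lower() not in WELL_KNOWN_COMMUNITIES
            and len(value) >= 12 and classes >= 2)


def audit_ap(cfg, factory_defaults, radius_available, snmp_in_use):
    """Return {step: (PASS|FAIL, reason)} for one configuration snapshot."""
    findings = {}
    rank = SECURITY_LEVELS.index

    # Step 3: broadcast SSID disabled AND the highest level the site supports.
    target = highest_feasible_level(radius_available)
    if cfg["broadcast_ssid"]:
        findings["step3"] = ("FAIL", "broadcast SSID is enabled")
    elif rank(cfg["auth_level"]) < rank(target):
        findings["step3"] = ("FAIL", f"{cfg['auth_level']} is below {target}")
    else:
        findings["step3"] = ("PASS", f"{cfg['auth_level']} meets {target}")

    # Step 4: 128-bit keys or higher, and evidence that keys are changed.
    if cfg["wep_key_bits"] < 128:
        findings["step4"] = ("FAIL", f"{cfg['wep_key_bits']}-bit key")
    elif cfg["key_rotation_days"] is None:
        findings["step4"] = ("FAIL", "no key change interval recorded")
    else:
        findings["step4"] = ("PASS", "key length and rotation recorded")

    # Step 8: every setting on the auditor's factory-default list must differ.
    unchanged = sorted(k for k, v in factory_defaults.items() if cfg.get(k) == v)
    findings["step8"] = (("FAIL", "still default: " + ", ".join(unchanged))
                         if unchanged else ("PASS", "no factory defaults left"))

    # Step 10: SNMP off when unused; SNMPv3 or strong community strings otherwise.
    if not snmp_in_use:
        findings["step10"] = (("FAIL", "SNMP enabled but not used")
                              if cfg["snmp_enabled"] else ("PASS", "SNMP disabled"))
    elif cfg["snmp_version"] == 3:
        findings["step10"] = ("PASS", "SNMPv3 in use")
    else:
        weak = [c for c in cfg["snmp_communities"] if not is_strong_community(c)]
        findings["step10"] = (("FAIL", f"{len(weak)} weak community string(s)")
                              if weak else ("PASS", "community strings look strong"))
    return findings


# Constructed sample data: a training AP on a WAN with no RADIUS server.
SAMPLE_CFG = {
    "ssid": "TRN-7f3a", "admin_password": "constructed-value",
    "broadcast_ssid": False, "auth_level": "mac_wep",
    "wep_key_bits": 128, "key_rotation_days": None,
    "snmp_enabled": True, "snmp_version": 1, "snmp_communities": ["public"],
}
# Placeholders for the list of factory defaults the auditor compiles in Step 8.
SAMPLE_DEFAULTS = {"ssid": "FACTORY-SSID", "admin_password": "FACTORY-PASSWORD"}

if __name__ == "__main__":
    results = audit_ap(SAMPLE_CFG, SAMPLE_DEFAULTS,
                       radius_available=False, snmp_in_use=False)
    for step, (status, reason) in results.items():
        print(step, status, reason)
```

The subjective steps (policy language, employee awareness, purchase decisions) still need interviews and document review and are deliberately left out.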

Cisco Wireless PC Card AIR-PCM350 Checklist

Step 1 - Administrative access to Aironet Client Utility
Reference: Cisco configuration guide, security knowledge
Control Objective: Limit accessibility to the client utility so that no one but administrators can change wireless client configuration (profiles).
Risk: By limiting the access of end users to the configuration components, an administrator will ensure wireless network stability. Unauthorized end users could change the configuration, or profile, and disconnect the client from the wireless LAN. This is a low level risk to the organization, as it is in place mainly to prevent configuration changes from a “known good” state.
Compliance: Verify that only an administrator can change configuration or settings on the training laptops using the client utility.
Testing: Log on to each laptop as a training user. Verify you have connectivity with the AP. Then, access the Cisco Client Utility, and change the configuration. Some settings that could be changed are:
1. SSID
2. Radio Channel
3. WEP key parameters
Any of these settings, if successfully changed, would cause disassociation with the AP. If you are able to change these settings and cause the wireless link to drop, then the laptop is out of compliance.
Objective/Subjective: Objective

Step 2 - Anti-virus software
Reference: General Security knowledge, NIST checklist
Control Objective: Control the network environment to keep it free from viruses and Trojans.
Risk: Corruption of corporate and customer data could occur if the training center systems were infected and then infected the local network. The risk is medium level.
Compliance: Verify that anti-virus software is installed on the training laptops.
Testing: Verify that the laptops have up-to-date anti-virus software with current DAT files.
Objective/Subjective: Objective

Step 3 - Physical access to laptops and wireless cards
Reference: NIST standards, common security practice.
Control Objective: Ensure only authorized personnel have physical access to the laptops and Cisco cards.
Risk: Theft of laptops and/or cards, unauthorized setup and use by employees. This is a high level risk, and those responsible need to be aware of the chain of responsibility regarding the access point. This could lead to wireless network compromise, and correlated risk to the corporate network, and customer data.
Compliance: Ensure the physical security of the laptops and wireless cards when in use, and not in use. Are there procedures that address the storage of these laptops when they are not in use? Are there specific “sign-out” procedures for use of the systems? Who holds the keys to the locked area where these systems are stored?
Testing: Review IT internal documentation about securing access point. Review IT procedures for use of laptops/cards. Review and verify available secure storage and use areas for laptops/cards. Verify who has the keys to remove the laptops/cards from locked storage. Also, check laptops/card storage during and after training sessions.
Objective/Subjective: Objective

Step 4 - Obsolescence of technology
Reference: NIST standards, FDIC guidance
Control Objective: Ensure that technology purchases are made with the “long term” in mind. Ensure hardware or firmware can be upgraded in order to address any newly discovered vulnerabilities. Ensure long-term usage of the technology.
Risk: The risk here is that the technology could become outdated quickly. If purchases are made with the “long term” in mind, then the obsolescence of the technology would not come quickly, ensuring prudent investment for the company.
Compliance: Verify that the system can be upgraded—that the “upgrade-ability” of a system was considered in the purchase process.
Testing: Interview system manager and people responsible for signing off on the purchase. Verify on the manufacturer’s website that the system can be upgraded.
Objective/Subjective: Subjective

Step 5 - Ad Hoc or Infrastructure mode
Reference: Cisco configuration guide
Control Objective: Ensure the wireless network does not operate in Ad Hoc (peer to peer) mode.
Risk: Ad Hoc connections could be established with unauthorized users—this could lead to compromise of corporate and customer data.
Compliance: Compliance in this area is clear: Ad Hoc connections must not be enabled for either the AP or the Cisco client cards.
Testing: Verify Ad Hoc or Infrastructure setting in all training laptops.
Objective/Subjective: Objective

Segregation of end users in the training environment Checklist

Step 1 - Segregation by IP address
Reference: NIST standards, security knowledge
Control Objective: Training end users should not be able to access network resources from the training wLAN.
Risk: If the wLAN is compromised, then the corporate WAN environment is at risk. This would be a high level risk. As much as possible, traffic from the wLAN should be limited, and controlled so that even if the wLAN is compromised, corporate network compromise does NOT necessarily follow.
Compliance: If a firewall is in place between the wLAN and the WAN, then segregation can be very granular. If no firewall exists between the wLAN and WAN, it is very difficult to segregate traffic from the WAN. The best solution would be to have a firewall between the two environments.
Testing: If a firewall exists between the wLAN and WAN, then the firewall rule base should be examined to verify how wLAN traffic is passed. (Because this is really a separate audit in and of itself, I won’t cover this in detail at this time) At the very least, look for firewall rules that allow traffic based on IP addresses. Also, at the very least, the firewall should have an existing list of wireless client card IP addresses (or even MAC addresses—even better!) that are “allowed.” No other addresses should be allowed to pass through the firewall. If no firewall exists, the AP should be attached to a Layer 2 switch rather than a hub. Also, if no firewall is available, then the training users’ access must be addressed by USER rather than IP. (Again, this could be an audit in and of itself) The training users’ access levels should be examined in detail (in our case, by examining the Novell NDS settings for the training users) to verify that their access exists at a very low level.
Objective/Subjective: Subjective

Assignment 3

Conduct the Audit

Cisco Aironet 1200 Access Point Checklist

Step 1 - Policy for wireless training LAN
Method: The auditor looked at existing policies that cover most areas of Information Security for the organization. There were three policies that cover systems, end users, and disaster recovery. The auditor searched the text for “wireless” and “802.1*” using the CTRL-F function in Microsoft Word. The auditor also spoke with the Administrator about procedures regarding the wireless training LAN.
Results: No currently board approved policies cover 802.11b or any other wireless network connections. The Administrator is developing procedures that will cover setup, storage, and security of the wireless training LAN.
Conclusion-FAIL: No policies currently exist on wireless network access and the corporate WAN.

Step 2 - Administrative access to AP
Method: The auditor discussed the current password parameters and users who are set up for administrative access to the AP with the Administrator. The auditor viewed the page outlining who the users are, and what rights they have to the AP.
Results: There are two users who have administrative rights to the AP. Both users use alphanumeric passwords of 9 characters in length. Passwords are changed according to IT policy—every 60 days.
Conclusion-PASS: Passwords adhere to company standards. Having two administrative users provides checks and balances for correct configuration.

Step 3 - AP Security settings
Method: To verify that the broadcast SSID was disabled, the Auditor screen shot the http configuration page which had a radio button for “Allow Broadcast SSID to Associate” to verify that “NO” had been chosen.

According to Cisco configuration guidelines, by checking “NO” you only allow devices that specify the SSID to associate with the AP. To test this, the auditor removed the SSID from a client that had associated to the AP. Upon removal, the client was no longer associated.

Now, the auditor needs to verify that MAC address filtering in addition to non-broadcast SSID prevents non-identified (rogue) MAC addresses from associating with the AP. This step was interesting to prove. After configuring the Cisco ACU so that it would associate with the AP by configuring WEP and the SSID, the Administrator entered all MAC addresses of the wireless cards into the Address Filters section of the AP configuration. After verifying which MAC address was on the auditor’s laptop, the Administrator removed the auditor’s MAC address from the AP filter. But the auditor’s laptop was still associated, and could still pass traffic through the AP!

The auditor, after referencing the Cisco configuration guide, had the Administrator look to see if an Advanced Radio setting had been changed which would correctly (and fully) enable MAC address filtering by the AP. Once this setting was in place, MAC address filtering worked as documented by Cisco.

Results
The auditor created a matrix that gives the possible combinations to try associating with the AP.

SSID: X X X X
WEP: X X X X
MAC: X X X X
Can associate: NO NO NO NO YES NO YES
Can pass traffic: NO NO NO NO NO NO YES

If an item is checked, that means it was set up to match the correct settings in the AP. Interestingly, sometimes the card/laptop could associate but couldn’t pass traffic. Here’s the screen shot for associating without WEP:

Notice that MAC, not IP, defines the AP. Once WEP is correctly configured for the wireless card, the card associates to the AP, and identifies it by IP address because WEP enables decryption.

Only wireless cards configured with the SSID, WEP, and “allowed” MAC addresses should be able to associate with the AP. Testing proved that all three needed to be in place in order to associate and pass traffic through the AP.

Conclusion-PASS
After initially misconfiguring the MAC filter, the Administrator correctly implemented changing the SSID, disabling Broadcast SSID, enabling WEP, and enabling MAC filters so that only users with all three elements correctly configured would be able to associate and pass traffic through the AP.

Step 4 - Key length and use

Method
The auditor asked the Administrator to demonstrate how keys are chosen for WEP. Also, the auditor asked the Administrator to explain how often keys will change, how long the keys are, and if there is written documentation explaining this process. The auditor also looked at the configuration settings in the AP to verify that 128-bit WEP keys are used.

Results
The Administrator outlined that WEP keys will change for each class. For example, if a class lasts one day, the key will be in place for one day. If a class lasts four days, the key for that class will be in effect for four days.

The Administrator demonstrated for the auditor how the keys are developed:
The Administrator goes to the Random.org website and chooses “Hexadecimal.”

When “Get Bytes” is clicked, the result is:

Keys are pulled from this hex block by designating a starting place by row. Each hex key is 26 characters in length, and is manually keyed into the AP and each laptop’s ACU by the Administrator. The hex block generated by random.org is used only one time for one class.

Conclusion-PASS
WEP key length is 128-bit.
Keys are random in nature.
Keys are used for one class only.
No written procedures exist for WEP key implementation.

Step 5 - Physical access to AP

Method
The auditor looked at existing policies that cover most areas of Information Security for the organization. There were three policies that cover systems, end users, and disaster recovery. The auditor searched the text for “wireless” and “802.1*” using the CTRL-F function in Microsoft Word. The auditor also spoke with the Administrator about procedures regarding physical security of the wireless training LAN.

Results
No currently board approved policies cover 802.11b or any other wireless network connections. The Administrator is developing procedures that will cover setup, storage, and security of the wireless training LAN.

Conclusion-FAIL
No Policy or written procedure exists at this time regarding the Cisco AP. Policy and procedure need to be written to address the physical security of the AP.

Two employees have access to the locked storage area where the AP is kept—there are no current sign out procedures for use of the AP (and training environment.) While the Administrator is very “hands on” with the AP, and accepts full responsibility for the physical access to the AP, he also understands and agrees that policies and procedures need to be developed in this area.

Step 6 - Wireless “perimeter” site survey-signal strength and security

Method
The auditor utilized Cisco’s Aironet Client Utility (ACU) to measure signal strength both inside and outside the building where the training LAN was set up. The ACU provides a graphic depiction of signal strength and quality, as well as specifically outlining, “not associated” when out of range.

The training LAN is in a physically restricted area in the basement of a one-story brick building. Upstairs, both public and restricted areas are accessed. This area is partially walled off so that the public has interaction with the employees over a counter. Other employees have cubicles and offices where customers can interact in a more private setting with the employees. One restricted area is only accessed by employees who have keys to the area. Fully public areas include a lobby area with an L-shaped seating area in front of a fireplace, a corridor that leads to an exit, and a glass double door entry.

The auditor started by standing near the AP, and fully associating. The auditor walked various areas of the building, documenting location and screenshotting signal strength to determine radio coverage.

Results
Here are the screen shots with description of locations:

Site survey in training room next to AP

Top of the stairs leading from Training Room to Restricted key access area

Desk in restricted key access area directly above training room

Lobby – public area fully open to the public

Lobby – near fireplace, seated on sofa

Private office area – publicly accessible, but accompanied by employee access only. The public can’t be alone here without drawing attention to themselves.

Private, non-public access area near copy machines

Corridor leading to exit

The entire outside perimeter of the building registered as Not Associated

The area near the front double glass door entrance also registered as Not Associated

Back downstairs about 20 feet from the AP (near the restroom)

Approximately 8 feet further away, the 350 again becomes unassociated.

Conclusion-PASS
Signal strength in the AP was configured to the lowest transmission level of 1 megawatt. In addition, the Administrator detached one antenna, leaving the AP with only one antenna. This limited the radio range of the AP.

A site survey using Cisco’s ACU during a thorough walkabout the building both indoors and outdoors showed that access is limited. While signal strength and quality are sometimes fair to good in publicly accessible areas, the existence of security cameras recording activity in the public areas provides a control. An additional control in those areas is provided by employee observation that limits the amount of time someone could spend in an area before arousing employees’ suspicion.

Step 7 - AP powered down when not in use

Conclusion-PASS
No Policy or written procedure exists at this time regarding the Cisco AP. Policy and procedure need to be written to address the physical security of the AP.

While the Administrator is very “hands on” with the AP, and accepts full responsibility for the physical access to the AP, he also understands and agrees that policies and procedures need to be developed in this area. Currently, the Administrator is the one primarily responsible for the training LAN. If another IT person is involved in setup and breakdown of the area, the Administrator emphasizes the importance of powering off the AP. Two different spot checks of the AP verified that it was powered off when not in use.

Step 8 - Default settings changed

Method
The auditor saved the configuration file currently in use by the AP. Then, with the Administrator’s OK, she also saved the default configuration, preserving the IP information. (This brought the AP back to the default config, but it’s easy enough to flash the saved config back to the AP) Flashing the AP back to the default while preserving the IP information ALSO preserved user information. Both admin users still existed with the same usernames and passwords that existed before flashing back to default. Then, the auditor used Windows file compare (fc.exe) and output the differences to a text file (diff.txt), shown here:

Comparing files config.ini and DEFAULT.INI
***** config.ini
#===Beginning of AP1200-ABCD (Cisco 1200 Series AP 11.42T) Configuration File===
dot11AuthenticationResponseTimeOut.2=2000
***** DEFAULT.INI
#===Beginning of AP1200-a45fff (Cisco 1200 Series AP 11.42T) Configuration File===
dot11AuthenticationResponseTimeOut.2=2000
*****

***** config.ini
dot11PowerManagementMode.2=active
dot11DesiredSSID.2=<edited out by auditor>        Default SSID changed
dot11OperationalRateSet.2=\x82\x84\x8b\x96
***** DEFAULT.INI
dot11PowerManagementMode.2=active
dot11DesiredSSID.2=tsunami
dot11OperationalRateSet.2=\x82\x84\x8b\x96
*****

***** config.ini
dot11AuthenticationAlgorithmsEnable.1=true
dot11AuthenticationAlgorithmsEnable.2=true
dot11AuthenticationAlgorithmsEnable.3=false
***** DEFAULT.INI
dot11AuthenticationAlgorithmsEnable.1=true
dot11AuthenticationAlgorithmsEnable.2=false
dot11AuthenticationAlgorithmsEnable.3=false
*****

***** config.ini
dot11WEPKeyMappingLength.2=0
dot11ExcludeUnencrypted.2=true        Only allow WEP encrypted traffic
dot11RTSThreshold.2=2339
***** DEFAULT.INI
dot11WEPKeyMappingLength.2=0
dot11ExcludeUnencrypted.2=false
dot11RTSThreshold.2=2339
*****

***** config.ini
dot11CurrentRxAntenna.2=diversity
dot11CurrentTxPowerLevel.2=1        Transmit power level changed to 1 mW from default 6 mW
dot11CurrentDwellTime.2=19
***** DEFAULT.INI
dot11CurrentRxAntenna.2=diversity
dot11CurrentTxPowerLevel.2=6
dot11CurrentDwellTime.2=19
*****

***** config.ini
sysContact=Aironet Wireless Communications, Inc.
sysName=AP1200-ABCD
sysLocation=
***** DEFAULT.INI
sysContact=Aironet Wireless Communications, Inc.
sysName=AP1200-a45fff
sysLocation=
*****

***** config.ini
dot1dTpAgingTime.0=300
dot1dStaticAllowedToGoTo.<edited out by auditor>=ffffffff        Only specified MAC addresses are allowed
dot1dStaticAllowedToGoTo.<edited out by auditor>=ffffffff
dot1dStaticAllowedToGoTo.<edited out by auditor>=ffffffff
dot1dStaticAllowedToGoTo.<edited out by auditor>=ffffffff
dot1dStaticAllowedToGoTo.<edited out by auditor>=ffffffff
dot1dStaticAllowedToGoTo.<edited out by auditor>=ffffffff
dot1dStaticAllowedToGoTo.<edited out by auditor>=ffffffff
dot1dStaticAllowedToGoTo.<edited out by auditor>=ffffffff
dot1dStaticAllowedToGoTo.<edited out by auditor>=ffffffff
dot1dStaticAllowedToGoTo.<edited out by auditor>=ffffffff
dot1dStaticStatus.<edited out by auditor>=permanent
dot1dStaticStatus.<edited out by auditor>=permanent
dot1dStaticStatus.<edited out by auditor>=permanent
dot1dStaticStatus.<edited out by auditor>=permanent
dot1dStaticStatus.<edited out by auditor>=permanent
dot1dStaticStatus.<edited out by auditor>=permanent
dot1dStaticStatus.<edited out by auditor>=permanent
dot1dStaticStatus.<edited out by auditor>=permanent
dot1dStaticStatus.<edited out by auditor>=permanent
dot1dStaticStatus.<edited out by auditor>=permanent
cdpGlobalRun=T
***** DEFAULT.INI
dot1dTpAgingTime.0=300
cdpGlobalRun=T
*****

***** config.ini
enableTelnet=T
enableSNMP=T        SNMP disabled
enableDnsResolver=T
***** DEFAULT.INI
enableTelnet=T
enableSNMP=F
enableDnsResolver=T
*****

***** config.ini
awcDot11UseAWCExtensions.2=T
awcDot11AllowAssocBroadcastSSID.2=F        Broadcast SSID disabled
awcDot11EnetEncapsulationDefault.2=encapRfc1042
***** DEFAULT.INI
awcDot11UseAWCExtensions.2=T
awcDot11AllowAssocBroadcastSSID.2=T
awcDot11EnetEncapsulationDefault.2=encapRfc1042
*****

***** config.ini
awcDot11AuthenticationRequireEAP.3=true
awcDot11AuthenticationDefaultUcastAllowedToGoTo.1=00000000
awcDot11AuthenticationDefaultUcastAllowedToGoTo.2=00000000
awcDot11AuthenticationDefaultUcastAllowedToGoTo.3=ffffffff
***** DEFAULT.INI
awcDot11AuthenticationRequireEAP.3=true
awcDot11AuthenticationDefaultUcastAllowedToGoTo.1=ffffffff
awcDot11AuthenticationDefaultUcastAllowedToGoTo.2=ffffffff
awcDot11AuthenticationDefaultUcastAllowedToGoTo.3=ffffffff
*****

***** config.ini
awcDot11AuthenticationDefaultVlanId.3=0
awcDot11AllowEncrypted.2=true
awcDot11LEAPUserName.2=
***** DEFAULT.INI
awcDot11AuthenticationDefaultVlanId.3=0
awcDot11AllowEncrypted.2=false
awcDot11LEAPUserName.2=
*****

***** config.ini
awcDot11ChanSelectEnable.14=T
allowBrowseWithoutLogin=F        Access to Management of AP required username/pw login
protectLegalPage=F
***** DEFAULT.INI
awcDot11ChanSelectEnable.14=T
allowBrowseWithoutLogin=T
protectLegalPage=F
*****

***** config.ini
awcConsoleAutoApply=T
resolverDomainSuffix=.nothing.com
defaultResolverDomain=nothing.com
defaultResolverDomainServer.1=255.255.255.255
defaultResolverDomainServer.2=255.255.255.255
defaultResolverDomainServer.3=
***** DEFAULT.INI
awcConsoleAutoApply=T
resolverDomainSuffix=
defaultResolverDomain=
defaultResolverDomainServer.1=
defaultResolverDomainServer.2=
defaultResolverDomainServer.3=
*****

***** config.ini
awcPublicVlanId=0
#===End of AP1200-ABCD Configuration File===
***** DEFAULT.INI
awcPublicVlanId=0
#===End of AP1200-a45fff Configuration File===
*****

Results
The output in diff.txt simplifies looking for changes from the default configuration.

The changes outlined in diff.txt include:
1-Default SSID changed
2-Allow WEP encrypted traffic
3-Transmit power level at lowest level
4-MAC filtering enabled
5-SNMP disabled
6-Broadcast SSID disabled
7-Access to http management of AP requires login

So, with a quick review, the auditor can verify these default settings have changed.

Conclusion-PASS
The most important default settings have changed, securing the AP according to NIST recommendations.

Step 9 - Obsolescence of technology

Conclusion-PASS
(www.informationweek.com/shared/printableArticle?doc_id=IWK20020417S0008)
The Information Week article coupled with discussions between the Administrator and a CCIE who recommended the Cisco 1200 AP supports the opinion of the auditor that the purchase of this technology was made with consideration for long-term use. The AP is not consumer-grade, and can be upgraded over time.
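The Step 8 comparison of the running configuration against the factory default can be scripted so that the same check is repeatable when other locations are certified. The following is an added example, not part of the original paper or Cisco's tooling: it parses two key=value configuration dumps and tests the five settings whose key names and hardened values are visible in the fc.exe output (SNMP and the MAC filter entries are left out). The sample dumps, the SSID value and all function names are constructed for illustration.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample dumps (not the audited AP's files). Key names are taken
# from the fc.exe output in Step 8; the hardened SSID value is invented.
DEFAULT_INI = """\
#===Beginning of AP1200-EXAMPLE Configuration File===
dot11DesiredSSID.2=tsunami
dot11ExcludeUnencrypted.2=false
dot11RTSThreshold.2=2339
dot11CurrentTxPowerLevel.2=6
awcDot11AllowAssocBroadcastSSID.2=T
allowBrowseWithoutLogin=T
"""

HARDENED_INI = """\
#===Beginning of AP1200-EXAMPLE Configuration File===
dot11DesiredSSID.2=EXAMPLE-TRAINING
dot11ExcludeUnencrypted.2=true
dot11RTSThreshold.2=2339
dot11CurrentTxPowerLevel.2=1
awcDot11AllowAssocBroadcastSSID.2=F
allowBrowseWithoutLogin=F
"""

# A half-finished setup: SSID and broadcast association still at default.
PARTIAL_INI = HARDENED_INI.replace("EXAMPLE-TRAINING", "tsunami").replace(
    "awcDot11AllowAssocBroadcastSSID.2=F", "awcDot11AllowAssocBroadcastSSID.2=T")


def parse_ini(text: str) -> Dict[str, str]:
    """Parse key=value lines; skip blanks, '#' banners and lines without '='."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # values may themselves contain '='
        settings[key.strip()] = value.strip()
    return settings


def changed_keys(current: Dict[str, str],
                 default: Dict[str, str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return {key: (default_value, current_value)} for every differing key."""
    diff = {}
    for key in sorted(set(current) | set(default)):
        if current.get(key) != default.get(key):
            diff[key] = (default.get(key), current.get(key))
    return diff


# (label, key, test(current_value, default_value)); a missing key fails.
Check = Tuple[str, str, Callable[[Optional[str], Optional[str]], bool]]
CHECKS: List[Check] = [
    ("Default SSID changed", "dot11DesiredSSID.2",
     lambda cur, dflt: bool(cur) and cur != dflt),
    ("Only WEP encrypted traffic allowed", "dot11ExcludeUnencrypted.2",
     lambda cur, _dflt: cur == "true"),
    ("Transmit power at 1 mW", "dot11CurrentTxPowerLevel.2",
     lambda cur, _dflt: cur == "1"),
    ("Broadcast SSID association disabled", "awcDot11AllowAssocBroadcastSSID.2",
     lambda cur, _dflt: cur == "F"),
    ("Management pages require login", "allowBrowseWithoutLogin",
     lambda cur, _dflt: cur == "F"),
]


def audit(current_text: str, default_text: str) -> List[Tuple[str, str, str]]:
    """Run every check and return (label, key, 'PASS' or 'FAIL') rows."""
    current, default = parse_ini(current_text), parse_ini(default_text)
    return [(label, key, "PASS" if test(current.get(key), default.get(key)) else "FAIL")
            for label, key, test in CHECKS]


def failed(results: List[Tuple[str, str, str]]) -> List[str]:
    """Labels of the checks that did not pass."""
    return [label for label, _key, status in results if status == "FAIL"]


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_INI), ("partial", PARTIAL_INI)):
        print(f"== {name} ==")
        for key, (old, new) in changed_keys(parse_ini(text), parse_ini(DEFAULT_INI)).items():
            print(f"  changed {key}: {old!r} -> {new!r}")
        for label, key, status in audit(text, DEFAULT_INI):
            print(f"  {status}  {label} ({key})")
```
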

Step 10 - SNMP management

Method
Determine whether SNMP is enabled or disabled by viewing the configuration page. If SNMP is enabled, continue with further testing.

Results
The auditor viewed the SNMP setup page in the configuration and discussed SNMP with the Administrator.

SNMP is disabled.
Also, recall from Step 8 that the default settings changed, one of which was SNMP.

Conclusion-PASS
Even though much of the network is monitored via SNMP, the Administrator determined that the AP does not need SNMP monitoring because of its limited use. SNMP is disabled for the AP.

Cisco Wireless PC Card AIR-PCM350 Checklist

Step 1 - Administrative access to Aironet Client Utility

Method
In order for policy creation/modification to be disabled for a training user, the user must not have administrative or power user status on the laptop. Additionally, the Cisco Aironet Client Utility must be enabled during installation in order for rights to be restricted to administrators only. Thirdly, a box must be unchecked so that regular users cannot modify the ACU.

In order to verify that these three conditions are met with each of the ten training laptops, the auditor created a matrix like the one shown here:

Laptop ID number    Admin ACU access    User member of group         Aironet Client Utility Installed correctly
608                 Yes                 User                         No
609                 Yes                 Power user, Administrator    Yes
610                 Yes                 Power user                   No
611                 Yes                 Power user                   No
612                 Yes                 Administrator, Power user    Yes
613                 Yes                 Administrator, Power user    Yes
614                 Yes                 Administrator, Power user    Yes
615                 Yes                 Power user                   No
616                 Yes                 Power user                   No
617                 No                  User                         Yes

In order to prove these conditions, the auditor logged in to each laptop as the training user for that laptop. The ACU showed that the laptop was associated with the AP, then the auditor disabled WEP, and the laptop was no longer associated with the AP.

This proved that there was at least one of the two instances when regular users could modify the ACU profile. In order to verify that the software was installed correctly, the auditor looked for the checkbox to appear on the ACU preferences tab:

If the ACU was installed incorrectly, then the checkbox was not present:

Then, the auditor also confirmed which groups the training user was a member of on each laptop. Only one was set up correctly where the training user was ONLY a member of the regular “users” group:

Results
Half of the laptops’ installation of the Aironet Client Utility was incorrect—the choice to make the ACU configurable by a regular user was unavailable. Most of the Training users were set up incorrectly on the laptops. All laptops except for one allowed the training users to modify the ACU profiles.

Conclusion-FAIL
The laptop setup and configuration allows the training center user to modify the Aironet Client Utility.

Step 2 - Anti-virus software

Method
Verify that anti-virus software is installed and correctly configured so that DAT files are up-to-date.

Results
Each laptop has Norton Corporate Edition with fully up-to-date DAT files.

Conclusion-PASS
A visual inspection of all the laptops verified that they have anti-virus installed correctly. All DAT files were up to date as of the date of the inspection.

Step 3 - Physical access to laptops and wireless cards

Method
The auditor looked at existing policies that cover most areas of Information Security for the organization. There were three policies that cover systems, end users, and disaster recovery. The auditor searched the text for “wireless” and “802.1*” using the CTRL-F function in Microsoft Word. The auditor also spoke with the Administrator about procedures regarding the wireless training LAN.

Results
No currently board approved policies cover 802.11b or any other wireless network connections. The Administrator is developing procedures that will cover setup, storage, and security of the wireless training LAN.

Conclusion-FAIL
No Policy or written procedure exists at this time regarding the laptops and Aironet cards. Policy and procedure need to be written to address their physical security.
Two IT department employees have access to the locked storage area where the laptops are kept. There are sign out procedures for use of the laptops, but not specifically in conjunction with the wireless environment. At this time, the wireless cards are not marked as “property of Company A” but the laptops are identified with company specific identity labels.

Step 4 - Obsolescence of technology

Conclusion-PASS
(www.informationweek.com/shared/printableArticle?doc_id=IWK20020417S0008)
The Information Week article coupled with discussions between the Administrator and a CCIE who recommended the Cisco wireless environment including the PCM350 cards supports the opinion of the auditor that the purchase of this technology was made with consideration for long-term use. The AP is not consumer-grade, and can be upgraded over time.

Step 5 - Ad Hoc or Infrastructure mode

Method
Using Cisco’s Aironet Client Utility, verify that the laptop is set up in Infrastructure mode.

A simple check of the configuration of the ACU profile system parameters shows that a laptop is running in Infrastructure mode.

Results
All 10 laptops are configured for Infrastructure mode.

Conclusion-PASS
The laptops are running in Infrastructure mode.

Segregation of end users in the training environment Checklist

Step 1 - Segregation by IP address

Method
A firewall between the AP and the trusted network would provide a means to segregate traffic from the WAN. Is a firewall part of the Training LAN setup? If no firewall is in place, is the AP plugged directly into a switch rather than a hub? The auditor observed that the AP is plugged directly into a switch, and even pulls power from the switch.
Do the training end users have limited accounts on the network? See how training users login-is it locally or on the network. The auditor logged in as a training user and attempted to access files on the WAN. Access was denied for all resources—the auditor could see all the servers in a browse session

But had to use a network login to actually touch the files on the servers.

The auditor COULD share data between the training laptops as a “workgroup” LAN.

Results
No firewall is in place at this time. The AP is directly connected to a switch. End users log on locally rather than authenticating to the Novell network. Training users do not exist in the Novell network at all, and consequently have absolutely no rights on the network as a Training user.

Conclusion-PASS
While no firewall is in place, the other criteria for this step were met. Additionally, training users are not able to access corporate or customer data by network browsing from the training LAN as a training user.

Summary table
This table provides an overview of audit findings

Audit section                            Audit step                                                                Audit outcome
Cisco Aironet 1200 Access Point          Step 1 - Policy for wireless training LAN                                 FAIL
                                         Step 2 - Administrative access to AP                                      PASS
                                         Step 3 - AP Security settings                                             PASS
                                         Step 4 - Key length and use                                               PASS
                                         Step 5 - Physical access to AP                                            FAIL
                                         Step 6 - Wireless “perimeter” site survey-signal strength and security    PASS
                                         Step 7 - AP powered down when not in use                                  PASS
                                         Step 8 - Default settings changed                                         PASS
                                         Step 9 - Obsolescence of technology                                       PASS
                                         Step 10 - SNMP management                                                 PASS
Cisco Wireless PC Card AIR-PCM350        Step 1 - Administrative access to Aironet Client Utility                  FAIL
                                         Step 2 - Anti-virus software                                              PASS
                                         Step 3 - Physical access to laptops and wireless cards                    FAIL
                                         Step 4 - Obsolescence of technology                                       PASS
                                         Step 5 - Ad Hoc or Infrastructure mode                                    PASS
Segregation of end users in the          Step 1 - Segregation by IP address                                        PASS
training environment

Is the system securable?

Because this wireless LAN environment is not used continuously, it presents an easier environment to secure. While consideration must be given to opportunities available for unauthorized individuals to crack WEP, the SSID, and ultimately compromise the corporate WAN, these high level risks are abated significantly because the wireless LAN will only be operating sporadically. The Administrator’s and the Auditor’s biggest concerns were the risks associated with cracking the network wirelessly. After evaluating the wireless training environment, it is the auditor’s opinion that this environment can be secured, but some improvement will have to be made.

The checklist brought to light the fact that specifically outlined policies and procedures have not been created for this wireless LAN. Because the Administrator will delegate setup and breakdown of the LAN, the Administrator needs to develop specific procedures so that the wireless LAN operates correctly. Specific sign out procedures and storage procedures will also mitigate physical risk to the systems.

Policy and procedure development coupled with training for the IT department in those policies and procedures will cost only in hours. The Auditor estimates a week for the development of the policies and procedures, with a training session of less than an hour for the IT department.

A significant finding during the audit was the misconfiguration of the laptops. Not only was the Aironet Client Utility installed incorrectly on many of the laptops, but also the training users were given Administrative and Power User rights. Even if the ACU had been installed correctly, many users would have had rights to change the profiles. Again, this will cost only time to clear up. It shouldn’t take much longer than 2 hours for all 10 laptops to be set up correctly. That’s an estimate including changing the groups for the training users, uninstalling and reinstalling the ACU, and configuring the ACU profiles.

Finally, the NIST standards and common security practice suggest the use of a firewall between the AP and the local network. In the training LAN, a firewall would deny anything except http and https traffic through to the Internet across the corporate WAN. While the security of “Location A” was sufficiently proven in regards to cracking the wireless link, the objective of segregating the training traffic wasn’t fully met.

The Administrator places a high priority on preserving the portability of the training environment. This would preclude the implementation of a “desktop box” firewall. However, a small, portable firewall like the Netscreen-5 would certainly meet both the firewall and portability needs for the training LAN. The Netscreen-5 is generally between $500-$700. If the Administrator takes into account that the training LAN itself (laptops, AP, and wireless cards) cost around $16,000, then the cost of the firewall is only 3% or 4% of the cost of the training center.

Is the system auditable?

Each component of the wireless training LAN is auditable. Taken together as a whole, the training LAN environment is auditable. The checklists addressed specific system and configuration issues as thoroughly as possible to mitigate the risk of unauthorized wireless access.

The specific hardware within the environment is most definitely auditable. The NIST checklist defined specific objectives with a wireless network. By auditing more than just the Cisco Access Point, the auditor provided a more thorough audit of the entire wireless LAN. An audit of the AP alone would not have uncovered the issues with the training laptops. But does the audit of just the systems themselves really “certify” a classroom for use as a wireless training area?

While the auditor’s objective was to “certify” a setting for training, so much more is involved other than just making sure that the wireless radio waves won’t be available outside the physical building. What became clear during the audit was that a deeper examination of the training users must occur. Over time, how will the systems be used? The assumption made by the auditor throughout this audit was that only corporate employees would be trained on these laptops in this environment. What if that is not the case?

Not only must the IT department, who is responsible for setup and breakdown of the classroom, adhere to policies and procedures to mitigate risk, but also consideration must be given to the people sitting at the laptops for the training classes. Shouldn’t they also be briefly instructed on wireless security at the start of their training session? And how would that be audited?

One area within the audit that lacked more technical substantiation was in the very last section, Segregation of users in the training environment. The checklist developed for this area was vague, even though the objective was clearly stated. The auditor discovered during the audit that the training users would log on locally to the laptops. In addition, since no firewall is in place between the corporate WAN and the wireless training LAN, extensive testing would be required to sufficiently prove that the training users did not have access to corporate servers. Also, it is the opinion of the Administrator that training users should be able to access their email while in training, which would be opposed to the opinion of the auditor that the traffic remains fully segregated from the corporate network.

The tools available with the Cisco ACU were sufficient to discover the wireless AP’s range. Signal strength and signal quality were easily seen, and the site survey function kept communication open until the auditor was out of range. The auditor was originally intending to use Netstumbler, but after reading more specifics, found that Netstumbler does not support the Cisco card. Down the road, the auditor is budgeting for hardware that will be supported, so that while training sessions are meeting the auditor can again verify the range of wireless for that specific training location.

After the audit of the Cisco Aironet AP was completed, the auditor was curious about the difference between “open” or “shared” authentication with WEP. At first glance, it appears “shared” would be more secure than “open”; the auditor based her interpretation on the common definition of the two words. So the auditor consulted the configuration guide. Because of this further reading, the auditor determined that ONLY “open” authentication should be enabled. “Shared” authentication should not be enabled because it is actually LESS secure than open authentication.

From the configuration guide:

“Cisco recommends Open authentication as preferable to Shared Key authentication. The challenge queries and responses used in Shared Key leave the access point particularly vulnerable to intruders.”

This additional check should be included in Audit Step 4, Key length and use, to verify that only OPEN AUTHENTICATION should be used.
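The firewall rule described under "Is the system securable?" (deny everything from the training LAN except http and https to the Internet) and the segregation concern raised under "Is the system auditable?" can be written as a testable policy. The following Python sketch is an added example, not part of the original paper; the subnets, addresses and flow list are constructed, and 10.0.0.0/8 is assumed to stand in for the corporate WAN.

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Constructed addressing, not taken from the paper: the training laptops get
# their own subnet and 10.0.0.0/8 stands in for XYZ's corporate WAN.
TRAINING_LAN = ipaddress.ip_network("192.168.50.0/24")
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_TCP_PORTS = {80, 443}  # http and https only


@dataclass(frozen=True)
class Flow:
    label: str
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason) for one flow crossing the training-LAN firewall."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in TRAINING_LAN:
        return "deny", "source is not a training laptop"
    if any(dst in net for net in CORPORATE_NETS):
        return "deny", "destination is on the corporate WAN"
    if flow.proto != "tcp" or flow.dport not in ALLOWED_TCP_PORTS:
        return "deny", "not http/https"
    return "allow", "http/https to the Internet"


# Constructed test flows covering the cases the audit discusses.
SAMPLE_FLOWS = [
    Flow("web browsing (https)", "192.168.50.21", "203.0.113.10", "tcp", 443),
    Flow("web browsing (http)", "192.168.50.21", "203.0.113.10", "tcp", 80),
    Flow("intranet web server", "192.168.50.21", "10.1.2.25", "tcp", 443),
    Flow("corporate mail (POP3)", "192.168.50.22", "10.1.2.30", "tcp", 110),
    Flow("external DNS lookup", "192.168.50.22", "198.51.100.53", "udp", 53),
    Flow("telnet to Internet host", "192.168.50.23", "203.0.113.99", "tcp", 23),
    Flow("non-training source", "172.16.9.9", "203.0.113.10", "tcp", 80),
]


def segregation_report(flows):
    """Map each flow label to 'verdict: reason' so the result can be filed as evidence."""
    return {f.label: "%s: %s" % evaluate(f) for f in flows}


if __name__ == "__main__":
    for label, outcome in segregation_report(SAMPLE_FLOWS).items():
        print(f"{label:30} {outcome}")
```

The mail and DNS rows come out as denied: the first is the conflict between the Administrator's wish for e-mail access and full segregation, and the second shows that a literal "http and https only" rule also needs a decision on name resolution.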

Assignment 4

Executive Summary

The wireless training center recently approved by XYZ Company’s Technology Risk Committee was audited by XYZ Company’s Internal Audit Department in late August 2002. This pre-implementation audit examined the wireless environment, the risks inherent in wireless networks, and the risks specific to XYZ Company in installing and operating the wireless training center.

We found the overall security of the wireless training center to be satisfactory. Risks that can arise for a wireless network include the possibility of unauthorized persons connecting via the wireless access point. The most significant risks to XYZ Company revolve around the insecurity of wireless, and the auditor concludes that these risks have been significantly mitigated by proper configuration and deployment of the Cisco 1200 Access Point.

The weaknesses discovered in the audit are mostly related to the absence of current written policies and procedures regarding the wireless training network. Another important audit finding was specific to the training center laptops’ configuration.

The audit process used to evaluate the wireless network and specifically the XYZ Company Training Room A can also be used to certify the security of other potential training locations. As such, the site certification process should be implemented as policy so that new training sites can be identified and certified before their use as training rooms.

Audit Findings

The audit of the training environment consisted of a thorough examination of the Cisco wireless access point that provides a bridge to XYZ’s wired network. It also included a close examination of the laptops that will be used for the training. Additionally, the audit examined how the training users would be segregated from XYZ’s corporate network to prevent unauthorized access to corporate and customer data.

The auditor discussed the configuration of the access point with XYZ’s Administrator, and examined the configuration in detail. The auditor verified from viewing the configuration that the access point’s SSID had been changed from the manufacturer’s default, and that the “broadcast SSID” had been disabled. The auditor also verified that the encryption level for access through the AP had been set to 128-bit encryption, and the key selection was random and changed periodically. (Please reference Access Point Audit steps 3 and 4)
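The access point settings verified above, together with the paper's "open authentication only" check and its three association factors (SSID, WEP key, allowed MAC address), can be turned into a repeatable check for certifying further sites. This is an added example, not code from the paper and not the Cisco configuration format: the record fields, sample values, the 30-day rotation limit and the default-SSID list are assumptions made for illustration.

```python
from datetime import date

# Field names and values are constructed for this example; this is not the
# Cisco configuration format.
VENDOR_DEFAULT_SSIDS = {"tsunami"}  # assumed factory-default SSID list
WEP128_HEX_DIGITS = 26              # "128-bit" WEP: 104-bit secret key + 24-bit IV
MAX_KEY_AGE_DAYS = 30               # assumed; the paper only says "changed periodically"


def weak_key_reason(key_hex):
    """Return why a WEP key looks non-random, or None when no pattern is found."""
    k = key_hex.lower()
    if len(k) != WEP128_HEX_DIGITS or any(c not in "0123456789abcdef" for c in k):
        return "not a 26-hex-digit (128-bit WEP) key"
    raw = bytes.fromhex(k)
    if len(set(raw)) <= 2:
        return "one or two byte values repeated"
    if len({(b - a) % 256 for a, b in zip(raw, raw[1:])}) == 1:
        return "bytes form a fixed-step sequence"
    if all(32 <= b < 127 for b in raw):
        return "printable ASCII, likely a word or passphrase"
    return None


def audit_access_point(cfg, today):
    """Return {check: 'PASS' | 'FAIL: reason'} for one access point settings record."""
    results = {}

    def record(check, ok, reason):
        results[check] = "PASS" if ok else "FAIL: " + reason

    record("SSID changed from default",
           cfg["ssid"].lower() not in VENDOR_DEFAULT_SSIDS, "factory SSID in use")
    record("broadcast SSID disabled", not cfg["broadcast_ssid"], "SSID is broadcast")
    weak = weak_key_reason(cfg["wep_key_hex"])
    record("128-bit random key", weak is None, weak or "")
    age = (today - cfg["key_set_on"]).days
    record("key changed periodically", age <= MAX_KEY_AGE_DAYS, "key is %d days old" % age)
    auth = sorted(cfg["auth_types"])
    record("open authentication only", auth == ["open"], "enabled: " + ", ".join(auth))
    record("MAC allow list populated", bool(cfg["allowed_macs"]), "Allowed list is empty")
    return results


def can_associate(cfg, client):
    """Apply the three association factors; return (True, None) or (False, failed factor)."""
    if client["ssid"] != cfg["ssid"]:
        return False, "SSID"
    if client["wep_key_hex"].lower() != cfg["wep_key_hex"].lower():
        return False, "WEP key"
    if client["mac"].lower() not in {m.lower() for m in cfg["allowed_macs"]}:
        return False, "MAC address"
    return True, None


AUDIT_DATE = date(2002, 8, 30)  # constructed
GOOD_AP = {"ssid": "xyz-train-a", "broadcast_ssid": False,
           "wep_key_hex": "3f9a1c07e2b85d4461a0cc97f1", "key_set_on": date(2002, 8, 12),
           "auth_types": {"open"}, "allowed_macs": ["02:00:00:00:00:01"]}
BAD_AP = {"ssid": "tsunami", "broadcast_ssid": True,
          "wep_key_hex": "0102030405", "key_set_on": date(2002, 1, 15),
          "auth_types": {"open", "shared"}, "allowed_macs": []}
LAPTOP = {"ssid": "xyz-train-a", "wep_key_hex": "3F9A1C07E2B85D4461A0CC97F1",
          "mac": "02:00:00:00:00:01"}

if __name__ == "__main__":
    for name, cfg in (("GOOD_AP", GOOD_AP), ("BAD_AP", BAD_AP)):
        for check, outcome in audit_access_point(cfg, AUDIT_DATE).items():
            print(name, "|", check, "|", outcome)
    print(can_associate(GOOD_AP, LAPTOP))
```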

The auditor used the Cisco Site Survey tool to complete a thorough survey of signal strength and quality for training location A. Signal strength was set so that the auditor was not able to detect a signal outside the perimeter of the building. In some public areas of location A, signal strength and quality are enough to permit use of wireless connections. (Please review Access Point Step 6 in the full report to reference signal strength and quality in building A) A mitigating factor for those areas includes the installed security cameras coupled with the presence of XYZ employees. It is unlikely that a successful attempt to access the wireless network would go undetected in those areas.

Policies and procedures regarding the wireless network are still in development. There are no written policies and procedures outlining the set up and use of the wireless training environment. (Reference Access Point Audit steps 1, 5, 8, and Wireless Card step 3)

The laptops for use in the training center and the configuration of those laptops are key to the security of the wireless training environment. Administrators should be the only people who can modify the Aironet Client Utility; in this case the auditor discovered that most of the regular training users could modify the profile settings. Training users could create a network vulnerability if they modified the client utility. Also, by modifying the client utility, a training user could break the connection with the access point, which could impact them negatively during a training session. Other settings within the Client Utility have been correctly configured which also mitigates risk. (Reference Wireless Card Step 1)

All laptops have correctly configured Anti-virus software installed. (Please refer to Wireless Card Steps 2 and 5)

Finally, the auditor examined how the training users access the training network. The training users do not have any rights to the corporate network. However, if someone in a class logged in as themselves rather than the training user, then they have their normal network rights on XYZ’s Novell network. (Please refer to Segregation of Users Step 1)

Background/Risk

The technology of wireless is still evolving. Much has been written about the insecurities of wireless; there are many tools that could be used to break into a wireless connection. In this case, the wireless access will not be used every day. The training network will be locked in a cabinet when not in use. The fact that the wireless access point will generally be used for short periods rather than left on at all times significantly mitigates the risk of unauthorized access.

Because the wireless signal can be detected in public areas at the building where the training room is located, other compensating controls on unauthorized wireless access will deter that access at training room A. Again, the presence of security cameras coupled with employee awareness will deter an unauthorized person from sitting for long periods of time attempting to crack XYZ Company’s wireless setup. Because the training will take place in a basement training room, the wireless signal is not even detectable outside the building. Only people with prior knowledge of the wireless environment would even know to attempt access during a training session.

Because the Aironet Client Utility is installed incorrectly on many of the laptops, and because the training users are members of Power Users and Administrators in some cases, the risk is that a regular training user could modify the profile. This could result in the laptop losing communication with the Access Point. The risk evident here is that training would be interrupted or even halted until the ACU was configured correctly. This could take a great deal of time; a training user may not even be aware of what they changed. Also, if the training user changed the mode from Infrastructure mode to Ad Hoc mode, the laptop will try to associate directly with other wireless connections rather than through the Access Point. By associating directly with other wireless laptop connections, there is a chance that the training user could associate with an unauthorized user. Then, the unauthorized user may be able to glean information that could lead to the compromise of confidential information.

The training users’ access itself poses some risk. Training users should not log on to the training laptops using their regular network logon. When at a class session, they should not access any confidential information; information could possibly be “left” on the training laptop. People could open a document, and save a copy locally without realizing they had done so. The next training user to log in could very well have access to that information. Because there is no firewall between the training environment and the corporate network, there is no means to clearly define and limit the type of access through the corporate network. A firewall could be set to specifically outline what type of network traffic is allowed. Additionally, VPN connections (Virtual Private Network - encrypted connections from the laptops to the firewall using software on each laptop) from the laptops to the firewall would add another layer of security by adding additional encryption over the wireless connections.

Because no policies and corresponding procedures have been clearly written yet, the organization is at some risk. Policies and procedures lay the groundwork for securing not only the technology, but also the users’ behavior. People who have received training in the policy and procedures regarding the wireless training network would be more apt to recognize configuration issues. They would also know the risks involved in implementing wireless, so they would be more likely to safely operate and store the training room equipment. This, in turn, would certainly help to deter unauthorized access.

The hardware that was purchased for the wireless training environment is a good investment that can be upgraded in the future. It is a business class system that should prove useful over many years. (See Access Point Audit step 10, and Wireless Card step 4)

Audit Recommendations

First, a clearly written policy that addresses wireless needs to be developed. From that policy, procedures that outline specifics such as secure operation and storage of the wireless training network should be written. Accordingly, anyone who will be authorized to set up the training network should receive training in these newly developed policies and procedures.

For the laptops, the Aironet Client Utility should be installed so that only an administrator can modify the profiles. Training users should be associated to groups that do not allow them to modify the profiles.

Finally, Company XYZ should consider implementing a firewall between the wireless network and their corporate network. The firewall would serve to clearly define the traffic allowed from the training network over the corporate network. Company XYZ could also consider implementing VPN technology to further secure the wireless environment.

Costs

The firewall would be the only direct cost associated with our audit recommendations. For less than $800, a Netscreen-5 firewall would be portable and easily configurable for securing the wireless training network.

Other recommendations require time alone. Consider approximately 1 week for writing policies and procedures. An estimate for reconfiguring the laptop users and the Aironet Client Utility on those laptops is less than 3 hours.

Compensating Controls

If Company XYZ decides to forego purchasing a small firewall, the risk of unauthorized access via wireless is mitigated somewhat by the correct configuration of the Access Point. As described in Access Point Audit step 3, three factors must be correct in order to associate with the Access Point. The SSID must be correct, the WEP key must match, and the client’s MAC address must also be entered into the “Allowed” field in the Access Point’s configuration settings. Testing during step 3 proved this to be true.

Clear and effective communication between the members of the IT department and to any training users may compensate for the absence of policy and procedure. However, Internal Audit does not recognize any clearly defined compensating controls for this area.

References

Karygiannis, Tom & Les Owens. “DRAFT - Wireless Network Security, 802.11, Bluetooth™ and Handheld Devices.” Special Publication 800-48. National Institute of Standards and Technology. July 2002. (August 2002) URL: http://csrc.nist.gov/publications/drafts/draft-sp800-48.pdf

“Cisco Aironet 1200 Series Access Point Software Configuration Guide,” Software Release 11.41T, c. April 2002.

“Cisco Release Notes for Cisco Aironet Client Utilities, Version 5.01.001 for Windows” c. 2001

“Cisco Aironet Wireless LAN Client Adapters Installation and Configuration Guide for Windows” OL-1394-03, c. 2001

“Cisco Aironet Wireless LAN Security Overview” undated white paper 8/2002. URL: http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/a350w_ov.htm

Convery, Sean and Darrin Miller. “SAFE: Wireless LAN Security in Depth” undated Cisco white paper. 8/2002 URL: http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safwl_wp.htm

Gonsalves, Antone. “Cisco’s Vision of a Wireless Future” InformationWeek. April 17, 2002. URL: http://www.informationweek.com/story/IWK20020417S0008

Arbaugh, William A. & Narendar Shankar, Y.C. Justin Wan. “Your 802.11 Wireless Network has No Clothes” Department of Computer Science, University of Maryland. March 30, 2001. (8/2002) URL: http://www.cs.umd.edu/~waa/wireless.pdf

Snyder, Joel. “Securing the wireless LAN.” Network World/ Computerworld, August 12, 2002. URL: http://computerworld.com/securitytopics/security/story/0,10801,73421,00.html

Brewin, Bob. “Tools for detecting rogue wireless LAN users.” Computerworld, July 15, 2002. URL: http://www.computerworld.com/mobiletopics/mobile/technology/story/0,10801,72601,00.html

Sutton, Michael. “Hackers use Wi-Fi invisibility cloak.” Tech Update, ZDNet UK, July 25, 2002. URL: http://techupdate.zdnet.co.uk/story/0,,t481-s2119788-p2,00.html

Trudeau, Garry. “Doonesbury.” July 21, 2002 http://www.doonesbury.com/strip/dailydose/index.cfm?uc_full_date=20020721&uc_comic=db&uc_daction=X
