
Keeping Black Hat RF in The Box – Technical Note 127

East Carolina University implemented an isolated, remotely-accessible, secure wireless equipment pod to allow even the most invasive and potentially destructive wireless lab exercises to be performed within an area that is physically adjacent to a wireless production network.

Many educational institutions that offer curriculum classes in wireless technologies include protocol investigation and security configuration. Wireless technology labs help to reinforce theory and concepts, and to provide educational experiences not available through classroom lecture. Secure, remote access to lab equipment enables students to perform experiments 24/7 from any location, thus maximizing the utilization of the equipment and providing scheduling flexibility to the students. Student laboratories for wireless devices can be problematic in institutions that offer wireless network access. These production wireless environments can be disrupted or even disabled if a student misconfigures the laboratory equipment.

East Carolina University has had success with the adoption of an isolated, remotely-accessible Faraday cage (EMFaraCage® model FC-10) that houses wireless equipment, permitting even the most invasive wireless projects to be performed in an area that offers production wireless network access. Their lab isolation is optimized for the ISM 2400-2483 MHz frequency band, thus providing isolation for IEEE 802.11b/g radio communication. Current laboratory exercises include wireless access point configuration, wireless network interface card configuration, wireless network sniffing, WEP cracking, rogue access point detection, and wireless-based DoS attacks.

Remote control of devices inside a faraday cage is inherently problematic. Any wiring penetrating the wall of the cage is a potential source for RF leakage. Their approach was to use fiber optic cable for all data transmission into and out of the isolation area. Power delivery into the isolation area required care to provide grounding filters for the frequency range of concern. Heat dissipation from the isolation area was aided by forced airflow through the cage.

 

Purpose

The goal of this project was to provide the student with a fundamental understanding of wireless network security principles and implementation scenarios. To that end, a variety of security topologies, technologies and concepts used to provide secure communications channels are presented. An abbreviated list of subjects includes:

• Explain the goals and factors involved in a wireless network security strategy.
• Explain several popular wireless network attacks and configure wireless security to mitigate vulnerabilities.
• Explain popular wireless protocols, and apply the protocols in a wireless networked environment.
• Explain and demonstrate the concepts of wireless data transfer security issues and techniques used to secure wireless data, such as WAP, WTLS, and WEP.
• Explain, model, and configure wireless network security perimeters.
• Define and implement wireless intrusion detection systems (IDS) and honeypots, and provide examples of several detection methods.

 

Implementation of the Faraday Cage

General hardware requirements for the project include four computers with wireless access, a wireless access controller, and ancillary equipment. Specific hardware requirements include a model FC-10 EMFaraCage® Faraday Cage manufactured by LBA, Greenville, NC; two Axis copper-to-fiber converters (AT-MC13); and a remote portal computer.

Physical connectivity of the lab devices relied on different OSI Layer 1 media. As shown in Figure 1, the equipment was arranged in a pod, enclosed inside a Faraday cage, and accessible to students through a fiber hole.

Figure 1: Topology for the various lab components.

 

Students control four computers and a Wireless Access Point (WAP). Computers are labeled WKSta1, WKSta2, Attacker, and WAP Controller. WAP Controller is used to directly connect to the WAP for configuration. The maximum number of computers required by any lab module is four. Each computer is connected to the Remote Portal through the Catalyst 2950 switch via two media converters.

Two AT-MC13 media converters are used to pass external and internal network signals through the Faraday cage without interfering with other wireless transmissions. These signals are passed into and out of the Faraday cage through fiber optic cable passing through waveguide openings. The physical configuration of the waveguides is designed to block the specific RF frequencies of concern; other, out-of-band frequencies are still able to pass through the openings. One of the waveguide openings can be seen in Figure 2.

One converter receives network traffic from the network 10Base-T port and converts the traffic to light signals. The light signals are transmitted across SC/ST fiber optic cables to the other converter, where the signals are converted back to electronic form and sent through a 10Base-T port to the destination network. Figures 3 and 4 show the Faraday cage with the cover on and off.

Figure 2: Faraday Cage side showing waveguide opening at the upper right hand corner.

Figure 3: Faraday Cage with cover on.

Figure 4: Faraday Cage with cover off.

 

Remote portal operation consists of a firewall, student reservation system, and access to pod devices. This section describes remote portal operation and student access.

Unnecessary services should not be run on the remote portal. Only the secure shell (SSH) daemon is needed, and all other unnecessary services should be disabled or uninstalled.

The firewall routing table permits only SSH traffic to the remote portal from the Internet. From the internal network, only VNC ESTABLISHED traffic is permitted into the remote portal. VNC traffic is tunneled from the student to the remote portal, the encryption is stripped, and resulting VNC traffic is passed to the pod devices. On return, the VNC traffic is encrypted by the firewall and passed to the student. In this way, no malicious traffic can leave the remote portal and infect or attack outside computers.

Student access is controlled through a reservation application on the remote portal. Students make a reservation and have exclusive access to the equipment during that time. When the reservation has finished, the next student reservation becomes active. This permits the lab to be scaled for optimal equipment usage.

In order to access computers inside the secure network lab, students must initiate an SSH connection to the firewall. Normally, users are not permitted to connect to a perimeter firewall, but the student has no access to the firewall beyond a restrictive menu that permits only reservation scheduling and changing the user’s password. SSH connectivity must be maintained for VNC traffic to be tunneled.

A student with a current reservation to the lab Pod is able to make an SSH connection to the firewall. The student then initiates a VNC session with a VNC client. The VNC information is tunneled to the firewall, where the VNC information is stripped from the SSH encryption. The firewall initiates a 3-way TCP handshake with the Pod computer. However, VNC traffic from the source (student) to the destination (remote computer) is blocked by the firewall. The reservation database is checked to confirm that the user has a valid reservation and the IP network address is correct. If the information is valid, then the connection process continues. Periodically, the current time is compared against the reservation expiration time. If the two times are the same, then the student is blocked from access.
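The reservation check described above, sketched as an added example (it is not the East Carolina University portal's code). The `Reservation` fields, the function names and the sample data are assumptions; the expiry test uses `>=` rather than an exact match so that a periodic check that runs a few seconds late still ends the session.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Reservation:
    user: str
    start: datetime
    end: datetime
    allowed_net: str  # assumed field: network the student connects from

# Constructed sample data (documentation address ranges).
RESERVATIONS = [
    Reservation("alice", datetime(2024, 3, 1, 14), datetime(2024, 3, 1, 15), "198.51.100.0/24"),
    Reservation("bob", datetime(2024, 3, 1, 15), datetime(2024, 3, 1, 16), "203.0.113.0/24"),
]

def find_active(reservations, user, src_ip, now):
    """Return the reservation that authorizes this user, source and time, else None."""
    try:
        src = ip_address(src_ip)
    except ValueError:
        return None  # unparseable source address: default deny
    for r in reservations:
        if r.user == user and r.start <= now < r.end and src in ip_network(r.allowed_net):
            return r
    return None

def authorize_forward(reservations, user, src_ip, now):
    """Gate run before the portal opens the TCP connection to a pod computer."""
    return find_active(reservations, user, src_ip, now) is not None

def must_disconnect(reservation, now):
    """Periodic expiry check; >= so a check that runs late still fires."""
    return now >= reservation.end

def session_cut_time(reservations, user, src_ip, login, check_every):
    """Step the periodic check forward from login; return when the session is cut."""
    if check_every <= timedelta(0):
        raise ValueError("check interval must be positive")
    r = find_active(reservations, user, src_ip, login)
    if r is None:
        return None  # never admitted
    now = login
    while not must_disconnect(r, now):
        now += check_every
    return now
```

With a 45-second check interval and a login at 14:00:20, no check ever lands exactly on 15:00:00, which is why the comparison is written as an inequality.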

A VNC server is loaded on each Pod computer and is used by students to access the remote Pod computers.

 

Information in this application note is courtesy of Dr. Lee Toderick, School of Information and Technology, East Carolina University, Greenville, NC.


For more information, feel free to call Jerry Brown at +1 (252) 757-0279. You can also email us at lbagrp@lbagroup.com.

