Wireless Network Security

Jon P. McKinley
TS 3150 – Fundamentals of Network Design
Sunday, December 28, 2003

TABLE OF CONTENTS

Introduction
The Wireless Market
Components of a wireless network
Wireless Security Mechanisms
Categories of Attack
802.11 Attack Risks
Wireless risk mitigation
Summary
References

Introduction

Wireless networks have grown in popularity. This is largely due to the increase in the value of a network as more users are attached to it. The value added to a network by connecting more devices to it is summarized in "Metcalfe's law." Metcalfe's law states that if you "connect any number, 'n,' of machines – whether computers, phones or even cars – and you get 'n' squared potential value." [1] The incredible growth of the Internet seems to validate Metcalfe's law. It then seems reasonable that eliminating the physical constraints on connecting to a network would provide value by allowing more devices to be connected to a network regardless of physical location. Wireless networks provide that ability.

Wireless networks operate over the full spectrum of network topographies: Personal, Local, Campus, Metropolitan, and Wide Area Networks. A Personal Area Network (PAN) is "... the interconnection of information technology devices within the range of an individual person, typically within a range of 10 meters." [2] A Local Area Network (LAN) is "... a group of computers and associated devices that share a common communications line or wireless link and typically share the resources of a single processor or server within a small geographic area (for example, within an office building)." [2] A Campus Area Network (CAN) is a fiber-optic network that physically interconnects entire buildings into one giant network. While each building may have several discrete LANs within it, each building represents a single node on the CAN. [3] A Metropolitan Area Network (MAN) is "a network that interconnects users with computer resources in a geographic area or region larger than that covered by even a large [LAN] but smaller than the area covered by a wide area network (WAN [- explained next])." [2] A Wide Area Network (WAN) is "a geographically dispersed telecommunications network." [2]

Wireless networks come in many configurations and use many technologies. Figure 1 depicts an example of the wireless technologies and standards used for each of the network types defined above. The figure indicates two major categories of wireless technologies: fixed and mobile. The figure also indicates 10 technologies in use: Bluetooth, IrDA, 802.11, IR LAN, IR Bridge, Ricochet, RF Bridge, Cellular, MCS and Satellite. Virtually all of these technologies play a role in multiple topographies. It is interesting to note that the 802.11 standard has only been assigned to the Mobile LAN and CAN topographies. It has been omitted from the PAN topography. I believe this is an oversight, and I will provide the rationale for this in a later section.

Each wireless technology has unique security risks and concerns. Many of the risks and concerns are shared across technologies. Providing even a brief overview of each technology, topography, and the risks inherent to each would require a document far larger than is specified for this project.
Therefore, this document will focus on the 802.11 standard as used in the PAN and LAN topographies.

Figure 1 – Types of Wireless Networks [4]

The Wireless Market

"Over the past ten years or so an alternative to wired LAN structures has evolved in the form of the Wireless LAN. The first generation Wireless LAN products, operating in the unlicensed 900-928 MHz Industrial Scientific and Medical (ISM) band, with low range and throughput (500 Kbps) and subject to interference, came to market with few successes in some applications. They enjoyed a reputation of being inexpensive due to breakthrough developments in semiconductor technologies; on the other hand, the band became crowded with other products within a short period of time, leaving no room for further development. The second generation of WLAN products, in the 2.40-2.483 GHz ISM band and boosted by the development of semiconductor technology, was developed by a huge number of manufacturers. Using spread spectrum technology and modern modulation schemes, this generation of products was able to provide data rates up to 2 Mbps, but again the band became crowded, since [the] most widely used product in 2.4 GHz is [the] microwave oven, which caused interference. Third generation product[s] assembled with more complex modulation in [the] 2.4 GHz band allow 11 Mbps data rates. In June 1997, the IEEE finalized the initial standard for wireless LANs: IEEE 802.11. [The] [f]irst fourth generation standard, HiperLAN, came as a specification from the European Telecommunication Standard Institute (ETSI) Broadband Radio Access Network (BRAN) in 1996, operating in the 5 GHz band. Unlike the lower frequency bands used in prior generations of WLAN products, the 5 GHz bands do not have a large 'indigenous population' of potential [interferers] like microwave ovens or industrial heating systems, as was true in 900 MHz and 2.4 GHz [8]. In late 1999, IEEE published two supplements to the 802.11: 802.11b and 802.11a, following the predecessor's success and interest from the industry. ETSI's next generation HiperLAN family, HiperLAN/2, proposed in 1999 and operating in the same band as its predecessor, is still under development; the goal is to provide high-speed (raw bit rate 54 Mbps) communications access to different broadband core networks and moving terminals. It is expected that 802.11b will compete with HiperLAN/1 and 802.11a will compete with HiperLAN/2 in the near future." [5]

"As wireless technology matures, newer features and functionality will continue to be made available. Standardization organizations, like IEEE and ETSI, are providing continuous effort to meet new demands from users by introducing new standards as well as minimizing shortcomings of the previous standards. This includes performance fine-tuning, like smoother and seamless roaming capabilities as well as QoS and, most importantly, security features. These standards are currently in development, and will sit atop existing ones, delivering more robust performance Wireless LAN." [5]

The wireless market is expected to grow significantly over the next several years. As this growth occurs, solution providers will also be expected to address security concerns. [6]

Components of a wireless network

IEEE 802.11 wireless networks consist of the following components:

Stations: A station (STA) is a network node that is equipped with a wireless network device. A personal computer with a wireless network adapter is known as a wireless client. Wireless clients can communicate directly with each other or through a wireless access point (AP). Wireless clients are mobile.

Wireless APs: A wireless AP is a wireless network node that acts as a bridge between STAs and a wired network. A wireless AP contains:
o At least one interface that connects the wireless AP to an existing wired network (such as an Ethernet backbone).
o A wireless network device with which it creates wireless connections with STAs.
o IEEE 802.1D bridging software, so that it can act as a transparent bridge between the wireless and wired networks.
The wireless AP is similar to a cellular phone network's base station. Wireless clients communicate with both the wired network and other wireless clients through the wireless AP. Wireless APs are not mobile and act as peripheral bridge devices that extend a wired network.

Ports: A port is a channel of a device that can support a single point-to-point connection. For IEEE 802.11b, a port is an association, a logical entity over which a single wireless connection is made. A typical wireless client with a single wireless network adapter has one port and can support only one wireless connection. A typical wireless AP has multiple ports and can simultaneously support multiple wireless connections. The logical connection between a port on the wireless client and the port on a wireless AP is a point-to-point bridged LAN segment, similar to an Ethernet-based network client that is connected to an Ethernet switch.

IEEE 802.11 defines two operating modes: ad hoc mode and infrastructure mode. In ad hoc mode, also known as peer-to-peer mode, wireless clients communicate directly with each other (without the use of a wireless AP). Two or more wireless clients that communicate using ad hoc mode form an Independent Basic Service Set (IBSS). Ad hoc mode is used to connect wireless clients when a wireless AP is not present. Figure 2 – Ad hoc mode depicts the configuration of an ad hoc mode network.

Figure 2 – Ad hoc mode

In infrastructure mode, there is at least one wireless AP and one wireless client. The wireless client uses the wireless AP to access the resources of a wired network. The wired network can be an organization intranet or the Internet, depending on the placement of the wireless AP. A single wireless AP that supports one or multiple wireless clients is known as a Basic Service Set (BSS). A set of two or more wireless APs that are connected to the same wired network is known as an Extended Service Set (ESS). An ESS is a single logical network segment (also known as a subnet), and is identified by its Service Set Identifier (SSID). If the coverage areas of the wireless APs in an ESS overlap, then a wireless client can roam, or move from one location (with a wireless AP) to another (with a different wireless AP) while maintaining Network layer connectivity. Figure 3 – Infrastructure mode depicts an infrastructure mode network.

Figure 3 – Infrastructure mode

Wireless Security Mechanisms

The IEEE 802.11 standard defines the following mechanisms for wireless security:
o Identification through open system authentication
o Authentication through shared key authentication
o Data confidentiality through Wired Equivalent Privacy (WEP)

Open system authentication does not provide authentication, only identification using the wireless adapter's MAC address.
Open system authentication is used when no authentication is required. Some wireless APs allow the configuration of the MAC addresses of allowed wireless clients (MAC filtering). Figure 4 – 802.11 MAC filtering depicts MAC filtering.

Figure 4 – 802.11 MAC filtering

Shared key authentication verifies that an authenticating wireless client has knowledge of a shared secret. This is similar to pre-shared key authentication in Internet Protocol security (IPsec). It is a simple "challenge-response" scheme based on whether a client has knowledge of a shared secret. In this scheme, a random challenge is generated by the access point and sent to the wireless client. The client, using a cryptographic key (WEP key) that is shared with the AP, encrypts the challenge (or "nonce," as it is called in security vernacular) and returns the result to the AP. The AP decrypts the result computed by the client and allows access only if the decrypted value is the same as the random challenge transmitted. [8] The 802.11 standard currently assumes that the shared key is delivered to participating STAs through a secure channel that is independent of IEEE 802.11. In practice, this secret is manually configured on both the wireless AP and the client. Because the shared key authentication secret must be distributed manually, this method of authentication does not scale to a large infrastructure mode network (for example, corporate campuses and public places, such as malls and airports). Figure 5 – Shared key authentication depicts this authentication method.

Figure 5 – Shared key authentication

WEP is intended to provide a level of data confidentiality equivalent to that of a wired network. WEP provides data confidentiality services by encrypting the data sent between wireless nodes. WEP encryption uses the RC4 symmetric stream cipher with either a 40-bit or 104-bit encryption key. WEP provides data integrity against random errors by including an integrity check value (ICV) in the encrypted portion of the wireless frame. Figure 6 – WEP encryption depicts the WEP encryption process.

Figure 6 – WEP encryption

Taken all together, MAC address filtering, shared key authentication and WEP encryption provide authenticated and encrypted network services.
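The two mechanisms just described, shared key authentication and WEP framing, carried through as an added example (not code from the paper or from the 802.11 standard): a small RC4, WEP encryption with the ICV inside the encrypted portion, and the four-way challenge-response with one function per side. The 13-byte key and the 128-octet challenge length are assumptions; the ICV byte order is likewise an assumption of this example.

```python
import os
import zlib

# Constructed 104-bit (13-byte) WEP key, standing in for the secret that the
# paper says is configured by hand on both the AP and the client.
WEP_KEY = bytes.fromhex("0123456789abcdef0123456789")


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: key scheduling, then XOR data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Build IV || RC4(IV || key, plaintext || ICV) with ICV = CRC-32(plaintext).

    The 24-bit IV travels in the clear; 24 + 104 bits is the "128-bit WEP"
    of the mitigation section, 24 + 40 bits the 64-bit variant.
    """
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("WEP needs a 3-byte IV and a 5- or 13-byte key")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")   # byte order assumed
    return iv + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, frame: bytes):
    """Return the plaintext, or None when the ICV does not match (random error)."""
    iv, body = frame[:3], frame[3:]
    if len(body) < 4:
        return None
    decrypted = rc4(iv + key, body)
    plaintext, icv = decrypted[:-4], decrypted[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        return None
    return plaintext


# Shared key authentication, one function per side of the exchange.
def ap_challenge() -> bytes:
    """AP -> STA: random challenge text, sent unencrypted (128 octets assumed)."""
    return os.urandom(128)


def sta_response(key: bytes, challenge: bytes) -> bytes:
    """STA -> AP: the challenge WEP-encrypted under the shared key and a fresh IV."""
    return wep_encrypt(key, os.urandom(3), challenge)


def ap_verify(key: bytes, challenge: bytes, response: bytes) -> bool:
    """AP decrypts the response; access only if the ICV holds and the text matches."""
    return wep_decrypt(key, response) == challenge


def run_exchange():
    """Honest client, a client whose key differs from the AP's, and a bit error."""
    challenge = ap_challenge()
    response = sta_response(WEP_KEY, challenge)
    accepted = ap_verify(WEP_KEY, challenge, response)
    rejected = ap_verify(bytes(13), challenge, response)   # AP holds another key
    damaged = bytearray(response)
    damaged[10] ^= 0x01                                    # random error in transit
    return accepted, rejected, wep_decrypt(WEP_KEY, bytes(damaged))
```

Running `run_exchange()` shows the three outcomes the text describes: the client holding the shared key is admitted, a key mismatch is refused, and a frame hit by a random bit error fails its ICV check and is discarded.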
The following sections of this document will identify security risks to wireless networks using these standards, as well as risk-mitigating techniques and standards.

Categories of Attack

802.11 wireless network attacks can be placed in two categories: passive and active attacks.

Figure 7 – Categories of Attacks

[Passive attacks are attacks] in which an unauthorized party simply gains access to an asset and does not modify its content (i.e., eavesdropping). Passive attacks can be either simple eavesdropping or traffic analysis (sometimes called traffic flow analysis). These two passive attacks are described below.
o Eavesdropping – The attacker simply monitors transmissions for message content. An example of this attack is a person listening in to the transmissions on a LAN between two workstations or tuning into transmissions between a wireless handset and a base station.
o Traffic analysis – The attacker, in a more subtle way, gains intelligence by monitoring the transmissions for patterns of communication. A considerable amount of information is contained in the flow of messages between communicating parties.

[Active attacks are attacks] whereby an unauthorized party makes modifications to a message, data stream, or file. It is possible to detect this type of attack, but it may not be preventable. Active attacks may take the form of one of four types (or a combination thereof): masquerading, replay, message modification, and denial-of-service (DoS). These attacks are defined below.
o Masquerading – The attacker impersonates an authorized user and thereby gains certain unauthorized privileges.
o Replay – The attacker monitors transmissions (passive attack) and retransmits messages as the legitimate user.
o Message modification – The attacker alters a legitimate message by deleting, adding to, changing, or reordering it.
o Denial-of-service – The attacker prevents or prohibits the normal use or management of communications facilities.

All risks against 802.11 are the result of one or more of these attacks. The consequences of these attacks include loss of proprietary information, legal and recovery costs, tarnished image, and loss of network service.

802.11 Attack Risks

The 802.11 attacks mentioned in the previous section can be carried out by a myriad of sources, from current and past employees to industrial spies or war-drivers. "War driving is the act of locating and possibly exploiting connections to wireless local area networks while driving around a city or elsewhere. To do war driving, you need a vehicle, a computer (which can be a laptop), a wireless Ethernet card set to work in promiscuous mode, and some kind of an antenna which can be mounted on top of or positioned inside the car." [9]

Inherent in the nature of wireless networks, securing physical access to the network is difficult because of the nature of radio frequency transmissions. Anyone within operational range of an access point or STA can conduct an attack. This puts all wireless networks at risk. In this section, I will describe some of the attacks that can be carried out on a wireless network.
The first 802.11 attack risk I will discuss deals with open system authentication. Open system authentication is not secure because the MAC address of a wireless client can be spoofed. This is a "masquerading" attack. Recall from an earlier section (Figure 4 – 802.11 MAC filtering) that APs typically can filter STAs that do not have a MAC address in the AP's list. Because MAC addresses are transmitted in the clear from a STA to an AP, the MAC address can be easily captured. Malicious users can spoof a MAC address by changing the actual MAC address on their computer to a MAC address that has access to the wireless network. Using a MAC access control list (ACL) does not provide a significant level of security, but may keep the casual "hacker" off of an AP.

Shared key authentication is a risky scheme because there is a "human in the loop." As described in Figure 5 – Shared key authentication, the shared key must be assigned outside of the 802.11 standard. Anyone who obtains a valid WEP key can gain access to the network. Since this does not positively identify a user, there is little possibility of discovering that someone is "masquerading" on the network. This scheme can be enhanced by combining the MAC address list with shared key authentication, but since the MAC address can be easily spoofed, even the combination of the two schemes provides little to deter a skilled hacker.

WEP provides better security, but it is still prone to attack. One significant problem is that WEP keys are distributed through a "human-in-the-loop" process, the same way shared key authentication keys are. Additionally, there is no defined mechanism to change the WEP key, either per authentication or at periodic intervals over the duration of an authenticated connection. All wireless APs and STAs use the same manually configured WEP key for multiple connections and authentications. With multiple STAs sending large amounts of data, it is possible for a hacker to remotely capture large amounts of WEP ciphertext (the encrypted information being transferred) and use cryptanalysis methods to determine the WEP key. Thus, the hacker can use the WEP key to decipher all subsequent packets. This is a type of "passive" attack that enables a user to then execute any of the "active" attacks listed in Figure 7. However, without WEP, eavesdropping and remote packet sniffing would be very easy. WEP will definitely keep all but the skilled hackers from compromising a network.
Wireless risk mitigation

Netgear, Inc. has defined 10 simple and inexpensive steps to securing wireless networks. [10]

1. Enable the highest level of WEP (Wired Equivalent Privacy) that ships with the access point. WEP may be flawed; however, it does provide some protection. 802.11b and 802.11g provide up to 128-bit WEP, while 802.11a provides up to 152-bit WEP encryption.

2. Change the default SSID (Service Set ID) that ships with your access points and/or wireless router. For example, the default name of a NETGEAR Access Point and Router is 'Wireless.' Finding an access point with the default SSID signals an unguarded access point.

3. Implement infrastructure mode, where all wireless clients on a network link directly via an access point or wireless router. Disable the 'Ad-Hoc' mode, which enables a peer-to-peer network and allows a user to connect with other wireless LAN cards. This opens the door for any hacker in wireless range to access your network through a legitimate wireless user.

4. Set up MAC address authentication via ACLs. Configure your access points so they allow only clients with specific MAC addresses to access the network, or allow access to only a given number of MAC addresses.

5. Disable the 'broadcast' mode in which access points periodically transmit their SSID. Since hackers know the default names of many access points, they can use freeware utilities, or even Windows XP, to find the names of nearby wireless networks.

Little More Involved

6. If you're running SNMP (Simple Network Management Protocol) agents on your access points, assign a non-obvious name to the 'community' that identifies which management applications can communicate with those agents. That way, wireless hackers can't just sniff around for the default community names that ship with many management tools.

7. Perform a regular audit for rogue access points. NETGEAR recommends that you scan at least once a quarter, if not once a month. This can be as easy as walking around with a wireless notebook equipped with free sniffer software such as NetStumbler (or Windows XP), or as ambitious as using SNMP queries to find new devices that have been added to your network. Once you find the rogue access points, you'll need to be able to shut them down or reconfigure them.

8. Place access points on separate subnets and put a firewall between that subnet and the main corporate network. This mimics the architecture of many security tools that put a gateway or other security server between the access points and the wired network.

Even More Secure

9. Implement Virtual Private Networking (VPN) over the wireless LAN. This technology makes it possible for users to communicate securely via a VPN tunnel between the client desktop or notebook PC and the wireless access point or router. VPNs employ encryption and strong authentication methods as mechanisms for hiding or masking information about the private network topology from potential attackers on the public network. This solution typically requires a separate VPN server.

10. Educate your network users about the security risks of wireless networks. If you are in a corporate environment, you can then create and enforce a wireless security policy.

By using these 10 steps, you can mitigate the risks that all but the most talented and determined hackers present.

Summary

The IEEE 802.11 standard is still relatively new. As the standard matures, more emphasis will be placed on its current shortcomings.
IEEE has already begun finalizing a standard called 802.11i that will plug many of the holes in the previous 802.1x standards. In that standard, there are two major improvements: Wi-Fi Protected Access (WPA) and Extensible Authentication Protocol (EAP). To improve data encryption, WPA utilizes the Temporal Key Integrity Protocol (TKIP). TKIP provides important data encryption enhancements, including a per-packet key mixing function, a message integrity check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. Through these enhancements, TKIP addresses all of WEP's known vulnerabilities.

WEP has almost no user authentication mechanism. To strengthen user authentication, WPA will implement 802.1x and EAP. Together, these implementations provide a framework for strong user authentication. This framework utilizes a central authentication server, such as RADIUS, to authenticate each user on the network before they join it, and also employs "mutual authentication" so that the wireless user doesn't accidentally join a rogue network that might steal its network credentials.

In addition to the issues addressed in the 802.11i standard, third-party software vendors are rapidly creating and marketing wireless security services and third-party solutions. As the wireless market matures, it will become increasingly difficult to "crack" wireless network security.
References

[1] web – Metcalfe's Law and Legacy
[2] web – Whatis.com
[3] web – LAN FAQ 1
[4] web – Canadian Information Processing Society
[5] web iqbal.pdf – Wireless LAN Technology: Current State and Future Trends
[6] web – [Wireless] Market Overview
[7] web – Microsoft TechNet
[8] web – Wireless Network Security
[9] web (war driving) – Whatis.com
[10] web docs/10StepsWirelessSecurity.pdf – Ten Easy Steps for Wireless LAN Security