Wireless LAN Security

LAN Security Powerpoint

Uploaded by

Sahar Sadeghi
Copyright
© Attribution Non-Commercial (BY-NC)

Wireless Network Security

Introduction

Wireless networks have become increasingly popular because:


- Less expensive than wired networks
- Can be quickly deployed
- Increased use of laptops as the primary computing device

Types of Wireless Technology

- Early wireless networks were nonstandard implementations
- Now, several standards exist, including:
  - 802.11
  - HiperLAN
  - HomeRF SWAP
  - Bluetooth

Types of Wireless Technology (cont.)

From a functional perspective, WLANs are categorized as:


- Peer-to-peer wireless LANs
- Multiple point wireless LANs
- Building-to-building wireless networks
  - Point-to-point
  - Point-to-multipoint

Wireless Data Networks


[Figure: data rates (9.6 Kbps to 50 Mbps) plotted against coverage area (local to wide) for infrared wireless LANs, spread spectrum wireless LANs, narrow band wireless LANs, 2.5 GHz service, broadband PCS, circuit and packet data (cellular, CDPD, Mobitex, DataTac), narrowband PCS, and satellite]

Wireless Technologies
PAN (Personal Area Network)
- Standards: Bluetooth
- Speed: <1 Mbps
- Range: Short
- Applications: Peer-to-Peer, Device-to-Device

LAN (Local Area Network)
- Standards: 802.11a, 11b, 11g, HiperLAN2
- Speed: 2-54+ Mbps
- Range: Medium
- Applications: Enterprise Networks

MAN (Metropolitan Area Network)
- Standards: 802.11, MMDS, LMDS
- Speed: 22+ Mbps
- Range: Medium-Long
- Applications: Fixed, Last Mile Access

WAN (Wide Area Network)
- Standards: GSM, GPRS, CDMA, 2.5-3G
- Speed: 10-384 Kbps
- Range: Long
- Applications: PDAs, Mobile Phones, Cellular Access

WLAN Evolution: 2000 Present


[Figure: WLAN evolution timeline, 1986 to 2002]

- Speed: 860 Kbps, then 1 and 2 Mbps, then 11 Mbps, then 54 Mbps
- Network: proprietary, then standards-based
- Radio: 900 MHz, then 2.4 GHz, then 5 GHz
- Milestones: IEEE 802.11 begins drafting; 802.11 ratified; 802.11a,b ratified; 802.11g drafted
- Markets: warehousing, retail, healthcare, education, businesses, home

Wi-Fi

- Wi-Fi Alliance
  - Wireless Fidelity Alliance
  - 170+ members
  - Over 350 products certified
- Wi-Fi's Mission
  - Certify interoperability of WLAN products (802.11)
  - Wi-Fi is the stamp of approval
  - Promote Wi-Fi as the global standard

Types of Wireless Technology (cont.)

From a technology view, there are other standards:

HiperLAN

A standard used in Europe in the 5 GHz band

Types of Wireless Technology (cont.)

HomeRF SWAP

A standard used to communicate between computers and appliances in a home in the 2.4 GHz band

Bluetooth

Personal area network that uses low power and short range connectivity in the 2.4 GHz range

Unlicensed Frequency Bands


[Figure: the unlicensed bands located on the radio spectrum, alongside AM broadcast, short wave radio, FM broadcast, television, audio, cellular (840 MHz), NPCS (1.9 GHz), infrared wireless LAN, visible light, ultraviolet and X-rays]

- 902-928 MHz (26 MHz)
- 2.4-2.4835 GHz (83.5 MHz) (IEEE 802.11): 802.11b and 802.11g
- 5 GHz (IEEE 802.11): HiperLAN, HiperLAN 2, 802.11a

802.11 Wireless Technology

- 802.11 is a standard established by IEEE
- IEEE group responsible for defining interface between wireless clients and their network access points in wireless LANs

802.11 Wireless Technology (cont.)

- 802.11-based technologies take advantage of the radio spectrum usable by the public
  - 2.4 to 2.4835 GHz for 802.11 and 802.11b
  - 5.15 to 5.825 GHz for 802.11a
- There is a whole series of 802.11 standards

Two Different Implementations of Wireless LAN Technology

Wireless Networking
Mobile user connectivity

Wireless Bridging
LAN-to-LAN connectivity

Security Issues

- Transmission through air presents some different problems than transmission through wires
- Attacker does not have to be within the premises to launch an attack
- Availability of sniffers
  - If a static WEP key is deciphered through a tool such as AirSnort, the administrator has no way of knowing that the key has been compromised by a hacker.
  - Example: AirSnort is a package that can capture encrypted packets (http://airsnort.shmoo.com/)

Older Security Methods

Older forms of security on WLANs

- SSID
- Authentication controlled by MAC
- Wired Equivalency Privacy
  - 802.11: 40 bit keys, 128 bit keys (optional)
  - Part of the association process
  - Uses the RC4 stream cipher of RSA Data Security, Inc. for encryption

802.11 Open Authentication


[Figure: a client exchanging RF packets with Access Point A and Access Point B]

Initial Connection to an Access Point

- Client sends probe request.
- AP (A/B) send probe response. Client evaluates AP response, selects best AP.
- Client sends authentication request to selected AP (A).
- AP (A) confirms authentication and registers client.
- Client sends association request to selected AP (A).
- AP (A) confirms association and registers client.

802.11 Shared Key Authentication


[Figure: a client exchanging RF packets with Access Point A and Access Point B]

Steps 1-3 are the same as Open Authentication.

- Client sends an authentication request to AP (A).
- AP (A) sends authentication response containing the unencrypted challenge text.
- Client encrypts the challenge text using one of its WEP keys and sends it to AP (A).
- AP (A) compares the encrypted challenge text with its copy of the encrypted challenge text. If the text is the same, AP (A) will allow the Client onto the WLAN.

802.11 Security Issues

SSID (Service Set Identifier)


- 32 ASCII character string
- If access point broadcasts SSID under 802.11, any client with a NULL string will associate to any access point regardless of SSID setting on access point
- Default setting on most access points is to broadcast the SSIDs
- SSIDs are sent in plain text
- This should not be considered a security feature

What are the default SSIDs?


- 101 (3Com)
- linksys (Linksys)
- intel (Intel)
- WLAN (Addtron)
- Compaq (Compaq)
- tsunami (Cisco)
- wireless (Netgear)

Attackers can use these default SSIDs to attempt to penetrate base stations that are still in their default configuration.

802.11 Security Issues (cont.)


- Assumes threat is outside the LAN
- Hardware theft
- Rogue APs

802.11 Security Issues (cont.)


- Authentication is one-way
- No way to dynamically generate keys
- No integration with existing network authentication methods on LAN

802.11 Security Issues (cont.)

- Authentication is device-based
- No method for account auditing

Access Point Security

- Part of the concern about access points is physical security
- When shipped, access points generally rely on HTTP, Telnet, or SNMP for configuration
- The suggestion is that HTTPS or SSH be used instead

Access Point Security (cont.)

A final concern is unauthorized or rogue access points

MAC Address Filtering

- MAC address filtering is possible for small WLAN networks
- For larger networks with SSID and WEP segmentation, it may be a nightmare
- Further, MAC addresses can be spoofed

Improved Security

- 802.1X for WLANs
- VPN over WLAN

802.1X for WLANs

802.1X for 802.11

- Current security recommendation from 802.11i
- Based on EAP framework
- Improved user authentication credentials
- Session-based encryption keys
- Centralized user administration

802.1X Advantages for WLANs


- Mutual authentication
- Encryption keys derived dynamically
- Ability to refresh encryption keys
- Centralized user and key management

Improved Security

- Coverage extending beyond the facility
- Two way verification

How it Works
- Supplicant (public/semi-public network): operates on client
- Authenticator (enterprise edge): operates on devices at network edge, like APs and switches
- Authentication Server (enterprise network): EAP plug-in goes in RADIUS server

How it Works on the WLAN


- Supplicant (public/semi-public network): operates on client
- Authenticator (enterprise edge): Access Point acting as Authenticator; 802.1X traffic only
- Authentication Server (enterprise network): EAP plug-in goes in RADIUS server

802.1X over Wireless Steps


[Figure: message sequence between Client, Access Point (Authenticator) and RADIUS Server. Messages shown: associate, logon, EAP request, EAP response, access request, access challenge, access success, EAP success]

- Access Point ignores all requests until network logon
- RADIUS server authenticates client
- Client authenticates RADIUS server (process repeats in reverse)
- Client and RADIUS server derive session WEP key
- RADIUS server passes session key to Access Point
- Client and Access Point start using encryption

802.1X/EAP (cont.)

802.1X/EAP

802.1X/EAP looks at ways to provide centralized authentication and dynamic key distribution

802.1X/EAP (cont.)

Three steps:

- Mutual authentication between client and authentication (RADIUS) server
- Encryption keys dynamically derived after authentication
- Centralized control policy, where session time-out triggers reauthentication and new encryption key generation
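
Added example (not part of the original slides): a small Python model of the three steps above, showing the access point passing only 802.1X traffic until logon, both sides proving themselves, a per-session key reaching the AP, and a session time-out forcing a new key. The HMAC challenge-response is a simplified stand-in for an EAP method, not a real one, and every class and method name is hypothetical.

```python
import hashlib
import hmac
import os

def tag(secret: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(secret, label + data, hashlib.sha256).digest()

class RadiusServer:
    def __init__(self, users):
        self.users = users  # username -> shared secret
    def challenge(self):
        return os.urandom(16)
    def authenticate(self, user, s_chal, c_resp, c_chal):
        """Return (server proof, session key), or None for an access reject."""
        secret = self.users.get(user)
        if secret is None or not hmac.compare_digest(tag(secret, b"client", s_chal), c_resp):
            return None
        return tag(secret, b"server", c_chal), tag(secret, b"key", s_chal + c_chal)

class Supplicant:
    def __init__(self, addr, user, secret):
        self.addr, self.user, self.secret, self.key = addr, user, secret, None
    def respond(self, s_chal):
        self.s_chal, self.c_chal = s_chal, os.urandom(16)
        return tag(self.secret, b"client", s_chal), self.c_chal
    def finish(self, server_proof):
        # Mutual authentication: the client verifies the server's proof as well.
        if not hmac.compare_digest(server_proof, tag(self.secret, b"server", self.c_chal)):
            return False
        self.key = tag(self.secret, b"key", self.s_chal + self.c_chal)
        return True

class AccessPoint:
    def __init__(self, radius):
        self.radius, self.session_keys = radius, {}
    def forwards(self, addr, frame_type):
        # Before logon only 802.1X (EAP) frames pass; data frames are dropped.
        return frame_type == "eap" or addr in self.session_keys
    def logon(self, sup):
        s_chal = self.radius.challenge()
        c_resp, c_chal = sup.respond(s_chal)
        result = self.radius.authenticate(sup.user, s_chal, c_resp, c_chal)
        if result is None or not sup.finish(result[0]):
            return False
        self.session_keys[sup.addr] = result[1]  # key passed on by the RADIUS server
        return True
    def session_timeout(self, addr):
        # Policy: drop the key so the client must reauthenticate for a new one.
        self.session_keys.pop(addr, None)
```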

RADIUS Authentication

- RADIUS gives further security
- Not all access points support RADIUS
- RADIUS is not part of 802.11 standard
- However, RADIUS does not encrypt data
- Used when authentication is more important than encryption

Non 802.1X Approach: VPN over WLAN

- Alternative to 802.1X over WLAN
- VPN/IPSec over WLAN
- Provides encryption
- Provides centralized user authentication and administration

[Figure labels: Access Point, VPN Concentrator, DHCP/RADIUS/OTP Servers]

WLAN VPN

- The use of WLAN VPN makes 802.11 security standards, SSID, WEP, and MAC address filtering redundant
- Problems with WLAN VPN
  - Requires additional CPU overhead
  - Could be prohibitively expensive to set up a new one

IPsec

- IPsec VPNs use the services within IPsec to ensure confidentiality, integrity, and authenticity
- To deploy, an IPsec client is placed in every PC connected to the wireless network

IPsec (cont.)

- Filters are put in place to prevent wireless traffic from reaching anywhere except the VPN gateway and Dynamic Host Configuration Protocol (DHCP) or Domain Name System (DNS) server
- IPsec uses 3DES or AES

VPN WLAN Design

WLAN Design Guidelines

Access point security recommendations:

- Enable centralized user authentication (RADIUS, TACACS+) for the management interface
- Choose strong community strings for Simple Network Management Protocol (SNMP) and change them often

WLAN Design Guidelines (cont.)

- Consider using SNMP Read Only if your management infrastructure allows it
- Disable any insecure and nonessential management protocol provided by the manufacturer
- Utilize secure management protocols, such as Secure Shell Protocol (SSH)

WLAN Design Guidelines (cont.)

- Limit management traffic to a dedicated wired subnet.
- Isolate management traffic from user traffic and encrypt all management traffic where possible.
- Enable wireless frame encryption where available.
- Physically secure the access point.

WLAN Design Guidelines (cont.)

Client security recommendations:


- Disable ad hoc mode.
- Enable wireless frame encryption where available.
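
Added example (not part of the original slides): the access point and client recommendations above, plus the default SSID list from the earlier slide, turned into a configuration audit in Python. The config field names, the minimum community string length and the two sample configurations are assumptions made for illustration.

```python
# Default SSIDs from the slide above (lower-cased), mapped to vendor.
DEFAULT_SSIDS = {"101": "3Com", "linksys": "Linksys", "intel": "Intel",
                 "wlan": "Addtron", "compaq": "Compaq", "tsunami": "Cisco",
                 "wireless": "Netgear"}
INSECURE_MGMT = {"http", "telnet"}        # the slides suggest HTTPS or SSH
WEAK_COMMUNITIES = {"public", "private"}  # common SNMP default strings
MIN_COMMUNITY_LEN = 12                    # assumed local policy value

def audit_access_point(cfg):
    """Return findings for one AP config dict (field names are hypothetical)."""
    findings = []
    ssid = cfg.get("ssid", "").lower()
    if ssid in DEFAULT_SSIDS:
        findings.append("default SSID (%s)" % DEFAULT_SSIDS[ssid])
    for proto in sorted(INSECURE_MGMT & set(cfg.get("mgmt_protocols", []))):
        findings.append("insecure management protocol: " + proto)
    if cfg.get("mgmt_auth") not in ("radius", "tacacs+"):
        findings.append("management logins not centrally authenticated")
    snmp = cfg.get("snmp")
    if snmp is not None:
        community = snmp.get("community", "")
        if community.lower() in WEAK_COMMUNITIES or len(community) < MIN_COMMUNITY_LEN:
            findings.append("weak SNMP community string")
        if snmp.get("access") != "read-only":
            findings.append("SNMP is not read-only")
    if not cfg.get("dedicated_mgmt_subnet", False):
        findings.append("management traffic not on a dedicated wired subnet")
    if cfg.get("frame_encryption", "none") == "none":
        findings.append("wireless frame encryption disabled")
    return findings

def audit_client(cfg):
    """Client-side checks from the slides: ad hoc mode and frame encryption."""
    findings = []
    if cfg.get("ad_hoc", False):
        findings.append("ad hoc mode enabled")
    if cfg.get("frame_encryption", "none") == "none":
        findings.append("wireless frame encryption disabled")
    return findings

# Constructed sample configurations (not taken from any real device).
AP_FACTORY = {"ssid": "tsunami", "mgmt_protocols": ["http", "telnet", "snmp"],
              "snmp": {"community": "public", "access": "read-write"}}
AP_HARDENED = {"ssid": "corp-floor3", "mgmt_protocols": ["ssh", "https", "snmp"],
               "mgmt_auth": "radius", "dedicated_mgmt_subnet": True,
               "snmp": {"community": "n7Qw-e2Lr-x9Tz", "access": "read-only"},
               "frame_encryption": "wep-dynamic"}
```

The findings never echo the community string itself, so the audit output can be shared without leaking it.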
