WIRELESS SECURITY
WLANs allow greater flexibility and portability than traditional wired local area networks (LANs). Unlike a traditional LAN, which requires a wire to connect a user's computer to the network, a WLAN connects computers and other components to the network using an access point device.
An access point communicates with devices equipped with wireless network adapters. It connects to a wired Ethernet LAN via an RJ-45 port. Access point devices typically have coverage areas of up to 300 feet (approximately 100 metres). This coverage area is called a cell or range. Users move freely within the cell with their laptop or other network device. Access point cells can be linked together to allow users to 'roam' within a building or even between buildings.
- IEEE ratified 802.11 in 1997.
~ Also known as Wi-Fi.
- Wireless LAN at 1 Mbps & 2 Mbps.
- WECA (Wireless Ethernet Compatibility Alliance) promoted interoperability.
~ Now the Wi-Fi Alliance.
- 802.11 focuses on Layer 1 & Layer 2 of the OSI model.
~ Physical layer
~ Data link layer
802.11 Components
- Two pieces of equipment defined:
~ Wireless station
- A desktop or laptop PC or PDA with a wireless NIC.
~ Access point
- A bridge between wireless and wired networks.
- Composed of
- Radio
- Wired network interface (usually 802.3)
- Bridging software
- Aggregates access for multiple wireless stations to wired network
802.11 modes
- Infrastructure mode
- Basic Service Set (BSS)
- One access point
- Extended Service Set
- Two or more BSSs forming a single subnet.
- Most corporate LANs are in this mode.
- Ad-hoc mode
- Also called peer-to-peer.
- Independent Basic Service Set
- Set of 802.11 wireless stations that communicate directly without an access point.
- Useful for quick & easy wireless networks.
Infrastructure mode
Ad-hoc mode
802.11 Physical Layer
1. Originally three alternative physical layers
~ Two incompatible spread-spectrum radios in the 2.4 GHz ISM band
- Frequency Hopping Spread Spectrum (FHSS)
- 75 channels
- Direct Sequence Spread Spectrum (DSSS)
- 14 channels (11 channels in US)
~ One diffuse infrared layer
~ 802.11 speed
- 1 Mbps or 2 Mbps.
802.11 Data Link Layer
~ Layer 2 split into:
~ Logical Link Control (LLC).
~ Media Access Control (MAC).
~ LLC - same 48-bit addresses as 802.3.
~ MAC - CSMA/CD not possible.
~ Can't listen for collisions while transmitting.
~ CSMA/CA - Collision Avoidance.
- Sender waits for clear air, waits a random time, then sends data.
- Receiver sends an explicit ACK when data arrives intact.
- Also handles interference.
- But adds overhead.
~ 802.11 is always slower than the equivalent 802.3.
RTS / CTS
1. To handle hidden nodes
2. Sending station sends
- “Request to Send”
3. Access point responds with
- “Clear to Send”
-All other stations hear this and delay any transmissions.
4. Only used for larger pieces of data.
- When retransmission may waste significant time.
802.11b
1. 802.11b ratified in 1999 adding 5.5 Mbps and 11 Mbps.
2. DSSS as physical layer.
- 11 channels (3 non-overlapping)
3. Dynamic rate shifting.
- Transparent to higher layers
- Ideally 11 Mbps.
- Shifts down through 5.5 Mbps, 2 Mbps to 1 Mbps.
- Higher ranges.
- Interference.
- Shifts back up when possible.
4. Maximum specified range 100 meters
5. Average throughput of 4 Mbps
Joining a BSS
~ When 802.11 client enters range of one or more APs
- APs send beacons.
- AP beacon can include SSID.
- AP chosen on signal strength and observed error rates.
- After AP accepts client:
- Client tunes to AP channel.
~ Periodically, all channels are surveyed.
- To check for stronger or more reliable APs.
- If found, re-associates with the new AP.
Roaming and Channels
~ Re-association with APs
- Moving out of range.
- High error rates.
- High network traffic.
- Allows load balancing.
~ Each AP has a channel.
- 14 partially overlapping channels.
- Only three channels have no overlap.
- Best for multi-cell coverage.
802.11a
~ 802.11a ratified in 2001
~ Supports up to 54 Mbps in the 5 GHz range.
- Higher frequency limits the range
- Regulated frequency reduces interference from other devices
~ 12 non-overlapping channels
~ Usable range of 30 metres
~ Average throughput of 30 Mbps
~ Not backwards compatible
802.11g
• 802.11g ratified in 2002
• Supports up to 54 Mbps in the 2.4 GHz range.
- Backwards compatible with 802.11b
• 3 non-overlapping channels
• Range similar to 802.11b
• Average throughput of 30 Mbps
• 802.11n due for November 2006
- Aiming for a maximum of 200 Mbps with an average of 100 Mbps
Open System Authentication
• Service Set Identifier (SSID)
• Station must specify SSID to Access Point when requesting association.
• Multiple APs with same SSID form Extended Service Set.
• APs can broadcast their SSID.
• Some clients allow * as SSID.
- Associates with strongest AP regardless of SSID.
MAC ACLs and SSID hiding
• Access points have Access Control Lists (ACL).
• ACL is list of allowed MAC addresses.
- E.g. Allow access to:
~ 00:01:42:0E:12:1F
~ 00:01:42:F1:72:AE
~ 00:01:42:4F:E2:01
• But MAC addresses are sniffable and spoofable.
• AP Beacons without SSID
- Essid_jack
~ Sends deauthenticate frames to the client
~ SSID is then displayed when the client sends reauthenticate frames
Interception
• Wireless LAN uses radio signal.
• Not limited to physical building.
• Signal is weakened by:
- Walls
- Floors
- Interference
• Directional antenna allows interception over longer distances.
• Directional antenna provides focused reception.
802.11 Wireless LAN
- Three basic security services defined by IEEE for the WLAN environment:
~ Authentication
- Provides a security service to verify the identity of communicating client stations.
~ Integrity
- Ensures that messages are not modified in transit between the wireless clients and the access point in an active attack.
~ Confidentiality
- Provides the "privacy achieved by a wired network".
802.11 Authentication
The IEEE 802.11 specification defines two means to validate wireless users attempting to gain access to a wired network: open system authentication and shared key authentication. One means, shared key authentication, is based on cryptography, and the other is not. The open-system authentication technique is not truly authentication; the access point accepts the mobile station without verifying the identity of the station. It should be noted also that the authentication is only one-way; only the mobile station is authenticated. The mobile station must trust that it is communicating with a real AP. A taxonomy of the authentication techniques for 802.11 is depicted in the figure above.
802.11b Security Services
• Two security services provided:
- Authentication
- Shared Key Authentication
- Encryption
- Wired Equivalent Privacy
Wired Equivalent Privacy
• Shared key between
- Stations.
- An Access Point.
• Extended Service Set
- All Access Points will have the same shared key.
• No key management
- Shared key entered manually into
~ Stations
~ Access points
- Key management nightmare in large wireless LANs
RC4
• Ron’s Code number 4
- Symmetric key encryption
- RSA Security Inc.
- Designed in 1987.
- Trade secret until leak in 1994.
• RC4 can use key sizes from 1 bit to 2048 bits.
• RC4 generates a stream of pseudo-random bits
- XORed with plaintext to create ciphertext.
WEP – Sending
• Compute Integrity Check Vector (ICV).
- Provides integrity.
- 32-bit Cyclic Redundancy Check.
- Appended to message to create plaintext.
• Plaintext encrypted via RC4
- Provides confidentiality.
- Plaintext XORed with long key stream of pseudo-random bits.
- Key stream is a function of
~ 40-bit secret key
~ 24-bit initialisation vector
• Ciphertext is transmitted.
WEP – Receiving
• Ciphertext is received.
• Ciphertext decrypted via RC4
- Ciphertext XORed with long key stream of pseudo-random bits.
- Key stream is a function of
~ 40-bit secret key
~ 24-bit initialisation vector (IV)
• Check ICV
- Separate ICV from message.
- Compute ICV for message.
- Compare with received ICV.
Shared Key Authentication
• When station requests association with Access Point
- AP sends a random number to the station
- Station encrypts the random number
~ Uses RC4, 40-bit shared secret key & 24-bit IV
- Encrypted random number sent to AP
- AP decrypts the received message
~ Uses RC4, 40-bit shared secret key & 24-bit IV
- AP compares the decrypted random number to the transmitted random number
• If numbers match, station has shared secret key.
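The WEP sending and receiving steps above and the shared key challenge exchange, worked through as an added example (not code from the original slides). The 40-bit key and 24-bit IV are constructed values; the keystream is RC4 keyed with IV || secret and the ICV is the CRC-32 of the message, as the slides describe.

```python
import struct
import zlib
from typing import Optional

# Constructed example values (not from the slides): 40-bit shared secret, 24-bit IV.
SECRET_KEY = bytes.fromhex("0102030405")   # 40-bit WEP shared secret key
IV = bytes.fromhex("a1b2c3")               # 24-bit initialisation vector, sent in clear

def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key scheduling (KSA) then pseudo-random generation (PRGA) of `length` bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                    # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):                 # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(message: bytes) -> bytes:
    """32-bit CRC Integrity Check Vector, little-endian as WEP transmits it."""
    return struct.pack("<I", zlib.crc32(message) & 0xFFFFFFFF)

def wep_send(secret: bytes, iv: bytes, message: bytes) -> bytes:
    """Sending: plaintext = message || ICV, XORed with RC4(IV || secret); IV prepended in clear."""
    plaintext = message + icv(message)
    keystream = rc4_keystream(iv + secret, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))

def wep_receive(secret: bytes, frame: bytes) -> Optional[bytes]:
    """Receiving: regenerate the keystream from the clear IV, XOR, then check the ICV.
    Returns the message, or None when the ICV does not match (wrong key or tampering)."""
    iv, body = frame[:3], frame[3:]
    plaintext = bytes(c ^ k for c, k in zip(body, rc4_keystream(iv + secret, len(body))))
    message, received_icv = plaintext[:-4], plaintext[-4:]
    return message if icv(message) == received_icv else None

def shared_key_auth(ap_secret: bytes, station_secret: bytes, challenge: bytes, iv: bytes) -> bool:
    """Shared Key Authentication: the station encrypts the AP's random challenge with its
    key; the AP decrypts with its own key and accepts only if the challenge comes back."""
    response = wep_send(station_secret, iv, challenge)
    return wep_receive(ap_secret, response) == challenge
```

Note that the exchange only proves the station holds the key; nothing in it authenticates the AP to the station, which is the one-way property the text points out.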
WEP Safeguards
- Shared secret key required for associating with an access point, sending data and receiving data.
- Messages are encrypted for confidentiality.
- Messages have a checksum for integrity.
- Management traffic is still broadcast in the clear, including the SSID.
Initialization Vector
• IV must be different for every message transmitted.
• 802.11 standard doesn’t specify how IV is calculated.
• Wireless cards use several methods
- Some use a simple ascending counter for each message.
- Some switch between alternate ascending and descending counters.
- Some use a pseudo random IV generator.
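An added example (not from the original slides) of why the IV must never repeat under one key: it models two of the IV schemes listed above, an ascending counter and a pseudo-random generator, and a defender-side check that flags captured frames sharing an IV. It goes slightly beyond the slides by applying the birthday bound to show that random 24-bit IVs are expected to collide after only a few thousand frames; the capture data is constructed.

```python
import math
import random
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

IV_BITS = 24
IV_SPACE = 1 << IV_BITS      # only 16,777,216 distinct IVs per shared secret key

def ascending_counter_ivs(start: int = 0) -> Iterator[int]:
    """First scheme on the slides: a simple ascending counter (wraps at 2^24)."""
    n = start
    while True:
        yield n % IV_SPACE
        n += 1

def pseudo_random_ivs(seed: int) -> Iterator[int]:
    """Third scheme on the slides: a pseudo-random IV generator (seeded for repeatability)."""
    rng = random.Random(seed)
    while True:
        yield rng.getrandbits(IV_BITS)

def first_reuse(ivs: Iterable[int], limit: int) -> Optional[int]:
    """Scan up to `limit` IVs and return the index of the first one already seen.
    A reused IV under the same key means the same RC4 keystream protects two frames."""
    seen = set()
    for idx, iv in enumerate(ivs):
        if idx >= limit:
            return None
        if iv in seen:
            return idx
        seen.add(iv)
    return None

def expected_frames_to_reuse() -> float:
    """Birthday bound: random 24-bit IVs are expected to repeat after about sqrt(pi*N/2) frames."""
    return math.sqrt(math.pi * IV_SPACE / 2)

def reused_iv_frames(frames: Iterable[Tuple[int, bytes]]) -> Dict[int, List[int]]:
    """Defender-side check over captured (IV, ciphertext) frames for one key: map each
    IV that occurs more than once to the indices of the frames that share it."""
    by_iv: Dict[int, List[int]] = defaultdict(list)
    for idx, (iv, _ciphertext) in enumerate(frames):
        by_iv[iv].append(idx)
    return {iv: idxs for iv, idxs in by_iv.items() if len(idxs) > 1}

# Constructed capture: four frames, two of which repeat IV 0x0a0b0c.
SAMPLE_FRAMES = [(0x0a0b0c, b"\x10\x20"), (0x0a0b0d, b"\x30\x40"),
                 (0x0a0b0c, b"\x50\x60"), (0x0a0b0e, b"\x70\x80")]
```

The counter scheme avoids early repeats but exhausts the 24-bit space after 2^24 frames under the same key, so a wireless IDS watching IV reuse per key is a practical check for either scheme.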
802.11 safeguards
• Security Policy & Architecture Design
• Treat as untrusted LAN
• Discover unauthorised use
• Access point audits
• Station protection
• Access point location
• Antenna design
Security Policy & Architecture
• Define use of wireless network
- What is allowed
- What is not allowed
• Holistic architecture and implementation
- Consider all threats.
- Design the entire architecture
~ To minimize risk.
Wireless as untrusted LAN
• Treat wireless as untrusted.
- Similar to Internet.
• Firewall between WLAN and Backbone.
• Extra authentication required.
• Intrusion Detection
- at WLAN / Backbone junction.
• Vulnerability assessments
Discover unauthorized use
• Search for unauthorised access points, ad-hoc networks or clients.
• Port scanning
- For unknown SNMP agents.
- For unknown web or telnet interfaces.
• Warwalking!
- Sniff 802.11 packets
- Identify IP addresses
- Detect signal strength
- But may sniff your neighbours…
• Wireless Intrusion Detection
- AirMagnet, AirDefense, Trapeze, Aruba.
Access point audits
• Review security of access points.
• Are passwords and community strings secure?
• Use Firewalls & router ACLs
- Limit use of access point administration interfaces.
• Standard access point config:
- SSID
- WEP keys
- Community string & password policy