securing wireless network

Security Over Wireless Network, by Syed Ubaid Ali Jafri, Information Security Expert, CEO, UJ Consultant & Solution Provider, http://www.ujconsultant.com


Post on 28-Jan-2015


DESCRIPTION

When setting up and maintaining Wi-Fi home networks, consider these tips for maximizing the security of the computers and data on these networks. Securing wireless networks by maximizing the security of the 802.11 standard and minimizing the risk on the wireless network.

TRANSCRIPT

Page 1: Securing wireless network

Security Over Wireless Network

BY

SYED UBAID ALI JAFRI

Information Security Expert, CEO, UJ Consultant & Solution Provider
http://www.ujconsultant.com

Page 2: Securing wireless network

Securing a Wireless Network

Wireless networks are rapidly becoming pervasive.

How many of you have web-enabled cell phones?

How many of you have networked PDAs and Pocket PCs?

How many of you have laptops with wireless network cards?

How many of you have wireless networks at work? At home?

How many of you use wireless networks when you are out and about?

Page 3: Securing wireless network

Securing a Wireless Network

Of those of you who have wireless devices, how many of you:

• protect your wireless device with a password?
• encrypt the data in your wireless device?
• employ any type of security with your wireless device?
• employ security with your wireless network?

Page 4: Securing wireless network

Securing a Wireless Network

• Wireless Technology
• Security Vulnerabilities with Wireless Networks
• Wireless Security Solutions
• Precautions

Page 5: Securing wireless network

Securing a Wireless Network

Most wireless networks today use the 802.11 standard for communication. 802.11b became the standard wireless Ethernet networking technology for both business and home in 2000. The IEEE 802.11 Standard is an interoperability standard for wireless LAN devices that identifies three major distribution systems for wireless data communication:

• Direct Sequence Spread Spectrum (DSSS) Radio Technology
• Frequency Hopping Spread Spectrum (FHSS) Radio Technology
• Infrared Technology

Page 6: Securing wireless network

Independent Basic Service Set (IBSS) - computers talk directly to each other

Page 7: Securing wireless network

[Basic Service Set (BSS)] Network - all traffic passes through a wireless access point

Page 8: Securing wireless network

Extended Service Set (ESS) Network - traffic passes through multiple wireless access points

Page 9: Securing wireless network

Overview Simulation of Wireless Network

Page 10: Securing wireless network

IEEE 802.11b specification

• wireless transmission of approximately 11 Mbps of raw data
• indoor distances from several dozen to several hundred feet
• outdoor distances of several to tens of miles
• use of the 2.4 GHz band
• 802.11b appeared in commercial form in mid-1999.
• Wireless Ethernet Compatibility Alliance (WECA) certifies equipment as conforming to the 802.11b standard, and allows compliant hardware to be stamped Wi-Fi compatible.
• wireless NICs transmit in the range of 11, 5.5, 2 and 1 Mbit/s at a frequency of 2.4 GHz.
• 802.11b is a half duplex protocol

Page 11: Securing wireless network

IEEE 802.11b specification

• Multiple 802.11b access points can operate in the same overlapping area over different channels, which are subdivisions for the 2.4 GHz band. There are 14 channels, which are staggered at a few megahertz intervals, from 2.4000 to 2.4835 GHz. Only channels 1, 6, and 11 have no overlap among them.
• cards equipped with the Wired Equivalent Privacy (WEP) data encryption, based on the 64 bit RC4 encryption algorithm as defined in the IEEE 802.11b standard on wireless LANs. In addition, there are more expensive cards that are able to use 128 bit encryption. All your nodes must be at the same encryption level with the same key to operate.

Page 12: Securing wireless network

IEEE 802.11b specification

Any network adapter coming within range of another 802.11b network adapter or access point can instantly connect and join the network unless WEP (Wired Equivalent Privacy) is enabled. WEP is secure enough for most homes and businesses, but don’t think it can’t be hacked. There are several flaws in WEP making it unusable for high security applications. At this point, it takes some serious hacking abilities to bust into a WEP enabled network so home users should not worry.

Full strength 802.11b signal will get you about 3.5-4.5 Mbps without WEP enabled. With WEP enabled, expect 2.5-3.5 Mbps. As you put walls and distance between your wireless adapter and your access point, your speed will drop. Don’t expect to put more than a few walls between you and your access point.

Page 13: Securing wireless network

IEEE 802.11a specification

Within the last year, devices that comply with the 802.11a standard (54 Mbps over the 5 GHz band) have been released. 802.11a also has 12 channels (eight in the low part of the band and four in the upper) which do not overlap, allowing denser installations. 802.11a's range is apparently less, but it can often transmit at higher speeds at similar distances compared to 802.11b.

802.11a devices use the same Wired Equivalent Privacy (WEP) security. Some vendors, such as Orinoco and Proxim, have included configurable (albeit non-standard) high-encryption capabilities into their access points to prevent simple WEP cracking.

Page 14: Securing wireless network

IEEE 802.11g… specification

802.11g devices (54 Mbps over 2.4 GHz) will be released in mid-2003. 802.11g features backwards compatibility with 802.11b, and offers three additional encodings (one mandatory, two optional) that boost its speed.

Several related IEEE protocols address security, quality of service, and adaptive signal use (802.11e, h, and i, among others). 802.11i will offer additional security for 802.11. This standard will replace WEP and build on IEEE 802.1X.

IEEE 802.1X is a standard for passing EAP over a wired or wireless LAN.

Page 15: Securing wireless network

Security Vulnerabilities

• packet sniffing - war drivers; high-gain antenna
• War Driver Map of LA
• Antenna on the Cheap (er, Chip) - Pringle's can antenna
• Coffee Can Antenna
• resource stealing - using a valid station's MAC address
• traffic redirection - modifying ARP tables
• rogue networks and station redirection [network administrators also rely on manufacturers' default Service Set IDentifiers (SSIDs)]. The Gartner Group estimates that at least 20 percent of enterprises have rogue wireless LANs attached to their networks.
• DoS (any radio source including 2.4 GHz cordless phones)

Page 16: Securing wireless network

Security Vulnerabilities

The Wired Equivalent Privacy (WEP) algorithm is used to protect wireless communication from eavesdropping. A secondary function of WEP is to prevent unauthorized access to a wireless network.

WEP relies on a secret key that is shared between a mobile station and an access point. The secret key is used to encrypt packets before they are transmitted, and an integrity check is used to ensure that packets are not modified in transit. Most installations use a single key that is shared between all mobile stations and access points. More sophisticated key management techniques can be used to help defend from attacks.

Page 17: Securing wireless network

Security Vulnerabilities

WEP uses the RC4 encryption algorithm, known as a stream cipher. A stream cipher expands a short key into an infinite pseudo-random key stream. The sender XORs the key stream with the plaintext to produce ciphertext. The receiver has a copy of the same key, and uses it to generate an identical key stream. XORing the key stream with the ciphertext yields the original plaintext.

If an attacker flips a bit in the ciphertext, then upon decryption, the corresponding bit in the plaintext will be flipped. Also, if an eavesdropper intercepts two ciphertexts encrypted with the same key stream, it is possible to obtain the XOR of the two plaintexts. Once one of the plaintexts becomes known, it is trivial to recover all of the others.
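The two stream-cipher properties described on this slide, worked through with a small RC4 implementation. This is an added example, not part of the original slides; the key and the two plaintext frames are constructed sample values, and the helper names are hypothetical.

```python
"""RC4 keystream properties (added example; key and frames are constructed)."""

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n bytes of the RC4 keystream for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: both are XOR with the same keystream."""
    return xor(data, rc4_keystream(key, len(data)))

def flip_bit(ciphertext: bytes, index: int, bit: int) -> bytes:
    """Model in-transit modification of a single ciphertext bit."""
    out = bytearray(ciphertext)
    out[index] ^= 1 << bit
    return bytes(out)

def recover_other(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """c1 XOR c2 equals p1 XOR p2 when the keystream repeats, so p1 yields p2."""
    return xor(xor(c1, c2), known_p1)

KEY = b"constructed-shared-key"       # sample key, not from the slides
P1 = b"frame-A: level=1"              # constructed plaintexts of equal length
P2 = b"frame-B: level=7"

if __name__ == "__main__":
    c1, c2 = rc4(KEY, P1), rc4(KEY, P2)
    # Property 1: a flipped ciphertext bit flips the same plaintext bit.
    print(rc4(KEY, flip_bit(c1, 15, 3)))
    # Property 2: the keystream cancels out of c1 XOR c2.
    print(xor(c1, c2) == xor(P1, P2))
    # Property 3: one known plaintext reveals the other.
    print(recover_other(c1, c2, P1))
```

Neither result depends on knowing the key, which is why a stream cipher needs a key stream that never repeats and an integrity check that depends on a secret.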

Page 18: Securing wireless network

Security Solutions

• Wired Equivalent Privacy (WEP) and WEP2
• Media access control (MAC) addresses: configuring access points to permit only particular MAC addresses onto the network. Easy to implement, but fairly easy to defeat.
• IEEE 802.1X: This standard, supported by Windows XP, defines a framework for MAC-level authentication. Susceptible to session-hijacking and man-in-the-middle attacks.
• VPNs: using a VPN to encrypt data on wireless networks. VPNs require a lot of management and client configuration.
• User authentication
• The Temporal Key Integrity Protocol (TKIP) [IEEE 802.11i]

Page 19: Securing wireless network

Security Solutions

• Advanced Encryption Standard (AES) encryption [IEEE 802.11i]
• "Key-hopping" technology that can change the encryption key as often as every few seconds.
• EAP-TTLS (Extensible Authentication Protocol (EAP) - Tunneled Transport Layer Security)
• Enhanced Security Network (ESN) - Extended Service Set with: enhanced authentication mechanism for both STAs and APs based on 802.1X; key management; dynamic, association-specific cryptographic keys; enhanced data encapsulation using AES

Page 20: Securing wireless network

Security Solutions

Wireless Protocol Analyzers. They can:

• check for unknown MAC (Media Access Control) addresses and alert the network manager
• log attempts to gain unauthorized access to the network
• filter access attempts based on the type of network card
• conduct site survey of traffic usage
• find dead zones in the wireless network
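A sketch of the first three analyzer checks as detection logic over a capture summary, with a rogue access point check added for the rogue networks listed under vulnerabilities. This is an added example, not part of the original slides and not any product's code: the line format, the allowlists and every MAC address are constructed, and "type of network card" is assumed to mean the first three octets of the MAC address.

```python
"""Unknown-MAC and rogue-AP checks over observed frames (added example)."""

# Constructed site inventory (assumed, not from the slides)
AUTHORIZED_APS = {"corp-wlan": {"02:00:00:aa:00:01"}}        # SSID -> BSSIDs
KNOWN_STATIONS = {"02:00:00:bb:00:10", "02:00:00:bb:00:11"}
ALLOWED_CARD_PREFIXES = {"02:00:00"}                         # first 3 octets

# Constructed capture summary: time, frame type, source MAC, BSSID, SSID
SAMPLE = """\
10:00:01 beacon 02:00:00:aa:00:01 02:00:00:aa:00:01 corp-wlan
10:00:02 assoc-req 02:00:00:bb:00:10 02:00:00:aa:00:01 corp-wlan
10:00:05 assoc-req 02:00:00:cc:00:99 02:00:00:aa:00:01 corp-wlan
10:00:07 beacon 02:00:00:dd:00:02 02:00:00:dd:00:02 corp-wlan
10:00:09 assoc-req 06:11:22:33:44:55 02:00:00:aa:00:01 corp-wlan
10:00:11 malformed line
"""

def norm(mac: str) -> str:
    """Normalise aa-BB-... and AA:bb:... spellings to lower-case colons."""
    return mac.strip().lower().replace("-", ":")

def analyze(text: str) -> list:
    """Return (kind, time, subject) alerts; the list doubles as the log."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:                    # keep bad input visible
            alerts.append(("PARSE_ERROR", "", line))
            continue
        ts, ftype, src, bssid, ssid = parts
        src, bssid = norm(src), norm(bssid)
        if ftype == "beacon":
            # A known SSID announced by an unlisted BSSID is a rogue AP.
            if ssid in AUTHORIZED_APS and bssid not in AUTHORIZED_APS[ssid]:
                alerts.append(("ROGUE_AP", ts, bssid))
            continue
        if src[:8] not in ALLOWED_CARD_PREFIXES:
            alerts.append(("CARD_TYPE", ts, src))
        if src not in KNOWN_STATIONS:
            alerts.append(("UNKNOWN_STATION", ts, src))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

Because MAC filtering is easy to defeat, a clean result here only means no unlisted address was seen, not that every station is the one it claims to be.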

Page 21: Securing wireless network

Wireless Security Precautions

• Change default names
• Add passwords to all devices
• Disable broadcasting on network hubs
• Don't give the network a name that identifies your company
• Move wireless hubs away from windows
• Use the built-in encryption
• Disable the features you don't use
• Put a firewall between the wireless network and other company computers
• Encrypt data
• Regularly test wireless network security