
Page 1: THE WIRELESS PARADIGM ISQS 6342 Spring 2003 R.K. Miller

THE WIRELESS PARADIGM

ISQS 6342

Spring 2003

R.K. Miller

Page 2

INTRODUCTION

The concept of Wireless LAN or wireless home networking (wireless LAN on a small scale) is to use omni-directional radio frequency analog carrier signals to transmit digital and analog data between desktop and laptop computers and between an internet gateway and these same devices. A home network or corporate LAN strung together by T1 operates in the same way as the wireless version, except you lose the “wire.” The market for home, Small Office/Home Office (SOHO) and large-scale corporate users has just begun to take off. Though the technology and availability of unlicensed bandwidth has been around since 1985, it has only been since 1999 that the equipment price range has come down sufficiently to make this option attractive to the corporate and individual consumer. Add to this the very recent advances in securing data packets transmitted over the ether and controlled access to “access points,” and the security shortcomings of wireless are becoming the same as those associated with wired configurations.

Page 3

STANDARDS

Spectrum – In 1985 the FCC opened up an unlicensed set of radio frequency bands for Industrial, Scientific and Medical use (“ISM”).

900 – 928 MHz: Industrial band
2.4 – 2.4835 GHz: Scientific band
5.15 – 5.825 GHz: Medical band

802.11b – The 1997 IEEE Layer 1 standard for the first generation of wireless networks operating in the 2.4 GHz spectrum (1.6 to 2 Mbps at first). Enhanced by IEEE in 1999, it is now widely available with data speeds up to 11 Mbps by aggressively using direct sequence spread spectrum (“DSSS”) modulation versus frequency hopping spread spectrum (“FHSS”) modulation.

Page 4

Problems with 802.11b – It has gotten a bad “security” rap because most users have failed to enable WEP and other security measures. Although the 2.4 GHz spectrum is open to all, there is a primary owner: the microwave oven manufacturers. Thus if there is any overlap with the primary owner, he gets the right-of-way. A WLAN NIC operates at 100 mW versus microwaves at 600-1000 Watts. Maximum data transfer rates are presently 11 Mbps with direct sequencing (with a possibility of up to 33 Mbps by using all three 22-MHz-wide channels). With major corporate networks wanting 100 Mbps pipes (and higher, especially with video applications), this is a serious limitation.

ENTER 802.11a (are we going backwards??)

Page 5

802.11a -- uses a 300 MHz bandwidth divided into three 100 MHz sections: 5.15 – 5.25 GHz, 5.25 – 5.35 GHz and 5.725 – 5.825 GHz, each with differing maximum transmission wattages. Orthogonal Frequency-Division Multiplexing, which requires no guard band, is used. 802.11a’s faster speeds (54 Mbps), greater security and better data reliability through the addition of forward error correction (not in 802.11b), are presently somewhat outweighed by high equipment costs, putting it out of the range of most consumers, e.g. Circuit City has an Access Point (without router) from Linksys priced at $299. Both 802.11a and 802.11b use the same MAC protocol: carrier sense multiple access with collision avoidance (“CSMA-CA”).

The Corporate Potential – For corporate WLAN’s the 5.25-5.35 GHz range (U-NII 2) and the 5.725-5.825 GHz range (U-NII 3) offer the most attraction. These devices may transmit at up to 250 mW and 1 W respectively (vs. 50 mW for U-NII 1) and allow indoors/outdoors and outdoors operations respectively. The former can easily handle intra-building WLAN’s while the latter is favored for point-to-point and point-to-multipoint installations. Guess who uses this type of installation, powered by Cisco devices? Cisco Security

What about the Europeans? Are the standards the same?

Page 6

HiperLAN/1 and HiperLAN/2 -- Developed by the European Telecommunications Standards Institute (“ETSI”), these standards are similar to 802.11b and 802.11a respectively. One major difference is the MAC protocol, where the Europeans use time division multiple access (“TDMA”), also seen in European cellular phone technology, instead of CSMA-CA. It is not likely to be in use in the U.S., but the 2.4 GHz and 5.4 GHz bands in Europe have been reserved for HiperLAN/1 and HiperLAN/2. Therefore 802.11b and 802.11a are not yet certifiable in those markets. IEEE and ETSI are trying to work out the incongruities.

Other Standards and Technologies

802.11g – Myth or fact? Just released, operates in the 2.4GHz waveband, and is basically an enhanced version of 802.11b enabling higher data transfer rates, by developing a new physical layer extension. This technology will be beneficial for improved access to fixed network LAN and inter-network infrastructure (including access to other wireless LANs) via a network of access points, as well as creation of higher performance ad hoc networks. It does not address security issues—that is covered by 802.1X.

Page 7

Other Standards (cont.)

Bluetooth -- The much heralded, easy and cheap solution to linking PC’s, PDA’s, laptops and other electronic devices, in a home, office and public environment, just has not gotten off the ground. The Bluetooth device is a small 1/3 inch square chip which can be integrated in all these devices and should allow hook-ups within a 30 foot range. Present cost per device is $30, expected to drop to $4. Few PC and other electronic device manufacturers have incorporated Bluetooth into their products. Because its data link protocol is inefficient and uses FHSS, data throughput is only about 780 Kbps, also in the crowded 2.4 GHz band. It is an unofficial standard, which may be recognized by IEEE as part of 802.15.

Infrared -- Not really part of the traditional wireless technology, though it is part of the 802.11 standard, infrared is limited by line-of-sight restraints and operates effectively within a small range without the use of relay reflectors. This is not really a viable competitor in the home market, but more suited for building-to-building relays. It is also relatively expensive.

Ultra Wideband – More about this later. This may be the real sleeper in the whole wireless scenario as it promises data transfer speeds of up to 1 Gbps over a two kilometer range.

Page 8

EQUIPMENT

Wireless Cards/Adapters – These devices allow each electronic unit (PC, laptop, PDA, etc.) to talk to another device so equipped (ad hoc topology) or to a wireless router connected to another device(s). The price of these varies depending on the data transmission technology.

Network Access Points (NAP) – This device serves to allow multiple devices access to the cable or ADSL modem or a server, but does nothing for letting each device talk to others.

Routers – This device enables the adapter-equipped devices to talk to each other just as with a regular wired router.

NAP/Router Combo – Combines a NAP with a router, but usually costs more. Linksys

Page 9

Security Issues

The Human Factor – first and foremost, as with wired networks, the ultimate weak link has two legs, two arms and not much upstairs. The Wardrive coalition, which did a study on WLAN’s by literally driving around and accessing them, found that 72% of the access points/networks they compromised did not even have their “Wired Equivalent Privacy” (WEP) enabled.

Authentication – is the client who is trying to gain access to the network via the access point a bona fide user? 802.11b and 802.11a are very weak in their WEP standards, which are either open or “NULL” access or a shared key access as shown below.

Page 10

Security Issues (cont.)

Shared Key Authentication is a rudimentary cryptographic technique for authentication. It is a simple “challenge-response” scheme based on whether a client has knowledge of a shared secret. A random challenge is generated by the access point and sent to the wireless client. The client, using a shared WEP key, encrypts the challenge and returns the result to the AP. The AP decrypts the result computed by the client and allows access only if the decrypted value is the same as the random challenge transmitted. It does not provide mutual authentication and therefore there is no assurance that a client is communicating with a legitimate AP, and wireless network. Such unilateral challenge-response schemes have long been known to be weak and suffer from numerous attacks including the infamous “man-in-the-middle” attack.

Page 11

Security Issues (cont.)

802.1X Authentication – The new IEEE standard for authentication on wired and wireless networks can provide dynamic per-user, per-session WEP keys, removing the administrative burden and security issues surrounding static WEP keys. The particular types include a common framework and the Extensible Authentication Protocol (EAP). The credentials used for authentication, such as a log-on password, are never transmitted in the clear, or without encryption, over the wireless medium. Combined with an “Access Control List” (“ACL”) of authorized MAC’s, 802.1X effectively limits access to the WLAN by an unauthorized user.

Confidentiality/Frame Encryption – “For Your Eyes Only.” The 802.11b standard supports privacy (confidentiality) through the use of cryptographic techniques for the wireless interface. WEP supports cryptographic key sizes from 40 bits to 104 bits and can be expanded to 128 bits by adding a 24-bit initialization vector (“IV”) key. Research has shown that key sizes of greater than 80 bits make brute-force cryptanalysis (codebreaking) an impossible task. The graph on the following slide illustrates the WEP frame encryption process. Replacing WEP with IPSec and other frame encryption and adding cyclic key management, such as Kerberos, easily brings this aspect of WLAN security to its wired cousin’s standards.
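As an added illustration of the Shared Key Authentication exchange and of the WEP frame format described on the two slides above (this is example code written for these notes, not code from the slides, from Cisco, or from any vendor), the following Python models a WEP frame as a 24-bit IV sent in the clear, RC4 keyed with IV||key, and a CRC-32 integrity check value, and then runs the challenge-response over it. RC4 is re-implemented here from its public description; the 128-byte challenge length, the function names and the rogue_ap_session scenario are assumptions of this example. The last function makes the slide’s point about missing mutual authentication concrete: a station answers whatever challenge it receives and has nothing in the protocol with which to verify who asked.

```python
import os
import zlib

# Minimal RC4 (the stream cipher WEP uses), written from the public description.
def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation (PRGA), XORed in
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

IV_LEN = 3          # 24-bit initialization vector, transmitted unencrypted
CHALLENGE_LEN = 128  # assumption for this example

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Build IV || RC4(IV||key, plaintext || CRC-32 ICV) for a 40- or 104-bit key."""
    assert len(iv) == IV_LEN and len(key) in (5, 13)
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + key, plaintext + icv)

def wep_decrypt(key: bytes, frame: bytes):
    """Return the plaintext if the ICV verifies, otherwise None."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    payload = rc4(iv + key, body)
    plaintext, icv = payload[:-4], payload[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        return None
    return plaintext

# --- Shared Key Authentication: AP challenges, station encrypts, AP compares ---
def ap_challenge() -> bytes:
    return os.urandom(CHALLENGE_LEN)

def client_response(key: bytes, challenge: bytes) -> bytes:
    # The station proves key knowledge by returning the challenge as a WEP frame.
    return wep_encrypt(key, os.urandom(IV_LEN), challenge)

def ap_verify(key: bytes, challenge: bytes, response: bytes) -> bool:
    return wep_decrypt(key, response) == challenge

def shared_key_auth(ap_key: bytes, client_key: bytes) -> bool:
    """Full exchange; True only when both sides hold the same key."""
    challenge = ap_challenge()
    return ap_verify(ap_key, challenge, client_response(client_key, challenge))

def rogue_ap_session(client_key: bytes) -> bool:
    """Unilateral authentication: an AP that holds no key can still issue a
    challenge, collect the station's answer and report success. The station
    never receives anything it could check, so from its point of view the
    exchange with a rogue AP looks identical to one with a legitimate AP."""
    challenge = ap_challenge()
    _ = client_response(client_key, challenge)   # station answers obligingly
    return True                                   # "success" frame, unverifiable
```

Static WEP keys make this worse in practice, because every station shares the same secret with the AP and the exchange gives the station no way to tell which AP it is talking to; 802.1X/EAP, discussed on the slide above, addresses exactly this gap with per-session keys and authentication of both parties.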

Page 12

Security Issues (cont.)

[Figure: WEP frame encryption process. The diagram is not included in this transcript.]

Page 13

Security Issues (cont.)

Integrity – 802.11b uses a non-encrypted Cyclic Redundancy Check (CRC) at the MAC level, as shown in the previous diagram. If the CRC’s between the sending and receiving units do not match, this would indicate an integrity violation (perhaps a message spoofer), and the packet would be discarded. But, this combination of noncryptographic checksums with stream ciphers is dangerous and often leads to unintended “side channel” attacks. An attacker could decrypt any packet by systematically modifying the packet and CRC, sending it to the AP, and noting whether the packet is acknowledged.
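To make the integrity point above concrete, here is an added Python example (written for these notes, not code from the slides or from Cisco) that checks the property behind it: CRC-32 is affine under XOR, so the ICV of a modified message can be derived from the ICVs of the original and of the modification alone, which is why an unkeyed checksum cannot stop bit-flipping of a stream-ciphered frame. The hardened form uses a keyed message integrity check (HMAC-SHA256 stands in for the MIC that TKIP adds; the function names, the 8-byte tag truncation and the sample frame are this example’s assumptions).

```python
import hashlib
import hmac
import zlib

def crc32_bytes(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")

def xor_bytes(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

def crc_is_linear(a: bytes, b: bytes) -> bool:
    """For equal-length inputs, crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0).
    Any party can therefore compute how a change to the data changes the
    checksum without knowing the data itself; no key is involved."""
    zero = bytes(len(a))
    lhs = zlib.crc32(xor_bytes(a, b))
    rhs = zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zero)
    return lhs == rhs

# --- Weak integrity: unkeyed CRC-32 ICV (what 802.11b ships with) ---
def icv_check(data: bytes, icv: bytes) -> bool:
    return crc32_bytes(data) == icv

# --- Hardened integrity: keyed MIC (HMAC-SHA256 used as a stand-in) ---
MIC_LEN = 8  # assumption for this example

def mic_tag(mic_key: bytes, data: bytes) -> bytes:
    return hmac.new(mic_key, data, hashlib.sha256).digest()[:MIC_LEN]

def mic_check(mic_key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mic_tag(mic_key, data), tag)

def altered_frame_checks(mic_key: bytes, original: bytes, alteration: bytes):
    """Flip the bits given in `alteration`, let the tampering party recompute
    the unkeyed ICV (which needs no secret), and report whether the CRC check
    and the keyed MIC check each still accept the frame."""
    modified = xor_bytes(original, alteration)
    crc_ok = icv_check(modified, crc32_bytes(modified))     # always passes
    mic_ok = mic_check(mic_key, modified, mic_tag(mic_key, original))  # fails
    return crc_ok, mic_ok

if __name__ == "__main__":
    # Constructed sample frame payload and a change to its last four bytes.
    frame = b"DATA seq=0001"
    delta = bytes(len(frame) - 4) + b"\x01\x01\x01\x01"
    print("CRC linear:", crc_is_linear(frame, delta))
    print("CRC passes / MIC passes:", altered_frame_checks(b"mic-key", frame, delta))
```

The contrast is the defender's takeaway: the receiver's decision must depend on a secret the sender and receiver share, which is what TKIP's MIC and, later, AES-CCMP provide, and which a CRC, however wide, cannot.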

802.1X & Proprietary Security Systems – The problems associated with 802.11b’s confidentiality and integrity protocols are also addressed in 802.1X and proprietary systems like Cisco’s Aironet, e.g. using pre-standard Temporal Key Integrity Protocol (TKIP), support for Message Integrity Check (MIC), per-packet key hashing, and broadcast key rotation.

The following slide from Cisco’s product promotion, shows the relative weaknesses of the 802.11 standard out of the box and the means by which these shortcomings are overcome. Bottom line, security should be no more of a concern with WLAN’s than it is with their wired brethren.

Page 14

Table 1: WLAN Attack Mitigation Chart (Cisco Wireless Security Suite)

Attack                  | Static WEP | Cisco LEAP and WEP | EAP-TLS    | Cisco LEAP, TKIP, Broadcast Key Rotation, MAC Authorization, and Per-packet Keying
Man-In-The-Middle       | Vulnerable | Vulnerable         | Vulnerable | Mitigated
Authentication Forging  | Vulnerable | Mitigated          | Mitigated  | Mitigated
Fluhrer (FMS Paper)     | Vulnerable | Vulnerable         | Vulnerable | Mitigated
Rogue Access Points     | Vulnerable | Mitigated          | Mitigated  | Mitigated
Dictionary Attacks (1)  | Vulnerable | Mitigated (2)      | Mitigated  | Mitigated (2)

(1) A dictionary attack is a brute force method of compromising network security. During a dictionary attack, a network intruder uses a list of known passwords in various combinations to try to access the network via a known user's account. The intruder uses weak user passwords or words that are found in the dictionary during this attack.
(2) Requires strong passwords.

Page 15

Ultra Wideband

Pulse-Type Radio Transmission – employs billions of radio frequency pulses per second over the entire radio spectrum, with each pulse lasting no more than a nanosecond. The wide swath and very low power (< .05 mW) cause UWB transmissions to appear as background noise to anyone without a very finely tuned receiver.

Uses Unlicensed Spectrum – per discussions with the FCC and preliminary approval given 2/14/02, commercial users of UWB will be given access to unused portions of the overall spectrum and which don’t interfere with DOD or airline radar/communication frequencies. Therefore, it could use the ISM bands as well as those small portions of spectrum which lie between licensed bands (i.e. the guardbands).

High Data Carrying Capacity – at least one developer, PulseLink of San Diego, CA, is predicting data rates of up to 1 Gbps in the 802.11a spectrum over a range of up to 2 kilometers.

Page 16

Wireless ISP’s

Kick the Copper and Fiber Optic Habit – if you are in a remote location or don’t want to fool around with DSL or cable modems or can’t afford to lease a T1 line, there are other options:

Satellite, e.g. DirecTV or EchoStar.

Wireless ISP’s, e.g. airBand Communications of Dallas or our own Door right here in Lubbock.

Page 17

REFERENCES

Cisco, “SAFE: Wireless LAN Security in Depth” and “Cisco Aironet Wireless LAN Security Overview,” http://www.cisco.com/go/safe

Tom Karygiannis and Les Owens, “Wireless Network Security: 802.11, Bluetooth™ and Handheld Devices,” Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-48

Wireless Ethernet Compatibility Alliance (WECA), “WEP Security Statement,” September 7, 2001

O'Reilly Network, “Wireless LAN Security: A Short History,” http://www.oreillynet.com/pub/a/wireless/2002/04/19/security.html

ZDNet News, “Networks suffer from wireless insecurity,” http://www.zdnet.com/

IEEE, “Overview and Guide to the IEEE 802 LMSC,” December 2002