Tuesday, June 06, 2006

Wireless LAN Security Threats and Countermeasures

Wireless networks are becoming increasingly popular, but they also introduce additional security risks. Wireless networks rely on radio waves rather than wires to connect computers to the Internet. A transmitter, known as a wireless access point or gateway, is wired into an Internet connection. This provides a "hotspot" that transmits the connectivity over radio waves. Hotspots have identifying information, including an item called an SSID (or service set identifier), which allow computers to locate them.

3 comments:

JayTC said...

Wireless networks are becoming increasingly popular, but they also introduce additional security risks. Wireless networks rely on radio waves rather than wires to connect computers to the Internet. A transmitter, known as a wireless access point or gateway, is wired into an Internet connection. This provides a "hotspot" that transmits the connectivity over radio waves. Hotspots have identifying information, including an item called an SSID (or service set identifier), which allow computers to locate them. Computers that have a wireless card and have permission to access the wireless frequency can take advantage of the network connection. Some computers may automatically identify open wireless networks in a given area, while others may require that you locate and manually enter information such as the SSID. Because wireless networks do not require a wire between a computer and the Internet connection, it is possible for attackers who are within range to hijack or intercept an unprotected connection. A practice known as Wardriving or Stumbling or War Walking involves individuals equipped with a computer, a wireless card, and a GPS device driving through areas in search of wireless networks and identifying the specific coordinates of a network location. This information is then usually posted online. Some individuals who participate in or take advantage of Wardriving have malicious intent and could use this information to hijack your home wireless network or intercept the connection between your computer and a particular hotspot.

Threats:

1. WEP Cracking
WEP is vulnerable because the encryption keys remain static. The key never changes unless the administrator periodically and manually changes it on all devices. An attacker uses a relatively wireless packet sniffer to collect packets. Then, the attacker runs readily available tools such as AirSnort. These tools can determine encryption keys in a few minutes, enabling the attacker to decrypt and read all data passing between the client and the AP.

2. Denial of Service (DoS)
Attackers can flood APs with illegitimate traffic, slowing or stopping users from accessing the network. There are three types of DoS. The first class of attacks targets the transmission frequency used. The second level of attacks targets the MAC layer. Finally, attacks target protocols on the higher level such as TCP/IP or the client/server system directly.

3. Dictionary Attacks
The attackers gather a challenge and response exchange from password-based protocols. Using open source tools based on a dictionary of hundreds of thousands of words, names, and phrases, an offline computer tries essentially every name-password combination, until the login information is decrypted. Once a name and password have been cracked, the attacker has access to the WLAN, with all the rights and privileges of that user.

4. Interception of Traffic (Wireless Sniffing or Traffic Analysis)
Attackers look for passwords, proprietary/confidential data, or documents. It is a simple technique whereby the attacker can determine the load on the communication medium by the number and size of packets being transmitted. The attackers only need a wireless card operating in promiscuous mode and software to count the number and size of the packets being transmitted. The attackers may use a yagi (a simple directional antenna consisting of a horizontal conductor with several insulated dipoles parallel to and in the plane of the conductor) or a helical directional antenna to increase the range of analyzing traffic.
Traffic analysis allows the attackers to obtain three forms of information. First, they know that there is activity on the network. A significant increase in the amount of network activity serves as an indicator for the occurrence of a large event. A second form of information acquired from traffic analysis is the identification and physical location of wireless access points (APs). The third piece of information that an attacker may receive is the type of protocols being used in the transmissions.

5. Session Hijacking
Attackers create look-alike general or reliable Access Points (APs). Therefore, attackers are capable of not only listening to network traffic but also inserting their own information; a session is then susceptible to hijacking, redirecting it away from a legitimate end point. These attackers can set up an AP, and unsuspecting wireless LAN clients will try to connect to it by sending their authentication information.


Security Mechanisms and Technologies:

1. Authentication
· WEP Protocol
The Wired Equivalent Privacy (WEP) protocol provides the most basic wireless encryption security. But because it used unchanging, static encryption keys and a weak encryption method called RC-4, it could quickly be broken down. WEP provides varying levels of encryption from 40- to 128-bit for 802.11b and 802.11g, and up to 152-bit on 802.11a. More bits mean better security, because a longer key takes more effort to break.
As I mentioned before, WEP does not support key management, which is the automatic exchange of encryption keys between client and APs. Therefore, WEP requires the keys to be changed manually in order to maintain effective security. However, this is a tedious process, especially in large environments. For this reason, WEP may be sufficient for only small business users to secure their wireless access.

· Closed Network Access Control (Disabling Broadcast Service Set Identifier or SSID)
This is the most basic security authentication mechanism for 802.11 networks. Normally, APs send out Beacon Frames, 10 times per second, by default. These contain the “name” of the network (SSID) and list the capabilities of that AP. So, if you enable “Disabling Broadcast SSID” mode, the AP will blank out the SSID from Beacon packets and prevent a response to clients looking to connect to any AP.
The SSID can be used as a shared secret, but the SSID is transmitted unencrypted. So, an attacker can use passive eavesdropping to find the SSID. For this reason, the SSID is only effective against the most unskilled attacker.

· MAC Address Filtering
This security mechanism is designed to deny access to all clients except those explicitly authorized to use the WLAN. This method is useful for small WLANs because it requires implementing and maintaining a large access list. In addition, it provides no protection from an insider who is an authorized user of the network.

· LEAP (Lightweight Extensible Authentication Protocol by Cisco)
LEAP came out shortly after WEP was broken. LEAP used MS-CHAPv2 for the authentication hash. MS-CHAPv2 has been known for years to be vulnerable to dictionary attacks because it is very easy to determine the last two bytes of whatever has been hashed with it. Once you know those last two bytes, you simply perform the MS-CHAPv2 hash on only those dictionary words that match those last two bytes. For this reason, LEAP is considered to be completely broken.

· 802.1x and WPA/802.11i
The IEEE 802.11i (also called WPA2 by the Wi-Fi Alliance) uses AES to encrypt network traffic. It is the present IEEE standard for WLAN security. 802.1x provides network login capabilities between PCs and the edge-networking infrastructure. It is focused on authentication and key management. Using AES will make WLAN networks safer, but it will probably require completely new and more expensive hardware to be used because most pre-2003 APs and WLAN cards cannot support WPA2.

2. Encrypted Tunnel or Virtual Private Network (VPN)
VPN is a strong application for WLAN security because it combines encryption and authentication. The user sets up a secure tunnel to the AP with a user name and password login procedure. It works by maintaining privacy through security procedures including encryption, keying, authentication, and tunneling protocols. These protocols verify users and servers, encrypt data at the sending end, and decrypt it at the receiving end. VPN creates a tunnel that cannot be entered by data or users that are not properly encrypted or authenticated. VPN uses encryption protocols such as 3DES and AES. VPN will enable authorized wireless users to connect securely from virtually anywhere. It is transparent to applications.

3. Integrity Checking
Integrity checking is another aspect that needs to be considered. Integrity is normally implemented separately from the encryption and indicates whether or not the packet has been altered from when the sender created it. A specific checksum is a necessity. The integrity check mechanism can encrypt the message and authenticate the encrypted message, or it can authenticate the plain text message and encrypt the authentication and the message. IPSec suggests authenticating the encrypted message. There are cryptographic hash algorithms that provide message integrity, such as the WEP CRC-32 checksum, a cryptographic checksum or MIC, and SHA-1.

Conclusion:
It is well understood that WLAN security implementation needs improvement. The original encryption method used (WEP or LEAP) can be easily broken and the authentication method provided was very poor. New security initiatives such as 802.11i will bring industry-standard security measures to the WLAN environment. The IEEE specification 802.11i (also known as Robust Security Network or RSN) is the next generation of WLAN security standard that comes with stronger encryption and privacy. It will combine improved encryption with authentication. 802.11i and the use of AES will increase the security of wireless networking.


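The "Integrity Checking" part of the comment above lists the WEP CRC-32 checksum next to a cryptographic MIC; the following added example (not from the post or any commenter) shows in code why they are not interchangeable. It builds a WEP-style frame (RC4 over plaintext||CRC-32) with a textbook RC4 written here for the demo, shows that CRC-32 is linear so a frame can be altered without the checksum failing, and contrasts it with the encrypt-then-MAC order the comment attributes to IPsec, using HMAC-SHA256 (my choice; the page mentions SHA-1). Keys, IV and payload are constructed values.

```python
import hmac, hashlib, zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4, included only so the demo runs offline (never use for real traffic)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def crc32(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# --- WEP-style framing: ICV = CRC-32 of plaintext, RC4(IV||key) over plaintext||ICV ---
def wep_seal(key: bytes, iv: bytes, pt: bytes) -> bytes:
    return iv + rc4(iv + key, pt + crc32(pt))

def wep_open(key: bytes, frame: bytes):
    body = rc4(frame[:3] + key, frame[3:])
    pt, icv = body[:-4], body[-4:]
    return pt if crc32(pt) == icv else None   # None means the integrity check failed

def crc_is_linear(a: bytes, b: bytes) -> bool:
    # crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0): the property that disqualifies CRC-32 as a MIC
    return crc32(xor(a, b)) == xor(xor(crc32(a), crc32(b)), crc32(bytes(len(a))))

def wep_accepts_modified_frame(key: bytes, iv: bytes, pt: bytes, delta: bytes):
    """The failure mode: XOR the ciphertext with delta||fix and the CRC still verifies."""
    frame = wep_seal(key, iv, pt)
    fix = xor(crc32(delta), crc32(bytes(len(delta))))      # compensates the ICV for delta
    return wep_open(key, frame[:3] + xor(frame[3:], delta + fix))   # returns pt ^ delta

# --- Hardened framing: encrypt-then-MAC (the order IPsec uses), HMAC-SHA256 over IV||ciphertext ---
def etm_seal(enc_key: bytes, mac_key: bytes, iv: bytes, pt: bytes) -> bytes:
    ct = iv + rc4(iv + enc_key, pt)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def etm_open(enc_key: bytes, mac_key: bytes, frame: bytes):
    ct, tag = frame[:-32], frame[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        return None                       # any change to IV or ciphertext is rejected before decryption
    return rc4(ct[:3] + enc_key, ct[3:])
```

The same one-byte change that `wep_open` accepts is rejected by `etm_open`, which is the difference between a checksum and a keyed MIC.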

Anonymous said...

http://www.bbwexchange.com/
Weblink for Wireless News

Anonymous said...

http://www.euclideanspace.com/coms/stack/osi/index.htm
OSI Layer