Wireless security

From Wikipedia, the free encyclopedia

Wireless networks are very common, both for organizations and individuals. Many laptop computers have wireless cards pre-installed for the buyer. The ability to enter a network while mobile has great benefits. However, wireless networking has many security issues. Crackers have found wireless networks relatively easy to break into, and even use wireless technology to crack into non-wireless networks. Network administrators must be aware of these risks, and stay up-to-date on any new risks that arise. Also, users of wireless equipment must be aware of these risks, so as to take personal protective measures.

Security Risks

The risks to users of wireless technology have increased exponentially as the service has become more popular. There were relatively few dangers when wireless technology was first introduced. Crackers had not yet had time to latch on to the new technology and wireless was not commonly found in the workplace. Currently, however, there are a great number of security risks associated with wireless technology. Some issues are obvious and some are not. At a corporate level, it is the responsibility of the IT department to keep up to date with the types of threats and the appropriate countermeasures to deploy. Security threats are growing in the wireless arena. Crackers have learned that there are many vulnerabilities in the current wireless protocols and encryption methods, and in the carelessness and ignorance that exist at the user and corporate IT level. Cracking methods have become much more sophisticated and innovative with wireless. Cracking has also become much easier and more accessible, with easy-to-use Windows-based and Linux-based tools available on the web at no charge. IT personnel should be somewhat familiar with what these tools can do and how to counteract the cracking that stems from them.

Wireless being used to crack into non-wireless networks

Some organizations that have no wireless access points installed do not feel that they need to address wireless security concerns. This is a common deceptive inference. In-Stat MDR and META Group have estimated that 95% of all corporate laptop computers that will be purchased in 2005 will be equipped with wireless. Issues can arise in a supposedly non-wireless organization when a wireless laptop is plugged into the corporate network. A cracker could sit out in the parking lot and break in through the wireless card on a laptop and gain access to the wired network. This problem is aggravated by what is referred tnts. This can be a major security risk. If no security measures are implemented at these access points, it is no different from providing a patch cable out the back door for crackers to plug into whenever they wish.

Types of unauthorized access to company networks

Accidental Association

Unauthorized access to company wireless and wired networks can come from a number of different methods and intents. One of these methods is referred to as “accidental association”. This is when a user turns on their computer and it latches on to a wireless access point from a neighboring company’s overlapping network. The user may not even know that this has occurred. However, this is a security breach in that proprietary company information is exposed and now there could exist a link from one company to the other. This is especially true if the laptop is also hooked to a wired network.

Malicious Association

A “malicious association” occurs when a cracker actively causes wireless devices to connect to a company network through the cracker's laptop instead of a company access point (AP). These types of laptops are known as “soft APs” and are created when a cracker runs software that makes his/her wireless network card look like a legitimate access point. Once the cracker has gained access, he/she can steal passwords, launch attacks on the wired network, or plant trojans. Since wireless networks operate in the Layer-2 world, Layer-3 protections such as network authentication and virtual private networks (VPNs) offer no protection. Wireless 802.1x authentications do help with protection but are still vulnerable to cracking. The idea behind this type of attack may not be to break into a VPN or other security measures. Most likely the cracker is just trying to take over the client at the Layer-2 level.

Ad-Hoc Networks

Ad-hoc networks can pose a security threat. Ad-hoc networks are defined as peer to peer networks between wireless computers that do not have an access point in between them. While these types of networks usually have little security, encryption methods can be used to provide security.

Non-Traditional Networks

Non-traditional networks such as personal network Bluetooth devices are not safe from cracking and should be regarded as a security risk. Even bar code scanners, handheld PDAs, and wireless printers and copiers should be secured. These non-traditional networks can be easily overlooked by IT personnel that have narrowly focused on laptops and APs.

Identity Theft (MAC Spoofing)

Identity theft (or MAC Spoofing) occurs when a cracker is able to listen in on network traffic and identify the MAC address of a computer with network privileges. Most wireless systems allow some kind of MAC filtering so that only authorized computers with specific MAC IDs can gain access and utilize the network. However, a number of programs exist that have network “sniffing” capabilities. Combine these programs with other software that allows a computer to pretend it has any MAC address that the cracker desires, and the cracker can easily get around that hurdle.

Man-In-The-Middle Attacks

A man-in-the-middle attack is one of the more sophisticated attacks that have been cleverly thought up by crackers. This attack revolves around the attacker enticing computers to log into his/her computer, which is set up as a soft AP (Access Point). Once this is done, the cracker connects to a real access point through another wireless card, offering a steady flow of traffic through the transparent cracking computer to the real network. The cracker can then sniff the traffic for user names, passwords, credit card numbers, etc. One type of man-in-the-middle attack relies on security faults in challenge and handshake protocols. It is called a “de-authentication attack”. This attack forces AP-connected computers to drop their connections and reconnect with the cracker’s soft AP. Man-in-the-middle attacks are getting easier to pull off due to freeware such as LANjack and AirJack automating multiple steps of the process. What was once done by cutting-edge crackers can now be done by script kiddies (less knowledgeable and skilled crackers) sitting around public and private hotspots. Hotspots are particularly vulnerable to any attack since there is little to no security on these networks.

Denial of Service

A Denial-of-Service attack (DoS) occurs when an attacker continually bombards a targeted AP (Access Point) or network with bogus requests, premature successful connection messages, failure messages, and/or other commands. These cause legitimate users to not be able to get on the network and may even cause the network to crash. These attacks rely on the abuse of protocols such as the Extensible Authentication Protocol (EAP).

Network Injection

The final attack to be covered is the network injection attack. A cracker can make use of access points that are exposed to non-filtered network traffic, specifically broadcast network traffic such as “Spanning Tree” (802.1D), OSPF, RIP, HSRP, etc. The cracker injects bogus networking re-configuration commands that affect routers, switches, and intelligent hubs. A whole network can be brought down in this manner and require rebooting or even reprogramming of all intelligent networking devices.

Counteracting Risks

Risks from crackers are sure to remain with us for any foreseeable future. The challenge for IT personnel will be to keep one step ahead of crackers. Members of the IT field need to keep learning about the types of attacks and what counter measures are available.

Methods of counteracting security risks

There are many technologies available to counteract wireless network intrusion, but currently no method is absolutely secure. The best strategy may be to combine a number of security measures.

There are three steps to take towards securing a wireless network:

  1. All wireless LAN devices need to be secured
  2. All users of the wireless network need to be educated in wireless network security
  3. All wireless networks need to be actively monitored for weaknesses and breaches

MAC ID filtering

Most wireless access points contain some type of MAC ID filtering that allows the administrator to permit access only to computers whose wireless hardware has certain MAC IDs. This can be helpful; however, IT personnel must remember that MAC IDs over a network can be faked. Cracking utilities such as SMAC are widely available, and some computer hardware also gives the option in the BIOS to select any desired MAC ID for its built-in network capability.

Static IP Addressing

Disabling at least the IP assignment function of the network's DHCP server, with the IP addresses of the various network hosts then set by hand, will also make it more difficult for a casual or unsophisticated intruder to log onto the network, especially if the subnet size is also reduced from one of the standard default settings to what is absolutely necessary and if permitted but unused IP addresses are blocked by the access point's firewall. In that case, where no unused IP addresses are available, a new user can log on without detection using TCP/IP only if he or she stages a successful Man in the Middle Attack using appropriate software.

WEP encryption

WEP stands for Wired Equivalency Privacy. This encryption standard was the original encryption standard for wireless. As its name implies, this standard was intended to make wireless networks as secure as wired networks. Unfortunately, this never happened, as flaws were quickly discovered and exploited. Several open source utilities, such as aircrack-ng, weplab, WEPCrack and airsnort, can be used by crackers to break in by examining packets and looking for patterns in the encryption. WEP comes in different key sizes. The common key lengths are currently 128- and 256-bit. The longer the better, as it will increase the difficulty for crackers. However, this type of encryption has seen its day come and go. In 2005 a group from the FBI held a demonstration where they used publicly available tools to break a WEP encrypted network, and it only took three minutes! WEP protection is better than nothing, though generally not as secure as the more sophisticated WPA-PSK encryption. The problem is that if a cracker gets a lock on your network, it is only a matter of time until the code is cracked.

WPA

Wi-Fi Protected Access (WPA) is an early version of the 802.11i security standard that was developed by the WiFi Alliance to replace WEP. The TKIP encryption algorithm was developed for WPA to provide improvements to WEP that could be fielded as firmware upgrades to existing 802.11 devices. The WPA profile also provides optional support for the AES-CCMP algorithm that is the preferred algorithm in 802.11i and WPA2.

WPA Enterprise provides RADIUS-based authentication using 802.1x. WPA Personal uses a Pre-Shared Key (PSK) to establish the security using an 8 to 63 character passphrase. The PSK may also be entered as a 64 character hexadecimal string. Weak PSK passphrases can be broken using off-line dictionary attacks by capturing the messages in the four-way exchange when the client reconnects after being deauthenticated. Wireless suites such as aircrack-ng can crack a weak passphrase in less than a minute. WPA Personal is secure when used with ‘good’ passphrases or a full 64-character hexadecimal key.
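
The following added example (not part of the original article) audits a WPA Personal secret before it is deployed: it enforces the 8 to 63 character and 64-hex-digit forms described above, derives the PSK the way 802.11i specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256 bits), and reports why a passphrase is weak. The word lists, the 80-bit threshold and the function names are assumptions made for this example.

```python
import hashlib
import math
import string

# Constructed samples; a real audit would load much larger lists.
COMMON_PASSPHRASES = {"password", "12345678", "qwertyuiop", "letmein123", "wireless"}
DEFAULT_SSIDS = {"linksys", "default", "NETGEAR", "dlink"}


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def estimate_bits(passphrase: str) -> float:
    """Upper bound on entropy: length * log2(size of the character classes in use)."""
    pool = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits):
        if any(c in cls for c in passphrase):
            pool += len(cls)
    if any(not c.isalnum() for c in passphrase):
        pool += 33  # printable ASCII symbols, including space
    return len(passphrase) * math.log2(pool) if pool else 0.0


def audit_wpa_personal(secret: str, ssid: str, min_bits: float = 80.0) -> dict:
    """Validate a WPA Personal secret and list reasons it would be easy to guess."""
    findings = []
    is_hex_key = len(secret) == 64 and all(c in string.hexdigits for c in secret)
    if is_hex_key:
        # A 64-digit hex string is used directly as the 256-bit PSK.
        psk = bytes.fromhex(secret)
    else:
        if not 8 <= len(secret) <= 63:
            raise ValueError("need 8 to 63 characters, or a 64-character hex key")
        if any(not 32 <= ord(c) <= 126 for c in secret):
            raise ValueError("passphrase must be printable ASCII")
        psk = derive_psk(secret, ssid)
        if secret.lower() in COMMON_PASSPHRASES:
            findings.append("passphrase is on the common-passphrase list")
        if estimate_bits(secret) < min_bits:
            findings.append("estimated entropy below %.0f bits" % min_bits)
        if ssid in DEFAULT_SSIDS:
            # The SSID is the only salt, so a default SSID is shared by many networks.
            findings.append("default SSID: salt is shared with many other networks")
    return {"psk_hex": psk.hex(), "hex_key": is_hex_key, "findings": findings}


if __name__ == "__main__":
    for secret, ssid in [("password", "linksys"),
                         ("correct horse battery staple 47!", "Branch-Office-7")]:
        print(ssid, audit_wpa_personal(secret, ssid)["findings"])
```

Because the SSID is the only salt in the derivation, the same passphrase on two networks with the same SSID yields the same PSK, which is why the audit also flags default network names.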

WPA2

Main article: IEEE 802.11i

WPA2 is a WiFi Alliance branded version of the final 802.11i standard. The primary enhancement over WPA is the inclusion of the AES-CCMP algorithm as a mandatory feature. Both WPA and WPA2 support EAP authentication methods using RADIUS servers and preshared key (PSK) based security.

802.1X

Main article: IEEE 802.1X

This is an IEEE standard for access of wireless and wired LANs. It provides for authentication and authorization of LAN nodes. This standard defines the Extensible Authentication Protocol (EAP) which uses a central authentication server. Unfortunately, during 2002 a Maryland professor discovered some shortcomings.

LEAP

This stands for the Lightweight Extensible Authentication Protocol. This protocol is based on 802.1X and helps minimize the original security flaws by using WEP and a sophisticated key management system. This also uses MAC address authentication. LEAP is not safe from crackers. THC-LeapCracker can be used to break Cisco’s version of LEAP and be used against computers connected to an access point in the form of a dictionary attack.

PEAP

This stands for Protected Extensible Authentication Protocol. This protocol allows for a secure transport of data, passwords, and encryption keys without the need of a certificate server. This was developed by Cisco, Microsoft, and RSA Security.

TKIP

Main article: TKIP

This stands for Temporal Key Integrity Protocol and the acronym is pronounced as tee-kip. This is part of the IEEE 802.11i standard. TKIP implements per-packet key mixing with a re-keying system. It also provides a message integrity check. These avoid the problems of WEP.

RADIUS

Main article: RADIUS

This stands for Remote Authentication Dial In User Service. This is an AAA (authentication, authorization and accounting) protocol used for remote network access. This service provides an excellent weapon against crackers. RADIUS was originally proprietary but was later published under ISOC documents RFC 2138 and RFC 2139. The idea is to have an inside server act as a gatekeeper through the use of verifying identities through a username and password that is already pre-determined by the user. A RADIUS server can also be configured to enforce user policies and restrictions as well as recording accounting information such as time connected for billing purposes.

Smart Cards, USB Tokens, & Software Tokens

This is a very high form of security. When combined with some server software, the hardware or software card or token will use its internal identity code combined with a user entered PIN to create a powerful algorithm that will very frequently generate a new encryption code. The server will be time synced to the card or token. This is a very secure way to conduct wireless transmissions. Companies in this area make USB tokens, software tokens, and smart cards. They even make hardware versions that double as an employee picture badge.

Currently the safest security measures are the smart cards / USB tokens. However, these are expensive. The next safest methods are WPA2 or WPA with a RADIUS server. Any one of the three will provide a good base foundation for security.

The third item on the list is to educate both employees and contractors on security risks and personal preventive measures. It is also IT’s task to keep the company workers' knowledge base up-to-date on any new dangers that they should be cautious about. If the employees are educated, there will be a much lower chance that anyone will accidentally cause a breach in security by not locking down their laptop or by bringing in a wide open home access point to extend their mobile range. Employees need to be made aware that company laptop security extends to outside of their site walls as well. This includes places such as coffee houses where workers can be at their most vulnerable.

The last item on the list deals with 24/7 active defense measures to ensure that the company network is secure and compliant. This can take the form of regularly looking at access point, server, and firewall logs to try and detect any unusual activity. For instance, if any large files went through an access point in the small hours of the morning, a serious investigation into the incident would be called for. There are a number of software and hardware devices that can be used to supplement the usual logs and usual other safety measures.
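
As an added illustration of active monitoring (not part of the original article), the sketch below compares beacons seen in a wireless survey against an inventory of authorized access points and flags the conditions described earlier: a corporate SSID advertised by an unknown device (a possible soft AP), an authorized MAC address seen with unexpected settings (possible MAC spoofing), and ad-hoc networks in range. The record layout, inventory, addresses and names are constructed for this example.

```python
from collections import namedtuple

# One observed beacon from a wireless survey (field layout is an assumption).
Beacon = namedtuple("Beacon", "ssid bssid channel security mode")

# Hypothetical inventory of authorized APs: BSSID -> (SSID, channel, security).
AUTHORIZED = {
    "02:00:00:00:00:01": ("CorpNet", 1, "WPA2-Enterprise"),
    "02:00:00:00:00:02": ("CorpNet", 6, "WPA2-Enterprise"),
}
CORPORATE_SSIDS = {ssid for ssid, _, _ in AUTHORIZED.values()}

# Constructed survey results.
SAMPLE_BEACONS = [
    Beacon("CorpNet", "02:00:00:00:00:01", 1, "WPA2-Enterprise", "infrastructure"),
    Beacon("CorpNet", "02:00:00:00:00:99", 11, "Open", "infrastructure"),
    Beacon("CorpNet", "02:00:00:00:00:02", 11, "WPA2-Enterprise", "infrastructure"),
    Beacon("CoffeeShop", "02:00:00:00:00:20", 6, "Open", "infrastructure"),
    Beacon("laptop-share", "02:00:00:00:00:30", 3, "Open", "adhoc"),
]


def classify(beacon):
    """Return the findings for one beacon; an empty list means it is expected."""
    findings = []
    if beacon.mode == "adhoc":
        findings.append("ad-hoc network in range")
    known = AUTHORIZED.get(beacon.bssid.lower())
    if known is None:
        # Unknown hardware is only a concern when it claims to be our network;
        # a neighbour's differently named network is not reported.
        if beacon.ssid in CORPORATE_SSIDS:
            findings.append("corporate SSID from unknown BSSID (possible soft AP)")
        return findings
    ssid, channel, security = known
    if beacon.ssid != ssid:
        findings.append("authorized BSSID advertising unexpected SSID")
    if beacon.channel != channel:
        findings.append("authorized BSSID on unexpected channel (possible MAC spoofing)")
    if beacon.security != security:
        findings.append("security setting differs from inventory")
    return findings


def survey(beacons):
    """Map each suspicious BSSID to its de-duplicated list of findings."""
    report = {}
    for beacon in beacons:
        for finding in classify(beacon):
            seen = report.setdefault(beacon.bssid.lower(), [])
            if finding not in seen:
                seen.append(finding)
    return report


if __name__ == "__main__":
    for bssid, findings in survey(SAMPLE_BEACONS).items():
        print(bssid, "; ".join(findings))
```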

Steps in Securing A Wireless Network

The following are some basic steps that should be taken to secure a wireless network, in order of importance:

  1. Turn on encryption. WPA2 encryption should be used if possible. WPA encryption is the next best alternative, and WEP is better than nothing.
  2. Change the default password needed to access a wireless device — Default passwords are set by the manufacturer and are known by crackers. By changing the password you can prevent crackers from accessing and changing your network settings.
  3. Change the default SSID, or network name — Crackers know the default names of the different brands of equipment, and use of a default name suggests that the network has not been secured. Change it to something that will make it easier for users to find the correct network. You may wish to use a name that will not be associated with the owner in order to avoid being specifically targeted.
  4. Disable File and Print Sharing if you don't need it — this can limit a cracker's ability to steal data or commandeer resources in the event that they get past the encryption.
  5. Access points should be arranged to provide radio coverage only to the desired area if possible. Any wireless signal that spills outside of the desired area could provide an opportunity for a cracker to access the network without entering the premises. Directional antennas should be used, if possible, at the perimeter directing their broadcasting inward. Some access points allow the signal strength to be reduced in order to minimise such signal leakage.
  6. Divide the wired and wireless portions of the network into different segments, with a firewall in between. This can prevent a cracker from accessing a wired network by breaking into the wireless network.

There are some often-recommended security steps that are not usually of any benefit against experienced crackers (they will however prevent the larger group of inexperienced users from gaining access to your network easily, should they find your password). These are:

Disabling the SSID broadcast option — Theoretically, hiding the SSID will prevent unauthorised users from finding the network. In fact, while it will prevent opportunistic users from finding the network, any serious cracker can simply scan your other network traffic to find the SSID. It will also make it harder for legitimate users to connect to the network, since they must know the SSID in advance and type it in to their equipment. Hiding the SSID will not prevent anyone from reading the data that is transmitted; only encryption will do that.

Enabling MAC address filtering — MAC address filtering will prevent casual users from connecting to your network by maintaining a list of MAC addresses that are allowed access (or not), but a serious cracker will simply scan your network traffic to find a MAC address that is allowed access, then change their equipment to use that address. Any new equipment will require another MAC address to be added to the list before it can be connected. Again, enabling MAC address filtering will not prevent anyone from reading the data that is transmitted without encryption.
