Wireless application protocol
• Wireless application protocol (WAP) is an application environment and set of communication protocols for wireless devices designed to enable manufacturer-, vendor-, and technology-independent access to the Internet and advanced telephony
• Short for Wired Equivalent Privacy, a security protocol for wireless local area networks (WLANs) defined in the 802.11b standard. WEP is designed to provide the same level of security as that of a wired
• LANs are inherently more secure than WLANs because LANs are somewhat protected by the physical layout of their structure, with some or all of the network inside a building that can be protected from unauthorized access. WLANs, which operate over radio waves, do not have the same physical structure and are therefore more vulnerable to
• WEP aims to provide security by encrypting data over radio waves so that it is protected as it is transmitted from one end point to another. However, WEP has been found to be less secure than once believed. WEP operates at the two lowest layers of the OSI model, the data link and physical layers; it therefore does not offer
• 802.11x refers to a group of evolving wireless local area network (WLAN) standards that are under development as elements of the IEEE 802.11 family of specifications, but that have not yet been formally approved or deployed.
• As of August 2004, these incomplete standards included the following:
• 802.11e -- Adds Quality of Service (QoS) features to the existing 802.11 family
• 802.11f -- Adds Access Point Interoperability to the existing 802.11 family
• 802.11h -- Resolves interference issues with existing 802.11 family specifications
• 802.11j -- Japanese regulatory extensions to 802.11 family specifications
• 802.11k -- Radio resource measurement for 802.11 specifications so that a wireless network can be used more efficiently
• 802.11m -- Enhanced maintenance features, improvements, and amendments to existing 802.11 family specifications
• 802.11n -- Next generation of 802.11 family specifications, with throughput in excess of 100 Mbps
• These standards are being developed with the goal that they support all the 802.11 family specifications in current use.
• 802.11x is also sometimes used as a generic term for any existing or proposed standard of the 802.11 family.
• Wireless security is not much different from wired security. You want several things from security, wired or not: authenticate whom you are talking to, secure the data as it travels from the handheld device to the destination host, and ensure that the traffic hasn't been altered en route.
• Wireless Transport Layer Security (WTLS) is the security layer for Wireless Application Protocol (WAP) applications. It is based on Transport Layer Security (TLS) v1.0 (a security layer used on the Internet, equivalent to Secure Socket Layer 3.1).
• WTLS was developed to address the problematic issues surrounding mobile network devices, such as limited processing power and memory capacity and low bandwidth, and to provide adequate authentication, data integrity and privacy protection mechanisms.
• Wireless transactions, such as those between a user and their bank, require stringent authentication and encryption to protect the communication from attack during data transmission. Because mobile networks do not provide end-to-end security, TLS had to be modified to address the special needs of
• Designed to support datagrams in a high latency, low bandwidth environment, WTLS provides an optimised handshake through dynamic key refreshing, which allows encryption keys to be regularly updated during a secure session.
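The key-refresh idea in the bullets above, as an added illustration for this page rather than the WTLS specification's own PRF, labels or record format (all of which are simplified and assumed here): after the handshake both peers hold a master secret; instead of using one write key for the whole session, the record layer re-derives encryption and MAC keys every 2**REFRESH_EXP records from (master secret, direction, epoch). The receiver recovers the same epoch from the sequence number carried on each record, so keys roll over with no extra round trip on a high-latency link, and a key exposed for one epoch does not decrypt records from another epoch. The keystream construction is a stand-in for a real cipher, chosen only so the example runs with the standard library.

```python
"""Key refresh for a record-layer session, modelled on the WTLS idea.

Added example; not WTLS's real PRF or record layout (assumed/simplified).
"""
import hashlib
import hmac

REFRESH_EXP = 2   # assumed: new keys every 2**2 = 4 records (WTLS makes this negotiable)
KEY_LEN = 16
TAG_LEN = 16


def epoch_for(seq: int, refresh_exp: int = REFRESH_EXP) -> int:
    """Both peers compute the key epoch from the record sequence number."""
    return seq >> refresh_exp


def derive_keys(master_secret: bytes, direction: bytes, epoch: int) -> tuple:
    """HMAC-SHA256 based derivation (assumed; the real WTLS PRF differs)."""
    info = direction + epoch.to_bytes(4, "big")
    enc = hmac.new(master_secret, b"enc" + info, hashlib.sha256).digest()[:KEY_LEN]
    mac = hmac.new(master_secret, b"mac" + info, hashlib.sha256).digest()[:KEY_LEN]
    return enc, mac


def keystream(enc_key: bytes, seq: int, n: int) -> bytes:
    """Counter-style keystream from SHA-256; illustration only, not a real cipher."""
    out = bytearray()
    block = 0
    while len(out) < n:
        out += hashlib.sha256(enc_key + seq.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:n])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(master_secret: bytes, direction: bytes, seq: int, plaintext: bytes) -> bytes:
    """Record = seq(8) || ciphertext || HMAC tag, keyed with the epoch's keys."""
    enc, mac = derive_keys(master_secret, direction, epoch_for(seq))
    ct = xor_bytes(plaintext, keystream(enc, seq, len(plaintext)))
    tag = hmac.new(mac, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()[:TAG_LEN]
    return seq.to_bytes(8, "big") + ct + tag


def unprotect(master_secret: bytes, direction: bytes, record: bytes) -> bytes:
    """Read seq from the record, select the epoch keys, verify integrity, then decrypt."""
    if len(record) < 8 + TAG_LEN:
        raise ValueError("record too short")
    seq = int.from_bytes(record[:8], "big")
    ct, tag = record[8:-TAG_LEN], record[-TAG_LEN:]
    enc, mac = derive_keys(master_secret, direction, epoch_for(seq))
    expected = hmac.new(mac, record[:8] + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return xor_bytes(ct, keystream(enc, seq, len(ct)))


def tamper_detected(master_secret: bytes, direction: bytes, record: bytes) -> bool:
    """True if the record fails the integrity check (altered en route)."""
    try:
        unprotect(master_secret, direction, record)
        return False
    except ValueError:
        return True


def run_session(master_secret: bytes, messages) -> list:
    """Client sends numbered records, server decrypts; returns (epoch, plaintext) per record."""
    result = []
    for seq, msg in enumerate(messages):
        rec = protect(master_secret, b"client", seq, msg)
        result.append((epoch_for(seq), unprotect(master_secret, b"client", rec)))
    return result


MASTER = bytes(range(32))   # constructed master secret for the demo

if __name__ == "__main__":
    for epoch, pt in run_session(MASTER, [b"m0", b"m1", b"m2", b"m3", b"m4", b"m5"]):
        print(epoch, pt)
```

With REFRESH_EXP = 2 the first four records use epoch-0 keys and the fifth and sixth use epoch-1 keys, and a single flipped byte in a record is rejected before any decryption happens.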
• Short for service set identifier, a 32-character unique identifier attached to the header of packets sent over a WLAN that acts as a password when a mobile device tries to connect.
• The SSID differentiates one WLAN from another, so all access points and all devices attempting to connect to a specific
• Because an SSID can be sniffed in plain text from a packet, it does not supply any security to the network.
• Wired Equivalent Privacy (WEP), part of the IEEE's 802.11 standard, was supposed to neutralize wireless' vulnerabilities by adding encryption and access control. But recent developments demonstrate that WEP is about as strong as a wet paper bag.
• "WEP is insecure in just about every way you could be afraid of," says Dave Wagner, cryptography expert and assistant professor of computer science at the University of California, Berkeley. He and colleagues Nikita Borisov and Ian Goldberg were one of several groups that discovered exploitable holes in both the 40-bit and 128-bit versions of
• "You can eavesdrop on WEP sessions, you can tamper with transmitted packets, you can bypass the access control to gain access to the network," he says.
• The most troubling attack was posited in a paper by researchers Fluhrer, Mantin, and Shamir, who suggested a way to recover the shared secret key that WEP uses to encrypt traffic between the access point and a client. The paper was merely theoretical until three AT&T Labs researchers tried the attack.
• The problem lies in the way WEP handles RC4, the underlying cryptographic algorithm. "They started with a good encryption algorithm and mis-applied it," says Wagner.
• As is usually the case, this high-level research has condensed itself into easily-used attack tools such as AirSnort and WEPCrack, which let even low-skilled attackers decipher WEP-
• Using AirSnort, "an attacker can break the cryptography by listening to about 15 minutes of network transmissions," says Wagner. "Someone sitting in a van in your parking lot could use the attack to eavesdrop on your traffic. Once this attack is finished, the bad guy learns your
• Besides deciphering data, possession of the key gives an attacker access to the wireless network, which may expose systems on the wired network, such as workstations, production servers, databases, and other rich pickings.
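What "mis-applied" RC4 means in concrete terms, as an added example for this page (not the researchers' attack code or any of the tools named above): WEP seeds RC4 with a 24-bit per-frame IV concatenated with the shared key and sends the IV in the clear. The block below implements textbook RC4 and a WEP-style encryptor over constructed frames, and shows two facts a defender should understand without performing any key recovery: two frames that repeat an IV are encrypted with the identical keystream, so the XOR of their ciphertexts equals the XOR of their plaintexts and confidentiality is gone; and with only 2**24 IVs, such repeats are expected after a few thousand frames. Both are reasons for the dynamic key management and VPN layering recommended later in the text. The CRC-32 ICV that real WEP appends is omitted.

```python
"""WEP-style RC4 use: per-frame seed = 24-bit IV || shared key.

Added illustration; the key, IVs and frames are constructed for the demo.
"""
import math
from collections import Counter


def rc4_keystream(seed: bytes, n: int) -> bytes:
    """Standard RC4: key-scheduling (KSA) followed by keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> tuple:
    """WEP seeds RC4 with IV || key; the IV travels in the clear next to the ciphertext."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv, xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def find_iv_reuse(frames) -> dict:
    """Defender check over captured (iv, ciphertext) pairs: which IVs repeat, and how often."""
    counts = Counter(iv for iv, _ in frames)
    return {iv: c for iv, c in counts.items() if c > 1}


def plaintext_xor_leak(frame_a, frame_b):
    """Two frames under the same IV share a keystream, so ct_a ^ ct_b == pt_a ^ pt_b."""
    (iv_a, ct_a), (iv_b, ct_b) = frame_a, frame_b
    if iv_a != iv_b:
        return None
    return xor_bytes(ct_a, ct_b)


def frames_until_collision(probability: float, iv_bits: int = 24) -> int:
    """Birthday bound: frames needed before some IV repeats with the given probability."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


# Constructed sample: one 40-bit key, three frames, two of which share IV 0x000001
KEY = bytes.fromhex("0102030405")
MSGS = [(bytes.fromhex("000001"), b"GET /login HTTP/1.0"),
        (bytes.fromhex("000002"), b"POST /xfer HTTP/1.0"),
        (bytes.fromhex("000001"), b"GET /index HTTP/1.0")]
FRAMES = [wep_encrypt(KEY, iv, pt) for iv, pt in MSGS]

if __name__ == "__main__":
    print("reused IVs:", {iv.hex(): c for iv, c in find_iv_reuse(FRAMES).items()})
    leak = plaintext_xor_leak(FRAMES[0], FRAMES[2])
    print("ciphertext XOR equals plaintext XOR:", leak == xor_bytes(MSGS[0][1], MSGS[2][1]))
    print("frames for a 50% chance of an IV repeat:", frames_until_collision(0.5))
```

The IV-reuse counter is the kind of check a site survey can run over its own capture: a healthy key-rotation scheme keeps the count at zero, whereas a static WEP key with a 24-bit IV space is expected to produce a repeat within roughly five thousand frames.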
• But before you start yanking NICs out of laptops, experts say that wireless LANs can be safe, as long as you don't rely on WEP.
• According to John Pescatore, research director for Internet security at the Gartner Group, major vendors of wireless products such as Cisco Systems and Agere Orinoco have added their own security measures. One measure is dynamic key management, in which the access point frequently changes the encryption key.
• You can purchase security solutions from smaller companies such as Colubris, Bluesocket, Proxim, and Funk Software to add to your present wireless infrastructure. These solutions layer strong authentication and encryption over your wireless traffic.
• Alternatively, you can treat your wireless network the same way you would the Internet.
• Ensure that wireless traffic entering your corporate network has to pass through a firewall first. Also, "wherever you have a wireless access point, put a VPN server behind it," says Pescatore. "When I connect to the access point, I'm behind this VPN server that I have to authenticate to, just the way I would over the Internet." An IPSec-compatible VPN provides much stronger authentication and encryption than WEP.
• However, it also requires installing additional VPN gateways and clients, as well as assuming the subsequent administrative
• Even if you tighten wireless security or your company won't install a wireless LAN, don't think you've dodged this bullet. "Wireless base stations are becoming so cheap, employees can go buy a hundred-dollar access point and plug it in to the corporate network without telling anyone," says
• These "rogue" access points blow a huge hole in your carefully constructed defenses. Besides operating without administrative controls, the default configurations for most access points don't even have WEP turned on. Pescatore recommends that administrators regularly sweep their buildings for unauthorized base stations. Hacker tools or commercial products such as Network Associates' Sniffer Wireless can hunt down these rogue elements.
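The sweep for rogue and unencrypted access points described above, and the earlier point that an SSID travels in plain text, as an added example for this page (not a tool from the original text): every 802.11 beacon carries its capability field and its tagged information elements, including the SSID and channel, unencrypted, so a survey can read them straight off the air. The parser below walks those elements from a beacon frame body, stops cleanly on a truncated element, and reports BSSIDs that are not in an assumed inventory (rogue candidates) plus access points whose Privacy capability bit is clear, i.e. shipped with WEP turned off. The frame bodies are constructed by hand; on a real survey they would come from a sniffer capture.

```python
"""Beacon-frame audit: flag unknown BSSIDs and access points advertising no privacy.

Added example; the inventory and sample beacons are constructed for the demo.
"""
import struct

CAP_PRIVACY = 0x0010    # capability field bit 4: Privacy (encryption required to join)
IE_SSID = 0             # element ID 0: SSID
IE_DS_PARAMS = 3        # element ID 3: DS Parameter Set, carries the current channel


def parse_ies(data: bytes) -> dict:
    """Walk tag/length/value elements; keep the first of each tag; stop on truncation."""
    ies = {}
    pos = 0
    while pos + 2 <= len(data):
        tag, length = data[pos], data[pos + 1]
        if pos + 2 + length > len(data):
            break   # truncated element: never read past the buffer
        ies.setdefault(tag, data[pos + 2:pos + 2 + length])
        pos += 2 + length
    return ies


def parse_beacon_body(body: bytes) -> dict:
    """Beacon body = timestamp(8) | beacon interval(2) | capability(2) | tagged elements."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than its fixed fields")
    timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
    ies = parse_ies(body[12:])
    ssid_raw = ies.get(IE_SSID, b"")
    ds = ies.get(IE_DS_PARAMS)
    return {
        "ssid": ssid_raw.decode("utf-8", "replace"),   # sent in the clear, no secrecy
        "hidden": len(ssid_raw) == 0,                    # zero-length SSID: cloaked network
        "privacy": bool(capability & CAP_PRIVACY),
        "channel": ds[0] if ds else None,
        "interval": interval,
    }


def build_beacon_body(ssid: bytes, channel: int, privacy: bool) -> bytes:
    """Constructs a sample beacon body for the demo (bit 0 of capability = ESS)."""
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)
    fixed = struct.pack("<QHH", 0, 100, cap)
    ies = bytes([IE_SSID, len(ssid)]) + ssid + bytes([IE_DS_PARAMS, 1, channel])
    return fixed + ies


def audit(observations, authorized_bssids) -> list:
    """observations: iterable of (bssid, beacon_body). Returns (finding, bssid, ssid) tuples."""
    findings = []
    for bssid, body in observations:
        info = parse_beacon_body(body)
        if bssid.lower() not in authorized_bssids:
            findings.append(("rogue-candidate", bssid, info["ssid"]))
        if not info["privacy"]:
            findings.append(("no-privacy", bssid, info["ssid"]))
    return findings


AUTHORIZED = {"00:11:22:33:44:55"}   # assumed inventory of sanctioned access points

SAMPLE = [  # constructed observations: one sanctioned AP, one default-config AP
    ("00:11:22:33:44:55", build_beacon_body(b"corp-wlan", 6, True)),
    ("de:ad:be:ef:00:01", build_beacon_body(b"linksys", 11, False)),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, AUTHORIZED):
        print(*finding)
```

A survey run with a sniffer would feed real beacon bodies and BSSIDs into audit() in place of SAMPLE; the inventory check catches the hundred-dollar access point plugged in without approval, and the privacy check catches the one left at factory defaults.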
DoS and Distributed DoS (DDoS) attacks are well understood. The perpetrator bombards a target with more traffic than it can handle. The bad traffic prevents legitimate users from accessing the resources under attack.
• A site survey is part of an audit done on
• Site surveys allow system and network administrators to determine the extent (wireless range) of coverage beyond the physical boundaries of their buildings
• Typically, a site survey uses the same tools an attacker uses, such as a sniffer and a WEP cracking tool (for 802.11 network site surveys)
• The sniffer can be either Windows-based, such as NetStumbler, or UNIX/Linux-based, such as Kismet.
For WEP cracking, AirSnort is recommended
• A directional antenna lets wireless network auditors determine how far an attacker can realistically be from the source of the wireless network transmissions and still receive from and transmit to the network.