Wireless Security 26ppt - Wireless Security by lonyoo


Wireless Security
Wireless application protocol
• Wireless application protocol (WAP)
  is an application environment and set
  of communication protocols for
  wireless devices designed to enable
  manufacturer-, vendor-, and
  technology-independent access to
  the Internet and advanced telephony
• Short for Wired Equivalent Privacy, a
  security protocol for wireless local area
  networks (WLANs) defined in the 802.11b
  standard. WEP is designed to provide the
  same level of security as that of a wired
• LANs are inherently more secure than
  WLANs because LANs are somewhat
  protected by the physicalities of their
  structure, having some or all part of the
  network inside a building that can be
  protected from unauthorized access.
  WLANs, which are over radio waves, do
  not have the same physical structure and
  therefore are more vulnerable to
• WEP aims to provide security by
  encrypting data over radio waves so that it
  is protected as it is transmitted from one
  end point to another. However, it has been
  found that WEP is not as secure as once
  believed. WEP is used at the two lowest
  layers of the OSI model - the data link and
  physical layers; it therefore does not offer
  end-to-end security.
• 802.11x refers to a group of evolving
  wireless local area network (WLAN)
  standards that are under development as
  elements of the IEEE 802.11 family of
  specifications, but that have not yet been
  formally approved or deployed.
• As of August 2004, these incomplete
  standards included the following:
• 802.11e -- Adds Quality of Service (QoS)
  features to existing 802.11 family
• 802.11f -- Adds Access Point
  Interoperability to existing 802.11 family
• 802.11h -- Resolves interference issues with
  existing 802.11 family specifications
• 802.11j -- Japanese regulatory extensions to
  802.11 family specifications
• 802.11k -- Radio resource measurement for
  802.11 specifications so that a wireless network
  can be used more efficiently
• 802.11m -- Enhanced maintenance
  features, improvements, and amendments
  to existing 802.11 family specifications
• 802.11n -- Next generation of 802.11
  family specifications, with throughput in
  excess of 100 Mbps
• These standards are being developed with
  the goal that they support all the 802.11
  family specifications in current use.
• 802.11x is also sometimes used as a
  generic term for any existing or proposed
  standard of the 802.11 family.
• Wireless security is not much different
  from wired security. You want several
  things from security, wired or not:
  authenticate whom you are talking to,
  secure the data as it travels from the
  handheld device to the destination host,
  and ensure that the traffic hasn't been
  altered en route.
• Wireless Transport Layer Security (WTLS)
  is the security layer for Wireless
  Application Protocol (WAP) applications. It
  is based on Transport Layer Security (TLS)
  v1.0 (a security layer used on the Internet,
  equivalent to Secure Sockets Layer 3.1).
• WTLS was developed to address the
  problematic issues surrounding mobile
  network devices - such as limited
  processing power and memory capacity,
  and low bandwidth - and to provide
  adequate authentication, data integrity and
  privacy protection mechanisms.
• Wireless transactions, such as those between a
  user and their bank, require stringent
  authentication and encryption to protect the
  communication from attack during data
  transmission. Because mobile networks do not
  provide end-to-end security, TLS had to be
  modified to address the special needs of
  wireless users.
• Designed to support datagrams in a high
  latency, low bandwidth environment,
  WTLS provides an optimised handshake
  through dynamic key refreshing, which
  allows encryption keys to be regularly
  updated during a secure session.

• Short for service set identifier, a 32-
  character unique identifier attached to
  the header of packets sent over a
  WLAN that acts as a password when a
  mobile device tries to connect.
• The SSID differentiates one WLAN from
  another, so all access points and all
  devices attempting to connect to a specific
• Because an SSID can be sniffed in plain
  text from a packet, it does not supply any
  security to the network.
• Wired Equivalent Privacy (WEP), part of
  the IEEE's 802.11 standard, was
  supposed to neutralize wireless'
  vulnerabilities by adding encryption and
  access control. But recent developments
  demonstrate that WEP is about as strong
  as a wet paper bag.
• "WEP is insecure in just about every
  way you could be afraid of," says Dave
  Wagner, cryptography expert and
  assistant professor of computer science
  at the University of California, Berkeley.
  He and colleagues Nikita Borisov and
  Ian Goldberg were one of several
  groups that discovered exploitable holes
  in both the 40-bit and 128-bit versions of
  WEP.
• "You can eavesdrop on WEP sessions, you
  can tamper with transmitted packets, you can
  bypass the access control to gain access to
  the network," he says.
• The most troubling attack was posited in a
  paper by researchers Fluhrer, Mantin, and
  Shamir, who suggested a way to recover the
  shared secret key that WEP uses to encrypt
  traffic between the access point and a client.
  The paper was merely theoretical until three
  AT&T Labs researchers tried the attack.
• The problem lies in the way WEP handles RC4,
  the underlying cryptographic algorithm. "They
  started with a good encryption algorithm and
  mis-applied it," says Wagner.
• As is usually the case, this high-level research
  has condensed itself into easy-to-use attack
  tools such as AirSnort and WEPCrack, which let
  even low-skilled attackers decipher
  WEP-encrypted data.
• Using AirSnort, "an attacker can break the
  cryptography by listening to about 15
  minutes of network transmissions," says
  Wagner. "Someone sitting in a van in your
  parking lot could use the attack to
  eavesdrop on your traffic. Once this attack
  is finished, the bad guy learns your
  encryption keys."
• Besides deciphering data, possession of the key
  gives an attacker access to the wireless
  network, which may expose systems on the
  wired network, such as workstations, production
  servers, databases, and other rich pickings.
• But before you start yanking NICs out of laptops,
  experts say that wireless LANs can be safe, as
  long as you don't rely on WEP.
• According to John Pescatore, research
  director for Internet security at the
  Gartner Group, major vendors of
  wireless products such as Cisco
  Systems and Agere Orinoco have added
  their own security measures. One
  measure is dynamic key management,
  in which the access point frequently
  changes the encryption key.
• You can purchase security solutions from
  smaller companies such as Colubris,
  Bluesocket, Proxim, and Funk Software, to add
  to your present wireless infrastructure. These
  solutions layer strong authentication and
  encryption over your wireless traffic.
• Alternatively, you can treat your wireless
  network the same way you would the Internet.
• Ensure that wireless traffic entering your
  corporate network has to pass through a
  firewall first. Also, "wherever you have a
  wireless access point, put a VPN server
  behind it," says Pescatore. "When I connect
  to the access point, I'm behind this VPN
  server that I have to authenticate to, just the
  way I would over the Internet." An IPSec-
  compatible VPN provides much stronger
  authentication and encryption than WEP.
• However, it also requires installing additional
  VPN gateways and clients, as well as
  assuming the subsequent administrative
• Even if you tighten wireless security or your
  company won't install a wireless LAN, don't
  think you've dodged this bullet. "Wireless
  base stations are becoming so cheap,
  employees can go buy a hundred-dollar
  access point and plug it in to the corporate
  network without telling anyone," says
• These "rogue" access points blow a huge hole in
  your carefully constructed defenses. Besides
  operating without administrative controls, the
  default configurations for most access points
  don't even have WEP turned on. Pescatore
  recommends that administrators regularly sweep
  their buildings for unauthorized base stations.
  Hacker tools or commercial products such as
  Network Associates' Sniffer Wireless can hunt
  down these rogue elements.
• DoS and Distributed DoS (DDoS) attacks
  are well understood. The perpetrator
  bombards a target with more traffic than it
  can handle. The bad traffic prevents
  legitimate users from accessing the
  resources under attack.
Site surveys
• A site survey is part of an audit done on
  wireless networks.
• Site surveys allow system and network
  administrators to determine how far the
  wireless signal (its range) extends beyond
  the physical boundaries of their buildings.
Site survey
• Typically, a site survey uses the same
  tools an attacker uses, such as a sniffer
  and a WEP cracking tool (for 802.11
  network site surveys)
• The sniffer can be either Windows-based
  such as NetStumbler or UNIX/Linux-based
  such as Kismet.
• For WEP cracking, AirSnort is recommended.
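The SSID slide above notes that the SSID is readable in the clear, and the rogue-AP and site-survey slides say the defensive answer is to sweep for access points you do not own and for access points with encryption switched off. The following Python script, added here and not part of the original slides, shows the core of such a sweep: it parses the BSSID, SSID and capability "privacy" bit out of raw 802.11 beacon frames and compares them against an authorized list. The beacon frames, the MAC addresses and the AUTHORIZED set are constructed for the demo; real captures (from Kismet, for example) would replace SAMPLE_FRAMES.

```python
import struct
MGMT_HDR_LEN = 24       # frame control, duration, addr1-3, sequence control
BEACON_FIXED_LEN = 12   # timestamp (8) + beacon interval (2) + capability (2)
CAP_PRIVACY = 0x0010    # capability bit 4: "privacy" (WEP) enabled on the AP
IE_SSID = 0             # tagged-parameter id of the SSID element

def parse_beacon(frame: bytes) -> dict:
    """Pull BSSID, SSID and privacy bit out of a raw beacon; no key needed."""
    if frame[0] != 0x80:   # frame-control byte: type 0 (mgmt), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # addr3 carries the BSSID
    body = frame[MGMT_HDR_LEN:]
    _timestamp, _interval, cap = struct.unpack_from("<QHH", body, 0)
    ssid, pos = "", BEACON_FIXED_LEN
    while pos + 2 <= len(body):              # walk the id/len/value elements
        ie_id, ie_len = body[pos], body[pos + 1]
        if ie_id == IE_SSID:                 # SSID travels as plain bytes
            ssid = body[pos + 2:pos + 2 + ie_len].decode("utf-8", "replace")
        pos += 2 + ie_len
    return {"bssid": bssid, "ssid": ssid, "privacy": bool(cap & CAP_PRIVACY)}

def build_beacon(bssid: str, ssid: str, privacy: bool) -> bytes:
    """Construct a minimal beacon frame for the demo (not a real capture)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    cap = 0x0001 | (CAP_PRIVACY if privacy else 0)     # ESS bit always set
    fixed = struct.pack("<QHH", 0, 100, cap)            # timestamp, interval, cap
    ssid_b = ssid.encode()
    return hdr + fixed + bytes([IE_SSID, len(ssid_b)]) + ssid_b

def sweep(frames, authorized_bssids):
    """Site-survey check: flag unknown BSSIDs and APs with encryption off."""
    findings = []
    for b in map(parse_beacon, frames):
        reasons = []
        if b["bssid"] not in authorized_bssids:
            reasons.append("unauthorized BSSID")
        if not b["privacy"]:
            reasons.append("privacy (WEP) bit clear")
        if reasons:
            findings.append((b["bssid"], b["ssid"], reasons))
    return findings

# Constructed sample (made-up MACs): one authorized AP, one unknown AP advertising
# the corporate SSID, and one default-configuration AP with WEP turned off.
AUTHORIZED = {"00:11:22:33:44:55"}
SAMPLE_FRAMES = [
    build_beacon("00:11:22:33:44:55", "corp-wlan", True),
    build_beacon("00:11:22:33:44:66", "corp-wlan", True),
    build_beacon("aa:bb:cc:dd:ee:ff", "linksys", False),
]
```

Calling sweep(SAMPLE_FRAMES, AUTHORIZED) reports the second and third access points; the first is known and has the privacy bit set.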
Other Tools
• A directional antenna lets wireless network
  auditors determine how far away from the
  network's transmitters an attacker could
  realistically be and still receive from and
  transmit to the network.
