Wireless Access Point & ARP Poisoning


   1. Introduction                              1
   2. The ARP Protocol and Cache Poisoning      4
   3. ARP cache poisoning on 802.11b Networks   8
        Enterprise attacks                      9
        Consumer attacks                       13
   4. Prevention                               17
   5. Home Installations                       19
   6. Detection                                20
   7. Conclusion                               21
   8. Wireless Communication Policy            22

  Department of Telecommunication.        1     March-July 2004

ARP POISONING


        Wireless networks, specifically 802.11b, have received a
   tremendous amount of interest and scrutiny from the security
   community over the past few months. The security community
   agrees that wireless networks introduce a new point of entry into
   previously closed wired networks and must thus be treated as an
   untrusted source, just like the Internet. Standard technologies
   enable wireless client machines to connect to a local area network
   made up of other wireless hosts. For wireless networking to be
   most useful, the wireless networks must pass data on to standard
   wired networks connected to the Internet. This paper describes
   the application of a well understood class of attacks on wired
   networks to the emerging mix of wired and wireless networking
   equipment. Address resolution protocol (ARP) cache poisoning is a
   MAC layer attack that can only be carried out when an attacker is
   connected to the same local network as the target machines,
   limiting its effectiveness only to networks connected with
   switches, hubs, and bridges; not routers. Most 802.11b access
   points act as transparent MAC layer bridges, which allow ARP
   packets to pass back and forth between the wired and wireless
   networks. This implementation choice for access points allows ARP
   cache poisoning attacks to be executed against systems that are
   located behind the access point.

 In unsafe deployments, wireless attackers can compromise traffic
 between machines on the wired network behind the wireless
 network, and also compromise traffic between other wireless
 machines including roaming clients in other cells. Of particular
 note is the vulnerability of home combination devices that offer a
 wireless access point, a switch, and a DSL/cable modem router in
 one package. These popular consumer devices allow a wireless
 attacker to compromise traffic between computers connected to
 the built-in switch. Additional vulnerable network architectures
 are explored below.

        ARP cache poisoning is not a new problem; it has been
 extensively explored and defended against in the context of wired
 networks. Unfortunately, the design of wireless access points and
 the corresponding network architecture implications of their use
 are particularly vulnerable to this class of problems. The path to
 managing the security risks discovered by Cigital and discussed
 herein involves rethinking network architectures, redesigning or
 upgrading access point hardware and firmware, deploying VPN
 solutions on the wireless network, and making wireless access
 points an integral part of the VPN infrastructure. Any and all
 applications designed for use over wireless networks must take
 these risks into account (preferably when they are being

 ARP Cache Poisoning

      ARP cache poisoning is a known class of attacks that have
 been reasonably mitigated in most wired networks. The advent of
 standard, off-the-shelf wireless networks makes the ARP cache
 poisoning risk particularly relevant again.

 Defining Terms

       An important concept in understanding ARP cache poisoning
 is the difference between collision domains and broadcast domains
 in networking equipment. A collision domain is the set of hosts
 that all send packets across the same logical wires. A broadcast
 domain is the set of hosts that all receive each other's broadcast
 messages. These two kinds of domains do not always contain the
 same sets of hosts.

 Network hubs take traffic that comes in on each hub port and
 broadcast the traffic out over all other ports. All hosts connected
 to a hub share the same collision and broadcast domains. Any
 traffic sent to the hub may collide with traffic sent to the hub on
 another port. All hosts connected to the hub see broadcasts.

 A switch or bridge takes the traffic that comes in on each port
 and sends the traffic only to the port where the target host
 (determined by Ethernet MAC address) resides. By contrast,
 broadcast messages must be sent to all ports since all hosts need
 to see the message. All hosts connected to a switch or bridge
 share a broadcast domain, but the collision domains are limited to
 each separate port. The division of ports into separate collision
 domains in a switch increases network throughput, but does not
 significantly enhance security.

 Routers serve as borders for both collision and broadcast
 domains. Each port on a router is a member of a separate collision
 and broadcast domain from all other ports on the router.

 The ARP Protocol and Cache Poisoning

      The Address Resolution Protocol (ARP) serves the function
 of determining the mapping between IP addresses and MAC
 hardware addresses on local networks. For example, a host that
 wants to send a message to an IP address on the local
 network sends a broadcast ARP packet that requests the MAC for
 that IP. The host that owns that IP returns an ARP reply
 packet with its MAC address. The requesting host then sends the
 message, and stores the IP-to-MAC mapping for future packets.
       In order to minimize network traffic, ARP implementations
 update their cache of IP-to-MAC mappings whenever an ARP
 request or reply is received. If the MAC address reported in the
 packet for the given IP has changed, the new value will overwrite
 the old one in the cache. ARP replies are unicast packets directed
 at one machine, and cause only that machine to update its cache.

 Figure 1: Setting up a man in the middle attack by C against
 A and B by poisoning ARP caches.

      The particular kind of ARP attack examined in this paper is the
 use of ARP reply packets to perform cache poisoning. This attack
 makes possible many sorts of “man in the middle” attacks.
 Consider an example. The attacker, host C, sends an ARP reply to
 B stating that A's IP maps to C's MAC address, and another ARP
 reply to A stating that B's IP maps to C's MAC address (see Figure
 1). Since ARP is a stateless protocol, hosts A and B assume they
 sent an ARP request at some point in the past and update their ARP
 caches with this new information.
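The cache-update rule and the Figure 1 exchange, as an added example that is not part of the original paper: an in-memory Python model of RFC 826 ARP packets and per-host caches. It replays C's two replies against A and B, and also shows the static-entry defence described later under Home Installations plus a hypothetical solicited-only rule of my own; all addresses are constructed sample values and nothing is sent on a network.

```python
"""Added example (not from the paper): an in-memory model of RFC 826 ARP
cache behaviour. It replays Figure 1, then shows two defensive policies:
static entries (the 'arp' command fix from Home Installations) and a
hypothetical solicited-only rule. Nothing is sent on the wire; all
addresses are constructed sample values."""
import socket
import struct
from dataclasses import dataclass, field
from typing import Dict, Set

ARP_REQUEST, ARP_REPLY = 1, 2


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


@dataclass
class ArpPacket:
    """28-byte IPv4-over-Ethernet ARP body: htype=1, ptype=0x0800, hlen=6,
    plen=4, op, then sender MAC/IP and target MAC/IP."""
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    def pack(self) -> bytes:
        return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, self.op)
                + _mac_bytes(self.sender_mac) + socket.inet_aton(self.sender_ip)
                + _mac_bytes(self.target_mac) + socket.inet_aton(self.target_ip))

    @classmethod
    def unpack(cls, data: bytes) -> "ArpPacket":
        htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", data[:8])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            raise ValueError("not an IPv4-over-Ethernet ARP packet")
        b = data[8:28]
        return cls(op, b[0:6].hex(":"), socket.inet_ntoa(b[6:10]),
                   b[10:16].hex(":"), socket.inet_ntoa(b[16:20]))


@dataclass
class ArpCache:
    """One host's ARP cache. Static entries are never overwritten.
    solicited_only is a hypothetical hardened rule (not from the paper):
    accept a reply only for an IP this host asked about and still awaits."""
    own_ip: str
    own_mac: str
    solicited_only: bool = False
    entries: Dict[str, str] = field(default_factory=dict)
    static: Set[str] = field(default_factory=set)
    pending: Set[str] = field(default_factory=set)

    def add_static(self, ip: str, mac: str) -> None:
        self.entries[ip] = mac
        self.static.add(ip)

    def request(self, ip: str) -> bytes:
        """Broadcast 'who has ip?' and remember that we asked."""
        self.pending.add(ip)
        return ArpPacket(ARP_REQUEST, self.own_mac, self.own_ip,
                         "00:00:00:00:00:00", ip).pack()

    def receive(self, data: bytes) -> bool:
        """The update rule the paper describes: a request or reply carrying a
        sender mapping overwrites the cached one. Returns True if applied."""
        pkt = ArpPacket.unpack(data)
        ip, mac, is_reply = pkt.sender_ip, pkt.sender_mac, pkt.op == ARP_REPLY
        if ip in self.static:
            return False        # static entry wins
        if is_reply and pkt.target_ip != self.own_ip:
            return False        # unicast reply meant for another host
        if not is_reply and pkt.target_ip != self.own_ip and ip not in self.entries:
            return False        # RFC 826: a broadcast request only refreshes known senders
        if self.solicited_only and is_reply and ip not in self.pending:
            return False        # hardened rule: we never asked about this IP
        self.entries[ip] = mac
        self.pending.discard(ip)
        return True


# Constructed sample addresses for hosts A and B and attacker C.
IP_A, IP_B = "10.0.0.1", "10.0.0.2"
MAC_A, MAC_B, MAC_C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"


def figure1_scenario(solicited_only: bool = False,
                     static_entries: bool = False) -> Dict[str, str]:
    """Legitimate A<->B resolution, then C's two forged replies from Figure 1.
    Returns what A and B believe each other's MAC is afterwards."""
    a = ArpCache(IP_A, MAC_A, solicited_only)
    b = ArpCache(IP_B, MAC_B, solicited_only)
    if static_entries:
        a.add_static(IP_B, MAC_B)
        b.add_static(IP_A, MAC_A)
    b.receive(a.request(IP_B))                                        # B learns A
    a.receive(ArpPacket(ARP_REPLY, MAC_B, IP_B, MAC_A, IP_A).pack())  # genuine reply
    # C tells A "IP_B is at MAC_C" and B "IP_A is at MAC_C"; ARP is stateless,
    # so an undefended cache believes both and A<->B traffic now flows via C.
    a.receive(ArpPacket(ARP_REPLY, MAC_C, IP_B, MAC_A, IP_A).pack())
    b.receive(ArpPacket(ARP_REPLY, MAC_C, IP_A, MAC_B, IP_B).pack())
    return {"A_thinks_B_is": a.entries[IP_B], "B_thinks_A_is": b.entries[IP_A]}
```

Calling figure1_scenario() with no arguments reproduces the poisoned state; either defensive flag leaves both caches holding the genuine mappings.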

 Figure 2: C performs a man in the middle attack against A
 and B, most likely without being detected.

       Now, when A tries to send a packet to B it will go to C
 instead. Host C can use this unique position to forward the
 packets on to the correct host and monitor or modify them as they
 pass through C (Figure 2). This man in the middle attack allows C
 to monitor or modify telnet sessions, read mail passing over POP
 or SMTP, intercept SSH negotiations, monitor and display Web
 usage, and commit many other nefarious activities.
       The ARP cache poisoning attack can be used against all
 machines in the same broadcast domain as the attacker. Hence, it
 works over hubs, bridges, and switches, but not across routers.
 An attacker can, in fact, poison the ARP cache of the router itself,
 but the router won't pass the ARP packets along to its other links.
 Switches with port security features that bind MAC addresses to
 individual ports do not prevent this attack since no MAC addresses
 are actually changed. The attack occurs at a higher network layer,
 the IP layer, which the switch does not monitor. The tool that was
 used in demonstrating and testing the effectiveness of these
 attacks was Ettercap. Developed as an open source project,
 Ettercap provides both a menu based (ncurses) and command line
 tool to perform ARP cache poisoning and man in the middle
 attacks against switched networks (among other things). This tool
 was used without any modifications in performing the attacks
 discovered by Cigital in an 802.11b wireless environment.

 ARP Cache Poisoning on 802.11b Networks

            Most 802.11b access points (APs) act as hubs for all the
 hosts on the wireless network and bridge traffic between the
 wireless network and the wired network (or backbone wireless
 network) on the other side. The collision domains in this case are
 separated; all the hosts on the wireless subnet are in one collision
 domain and the wired network hosts are in another. The broadcast
 domain is not limited by the presence of the AP, and includes the
 wired network. Since this ARP attack is applicable to all hosts in a
 broadcast domain, a standard off-the-shelf bridging AP (installed
 according to the manufacturer's instructions) allows this attack to
 occur through itself, and propagate into the network it is
 connected to.
 If an access point is connected directly to a hub or a
 switch, then all hosts connected to that hub or switch are
 susceptible to man in the middle attacks performed from
 the wireless network. The attacker may, for example, be in
 the lobby of an enterprise with a wireless installation.
 Specific Demonstrated Attacks.

         The following scenarios were tested at Cigital to ensure that
 the attacks work as expected. Various operating systems were
 used in the tests, including several distributions of Linux, Windows
 2000, and Windows NT.

   Enterprise attacks

 Scenario 1: Attacking wired hosts through a wireless

   1) A wireless attacker can perform a man in the middle attack
       against two machines on the wired network connected to the
       same switch as the access point. The forged ARP packets can
       reach both target hosts. Though this setup should never be
       used in a deployed network, it is likely that many
       organizations have deployed their systems this way due to a
       lack of knowledge about the risks described in this paper. The
   ability to compromise the wired network from a machine located
   on the wireless is one of the most significant illustrations of this
   attack method.

 Scenario 2: Attacking both a wireless client and wired
 client through a wireless vulnerability.

 2) A wireless attacker can perform a man in the middle attack
 against a wireless client connected to a machine on the hub or
 switch that the AP is connected to. Both target machines are still
 in the broadcast domain, and can receive the attacker's forged
 ARP packets. This situation was observed at the DEF CON and
 Usenix Security conferences in the form of SSH man in the middle
 attacks between wireless clients and the gateway to the Internet.

 Scenario 3: Attacking roaming wireless hosts on different

 3) A wireless attacker can perform a man in the middle attack
 against two wireless clients on different APs in a roaming setup
 involving multiple access points. Currently available roaming
 802.11b networks require all APs to be connected to a common
 switch or hub. (Some vendors may have more advanced roaming
 products available, but no documentation on the implementation
 of these features is readily available.) Because all the APs act as
 bridges and are connected to a common switch, the broadcast
 domain spans all the hosts connected to all the access points and
 the forged ARP packets can reach all the target hosts. All available
 examples and case studies for deploying roaming 802.11b
 networks claimed that the network should be set up in precisely
  this fashion; all the APs are connected to a common switch or
 collection of switches.

 Scenario 4: Attacking two wireless hosts on the same AP.

 4) A wireless attacker can perform a man in the middle attack
 against two other wireless clients connected to the same AP. This
 is a trivial case that is identical to performing an ARP cache
 poisoning attack in a solely wired environment.

Consumer attacks

 Internal Structure of Home Devices

 The final examined scenarios focus on home deployments. Several
 vendors offer combined AP, switch, and DSL/cable modem router
 devices. These devices are implemented as an AP, connected to a
 switch for several local wired clients, which is then connected to a
 router to talk to the user's ISP. Since the AP is directly connected
 to the switch, the following attacks are possible.

 Scenario 1: Attacking two wired hosts through a wireless

 1) A wireless attacker can perform a man in the middle attack
 against two wired machines talking to each other over the switch.
 This is similar to enterprise attack scenario 1. The success of this
 attack is particularly noteworthy because the average home user
 will expect that these gateway devices provide a separation
 between their wired and wireless networks. In fact, these products
 are popular precisely because the end user doesn't want to worry
 about securing a home network or doesn't know how to set up a
 secure home network. Most consumers want to buy an off-the-shelf
 solution that will do it for them without any headache.

 Scenario 2: Attacking a wireless client and wired host
 through a wireless vulnerability.

 2) A wireless attacker can perform a man in the middle attack
 against another wireless client talking to a wired machine in the
 user's home. This attack is very similar to the one previously described
 in enterprise scenario 2, except the switch is directly integrated
 with the access point. (The target 'wired' machine could actually
 even be the router within the gateway device.)

 A Drop in the Bucket

 The attack scenarios sketched out above are just a few of the
 many possible ways that wired and wireless networks can be
 integrated. They illustrate situations where various ARP related
 vulnerabilities can be exploited in several configurations that are
  likely to be found in current deployments. There are as many
 possible configurations as there are networks, so the reader is
 cautioned to examine how these risks apply to their own situation.
 Note that each of these scenarios can also be carried out in
 reverse, with the wired hosts performing man in the middle
 attacks against wireless clients. However, this situation is much
 less relevant in threat models against most networks.

 Mitigation Strategies

            After acknowledging the new risks introduced by wireless
 deployments, the next step is to determine the best ways to
 mitigate them. Technical mitigation strategies fall into two broad
 classes: methods of prevention and means of detection. Any
 mitigation activities must be carried out as the result of a mature risk
 management approach. That is, any technical decisions should be
 made in light of business context and threat model.

 Commercial Installations

      The enterprise scenarios described above apply to most
 commercial deployments of wireless systems. There are several
 levels of increasing protection that can be applied to strengthen
 the security of these systems.
      The first step is to separate the wireless network from the
 organizational wired network. Placing a firewall between the
 switch connecting the access points and the rest of the wired
 network will prevent the ARP attacks from spreading beyond the
 firewall. This technique does nothing to prevent ARP poisoning
 attacks directed against other wireless clients or the connection
 between wireless clients and the firewall itself. Firewalling at the
 access point has the added benefit of providing a way to filter out
 other attacks or unauthorized access attempts that may originate
 on the wireless network. Deploying a Virtual Private Network
 (VPN) to provide authentication and client-to-gateway security of
 transmitted data will also provide a partial solution. On a VPN
 protected network an attacker can still redirect and passively
 monitor the traffic via the ARP based attacks we describe, but this
 will only gain the attacker access to an encrypted data stream.
 Attackers will still have the ability to cause a denial of service by
 feeding bogus data into the ARP caches of clients, but the
 compromise of data will no longer be an issue if the VPN is
 implemented correctly. (This also addresses the weakness in using
 the WEP protocol, which makes it a particularly attractive option.)
 Note that completely securing a wireless network using a VPN
 solution involves more than simply setting up an external VPN
 server on the wired backbone network. While such a set up will
 protect wired traffic and wireless-to-wired connections, traffic
 between two wireless hosts will remain outside the scope of the
 VPN. To address this problem, several vendors have recently
 announced IPsec aware access points that will block all traffic from
 or to a host unless a secured connection with this host has been
 established. Other VPN aware access points are expected to
 become available as the inadequacy of current techniques
 becomes more widely recognized. Such products will have the
 added benefit of reducing the attacks outlined here from a wide-
 ranging compromise of network traffic to the minor annoyance of
 small-scale denial of service. Other, less optimal solutions include:
 isolating each access point with its own firewall, which limits ARP
 poisoning to clients within one wireless cell; and having vendors
 implement a roaming protocol based on routing instead of
 bridging, thus removing the need for access points to behave as
 bridges. Finally we note again that any and all applications
 designed for use over a wireless network must take into account
 the specific risk profile. Porting wired applications to wireless
 installations without revisiting the risks will lead to security


 Home Installations

  Home users should make an effort to separate wireless traffic
 from wired traffic. The combined home gateway devices currently
 do not offer any protection against these attacks. If combination
 devices are used, precautions should be taken on all individual
 machines. The use of static ARP entries on each host (through the
 'arp' command) will prevent ARP traffic from being generated,
 and prevent the overwriting of static entries with spurious ARP
 replies from the network. (Be careful, and make sure things really
 work this way with any particular OS. Some versions of Windows
 and other platforms are known to have flaws, allowing dynamic
 ARP replies to overwrite static entries.)
      One way to fix combined home gateway devices is to redesign
 them to route between the AP, switch, and ISP connection
 separately, instead of routing only between the combined
 AP/switch, and the ISP connection. This may require a new
 product cycle to get better gateways on the market, but it is likely
 that some home gateway devices will be able to fix this problem
 through a firmware upgrade.
            A third option, for technically savvy home users, is to
 build a 'three-legged' firewall to separate the three sources of
 traffic; one port on the firewall for a standalone access point, one
 for local wired traffic, and one for the upstream connection to an
 ISP. This provides the most flexibility, but requires significant
 knowledge to set up. This solution also allows security conscious
 users to add IPsec support to the firewall, and provide adequate
 encryption to their wireless traffic.

 Detection

    Detection of ARP poisoning attacks is needed for situations
 where prevention isn't possible, or as an assurance that the
 prevention methods are working. There are several methods for
 detecting ARP poisoning attacks in progress.
        The arpwatch tool provides email notification to
 administrators when IP to MAC bindings change on a local area
 network. Most ARP attack tools trigger a flurry of emails when
 they are used, alerting administrators to the problem.
 Unfortunately, DHCP address assignments also trigger alerts,
 limiting the applicability of this tool in DHCP enabled networks
 because of the large number of false positives.
        On machines that are the target of ARP poisoning attacks,
 detection is often possible by examining the contents of the ARP
 cache. If multiple entries map to the same MAC address, this is a
 strong indication that an attack of this sort may be in progress or
 may have recently occurred. Similarly, broadcast of reverse
 address resolution protocol (RARP) messages for the MAC of each
 machine expected to be on the network will provoke multiple
 answers for machines that are being actively attacked. This
 approach involves significant system administration overhead that
 may be unacceptable, since a list of all MAC addresses in use must
 be maintained.
        Finally, intrusion detection systems may be able to detect the
 excessive number of unsolicited ARP replies that are caused by
 the common tools running in their default configuration. Many of
 the tools are usable in a stealthy manner, but the average 'script
 kiddie' doesn't have a deep enough understanding of normal ARP
 traffic to correctly hide the attack.
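The cache inspection and unsolicited-reply checks above, as an added example that is not the paper's own code: a Python script that scans a constructed arp -a listing for one MAC claimed by several IPs, and runs an arpwatch-style binding monitor over constructed ARP events. The window, threshold and all addresses are assumptions.

```python
"""Added example (not from the paper): two of the detection checks the paper
lists, run over constructed sample data rather than a live interface.
(a) duplicate_macs() scans an `arp -a` style listing for one MAC claimed by
    several IPs; (b) ArpMonitor tracks IP-to-MAC bindings like arpwatch and
    counts replies that answer no recent request, the signal an IDS can use."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# (a) Constructed `arp -a` output as seen on a target host. 10.0.0.2 and
# 10.0.0.7 both resolving to ...:0c is the paper's "strong indication".
ARP_A_OUTPUT = """\
gateway (10.0.0.1) at 02:00:00:00:00:0a [ether] on wlan0
fileserver (10.0.0.2) at 02:00:00:00:00:0c [ether] on wlan0
printer (10.0.0.7) at 02:00:00:00:00:0c [ether] on wlan0
laptop (10.0.0.9) at 02:00:00:00:00:09 [ether] on wlan0
"""
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.I)


def duplicate_macs(arp_output: str) -> Dict[str, List[str]]:
    """Return {mac: [ips]} for each MAC claimed by more than one IP. A router
    that legitimately owns several IPs on one interface should be allow-listed
    by the caller to avoid a false positive."""
    by_mac: Dict[str, List[str]] = defaultdict(list)
    for m in ARP_LINE.finditer(arp_output):
        by_mac[m["mac"].lower()].append(m["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


# (b) Constructed ARP events: (seconds, op, sender_ip, sender_mac, target_ip).
ARP_EVENTS: List[Tuple[float, str, str, str, str]] = [
    (0.0, "request", "10.0.0.9", "02:00:00:00:00:09", "10.0.0.1"),
    (0.1, "reply", "10.0.0.1", "02:00:00:00:00:0a", "10.0.0.9"),  # genuine, solicited
    (5.0, "reply", "10.0.0.1", "02:00:00:00:00:0c", "10.0.0.9"),  # unsolicited rebind
    (5.0, "reply", "10.0.0.9", "02:00:00:00:00:0c", "10.0.0.1"),
    (6.0, "reply", "10.0.0.1", "02:00:00:00:00:0c", "10.0.0.9"),  # tools re-send to
    (6.0, "reply", "10.0.0.9", "02:00:00:00:00:0c", "10.0.0.1"),  # keep caches poisoned
]


class ArpMonitor:
    """Flags IP->MAC binding changes (what arpwatch mails about) and a sender
    MAC that issues `threshold` replies nobody asked for within `window_s`.
    A DHCP lease moving to another host also changes a binding, so binding
    alerts need a DHCP allow-list in practice (the paper's false-positive caveat)."""

    def __init__(self, window_s: float = 2.0, threshold: int = 3):
        self.window_s, self.threshold = window_s, threshold
        self.bindings: Dict[str, str] = {}
        self.requests: Dict[Tuple[str, str], float] = {}  # (asker, asked) -> time
        self.unsolicited: Counter = Counter()             # keyed by sender MAC
        self.alerts: List[str] = []

    def feed(self, t: float, op: str, sender_ip: str, sender_mac: str,
             target_ip: str) -> None:
        if op == "request":
            self.requests[(sender_ip, target_ip)] = t
        else:
            # A reply is solicited only if its target asked about this IP recently.
            asked_at = self.requests.get((target_ip, sender_ip))
            if asked_at is None or t - asked_at > self.window_s:
                self.unsolicited[sender_mac] += 1
                if self.unsolicited[sender_mac] == self.threshold:
                    self.alerts.append(
                        f"{sender_mac}: {self.threshold} unsolicited replies")
        old = self.bindings.get(sender_ip)
        if old is not None and old != sender_mac:
            self.alerts.append(f"changed: {sender_ip} was {old}, now {sender_mac}")
        self.bindings[sender_ip] = sender_mac

    def run(self, events) -> List[str]:
        for ev in events:
            self.feed(*ev)
        return self.alerts
```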

 Conclusion

      Cigital discovered a new class of wireless attacks that can be
 used to gain unauthorized access to normally protected machines
 on a standard wire-based internal network. Wireless networks
 involve installation of a wireless Access Point on a normal internal
 network. This Access Point is usually connected to the wired
 network through a switch or a hub. The attacks discovered by
 Cigital are based on an adaptation of a well-understood network
 attack from the non-wireless world known as ARP cache
 poisoning. This emphasizes the importance of re-considering old
 risks in light of new technologies, something that is especially
 important in software-based systems. Mitigating the risks of these
 attacks is possible. The best fix involves placing a technical barrier
 between the wireless network and the normal wired network. This
 provides only a partial solution that leaves the wireless network in
 a compromised state, though it protects against the worst of the
 attack class Cigital discovered. Further risks can be mitigated
 through advanced design of any and all software applications that
 make use of the wireless network. Cigital provides services to help
 companies adjust their architecture and assess the risks inherent
 in their wireless applications.

 Wireless Communication Policy

      This section sets forth the policies for using wireless
 technologies and assigns responsibilities for the deployment of
 wireless services and the administration of the wireless radio
 spectrum. This policy describes how wireless technologies are to
 be deployed, administered and supported at the UC Davis
 campus. It refines and expands the policies in PPM 310-16 by
 adding specific content addressing wireless communications and
 the resolution of interference issues that might arise during use of
 specific frequencies. The policy couples the desire for campus
 constituencies to deploy wireless technologies with a central
 administrative desire to assure that all constituents be assured of
 deploying such systems with an acceptable level of service quality
 and security.

       Wireless Ethernet systems and interface cards will be
 deployed at UC Davis to support both administrative and academic
 applications. This policy guides such deployments. Policies and
 guidelines for deployment of these systems are essential to:
 1. Prevent interference between different departmental
 implementations and other uses of the wireless spectrum
 2. Safeguard security of campus network systems
 3. Ensure that a baseline level of connection service quality is
 provided to a diverse user community. This policy helps define the
 levels of service that the campus community should assume to be
 part of the campus wireless infrastructure.


 Scope of the Policy

 The Vice Provost, Information and Educational Technology (IET),
 is responsible for providing a secure and reliable campus network
 to support the mission of the University. Under this broad
 responsibility IET must foster campus-wide network standards
 (wired and wireless) to meet the networking requirements of all
 campus constituencies and limit access to network connections
 which do not conform to generally accepted standard network
 protocols and security measures. The policies stated below deal
 with known concerns and in aggregate do not necessarily form a
 comprehensive policy statement. Electronic communications is
 changing rapidly both in terms of technology and application and
 additional policy questions will surely arise in this area. This
 policy, other relevant UC Davis and system policies, and all
 applicable laws govern use of Electronic Communications

 Scope of Service: This policy defines the levels of service that
 the campus community should assume to be part of the campus
 wireless infrastructure. It defines the roles of the campus units
 and IET for deploying and administering the wireless
 infrastructure for the campus.

 Network Reliability: In a wireless environment, network
 reliability is a function both of the level of user congestion (traffic
 loads) and service availability (interference and coverage). In
 efforts to provide an acceptable level of reliability, this policy
 establishes a method for resolving conflicts that may arise from
 the use of the wireless spectrum. The campus approaches the
 shared use of the wireless radio frequencies in the same way that
 it manages the shared use of the wired network. While IET does
 not actively monitor use of the airspace for potential interfering
 devices, we will respond to reports of specific devices that are
 suspected of causing interference and disrupting the campus
 network. Where interference between the campus network and
 other devices cannot be resolved, IET reserves the right to restrict
 the use of all wireless devices in university-owned buildings and
 all outdoor spaces.

 Security: The maintenance of the security and integrity of the
 campus network requires adequate means of ensuring that only
 authorized users are able to use the network. Wireless devices
 utilizing the campus wired infrastructure must meet certain
 standards to ensure only authorized and authenticated users
 connect to the campus network and that institutional data used by
 campus users and systems not be exposed to unauthorized

 Support: This policy defines the responsibilities of campus units
 and centralized support organizations for the planning,
 deployment, management and development of wireless network
 equipment and services. The policy describes the responsibilities
 for Department heads that want to provide wireless network
 facilities and the role of Information & Educational Technology for
 ensuring overall integrity of the campus network. Policy
 statements herein generally provide for IET to support the public
 accessible wireless environments on the campus and departments
 providing support for wireless networking within campus buildings
 used by departments. However, the Vice Provost for Information &
 Educational Technology or designee may delegate responsibility
 for public accessible wireless environments where the public area
 is used exclusively by a campus department and may at the
 request of a department head provide support to the department
 under negotiated terms and conditions.


 Access Point: An access point is a piece of wireless
 communications hardware, which creates a central point of
 wireless connectivity. Similar to a "hub", the access point is a
 common connection point for devices in a wireless network.
 Access points can be used to connect segments of a LAN, using
 transmit and receive antennas instead of ports for access by
 multiple users of the wireless network. Similar to standard wired
 “hubs”, access points are shared bandwidth devices and can be
 connected to the wired network via a NAM, allowing wireless
 access to the campus network.

 Baseline Level of Connection Service Quality: The baseline
 level of connection service quality is determined by factors that
 can affect radio transmissions, such as distance from the access
 point, number of users sharing the bandwidth, state of the
 environment from which the transmission is taking place, and the
 presence of other devices that can cause interference. Acceptable
 throughput levels should be specified within service level

 Coverage: Coverage is the geographical area where a baseline
 level of wireless connection service quality is attainable.

 Interference: Interference is the degradation of a wireless
 communication signal caused by electromagnetic radiation from
 another source. Such interference can either slow down a wireless
 transmission or completely eliminate it, depending on the strength
 of the signal.

 Privacy: Privacy is the condition that is achieved when
 successfully maintaining the confidentiality of personal, student
 and/or employee information transmitted over a wireless network.

 Security: Security, as used in this policy, not only includes
 measures to protect electronic communication resources from
 unauthorized access, but also includes the preservation of
 resource availability and integrity.

 Wireless Infrastructure: Wireless infrastructure refers to
 wireless access points, antennas, cabling, power, and network
 hardware associated with the deployment of a wireless
 communications network.

 Responsibility for Wireless Access Points: Campus
 responsibility for electronic communication resources resides with
 the Vice Provost for Information and Educational Technology. The
 Vice Provost for Information and Educational Technology or
 designee must approve all installations of wireless access points
 used on the campus.

 1. Wireless equipment and users must follow general
 communications policies. Wireless services are subject to the
 same rules and policies that govern other electronic
 communications services at UC Davis.
 2. Abuse of, or interference with, other activities is a violation
 of acceptable use. Interference with or disruption of other
 authorized communications, or unauthorized interception of other
 traffic, is a violation of policy.
 3. Radio communication, due to its dependence on a scarce and
 shared resource, is subject to additional rules concerning
 interference and shared use.
 a. Wireless access points must meet all applicable rules of
 regulatory agencies, such as the:
 1. Federal Communications Commission
 2. Public Utilities Commission
 b. Wireless access points must be installed so as to minimize
 interference with other RF activities, particularly as described
 4. Only hardware and software approved by the Vice Provost for
 Information and Educational Technology or designee shall be used
 for wireless access points.

 5. Deployment and management of wireless access points in
 common areas of the campus is the responsibility of the Vice
 Provost for Information and Educational Technology or designee.
 Common areas of the campus include, but are not limited to,
 a. Public access area and general conference room areas
 b. Open seating areas where members of the community may sit
 and work
 c. Cafes
 d. Lounges
 e. General Lecture halls
 f. Where wireless networks installed by two or more campus units
 might interfere
 g. Outside space where people meet/gather/study

 6. Department heads are responsible for wireless access points
 within campus buildings used by the department. Where more
 than one department shares a common building, the Department
 heads may jointly share responsibility for wireless access points in
 that building or request the Vice Provost for Information and
 Educational Technology or designee to take responsibility for the
 wireless access points in that building.
 7. Department heads shall register any deployment of wireless
 access points with the Vice Provost for Information and
 Educational Technology or designee. This registration shall provide
 the information requested by the Vice Provost for Information and
 Educational Technology or designee.
 a. Registration can be performed via an IET web site.
 b. Information about registered stations will be available to
 system administrators via an IET web site.

 8. Installation of Access Points
 a. Installation of antennas must comply with all federal and state
 regulations for antennas.
 b. The installation of access points and bridging devices must be
 consistent with health, building, and fire codes.

 Security: General access to the network infrastructure, including
 wireless infrastructure, will be limited to individuals authorized to
 use campus and Internet resources. Users of campus and Internet
 resources shall be authenticated. Exhibit A contains further
 information on security architectures for wireless networks.
 1. Physical security of wireless access points will be maintained to
 protect the access point from theft or from access to its data port.
 2. Password and data protection is the responsibility of the
 application. The wireless infrastructure will not provide specialized
 encryption or authentication that applications may rely on. In
 particular, no application should rely on IP address based security
 or reusable clear text passwords. It is expected instead that
 service machines will require their own general or
 application-level authentication, authorization and encryption
 mechanisms to be used by clients entering from any unprotected
 network.
 3. Access points shall enforce user authentication at the access
 point before granting access to campus or Internet services.
 Wireless network interfaces shall support authentication to access
 the campus wireless network.

 Interference: Wireless networking equipment is an inexpensive,
 shared-medium technology that uses the unlicensed frequency
 bands to create small local area network cells. These cells can be
 further linked together over an underlying wired network to create
 an extended wireless network covering whole buildings or wider
 areas. The success of any wide wireless networking deployment
 requires that all equipment operating in the frequency spectrum
 be carefully installed and configured to avoid physical and logical
 interference between components of different network segments
 and other equipment.
 1. In the event that a wireless device interferes with other
 equipment, the Vice Provost for Information and Educational
 Technology or designee shall resolve the interference as
 determined by use priority.
 2. The order of priority for resolving unregulated frequency
 spectrum use conflicts shall be according to the following priority:
 a. Research
 b. Instruction
 c. Administration
 d. Public Access
 e. Personal

 Suitability: Wireless networks are not a substitute for wired
 network connections. Wireless should be viewed as an
 augmentation to the wired network to extend the network for
 general access to common and transient areas.
 1. Wireless is appropriate for “common areas” where students,
 staff, and faculty gather. Common areas most appropriate for
 wireless use include, but are not limited to, instructional labs,
 public areas, and research labs.
 2. Wireless networking is most applicable for uses such as email
 and web browsing. Unless using encrypted protocols, wireless
 devices should not be used for connecting to campus business
 systems such as human resources, payroll, student information,
 financial information systems, or other systems that contain
 sensitive information or are critical to the mission of the
 3. Wireless access points provide a shared bandwidth. As the
 number of users increases, the available bandwidth per user
 diminishes. Before deploying wireless networking in common
 areas, the advice of the Vice Provost for Information and
 Educational Technology or designee should be sought regarding
 the ratio of users to access points.
 4. New plans for buildings and gathering areas should consider the
 need for and use of wireless networking, similar to the planning
 done currently for wired networking.
 5. Users of wireless should consider all unencrypted
 communications over the network as insecure and available to
 others, and all content as clear text.
