Wireless LAN-802.11 Security White paper
vAptus Consultancy Services Pvt. Ltd 109, 7th Main, Maruthi Layout BTM Extension, Bangalore 560 029 Tel: +91 080 678 2544 / 668 1631 www.vaptus.com
Document No.: | Authorized by: Omprakash.S.P | Version No.: 1.00 | Date: 14-Jul-09
WLAN Security White Paper
Wireless LAN-802.11 Security
Table of Contents
1. Introduction
2. Vulnerabilities in Wireless LANs
2.1. Policy Violations
2.2. Identity Theft
2.3. Man-in-the-Middle Attacks
2.4. Denial-of-Service
2.5. Physical Level Vulnerabilities
2.6. Higher Level Vulnerabilities
2.7. Drive-by Hacking
3. 802.1x Security Issues
3.1. What Is WEP?
3.2. Security Issues in Shared Key & WEP
3.3. 4 Major Vulnerabilities in WEP
3.4. WEP Flaws
3.5. Seven Security Problems of 802.11 Wireless
4. 802.1x Authentication
5. Layered Approach to Security
6. Simple Security Protections
6.1. Turn SSID Broadcasting "Off."
6.2. Utilize Static IP Addresses.
6.3. Turn WEP "On."
6.4. Utilize Shared Key Authentication.
6.5. Install/Activate Personal Firewalls.
7. Advanced Security Mechanisms
7.1. Utilize a Virtual Private Network (VPN).
7.2. Implement Mutual Authentication Mechanisms.
7.3. Place Access Points Outside the Enterprise Firewall.
7.4. Minimize Radio Wave Propagation in Non-User Areas.
7.5. The Bottom Line
8. 802.11 Standard Security Mechanisms
8.1. Wired Equivalent Privacy Protocol
8.2. Open System Authentication
8.3. Shared Key Authentication
8.4. Closed Network Access Control
8.5. Access Control Lists
8.6. Key Management
14-Jul-09
Ver 1.0
i
1. Introduction
The mobility and productivity benefits of 802.11 wireless local-area networks do not have to put your information assets at risk. While the many risks associated with wireless LANs have made headlines in the last year, security-conscious enterprises are deploying secure wireless LANs by implementing a few practical steps to protect their information assets, identify vulnerabilities, and protect the network from wireless-specific attacks. Understanding these risks, and how to build a security solution for 802.11a, 802.11b and 802.11g, is a good stepping stone toward securing any wireless deployment.
2. Vulnerabilities in wireless LANs
2.1. Policy violations
Authorized users who violate network policy by attaching rogue access points, sharing files, or turning off security measures circumvent your investment in network security.
2.2. Identity theft
Intruders can pick off Service Set Identifiers (SSIDs) and Media Access Control (MAC) addresses from the air and use them to impersonate an authorized user.
2.3. Man-in-the-Middle attacks
An attacker can insert a rogue station between an authorized station and an access point so that all traffic between the two passes through the rogue station.
2.4. Denial-of-Service
Outsiders who cannot gain access to a WLAN can nonetheless disrupt it by jamming, by flooding the airwaves with noise that causes WLAN frames to collide, or by forcing stations to continuously disconnect from access points (for example with spoofed management frames, which 802.11 neither encrypts nor authenticates).
2.5. Physical level vulnerabilities
Frequency-hopping spread spectrum (FHSS) sends data in short bursts on a sequence of different frequencies, and a receiver must follow the hopping pattern. If the pattern is generated in pure hardware it repeats over a short period, and an intruder who knows what to look for can exploit this; a software-driven hopping generator allows longer patterns and makes the physical layer less vulnerable. Note, however, that the hopping patterns used by 802.11 FHSS are fixed by the standard and the pattern in use is announced in Beacon frames, so hopping provides no real secrecy. Its practical benefit is robustness: it is difficult to block traffic by sending junk data on individual channels, and data can still be delivered reliably in the presence of interference from ordinary electronic devices.
Direct-sequence spread spectrum (DSSS) spreads each transmitted bit over a longer chip sequence, which gives resistance to narrowband interference and allows some errors to be corrected without retransmission. The design goal here is error correction rather than privacy, so the method offers no protection against physical-level interception.
Narrowband transmission (communication on a single fixed radio frequency) is not part of IEEE 802.11, probably because it is easy to block and offers no low-level privacy.
2.6. Higher level vulnerabilities
One concern in wireless LANs (as in wired LANs) is that source and destination addresses are not encrypted even when the data is. An intruder can see the direction and volume of traffic and draw conclusions from it. Data is also encrypted only between stations, over the air link, and not end to end, which can be exploited by an intruder who already has access to the network.
Key management is left to the network operator, which may be good or bad depending on the operator. It is implemented in non-standard ways, which adds to the workload of the operator and of a would-be intruder alike (security by obscurity).
Another common pitfall is that anyone who gains access to the network has access to the entire network (poor user authentication); access barriers inside the network must be implemented by other means. A wireless LAN is not safe merely because it has low-level encryption: the data can still be sniffed at a higher layer by someone who already has access to the network.
LANs are usually connected to the Internet, and without firewalls there is no real security. A wireless LAN shares all the vulnerabilities of an ordinary wired LAN.
2.7. Drive-by Hacking
Attackers can park in a company's parking lot and simply "become a node" on the firm's wireless network, an attack known as authentication spoofing. "Unlike physical cables, it's really difficult to control how far radio waves go." An attacker can drive the whole length of a building and never lose 802.11 coverage while picking up wireless LAN signals from the car.
WEP is particularly vulnerable to attackers in cars, and there have been cases of hackers using parabolic dishes to pick up wireless network signals from as far as eight miles away. One of the most significant problems in the WEP algorithm is the way it encrypts packets with a stream cipher: whenever two packets are encrypted with the same key and the same Initialization Vector (an IV collision), the XOR of the two ciphertexts equals the XOR of the two plaintexts, so an attacker who learns the plaintext of one packet can decrypt every other packet that used that IV. In addition, many commercial wireless Ethernet cards are vulnerable because all mobile clients on the network share the same encryption key. "Attackers just need to know a single plain-text packet and its corresponding encrypted packet," which can be obtained by pinging a company's network or sending it spam traffic. "It's a correct encryption of the message, so the receiver has no reason to reject it." That allows an attacker to inject packets of data, for example into financial transactions with changed dollar amounts. "WEP is assumed to be cracked now." "If you watch enough good traffic on a WEP network, you can crack everything in about 12 hours." (Those estimates predate the Tews-Weinmann-Pyshkin attack of 2007, which recovers a 104-bit WEP key from roughly 40,000 to 85,000 captured frames, typically in minutes; the conclusion that WEP offers no confidentiality has only hardened since.)
3. 802.1x Security Issues
The current 802.11 standard defines two security mechanisms:
- Shared Key Authentication, designed to provide access control; and
- WEP encryption (the Wired Equivalent Privacy algorithm), designed to provide confidentiality.
3.1. What Is WEP?
WEP relies on a secret key shared between a mobile station (e.g. a laptop with a wireless Ethernet card) and an access point (i.e. a base station). The secret key is used to encrypt packets before they are transmitted, and an integrity check is used to ensure that packets are not modified in transit. The standard does not say how the shared key is established. In practice, most installations use a single key that is shared between all mobile stations and access points. More sophisticated key management techniques could help defend against the attacks described below; however, no commercial system the authors were aware of supported such techniques.
3.2. Security issues in Shared Key & WEP
Most importantly, WEP and Shared Key authentication are optional, and are turned off by default on access points. The 802.11 signal can travel surprisingly large distances from the access point, often a thousand feet or more, allowing attackers to connect from outside the building, such as from a parking lot or the street (hence the term "drive-by hacking"). The WEP and Shared Key protocols have been shown to contain significant cryptographic errors that allow attacks on both the confidentiality and the access control functions.
3.3. 4 Major Vulnerabilities in WEP
- A single, static key shared by all stations.
- Weak RC4 encryption.
- Roughly 1 in every 256 keys is known to be a weak key that leaks key material (the weak-key class exploited by the Fluhrer-Mantin-Shamir attack).
- The checksum (CRC-32 integrity check) can be compromised without detection by bit flipping.
3.4. WEP Flaws
3.4.1. Passive attacks to decrypt traffic based on statistical analysis
The first attack follows directly from the reuse of initialization vectors: the IV is only 24 bits, so a busy access point exhausts the IV space within a few hours, and many cards reset the IV to zero on initialization. A passive eavesdropper can intercept all wireless traffic and wait for an IV collision. By XORing two packets that use the same IV, the attacker obtains the XOR of the two plaintext messages, which can be used to infer data about the contents of both. IP traffic is often very predictable and includes a lot of redundancy, which eliminates many possibilities for the contents of the messages; further educated guesses about the contents of one or both messages statistically reduce the space of possible messages, and in some cases it is possible to determine the exact contents. When such statistical analysis is inconclusive from only two messages, the attacker can look for more collisions of the same IV. With only a small increase in the time required, it is possible to recover a modest number of messages encrypted with the same key stream, and the success rate of statistical analysis grows quickly. Once the entire plaintext of one message is recovered, the plaintext of all other messages with the same IV follows directly, since all the pairwise XORs are known.
An extension of this attack uses a host somewhere on the Internet to send traffic from the outside to a host on the wireless network. The contents of such traffic are known to the attacker, yielding known plaintext. When the attacker intercepts the encrypted version of his message sent over 802.11, he can decrypt all packets that use the same initialization vector.
3.4.2. Active attack to inject new traffic
Suppose an attacker knows the exact plaintext of one encrypted message. He can use this knowledge to construct correct encrypted packets: build a new message, calculate its CRC-32, and flip bits in the original encrypted message so that the plaintext changes to the new message. The basic property is that RC4(X) xor X xor Y = RC4(Y), where RC4(M) denotes M encrypted under the RC4 key stream. The packet can now be sent to the access point or mobile station, and it will be accepted as valid.
A slight modification makes this attack much more insidious. Even without complete knowledge of the packet, it is possible to flip selected bits in a message and adjust the encrypted CRC accordingly, because CRC-32 is linear: the CRC of the modified message differs from the original by a value that depends only on the bits flipped, not on the message. If the attacker has partial knowledge of the contents of a packet, he can intercept it and modify it selectively. For example, it is possible to alter commands sent to a shell over a telnet session, or interactions with a file server.
3.4.3. Active Attack from Both Ends
The previous attack can be extended further to decrypt arbitrary traffic. Here the attacker guesses not the contents but the headers of a packet. This information is usually quite easy to obtain or guess; in particular, all that is needed is the destination IP address. Armed with this knowledge, the attacker can flip the appropriate bits to change the destination IP address to a machine he controls somewhere on the Internet, and transmit the packet from a rogue mobile station. Most wireless installations have Internet connectivity, so the access point decrypts the packet and forwards it unencrypted through the appropriate gateways and routers to the attacker's machine, revealing the plaintext. If a guess can be made about the TCP headers, it may even be possible to change the destination port to 80, which will allow the packet through most firewalls.
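To make the three attacks in 3.4.1 to 3.4.3 concrete, here is an added example (written for this edition of the paper; it is not code from the original document) that implements a toy WEP encapsulation, RC4 keyed with IV || secret key and a CRC-32 integrity check value, and then carries out keystream reuse after an IV collision, bit flipping with ICV adjustment, and redirection of a packet by rewriting a destination field. The 5-byte key, the reused IV, the "DST=..." plaintexts and the 3-byte IV prefix are all constructed for the demonstration; a real 802.11 WEP frame carries the IV in a 4-byte header with a key ID byte, and the attacker would flip bits in the IP header rather than in a text field. Nothing below needs the secret key.

```python
"""Toy WEP (RC4 + CRC-32 ICV) and the classic attacks on it.
Added example, not code from the original paper. Frame layout is simplified
to iv (3 bytes) || RC4(iv || key, plaintext || ICV). Key, IV and plaintexts
are constructed for the demonstration."""
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: an unkeyed CRC-32 of the plaintext."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return the plaintext, or None if the ICV check fails (the receiver's view)."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    pt, tag = body[:-4], body[-4:]
    return pt if tag == icv(pt) else None


# 3.4.1: two frames under the same IV share a keystream
def xor_of_plaintexts(frame_a: bytes, frame_b: bytes) -> bytes:
    """With an IV collision, XOR of ciphertexts == XOR of (plaintext || ICV)s."""
    assert frame_a[:3] == frame_b[:3], "attack needs an IV collision"
    return xor(frame_a[3:], frame_b[3:])


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext (e.g. traffic the attacker sent in from the Internet)
    gives the keystream for that IV, with no key material at all."""
    return xor(frame[3:], known_plaintext + icv(known_plaintext))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Decrypt another frame that reused the IV, as far as the keystream reaches."""
    return xor(frame[3:], keystream)


# 3.4.2 / 3.4.3: flip plaintext bits and fix the encrypted ICV
def forge(frame: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Change plaintext bytes `old` -> `new` at `offset` inside a captured frame
    and adjust the ICV so the receiver accepts it. Works because CRC-32 is
    affine: crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros of the same length)."""
    assert len(old) == len(new)
    plen = len(frame) - 3 - 4                      # plaintext length
    delta = bytearray(plen)
    delta[offset:offset + len(old)] = xor(old, new)
    delta = bytes(delta)
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(plen))) & 0xFFFFFFFF
    mask = delta + struct.pack("<I", icv_delta)
    return frame[:3] + xor(frame[3:], mask)


def demo() -> dict:
    key = b"\x01\x02\x03\x04\x05"                  # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                           # IV reused by both frames
    p_victim = b"DST=10.0.0.20 amount=100"          # victim's frame, unknown
    p_known = b"DST=10.0.0.20 ping-from-attacker..."  # attacker chose this one
    f_victim = wep_encrypt(key, iv, p_victim)
    f_known = wep_encrypt(key, iv, p_known)
    # 3.4.1: keystream from the known frame decrypts the victim's frame
    ks = recover_keystream(f_known, p_known)
    recovered = decrypt_with_keystream(f_victim, ks)[:len(p_victim)]
    # 3.4.2: change the amount; 3.4.3: redirect to an attacker-controlled host
    tampered = forge(f_victim, p_victim.index(b"100"), b"100", b"900")
    redirected = forge(f_victim, p_victim.index(b"10.0.0.20"), b"10.0.0.20", b"10.0.0.99")
    return {"recovered": recovered,
            "tampered": wep_decrypt(key, tampered),      # accepted, amount=900
            "redirected": wep_decrypt(key, redirected)}  # accepted, new DST
```

The receiver in `demo()` accepts both forged frames because the ICV still matches; only a keyed integrity check (as 802.11i later added with Michael and then CCMP) defeats this, since an attacker can compute the CRC-32 correction without the key.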
3.4.4. Table-based Attack
The small space of possible initialization vectors (2^24) allows an attacker to build a decryption table. Once he learns the plaintext for some packet, he can compute the RC4 key stream generated by the IV used. This key stream can be used to decrypt all other packets that use the same IV. Over time, perhaps using the techniques above, the attacker can build up a table of IVs and corresponding key streams. This table requires a fairly small amount of storage (~15 GB); once it is built, the attacker can decrypt every packet that is sent over the wireless link.
In summary, WEP is open to: passive attacks that decrypt traffic by statistical analysis; active attacks that inject new traffic from unauthorized stations, based on known plaintext; active attacks that decrypt traffic by tricking the access point; and a dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated decryption of all traffic.
These attacks apply equally well to both the 40-bit and the so-called 128-bit versions of WEP. Anyone using an 802.11 wireless network should not rely on WEP for security, and should employ other security measures to protect the wireless network.
3.5. Seven Security Problems of 802.11 Wireless
3.5.1. Problem #1: Easy Access
Wireless LANs are easy to find. Strictly speaking, this is not a security threat. All wireless networks need to announce their existence so potential clients can link up and use the services provided by the network. 802.11 requires that networks periodically announce their existence to the world with special frames called Beacons. However, the information needed to join a network is also the information needed to launch an attack on it. Beacon frames are not processed by any privacy functions, which means that your 802.11 network and its parameters are available to anybody with an 802.11 card. "War drivers" have used high-gain antennas and software to log the appearance of Beacon frames and associate them with a geographic location using GPS. Short of moving into heavily shielded office space that does not allow RF signals to escape, there is no solution for this problem. The best you can do is to mitigate the risk with strong access control and encryption, so that the wireless network cannot be used as an easy entry point into the wired network: deploy access points outside firewalls, and protect sensitive traffic with VPNs.
3.5.2. Problem #2: "Rogue" Access Points
Easy access to wireless LANs is coupled with easy deployment. When combined, these two characteristics can cause headaches for network administrators. Any user can run to a nearby computer store, purchase an access point, and connect it to the corporate network without authorization. Many access points are now priced well within the signing authority of even the most junior managers. Departments may also be able to roll out their own wireless LANs without authorization from the powers that be. "Rogue" access points deployed by end users pose great security risks. End users are not security experts, and may not be aware of the risks posed by wireless LANs. Most existing small deployments mapped by war drivers do not enable the security features on products, and many access points have had only minimal changes made to the default settings. It is hard to believe that end users within a large corporation will do much better. Unfortunately, no good solution exists to this concern. Tools like NetStumbler allow network administrators to wander their building looking for unauthorized access points, but it is expensive to devote time to wandering the building looking for new access points. Monitoring tools will also pick up other access points in the area, which may be a concern if you are sharing a building or a floor with another organization. Their access points may cover part of your floor space, but their access points do not directly compromise your network and are not cause for alarm. The periodic "walk-through" of your campus is the only way to address the threat of unauthorized deployment. At least network analyzers are moving to a handheld form, so you won't have to carry as much.
3.5.3. Problem #3: Unauthorized Use of Service
Several war drivers have published results indicating that a clear majority of access points are put in service with only minimal modifications to their default configuration. Nearly all of the access points running with default configurations have not activated WEP (Wired Equivalent Privacy) or have a default key used by all the vendor's products out of the box. Without WEP, network access is usually there for the taking. Two problems can result from such open access. In addition to bandwidth charges for unauthorized use, legal problems may result. Unauthorized users may not necessarily obey your service provider's terms of service, and it may take only one spammer to cause your ISP to revoke your connectivity. Whether unauthorized use is a problem depends on the objectives of the service. For corporate users extending wired networks, access to wireless
networks must be as tightly controlled as for the existing wired network. Strong authentication is a must before access is granted to the network. If you have deployed a VPN to protect the network from wireless clients, it probably has strong authentication capabilities already built-in. Administrators can also choose to use 802.1x to protect the network from unauthorized users at the logical point of attachment. 802.1x also allows administrators to select an authentication method based on Transport Layer Security (TLS), which can be used to ensure that users attach only to authorized access points. Not all networks, however, need to deploy ironclad user authentication. Theft of service was a major concern for connectivity providers in "hot spots" such as hotels and airports. After all, the business model was to charge for network access, so preventing unauthorized access was a business requirement. In the wake of the spectacular failure of some of the former big-name players like Mobile Star, the hot-spot connectivity industry is experimenting with new business models. Newer players in the market have based the business model on the idea that free wireless network access is an amenity that might draw guests and convention business. In this newer business model, user authentication is necessary only to ensure accountability. Authentication using a Web browser is a perfectly acceptable solution because it allows sessions to be identified and does not require specialized client software or a certain model of 802.11 network interface.
3.5.4. Problem #4: Service and Performance Constraints
Wireless LANs have limited transmission capacity. Networks based on 802.11b have a bit rate of 11 Mbps, and networks based on the newer 802.11a technology have bit rates up to 54 Mbps. This capacity is shared between all the users associated with an access point. Due to MAC-layer overhead, the actual effective throughput tops out at roughly half of the nominal bit rate. It is not hard to imagine how local area applications might overwhelm such limited capacity, or how an attacker might launch a denial of service attack on the limited resources. Radio capacity can be overwhelmed in several ways. It can be swamped by traffic coming in from the wired network at a rate greater than the radio channel can handle. If an attacker were to launch a ping flood from a Fast Ethernet segment, it could easily overwhelm the capacity of an access point. Depending on the deployment scenario, it might even be possible to overwhelm several access points by using a broadcast address as the destination of the ping flood. Attackers could also inject traffic into the radio network without being attached to a wireless access point. The 802.11 MAC is designed to allow multiple networks to share the same space and radio channel. Attackers
wishing to take out the wireless network could send their own traffic on the same radio channel, and the target network would accommodate the new traffic as best it could using the CSMA/CA mechanisms in the standard. Large traffic loads need not be maliciously generated, either, as any network engineer can tell you. Large file transfers or complex client/server systems may transfer large amounts of data over the network to assist users with their jobs. If enough users start pulling vast tracts of data through the same access point, network access may resemble sucking molasses through a straw north of the Arctic Circle in January. Addressing performance problems starts with monitoring and discovering them. Many access points will report statistics via SNMP, but not with the level of detail required to make sense of end-user performance complaints. Wireless network analyzers can report on the signal quality and network health at a single location, but tools designed for wireless network administrators are only beginning to emerge. The initial commercial wireless analyzer offerings were straightforward ports of their wired cousins; new products such as Air Magnet’s handheld analyzer look like extremely promising additions to the wireless network engineer's toolkit. No enterprise-class wireless network management system has yet emerged. Some performance complaints could be addressed by deploying a traffic shaper at the point at which a wireless LAN connects to your network backbone. While this will not defend against denial of service attacks, it may help prevent heavy users from monopolizing the radio resources in an area.
3.5.5. Problem #5: MAC Spoofing and Session Hijacking
802.11 networks do not authenticate frames. Every frame has a source address, but there is no guarantee that the station sending the frame actually put the frame "in the air." Just as on traditional Ethernet networks, there is no protection against forgery of frame source addresses. Attackers can use spoofed frames to redirect traffic and corrupt ARP tables. At a much simpler level, attackers can observe the MAC addresses of stations in use on the network and adopt those addresses for malicious transmissions. To prevent this class of attacks, user authentication mechanisms are being developed for 802.11 networks. By requiring authentication by potential users, unauthorized users can be kept from accessing the network. (Denial of service attacks will still be possible, though, because nothing can keep attackers from having access to the radio layer.) The basis for the user authentication mechanism is the 802.1x standard ratified in June 2001. 802.1x can be used to require user authentication
before accessing the network, but additional features are necessary to provide all of the key management functionality wireless networks require. At the time the underlying survey was written those features were being ironed out by Task Group I; they were ratified as 802.11i in June 2004 and are the basis of WPA2. Attackers can use spoofed frames in active attacks as well. In addition to hijacking sessions, attackers can exploit the lack of authentication of access points. Access points are identified by their broadcasts of Beacon frames. Any station that claims to be an access point and broadcasts the right service set identifier (SSID, also commonly called a network name) will appear to be part of an authorized network. Attackers can easily pretend to be an access point because nothing in 802.11 requires an access point to prove that it really is one. At that point, the attacker could potentially steal credentials and use them to gain access to the network through a man-in-the-middle (MITM) attack. Fortunately, protocols that support mutual authentication are possible with 802.1x. Using methods based on TLS, access points must prove their identity before clients provide authentication credentials, and credentials are protected by strong cryptography for transmission over the air. Session hijacking will not be completely solved until the 802.11 MAC adopts per-frame authentication. Until that point, if session hijacking is a concern, you must deploy a cryptographic protocol on top of 802.11 to protect against it.
3.5.6. Problem #6: Traffic Analysis and Eavesdropping
802.11 provides no protection against attacks that passively observe traffic. The main risk is that 802.11 does not provide a way to secure data in transit against eavesdropping. Frame headers are always "in the clear" and are visible to anybody with a wireless network analyzer. Security against eavesdropping was supposed to be provided by the much-maligned Wired Equivalent Privacy specification. A great deal has been written about the flaws in WEP. It protects only the initial association with the network and user data frames. Management and control frames are not encrypted or authenticated by WEP, leaving an attacker wide latitude to disrupt transmissions with spoofed frames. Early WEP implementations are vulnerable to cracking by tools such as AirSnort and WEPCrack. Vendors responded with firmware that avoids the "weak" IVs those tools rely on, and with key management protocols that change the WEP key every 15 minutes, on the reasoning that even the busiest wireless LAN does not generate enough data for those attacks to recover the key in 15 minutes. Neither measure holds up against later attacks: the KoreK (2004) and Tews-Weinmann-Pyshkin (2007) key-recovery attacks do not depend on weak IVs, need only tens of thousands of frames, and can be fed by ARP-request replay, so a 15-minute rekey interval is no longer a safe assumption.
Whether you rely on WEP alone or layer stronger cryptographic solutions on top of it is a question of risk management, but the margin has narrowed: a claim of "no known vulnerabilities" could also have been made in July 2001, before the first generation of WEP-cracking tools, and no such claim has survived since. If your wireless LAN carries sensitive data, WEP is insufficient for your needs. Strong cryptographic solutions such as SSH, SSL/TLS and IPsec were designed to transmit data securely over public channels, have proven resistant to attack over many years, and will provide a much higher level of security.
3.5.7. Problem #7: Higher Level Attacks
Once an attacker gains access to a wireless network, it can serve as a launch point for attacks on other systems. Many networks have a hard outer shell composed of perimeter security devices that are carefully configured and meticulously monitored. Inside the shell, though, is a soft, vulnerable (and tasty?) center. Wireless LANs can be deployed quickly if they are directly connected to the vulnerable backbone, but that exposes the network to attack. Depending on the perimeter security in place, it may also expose other networks to attack, and you can bet that you will be quite unpopular if your network is used as a launch pad for attacks on the rest of the world. The solution is straightforward in theory: treat the wireless network as something outside the security perimeter, but with special access to the inside of the network. Although security diligence is time consuming, so is being sued.
4.
802.1x Authentication
Security for 802.11 networks can be broken down into three components: an authentication mechanism or framework, an authentication algorithm, and data frame encryption. 802.1X takes advantage of an existing authentication protocol known as the Extensible Authentication Protocol (EAP [RFC 2284]). 802.1X takes EAP, which is written around PPP, and ties it to the physical medium, be it Ethernet, Token Ring or wireless LAN. EAP messages are encapsulated in 802.1X messages and referred to as EAPOL, or EAP over LAN. 802.1X authentication for wireless LANs has three main components: the supplicant (usually the client software), the authenticator (usually the access point), and the authentication server (usually a Remote Authentication Dial-In User Service server, although RADIUS is not specifically required by 802.1X).
The client tries to connect to the access point. The access point detects the client and enables the client's port. It forces the port into an unauthorized state, so only 802.1X traffic is forwarded. Traffic such as Dynamic Host Configuration Protocol, HTTP, FTP, Simple Mail Transfer Protocol and Post Office Protocol 3 is blocked. The client then sends an EAP-start message. The access point replies with an EAP-request identity message to obtain the client's identity. The client's EAP-response packet containing the client's identity is forwarded to the authentication server. The authentication server is configured to authenticate clients with a specific authentication algorithm. The result is an accept or reject packet from the authentication server to the access point. Upon receiving the accept packet, the access point transitions the client's port to an authorized state, and traffic is forwarded. 802.1X for wireless LANs makes no mention of key distribution or management; this is left to vendor implementation. At logoff, the client sends an EAP-logoff message, which forces the access point to transition the client port back to an unauthorized state.
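The port state machine just described, as an added Python example (not code from the white paper or from any 802.1X implementation). It encodes EAPOL and EAP packets in their wire format, models the access point's controlled port, and uses a constructed stand-in for the authentication server that accepts or rejects on the identity alone; a real deployment would run an EAP method such as EAP-TLS at that step. The ethertype, EAPOL and EAP code constants are the real values; the AuthServer, AuthenticatorPort and supplicant_session names are this example's own.

```python
# 802.1X port-based access control on an authenticator (access point), modelled
# on the exchange in section 4. Constructed example, not from the white paper.
import struct
from enum import Enum
from typing import Optional, Tuple

ETHERTYPE_EAPOL = 0x888E    # 802.1X frames: the only traffic passed on an unauthorized port
ETHERTYPE_IPV4 = 0x0800     # DHCP, HTTP, SMTP, ... all ride on IP and are blocked until then

EAPOL_VERSION = 1
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def eapol(packet_type: int, body: bytes = b"") -> bytes:
    """EAPOL header: protocol version, packet type, body length (big-endian), then body."""
    return struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body


def eap(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """EAP packet: code, identifier, total length; Request/Response also carry type and type-data."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse_eapol(frame: bytes) -> Tuple[int, bytes]:
    _version, packet_type, length = struct.unpack("!BBH", frame[:4])
    return packet_type, frame[4:4 + length]


def parse_eap(packet: bytes) -> Tuple[int, int, Optional[int], bytes]:
    code, ident, length = struct.unpack("!BBH", packet[:4])
    body = packet[4:length]
    return code, ident, (body[0] if body else None), body[1:]


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"


class AuthServer:
    """Constructed stand-in for the RADIUS server: the EAP method that would run
    against the client is collapsed into an accept/reject decision on the identity."""
    def __init__(self, accepted_identities):
        self.accepted = set(accepted_identities)

    def decide(self, identity: str) -> bool:
        return identity in self.accepted


class AuthenticatorPort:
    """One controlled port on the access point; starts unauthorized."""
    def __init__(self, server: AuthServer):
        self.server = server
        self.state = PortState.UNAUTHORIZED
        self.current_id = 0     # identifier of the outstanding EAP-Request, 0 = none

    def handle(self, ethertype: int, payload: bytes) -> Tuple[str, Optional[bytes]]:
        """Process one frame from the supplicant. Returns (action, reply): action is
        "forwarded", "blocked" or "eapol"; reply is the EAPOL frame to send back, if any."""
        if ethertype != ETHERTYPE_EAPOL:
            # Anything that is not 802.1X passes only once the port is authorized
            return ("forwarded" if self.state is PortState.AUTHORIZED else "blocked"), None
        packet_type, body = parse_eapol(payload)
        if packet_type == EAPOL_START:
            self.current_id = (self.current_id % 255) + 1
            return "eapol", eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, self.current_id, EAP_TYPE_IDENTITY))
        if packet_type == EAPOL_LOGOFF:
            self.state = PortState.UNAUTHORIZED
            return "eapol", None
        if packet_type == EAPOL_EAP_PACKET:
            code, ident, eap_type, data = parse_eap(body)
            # Only a Response/Identity answering our outstanding Request goes to the server
            if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY and ident == self.current_id:
                identity = data.decode("utf-8", "replace")
                if self.server.decide(identity):
                    self.state = PortState.AUTHORIZED
                    return "eapol", eapol(EAPOL_EAP_PACKET, eap(EAP_SUCCESS, ident))
                self.state = PortState.UNAUTHORIZED
                return "eapol", eapol(EAPOL_EAP_PACKET, eap(EAP_FAILURE, ident))
        return "eapol", None     # unexpected or out-of-sequence EAPOL frame: ignored


def supplicant_session(port: AuthenticatorPort, identity: str) -> PortState:
    """Drive the exchange from the client side: EAPOL-Start, then answer the identity request."""
    _, request = port.handle(ETHERTYPE_EAPOL, eapol(EAPOL_START))
    _, req_body = parse_eapol(request)
    code, ident, eap_type, _ = parse_eap(req_body)
    if code != EAP_REQUEST or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("authenticator did not ask for an identity")
    response = eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity.encode()))
    port.handle(ETHERTYPE_EAPOL, response)
    return port.state
```

The identifier check in handle is the small but important part: a Response whose identifier does not match the outstanding Request is not consulted with the server, so a stray or replayed identity response cannot move the port.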
5.
Layered approach to security
Discovery of rogue access points and vulnerabilities
Access point security
Encryption & authentication (which may include a virtual private network)
Establishment and enforcement of wireless network policies
Proactive security with intrusion protection
6.
Simple Security Protections
The following techniques offer partial security that works for all applications and are generally adequate for home and small office applications:
6.1. Turn SSID broadcasting "off." This ensures that the access point doesn't include the SSID (service set identifier) in the beacon frames that are sent multiple times per second. Without the broadcasting of SSIDs, operating systems such as Windows XP will not discover the SSID and automatically configure the user's radio NIC. As a result, an intruder will have to find out the SSID through other, more difficult means. 802.11 association frames always include the SSID, even when SSID broadcasting is off. Thus, someone can use an 802.11 packet analyzer (e.g., AirMagnet or AiroPeek) and sniff the air while a legitimate user boots up and associates with an access point. This requires enough effort (and expense) to cause most snoopers to go elsewhere. In some cases, though, it may not be practical to turn off SSID broadcasting. For example, you should broadcast SSIDs in public wireless LANs to provide open connectivity.
6.2. Utilize static IP addresses. By default, most wireless LANs utilize DHCP (dynamic host configuration protocol) to assign IP addresses to user devices automatically. A problem is that DHCP doesn't differentiate a legitimate user from a hacker. With a proper SSID, anyone implementing DHCP will obtain an IP address automatically and become a genuine node on the network. By disabling DHCP and assigning static IP addresses to all wireless users, you can minimize the possibility of a hacker obtaining a valid IP address. This limits their ability to access network services. Of course, someone can use an 802.11 packet analyzer to sniff the exchange of frames over the network and learn what IP addresses are in use. This helps the intruder guess an IP address that falls within the range of those in use. Thus, the use of static IP addresses isn't foolproof, but at least it's a deterrent. Also keep in mind that the use of static IP addresses in larger networks is very cumbersome, which may prompt network managers to use DHCP to avoid support issues.
6.3. Turn WEP "on." There are certainly problems with WEP (wired equivalent privacy), but it's better than nothing. WEP encrypts the body of each 802.11 data frame, which makes it very difficult for someone with an 802.11 packet analyzer to decipher the actual data. There are methods and tools that hackers can use to untangle the encrypted data into something meaningful, but that generally requires someone with more technical ability than the common, casual snooper. As a result, the use of WEP acts like having a strong lock on the front door of your home. It keeps most people out, but someone with the right skills and motivation can pick the lock. This problem will eventually go away because 802.11 plans to solve the flaws of WEP through more advanced encryption methods (refer to a past tutorial for more details).
6.4. Utilize shared key authentication. Most wireless LANs on the market today allow the use of this optional 802.11 feature, which helps prevent rogue radio NICs from gaining access to the network. When the authentication process occurs, the access point sends the radio NIC a string of challenge text. The radio NIC must encrypt the challenge text with its WEP key and send the encrypted version to the access point. After decrypting the challenge text with the common WEP key, the access point can determine that the radio NIC has the correct key if the challenge text matches what was sent initially. This forms the basis for allowing the NIC to authenticate with the access point. (Again, this mechanism is only as good as WEP. A determined hacker can still eventually break through.)
6.5. Install/activate personal firewalls. This is something that many people overlook. In smaller networks, you generally keep all of your files on a personal computer or laptop. Without personal firewall protection, someone with legitimate or devious access to the wireless LAN can easily copy and open your files. Keep your files in access-protected directories to prevent others from stealing them. Of course, this applies to wired networks as well.
7.
Advanced Security Mechanisms
In addition to the above security techniques, consider the following tips that offer a greater degree of security to satisfy enterprise and vertical application requirements:
7.1. Utilize a virtual private network (VPN). This involves the use of third-party encryption (e.g., triple Data Encryption Standard or 3DES) that covers all data on the WLAN. Generally, the user installs VPN client software on their wireless device, which communicates securely with the VPN network. This can be a relatively expensive and somewhat inflexible solution, but it provides excellent security.
7.2. Implement mutual authentication mechanisms. Through the addition of a RADIUS server, 802.1X protocols, and possibly an access controller, you'll have a framework for deploying mutual authentication between users and access points. This reduces man-in-the-middle attacks, such as rogue access points. Many enterprise-grade access points support these features. 802.1X provides port-based access control and mutual authentication between clients and access points via an authentication server, such as RADIUS. You'll also need to choose an authentication type, such as EAP-TLS or EAP-TTLS. Be sure to implement encryption of user names and passwords or use digital certificates to strengthen the authentication process. 802.1X also provides a method for distributing encryption keys dynamically to wireless LAN devices, which solves the key reuse problem found in the current version of 802.11 WEP.
7.3. Place access points outside the enterprise firewall. To prevent intruders from accessing corporate network resources, ensure that the wireless LAN access points remain outside the firewall. You can configure the firewall to enable access from legitimate users based on MAC addresses, which makes it difficult (but not impossible) for a hacker to mimic. In fact, you can also incorporate MAC address filtering using most enterprise-grade wireless LAN access points.
7.4. Minimize radio wave propagation in non-user areas. Try orienting antennas to avoid covering areas outside the physically controlled boundaries of the facility. By steering clear of public areas, such as parking lots, lobbies, and adjacent offices, you'll significantly reduce the ability of an intruder to participate on the wireless LAN. This will also minimize the impact of someone disabling your wireless LAN with jamming techniques.
7.5. The Bottom Line. Don't count on wireless LANs being secure using factory default configurations and settings. Be sure to take into account security risks and implement techniques that guard against attacks. With today's technologies, you can make a wireless LAN just as secure as (or more secure than) Ethernet-based systems.
8.
802.11 Standard Security Mechanisms
The 802.11 standard provides several mechanisms intended to provide a secure operating environment. In this section, we describe each of these mechanisms as well as a Lucent proprietary method.
8.1. Wired Equivalent Privacy protocol. The Wired Equivalent Privacy (WEP) protocol was designed to provide confidentiality for network traffic using the wireless protocol. The details of the algorithm used for WEP are beyond the scope of this paper.
8.2. Open System Authentication. Open system authentication is the default authentication protocol for 802.11. As the name implies, open system authentication authenticates anyone who requests authentication. Essentially, it provides a NULL authentication process. Experimentation has shown that stations do perform a mutual authentication using this method when joining a network, and our experiments show that the authentication management frames are sent in the clear even when WEP is enabled.
8.3. Shared Key Authentication. Shared key authentication uses a standard challenge and response along with a shared secret key to provide authentication. The station wishing to authenticate, the initiator, sends an authentication request management frame indicating that it wishes to use "shared key" authentication. The recipient of the authentication request, the responder, responds by sending an authentication management frame containing 128 octets of challenge text to the initiator. The challenge text is generated by using the WEP pseudo-random number generator (PRNG) with the "shared secret" and a random initialization vector (IV). Once the initiator receives the management frame from the responder, it copies the contents of the challenge text into a new management frame body. This new management frame body is then encrypted with WEP using the "shared secret" along with a new IV selected by the initiator. The encrypted management frame is then sent to the responder. The responder decrypts the received frame and verifies that the 32-bit CRC integrity check value (ICV) is valid, and that the challenge text matches that sent in the first message. If they do, then authentication is successful. If the authentication is successful, then the initiator and the responder switch roles and repeat the process to ensure mutual authentication. The entire process is shown in figure 5, and the format of an authentication management frame is shown in figure 4. The format shown is used for all authentication messages. The value of the status code field is set to zero when successful, and to an error value if unsuccessful. The element identifier identifies that the challenge text is included. The length field identifies the length of the challenge text and is fixed at 128. The challenge text includes the random challenge string. Table 1 shows the possible values and when the challenge text is included based on the message sequence number.
8.4. Closed Network Access Control. Lucent has defined a proprietary access control mechanism called Closed Network. With this mechanism, a network manager can use either an open or a closed network. In an open network, anyone is permitted to join the network. In a closed network, only those clients with knowledge of the network name, or SSID, can join. In essence, the network name acts as a shared secret.
8.5. Access Control Lists. Another mechanism used by vendors (but not defined in the standard) to provide security is the use of access control lists based on the Ethernet MAC address of the client. Each access point can limit the clients of the network to those using a listed MAC address. If a client's MAC address is listed, then it is permitted access to the network. If the address is not listed, then access to the network is prevented.
8.6. Key Management. Key management is a misnomer with respect to 802.11, as it is left as an exercise for vendors. As a result, only a few of the major vendors have implemented any form of key management or key agreement in their high-end products. Unfortunately, none of the vendors provide sufficient information to determine the level of assurance provided by their product. Worse, in some cases, the details that are available indicate that the vendors' "solution" worsens the problem by using protocols with well-known vulnerabilities, e.g. unauthenticated Diffie-Hellman key agreement. The 802.11 standard does, however, provide two methods for using WEP keys. The first provides a window of four keys. A station or AP can decrypt packets enciphered with any one of the four keys. Transmission, however, is limited to one of the four manually entered keys, the default key.
The second method is called a key mappings table. In this method, each unique MAC address can have a separate key. The size of a key mappings table should be at least ten entries according to the 802.11 specification. The maximum size, however, is likely chip-set dependent. The use of a separate key for each user mitigates the cryptographic attacks found by others, but enforcing a reasonable key period remains a problem, as the keys can only be changed manually.
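To make the shared key exchange of sections 6.4 and 8.3 and the key selection rules of this section concrete, here is an added Python example (not code from the white paper): an inline RC4 and WEP framing, a WepStation holding a four-slot default key window and a key mappings table, and the four-message authentication run in both directions. The class and function names are this example's own; the status code 15 for challenge failure, element id 16 for challenge text and the key id position in the WEP header are the 802.11 values. The keys used are constructed sample values.

```python
# WEP shared key authentication (sections 6.4 and 8.3) over the key selection
# rules of section 8.6. Constructed example, not code from the white paper.
import os
import struct
import zlib
from typing import Dict, List, Optional, Tuple

AUTH_ALG_SHARED_KEY = 1
STATUS_SUCCESS = 0
STATUS_CHALLENGE_FAILURE = 15     # 802.11 status code: challenge failure
IE_CHALLENGE_TEXT = 16            # element id of the challenge text element
CHALLENGE_LEN = 128


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4, the WEP PRNG: key scheduling, then keystream xor-ed over data."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, key_id: int, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    """WEP body: IV(3) | key id in bits 6-7 | RC4(IV||key, plaintext || CRC-32 ICV)."""
    iv = os.urandom(3) if iv is None else iv
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + bytes([key_id << 6]) + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Inverse of wep_encrypt; raises ValueError when the ICV does not verify."""
    clear = rc4(frame[:3] + key, frame[4:])
    data, icv = clear[:-4], clear[-4:]
    if struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) != icv:
        raise ValueError("ICV check failed")
    return data


def auth_frame(seq: int, status: int, challenge: Optional[bytes] = None) -> bytes:
    """Authentication frame body: algorithm, sequence, status, optional challenge element."""
    body = struct.pack("<HHH", AUTH_ALG_SHARED_KEY, seq, status)
    if challenge is not None:
        body += bytes([IE_CHALLENGE_TEXT, len(challenge)]) + challenge
    return body


def parse_auth(body: bytes) -> Tuple[int, int, int, Optional[bytes]]:
    alg, seq, status = struct.unpack("<HHH", body[:6])
    challenge = body[8:8 + body[7]] if len(body) > 8 and body[6] == IE_CHALLENGE_TEXT else None
    return alg, seq, status, challenge


class WepStation:
    """Keys of one station or AP: four default slots (only default_key_id transmits) plus per-peer mappings."""
    def __init__(self, mac: str, default_keys: List[bytes], default_key_id: int = 0,
                 key_mappings: Optional[Dict[str, bytes]] = None):
        self.mac = mac
        self.default_keys = (list(default_keys) + [None] * 4)[:4]
        self.default_key_id = default_key_id
        self.key_mappings = dict(key_mappings or {})

    def tx_key(self, peer_mac: str) -> Tuple[int, bytes]:
        if peer_mac in self.key_mappings:          # a mapped key is sent with key id 0
            return 0, self.key_mappings[peer_mac]
        return self.default_key_id, self.default_keys[self.default_key_id]

    def rx_key(self, peer_mac: str, key_id: int) -> bytes:
        if peer_mac in self.key_mappings:
            return self.key_mappings[peer_mac]
        key = self.default_keys[key_id]            # any of the four slots may decrypt
        if key is None:
            raise ValueError(f"no key in slot {key_id}")
        return key


def shared_key_auth(initiator: WepStation, responder: WepStation) -> bool:
    """The four-message exchange of section 8.3, run from initiator to responder."""
    msg1 = auth_frame(1, STATUS_SUCCESS)                     # 1: ask for shared key authentication
    if parse_auth(msg1)[0] != AUTH_ALG_SHARED_KEY:
        return False
    _, secret = responder.tx_key(initiator.mac)              # 2: challenge from the WEP PRNG
    challenge = rc4(os.urandom(3) + secret, bytes(CHALLENGE_LEN))
    msg2 = auth_frame(2, STATUS_SUCCESS, challenge)
    received = parse_auth(msg2)[3]                           # 3: copy challenge, WEP-encrypt with a fresh IV
    key_id, key = initiator.tx_key(responder.mac)
    msg3 = wep_encrypt(key, key_id, auth_frame(3, STATUS_SUCCESS, received))
    try:                                                     # 4: select key, check ICV and challenge text
        body = wep_decrypt(responder.rx_key(initiator.mac, msg3[3] >> 6), msg3)
        _, seq, _, echoed = parse_auth(body)
        ok = seq == 3 and echoed == challenge
    except ValueError:
        ok = False
    msg4 = auth_frame(4, STATUS_SUCCESS if ok else STATUS_CHALLENGE_FAILURE)
    return parse_auth(msg4)[2] == STATUS_SUCCESS


def mutual_auth(a: WepStation, b: WepStation) -> bool:
    """Roles are swapped and the exchange repeated, as section 8.3 describes."""
    return shared_key_auth(a, b) and shared_key_auth(b, a)
```

What the code also makes visible: the responder can decrypt message 3 only if it holds the same static key, so the assurance is exactly that of the WEP key itself, and nothing in the exchange rotates the key or binds it to the session, which is the key management gap this section describes.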