
      Yasir Zahur      T. Andrew Yang

     University of Houston – Clear Lake

       17th CCSC Southeastern Conference
    Georgia Perimeter College - Dunwoody, GA

                 CCSCSE 2003                   1

 • Introduction
 • Standards & Specifications
 • Vulnerabilities
 • Alternate Security Solutions
 • Laboratory Setup

Where Does WLAN Fit ?

      (Nov. 6, 2003)

Traveler's Quick Finder (browse by location):
 • Free Hotspots: 510 hotspots
 • Hotels: 5,910 hotspots
 • Airports: 432 hotspots
 • Cafes: 5,344 hotspots

Growth of WLAN

Infrastructure Mode of WLAN

Typical WLAN Architecture

IEEE 802.11 Standards

IEEE 802.11
  Description: Standard for WLAN operations at data rates up to 2 Mbps in the 2.4-GHz ISM band
  Current Status: Approved in July 1997

IEEE 802.11a
  Description: Standard for WLAN operations at data rates up to 54 Mbps in the 5-GHz UNII band
  Current Status: Approved in Sept 1999. End-user products began shipping in early 2002

IEEE 802.11b
  Description: Standard for WLAN operations at data rates up to 11 Mbps in the 2.4-GHz ISM band
  Current Status: Approved in Sept 1999. End-user products began shipping in early 2000

IEEE 802.11g
  Description: High-rate extension to 802.11b allowing for data rates up to 54 Mbps in the 2.4-GHz ISM band
  Current Status: Draft standard adopted Nov 2001. Full ratification expected late 2002 or early 2003

IEEE 802.11e
  Description: Enhance the 802.11 MAC to improve and manage Quality of Service, provide classes of service, and enhanced security and authentication mechanisms. These enhancements should provide the quality required for services such as IP telephony and video
  Current Status: Still in development, i.e., in the task group (TG) stage

IEEE 802.11f
  Description: Develop recommended practices for an Inter-Access Point Protocol (IAPP) which provides the necessary capabilities to achieve multi-vendor AP interoperability across a DS supporting IEEE P802.11 Wireless LAN Links
  Current Status: Still in development, i.e., in the task group (TG) stage

IEEE 802.11i
  Description: Enhance the 802.11 Medium Access Control (MAC) to enhance security and authentication mechanisms
  Current Status: Still in development, i.e., in the task group (TG) stage

Interferences (802.11b)

 • Cordless phone
 • Some other wireless network


IEEE 802.11b Specifications
(a brief overview)

 • Transmission of approximately 11 Mbps of data
 • Half-duplex protocol
 • Use of CSMA/CA (collision avoidance) instead of CSMA/CD (collision detection)
 • Total of 14 frequency channels. The FCC allows channels 1 through 11 within the U.S. in the 2.4 GHz ISM band
 • Only channels 1, 6 and 11 can be used without causing interference between access points
 • Wired Equivalent Privacy (WEP) based on symmetric RC4 encryption
 • Use of Service Set Identifier (SSID) as network identifier

    General WLAN Vulnerabilities
•   Eavesdropping
•   Invasion and Resource Stealing
•   Traffic Redirection
•   Denial Of Service Attack
•   Rogue Access Point
•   No per packet authentication
•   No central authentication, authorization, and accounting (AAA) support

            802.11b Vulnerabilities

•       MAC address based authentication
•       One-Way authentication
•       SSID
•       Static WEP Keys
•       WEP key vulnerabilities
    o     Manual Key Management
    o     Key Size
    o     Initialization Vector
    o     Decryption Dictionaries
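As an added example (not from the slides), a toy WEP-style encryption in Python shows how the static shared key and the 24-bit Initialization Vector from the list above combine into keystream reuse, and gives a defender's monitor that flags reused IVs in captured frames. The key, IVs and payloads are constructed for illustration.

```python
# Added example, not from the slides: toy WEP-style RC4 encryption showing why the
# 24-bit IV and static shared key listed above leak, plus a defender's IV-reuse
# monitor. Keys, IVs and frame payloads are constructed for illustration.
IV_LEN = 3  # WEP IV is 24 bits, so at most 2**24 distinct keystreams per static key

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (the cipher WEP uses): key scheduling, then keystream generation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP seeds RC4 with IV || shared key and XORs the keystream over the payload.
    The IV travels in the clear, so the frame is IV || ciphertext (ICV omitted)."""
    assert len(iv) == IV_LEN
    ks = rc4_keystream(iv + shared_key, len(payload))
    return iv + bytes(p ^ k for p, k in zip(payload, ks))

def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """The receiver regenerates the same keystream from the cleartext IV and the key."""
    return wep_encrypt(shared_key, frame[:IV_LEN], frame[IV_LEN:])[IV_LEN:]

def xor_of_payloads(frame_a: bytes, frame_b: bytes) -> "bytes | None":
    """Two frames under one IV share a keystream, so C_a XOR C_b == P_a XOR P_b:
    an observer learns the XOR of plaintexts without the key. None if IVs differ."""
    if frame_a[:IV_LEN] != frame_b[:IV_LEN]:
        return None
    return bytes(a ^ b for a, b in zip(frame_a[IV_LEN:], frame_b[IV_LEN:]))

class IVReuseMonitor:
    """Defender-side check over captured frames: flag any IV seen twice under a key."""
    def __init__(self) -> None:
        self.seen = set()

    def observe(self, frame: bytes) -> bool:
        """True when this frame's IV was already used, i.e. keystream reuse occurred."""
        iv = frame[:IV_LEN]
        reused = iv in self.seen
        self.seen.add(iv)
        return reused
```

With only 2**24 IVs and a key that is never rotated (the "Manual Key Management" item above), a busy access point exhausts the IV space, so the monitor's condition is reached in normal operation rather than only under attack.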

WEP Encryption

IEEE 802.1x
 • IEEE 802.1x is a port-based authentication protocol.
 • It forms the basis for the IEEE 802.11i standard.
 • There are three types of entities in a typical 802.1x network: a supplicant, an authenticator, and an authentication server.
 • In the unauthorized state, the port allows only DHCP and EAP (Extensible Authentication Protocol) traffic to pass through.

EAPOL Exchange

IEEE 802.1x – Pros / Cons

 Pros:
 • Dynamic Session Key Management
 • Open Standards Based
 • Centralized User Administration
 • User Based Identification
 Cons:
 • Absence Of Mutual Authentication
 • Lack of clear communication between the 802.11 and 802.11i state machines, and lack of message authenticity

      Absence Of Mutual Authentication

 • The supplicant always trusts the authenticator, but not vice versa
 • This opens the door for a “MAN IN THE MIDDLE ATTACK”

          Session Hijack Attack

802.11 State Machine                 802.11i State Machine

Session Hijack Attack (…cont)

            Alternate Solutions

 • Virtual Private Networks (VPN)
     o User Authentication
     o Encryption
 • Cisco LEAP
     o Mutual Authentication
     o Per-Session Keys
 • Secure Sockets Layer (SSL)
     o Encryption
     o Digital Certificates

WEP Attack

Man In The Middle &
Session Hijack Attacks

               Cisco LEAP Setup

LEAP Enabled Client -> LEAP Enabled Access Point -> AAA Server

             VPN Setup

VPN Client -> Pass Through Access Point -> VPN Server

             SSL Setup

SSL Client -> Pass Through Access Point -> SSL Server

         A Specialized Computer Security
        NSF CCLI A&I grant: 2003-2005
        Two Focuses:
    a)     DCSL: Distributed Computer Security Lab
          Between UHCL and UHD
          Possibly extended to other small or medium-sized colleges
          Customizable testbed for various security-related

    b)     Module-based Computer Security Courseware Design
          Looking for collaborators, courseware developers, users, …

      Computer Security Courseware

b)    Module-based Computer Security Courseware Design
     Units: Modules, submodules, artifacts, …


