WLAN Security - PowerPoint PPT Presentation

Provided by: nimrud
Slides: 41

Transcript and Presenter's Notes

1
WLAN Security
2
Wi-Fi Security Threats
  • Wireless technology doesn't remove any old
    security issues, but introduces new ones
  • Eavesdropping
  • Man-in-the-middle attacks
  • Denial of Service

3
Eavesdropping
  • Easy to perform, almost impossible to detect
  • By default, everything is transmitted in clear
    text
  • Usernames, passwords, content ...
  • No security offered by the transmission medium
  • Different tools available on the internet
  • Network sniffers, protocol analysers . . .
  • Password collectors
  • With the right equipment, it's possible to
    eavesdrop on traffic from a few kilometers away

4
MITM Attack
  • Attacker spoofs a disassociate message from the
    victim
  • The victim starts to look for a new access point,
    and the attacker advertises his own AP on a
    different channel, using the real AP's MAC
    address
  • The attacker connects to the real AP using the
    victim's MAC address

5
Denial of Service
  • Attack on the transmission frequency used
  • Frequency jamming
  • Not very technical, but works
  • Attack on the MAC layer
  • Spoofed deauthentication / disassociation
    messages
  • Can target one specific user
  • Attacks on higher-layer protocols (TCP/IP)
  • SYN flooding

6
Wi-Fi Security
  • The requirements for Wi-Fi network security can
    be broken down into two primary components
  • Authentication
  • User Authentication
  • Server Authentication
  • Privacy

7
Authentication
  • Keeping unauthorized users off the network
  • User Authentication
  • Authentication Server is used
  • Username and password
  • Risk
  • Data (username, password) sent before a secure
    channel is established
  • Prone to passive eavesdropping by an attacker
  • Solution
  • Establish an encrypted channel before sending
    the username and password

8
Authentication (cont..)
  • Server Authentication
  • Digital Certificate is used
  • Validation of digital certificate occurs
    automatically within client software

9
Types of WLAN Security
  • Service Set Identifier (SSID)
  • All clients are required to include it in every
    packet
  • Included as plain text → easy to break
  • Wired Equivalent Privacy (WEP)
  • Requires that the user enter a key manually (into
    the NIC and the AP)
  • Communications encrypted using this key
  • Short key (40-128 bits) → easy to break by brute
    force
  • 802.1X Access Control
  • Extensible Authentication Protocol (EAP)
  • WEP keys created dynamically after correct login
  • Requires a login (with password) to a server
  • After logout, WEP keys discarded by the server
  • Wi-Fi Protected Access (WPA): new standard
  • A longer key, changed for every packet
  • IEEE 802.11i

10
First Generation WLANs
  • Minimal set of security features in 802.11b
    standard
  • Service Set Identifier (SSID)
  • Medium Access Control (MAC) address filters
  • Wired Equivalent Privacy (WEP) encryption
  • 64-bit RC4 data encryption (flawed); 128-bit
    WEP also available
  • Does prevent casual eavesdropping (if turned
    on)
  • Requires a sharing of the key between each mobile
    device and the access point
  • No procedure for key management

11
First Generation WLANs
  • Main Security Vulnerabilities
  • Security settings are not enabled by default
  • By default, access points broadcast SSID in clear
    text
  • MAC address of valid client can be sniffed and
    then spoofed
  • WEP is easily broken and only authenticates the
    client
  • Rogue access points are easy to deploy
  • Man-in-the-middle attacks
  • WLANs are easily crashed by DoS attacks

12
Service Set Identifier (SSID)
  • SSID is used to identify an 802.11 network
  • It can be pre-configured or advertised in beacon
    broadcasts
  • It is transmitted in clear text
  • Provides very little security

13
First Generation WLANs
  • Security Controls
  • Turn off SSID broadcast
  • Use automated MAC-based access control mechanisms
  • Enable WEP encryption
  • Lower power levels of access points / limit
    transmission rates (11 / 5.5 Mbps)

14
802.11 Authentication and Association
  • The 802.11 standard includes rudimentary
    authentication and confidentiality controls.
  • Authentication is handled in its most basic form
    by the 802.11 access point (AP).
  • It forces the clients to perform a handshake when
    attempting to associate to the AP. Association
    is the process needed before the AP will allow
    the client to talk across the AP to the network.
  • Association occurs only if the client has all the
    correct parameters needed such as the service set
    identifier (SSID) in the handshake.

15
WLAN Security
  • SSID: Service Set Identifier (AP ID)
  • Packets must carry the correct AP SSID to be
    processed.
  • Zero security
  • WEP: Wired Equivalent Privacy
  • Requires a key.
  • Must be manually typed into the client computer.
  • Difficult to implement for large organizations.
  • Key is easy to share.

16
Wired Equivalent Privacy (WEP)
  • Intended to provide the same level of security as
    a wired network
  • Original security solution offered by the IEEE
    802.11 standard
  • Uses RC4 encryption with pre-shared keys and 24
    bit initialization vectors (IV)
  • The key schedule (RC4 keystream) is generated by
    concatenating the shared secret key with a
    randomly generated 24-bit IV
  • 32 bit ICV (Integrity check value)
  • The number of bits in the keystream equals the
    length of the plaintext plus the ICV

17
Wired Equivalent Privacy (WEP) (cont.)
  • 64-bit pre-shared key: WEP
  • 128-bit pre-shared key: WEP2
  • Encrypts data only between 802.11 stations; once
    it enters the wired side of the network (between
    access points) WEP no longer applies
  • Security issues with WEP
  • Short IV
  • Static key
  • Offers very little security at all
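The following is an added example, not code from the presentation: a toy model of the WEP frame protection slides 16 and 17 describe (RC4 keystream derived from IV || shared key, 32-bit CRC ICV appended to the plaintext, keystream exactly as long as plaintext + ICV). It is illustrative Python, not a real 802.11 implementation; the key, IVs and plaintexts are constructed. It also adds a birthday-bound calculation showing how quickly a 24-bit IV repeats under a static key, which is the concrete consequence of the "short IV" and "static key" issues the slide lists.

```python
# Added example: toy WEP frame protection (RC4 + CRC-32 ICV) and 24-bit IV reuse bound.
# Not a real 802.11 implementation; keys, IVs and plaintexts below are constructed.
import os
import struct
import zlib
from typing import Optional

IV_BITS = 24                      # WEP IV length
IV_SPACE = 1 << IV_BITS           # 16,777,216 possible IVs


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                       # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian (a CRC, not a MAC)."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(shared_key: bytes, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    """Return IV (in clear) || RC4(IV || key, plaintext || ICV).

    The keystream is exactly as long as plaintext + ICV, as slide 16 states."""
    if iv is None:
        iv = os.urandom(IV_BITS // 8)            # fresh 24-bit IV per frame
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV must be 3 bytes")
    payload = plaintext + icv(plaintext)
    keystream = rc4_keystream(iv + shared_key, len(payload))
    return iv + bytes(p ^ k for p, k in zip(payload, keystream))


def wep_decrypt(shared_key: bytes, frame_body: bytes) -> bytes:
    """Regenerate the keystream from the transmitted IV, strip the ICV and verify it."""
    iv, ciphertext = frame_body[:3], frame_body[3:]
    keystream = rc4_keystream(iv + shared_key, len(ciphertext))
    payload = bytes(c ^ k for c, k in zip(ciphertext, keystream))
    plaintext, received_icv = payload[:-4], payload[-4:]
    if received_icv != icv(plaintext):
        raise ValueError("ICV mismatch: frame corrupted")
    return plaintext


def icv_detects_corruption(shared_key: bytes, frame_body: bytes, byte_index: int) -> bool:
    """True if a single flipped bit at `byte_index` (accidental corruption) is caught on decrypt."""
    damaged = bytearray(frame_body)
    damaged[byte_index] ^= 0x01
    try:
        wep_decrypt(shared_key, bytes(damaged))
    except ValueError:
        return True
    return False


def iv_repeat_probability(frames: int) -> float:
    """Birthday-bound probability that at least one 24-bit IV repeats among `frames`
    frames whose IVs are drawn uniformly at random. Under a static key a repeated IV
    means a repeated RC4 keystream, which is why slide 17 calls the IV too short."""
    p_no_repeat = 1.0
    for k in range(frames):
        p_no_repeat *= (IV_SPACE - k) / IV_SPACE
    return 1.0 - p_no_repeat


if __name__ == "__main__":
    key = b"\x0b\xad\xc0\xff\xee"               # constructed 40-bit key (64-bit WEP)
    body = wep_encrypt(key, b"constructed plaintext", iv=b"\x01\x02\x03")
    print(wep_decrypt(key, body))
    print(f"P(IV repeat after 5000 frames) = {iv_repeat_probability(5000):.3f}")
```

Two things to take from running it: the ICV catches random bit errors but is only a CRC, so it is not a cryptographic integrity check, and with a static key the chance of an IV (and therefore keystream) repeat already exceeds one half after roughly 5,000 frames, far fewer than the 2^24 IV space suggests.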

18
Second Generation WLANs
  • 802.1X Framework for Authentication
  • (EAP: Extensible Authentication Protocol)
  • Transport Layer Security (EAP-TLS): used in
    802.1X clients for Windows XP
  • Lightweight EAP (LEAP): Cisco product used in
    Aironet products (dynamic WEP)
  • Protected EAP (PEAP): Cisco/Microsoft/RSA; doesn't
    require certificates; supports dynamic WEP
  • Tunneled Transport Layer Security (EAP-TTLS):
    Funk Software/Certicom; only requires a server
    certificate
  • EAP: Extensible Authentication Protocol
  • Works to generate WEP keys dynamically.
  • User logs in to the server
  • After a valid login, the server generates a WEP
    key for the session.
  • Still easy to break by professional hackers

19
Second Generation WLANs
  • WPA: Wi-Fi Protected Access
  • Very similar to WEP with EAP
  • Better encryption with longer keys
  • New key with every packet transmitted to client.
  • Interim encryption standard (flawed)
  • 802.11i
  • Temporal Key Integrity Protocol (TKIP)
  • Uses RC4
  • Generates a new key every 10 Kb
  • Hashes the Initialization Vector
  • Message Integrity Check
  • Advanced Encryption Standard (AES)

20
802.1x Access Control
  • Designed as a general-purpose network access
    control mechanism
  • Not Wi-Fi specific
  • Authenticates each client connected to an AP (for
    WLAN) or switch port (for Ethernet)
  • Authentication is done with the RADIUS server,
    which tells the access point whether access to
    controlled ports should be allowed or not
  • AP forces the user into an unauthorized state
  • User sends an EAP start message
  • AP returns an EAP message requesting the user's
    identity
  • The identity sent by the user is then forwarded to
    the authentication server by the AP
  • The authentication server authenticates the user
    and returns an accept or reject message to the AP
  • If an accept message is returned, the AP changes
    the client's state to authorized and normal
    traffic flows
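The exchange on slide 20, as an added message-level model (not code from the presentation or any vendor): supplicant, authenticator (AP) and authentication server (RADIUS) are plain Python objects, nothing speaks real EAPOL or RADIUS on the wire, and the identities and passwords are constructed. One deliberate simplification: the password proof travels with the identity response here, whereas real EAP methods carry it in later method-specific round trips. The point it shows is the port model: the AP relays only the EAP conversation until the server answers Access-Accept, and data frames are dropped before that.

```python
# Added example: 802.1X port-based access control as a small state machine.
# Constructed identities/passwords; the AP never sees the password store, only the verdict.
import hashlib
import hmac
import os
from typing import Dict, List, Tuple


class AuthServer:
    """Stands in for the RADIUS server: holds salted password hashes and answers
    Access-Request with Access-Accept or Access-Reject."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def add_user(self, identity: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[identity] = (salt, self._digest(salt, password))

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def access_request(self, identity: str, password: str) -> str:
        record = self._users.get(identity)
        if record is None:
            return "Access-Reject"
        salt, expected = record
        ok = hmac.compare_digest(expected, self._digest(salt, password))
        return "Access-Accept" if ok else "Access-Reject"


class Authenticator:
    """The access point: keeps each client's controlled port unauthorized until the
    server says Access-Accept, relaying only EAP traffic before that."""

    def __init__(self, server: AuthServer) -> None:
        self.server = server
        self.port_state: Dict[str, str] = {}      # client MAC -> "unauthorized" / "authorized"
        self.log: List[str] = []                  # what an AP would write to its log

    def eapol_start(self, client_mac: str) -> str:
        self.port_state[client_mac] = "unauthorized"   # AP forces the client into the unauthorized state
        self.log.append(f"{client_mac}: EAPOL-Start -> EAP-Request/Identity")
        return "EAP-Request/Identity"

    def eap_response_identity(self, client_mac: str, identity: str, password: str) -> str:
        # The identity is forwarded to the authentication server; the AP only relays.
        self.log.append(f"{client_mac}: EAP-Response/Identity({identity}) -> Access-Request")
        verdict = self.server.access_request(identity, password)
        self.log.append(f"{client_mac}: server replied {verdict}")
        if verdict == "Access-Accept":
            self.port_state[client_mac] = "authorized"
            return "EAP-Success"
        return "EAP-Failure"

    def forward_data_frame(self, client_mac: str) -> bool:
        """Normal traffic passes the controlled port only once the client is authorized."""
        return self.port_state.get(client_mac) == "authorized"


def run_8021x(ap: Authenticator, client_mac: str, identity: str, password: str) -> bool:
    """Drive one client through the slide's sequence and report whether its port opened."""
    request = ap.eapol_start(client_mac)
    if request != "EAP-Request/Identity":
        raise RuntimeError("unexpected authenticator response")
    ap.eap_response_identity(client_mac, identity, password)
    return ap.forward_data_frame(client_mac)


if __name__ == "__main__":
    radius = AuthServer()
    radius.add_user("alice", "constructed-passphrase")
    ap = Authenticator(radius)
    print(run_8021x(ap, "00:11:22:33:44:55", "alice", "constructed-passphrase"))
    print(run_8021x(ap, "66:77:88:99:aa:bb", "alice", "wrong"))
    print("\n".join(ap.log))
```

The AP's log is the artefact a defender would monitor: repeated Access-Reject lines for one MAC are the detection signal, and the AP itself never holds credentials, which is the separation the slide's architecture is built around.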

21
802.1x Access Control
22
Wireless Protected Access (WPA)
  • WPA is a specification of standards-based,
    interoperable security enhancements that strongly
    increase the level of data protection and access
    control for existing and future wireless LAN
    systems.
  • User Authentication
  • 802.1x
  • EAP
  • TKIP (Temporal Key Integrity Protocol) encryption
  • RC4, dynamic encryption keys (session based)
  • 48 bit IV
  • Per-packet key mixing function
  • Fixes all issues found in WEP
  • Uses the Michael Message Integrity Code (MIC)
  • Ensures data integrity
  • Old hardware should be upgradeable to WPA

23
Wireless Protected Access (WPA)(cont.)
  • WPA comes in two flavors
  • WPA-PSK
  • Uses a pre-shared key
  • For SOHO environments
  • Single master key used for all users
  • WPA Enterprise
  • For large organisations
  • Most secure method
  • Unique keys for each user
  • Separate username and password for each user

24
WPA and Security Threats
  • Data is encrypted
  • Protection against eavesdropping and
    man-in-the-middle attacks
  • Denial of Service
  • Attacks based on fake messages cannot be used.
  • As a security precaution, if WPA equipment sees
    two packets with invalid MICs within a second, it
    disassociates all its clients, and stops all
    activity for a minute
  • Only two packets a minute are enough to completely
    stop a wireless network
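The MIC-failure countermeasure on slide 24 and the availability cost it implies, as an added example that is not part of the presentation. The detection window and the blackout length are parameters (IEEE 802.11i uses 60 seconds for both); the failure timestamps are constructed, not captured traffic. The `availability` function turns the slide's last bullet into a number: how much of an hour the AP actually serves clients if a MIC failure is logged every 30 seconds.

```python
# Added example: TKIP/Michael countermeasure state machine and its availability impact.
# Parameters default to the 802.11i values; event times are constructed.
from typing import List, Optional, Tuple


class MicCountermeasures:
    """Track MIC failures as the slide describes: a second failure inside the window
    disassociates every client and silences the AP for `blackout` seconds."""

    def __init__(self, window: float = 60.0, blackout: float = 60.0) -> None:
        self.window = window
        self.blackout = blackout
        self.last_failure: Optional[float] = None
        self.blocked_until: float = 0.0
        self.events: List[Tuple[float, str]] = []   # audit trail a monitoring system should alert on

    def is_blocked(self, now: float) -> bool:
        return now < self.blocked_until

    def on_mic_failure(self, now: float) -> str:
        if self.is_blocked(now):
            return "ignored-during-blackout"         # the AP is not serving anyone anyway
        if self.last_failure is not None and now - self.last_failure <= self.window:
            self.blocked_until = now + self.blackout
            self.last_failure = None                 # counter restarts after the blackout
            self.events.append((now, "countermeasure: all clients disassociated"))
            return "countermeasure"
        self.last_failure = now
        self.events.append((now, "mic failure logged"))
        return "logged"


def availability(failure_times: List[float], horizon: float,
                 window: float = 60.0, blackout: float = 60.0) -> float:
    """Fraction of [0, horizon) during which the AP serves clients, given MIC
    failures at the listed times."""
    cm = MicCountermeasures(window, blackout)
    downtime = 0.0
    for t in sorted(failure_times):
        if t >= horizon:
            break
        if cm.on_mic_failure(t) == "countermeasure":
            downtime += min(cm.blocked_until, horizon) - t
    return 1.0 - downtime / horizon


if __name__ == "__main__":
    every_30s = [30.0 * i for i in range(120)]      # constructed: one MIC failure per 30 s for an hour
    print(f"availability over one hour: {availability(every_30s, 3600.0):.2f}")
```

Because genuine transmission errors do not produce MIC failures (the frame fails the ICV/CRC first), every logged MIC failure deserves an alert; a run of countermeasure events in `events` is the signature a WLAN monitor should surface rather than something to silence.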

25
802.11i
  • Provides a standard for WLAN security
  • Authentication
  • 802.1x
  • Data encryption
  • AES protocol is used
  • Secure fast handoff: this allows roaming between
    APs without requiring the client to fully
    reauthenticate to every AP.
  • Will require new hardware

26
Advantages
  • Mobility
  • Ease of Installation
  • Flexibility
  • Cost
  • Reliability
  • Security
  • Use unlicensed part of the radio spectrum
  • Roaming
  • Speed

27
Limitations
  • Interference
  • Degradation in performance
  • High power consumption
  • Limited range

28
Second Generation WLANs
  • VPN (Virtual Private Network)
  • Wireless Gateway (simplifies roaming and provides
    opportunity to implement QoS)
  • AirDefense WLAN Monitoring
  • AirFortress provides for encryption at the MAC
    layer, hiding data and network information

29
Policies, Training, Awareness
  • Physical location of access points
  • Logical location of access points (in DMZ)
  • Ban rogue access points (monitor)
  • Disable ad-hoc (peer-to-peer) mode on all clients
  • Properly configure all devices
  • Standardize on one vendor
  • Perform frequent site surveys
  • Monitor logs
  • Keep patches up to date

30
The Security Attack: Recon and Access
  • War Chalking, War Driving, War Flying,
    Bluesnarfing

31
War Driving
  • War driving (drive-by hacking or LAN-jacking) is
    a play on war dialing
  • War dialing, in turn, comes from the 1983 movie
    War Games
  • now a classic in computer cracking circles
  • People can drive, walk or otherwise approach the
    area that the wireless equipment can transmit in
  • Using a laptop to pick up unsecured wireless
    networks for anonymous and free high-speed
    Internet access
  • Share your internet access or connect to your
    computer
  • stealing long-distance phone service
  • Geocaching
  • Equipment
  • Laptop
  • NIC card
  • The software
  • Antennas
  • GPS

32
War Chalking
  • Welcome to Warchalking! Warchalking is the
    practice of marking a series of symbols on
    sidewalks and walls to indicate nearby wireless
    access
  • That way, other computer users can pop open their
    laptops and connect to the Internet wirelessly
  • It was inspired by the practice of hobos during
    the Great Depression of using chalk marks to
    indicate which homes were friendly

33
War Flying
  • War flying uses airplanes to find the wireless
    access points
  • The obvious advantage is the extra height
    provides an unobstructed line
  • Some people think war driving is illegal
  • Actually accessing someone's network is illegal,
    but detecting the network is not
  • You can think of war driving as walking up to a
    house, and checking to see if the door is
    unlocked
  • If you find an unlocked door, you write down the
    address and move to the next house
  • It becomes illegal when you open the door and
    walk in, which is similar to accessing the
    Internet through an AP without the owner's
    permission

34
WLAN Security Hierarchy
  • Open Access: no encryption, basic authentication
  • Basic Security: 40-bit or 128-bit static WEP
    encryption
  • Enhanced Security: 802.1x, TKIP/WPA encryption,
    mutual authentication, scalable key mgmt., etc.
  • Remote Access: Virtual Private Network (VPN) for
    the business traveler and telecommuter
  • Deployment contexts shown on the diagram: home
    use, public hotspots, business
35
802.11 Security Tools
  • WEP
  • WPA
  • 802.11i
  • SSID
  • MAC Filtering
  • VPN
  • User ID and password

36
Firewall Security
  • The term firewall is a blanket term describing
    security measures that protect a network.
  • A router with a built-in firewall protects your
    entire local network, like an alarm system for
    your house.
  • Software firewalls implemented on individual
    computers protect the computers themselves.
  • Using SPI (stateful packet inspection), the
    firewall in the WRT54GS inspects the source and
    destination addresses of data packets passing
    between the internal network and the Internet.
  • If an incoming packet from the Internet does not
    belong to a currently open connection from the
    internal network, it is dropped and not allowed
    to pass.

37
WEP
  • WEP is a key.
  • WEP scrambles communications between AP and
    client.
  • AP and client must use same WEP keys.
  • WEP keys encrypt unicast and multicast.
  • WEP is easily attacked

38
Port Forwarding and Port Triggering
  • Port forwarding is a method that allows you to
    run a server behind the router
  • Port forwarding opens a specific port to a
    computer behind the router, allowing all incoming
    traffic on that port to be sent directly to that
    server
  • It should be used to set up servers behind the
    router; typically port triggering is a better
    choice for non-server applications
  • Such as instant messengers and game servers
  • Port triggering is a method which allows multiple
    computers on your LAN to access a server
  • Such as a game server or an instant messenger
  • Port triggering will only work if an outgoing
    "trigger" request is made
  • Once the trigger request is sent out, the router
    will open the "incoming" ports for that computer
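The three router behaviours on slides 36 and 38 (stateful packet inspection, static port forwarding, port triggering) as one added simulation. This is illustrative code, not the WRT54GS firmware or any Linksys software; addresses, ports, rules and the assumption that NAT preserves the LAN source port are all constructed for the example. The ordering of the checks in `inbound` is the security point: a reply to a connection the LAN opened is accepted, a static forward is open to anyone at any time, a triggered opening exists only for the host that sent the trigger and only until it expires, and everything else is dropped.

```python
# Added example: SPI state table, static port forwards and port triggering in one toy router.
# Simplified model (port-preserving NAT assumed); constructed addresses and rules.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]   # (ip, port)


@dataclass
class TriggerRule:
    trigger_ports: Set[int]        # outbound destination ports that arm the rule
    incoming_ports: Set[int]       # inbound ports then opened to the LAN host that sent the trigger
    ttl: float = 300.0             # seconds the opening stays armed


@dataclass
class HomeRouter:
    wan_ip: str
    forwards: Dict[int, Endpoint] = field(default_factory=dict)     # WAN port -> LAN endpoint
    triggers: List[TriggerRule] = field(default_factory=list)
    # SPI state table: (lan_ip, lan_port, remote_ip, remote_port) -> expiry time
    state: Dict[Tuple[str, int, str, int], float] = field(default_factory=dict)
    # active triggered openings: (lan_ip, incoming_port) -> expiry time
    armed: Dict[Tuple[str, int], float] = field(default_factory=dict)
    state_ttl: float = 600.0

    def outbound(self, lan: Endpoint, remote: Endpoint, now: float) -> None:
        """A LAN host opens a connection: record it, and arm any matching trigger rule."""
        self.state[(lan[0], lan[1], remote[0], remote[1])] = now + self.state_ttl
        for rule in self.triggers:
            if remote[1] in rule.trigger_ports:
                for port in rule.incoming_ports:
                    self.armed[(lan[0], port)] = now + rule.ttl

    def inbound(self, remote: Endpoint, wan_port: int, now: float) -> Tuple[str, Optional[Endpoint]]:
        """Decide what happens to a packet arriving from the Internet on `wan_port`."""
        # 1. Stateful inspection: replies to a connection the LAN opened are allowed.
        for (lan_ip, lan_port, r_ip, r_port), expiry in self.state.items():
            if (r_ip, r_port) == remote and lan_port == wan_port and now < expiry:
                return "allow-established", (lan_ip, lan_port)
        # 2. Static port forward: always open, regardless of who sends.
        if wan_port in self.forwards:
            return "forward", self.forwards[wan_port]
        # 3. Port triggering: open only while a LAN host has recently sent the trigger.
        for (lan_ip, port), expiry in self.armed.items():
            if port == wan_port and now < expiry:
                return "trigger", (lan_ip, port)
        # 4. Anything unsolicited is dropped.
        return "drop", None


if __name__ == "__main__":
    router = HomeRouter(wan_ip="198.51.100.1",                       # constructed
                        forwards={80: ("192.168.1.10", 80)},
                        triggers=[TriggerRule({27015}, {27016, 27017})])
    print(router.inbound(("203.0.113.9", 4444), 22, now=0.0))        # unsolicited -> drop
    router.outbound(("192.168.1.20", 50000), ("203.0.113.5", 27015), now=1.0)
    print(router.inbound(("203.0.113.7", 1234), 27016, now=2.0))     # triggered opening
```

The contrast the slides draw falls out of the expiry fields: a forward in `forwards` exposes the LAN host permanently, while a triggered opening in `armed` closes on its own, which is why the slide recommends triggering for non-server applications.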

39
Conclusions
  • Ubiquitous wireless networks
  • Home use
  • Coffee shops, local communities
  • IEEE 802.16 (WiMAX) - 75 Mb/sec, up to 30 miles
  • Need to teach students how to secure them
