Wireless LAN Management
w.lilakiatsakun

Topics
- Wireless LAN fundamental
  - Link characteristic
  - Band and spectrum
  - IEEE 802.11 architecture / channel allocation
- Wireless LAN Solution
  - Adhoc / infrastructure
  - Load balancing / Extended Service Set (Roaming)
  - Wireless repeater / bridge
- Wireless LAN security

Wireless Link Characteristics
Differences from wired link:
- decreased signal strength: radio signal attenuates as it propagates through matter (path loss)
- interference from other sources: standardized wireless network frequencies (e.g., 2.4 GHz) shared by other devices (e.g., phone); devices (motors) interfere as well
- multipath propagation: radio signal reflects off objects and the ground, arriving at the destination at slightly different times
Transmission over a wireless link induces loss and errors more often

Wireless network characteristics
Hidden terminal problem:
- B, A hear each other
- B, C hear each other
- A, C can not hear each other, which means A, C are unaware of their interference at B
Signal fading:
- B, A hear each other
- B, C hear each other
- A, C can not hear each other interfering at B
[Figure: stations A, B and C; A's and C's signal strength plotted against space]

Unlicensed Spectrum
- ISM stands for Industrial Scientific and Medical
- Implementation of the ISM bands differs between countries

Band      FCC-Freq. (US)     ETSI-Freq. (EU)    Main Use
ISM-900   902-908 MHz        890-906 MHz        Food Process
ISM-2.4   2.4-2.4835 GHz     2.4-2.5 GHz        Microwave Oven
ISM-5.8   5.725-5.850 GHz    5.725-5.875 GHz    Medical Scanner

ISM Band
- Only the ISM-2.4 band is available in every country
  - Microwave oven
  - Medical equipment
  - Communication e.g. wireless LAN, Bluetooth
  - But, it is too crowded
- Communication uses "Spread Spectrum" to avoid interference

IEEE 802.11 Wireless LAN
- 802.11b
  - 2.4 GHz unlicensed radio spectrum
  - Using CCK (Complementary Code Keying) to improve data rate
  - Backward compatible with DSSS system
  - Not compatible with FHSS system
  - Max. at 11 Mbps - Theoretical max capacity (raw data rate)
  - Max data rate is only 6 Mbps (only short range and no interference)

IEEE 802.11 Wireless LAN
- 802.11a
  - 5 GHz range, OFDM
  - up to 54 Mbps (31 Mbps – Real throughput)
- 802.11g
  - 2.4 GHz range - CCK-OFDM backward compatible with IEEE 802.11b
  - up to 54 Mbps (31 Mbps – Real throughput)
- All use CSMA/CA for multiple access
Wireless LAN standards

802.11 LAN architecture
- wireless host communicates with base station
  - base station = access point (AP)
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  - wireless hosts
  - access point (AP): base station
  - ad hoc mode: hosts only
[Figure: Internet; hub, switch or router; AP of BSS 1; AP of BSS 2]

IEEE 802.11: multiple access
- avoid collisions: 2+ nodes transmitting at same time
- 802.11: CSMA - sense before transmitting
  - don't collide with ongoing transmission by other node
- 802.11: no collision detection!
  - difficult to receive (sense collisions) when transmitting due to weak received signals (fading)
  - can't sense all collisions in any case: hidden terminal, fading
  - goal: avoid collisions: CSMA/C(ollision)A(voidance)

IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1 if sense channel idle for DIFS then
    transmit entire frame (no CD)
2 if sense channel busy then
    start random backoff time
    timer counts down while channel idle
    transmit when timer expires
    if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK, return ACK after SIFS
[Figure: sender and receiver timeline: DIFS, data, SIFS, ACK]
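
A slotted simulation of the sender rules above, added here as an example and not part of the original slides. It assumes every station hears every other (no hidden terminal), models "increase random backoff interval" as doubling the contention window, and uses illustrative window bounds.

```python
import random

CW_MIN, CW_MAX = 15, 1023  # contention window bounds in slots (illustrative, assumed)

def simulate(n_stations, frames_each, seed=1):
    """Slotted CSMA/CA model; returns delivery and collision counters."""
    rng = random.Random(seed)
    cw = [CW_MIN] * n_stations            # current contention window per station
    left = [frames_each] * n_stations     # frames still queued per station
    backoff = [rng.randint(0, CW_MIN) for _ in range(n_stations)]
    stats = {"delivered": 0, "collisions": 0, "idle_slots": 0, "max_cw": CW_MIN}
    while any(left):
        ready = [i for i in range(n_stations) if left[i] and backoff[i] == 0]
        if not ready:
            # Channel idle: every waiting station's timer counts down one slot.
            for i in range(n_stations):
                if left[i]:
                    backoff[i] -= 1
            stats["idle_slots"] += 1
            continue
        # Channel busy: timers of the other stations stay frozen this round.
        if len(ready) == 1:
            i = ready[0]                  # lone sender: frame arrives, ACK returned
            left[i] -= 1
            cw[i] = CW_MIN
            stats["delivered"] += 1
        else:
            stats["collisions"] += 1      # no collision detection: senders only miss the ACK
            for i in ready:
                cw[i] = min(2 * cw[i] + 1, CW_MAX)
                stats["max_cw"] = max(stats["max_cw"], cw[i])
        for i in ready:
            backoff[i] = rng.randint(0, cw[i])  # draw a fresh random backoff
    return stats

if __name__ == "__main__":
    for n in (2, 10, 20):
        print(n, simulate(n, 50))
```

With more stations than backoff values in the initial window, at least two stations start with the same timer and must collide, which is why the collision count climbs with station density.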

Avoiding collisions (more)
idea: allow sender to "reserve" channel rather than random access of data frames: avoid collisions of long data frames
- sender first transmits small request-to-send (RTS) packets to BS using CSMA
  - RTSs may still collide with each other (but they're short)
- BS broadcasts clear-to-send CTS in response to RTS
- CTS heard by all nodes
  - sender transmits data frame
  - other stations defer transmissions
Avoid data frame collisions completely using small reservation packets!

Collision Avoidance: RTS-CTS exchange
[Figure: timeline for A, AP and B: reservation collision, DATA (A), defer]

Channel partitioning in wireless LAN
- With DSSS modulation technique, bandwidth used for one channel is 22 Mbps
- In the 2.4 GHz band, only 83 MHz of bandwidth is available
- So, we need 5 channel space for non-overlapping channels
  - Avoiding interference between each other
  - Consider frequency reuse and capacity increment

Channel Allocation

Relationship between Data rate and signal strength

802.11: Channels, association
- 802.11b: 2.4GHz-2.485GHz spectrum divided into 11 channels at different frequencies
  - AP admin chooses frequency for AP
  - interference possible: channel can be same as that chosen by neighboring AP!
- host: must associate with an AP
  - scans channels, listening for beacon frames containing AP's name (SSID) and MAC address
  - selects AP to associate with
  - may perform authentication

Interference in wireless LAN
- Microwave oven – 2450 MHz (1000 watts)
  - Around channel 7-10
- Bluetooth device (0.01 W)
- Cordless Phone
- Toys, etc.
- Use Network Stumbler to show signal / noise ratio on wireless LAN channels

Network Stumbler

Wireless Solution
- Adhoc
- Infrastructure
- Load balancing
- Connect wireless LAN without access point
- Extended Service Set
- Extend range with wireless repeater
- Wireless bridge

Ad hoc
- Configuration – set as Adhoc / Peer to peer
- Set BSSID and channel to use

Infrastructure

Load balancing
- 5 channel space
- Maximum of 3 access points assigned to an overlapped area
- Channel 1 / 6 / 11

Connect wireless LAN without access point
- Use a host to act as gateway

Extended Service Set
Support mobility

Extend range with Wireless repeater

Wireless bridge (Point to point link)

Wireless LAN security management (1/2)
- Common attack and vulnerability
  - The weakness in WEP & key management & user behavior
  - Sniffing, interception and eavesdropping
  - Spoofing and unauthorized access
  - Network hijacking and modification
  - Denial of Service and flooding attacks

Wireless LAN security management (2/2)
- Security countermeasure
  - Revisiting policy
  - Analyzing the threat
  - Implementing WEP
  - Filtering MAC
  - Using closed systems and networks
  - Securing users

The weakness in WEP & key management & user behavior
- Several papers were published to show vulnerabilities in WEP, along with tools to recover the encryption key
  - AirSnort (http://airsnort.shmoo.com)
  - WEPCrack (http://sourceforge.net/projects/wepcrack/)
- IEEE 802.11 outlines that the secret key used by WEP needs to be controlled by external key management
  - Normally, key management is done by the user (defining 4 different secret keys)
  - RADIUS (Remote Dial-In User Service) is not used in small businesses or by home users

The weakness in WEP & key management & user behavior
- Users often operate the devices on default configuration
  - SSID broadcast – turned on
  - Default password as a secret key
    - 3com product – comcomcom
    - Lucent product – the last five digits of the network ID

Sniffing, interception and eavesdropping
- Sniffing is the electronic form of eavesdropping on the communications that computers have across a network
- A wireless network is a broadcast (shared) link
- Every communication across the wireless network is viewable to anyone who is listening to the network
- The listener does not even need to be associated with the network

Sniffing tools
- All software packages will put the network card in promiscuous mode; every packet that passes its interface is captured and displayed
- Ethereal
  - www.ethereal.com/
- OmniPeek
  - http://www.wildpackets.com/products/omnipeek
- Tcpdump
  - www.tcpdump.org/
- Ngrep
  - http://ngrep.sourceforge.net/

Spoofing and unauthorized access
- Spoofing: an attacker is able to trick your network equipment into thinking that the connection is from one of the allowed machines
- Several ways to accomplish this
  - Redefine MAC address to a valid MAC address
  - Simple Registry edit on Windows
  - On Unix, with a simple command from a root shell
  - SMAC (software package on Windows)

Network hijacking and modification
- A malicious user is able to send messages to routing devices and APs stating that their MAC address is associated with a known IP address
- From then on, all traffic that goes through that router (switch) destined for the hijacked IP address will be handed off to the hijacker's machine
- ARP spoofing or ARP poisoning

Network hijacking and modification
- If the attacker spoofs as the default gateway
  - All machines trying to get to the network will connect to the attacker
  - To get passwords and necessary information
- Use of rogue AP
  - To receive authentication requests and information
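
Detection logic for the ARP poisoning described on the two slides above, added here as an example and not part of the original slides. The observation format, addresses and function name are constructed for illustration; the first binding seen for an IP (or a pinned one) is treated as the baseline.

```python
from collections import defaultdict

# Constructed sample of ARP replies: "time sender_ip sender_mac" (not real capture data)
SAMPLE = """\
10.0 192.168.1.1 00:11:22:33:44:55
10.2 192.168.1.20 aa:bb:cc:00:00:20
11.0 192.168.1.30 aa:bb:cc:00:00:30
42.5 192.168.1.1 aa:bb:cc:00:00:30
42.6 192.168.1.20 aa:bb:cc:00:00:30
43.0 192.168.1.1 00:11:22:33:44:55
"""

def detect_arp_poisoning(lines, pinned=None, gateway_ip=None):
    """Flag IP-to-MAC bindings that conflict with the pinned or first-seen binding."""
    known = dict(pinned or {})     # ip -> trusted MAC (pin the gateway where possible)
    claims = defaultdict(set)      # mac -> every IP that MAC has claimed
    alerts = []
    for line in lines.strip().splitlines():
        ts, ip, mac = line.split()
        mac = mac.lower()
        claims[mac].add(ip)
        trusted = known.setdefault(ip, mac)  # first sighting becomes the baseline
        if mac != trusted:
            # A changed binding for the default gateway redirects all off-net traffic.
            severity = "critical" if ip == gateway_ip else "warning"
            alerts.append((float(ts), severity, ip, trusted, mac))
    # One MAC answering for several IPs is the second signature of a hijacking host.
    multi = {m: sorted(ips) for m, ips in claims.items() if len(ips) > 1}
    return alerts, multi

if __name__ == "__main__":
    found, multi = detect_arp_poisoning(SAMPLE, gateway_ip="192.168.1.1")
    for alert in found:
        print(alert)
    print(multi)
```

Pinning the gateway's binding from a trusted source avoids learning a poisoned entry as the baseline when monitoring starts after the attack.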

Denial of Service and flooding attacks
- One of the original DoS attacks is known as a ping flood
  - A large number of hosts or devices send an ICMP echo to a specified target
- One possible attack would be through a massive amount of invalid or valid authentication requests
  - Users attempting to authenticate themselves would have difficulties in acquiring a valid session
- If a hacker can spoof as the default gateway, it can prevent any machine on the wireless network from accessing the wired network

Revisiting policy
- Adjust corporate security policy to accommodate wireless networks and the users who depend on them
- Because of the wireless environment
  - no visible connection – good authentication required
  - Ease of capture of RF traffic – good policy should not broadcast SSID and should implement WEP
  - Do not use the default name or password when operating AP devices

Analyzing the threat (1/2)
- Identify assets and the method of accessing these from an authorized perspective
- Identify the likelihood that someone other than an authorized user can access the assets
- Identify potential damages
  - Defacement
  - Modification
  - Theft
  - Destruction of data

Analyzing the threat (2/2)
- Identify the cost to replace, fix, or track the loss
- Identify security countermeasures
- Identify the cost in implementation of the countermeasures
  - Hardware/software/personnel
  - Procedures / limitations on access across the corporate structure
- Compare costs of securing the resources versus the cost of damage

Implementing WEP
- To protect data from sniffing during a session
- 128-bit encryption should be considered as a minimum
  - Most APs support both 40-bit and 128-bit encryption
- WEP advantages
  - All messages are encrypted so privacy is maintained
  - Easy to implement
  - WEP keys are user definable and unlimited

Implementing WEP
- WEP disadvantages
  - The RC4 encryption algorithm is a known stream cipher that can be broken
  - Once the key is changed, everyone needs to be informed
  - WEP does not provide adequate WLAN security
    - It only eliminates the curious hacker who lacks the means or desire to really hack your network
  - WEP has to be implemented on every client as well as every AP to be effective

Filtering MAC
- To minimize the number of attacks
  - It can be performed at the switch attached to the AP or on the AP itself
- MAC filtering advantages
  - More practical on small networks
  - Predefined users are accepted / filtered MACs do not get access
- MAC filtering disadvantages
  - Administrative overhead: large number of users
  - MAC address can be reprogrammed

Using closed systems and networks
- Turn off broadcasting SSID, use proper password (WEP)
- Select "close wireless system"
- Advantages
  - AP does not accept unrecognized network requests
  - Prevents NetStumbler snooping software
  - Easy to implement
- Disadvantages
  - Administration required for new users and changes

Securing users
- Educate the users about the threats and where they are at risk
- Provide policies that enable them to successfully secure themselves
  - How is a proper password set?
  - Change password at regular intervals
  - Minimum password length
- Create policies that secure users behind the scenes
  - Filtering traffic

Securing users
- Some of the rule sets that should be in place with respect to wireless 802.11
  - No rogue access point
  - Inventory all wireless cards and their corresponding MAC addresses
  - No antennas without administrative consent
  - Strong passwords on wireless network devices
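
One way to enforce the "no rogue access point" and inventory rules above, added here as an example and not part of the original slides. It compares observed beacon frames (SSID, BSSID, channel) with an AP inventory; all SSIDs, BSSIDs and the function name are constructed for illustration.

```python
# Constructed inventory and scan results; SSIDs and BSSIDs are hypothetical.
INVENTORY = {  # authorized BSSID -> (SSID, channel)
    "00:11:22:aa:00:01": ("CORP-WLAN", 1),
    "00:11:22:aa:00:02": ("CORP-WLAN", 6),
    "00:11:22:aa:00:03": ("CORP-WLAN", 11),
}
SCAN = [  # (SSID, BSSID, channel) taken from observed beacon frames
    ("CORP-WLAN", "00:11:22:AA:00:01", 1),
    ("CORP-WLAN", "de:ad:be:ef:00:01", 6),    # corporate SSID, unknown BSSID
    ("CORP-WLAN", "00:11:22:aa:00:03", 3),    # inventoried BSSID, wrong channel
    ("CoffeeShop", "66:77:88:99:00:01", 11),  # unrelated neighbouring network
]

def audit_beacons(scan, inventory):
    """Compare observed beacons with the AP inventory; return (findings, missing)."""
    corporate_ssids = {ssid for ssid, _ in inventory.values()}
    findings, seen = [], set()
    for ssid, bssid, channel in scan:
        bssid = bssid.lower()
        expected = inventory.get(bssid)
        if expected is None:
            kind = "rogue-ap" if ssid in corporate_ssids else "unmanaged-neighbour"
        elif expected != (ssid, channel):
            # A matching BSSID proves little: MAC addresses can be reprogrammed,
            # so a known BSSID with the wrong SSID or channel deserves a look.
            kind = "inventory-mismatch"
        else:
            seen.add(bssid)
            continue
        findings.append((kind, ssid, bssid, channel))
    missing = sorted(set(inventory) - seen)  # authorized APs not seen as expected
    return findings, missing

if __name__ == "__main__":
    findings, missing = audit_beacons(SCAN, INVENTORY)
    for finding in findings:
        print(finding)
    print("not seen as expected:", missing)
```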

Other methods
- VPN
- WEP + RADIUS
- WPA (Wi-Fi Protected Access) – IEEE 802.11i
- WPA + RADIUS
- 802.1x + RADIUS
  - EAP-MD5, LEAP (Cisco), EAP-TLS, EAP-TTLS
- MAC filtering + WEP + RADIUS
  - Mahanakorn solution

Web recommendation
http://www.thaicert.nectec.or.th/paper/wireless/IEEE80211_4.php