Security for Wireless Computing
Running head: SECURITY FOR WIRELESS COMPUTING
Anthony Gauvin
Abstract
Many corporations and small businesses are moving to 802.11
wireless technologies for their local area networks without a
complete understanding of the security risks involved. According
to published research, many of the original security solutions
to wireless local area network (WLAN) security are inherently
weak and do not provide adequate security. Newer, more robust,
wireless security technologies are being developed but have not
had widespread acceptance within corporate information
infrastructures. Corporations and organizations with wireless
networks are at risk. This paper seeks to educate Information
Technology managers and professionals about the security risks
of WLAN technologies and provide some viable approaches to
securing a wireless network.
Table of Contents
Introduction
How Wireless Computing Works
Security Issues with WLANS
Existing Wireless Security Solutions
New Solutions to Wireless Security
Conclusions
References
Introduction
One of the more exciting information technologies to come
about in the last several years was wireless computing. No
longer do computer users have to be tied to massive desktop
computers to accomplish their daily tasks. With a wireless
enabled laptop or personal digital assistant (PDA), employees
can roam freely throughout office buildings while continuing to
work and converse on organizational information networks. The
freedom to roam and work has increased productivity and morale,
earning praise for wireless networks from workers and management
alike. The information technology personnel are also enamored of
wireless computing. It has reduced the cost of providing
networks since the cost of wireless access points and the
supporting wireless access cards is much less than the cost of
running data wiring to each computer-enabled office. (Lewis,
2004) The physical work involved in deploying wireless networks
is also decreased. It is no wonder that wireless networks grew
at such rapid rates. All this growth quickly stalled, however,
when wireless security concerns became known.
How Wireless Computing Works
A discussion of the relative insecurity of wireless
computing cannot begin until a discussion of how wireless
computing was originally designed is presented. The insecurity
of wireless computing originates from the desire of the
designers of wireless computing to provide roaming, unencumbered
access to computer networks for wireless users.
This desire to
provide free, open and easy access to computer networks often
conflicts with many organizations’ desire to keep their data
safe from prying eyes. Security and wireless computing is simply
a case of you can’t have your cake and eat it too.
The dominant wireless networking standard is defined in the
Institute for Electrical and Electronics Engineers (IEEE) 802.11
specifications for wireless Ethernet networks. This is a
publicly available specification and the intent is to have all
wireless vendors adhere to the specification and ensure
interoperability of components from competitors. The three most
popular wireless local area network (WLAN) standards are
802.11a, 802.11b and 802.11g. 802.11b is the market leader with
802.11g quickly gaining ground. All three standards are similar
in operation and are differentiated by bandwidth and the
frequency band of the signals transmitted and received. The
insecurity of WLAN is not manifested in the bandwidth or
frequency of operation so we will refer to 802.11 WLANs in
general and not to any specific standard. (Siegel, Levine, &
Siegel, 2004)
WLANs operate in one of two modes, ad-hoc or
infrastructure. Ad-hoc mode defines a method for wireless computer
peers to exchange data without a predefined network
infrastructure and has not met with great success. The
infrastructure mode of operation is predominantly used for
construction of wireless networks and requires two components:
wireless access point(s) connected to a traditional wired
network and wireless network interface card(s) installed into
the computing devices. The access points act as electronic
bridges, converting and translating data from the wireless
network to wired networks and vice versa. Access points can be
deployed singly or in groups called a distribution system. The
wireless network interface cards installed in the computers
converse with the access point(s) and through the access
point(s) can access the wired networks and other wireless
computing devices. (Krouse & Ross, 2002)
Wireless enabled computing devices must gain knowledge of
the access points in order to establish communications with the
network. The process of learning about an available wireless
network is called association. The method of identification for
association is a Service Set Identifier or SSID. This SSID can
either be entered into the computer manually or discovered
dynamically. In the case of manually inserted information, the
computing device must then broadcast this SSID in search of the
correct access point to respond, establish communications and
create the association. Dynamic configuration requires the
access point to broadcast a beacon frame announcing its
presence with the correct SSID in the beacon frame for the
wireless computing devices to respond and create the
association. (Arbaugh, Shankar, & Wan, 2001)
An analogy would
be that either the device shouts the correct name (SSID) out or
the access points do. The association is created when the other
side responds “Yes, that’s me. Here I am.”
Once an association is created between the access point and
the wireless computing device, the computing device becomes a
peer on the wireless network and, through the access point's bridging
capabilities, a peer on the wired network. The association
process corresponds to the plugging in of a network cable
between a device and the network on a wired network.
Organizational network policy may require other authentication
and configuration protocols after association, but generally
whatever protocols are established for the computers physically
wired to the network apply to the wireless computers also.
Security Issues with WLANS
It should be very obvious from the previous
discussion that limiting access was not a design concern
for WLANs; in fact, ease of access was the primary concern. The
process of association on WLANs is easily subverted. A miscreant
computer user merely has to get his computer to lie about the
SSID to become a peer on a WLAN. If the wireless access point is
broadcasting beacon frames, then the miscreant computer user
merely has to respond in the affirmative and access is gained.
If the access point is silent, the miscreant computer waits for
any other device to create an association with the access point and
then mimics the electronic conversations of the other device to
gain access. This process of gaining access has become a popular
activity with hackers and has been termed “War-Driving”.
(Berghel, 2004)
War-driving relies on the nature of radio frequency (RF)
propagation of the wireless access point and wireless devices.
While different standards determine different frequencies and
power requirements for transmitting and receiving RF signals, a
good assumption is that WLAN RF propagation has a range of about
100 feet. The area in which the signals from a wireless device
can be utilized is a circle of about one acre centered on the
device. Clearly, WLAN RF propagation can extend beyond the
building and even beyond the property owned by the organization
that deployed the wireless devices. As a result, access to the
wireless network is available to a hacker with the right
equipment who is driving by on a publicly accessible roadway
or parked in the corporate parking lot. These hackers can do
more than just access and listen. They can “mount denial-of-service
attacks; insert viruses, worms and spam into the
networks; and do other mischief.” (Panko, 2004, p. 239)
The standard method for securing data from prying eyes is
encryption. The 802.11 WLAN standards include Wired Equivalent
Privacy (WEP) encryption protocol. WEP is a symmetric (one-key)
encryption protocol that uses a static shared key that must be
known both to the access point and the wireless enabled devices
before encryption can occur. This shared key is used to both
authenticate the access point and wireless devices to each other
and to encrypt the data sent between them. (Campbell, Calvert, &
Boswell, 2003) WEP was intended to provide the same level of
security that was available on wired networks. The reality,
however, is that WEP has severe mathematical flaws and an
attacker can break the encryption code easily with freely
available software from the Internet. (Liska, 2003)
The greatest security hole created by WLAN technology is
the ease and low cost of deployment. Several networking vendors
are selling “Do it yourself” WLAN kits that cost under $100 to
purchase and deploy. Many companies are finding “rogue” WLANs in
their corporate information infrastructures, set up by
employees that wanted all the advantages of WLANs but did
not want to bother the IT folks to set up a WLAN for them. These
rogue WLANs are often deployed with none of the security options
enabled since most of the do-it-yourself installers have no
knowledge of the inherent security risks of WLANs. An
organization that has implemented a progressive security policy
becomes just as vulnerable as one that hasn’t, as these rogue
WLANs become open door invitations for hackers. (Pescatore,
2004)
Existing Wireless Security Solutions
There are many existing solutions for providing security for
wireless networks, and in this section we will discuss the first
generation of these security solutions along with some reasons
why these solutions do not provide the desired level of
security. Security was not a concern for the original
development of WLANs, so most of these solutions were implemented
after the fact and as such are merely band-aids over gaping
wounds.
The first security solution deals with locating the access
points nearer to the physical center of the enterprise. Since
the RF propagation limits are fixed, if the access points can be
deployed such that none of the RF leaks beyond the physical
limits of a physically secured building, then the hacker will not
be able to access the wireless networks. While this seems to be
a very common sense approach, it relies on the hackers playing
by the rules and only using the standard, vendor supplied
equipment for wireless devices. Hackers, however, have developed
more sensitive antennas. Methods for constructing these
specialty antennas are well known and published on the internet.
(Berghel, 2004) The most often used war-driving antenna is
constructed from an empty can of Pringles potato chips and some
wiring. Instructions for constructing the antenna can be
found at http://verma.sfsu.edu/users/wireless/pringles.php.
The SSID and the association process provide another level
of security for wireless networks. As stated before in the
discussion of how WLANs work, the SSID is used to identify
wireless devices to each other and as such provides
authentication. Disabling the access point from broadcasting the
SSID requires every device desiring to connect to the access
point to know the correct SSID before accessing the WLAN. There
are two problems with this approach. The first is that
configuring SSIDs on the access point is a complicated task and
most IT professionals will leave the access point configured
with the default SSID that was configured at the factory. Table
1 (Liska, 2003, p. 186) shows the default SSIDs from the more
popular manufacturers of wireless access points. Hackers simply
try the default SSIDs to gain access. The second problem with
using SSID as an authentication method is that the intruder can
simply monitor the WLAN traffic till a new device joins the WLAN
and broadcasts the supposedly secret SSID for the intruder to
read. Even if encryption is enabled on the WLAN, the SSID is
always broadcast in the clear (unencrypted).
Table 1
Default SSIDs for More Popular Manufacturers
Manufacturer    Default SSID
Cisco           2 or tsunami
Compaq          Compaq
DLink           WLAN
INTEL           Intel, xlan, or 101
SMC             WLAN
Another method to limit access to a wireless network is
similar to a method used to control access to a wired network.
All devices that are able to connect to an Ethernet network
(WLANs are a subset of Ethernet networks) have a unique Media
Access Control (MAC) address that uniquely identifies each
communicating device. These MAC addresses are “burned-in” at the
factory into all devices that can connect to an Ethernet network.
MAC addresses are globally unique; no two devices can have
the same MAC. These MAC(s) can be used to limit access to the
corporate networks. While a MAC address identifies each
device, a higher order address, usually TCP/IP, is required to
participate on the network. The assignment of these
higher-order addresses is generally done by a Dynamic Host
Configuration Protocol (DHCP) server. By limiting the DHCP
server to assigning addresses to those devices that have known
MAC(s), you can prevent unknown devices from getting the higher
order addresses needed to participate on the network.
The network access points can also be configured to allow
associations only from known MAC(s). Most access point
manufacturers allow the storage of up to 255 known good MAC(s) in
an allowable device list stored on the access point. The
access point will then only allow associations from the list of
known good MAC(s). This, of course, means that the access point
must be reconfigured before a new user is allowed to join the
WLAN. Most IT professionals will not enable this option since it
creates more work for them. Every time a new wireless device is
purchased, all access points must be reconfigured to accept the
new MAC. (Liska, 2003)
Both of the methods of filtering out intruder devices by
their MAC addresses can be defeated by a wireless device that can
set any arbitrary MAC in the network data packets it sends out.
While the MAC(s) are burned into the NIC and cannot be changed,
the process that takes the burnt-in MAC and places it into the
network packet is software and software is easily modified. All
an intruder device has to do is discover a good MAC and use it
to gain access. This can be done by guessing or by listening in
on the existing WLAN network traffic. All Ethernet network
traffic carries the MACs of both the sender and the receiver in
clear text. The intruder device simply steals the MAC address of
an allowed device and uses that MAC to gain access. This process
of subverting addresses is called spoofing and is used by hackers
on both wired and wireless networks. (Liska, 2003)
WEP can be used to encrypt data in wireless transmission
but it cannot be used to encrypt MAC or higher order addresses.
WEP only encrypts data between the access points and a wireless
device that has associated with that particular access point.
Since access points were intended to be low-cost devices, the
encryption algorithm chosen for WEP is not a computationally
intensive double-key system but a single-key symmetric algorithm
called RC4. The strength of any encryption system using keys is
the total number of possible keys that can be used for encryption.
If the number of possible keys is small, a hacker will try all
possible keys till they are able to decrypt the encrypted text.
(Bishop, 2003) While RC4 does not define the key length, most
implementations provide key lengths of 40 to 128 bits,
allowing 2^40 to 2^128 possible keys. While this number of possible
keys should be sufficient, there are a number of flaws in the RC4
algorithm that mathematically reduce this number of possible
keys. (Flurher, Mantin, & Shamir, 2001) Borisov, Goldberg, and
Wagner (2001) have also documented implementation problems in
the WEP protocol that limit its effectiveness. While the
technical treatments of these two discovery papers are beyond
most hackers to implement, that job has been made easier for
hackers by AirSnort (http://airsnort.shmoo.com/) and
WEPCrack (http://sourceforge.net/projects/wepcrack), two free
WEP key cracking tools that implement the techniques described in
the two papers.
The last of the existing security mechanisms discussed here that
is currently available for WLANs is Remote Authentication Dial-In
User Service (RADIUS). RADIUS is a server that is used for
centralized account authentication. Requiring access points to
use RADIUS authentication means that any device wishing to
create an association with the access point must supply a
username and password that has been stored in the RADIUS server.
While this provides stronger security than the previously
discussed methodology, hackers have long known how to defeat
RADIUS and passwords are easily guessed. Since RADIUS is simply
an authentication scheme and not an encryption device, data is
still subject to electronic eavesdropping. (Liska, 2003)
Before the discussion of the more robust ways of securing a
WLAN, an appropriate step is to determine the current security
measures the corporate world is using to secure their WLANs.
Every year, an informal organization of hackers embarks on a
world-wide war driving effort to find as many access points as
they can, survey the security measures employed, record the data
for others to use and publish the results of that effort on the
Internet at http://www.worldwidewardrive.org/. A summary of 2004
world-wide war-drive results is given in Table 2. (Hurley, 2004)
The reality is sobering: not even the simplest of security
protocols are being used on most WLANs. The more serious problem
is, despite all the recent publications about WLAN insecurity,
the percentage of WLANs that are deployed with no security
measures at all has increased.
Table 2
Summary of June 2004 World Wide War Drive
Category                  Total    Percent   Percent Change from last year
Total APs Found           228537   100%      N/A
WEP Enabled               87647    38.30%    +6.04%
No WEP Enabled            140890   61.6%     -6.04%
Default SSID              71805    31.4%     +3.57%
Default SSID and No WEP   62859    27.5%     +2.74%
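The categories of Table 2 and the default SSIDs of Table 1 can be applied to an organization's own site survey, which also surfaces the rogue access points discussed earlier. The following Python sketch is an added example, not part of the original paper; the survey records, the authorized-AP inventory and the function names are constructed for illustration.

```python
"""Added example: classify a wireless site survey into the Table 2 categories.

Every record and the authorized-AP inventory below are constructed sample data.
"""
from collections import Counter

# Default SSIDs listed in Table 1 of the paper. Matching is case-insensitive,
# which is a choice made for this example.
DEFAULT_SSIDS = {"2", "tsunami", "compaq", "wlan", "intel", "xlan", "101"}

# Hypothetical inventory: BSSIDs of the access points IT actually deployed.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

# Constructed survey records: (BSSID, SSID, WEP enabled?)
SURVEY = [
    ("00:11:22:33:44:01", "corp-floor1", True),   # managed, configured
    ("00:11:22:33:44:02", "tsunami", True),       # managed, factory SSID
    ("00:11:22:33:44:99", "WLAN", False),         # unknown AP, out of the box
    ("00:11:22:33:44:98", "sales-team", False),   # unknown AP, renamed
]


def audit(survey, authorized=frozenset(AUTHORIZED_BSSIDS)):
    """Return (counts, findings) for a list of (bssid, ssid, wep) records."""
    counts = Counter(total=0, wep=0, no_wep=0, default_ssid=0,
                     default_ssid_no_wep=0, rogue=0)
    findings = []
    for bssid, ssid, wep in survey:
        default = ssid.strip().lower() in DEFAULT_SSIDS
        rogue = bssid.lower() not in authorized
        counts["total"] += 1
        counts["wep" if wep else "no_wep"] += 1
        counts["default_ssid"] += default
        counts["default_ssid_no_wep"] += default and not wep
        counts["rogue"] += rogue
        issues = []
        if rogue:
            issues.append("not in AP inventory")
        if default:
            issues.append("default SSID")
        if not wep:
            issues.append("no encryption")
        if issues:
            findings.append((bssid, ssid, issues))
    return counts, findings


def percent_of_total(counts):
    """Express each category as a percentage of all APs seen, as Table 2 does."""
    total = counts["total"]
    if not total:
        return {}
    return {name: round(100.0 * n / total, 1) for name, n in counts.items()}


if __name__ == "__main__":
    counts, findings = audit(SURVEY)
    for name, pct in percent_of_total(counts).items():
        print(f"{name:22s}{counts[name]:4d}{pct:7.1f}%")
    for bssid, ssid, issues in findings:
        print(f"{bssid}  {ssid!r}: {', '.join(issues)}")
```

An access point that passes this audit with WEP enabled is still subject to the WEP weaknesses described above; the check only identifies the unconfigured and unmanaged devices.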
New Solutions to Wireless Security
The IEEE has also been looking into wireless security and
has been developing a new set of security protocols for wireless
computing. This new suite of tools is part of the 802.11i
standard. While the new specification has yet to be ratified,
some of the current work done in developing the new standard has
resulted in improvements to WEP such as Temporal Key Integrity
Protocol (TKIP) and a new encryption scheme, Wi-Fi Protected
Access (WPA), that replaces RC4 with the more secure Advanced
Encryption Standard (AES) developed by the National Security
Agency (NSA). (Farrow, 2003) While these modifications greatly
enhance the security of WLANs, vendors have been slow to
implement these new technologies since the technologies make
their existing inventories of 802.11 wireless products obsolete.
Organizations will be required to scrap their existing WLAN
infrastructures in favor of the new products since there is
minimal backward compatibility in the new 802.11i specification.
(Liska, 2003)
One of the more exciting technologies for enhancing WLAN
security is Frequency Selective Surfaces. (Institution of
Electrical Engineers, 2004) Frequency Selective Surfaces (FSS)
are smart building panels that can block out chosen wavelengths
of RF while allowing others to pass. This provides a new
approach to providing security for wireless networks by
modifying building construction to prevent the wireless radio
frequency (RF) signals from propagating into unsecured physical
spaces. A concern is that while companies need to limit RF
propagation for wireless networks, they do not want to attenuate
cellular and other wireless phone signals, which also operate
in an adjacent band in the RF spectrum. FSS can attenuate
signals in one band and not disturb signals in a nearby band.
Building construction with FSS construction panels and FSS
window treatments can effectively constrain the wireless
network's RF signals to the desired physical spaces. It would
greatly enhance security for wireless networks since any access
must be from within predefined physical areas which can be made
secure. This would effectively stop the war driving method of
gaining access to wireless networks. FSS technology makes
wireless networks the security equivalent of wired networks.
(Newbold, 2004)
By now you are wondering why anyone would be foolish enough
to deploy a WLAN. The reasons for creating a WLAN are still
valid. WLANs provide freedom and ease of use, save money on
deployment and provide ubiquitous access. In fact, these are
some of the very same reasons companies connected to the
Internet. The answer to WLAN security is the same as the answer to
Internet security: treat the WLAN network as a HOSTILE network
just like the Internet! Industry has had solutions for
connecting secure private networks to and through the Internet
for years now and these same technologies can be used for WLANs.
These technologies include Firewalls, Intrusion Detection
Systems, Virtual Private Networks and robust public/private key
encryption systems. These same systems can be used to secure a
wireless network. With the right security tools, Internet and
wireless computing can be made safe.
Having been a network security professional for several
years, my approach to deploying WLANs was the same approach I
used when connecting remote users to secure networks. That
approach was to use a combination of Firewall and Virtual
Private Networks (VPN) technologies. Key to the use of these
technologies is the assumption that the WLAN is a hostile
network and that hackers can and will use this WLAN to try to
penetrate and compromise the secure corporate network. Access
points must be deployed on the outside of the firewall. If the
access point is compromised, the secure network is not. All
access through the firewall must be encrypted traffic and part
of a VPN tunnel of traffic that originated from a VPN enabled
wireless device on the WLAN and terminates in a VPN concentrator
that is sandwiched into a demilitarized zone (DMZ) bordered by
two firewalls. Figure 1 shows the desired configuration.
Figure 1
Securing a WLAN through VPN technology
[Diagram not reproduced. Labeled elements: Wireless laptop, Wireless PDA, WLAN, VPN Tunnels, WLAN Firewall, DMZ, VPN Concentrator, DMZ Firewall, Secure Network, Certificate Server, Key Server]
The WLAN firewall is configured to allow only properly
configured VPN tunnels to pass through it. Any device that tries
to connect through the WLAN to the secure network must have a
properly configured VPN client. The DMZ firewall is configured
to allow traffic that originates from or terminates at the VPN
concentrator. The only way that a hacker can penetrate through
the WLAN is to get control of a properly configured wireless
device or to clone a properly configured device. While this is
not impossible, it is highly improbable and most hackers will
seek out softer targets. This solution adds cost to a WLAN
deployment and, as such, means many organizations will not use
this technique. If you must have a secure WLAN, this is
certainly one way to proceed.
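The two firewall rule sets described above can be written down and checked as a default-deny model. This is an added example, not the author's configuration; the addresses, the choice of IPsec (IKE on UDP/500 plus ESP) as the VPN protocol, and the assumption that the concentrator forwards decapsulated traffic from its own address are all illustrative.

```python
"""Added example: default-deny model of the two firewalls in Figure 1.

Addresses are hypothetical, and IPsec (IKE on UDP/500 plus ESP) is an assumed
VPN protocol; the paper names neither.
"""
import ipaddress

WLAN_NET = ipaddress.ip_network("192.168.50.0/24")    # hostile wireless side
DMZ_NET = ipaddress.ip_network("10.0.1.0/24")
SECURE_NET = ipaddress.ip_network("10.0.2.0/24")
CONCENTRATOR = ipaddress.ip_network("10.0.1.10/32")   # VPN concentrator in DMZ

# Rule = (source network, destination network, protocol, destination port).
# Protocol "any" and port None are wildcards. Anything unmatched is dropped.
WLAN_FIREWALL = [
    (WLAN_NET, CONCENTRATOR, "udp", 500),    # IKE key exchange
    (WLAN_NET, CONCENTRATOR, "esp", None),   # encrypted tunnel payload
    (CONCENTRATOR, WLAN_NET, "udp", 500),
    (CONCENTRATOR, WLAN_NET, "esp", None),
]
# Assumption: decapsulated client traffic leaves the concentrator with the
# concentrator's own source address.
DMZ_FIREWALL = [
    (CONCENTRATOR, SECURE_NET, "any", None),  # originates from the concentrator
    (SECURE_NET, CONCENTRATOR, "any", None),  # terminates at the concentrator
]

ZONES = [("wlan", WLAN_NET), ("dmz", DMZ_NET), ("secure", SECURE_NET)]
# BOUNDARIES[i] is the firewall between ZONES[i] and ZONES[i + 1].
BOUNDARIES = [("WLAN firewall", WLAN_FIREWALL), ("DMZ firewall", DMZ_FIREWALL)]


def permits(rules, src, dst, proto, dport=None):
    """First-match evaluation with an implicit final deny."""
    for r_src, r_dst, r_proto, r_dport in rules:
        if (src in r_src and dst in r_dst
                and r_proto in ("any", proto)
                and r_dport in (None, dport)):
            return True
    return False


def zone_index(addr):
    for i, (_, net) in enumerate(ZONES):
        if addr in net:
            return i
    raise ValueError(f"{addr} is outside the modelled networks")


def verdict(src, dst, proto, dport=None):
    """Walk a packet across every firewall between its source and destination."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    a, b = zone_index(src), zone_index(dst)
    crossed = range(a, b) if a <= b else range(a - 1, b - 1, -1)
    for i in crossed:
        name, rules = BOUNDARIES[i]
        if not permits(rules, src, dst, proto, dport):
            return f"dropped at {name}"
    return "permitted"


if __name__ == "__main__":
    flows = [
        ("192.168.50.23", "10.0.1.10", "esp", None),   # VPN client tunnel
        ("192.168.50.23", "10.0.2.5", "tcp", 445),     # direct access attempt
        ("10.0.1.10", "10.0.2.5", "tcp", 445),         # traffic after the tunnel
    ]
    for flow in flows:
        print(flow, "->", verdict(*flow))
```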
Conclusions
As with every information technology project, security must
be a primary consideration. For security to be effective, it must
be deployed proportional to risk. WLANs present a security risk
to organizations but providing security for WLANs is not an
insurmountable challenge. There are security solutions available
for WLANs to mitigate the most conceivable risks. What
organizations must ask is whether the cost of securing a WLAN is worth the
benefits gained from deploying the WLAN. The answer will be
different for many organizations. Many will elect not to deploy
a WLAN. Others will deploy WLANs since the benefits overcome the
inherent risks and will deploy WLANs with little to no security
enabled.
References
Arbaugh, W. A., Shankar, N., & Wan, J. Y. (2001). Your 802.11
Wireless Network has No Clothes. Unpublished manuscript,
University of Maryland at College Park. Retrieved October
21, 2004, from http://www.cs.umd.edu/%7Ewaa/wireless.pdf
Berghel, H. (2004). Wireless Infidelity I: War Driving.
Communications of the ACM, 47(9), 21-28.
Bishop, M. (2003). Computer Security, Art and Science. Boston:
Addison Wesley.
Borisov, N., Goldberg, I., & Wagner, D. (2001). Intercepting
Mobile Communications, The Insecurity of 802.11. Seventh
Annual Conference on Mobile Computing and Networking.
Campbell, P., Calvert, B., & Boswell, S. (2003). Security+ Guide
to Network Security Fundamentals. Boston: Thomson Course
Technology.
Farrow, R. (2003). Wireless Security: Send in the Clowns?
Network Magazine, 18(9), 57-57. Retrieved October 24, 2004,
from Academic Search Premier Web Site:
http://search.epnet.com/login.aspx?direct=true&authtype=cookie,ip,url,uid&db=aph$an=10785802
Flurher, S., Mantin, I., & Shamir, A. (2001). Weakness in the
Key Scheduling Algorithm of RC4. Eighth Annual Workshop on
Selected Areas in Cryptography. Retrieved October 20, 2004,
from http://www.drizzle.com/%7Eaboba/IEEE/rc4_ksaproc.pdf
Hurley, C. (n.d.). WWWW4 Stats. Retrieved October 28, 2004, from
http://www.worldwidewardrive.org/
Institution of Electrical Engineers (2004). Islands Boost
Wireless Efficiency. IEE Review, 50(30), 15-20. Retrieved
October 27, 2004, from Academic Search Premier Web Site:
http://search.epnet.com/login.aspx?direct=true&authtype=cookie,ip,url,uid&db=aph$an=12840593
Krouse, F. K., & Ross, K. W. (2002). Computer Networking (2nd
ed.). Boston: Addison Wesley.
Lewis, M. (2004). A primer on wireless networks. Family Practice
Management, 11(2), 69-71. Retrieved October 28, 2004, from
Academic Search Premier Web Site:
http://seacrh.epnet.com/login.aspx?direct=true&authtype=cookie,ip,url,uid&db=aph&an=12444520
Liska, A. (2003). The Practice of Network Security, Deployment
Strategies for Production Networks. Upper Saddle River, NJ:
Prentice Hall.
Newbold, A. (2004). Designing Buildings for the Digital Age.
Computing and Control Engineering, 15(14), 36-40. Retrieved
September 25, 2004, from
http://search.epnet.com/login.aspx?direct=true&authtype=cookie,ip,url,uid&db=buh$an=13478871
Panko, R. (2004). Business Data Networks and Telecommunications
(5th ed.). Upper Saddle River, NJ: Prentice Hall.
Pescatore, J. (2004). DIY Wireless Nets open Security Holes. IEE
Review, 50(8), 13-14.
Siegel, J. G., Levine, M. H., & Siegel, R. M. (2004). Security
safeguards over wireless networks. CPA Journal, 74(6), 68-71.
Retrieved October 22, 2004, from Business Source Premier Web Site:
http://search.epnet.com/login.aspx?direct=true&authtype=cookie,ip,url,uid&db=buh$an=13478871