Security in Wireless Local Area Network - PowerPoint PPT Presentation

Slides: 31
Provided by: Piy9
1
Security in Wireless Local Area Network
  • Qing Yu
  • University of Rochester

2
Outline
  • Introduction
  • Wireless and Security Review
  • Security Technology in Wireless LAN
  • Thoughts and Recommendations on Wireless Security
  • Recent Proposal

3
Introduction
  • What is security
  • Earliest epoch: life security
  • Current society: wealth security, health security,
    vehicle security, housing security, etc.
  • Protected by insurance policy offered by
    insurance company
  • Security in Wireless LAN
  • Encryption Algorithm - Insurance Policy
  • Network Protocol - Insurance Company

4
Introduction to wireless world
  • What wireless is
  • Networking based on radio waves rather than wired
    cables.
  • A tool with supreme convenience especially for
    the cases when mobility is required.
  • A beautiful solution when short-term or emergency
    connections are needed.
  • A technology which can solve problems that are
    unsolvable for wired networks.
  • What wireless is not
  • An absolute replacement for wired networks.
  • Secure, fast or reliable.

5
Introduction to wireless world
  • Why wireless is insecure
  • Data are broadcast on an open radio channel
    across the whole range that the base station or
    access point covers, so any receiver within the
    coverage area can access the network and share
    the data.
  • Wireless networks do come with an encryption
    protocol, i.e. WEP (wired equivalent
    protection/privacy), but it can still be easily
    cracked.

6
Wireless LAN (WLAN)
  • Wireless LAN simply tries to simulate the
    structure of wired LANs by transmitting data
    over electromagnetic waves, mainly either radio
    frequency (RF) or infrared frequency (IR),
    rather than over wired cables.

Figure: Structure of Wireless LAN
7
Wireless LAN (WLAN)
  • A wireless LAN system is composed of two main
    parts: client devices and access points (AP).
    The AP device unites the clients to form a
    wireless LAN. When one of the clients tries to
    communicate with the others, it sends data to
    the AP and the AP switches the data between the
    communicating parties.

Figure: BSS (Basic Service Set)
8
Security Challenge
  • LEAKY BUILDINGS
  • UNAPPROVED DEPLOYMENTS
  • EXPOSURE OF WIRELESS DEVICES
  • SIGNAL INTERFERENCE
  • EVOLVING IEEE STANDARDS

9
Security Attack
Set up a rogue access point which can simulate
not to be detected
10
Security Attack
Steal the MAC address of one of the client
computers in the wireless network, which would
occupy the priority of the client and kick him
off the line; sniff the wireless traffic and
crack the WEP code if necessary
11
Security Attacks
  • Traffic Analysis
  • Passive Eavesdropping
  • Active Eavesdropping
  • Unauthorized Access
  • Man-in-the-middle Attacks
  • Session Hijacking
  • Replay Attacks
  • Rogue AP
  • DoS Attacks

12
802.11 Standards
  • The IEEE 802.11 standard was standardized
    in 1997. It consists of three layers: the Physical
    layer, the MAC (Medium Access Control) layer, and
    the LLC (Logical Link Control) layer (as shown in
    the figure). The first version of the standard
    supported only 2 Mbps bandwidth, which motivated
    the developing teams to come up with other
    standards to support up to 54 Mbps.

13
802.11 Standards
Comparison of different protocols in 802.11 family
14
WLAN Based On 802.11b
  • The 802.11b amendment to the original standard
    was ratified in 1999. 802.11b has a maximum raw
    data rate of 11 Mb/s and uses the same CSMA/CA
    media access method defined in the original
    standard. Due to the CSMA/CA protocol overhead,
    in practice the maximum 802.11b throughput that
    an application can achieve is about 5.9 Mb/s
    using TCP and 7.1 Mb/s using UDP.
  • 802.11b products have appeared on the market very
    quickly, since 802.11b is a direct extension of
    the DSSS (Direct-sequence spread spectrum)
    modulation technique defined in the original
    standard. Technically, the 802.11b standard uses
    Complementary code keying (CCK) as its modulation
    technique, which is a variation of CDMA. Hence,
    chipsets and products were easily upgraded to
    support the 802.11b enhancements. The dramatic
    increase in throughput of 802.11b (compared to
    the original standard) along with substantial
    price reductions led to the rapid acceptance of
    802.11b as the definitive wireless LAN technology.

15
WLAN Based On 802.11b
  • Along with the birth of 802.11b, the possible
    attacks over the network keep increasing.
    Currently, however, most 802.11b risks fall into
    seven basic categories:
  • Insertion attacks
  • Interception and unauthorized monitoring of
    wireless traffic
  • Jamming
  • Client-to-Client attacks
  • Brute force attacks against access point
    passwords
  • Encryption attacks
  • Misconfigurations

16
WLAN Based On 802.11b
  • Insertion attacks: Insertion attacks are based on
    deploying unauthorized devices or creating new
    wireless networks without going through the
    security process and review.
  • Unauthorized Clients: An attacker tries to
    connect a wireless client, typically a laptop or
    PDA, to an access point without authorization.
  • Unauthorized or Renegade Access Points: An
    organization may not be aware that internal
    employees have deployed wireless capabilities on
    their network. This lack of awareness could lead
    to the previously described attack, with
    unauthorized clients gaining access to corporate
    resources through a rogue access point.
  • Interception and unauthorized monitoring of
    wireless traffic
  • Wireless Packet Analysis: A skilled attacker
    captures wireless traffic using techniques
    similar to those employed on wired networks.
  • Broadcast Monitoring: If an access point is
    connected to a hub rather than a switch, any
    network traffic across that hub can potentially
    be broadcast out over the wireless network.
  • Access Point Clone Traffic Interception: An
    attacker fools legitimate wireless clients into
    connecting to the attacker's own network by
    placing an unauthorized access point with a
    stronger signal in close proximity to wireless
    clients.

17
WLAN Based On 802.11b
  • Jamming
  • Denial of service attacks are also easily applied
    to wireless networks, where legitimate traffic
    cannot reach clients or the access point because
    illegitimate traffic overwhelms the frequencies.
  • Client-to-Client Attacks
  • File Sharing and Other TCP/IP Service Attacks:
    Wireless clients running TCP/IP services such as
    a Web server or file sharing are open to the same
    exploits and misconfigurations as any user on a
    wired network.
  • DoS (Denial of Service): A wireless device
    floods other wireless clients with bogus packets,
    creating a denial of service attack. In addition,
    duplicate IP or MAC addresses, both intentional
    and accidental, can cause disruption on the
    network.

18
WLAN Based On 802.11b
  • Brute Force Attacks Against Access Point
    Passwords
  • Most access points use a single key or password
    that is shared with all connecting wireless
    clients. Brute force dictionary attacks attempt
    to compromise this key by methodically testing
    every possible password. The intruder gains
    access to the access point once the password is
    guessed.
  • Attacks against Encryption
  • The 802.11b standard uses an encryption system
    called WEP (Wired Equivalent Privacy). WEP has
    known weaknesses and these issues are not slated
    to be addressed before 2002. Not many tools are
    readily available for exploiting this issue, but
    sophisticated attackers can certainly build their
    own.
  • Misconfiguration
  • Many access points ship in an unsecured
    configuration in order to emphasize ease of use
    and rapid deployment. Unless administrators
    understand wireless security risks and properly
    configure each unit prior to deployment, these
    access points will remain at a high risk for
    attack or misuse.
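
The unauthorized access point, access point clone and misconfiguration risks above can be checked for by comparing what a wireless survey sees against an inventory of approved APs. The following is an added example, not part of the original slides; the inventory, SSIDs, MAC addresses and scan results are constructed, and the `Beacon` record and `audit` function are hypothetical names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # MAC address advertised by the access point
    channel: int
    security: str   # "OPEN", "WEP", "WPA2", ...
    rssi: int       # received signal strength in dBm

# Hypothetical inventory of approved APs: bssid -> (ssid, channel, security)
INVENTORY = {
    "02:00:00:aa:00:01": ("corp-wlan", 1, "WPA2"),
    "02:00:00:aa:00:02": ("corp-wlan", 6, "WPA2"),
}
WEAK = {"OPEN", "WEP"}

def audit(beacons, inventory=INVENTORY):
    """Return sorted (bssid, finding) pairs for beacons that need review."""
    corp_ssids = {ssid for ssid, _, _ in inventory.values()}
    findings = set()
    for b in beacons:
        known = inventory.get(b.bssid.lower())
        if known is None:
            if b.ssid in corp_ssids:
                # An AP clone is typically placed to be the strongest signal.
                louder = all(b.rssi > a.rssi for a in beacons
                             if a.bssid.lower() in inventory and a.ssid == b.ssid)
                findings.add((b.bssid, "unapproved BSSID on corporate SSID"
                              + (", strongest signal" if louder else "")))
            continue  # unrelated neighbouring network
        ssid, channel, security = known
        if (b.ssid, b.channel) != (ssid, channel):
            findings.add((b.bssid, "approved BSSID with unexpected SSID/channel"))
        if b.security != security or b.security in WEAK:
            findings.add((b.bssid, "security setting differs from baseline or is weak"))
    return sorted(findings)

# Constructed survey results
SCAN = [
    Beacon("corp-wlan", "02:00:00:aa:00:01", 1, "WPA2", -60),
    Beacon("corp-wlan", "02:00:00:bb:00:09", 1, "OPEN", -40),
    Beacon("corp-wlan", "02:00:00:aa:00:02", 11, "WEP", -55),
    Beacon("cafe-guest", "02:00:00:cc:00:03", 6, "OPEN", -80),
]

if __name__ == "__main__":
    for bssid, finding in audit(SCAN):
        print(bssid, finding)
```

A radio survey only sees APs that are transmitting within range, so it complements rather than replaces checking the wired side for devices that were never approved.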

19
WEP
  • WEP has three goals to achieve for wireless
    LANs: confidentiality, availability and
    integrity. WEP is now considered insecure for
    many reasons; nonetheless, it served its purpose
    for a certain amount of time.

20
WEP
  • WEP uses CRC (Cyclical Redundancy
    Checking) to verify message integrity. On the
    other side (receiver AP) the decryption process
    is the same but reversed. The AP uses the IV
    value sent in plain text to decrypt the message
    by joining it with the shared WEP key.

21
WEP
  • WEP Weakness
  • One of the major reasons behind WEP weaknesses is
    its key length. WEP has a 40-bit key, which can
    be broken in less than five hours using parallel
    attacks with the help of normal computer
    machines. This issue urged vendors to update WEP
    from a 40-bit to a 104-bit key; the new release
    is called WEP2.
  • The main disadvantage of WEP, however, is the
    lack of key management. Some SOHO (Small Office/
    Home Office) users never change their WEP key.
  • WEP does not support mutual authentication. It
    only authenticates the client, making it open to
    rogue AP attacks.
  • While CRC is a good integrity provision standard,
    it lacks the cryptography feature. CRC is known
    to be linear. By using a form of induction, the
    WEP key can be resolved.
  • RC4 suffers from a deadly symptom. It tends to
    repeat IV values (even if they are auto
    generated), making it easier to expose the
    traffic.
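
The two structural weaknesses named on the WEP slides (a linear CRC as the integrity check, and repeated IV values) can be reproduced in a small self-contained model. This is an added example, not part of the original slides; it is a simplified WEP encapsulation (3-byte IV sent in plain text, RC4 keyed with IV plus shared key, CRC-32 ICV, no key-ID byte), and the key, IV and messages are constructed.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream."""
    s, j = list(range(256)), 0
    for i in range(256):                          # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                            # keystream output
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext."""
    return zlib.crc32(data).to_bytes(4, "little")

def wep_encrypt(iv: bytes, key: bytes, msg: bytes) -> bytes:
    body = msg + icv(msg)
    return iv + xor(body, rc4(iv + key, len(body)))   # IV is sent in plain text

def wep_decrypt(key: bytes, frame: bytes):
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    msg, tag = body[:-4], body[-4:]
    return msg if icv(msg) == tag else None           # None: ICV check failed

def repeated_iv_leak(f1: bytes, f2: bytes):
    """Same IV and key give the same keystream, so c1 XOR c2 == p1 XOR p2."""
    if f1[:3] != f2[:3]:
        return None
    n = min(len(f1), len(f2)) - 7                     # drop 3-byte IV, 4-byte ICV
    return xor(f1[3:3 + n], f2[3:3 + n])

def icv_detects_change(key: bytes, frame: bytes, delta: bytes) -> bool:
    """Alter the hidden plaintext by delta (same length as the message) and
    adjust the ICV using only CRC linearity; report whether the receiver notices."""
    patch = delta + xor(icv(delta), icv(bytes(len(delta))))
    altered = frame[:3] + xor(frame[3:], patch)
    return wep_decrypt(key, altered) is None

# Constructed sample values
KEY = bytes.fromhex("0102030405")                     # 40-bit shared key
IV = b"\x00\x00\x01"
P1, P2 = b"status: door open", b"meeting at 9 a.m."
F1, F2 = wep_encrypt(IV, KEY, P1), wep_encrypt(IV, KEY, P2)
```

`icv_detects_change` returns `False` for any `delta`, which is the gap the keyed Michael MIC and CCMP in 802.11i were introduced to close.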

22
Other 802.11x Protocols
  • IEEE 802.11 - The WLAN standard; originally a 1
    Mbit/s and 2 Mb/s, 2.4 GHz RF and IR standard
    (1997). All the others listed below are
    amendments to this standard, except for
    Recommended Practices 802.11F and 802.11T.
  • IEEE 802.11a - 54 Mbit/s, 5 GHz standard (1999,
    shipping products in 2001)
  • IEEE 802.11b - Enhancements to 802.11 to support
    5.5 and 11 Mb/s (1999)
  • IEEE 802.11c - Bridge operation procedures
    included in the IEEE 802.1D standard (2001)
  • IEEE 802.11d - International (country-to-country)
    roaming extensions (2001)
  • IEEE 802.11e - Enhancements: QoS, including
    packet bursting (2005)
  • IEEE 802.11F - Inter-Access Point Protocol (2003)
    Withdrawn February 2006
  • IEEE 802.11g - 54 Mb/s, 2.4 GHz standard
    (backwards compatible with b) (2003)
  • IEEE 802.11h - Spectrum Managed 802.11a (5 GHz)
    for European compatibility (2004)
  • IEEE 802.11i - Enhanced security (2004)
  • IEEE 802.11j - Extensions for Japan (2004)
  • IEEE 802.11k - Radio resource measurement
    enhancements (proposed - 2007?)

23
Other 802.11x Protocols
  • IEEE 802.11l - (reserved and will not be used)
  • IEEE 802.11m - Maintenance of the standard; odds
    and ends. (ongoing)
  • IEEE 802.11n - Higher throughput improvements
    using MIMO (multiple input, multiple output
    antennas) (pre-draft - 2009?)
  • IEEE 802.11o - (reserved and will not be used)
  • IEEE 802.11p - WAVE - Wireless Access for the
    Vehicular Environment (such as ambulances and
    passenger cars) (working - 2009?)
  • IEEE 802.11q - (reserved and will not be used,
    can be confused with 802.1Q VLAN trunking)
  • IEEE 802.11r - Fast roaming (working "Task Group
    r" - 2007?)
  • IEEE 802.11s - ESS (Extended Service Set) Mesh
    Networking (working - 2008?)
  • IEEE 802.11T - Wireless Performance Prediction
    (WPP) - test methods and metrics Recommendation
    (working - 2008?)
  • IEEE 802.11u - Interworking with non-802 networks
    (for example, cellular) (proposal evaluation - ?)
  • IEEE 802.11v - Wireless network management (early
    proposal stages - ?)
  • IEEE 802.11w - Protected Management Frames (early
    proposal stages - 2008?)
  • IEEE 802.11x - (reserved and will not be used,
    can be confused with 802.1x Network Access
    Control)
  • IEEE 802.11y - 3650-3700 Operation in the U.S.
    (early proposal stages - ?)

24
802.11a
  • When 802.11b was developed, IEEE created a second
    extension to the original 802.11 standard called
    802.11a. Because 802.11b gained in popularity
    much faster than did 802.11a, some folks believe
    that 802.11a was created after 802.11b. In fact,
    802.11a was created at the same time. Due to its
    higher cost, 802.11a is usually found on business
    networks whereas 802.11b better serves the home
    market.
  • Pros of 802.11a - fastest maximum speed; supports
    more simultaneous users; regulated frequencies
    prevent signal interference from other devices
  • Cons of 802.11a - highest cost; shorter range
    signal that is more easily obstructed

25
802.11g
  • In 2002 and 2003, WLAN products supporting a
    newer standard called 802.11g began to appear on
    the scene. 802.11g attempts to combine the best
    of both 802.11a and 802.11b. 802.11g supports
    bandwidth up to 54 Mbps, and it uses the 2.4 GHz
    frequency for greater range. 802.11g is backwards
    compatible with 802.11b, meaning that 802.11g
    access points will work with 802.11b wireless
    network adapters and vice versa.
  • Pros of 802.11g - fastest maximum speed; supports
    more simultaneous users; signal range is best and
    is not easily obstructed
  • Cons of 802.11g - costs more than 802.11b;
    appliances may interfere on the unregulated
    signal frequency

26
Security in 802.11i
  • The 802.11i (released June 2004) security
    standard is supposed to be the final solution to
    the wireless security issue. It improves
    authentication, integrity and data transfer.
  • 802.11i supports two methods of authentication.
    The first method is the one described before,
    using 802.1x and EAP to authenticate users.
    The other proposed method uses a per-session
    key per device.
  • To solve the integrity problem with WEP, a new
    algorithm named Michael is used to calculate an
    8-byte integrity check called MIC (Message
    Integrity Code). Michael differs from the old CRC
    method by protecting both data and the header.
    Michael implements a frame counter which helps to
    protect against replay attacks.

27
Security in 802.11i
  • To improve data transfer, 802.11i
    specifies three protocols: TKIP, CCMP and WRAP.
  • TKIP (Temporal Key Integrity Management) was
    introduced as a "band-aid" solution to WEP
    problems. One of the major advantages of
    implementing TKIP is that you do not need to
    update the hardware of the devices to run it.
    TKIP ensures that every data packet is sent with
    its own unique encryption key. TKIP is included
    in 802.11i mainly for backward compatibility.
  • CCMP (Counter with Cipher Block Chaining Message
    Authentication Code Protocol) is considered the
    optimal solution for secure data transfer under
    802.11i. CCMP uses AES for encryption. The use of
    AES will require a hardware upgrade to support
    the new encryption algorithm.
  • WRAP (Wireless Robust Authenticated Protocol) is
    the LAN implementation of the AES encryption
    standard introduced earlier. It was ported to
    wireless to get the benefits of AES encryption.
    WRAP has intellectual property issues, where
    three parties have filed for its patent. This
    problem caused IEEE to replace it with CCMP.

28
Security Recommendation
  • Even with all the new technologies and security
    standards proposed over the last years to solve
    wireless security problems, we still cannot say
    that our wireless networks are secure. The human
    factor is the major drawback. In spite of the
    fact that people want security, they tend to
    prefer a less secure system in favor of ease of
    use. Moreover, adding security features to
    wireless components makes them more expensive
    than other less secure systems, and regular
    people prefer cheap equipment over good
    equipment.
  • Establish wireless LAN security policies and
    practices
  • Design for security
  • Logically separate internal networks
  • Enable VPN access only
  • Remove unnecessary protocols
  • Restrict AP connections
  • Protect wireless devices.

29
Recent Proposal-PANA
  • PANA is a new method to authenticate WLAN
    users over IP-based networks. The goal of this
    proposal is to identify a link-layer protocol to
    allow host and network to authenticate each other
    for network access. The protocol runs between the
    PaC (PANA Client) and the PAA (PANA Authentication
    Agent). The purpose of this protocol is to
    provide the carrier for the existing security
    protocols.
