Wireless Network Security

802.11 WLANs

 

Sameer Baxi

Sunil Masand

Veronica Portas
Wireless networks serve as the transport mechanism between devices and among devices and the traditional wired networks (enterprise networks and the Internet). Wireless networks are many and diverse but are frequently categorized into three groups based on their coverage range: Wireless Wide Area Networks (WWAN), WLANs, and Wireless Personal Area Networks (WPAN).

 

WWAN includes wide coverage area technologies such as 2G cellular, Cellular Digital Packet Data (CDPD), Global System for Mobile Communications (GSM), and Mobitex.

 

WLAN includes 802.11, HiperLAN, and several others.

 

WPAN represents wireless personal area network technologies such as Bluetooth and IR.

 

All of these technologies are “tetherless”—they receive and transmit information using electromagnetic (EM) waves. Wireless technologies use wavelengths ranging from the radio frequency (RF) band up to and above the IR band. The frequencies in the RF band cover a significant portion of the EM radiation spectrum, extending from 9 kilohertz (kHz), the lowest allocated wireless communications frequency, to thousands of gigahertz (GHz). [1]

WLANs are based on the IEEE 802.11 standard, which the IEEE first developed in 1997. The IEEE designed 802.11 to support medium-range, higher data rate applications, such as Ethernet networks, and to address mobile and portable stations. [3]

Wireless technology, fuelled by the emergence of cross-vendor industry standards such as IEEE 802.11(x), has produced a number of affordable wireless solutions that are growing in popularity with businesses and schools as well as sophisticated applications where network wiring is impossible, such as in warehousing or point-of-sale handheld equipment. [2] Wireless communications offer organizations and users many benefits such as portability and flexibility, increased productivity, and lower installation costs.

 

WLANs allow greater flexibility and portability than do traditional wired local area networks (LAN). Unlike a traditional LAN, which requires a wire to connect a user’s computer to the network, a WLAN connects computers and other components to the network using an access point device. An access point communicates with devices equipped with wireless network adaptors; it connects to a wired Ethernet LAN via an RJ-45 port. Access point devices typically have coverage areas of up to 300 feet (approximately 100 meters). This coverage area is called a cell or range. Users move freely within the cell with their laptop or other network device. Access point cells can be linked together to allow users to even “roam” within a building or between buildings.

Owing to their unique characteristics of enhanced portability, flexibility and cost-effectiveness, WLANs have become the de facto standard for corporate and home wireless network connectivity.

802.11 is the original WLAN standard, designed for 1 Mbps to 2 Mbps wireless transmissions. It was followed in 1999 by 802.11a, which established a high-speed WLAN standard for the 5 GHz band and supported 54 Mbps. Also completed in 1999 was the 802.11b standard, which operates in the 2.4 - 2.48 GHz band and supports 11 Mbps. The 802.11b standard is currently the dominant standard for WLANs, providing sufficient speeds for most of today’s applications. In 2002 and 2003, WLAN products supporting a new standard called 802.11g began to appear on the scene. IEEE 802.11g attempts to combine the best of both 802.11a and 802.11b. 802.11g supports bandwidth up to 54 Mbps, and it uses the 2.4 GHz frequency for greater range. 802.11g is backwards compatible with 802.11b, meaning that 802.11g access points will work with 802.11b wireless network adapters and vice versa. [3]

 

 

Much of this document addresses the potential threats, risks and security issues regarding WLANs and possible solutions to prevent security intrusions and other malicious attacks on unsecured wireless networks. It would be beyond the scope of this paper to comment on other wireless networks (WPANs and WWANs), which differ in terms of technology, topology, interfaces, design and operation.

 

Wireless Security Threats

In general, attacks on wireless networks fall into four basic categories: passive attacks, active attacks, man-in-the-middle attacks, and jamming attacks.

 

A passive attack occurs when someone listens to or eavesdrops on network traffic.  Armed with a wireless network adaptor that supports promiscuous mode, the eavesdropper can capture network traffic for analysis using easily available tools, such as Network Monitor in Microsoft products, or TCPdump in Linux-based products, or AirSnort.  A passive attack on a wireless network may not be malicious in nature. Passive attacks on wireless networks are extremely common, almost to the point of being ubiquitous. [4]

Once an attacker has gained sufficient information from the passive attack, the hacker can then launch an active attack against the network. There are a potentially large number of active attacks that a hacker can launch against a wireless network.  For the most part, these attacks are identical to the kinds of active attacks that are encountered on wired networks.  These include, but are not limited to, unauthorized access, spoofing, and Denial of Service (DoS) and Flooding attacks, as well as the introduction of Malware and the theft of devices.  With the rise in popularity of wireless networks, new variations of traditional attacks specific to wireless networks have emerged along with specific terms to describe them, such as “drive-by spamming” in which a spammer sends out tens or hundreds of thousands of spam messages using a compromised wireless network. [4]

Because of the nature of wireless networks and the weaknesses of WEP (Wired Equivalent Privacy), unauthorized access and spoofing are the most common threats to wireless networks. Spoofing occurs when an attacker is able to use an unauthorized station to impersonate an authorized station on a wireless network.

Placing a rogue access point within range of wireless stations is a wireless-specific variation of a man-in-the-middle attack. If the attacker knows the SSID in use by the network and the rogue Access Point (AP) has enough strength, wireless users will have no way of knowing that they are connecting to an unauthorized AP.  Using a rogue AP, an attacker can gain valuable information about the wireless network, such as authentication requests, the secret key that may be in use, and so on. Often, the attacker will set up a laptop with two wireless adaptors, in which the rogue AP uses one card and the other is used to forward requests through a wireless bridge to the legitimate AP.

 

 

AP: Short for Access Point, a hardware device or a computer's software that acts as a communication hub for users of a wireless device to connect to a wired LAN. APs are important for providing heightened wireless security and for extending the physical range of service a wireless user has access to. [5]

With a sufficiently strong antenna, the rogue AP does not have to be located in close proximity to the legitimate AP. So, for example, the attacker can run the rogue AP from a car or van parked some distance away from the building.  However, it is also common to set up hidden rogue APs (under desks, in closets, etc.) close to and within the same physical area as the legitimate AP.
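From the defender's side, the rogue AP scenario described above can be checked for by comparing a survey of visible access points against an inventory of authorized ones. The following sketch is an added example and not part of the original paper; the inventory layout, the verdict names, and the sample survey records are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str       # advertised network name
    bssid: str      # MAC address of the AP radio
    channel: int
    rssi_dbm: int   # received signal strength; closer to 0 is stronger

# Hypothetical inventory of authorized APs: BSSID -> (SSID, channel).
AUTHORIZED = {
    "00:11:22:33:44:01": ("CorpNet", 1),
    "00:11:22:33:44:02": ("CorpNet", 6),
}

def norm_mac(mac: str) -> str:
    return mac.strip().lower().replace("-", ":")  # 00-11-.. equals 00:11:..

def classify(b: Beacon, inventory=AUTHORIZED) -> str:
    entry = inventory.get(norm_mac(b.bssid))
    if entry is None:
        own_ssids = {ssid for ssid, _ in inventory.values()}
        # Our network name on a radio we do not own: the rogue-AP case.
        return "ROGUE_SAME_SSID" if b.ssid in own_ssids else "UNKNOWN_AP"
    if (b.ssid, b.channel) != entry:
        # Known BSSID with unexpected settings: MAC addresses can be faked.
        return "BSSID_MISMATCH"
    return "OK"

def survey(beacons, inventory=AUTHORIZED):
    """Return (verdict, bssid, outpowers_legit) for every non-OK beacon."""
    legit = [b.rssi_dbm for b in beacons if classify(b, inventory) == "OK"]
    best_legit = max(legit, default=None)
    findings = []
    for b in beacons:
        verdict = classify(b, inventory)
        if verdict == "OK":
            continue
        # A same-SSID rogue stronger than every real AP is the one clients join.
        outpowers = verdict == "ROGUE_SAME_SSID" and (
            best_legit is None or b.rssi_dbm > best_legit)
        findings.append((verdict, norm_mac(b.bssid), outpowers))
    return findings

# Constructed survey records (not real captures).
SAMPLE_SCAN = [
    Beacon("CorpNet", "00:11:22:33:44:01", 1, -55),
    Beacon("CorpNet", "00-11-22-33-44-02", 6, -70),
    Beacon("CorpNet", "02:AA:BB:CC:DD:EE", 11, -40),    # same SSID, unknown radio
    Beacon("CoffeeShop", "02:12:34:56:78:9A", 3, -80),  # unrelated neighbour
    Beacon("CorpNet", "00:11:22:33:44:01", 9, -60),     # known BSSID, wrong channel
]

if __name__ == "__main__":
    print(survey(SAMPLE_SCAN))
```

A finding with the last field set to true deserves attention first, since it marks an unknown radio that advertises the organization's SSID at a higher signal strength than any authorized AP in the survey.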

Jamming is a special kind of DoS attack specific to wireless networks.  Jamming occurs when spurious RF frequencies interfere with the operation of the wireless network.  In some cases, the jamming is not malicious and is caused by the presence of other devices, such as cordless phones, that operate in the same frequency as the wireless network.  In a case like this, the administrator must devise and implement policies regarding the use of these devices, such as banning the use of Bluetooth devices, or choose wireless hardware that uses different frequencies.  Intentional and malicious jamming occurs when an attacker analyzes the spectrum being used by wireless networks and then transmits a powerful signal to interfere with communication on the discovered frequencies.  Fortunately, this kind of attack is not very common because of the expense of acquiring hardware capable of launching jamming attacks.  Plus, jamming a network represents a kind of pyrrhic victory for the attacker—a lot of time and effort expended merely to disable communications for a while. [4]

Malicious hackers are individuals who break into systems without authorization. These hackers use the systems for their own advantage and can damage them. Hackers tend to use malicious code to attack systems.  "Malicious code involves viruses, worms, Trojan horses, logic bombs or other unwanted software that is designed to damage files or bring down a system." [6]

Viruses are either programs or pieces of code that can bring a system down or easily use all the available memory as they replicate.  Even though there is software to get rid of such malicious code, new variants are invented daily to attack computers and wireless networks. Trojan horses are also programs, like viruses and worms, but they do not replicate. Trojan horses can be used as a backdoor to a computer and can access personal information. Logic bombs are malicious code that does not run automatically; it waits for a particular time to attack.

 


 

Current Countermeasures to Wireless Home Network Security [6]

1) Change Default Administrator Passwords (and Usernames)

At the core of most Wi-Fi home networks is an access point or router. To set up these pieces of equipment, manufacturers provide Web pages that allow owners to enter their network address and account information. These Web tools are protected with a login screen (username and password) so that only the rightful owner can do this.

2) Turn on (Compatible) WPA / WEP Encryption

All Wi-Fi equipment supports some form of "encryption." Encryption technology scrambles messages sent over wireless networks so that they cannot be easily read. Several encryption technologies exist for Wi-Fi today. It is recommended to pick the strongest form of encryption that works with your wireless network. To function, though, all Wi-Fi devices on your LAN must share the identical encryption settings. Therefore you may need to find a "lowest common denominator" setting.

3) Change the Default SSID

Access points and routers all use a network name called the SSID (Service Set Identifier). Manufacturers normally ship their products with the same SSID set. For example, the SSID for Linksys devices is normally "linksys." True, knowing the SSID does not by itself allow anyone to break into your network, but it is a start. More importantly, when someone finds a default SSID, they see it is a poorly configured network and are much more likely to attack it. Change the default SSID immediately when configuring your LAN.

4) Enable MAC Address Filtering

Each piece of Wi-Fi gear possesses a unique identifier called the "physical address" or "MAC address." MAC stands for Media Access Control.  Access points and routers keep track of the MAC addresses of all devices that connect to them. Many such products offer the owner an option to key in the MAC addresses of their home equipment, which restricts the network to only allow connections from those devices. Do this, but also know that the feature is not so powerful as it may seem. Hacker software programs can fake MAC addresses easily.

5) Disable SSID Broadcast

In Wi-Fi networking, the access point or router typically broadcasts the network name (SSID) over the air at regular intervals. This feature was designed for businesses and mobile hotspots where Wi-Fi clients may come and go. In the home, this feature is unnecessary, and it increases the likelihood an unwelcome neighbor or hacker will try to log in to your home network. Fortunately, most Wi-Fi access points allow the SSID broadcast feature to be disabled by the network administrator.

 


SSID: Short for Service Set IDentifier, a 32-character unique identifier attached to the header of packets sent over a WLAN that acts as a password when a mobile device tries to connect to a WLAN. The SSID differentiates one WLAN from another, so all access points and all devices attempting to connect to a specific WLAN must use the same SSID. An SSID is also referred to as a network name because essentially it is a name that identifies a wireless network. [5]

 

6) Assign Static IP Addresses to Devices

Most home networkers gravitate toward using dynamic IP addresses. DHCP technology is indeed quick and easy to set up. Unfortunately, this convenience also works to the advantage of network attackers, who can easily obtain valid IP addresses from a network's DHCP pool. Turn off DHCP on the router or access point, set a fixed IP address range, then set each connected device to match. Use a private IP range (like 10.0.0.x) to prevent computers from being directly reached from the Internet.

7) Position the Router or Access Point Safely

Wi-Fi signals normally reach to the exterior of a home. A small amount of "leakage" outdoors is not a problem, but the further this signal reaches, the easier it is for others to detect and exploit. Wi-Fi signals often reach across streets and through neighboring homes. When installing a wireless home network, the position of the access point or router determines its reach. Try to position these devices near the center of the home rather than near windows to minimize this leakage.

8) Turn Off the Network During Extended Periods of Non-Use

The ultimate in security measures, shutting down the network will most certainly prevent outside hackers from breaking in! While impractical to turn off and on the devices frequently, at least consider doing so during travel or extended periods offline. Computer disk drives have been known to suffer from power cycle wear-and-tear, but broadband modems and routers can easily handle this treatment occasionally.

 

Corporate and Government Agencies Network Wireless Security Countermeasures [1]

 

Management countermeasures for securing wireless networks begin with a comprehensive corporate security policy. A security policy, and compliance therewith, is the foundation on which other countermeasures—the operational and technical—are rationalized and implemented. A good corporate WLAN security policy should be able to do the following:

Identify who may use WLAN technology in an agency

Identify whether Internet access is required

Describe who can install access points and other wireless equipment

Provide limitations on the location of and physical security for access points

Describe the type of information that may be sent over wireless links

Describe conditions under which wireless devices are allowed

Define standard security settings for access points

Describe limitations on how the wireless device may be used, such as location

Describe the hardware and software configuration of all wireless devices

Provide guidelines on reporting losses of wireless devices and security incidents

Provide guidelines for the protection of wireless clients to minimize/reduce theft

Provide guidelines on the use of encryption and key management

Define the frequency and scope of security assessments to include access point discovery.

Corporations should ensure that all critical personnel are properly trained on the use of wireless technology. Network administrators need to be fully aware of the security risks that WLANs and devices pose. They must work to ensure security policy compliance and to know what steps to take in the event of an attack. Technical countermeasures involve the use of hardware and software solutions to help secure the wireless environment. Software countermeasures include proper AP configurations (i.e., the operational and security settings on an AP), software patches and upgrades, authentication, intrusion detection systems (IDS), and encryption. Hardware solutions include smart cards, VPNs, public key infrastructure (PKI), and biometrics.

Technical countermeasures involving software include properly configuring access points, regularly updating software, implementing authentication and IDS solutions, performing security audits, and adopting effective encryption.

Finally, the most important countermeasures are trained and aware users!

 

Conclusion

 

Owing to their unique characteristics of scalability, portability, rapid deployment, OEM standardization, and low cost, WLANs have today unwired both corporate and home networks, offering extendibility to how we connect our computers to the Internet. Nearly all of the disadvantages of deploying WLANs are security related. While corporations can employ skilled network administrators to minimize security threats, the most affected are home users. Overall, conventional wisdom holds that wireless networks are now "secure enough" to use in the vast majority of homes, but most jargon related to minimizing WLAN intrusion remains in the “geek domain.”

However, every home or business must determine the level of security they are comfortable with, when implementing a wireless network. The better a wireless network is administered, the more secure it becomes.

References

 

Print Publications

[1] Karygiannis T. and Owens L. Wireless Network Security: 802.11, Bluetooth and Handheld Devices. Special Publication for the National Institute of Standards and Technology (NIST), US Department of Commerce. November 2002

 

Internet Resources

[2] Vicomsoft. Wireless Networking Q & A <http://www.vicomsoft.com/knowledge/reference/wireless1.html#1> 2006

 

[3] IEEE 802.11. The Working Group Setting the Standards for Wireless LANs <http://www.ieee802.org/11/> 2006

 

[4] Robert J. Shimonski. Web Attacks Primer. (netsecurity.about.com) <http://netsecurity.about.com/gi/dynamic/offsite.htm?zi=1/XJ&sdn=netsecurity&zu=http%3A%2F%2Fwww.windowsecurity.com%2Farticles%2FWireless_Attacks_Primer.html> 2003-04

 

[5] Webopedia. <www.webopedia.com/TERM/>

 

[6] Bradley Mitchell. Wireless Network Home Security Tips. (compnetworking.about.com) <http://compnetworking.about.com/od/wirelesssecurity/tp/wifisecurity.htm>