Wireless networks are widely found within residential and small office areas. Compared to wired networks, wireless networks are easier to install and less expensive than running wires through walls; however, wireless networks are not ideal in all situations. In this article I will explore some basic wireless LAN infrastructures, their security implications, and some mitigation options.
WIRELESS SPECTRUM
Most wireless networks are based on the IEEE 802.11 set of standards. Different versions of the standards define different physical layer requirements. Currently, the most common are 802.11a, 802.11b, and 802.11g.
- 802.11a: Specifies the 5 GHz radio frequency with a maximum link rate of 54 Mbps per channel.
- 802.11b: Specifies the 2.4 GHz radio frequency with a maximum link rate of 11 Mbps per channel.
- 802.11g: Specifies the same spectrum as 802.11b but permits a link rate of 54 Mbps.
The 2.4 GHz and 5 GHz frequency bands were selected based on guidelines from the Federal Communications Commission (FCC). The FCC defined these frequencies as ISM and U-NII and designated them for general use.
ISM: The frequency range 2.4 GHz to 2.485 GHz was originally defined for use by industry, scientific, and medical (ISM) purposes. Today, the ISM band operates as a general-purpose, unlicensed frequency range. Besides hosting 802.11b and 802.11g, the 2.4 GHz band also hosts cordless phones, garage door openers, pagers, and other wireless devices.
U-NII: The frequency ranges 5.15 to 5.35 GHz and 5.725 to 5.825 GHz are designated as the Unlicensed National Information Infrastructure (U-NII) band. The use of U-NII is similar to ISM: cordless phones, pagers, and wireless devices, including 802.11a, use this frequency range.
Both ISM and U-NII are license-free, general-purpose frequencies. This means any wireless device can use these frequencies without registering with the FCC or acquiring a specific broadcast license. These are relatively crowded bands, with interference from other devices being an occasional but significant problem. Overcrowding usually appears as a weak wireless signal or a signal with occasional disconnects. Besides defining the frequency band, 802.11b and 802.11g define 11 channels within the band. The channels are intended to relieve band congestion—whereas one channel may be overly crowded or yield a weak signal, another channel may offer better performance.
Besides being license-free, these radio bands have physical properties that are useful for wireless networks. 2.4 GHz and 5 GHz are microwave frequencies, which means they are not significantly impacted by reflection or refraction as they pass through physical objects. Similarly, they are not impacted by natural events such as temperature inversions or solar flares, and the signals can easily pass through most building materials such as wood and drywall. A home user is unlikely to have problems with the signal itself.
The primary preference for 802.11b/g over 802.11a stems from the line-of-sight range. The U-NII band is a little more susceptible to line-of-sight interference, including walls, metals, water, and people (people being 70 percent water).
Stop That Signal!
Wireless radio signals travel in a straight line, allowing line-of-sight connections. (If the antenna is visible, then it can access the signal.) The main factors for limiting wireless radio wave propagation are transmitted power, material density, and moisture. As radio waves get farther from the transmission source, the signal becomes weaker. Wireless network signals have well-defined power and frequency requirements, and, in most cases, cannot be received beyond 1,000 feet (with normal antennas).
This means a home user is unlikely to worry about his network being accessible across town, but the next-door neighbor is fair game. Microwaves cannot pass through dense materials such as granite, marble, or metal—particularly when the metal is grounded. Solid barriers such as steel doors, elevator shafts, and even filing cabinets may block wireless network access. Similarly, water absorbs microwaves, so placing the wireless access point next to a fish tank may not be a good idea.
WIRELESS PROTOCOLS
The 802.11 specification is part of the IEEE 802 suite of standards that define both medium (wireless frequencies or physical wires) and device identification. Because many wireless devices may share the same frequency, 802.11 defines how a wireless network subscriber point (SP) identifies the correct wireless network access point (AP). These include a service set identifier (SSID) and wired equivalent privacy (WEP).
SSID
The service set identifier (SSID) is a 32-character text string used to identify an AP and distinguish it from other APs. For example, 802.11b defines a frequency range (2.4 GHz) and 11 channels within that range. An AP may be placed on any single channel, but many APs may share the same channel. The SSID is used to distinguish APs that share a channel.
WEP
IEEE 802.11 defines the wired equivalent privacy (WEP) protocol, providing a degree of security to wireless networks. In a wired network, privacy is limited to physical access—if an attacker cannot gain physical access to the network, then the physical network is likely secure. In contrast, wireless networks broadcast a radio signal. Anyone who can receive the signal immediately gains physical access to the medium. WEP defines a cryptographic authentication system that deters unauthenticated SP access. The WEP cryptography includes keys and encryption. But the cryptographic algorithm specified by WEP is weak and easily compromised.
WEP Keys
WEP supports two types of encryption: 64 bit and 128 bit. These correspond with 40-bit and 104-bit length secret keys, respectively. These keys are used to authenticate network access.
There are two ways to create the secret key. The first method simply allows the user to enter in the 8- or 16-character hexadecimal number that represents the key; however, this is not a convenient method for most people. As an alternative, many AP configurations permit the use of a text-based password for generating the secret keys. A text password is hashed into a 40-bit (or 104-bit) encryption key. To maintain device compatibility, nearly every wireless vendor implements the same hash functions. The same text password should generate the same key independent of the vendor.
Regardless of the generation method, the AP and SP must have the same key. Although this key is never transmitted, it is used for encrypting the wireless data stream.
WEP Encryption
WEP encryption uses the RC4 stream cipher encryption algorithm. For each packet being transmitted, an initial vector (IV) is generated. For 64-bit WEP, the IV is 14 bits long; the IV for 128-bit encryption is 24 bits long. The IV is combined with the secret key to seed the RC4 encryption. RC4 then encrypts the data. The transmitted packet includes the unencoded IV, the encoded data stream, and a CRC checksum.
In most cases, the IV is changed between every packet to prevent data repetition. When the AP or SP receives data, the encryption process is reversed. The RC4 algorithm combines the secret key with the unencoded IV that was transmitted with the packet. This combination is used to decode the encrypted data. The final CRC is checked to validate the decoded data.
WEP Cracking
Although the concept behind WEP encryption is solid, the implementation uses weak security elements. In particular, there are relatively few IV values. For attackers to crack the WEP encryption, they only need to determine the secret key. There are two main approaches for cracking WEP: brute-force password guessing and data analysis. Although RC4 is not considered an extremely strong encryption algorithm by today’s standards, the weaknesses in WEP are not primarily centered on RC4. The WEP weaknesses are due to weak key and IV selections.
Brute-Force WEP Cracking
The WEP password is usually based on a hash from a dictionary or common word. Simply guessing passwords and encoding them as a WEP key may quickly crack a WEP system. A dictionary attack cycles through a word list, trying every word as a possible key.
WEP and 802.11 define no method for deterring dictionary attacks—an attacker can try thousands of keys without ever being denied access and without ever having the AP generate a log entry concerning a possible attack. From the AP’s viewpoint, there is no distinction between a corrupt packet due to a CRC error (e.g., poor radio signal) and a corrupt packet due to a decryption problem (brute-force key attack).
Many APs are configured using weak passwords. These may include people’s names, addresses, or manufacturer brands. Amazingly, one security professional reported that a significant number of WEP keys are the same as the SSID. If the SSID says “ABC Corporation” then the WEP key may be the text string “ABC Corporation.”
Data Analysis WEP Cracking
WEP encryption makes one weak assumption: if an attacker does not see the same IV, then he cannot crack the data stream. In reality, IV values repeat. For 64-bit encryption, there are only 4,096 (2^12) different IV values. If the IV does not change between packets, then a duplicate is immediately available. But if the IV changes between each packet, then a duplicate IV will be observed after no more than 4,097 packets.
When an attacker captures two packets with a duplicate IV, it is just a matter of trying different key sequences to find the ones that result in an RC4 decryption with the correct CRC checksum. By assuming weak passwords for creating the secret key, the search process can be sped up.
Given two packets with the same IV, the entire 64-bit WEP analysis can take a few minutes. 128-bit encryption may take a few hours, depending on the computer’s speed. The primary limiting factor is packet volume: if there is very little network traffic, then an attacker must wait a long time before seeing a duplicate IV. But a patient attacker will eventually see a duplicate IV. And given a duplicate IV, it is only a matter of time before an attacker determines the secret key.
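The following Python block is an added example, not code from the chapter. It implements the per-packet WEP encapsulation described under WEP Encryption (RC4 keyed with IV||secret, CRC-32 ICV), shows that a wrong key and a radio-corrupted frame fail the ICV check identically (the point made under Brute-Force WEP Cracking), and adds a defender-side monitor that reports the frame at which an IV value repeats. The IV width, the secret key, the AP label and the sample frames are constructed assumptions.

```python
"""WEP per-packet encapsulation (RC4 keyed with IV||secret, CRC-32 ICV) plus an
IV-reuse monitor.  Added example; IV width, key and AP label are assumptions."""
import zlib
from collections import defaultdict

IV_LEN = 3  # assumption: IV carried as 3 bytes (24 bits) in the frame header


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling: permute S under the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):  # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body = cleartext IV || RC4(IV||secret) XOR (payload || CRC-32 ICV)."""
    icv = zlib.crc32(payload).to_bytes(4, "little")
    ks = rc4(iv + secret, len(payload) + 4)
    return iv + bytes(a ^ b for a, b in zip(payload + icv, ks))


def wep_decrypt(secret: bytes, frame: bytes):
    """Reverse the process; return the payload, or None when the ICV fails.
    A wrong key and a radio-corrupted frame fail in exactly the same way,
    which is why the AP cannot log a key-guessing attempt as such."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    plain = bytes(a ^ b for a, b in zip(body, rc4(iv + secret, len(body))))
    payload, icv = plain[:-4], plain[-4:]
    return payload if zlib.crc32(payload).to_bytes(4, "little") == icv else None


class IvMonitor:
    """Defender-side check: per AP, report the frame number at which an IV
    value is first seen a second time (the moment keystream reuse begins)."""

    def __init__(self):
        self.seen = defaultdict(set)
        self.count = defaultdict(int)

    def observe(self, bssid: str, frame: bytes):
        iv = frame[:IV_LEN]
        self.count[bssid] += 1
        if iv in self.seen[bssid]:
            return self.count[bssid]
        self.seen[bssid].add(iv)
        return None


def first_repeat(iv_bits: int) -> int:
    """Worst case for a counter-driven IV of `iv_bits` bits: with 2**iv_bits
    distinct values, the pigeonhole principle forces a repeat at frame 2**iv_bits + 1."""
    mon = IvMonitor()
    secret = b"\x01\x02\x03\x04\x05"  # constructed 40-bit key
    space = 2 ** iv_bits
    for n in range(space + 1):
        frame = wep_encrypt(secret, (n % space).to_bytes(IV_LEN, "big"), b"x")
        hit = mon.observe("ap0", frame)
        if hit:
            return hit


def same_iv_leak(secret: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """XOR of two frame bodies sent under one IV: the keystream cancels out and
    only payload1 XOR payload2 (plus ICVs) remains, with no key needed."""
    c1 = wep_encrypt(secret, iv, p1)[IV_LEN:]
    c2 = wep_encrypt(secret, iv, p2)[IV_LEN:]
    return bytes(a ^ b for a, b in zip(c1, c2))
```

With a 12-bit IV space, `first_repeat(12)` returns 4097, matching the bound given above for 4,096 IV values.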
WIRELESS RISKS
Wireless networks face a number of risks that do not appear in wired infrastructures. These include packet sniffing, SSID information, impersonations, parasites, and direct security breaches.
Packet Sniffing
Packet sniffing is the simplest form of network attack. The data flow on a wireless network is essentially a bus topology. Whereas individual SPs may not necessarily hear each other, every SP receives all data transmitted by the AP. This means that anyone connected to the AP can observe at least half of a client’s network traffic (and usually all the traffic). This can directly lead to session hijacking or attacks against other OSI layers.
SSID Information
Many residential and corporate wireless networks provide an attractive nuisance. SSIDs are commonly set to a company’s name, family name, or street address. This suggests to potential attackers the type of data they may be able to compromise. For example, an SSID that broadcasts “Bank of Colorado” is much more attractive to attackers than one that broadcasts “Default” or “GL27.” The value in the SSID may attract attackers as well as assist users.
Impersonation
AP impersonation may be intentional or accidental. Anyone can enable an AP, and the SSID can say anything. Attackers may establish a new AP near an existing AP and assign it the same SSID. This creates an impersonation problem for SPs, called an Evil Twin attack. If users want to connect to a known AP, such as their company or a local coffee shop, which AP should they connect to? For sites that provide multiple APs, such as hotels, libraries, or schools, how can an SP distinguish the real APs from an impostor? From the SP’s viewpoint, all APs with the same SSID look identical. WEP may be useful as a distinguishing factor for separating impostor APs from true sites. Unfortunately, with WEP cracking, an attacker can determine the WEP secret key and assign it to the impostor’s AP.
An impostor has many options after catching an unaware victim:
- DoS: The attacker may choose to prevent network access, causing a DoS against the victim.
- Man-in-the-middle (MitM): The impostor may tunnel traffic through a collection system, intercepting or modifying data intended for use by the victim. The victim may identify a MitM attack if a LAN resource is unavailable.
- Tunneling: Using an SP as well as an AP, an attacker can create a tunnel between the impostor AP and the true AP. The victim cannot readily identify this sophisticated MitM attack because all desired LAN access is available.
Unintentionally, two sites, such as residential neighbors, may enable APs using the same (usually default) settings. In this situation, they may not be aware, or even care, that they are using someone else’s network.
Parasites
In wireless networking terms, a parasite (or leech) is an unwelcome person that simply wants to access the Internet through an open AP. If a wireless network is open (no WEP), a parasite may connect to surf the Web or check email. Parasites are usually uninterested in LAN services and do not obey (or care about) network usage costs, LAN policies such as “no porn,” or bandwidth limitations—they just want to access the Internet. These people frequently appear in hotels, coffee shops, bookstores, and other places where laptops are common but Internet access may not be available or free. Fortunately, most parasites are sufficiently deterred by WEP.
Direct Security Breaches
Although rare, some attackers are not interested in “a” network—they want “your” network. In this situation, wireless networks permit direct access to the physical network layer. As mentioned earlier, WEP is not a deterrent against a determined attacker.
RISK MITIGATION OPTIONS
As with wired networks, wireless mediums provide no inherent security mechanisms. Any attacker who can intercept the wireless signal gains immediate access to the physical network. To mitigate this situation, there are three types of solutions. The first set of options lessens the attractiveness of the wireless network. This is technically security-by-obscurity, but labeling the SSID, disabling SSID broadcasting, and selective antenna placement are active ingredients toward defense-in-depth.
The second set of options limits an attacker’s ability to connect to and use the wireless router. MAC filtering, WEP, and other cryptographic systems define different stages of an authentication stack. Finally, the type of network architecture can limit the impact from a successful attacker.
SSID Labeling
The value set in the SSID may provide information to an attacker. All things being equal, an attacker is more likely to attack a known target. For example, the SSID string “Baby Care,” “Sandwiches,” or “Corporate Office” may advertise to an attacker the type of company that owns the wireless router. Other SSIDs may advertise a router’s owner or location, such as “The Walters” or “203 Sunnybrook.” In contrast, default SSID values, such as “Default” or “Linksys,” may suggest a weakened target for an attacker—if the administrator did not configure this default value, then other systems accessible by the wireless network are also likely set to default values.
In a best case, the SSID should be informative to the owner but obscure to an attacker. For example, “CSL3-5” may indicate the Computer Security Lab #3 router in building 5. Other creative settings may include warnings, such as “DO NOT ENTER” or “Go away.”
Broadcasting SSID
The default setting for most wireless routers includes SSID broadcasting. The router broadcasts the SSID every few seconds so other users looking for the AP will be able to find it. The constant broadcast can be disabled, requiring users to know the SSID’s name prior to connecting. Although this does not disable all of the different SSID broadcast mechanisms, it does significantly reduce the risk of discovery by war drivers and parasites.
Antenna Placement
Where the wireless antenna is placed directly impacts who can access the signal. APs placed on the second floor of a home, near a front window, are very likely to be received by people across the street. In contrast, an antenna placed in the corner of a basement has its range limited by the surrounding materials; rebar in basement walls acts as a grounding plane, and the moisture in the soil significantly reduces signal range. Many companies resort to grounded metal hoods over the antennas to restrict signal propagation to a specific direction.
Although careful antenna placement may limit a signal’s strength in a particular direction, it is unlikely to prevent a determined attacker. Directional antennas can boost an SP’s capability to connect to an AP by accessing signals that are very distant and very weak.
MAC Filtering
Although careful SSID management and antenna placement may lower the risk from casual attackers, they provide no mitigation option for a determined attacker. Instead, an authentication stack can restrict access from an attacker who can receive the wireless signal. The additional stack adds another layer of protection by requiring specific credentials to connect.
The simplest type of authentication is based on the OSI layer 2 media access control (MAC). As covered in Part III, the MAC address is a pseudo-unique identifier assigned to every network card. Many APs permit an administrator to explicitly list the MAC addresses that may connect to the router. This prevents attackers from connecting with an unknown MAC address. Unfortunately, most network cards permit the user to specify an alternate MAC address. Because the MAC is transmitted in every packet, an attacker only needs to receive a packet to identify a valid MAC address.
WEP: Better Than Nothing
Although WEP is not a significant deterrent for a technical attacker, it is certainly a better alternative to providing an open network. Any security is better than no security, even if it is weak. A skilled attacker can trivially bypass SSID settings, antenna placement, and MAC filtering. These mitigation options limit discovery but do not prevent wireless connections.
In contrast, WEP actively prevents connections, even if only for a few minutes. From a legal viewpoint, WEP has a significant purpose: WEP defines intent. An attacker who enters an unprotected network (no WEP) may claim that the wireless network posed an attractive nuisance, or that he was not aware that the network was private. This makes successful prosecution (assuming the attacker can be identified) based strictly on wireless access difficult. In contrast, an attacker who decrypts and accesses a WEP-enabled network clearly demonstrates intent.
Cryptographic Systems
WEP is one example of a cryptographic system used in a wireless network authentication stack, but it is not the only cryptographic system available. For example, IEEE 802.11i defines a method for supporting authentication protocols called the Wi-Fi Protected Access (WPA). Authentication systems, such as the 802.11i-based Temporal Key Integrity Protocol (TKIP), address the issues surrounding static WEP keys. Other systems include the Extensible Authentication Protocol (EAP), which is designed to deter MitM attacks.
The suite of authentication protocols is not limited to open standards. In 2000, Cisco introduced a proprietary variant of EAP called LEAP. This protocol has since been cracked by software such as ASLEAP (http://asleap.sourceforge.net/). Although many of these alternatives to WEP provide sufficient security for limiting unauthorized connections, they have two primary drawbacks: compatibility and observability.
Alternate Authentication Compatibility
WEP is essentially universally available and accepted. Nearly all wireless network routers support WEP, and WEP from any vendor’s network card will work with WEP from any other vendor’s wireless router. This universal acceptance leads to a higher likelihood of adoption.
There are many other authentication systems, such as TTLS, TLS, EAP, LEAP, PEAP, and MD5. Although different vendors support some of these protocols, few vendors support all of them. Currently, none of these authentication alternatives are universally supported. This leads to an incompatibility between vendor hardware and drivers. The authentication stack offered by one vendor may not be supported or compatible with other vendors. Users are left with the option of either (1) using a strong authentication stack but being locked to a specific vendor and risking incompatibility with other wireless sites, or (2) using the known-weak WEP authentication but retaining compatibility. As seen with Cisco’s LEAP (and cracking tool ASLEAP), being locked to one vendor may not enhance the security of your network: authentication systems that are secure today may not be secure tomorrow.
Alternate Authentication Observability
A wireless network authentication stack ensures that only authorized SPs connect to the AP. And combining the stack with encryption deters an attacker from monitoring network data. But these security measures do not prevent an attacker from gaining insight. Even if attackers cannot access a network, they can still count packets. By monitoring network traffic volume, an attacker can gain insight into how the network is being used.
- No packets: A wireless network that generates no measurable volume is inactive. An attacker can determine when a network is in use.
- Packet directions: In many cases, the attacker can determine whether the data is flowing from the AP to the SP, or vice versa. Even if the data is encrypted at a low OSI layer (preventing the packet from disclosing direction), a directional antenna system can determine which transmitter is in use.
- High directional volume: A significant and constant data flow likely represents an upload or download. The duration of the volume can be used to estimate the transfer size.
- High bidirectional volume: A significant and constant bidirectional data flow may indicate a network application such as X-Windows or an online game.
- Low volume: Low-volume packets with irregular pauses are likely a human typing over the network. The attacker may not know what is being typed, but he can determine “typing.”
Depending on the volume, duration, and pause patterns, an attacker may be able to determine the type of network usage. An attacker may not know the details of what a network is transporting, but the attacker can make an educated guess as to the type of traffic based on volume analysis.
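The following Python block is an added example, not from the chapter: it applies the volume, direction and timing heuristics listed above to frame metadata, which stays visible even when the payload is encrypted, and shows what an observer can and cannot infer. The thresholds and the four sample traces are constructed assumptions, not captures.

```python
"""Traffic-volume analysis of an encrypted wireless link.  Added example, not
from the chapter; thresholds and the sample traces are constructed here."""
from statistics import pstdev

# One record per observed frame: (seconds since capture start, "up"|"down", bytes).
# Sizes, directions and timing are visible even when the payload is encrypted.


def summarize(frames, window=10.0):
    """Return (label, up_bytes, down_bytes) using only size, direction and timing."""
    if not frames:
        return "idle", 0, 0
    up = sum(n for _, d, n in frames if d == "up")
    down = sum(n for _, d, n in frames if d == "down")
    total = up + down
    rate = total / window                      # bytes per second over the window
    times = sorted(t for t, _, _ in frames)
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean_size = total / len(frames)
    if rate < 500:                             # constructed threshold: "low volume"
        # small frames with irregular pauses look like a person typing
        if mean_size < 120 and gaps and pstdev(gaps) > 0.3:
            return "interactive", up, down
        return "idle", up, down                # keepalives and beacons only
    share = max(up, down) / total
    if share > 0.85:                           # sustained one-way flow
        return ("upload" if up > down else "download"), up, down
    return "bidirectional", up, down           # e.g. remote display or a game


# Constructed traces (not captures): each mimics one pattern from the text.
TYPING = [(t, "up", 70) for t in (0.2, 0.5, 0.6, 1.4, 1.5, 1.6, 2.9, 3.0,
                                  4.8, 4.9, 5.0, 7.3, 7.4, 9.1, 9.2)]
KEEPALIVES = [(float(i), "down", 60) for i in range(10)]
DOWNLOAD = [(i * 0.1, "down", 1500) for i in range(100)] + \
           [(i * 0.2, "up", 60) for i in range(50)]
GAME = [(i * 0.1, "up" if i % 2 else "down", 200) for i in range(100)]
```

The labels are guesses about usage type only; nothing in the frame metadata reveals the content, which is exactly the limit the text describes.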
Network Architecture
Wireless networks permit anyone within receiving range to access the physical medium. Whereas authentication stacks may deter attackers from connecting, a properly designed network architecture can limit the impact from an attacker who successfully connects to the wireless router. Architectural decisions, such as a DMZ or VPN, can restrict the activities from a connected attacker.
Wireless and DMZ
The DMZ separates a potentially hostile network from the internal LAN. When used with a wireless network, the DMZ isolates the wireless systems from the remainder of the LAN. In this configuration, any SP that connects to the AP is only able to access the DMZ. Further access requires the ability to authenticate or bypass the DMZ’s firewalls.
Although most residential wireless routers act as a firewall, separating the WAN from the LAN, most residential wireless routers do not separate the wireless hosts from the wired hosts—both reside on the same LAN. A simple solution (Figure 1) uses two home firewalls. The first contains the AP and connects to the WAN. The second, internal router does not support wireless and separates the internal LAN from the wireless network. Although all users on the wireless network can connect to the WAN, the LAN remains protected. The primary limitation with this approach is usability—a home user may not be able to file-share with a wireless system. But this limitation may be countered by the security consideration: do you really want to share files with anyone who connects to the AP, even if it is an uninvited guest?
FIGURE 1 A simple home DMZ for isolating the wireless network from the LAN.
Wireless and VPN
In addition to a DMZ or firewall to separate the wireless network from the LAN, the network may be configured to require a virtual private network (VPN). Just as the authentication stack is a network stack in series with the host’s network stack, a VPN resides in series. The VPN tunnels network traffic between hosts or subnets, ensuring privacy along a public path. Solutions such as Secure Shell (SSH), OpenVPN (a solution based on secure socket layer—SSL—technology), CIPE, PPTP, Virtual Tunnel (VTun), Tinc, and many others are widely available and supported. Different VPN solutions have different tradeoffs, such as the capability to tunnel TCP or UDP and the impact on speed, but a firewall that requires an established VPN is much less vulnerable to attack.
In an ideal architecture that uses an onion or garlic configuration, the AP is placed in a core, and the core firewall only permits access beyond the core through an established VPN. Hosts on the VPN are granted access to the LAN and WAN. In this scenario, an attacker can connect to the AP but cannot access the LAN or WAN due to the firewall. In contrast, authorized users can access the LAN and perform tasks, such as checking email, sharing files, or administrating the network, in a secure manner.
The 2.4 GHz and 5 GHz bands are not the only type of wireless mediums. Microwave networks, Bluetooth-enabled devices, and infrared systems all have similar limitations. The primary differences among these mediums are range, power requirements, and bandwidth. The limitations found in Wi-Fi networks can be directly applied to other wireless mediums.
Although wireless networks face the same risks as wired networks—anyone with access to the medium can attack the network—the problem is expanded due to the broadcast nature of the network. In a wired network, only people with physical access to the wire can access the network medium. There is relatively little fear from attackers that lack physical access. In a wireless network, anyone who receives the signal, regardless of distance or location, can attack the network. The risks from wireless networks can be mitigated through the combination of authentication stacks, firewalls, and VPNs, creating a secure network topology.