it-wireless

Wednesday, September 15, 2004

Wireless Security FAQ
Providing mobile IT pros with remote access to all business apps may put a company's vital information at risk. Read Security in the Wireless Revolution to find out about today’s available wireless systems and the type of security you need to avoid costly and dangerous security concerns.
Going wireless is a big step, and maintaining wireless security is an ongoing process. So it's little surprise that IT pros have so many questions about wireless technology. We've gathered some of those most frequently asked and invited our wireless expert, Brien Posey, to answer them. The FAQ list will be constantly evolving, so you're invited to send us other questions you may have. Just mail them to us or post them in the discussion area at the end of this FAQ.
Table of contents
Is it true that WEP can be easily hacked?
Can a Pringles can be used as an antenna by hackers?
Can a VPN ensure wireless privacy?
If WEP encryption is so insecure, then why does 802.1x rely on it?
Is it true that wireless network users are themselves vulnerable to security breaches even when connected to a corporate LAN via a wireless VPN connection?
Is it safe not to tunnel traffic that is ultimately destined for the Internet?
How can a wireless workstation be subject to buffer overflow attacks?
How does public key security work?
Can a hacker attack an access point?
Is SSID broadcasting a security threat?
Does MAC filtering work as a security measure?
Is DHCP a security threat?
Is signal jamming a security issue?
Can adjusting the signal strength help secure a wireless network?
If I have implemented all of the standard security mechanisms, can I guarantee network security?
Should I use SNMP to manage my wireless network?
I can’t adjust the power level on my access point, and the antenna is not removable. Is there any way to help to prevent the signal from leaving the building?
How can I audit a wireless network?
How can I detect rogue access points on my wireless network?
Page 1 Copyright ©2004 CNET Networks, Inc. All rights reserved. To see more downloads and get your free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html. Wireless Security FAQ
Is it true that WEP can be easily hacked?
Anyone with a laptop and a wireless network card can sniff encrypted packets as they flow across a wireless network. Depending on the content and structure of captured packets, a hacker simply needs to capture anywhere from 100 MB to 1 GB worth of packets. Such a sampling size guarantees that the hacker will have all of the information he needs to break the WEP encryption. Once the necessary volume of data has been captured, the hacker can simply run a freeware utility against the captured packets to derive the WEP key.
Can a Pringles can be used as an antenna by hackers?
Yes. Although a typical wireless NIC has a range of 100 to 300 feet, faint radio signals are transmitted far beyond the network’s operational area. By investing about ten dollars for a few parts from Radio Shack and for a can of Pringles, you can easily build an antenna that can intercept a signal from as far as 10 miles away (assuming that there is a clear line of sight). Other industrial-strength antennas can intercept a signal from even further away.
Can a VPN ensure wireless privacy?
Setting up a VPN greatly enhances the privacy of a wireless network, especially when used in conjunction with WPA or WEP encryption. If you are considering implementing a wireless VPN, though, there are a few issues to consider. First, if the wireless signal drops even for a second, users' connections will be terminated and they will have to reestablish their VPN connections. Second, a wireless VPN offers no protection against rogue access points. Third, a wireless VPN doesn’t give wireless users the same seamless network access that wired users have, since they will usually have a separate login for the VPN connection.
If WEP encryption is so insecure, then why does 802.1x rely on it?
802.1x by itself is not secure. It only becomes secure when combined with the Extensible Authentication Protocol (EAP), which makes it possible to distribute WEP keys securely. Rather than relying on static WEP keys, the 802.1x and EAP combination gives each session a unique WEP key. Additionally, WEP keys automatically expire every ten minutes. Because each session is rekeyed so frequently, a hacker cannot collect the necessary volume of packets between key changes.
Is it true that wireless network users are themselves vulnerable to security breaches even when connected to a corporate LAN via a wireless VPN connection?
Yes, there are three primary ways in which wireless users are at risk. First, if volumes or folders on the users' machines are shared, it is possible for other users within the subnet to access the contents of those shares. Second, someone on the same subnet as the user could perform a buffer overflow attack against the user. Finally, not all traffic is routed over the VPN. Traffic related to Internet usage is routed over the Internet. This traffic is subject to capture through the usual methods.
If I have never shared any files or folders on my hard disk, is my information still vulnerable to compromise while I am using a wireless connection?
Yes. Even if you never create a share point, Windows has a few shares of its own. There is a share called Admin$ and another share for each hard drive (C$, D$, etc.). You can’t disable these shares because Windows depends on them. To prevent these shares from being exploited, make sure that the system is running a personal firewall. Also change the local Administrator’s username and password to further reduce the chances of these shares being exploited.
Is it safe not to tunnel traffic that is ultimately destined for the Internet?
When a wireless user is connected to the corporate network via a VPN link, it may seem that traffic destined for the Internet will pass through the VPN, since it must first be routed through the corporate network. However, this isn’t always the case. VPN tunnels can become congested rather easily. To conserve bandwidth, some VPN implementations transmit traffic destined for the Internet over the wireless network but outside of the VPN tunnel. This means that Internet traffic is unencrypted. This shouldn’t be a problem, since nothing sensitive should be flowing across the Internet. However, some users use the same password for Web sites as they use for access to the corporate network. If such a site doesn’t encrypt passwords, it might be possible for someone to steal a password and use it to gain access to the corporate network.
How can a wireless workstation be subject to buffer overflow attacks?
Unless a workstation is running a personal firewall, other machines on the same subnet as the workstation can communicate with the system across all TCP and UDP ports. The corporate firewall only blocks malicious traffic from the outside world; it does nothing to prevent attacks from within.
How does public key security work?
The basic idea behind public key security is that every user has two mathematical encryption keys, a public key and a private key. A user’s public key is accessible to anyone, but the private key is accessible only to the user. When someone needs to encrypt traffic before sending it to a specific user, the encryption process begins by downloading the user’s public key. The public key is used to encrypt the packets, but is useless for decrypting them. The packets can only be decrypted by the corresponding private key, which is held only by the recipient.
Can a hacker attack an access point?
Absolutely. Almost all access points ship from the factory set to use either 192.168.0.0 or 192.168.1.1 as their IP address. Furthermore, the default login credentials are usually Administrator or Admin and "PASSWORD" or a blank password. Of course, the credentials vary among brands of access points, but it is very easy to perform a simple query against an access point to find out its make and model. From there, it’s simply a matter of looking up the default login credentials on the manufacturer’s Web site. Unless the default password has been changed, the attacker will be able to gain full control over the access point.
Is SSID broadcasting a security threat?
Have you ever tried to connect to your wireless network only to have a neighbor’s network show up on the list of available wireless networks? The reason your neighbor’s network appeared as an available choice is that SSID broadcasting was enabled. SSID broadcasting causes the wireless access point to tell all available clients the name of the network. If SSID broadcasting is disabled, hackers can still hack the network, but they will have to figure out what the SSID is rather than having it handed to them.
Does MAC filtering work as a security measure?
Many access points allow you to enable MAC filtering so that only clients with specific MAC addresses can connect to the wireless network. MAC filtering works to an extent as a security measure; however, it is fairly easy to spoof a MAC address. Enabling it still makes an attacker's job a bit harder: before a hacker can spoof a MAC address, he must first figure out which MAC addresses are authorized to use the wireless network, which can be done by sniffing packets. So, while MAC filtering will protect you against less skilled hackers, it won’t stop a really determined one. It will only slow him down.
Is DHCP a security threat?
Almost all access points have DHCP (Dynamic Host Configuration Protocol) enabled by default so that they will automatically hand out IP addresses to any workstation that connects to them. In a way, DHCP is an indirect security issue because you are simply handing a hacker an IP address related to your network. On the other hand though, most access points will not issue an IP address until a station’s WEP (Wired Equivalent Privacy) pass phrase has been verified.
Is signal jamming a security issue?
While there have been a few reports of signal jamming being used as a denial of service attack, signal jamming often comes from other sources. 802.11b networks operate in the 2.4-GHz frequency range. This is the same frequency range used by many cordless phones. It is possible for a wireless network signal to be disrupted by a cordless phone, a microwave oven, or another wireless network. In the past, one solution was to upgrade to a wireless network that used the 5.8-GHz frequency range. However, cordless phones now exist that operate on the 5.8-GHz frequency. Further, the signal from a 5.8-GHz network has a tougher time penetrating walls than the signal from a 2.4-GHz network.
Can adjusting the signal strength help secure a wireless network?
When you install a wireless network, it’s tempting to use a big antenna and the highest available transmitting power so that everyone gets a great signal. However, it’s often better to turn down the power in an effort to prevent the signal from leaving the premises. After all, you don’t want people in the parking lot snooping on you.
If I have implemented all of the standard security mechanisms, can I guarantee network security?
Although it’s relatively safe to assume that the network will be secure, it’s important to put your security to the test through penetration testing. Penetration testing is basically hacking your own network to see if vulnerabilities exist.
Should I use SNMP to manage my wireless network?
SNMP is a double-edged sword. If an access point supports SNMP, then you will be able to manage it in the same way that you would manage any other SNMP-enabled device. At the same time though, if your access point were to be hacked, then the hacker could use SNMP to gain all sorts of information about your network. I recommend disabling SNMP on your access point unless you really need it.
I can’t adjust the power level on my access point, and the antenna is not removable. Is there any way to help to prevent the signal from leaving the building?
Place the access point near the middle of the facility. Avoid having it near a window at all costs and try not to place it near an exterior wall.
How can I audit a wireless network?
You would audit a wireless network in the same way that you audit any other network. The exception is that many access points also compile logs of which stations have connected to them and when. If your access point offers such a feature, then I recommend taking a quick look at the logs at least once a day.
How can I detect rogue access points on my wireless network?
There are a number of free utilities available, such as NetStumbler and WaveRunner, that will scan for wireless devices for you. You can also use commercial products such as RogueWatch that offer more features.
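The two checks above (reviewing the access point's association log daily, and scanning for access points that are not yours) can be scripted. This is an added example, not code from the FAQ or from TechRepublic: the log format, the authorized inventories and the scan results are constructed here, since every access point and scanner reports in its own format.

```python
"""Added example (not from the FAQ): two defender-side checks the FAQ recommends doing
by hand. The log format, inventories and scan results are constructed for this example."""
import re
from datetime import datetime

# Constructed sample: association log lines as a hypothetical access point might write them.
AP_LOG = """\
2004-09-15 08:02:11 assoc station=00:0c:41:aa:bb:01 ssid=CORP-WLAN
2004-09-15 08:05:47 assoc station=00:0c:41:aa:bb:02 ssid=CORP-WLAN
2004-09-15 02:13:09 assoc station=00:50:f2:de:ad:01 ssid=CORP-WLAN
2004-09-15 09:17:30 disassoc station=00:0c:41:aa:bb:01 ssid=CORP-WLAN
"""

# Constructed inventory of station MAC addresses the administrator has authorized.
AUTHORIZED_STATIONS = {"00:0c:41:aa:bb:01", "00:0c:41:aa:bb:02"}

# Constructed inventory of the company's own access points (BSSID -> SSID).
AUTHORIZED_APS = {"00:0c:41:00:00:10": "CORP-WLAN", "00:0c:41:00:00:11": "CORP-WLAN"}

# Constructed scan results as a stumbler-style tool might report them: (bssid, ssid, channel).
SCAN_RESULTS = [
    ("00:0c:41:00:00:10", "CORP-WLAN", 1),
    ("00:0c:41:00:00:11", "CORP-WLAN", 6),
    ("00:50:f2:11:22:33", "CORP-WLAN", 11),   # corporate SSID from an unknown BSSID
    ("00:50:f2:44:55:66", "linksys", 6),      # unknown AP still using a factory-default name
]

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>assoc|disassoc) "
    r"station=(?P<mac>[0-9a-f:]{17}) ssid=(?P<ssid>\S+)$"
)

def review_association_log(log_text, authorized, work_hours=(7, 19)):
    """Return (mac, reason) findings: associations from stations that are not in the
    authorized list, and associations that happen outside working hours."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("event") != "assoc":
            continue  # ignore disassociations and lines in an unexpected format
        mac = m.group("mac").lower()
        hour = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S").hour
        if mac not in authorized:
            findings.append((mac, "station not in authorized list"))
        if not (work_hours[0] <= hour < work_hours[1]):
            findings.append((mac, "association outside working hours"))
    return findings

def find_rogue_aps(scan, authorized_aps):
    """Return (bssid, ssid, reason) for access points in the scan that are not in the
    inventory. An unknown BSSID advertising a corporate SSID is called out separately,
    because it may be impersonating a company access point."""
    rogues = []
    corporate_ssids = set(authorized_aps.values())
    for bssid, ssid, channel in scan:
        bssid = bssid.lower()
        if bssid in authorized_aps:
            continue
        if ssid in corporate_ssids:
            rogues.append((bssid, ssid, "unknown BSSID using corporate SSID on channel %d" % channel))
        else:
            rogues.append((bssid, ssid, "unknown access point on channel %d" % channel))
    return rogues

if __name__ == "__main__":
    for mac, reason in review_association_log(AP_LOG, AUTHORIZED_STATIONS):
        print("station", mac, "->", reason)
    for bssid, ssid, reason in find_rogue_aps(SCAN_RESULTS, AUTHORIZED_APS):
        print("AP", bssid, ssid, "->", reason)
```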
Related TechRepublic resources:
TechRepublic books and CDs:
Wireless Networking Survival Guide
802.11 Wireless Networking Resource Guide
Downloads:
Wireless Equipment Checkout Tool
Wireless policy template
Articles and columns:
At last, real wireless LAN security
VPNs are good but not perfect
Final step in security audit process
How to troubleshoot your wireless network

Saturday, September 04, 2004

802.11i, WPA, RSN and What it all Means to Wi-Fi Security


In the Beginning: 802.11i

The long-anticipated 802.11i specification for wireless LAN security was finally ratified by the IEEE in June 2004. It had been in the works for years. Unlike the 802.11a, b and g specifications, all of which define physical layer issues, 802.11i defines a security mechanism that operates between the Media Access Control (MAC) sublayer and the Network layer. The new spec offers significant improvements over the old standard, Wired Equivalent Privacy (WEP). The specifications were developed by the IEEE’s TGi task group, headed by David Halasz of Cisco. However, during 802.11i’s long, long gestation period, WPA emerged as an interim solution.

WPA

Wi-Fi Protected Access (WPA) was created by the Wi-Fi Alliance in 2002, in part out of impatience with the slow-moving 802.11i standard. The industry consortium’s consensus was that an alternative to WEP was needed quickly, and WPA was the result. To avoid multiple “standards” and conflicts later on, WPA was designed from the get-go to be compatible with 802.11i and was based on its early draft specifications. This sets WPA apart from a number of proprietary wireless LAN security solutions that were developed by Proxim, Funk and other vendors.

WPA provides several security advantages. First, it uses a stronger key management scheme, by implementing the Temporal Key Integrity Protocol (TKIP). TKIP creates encryption values that are mathematically derived from a master key, and changes these encryption keys and IV values automatically (and transparently to the user) so as to prevent key stream reuse. This is important because WEP keys have to be changed manually, and this can be an administrative hassle, leading to administrators not changing the keys often enough (or not at all). TKIP also uses a Message Integrity Code called Michael that uses a 64 bit key. The integrity checker is designed to block forged messages.

There are two methods for generating the master key, and WPA operates in two different modes, depending on whether pre-shared keys are used or a central authentication server is available. For home users, WPA offers easy setup (one big problem with WEP was that many users found it too difficult or confusing to set up and manage, so they didn’t). Authentication is based on the Extensible Authentication Protocol (EAP) and can use pre-shared keys that make it simple to configure on the WAP and clients in small network settings: you manually enter a password, and then TKIP does its thing, automatically changing the keys periodically. This is called PSK (for PreShared Key) mode.

Tip: It is recommended that when using PSK mode, you should set a password with at least 20 characters.

At the large network level, operating in Enterprise mode, WPA supports RADIUS so that users can be authenticated through a centralized server. WPA 802.1x authentication methods include EAP-TLS, EAP-TTLS, EAP-LEAP, EAP-PEAP and other implementations of EAP. WPA uses the same encryption algorithm for encrypting data that WEP uses: the RC4 stream cipher. However, TKIP uses a 48 bit initialization vector, as opposed to the weaker 24 bit IV used by WEP.

The Wi-Fi Alliance started certifying WPA-capable wireless equipment in April 2003. You can find a list of certified products on the Wi-Fi Alliance Web site at http://www.wi-fi.org/OpenSection/certified_products.asp?TID=2. To use WPA, older WAPs must have a firmware upgrade applied. Some WAPs can support both WEP and WPA clients simultaneously. The client computer’s operating system and wireless network adapter must support WPA. The Windows WPA client is available from Microsoft for Windows XP (with SP1) and Server 2003 systems. The WPA update is included in the Wireless update rollup package for XP (see http://support.microsoft.com/default.aspx?kbid=826942). You can download the WPA patch for XP Professional and Home at http://www.microsoft.com/downloads/details.aspx?FamilyID=009D8425-CE2B-47A4-ABEC-274845DC9E91&displaylang=en. After you install the update and reboot, there will be new dialog boxes added to the Network configuration window for configuring WPA.

Note: If you’re using an operating system other than XP/2003, you must install a third party client program called a supplicant, such as the one available from Funk Software (www.funk.com). You may need to get updated drivers for your wireless network card from the NIC vendor. For step-by-step instructions on upgrading your WAP and network card, see http://www.pcmag.com/print_article/0,3048,a=107756,00.asp.

RSN

Another element of 802.11i is Robust Security Network (RSN), which dynamically negotiates the authentication and encryption algorithms to be used for communications between WAPs and wireless clients. This means that as new threats are discovered, new algorithms can be added. RSN uses the Advanced Encryption Standard (AES), along with 802.1x and EAP. The security protocol that RSN builds on AES is called the Counter Mode CBC MAC Protocol (CCMP). AES supports key lengths up to 256 bits, but is not compatible with older hardware. However, there is a specification designed to allow RSN and WEP to coexist on the same wireless LAN; it’s called Transitional Security Network or TSN. It’s important to note, however, that a WLAN on which some devices are still using WEP is not optimally secured.

Tip: Current handheld devices (Pocket PCs and Palms) don’t have enough processing power to support AES, so WPA is the best security choice if you have users who store and transmit sensitive data via handhelds. A WPA/802.1x client for Pocket PC 2002/2003 and Palm is available from Meetinghouse (http://www.mtghouse.com/company/index.shtml).

Tying it All Together

802.11i takes WPA a step further. For one thing, it requires the use of AES. The good news is that AES meets government security criteria and provides stronger encryption than WPA/TKIP. The bad news is that AES has to have its own coprocessor, which means older existing wireless hardware can’t just be upgraded via software as with the transition to WPA; instead, it will have to be replaced. Hardware purchased in late 2003 and 2004 may be upgradeable via software or firmware to support 802.11i. Now that the specification has been ratified, new equipment that supports AES out of the box should soon become available. In addition, 802.11i will encrypt the whole data frame with AES. In WEP and WPA, the RC4 cipher encrypts the data payload only.

The Wi-Fi Alliance refers to the new 802.11i standard as WPA2. Despite the potential costs of implementing it, the new wireless security standard is welcomed by most in the industry as the next, and necessary, step in protecting data that is transmitted over the airwaves. However, those with a large investment in existing hardware that isn’t compliant with AES/802.11i might find it more cost effective to implement WPA at present and transition to 802.11i more slowly.
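Two points in the article are easy to see in numbers: what PSK mode does with the password you type into the WAP and clients (and why the 20-character tip matters), and what TKIP's 48-bit IV buys over WEP's 24-bit IV. The following is an added example, not code from the article; the PBKDF2 parameters (HMAC-SHA1, the SSID as salt, 4096 iterations, 32-byte output) are those the WPA/802.11i specification defines for PSK mode, while the frame rates and sample passphrases are assumed.

```python
"""Added example (not from the article): WPA-PSK master key derivation and IV space sizes.
PBKDF2 parameters are from the 802.11i PSK definition; frame rates below are assumed."""
import hashlib
import math

PSK_ITERATIONS = 4096   # fixed by the 802.11i PSK derivation
PSK_LENGTH = 32         # 256-bit pairwise master key

def wpa_psk(passphrase, ssid):
    """Derive the 256-bit PMK that a WPA-PSK access point and client both compute from
    the passphrase. The SSID is the salt, so the same passphrase on two differently
    named networks yields two different keys."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PSK_ITERATIONS, PSK_LENGTH)

def iv_space(bits):
    """Number of distinct initialization vectors available with an IV of the given width."""
    return 1 << bits

def hours_until_iv_reuse(bits, frames_per_second):
    """Hours a single key can be used before the IV counter wraps and a key stream must
    be reused, at a sustained frame rate (assumed rate, constructed for illustration)."""
    return iv_space(bits) / frames_per_second / 3600.0

def passphrase_keyspace_bits(alphabet_size, length):
    """Entropy in bits of a passphrase drawn uniformly from an alphabet of the given size;
    this is what an offline guess at the PMK has to cover, and why length matters."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    # "password"/"IEEE" is the published 802.11i PSK test vector.
    print("PMK for 'password'/'IEEE':", wpa_psk("password", "IEEE").hex())
    print("same passphrase, SSID CORP-WLAN:", wpa_psk("password", "CORP-WLAN").hex())
    for bits in (24, 48):
        print("%d-bit IV: %.1f hours at 1000 frames/s before IV reuse"
              % (bits, hours_until_iv_reuse(bits, 1000)))
    print("8 lowercase letters: %.1f bits" % passphrase_keyspace_bits(26, 8))
    print("20 mixed-case alphanumerics: %.1f bits" % passphrase_keyspace_bits(62, 20))
```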

Wireless LAN security glossary

(1) WEP weak = static key + short IV (24 bit, reused) + weak RC4 implementation.

(2) WPA = TKIP + 802.1x (EAP) + MIC

(3) WPA = subset of 802.11i (which adds AES encryption).

(4) 802.1X is based on EAP, which encompasses many types, such as TLS, LEAP, SecurID, MD5, PEAP, SIM and TTLS. It provides mutual authentication and key management. It is an authentication framework that requires three entities: the wireless client, the AP and a RADIUS server.

(7) Cisco Wireless Security Suite = 802.1X + LEAP + TKIP
i.e.

(i) 802.1X = mutual authentication + key management, but does not specify any authentication algorithm.

(ii) LEAP = user-based authentication + dynamic WEP keys

(iii) TKIP = MIC + per-packet keying + dynamic key rotation for broadcast and multicast.
MIC = frame authenticity.
Per-packet keying = each frame is encrypted with a unique WEP key.
RC4 stream cipher, dynamic key encryption, 48-bit IV. A different key is used to encrypt each wireless packet.

Wireless LAN security glossary

802.1X IEEE 802.11 standard for authentication, which supports multiple authentication modes, including RADIUS, that can be used in wireless and wireline networks.

802.11i IEEE standards group effort that involves “fixing” perceived weakness in 802.1X and WEP (see below).

LEAP Lightweight Extensible Authentication Protocol, which includes Cisco’s proprietary extensions to 802.1X to share authentication data between Cisco Aironet wireless LAN access points and the Cisco Secure Access Control Server.

PEAP Protected Extensible Authentication Protocol, which was developed by Microsoft, Cisco and RSA Security, is now an IETF draft standard. PEAP encrypts authentication data using a tunneling method.

TKIP Temporal Key Integrity Protocol, which was developed by the IEEE 802.11i standards committee as a WEP improvement.

TTLS Tunneled Transport Layer Security, which was developed by Funk Software and Certicom, now is an IETF draft standard. It is an alternative to PEAP.

WEP Wired Equivalent Privacy, a wireless encryption standard, which was developed by the IEEE 802.11 standards committee.