Archive for the ‘Wireless Security’ Category
Sunday, December 6th, 2009
Many people are working to improve the security of the WLAN. The greatest reason is to upgrade the security functionality. To a lesser degree, but equally important, these efforts also promote assurance among the users and managers of wireless devices. Here are three approaches that show promise for the future of the 802.11 WLAN.
nDosa
The future of secure WLAN may rest with products like the nDosa Access Point. nDosa Technologies introduced a secure wireless LAN technology based on its nESA (nDosa Enhanced Security Algorithm) that renders its signal invisible to would-be hackers and unauthorized observers, and hence greatly reduces its vulnerability to hacking and intrusion. It should be noted, however, that although some determined hackers may still be able to observe the RF signal and monitor LAN activity over the air, it would be extremely difficult for them to break into the system (Kim & Shin, 2003). Like other WLAN solutions, it is scalable, upgradeable, flexible and can be customized. nDosa secure WLAN users can access not only nDosa secure WLANs but also the standard WLANs deployed widely in public places or in highly secure areas. When the need arises to enhance the authentication or key management procedure, nDosa secure WLAN technology can be applied without alteration. Encryption algorithms and security solutions in general need to be upgraded continually, as they are at war against hackers. According to the literature, nESA is designed to make upgrades simple and easy.
The combination of the proposed wireless LAN scheme with nDosa’s existing secure wireless LAN technology would render the system not only invisible even in the RF band, but also assures that the system will remain relatively impervious to break-ins even if the signal is detected. Implementation of both security measures would provide the wireless LAN with ironclad security that is necessary and appropriate for defense of government applications and data.
WPA
Wi-Fi Protected Access is a specification of standards-based, interoperable security enhancements that strongly increase the level of data protection and access control for existing and future wireless LAN systems. Designed to run on existing hardware as a software upgrade, Wi-Fi Protected Access is derived from and will be forward compatible with the upcoming IEEE 802.11i standard (http://www.wi-fi.org/OpenSection/pdf/Wi-Fi_Protected_Access_Overview.pdf). WPA is a proactive response by the industry to offer an immediate and strong security solution. An inexpensive software upgrade is now available for installation on enterprise or SOHO WLANs. This solution is compatible across multiple vendors and is configurable with authentication servers or as a stand-alone. WPA is a subset of the 802.11i draft standard and will maintain forward compatibility.
Wi-Fi Protected Access was constructed to provide improved data encryption, which was weak in WEP, and to provide user authentication, which was largely missing in WEP. The improvements are centered on the use of enhanced data encryption through the Temporal Key Integrity Protocol (TKIP). TKIP provides important data encryption enhancements including a per-packet key mixing function, a message integrity check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. Through these enhancements, TKIP addresses all of WEP’s known vulnerabilities.
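The Michael MIC and the re-keying rule that backs it up, as an added example (this is not code from the original post, nor from any product it names). The `michael_mic` function follows the Michael definition in IEEE 802.11i (64-bit key, 0x5a padding, the four-step block function); the MIC input layout, the `MicFailureCounter` model of the "two failures in 60 seconds" countermeasure, and the key, addresses and payload used in the demonstration are our own constructions.

```python
# Added example: Michael, the TKIP message integrity check, implemented from the
# IEEE 802.11i description, plus a minimal model of the MIC-failure countermeasure.
# Key, addresses and payloads below are constructed for the demonstration.
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rol32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _ror32(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK32


def _xswap(x):
    # Swap the two bytes inside each 16-bit half of a 32-bit word.
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _block(l, r):
    # Michael's block function b(l, r): four rotate/XOR/add rounds, all mod 2^32.
    r ^= _rol32(l, 17)
    l = (l + r) & MASK32
    r ^= _xswap(l)
    l = (l + r) & MASK32
    r ^= _rol32(l, 3)
    l = (l + r) & MASK32
    r ^= _ror32(l, 2)
    l = (l + r) & MASK32
    return l, r


def michael_mic(key: bytes, message: bytes) -> bytes:
    """Return the 8-byte Michael MIC of `message` under the 64-bit `key`."""
    if len(key) != 8:
        raise ValueError("Michael uses a 64-bit (8-byte) key")
    l, r = struct.unpack("<II", key)
    # Padding: one 0x5a byte, then 4 to 7 zero bytes so the length is a multiple of 4.
    padded = message + b"\x5a" + b"\x00" * (4 + ((3 - len(message)) % 4))
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = _block(l, r)
    return struct.pack("<II", l, r)


def tkip_mic_input(da: bytes, sa: bytes, priority: int, msdu: bytes) -> bytes:
    # TKIP authenticates DA || SA || Priority || 3 zero bytes || MSDU payload,
    # so the MIC also covers the addresses, not just the data.
    return da + sa + bytes([priority, 0, 0, 0]) + msdu


def verify_mic(key, da, sa, priority, msdu, mic) -> bool:
    """Receiver-side check; constant-time compare of the authenticator."""
    expected = michael_mic(key, tkip_mic_input(da, sa, priority, msdu))
    return hmac.compare_digest(expected, mic)


class MicFailureCounter:
    """Constructed model of the TKIP countermeasure: two MIC failures within
    60 s must trigger a rekey and a 60 s hold-off on TKIP traffic."""

    WINDOW = 60.0  # seconds

    def __init__(self):
        self.last_failure = None

    def record_failure(self, now: float) -> bool:
        """Return True when the countermeasure must fire (then reset)."""
        if self.last_failure is not None and now - self.last_failure < self.WINDOW:
            self.last_failure = None
            return True
        self.last_failure = now
        return False


if __name__ == "__main__":
    key = bytes.fromhex("0001020304050607")          # constructed MIC key
    da = bytes.fromhex("001122334455")                # constructed addresses
    sa = bytes.fromhex("66778899aabb")
    mic = michael_mic(key, tkip_mic_input(da, sa, 0, b"constructed MSDU"))
    print("genuine frame verifies:", verify_mic(key, da, sa, 0, b"constructed MSDU", mic))
    print("modified frame verifies:", verify_mic(key, da, sa, 0, b"constructed MSDV", mic))
```

Michael was chosen because it runs on the same cheap access-point hardware that WEP did, and that constraint is why it is only about a 20-bit-strength authenticator; the MIC-failure counter (rekey after two failures in a minute) is what makes forging it impractical, so a receiver must implement both halves.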
Table: Comparison Chart

| | WEP | WPA | 802.11i | nDOSA |
| --- | --- | --- | --- | --- |
| Cipher | RC4 | RC4 | CTR-CCMP | nESA |
| Key Size | 40 bits | 128 bits encryption, 64 bits authentication | 128 bits | 128 ~ 256 bits |
| Key Life | 24-bit IV | 48-bit IV | 48-bit IV | 48-bit IV |
| Packet Key | Concatenated | Mixing Function | Not Needed | Mixing Function |
| Data Integrity | CRC-32 | Michael | CCM | CRC-32 |
| Header Integrity | None | Michael | CCM | nESA |
| Replay Attack | None | IV Sequence | IV Sequence | Encrypted IV |
| Key Management | None | EAP | EAP | EAP & any other methods |
| Header Encryption | None | None | None | nESA |
| Hidden Mode | None | None | None | Yes |
Enterprise-level user authentication via 802.1X and the Extensible Authentication Protocol (EAP): WEP has almost no user authentication mechanism, whereas Wi-Fi Protected Access implements 802.1X and EAP to strengthen user authentication. Together, these implementations provide a framework for strong user authentication. This framework utilizes a central authentication server, such as RADIUS, to authenticate each user on the network before they join it, and also employs “mutual authentication” so that the wireless user does not accidentally join a rogue network that might steal its network credentials.
Tags: Wireless Security
Posted in Wireless Security | No Comments »
Sunday, December 6th, 2009
Management Countermeasures
Management countermeasures set the stage for all that happens on the WLAN. Based on policy, these countermeasures should work to:
· Identify who may use WLAN technology in a corporation and limit access by function, location, and workgroup or security clearance.
· Identify whether Internet access is required beyond the WLAN network. Some WLAN applications are for intranets only.
· Describe who can install access points and other wireless equipment. With the ease of installation and configurations, it is important to verify proper use of the technology.
· Provide limitations on the location of and physical security for access points to minimize the propagation (distance and availability) of the signal.
· Describe the type of information that may be sent over wireless links to reduce compromises of sensitive data.
· Describe conditions under which wireless devices are allowed.
· Define standard security settings for access points to reduce risks and establish uniform configurations standards.
· Describe limitations on how the wireless device may be used, such as location in and outside the building and near sensitive areas, to gain access to personal or sensitive data.
· Describe the hardware and software configuration of all wireless devices.
· Provide guidelines on reporting losses of wireless devices and security incidents.
· Provide guidelines for the protection of wireless clients to minimize/reduce theft.
· Provide guidelines on the use of encryption and key management systems.
· Define the frequency and scope of security assessments to include access point discovery.
Implementation Countermeasures
Implementation countermeasures are the controls in the process. Controls in WLAN management allow or restrict an activity or event from occurring. Think of all wireless networking as unsecured and publicly available. If possible, move the access point into a DMZ (a protected sub-network on the LAN) where sensitive data are not available to attackers. Implement firewall protection to protect you from attacks and log attack attempts.
· Only use WAPs and NICs that support at least 64-bit (preferably 128-bit) WEP.
· Consider using third-party encryption tools and third-party authentication before you permit communication with your access point.
· Try to physically locate the WAP so that its signal will be harder for a network sniffer to locate. Pay close attention to the orientation of the antenna; avoid locating the WAP near windows, or in a room adjacent to a street or parking lot.
· Do a periodic assessment of wireless networks in and around your workplace/home using a sniffer or employing a consulting service. It is easy for an employee to buy an NIC and a WAP and install them on a workstation. Some operating systems automatically bridge a WAP with the wired network, providing network access (behind the firewall) and proprietary information to anyone with a wireless card. An assessment will determine if security measures are in place, or if there have been any changes to the configuration. An assessment will also show how far wireless signals will travel outside your building.
· Purchase wireless technology that has flash upgradeable firmware. New security enhancements such as Wi-Fi Protected Access (WPA) are being developed, and with an upgradeable product, the likelihood of being able to use this technology is greater. Consider using WPA as it becomes available. WPA will have many new wireless security features, including authentication, key management, Temporal Key Integrity Protocol (TKIP), integrity checking, replay protection, and Advanced Encryption Standard (AES) encryption support.
· Ensure that your computers are running at the most current software patch level. This makes it harder to attack your systems and information if hackers gain access to the wireless network.
· Use an antivirus application with the most current virus and worm signature updates. This will help to prevent an attacker who has gained access to your network from installing a Trojan to gain backdoor access to your computer, and will protect your computer from other malicious code.
· Restrict physical access to the access point; keep it out of sight and in a locked area. By restricting access to the WAP you will help to ensure that unauthorized persons are not able to physically reset, control, or reconfigure the device.
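A periodic assessment of the kind described above boils down to comparing what a sniffer saw against an inventory of authorized access points. The following is an added example (not code from the original post) of that comparison: the scan records, the inventory, the SSID names and the BSSIDs are all constructed for the example, and the `bssid,ssid,channel,security` record format is an assumption standing in for whatever your survey tool exports.

```python
# Added example: reconcile a wireless survey against an inventory of authorized
# access points. All BSSIDs, SSIDs and scan lines below are constructed.
from dataclasses import dataclass

CORPORATE_SSID = "corp-wlan"  # constructed name

# Inventory of authorized APs: BSSID -> expected (ssid, channel, security).
AUTHORIZED = {
    "00:11:22:aa:bb:01": ("corp-wlan", 1, "WPA"),
    "00:11:22:aa:bb:02": ("corp-wlan", 6, "WPA"),
    "00:11:22:aa:bb:03": ("corp-wlan", 11, "WPA"),
}

# Constructed survey output in the assumed format: bssid,ssid,channel,security
SCAN_RESULTS = """\
00:11:22:aa:bb:01,corp-wlan,1,WPA
00:11:22:aa:bb:02,corp-wlan,6,WPA
00:11:22:aa:bb:03,corp-wlan,11,OPEN
de:ad:be:ef:00:01,corp-wlan,6,OPEN
de:ad:be:ef:00:02,linksys,6,WEP
de:ad:be:ef:00:03,,11,WPA
"""


@dataclass(frozen=True)
class Finding:
    bssid: str
    severity: str
    reason: str


def parse_scan(text):
    """Parse 'bssid,ssid,channel,security' lines into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, channel, security = line.split(",")
        records.append((bssid.lower(), ssid, int(channel), security.upper()))
    return records


def assess(records, authorized, corporate_ssid):
    """Classify every AP seen in the survey; returns a list of Findings."""
    findings = []
    for bssid, ssid, channel, security in records:
        if bssid in authorized:
            exp_ssid, exp_channel, exp_security = authorized[bssid]
            if security != exp_security or ssid != exp_ssid:
                # An authorized AP no longer matches its configuration baseline.
                findings.append(Finding(bssid, "high",
                    f"configuration drift: saw {ssid or '<hidden>'}/{security}, "
                    f"expected {exp_ssid}/{exp_security}"))
            elif channel != exp_channel:
                findings.append(Finding(bssid, "low",
                    f"channel changed to {channel} (expected {exp_channel})"))
        elif ssid == corporate_ssid:
            # Our network name from a BSSID we do not own: rogue or impersonating AP.
            findings.append(Finding(bssid, "high",
                "unauthorized AP advertising the corporate SSID"))
        elif security in ("OPEN", "WEP"):
            # Unknown weakly-protected network in range: check it is not an
            # employee-installed AP bridged to the wired LAN behind the firewall.
            findings.append(Finding(bssid, "medium",
                f"unknown {security} network in range; verify it is not bridged to the LAN"))
        else:
            findings.append(Finding(bssid, "info", "unknown network in range (neighbour?)"))
    return findings


def unauthorized_bssids(findings):
    """BSSIDs that need immediate follow-up (severity 'high'), sorted."""
    return sorted({f.bssid for f in findings if f.severity == "high"})


if __name__ == "__main__":
    for f in assess(parse_scan(SCAN_RESULTS), AUTHORIZED, CORPORATE_SSID):
        print(f"[{f.severity:6}] {f.bssid}  {f.reason}")
```

Keeping the inventory as the source of truth is the point: a survey on its own only lists what is in the air, while the diff against the baseline is what turns it into the "security measures in place / configuration changed" answer the assessment is meant to produce.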
Configuration Countermeasures
Configuration countermeasures are the easiest to understand. The countermeasures address the authentication, access control, integrity and confidentiality of the data and hardware on the network. Understanding how to configure the access point is critical to meet the vision stated in your organization’s security policy. Proper configuration will mitigate many threats and go a great distance to limit unforeseen, unanticipated vulnerabilities. A proactive approach is the best way to describe configuration countermeasures. Since instruction manuals come with most technology today, it should be easy to locate the specific settings by reading the manuals. Specific areas of interest include:
1. Enable WEP (Wired Equivalent Privacy). WEP minimizes the risk of radio frequency interception by somebody nearby. WEP is specified for encryption and authentication between clients and APs according to the 802.11 standard. WEP security is based on an encryption algorithm called RC4. Some products allow you to separately set the authentication method to shared key or open system. Use the “shared key” method so that encryption is used to both authenticate your client and encrypt its data. Even though WEP has been broken, it is a cost effective (free) and valuable first layer of security. In my research over the past three years, more than 60% of all access points do not use WEP; while enabling the service may cause an attacker or curious user to move on to an easier target. The encryption algorithm is generated based on a key (a number sequence) entered and controlled by the user. All clients and APs are configured with the same key to encrypt and decrypt transmissions of data. WEP keys are 40 or 128 bits in length and can be configured in three possible modes: no encryption mode, 40-bit or 128-bit encryption.
2. Secure your access point with a password. Your access point should require a password to access its administrative features: if it does not, replace it with one that does. Use strong passwords to protect against password cracking tools. Make sure the access point is not using the default password. Default passwords are well known and will be one of the first exploits tried by an educated attacker. Many wireless detection devices identify the manufacturer based on the media access control (MAC) address; this information makes it easier to guess what type of WAP is being used, even if the SSID has been changed. Change your password periodically.
3. Change the SSID to a truly unique name that does not identify the owner of the access point. The SSID allows a WLAN to be segmented into multiple networks, each with a different identifier. Each of these networks is assigned a unique identifier, which is programmed into one or more APs. To access any of the networks, a client computer must be configured with the corresponding SSID identifier for that network. Thus, SSID acts as a simple password, providing a measure of security. A weakness is created when the SSID is widely known or shared, and it is easily obtained by freeware loaded onto a wireless network client.
4. Disable “broadcast SSID” if this feature is supported by the equipment vendor. Most access points broadcast SSID by default. This will accept any SSID. By disabling broadcast SSID, the SSID configured in the client must match the SSID of the access point.
5. Turn off dynamic host configuration protocol (DHCP) and assign a static IP address to wireless devices. This will keep your WAP from issuing an IP address to any computer that tries to connect with it. Also consider changing the IP subnet to a non-default address. Many access points default to the 192.168.1.0 network, and use 192.168.1.1 as the default router. Changing these defaults provides additional layers of security.
6. Filter devices based on the MAC address. Filtering increases security by configuring an access point with a list of MAC addresses associated with the client computers that are allowed access to the access point. If a client’s MAC address is not on the list, the access point will deny access. This method provides good security but is only suited to small networks. The labor-intensive work of entering MAC addresses and maintaining up-to-date lists on all of the access point devices obviously limits the scalability of this approach. An access point can be set up to provide encryption-only protection in open-system mode, or to add authentication in shared-key mode. MAC address filtering is often used together with this encryption. WEP security is best suited for small networks, as there is no key management protocol. As a result, keys must be manually entered into every client. This can be a huge management task, especially as keys should be changed regularly to provide a higher level of security.
7. Lengthen the beacon interval of your access point. Beacon frames announce the existence of your wireless network to all. These beacons are transmitted from access points at regular intervals and allow a client station to identify and match configuration parameters in order to join a wireless network. The interval length may be set to its highest value, resulting in an approximate 67-second interval.
As a more secure model, some vendors have developed VPN solutions that create a secure tunnel for your wireless traffic. An evolution of wireless security products now includes the means to authenticate all wireless users before they can gain access to network resources, encrypt data prior to them passing through the air using the advanced encryption standard and controlling user access to network segments through the use of policy servers.
Tags: Wireless Security
Posted in Wireless Security | No Comments »
Sunday, December 6th, 2009
All the vulnerabilities that exist in a conventional wired LAN apply to wireless technologies (Karygiannis & Owens, 2002). Managers must prepare to remedy the WLAN vulnerabilities — weaknesses in the configuration, implementation, design or management of a network or system — with greater vigilance. Wireless networks present unique challenges when trying to mitigate threats — anything that can disrupt the proper functioning of a network or system. Wireless devices bring more problems to the table because of their mobile nature. They move from network to network, gaining connection to the Internet and returning to the corporate WLAN with the possibility of carrying all sorts of malicious code. In a sense, mobile users should be thought of as “malicious code carriers” and immediately quarantined in the demilitarized zone until they receive proper scanning to remove all known malware (malicious software). Users can inadvertently carry malware and infect the corporate LAN if they have not taken the proper precautions.
The NIST Special Publication 800-48 identifies some of the most prevalent threats and vulnerabilities to wireless devices. They are organized to illustrate which information assurance principle is violated when not properly mitigated.
Confidentiality violations occur if:
· Sensitive information that is not encrypted (or is encrypted with weak cryptographic techniques) and that is transmitted between two wireless devices may be intercepted and disclosed.
· Malicious entities violate the privacy of legitimate users and gain the ability to track their actual movements.
· Handheld devices, which are easily stolen, reveal sensitive information.
Integrity compromises occur if:
· Malicious entities gain unauthorized access to an organization’s computer network through wireless connections, bypassing any firewall protections.
· Malicious entities steal the identity of legitimate users and masquerade on internal or external corporate networks.
· Sensitive data are corrupted during improper synchronization.
· Data are extracted without detection from improperly configured devices.
· Viruses or other malicious code corrupt data on a wireless device and are introduced to a wired network connection.
Availability is reduced if:
· Denials of service (DoS) attacks are directed at wireless connections or devices.
· Malicious entities, through wireless connections, connect to other organizations for the purposes of launching attacks and concealing their activity.
· Interlopers, from inside or out, are able to gain connectivity to network management controls and thereby disable or disrupt operations (NIST Special Publication 800-48).
As WLANs become widespread, businesses need a more robust security solution. Recent demonstrations of the vulnerability of Wired Equivalent Privacy (WEP) encryption make it clear that WEP protection alone is inadequate. The security features in WEP do not offer a high level of assurance. Fluhrer, Mantin and Shamir (2001) describe a passive ciphertext-only attack on the RC4 stream cipher used in WEP. The authors stated, “Note that we have not attempted to attack an actual WEP connection, and hence do not claim that WEP is actually vulnerable to this attack.” Later, Stubblefield, Ioannidis and Rubin (2001) successfully implemented the attack, proving the complete vulnerability of WEP.
There is no need to fret about the design flaws identified in WEP. As a security service, WEP does what it was designed to do. As the name states, you get a level of privacy and security equivalent to that of wired LAN users. There were no guarantees and at the time the standard was published there may not have been anyone demanding guaranteed security features. For the WLAN, IEEE defined WEP to perform the following three functions:
· Authentication: A primary goal of WEP was to provide a security service to verify the identity of communicating client stations. This provides access control to the network by denying access to client stations that cannot authenticate properly. This service addresses the question, “Are only authorized persons allowed to gain access to my network?”
· Confidentiality: Confidentiality, or privacy, was a second goal of WEP. It was developed to provide “privacy achieved by a wired network”. The intent was to prevent information compromise from casual eavesdropping (passive attack). This service, in general, addresses the question, “Are only authorized persons allowed to view my data?”
· Integrity: Another goal of WEP was a security service developed to ensure that messages are not modified in transit between the wireless clients and the access point in an active attack. This service addresses the question, “Is the data coming into or exiting the network trustworthy — has it been tampered with?” (Karygiannis & Owens, 2002).
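To make the confidentiality and integrity functions above concrete, here is an added example (not code from the original post) of WEP's framing as the 802.11 standard defines it: a 24-bit IV concatenated with the shared key seeds RC4, and a CRC-32 integrity check value (ICV) is appended to the payload before encryption. The key, IVs and payloads are constructed; `iv_reuse_count` is our own small audit helper for the "Key Life" limitation of the 24-bit IV.

```python
# Added example: WEP encapsulation/decapsulation (RC4 + CRC-32 ICV) as
# specified in IEEE 802.11, plus an IV-reuse audit helper. Key, IVs and
# payloads below are constructed for the demonstration.
import struct
import zlib

IV_SPACE = 2 ** 24  # a 24-bit IV yields only 16,777,216 keystreams per key


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _icv(payload: bytes) -> bytes:
    # WEP's integrity check value: CRC-32 of the plaintext, little-endian.
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encapsulate(key: bytes, iv: bytes, key_id: int, payload: bytes) -> bytes:
    """Return IV || KeyID byte || RC4(IV || key) XOR (payload || ICV)."""
    if len(key) not in (5, 13):
        # The marketed "64-bit"/"128-bit" WEP sizes are 40/104-bit keys plus the 24-bit IV.
        raise ValueError("WEP key must be 5 or 13 bytes")
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    body = payload + _icv(payload)
    keystream = rc4_keystream(iv + key, len(body))
    return iv + bytes([(key_id & 0x03) << 6]) + _xor(body, keystream)


def wep_decapsulate(key: bytes, frame: bytes):
    """Decrypt and verify the ICV; return the payload, or None if the ICV fails."""
    if len(frame) < 8:
        return None
    iv, body = frame[:3], frame[4:]
    plain = _xor(body, rc4_keystream(iv + key, len(body)))
    payload, icv = plain[:-4], plain[-4:]
    if icv != _icv(payload):
        return None  # integrity function: reject a modified frame
    return payload


def iv_reuse_count(frames) -> int:
    """Audit helper: number of frames whose IV repeats an earlier one.

    Under one key, a repeated IV means a repeated RC4 keystream, which is why
    the 24-bit IV is listed as WEP's "Key Life" limit and why TKIP moved to a
    48-bit IV with sequencing rules."""
    seen = set()
    reused = 0
    for frame in frames:
        iv = frame[:3]
        if iv in seen:
            reused += 1
        seen.add(iv)
    return reused


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")  # constructed 40-bit key
    frame = wep_encapsulate(key, b"\x00\x00\x01", 0, b"constructed payload")
    print("round trip:", wep_decapsulate(key, frame))
    damaged = bytearray(frame)
    damaged[4] ^= 0x01
    print("modified frame accepted:", wep_decapsulate(key, bytes(damaged)) is not None)
```

Two things follow from the code that the three bullet points alone do not make visible: the ICV is a CRC, not a keyed MAC, so it is an integrity check against accidental change rather than a cryptographic one, and the IV travels in the clear with every frame, so an auditor can count IV reuse directly from captured headers without knowing the key.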
Most of the complaints about WLAN security can be attributed to flaws in the design of the technology or specification. Weaknesses in the design are difficult to fix once the product is purchased. All technologies are susceptible to design flaws. To overcome the design weaknesses, WLAN managers should take extra care to properly configure, implement and manage the network. It is impossible to completely identify all possible vulnerabilities when a product is purchased and before it is added to the network. However, once purchased there is unlimited time to ‘tweak’ the configuration or implementation with strong management practices.
The best countermeasures involve management, implementation and configuration (MIC) activities to mitigate vulnerabilities in the WLAN. Management countermeasures should be applied based on a well-crafted security policy. The policy should be based on management’s vision and give a framework for managing the WLAN. Managers then execute the vision by the way they implement controls and configure settings on the network.
Tags: Wireless Security
Posted in Wireless Security | No Comments »