Members-only Printer-friendly version

Wireless Technologies

Wireless networking is becoming more popular every day. This rather new technology requires new security measures. In wired networks an attacker needs to be physically connected, for example, directly to a hub/switch, or thru remote access, to be able to try and gain access to network resources or intercept network traffic. In a wireless network anyone with a notebook and a wireless network card can intercept traffic using publicly available tools, given they are in range of a wireless access point. Before discussing the primary vulnerabilities in wireless networking technologies, we'll first go through the popular wireless networking standards and technologies.


802.11

The IEEE 802.11 standard defines the MAC and Physical layer specifications for Wireless LANs. The 802.11 standard was completed in 1997, but went through several changes until it was finalized in 1999. All 802.11 wireless devices today are based on the 1999 standard. The MAC layer specifications are concerned with how the network devices access the media, in this case a frequency in the RF spectrum. The Physical layer specifications in 802.11 define standards for three different radio technologies: DSSS, FHSS, and IR (InfraRed). The data rates supported by the 802.11 standard are 1 and 2 Mbps. 802.11 uses the 2.4 GHz frequency band.

Two years later, the IEEE approved two new standards, based on the 802.11 equipment, but with additions to the physical layer specifications. These are the 802.11a and 802.11b standards.

802.11b

The first wireless networking products that became widely available are based on the extended IEEE 802.11b standard. Because of the availability and affordability of 802.11b equipment has become popular particularly in SOHOs. According to the standard, 802.11b provides data rates of 5.5 and 11Mbps, and is backwards compatible with the 1 and 2 Mbps data rates of 802.11. An organization called Wireless Ethernet Compatibility Alliance (WECA) is concerned with the compatibility of 802.11b equipment from different manufacturers. When products based upon the 802.11b standard pass the compatibility tests performed by WECA, they will be given the Wi-Fi (Wireless Fidelity) logo. 802.11b uses the 2.4 GHz frequency band.

802.11a

It took several years before a wide range of products based upon the 802.11a standard became available. When they finally did in 2002, more companies became interested in wireless networking. The primary reason for this, is that the 802.11a standard increases the maximum data throughput to 54 Mbps. However, 802.11a is not compatible with 802.11, 802.11b, or 802.11g because it uses the 5 GHz frequency band. 802.11a also uses a different modulation scheme (OFDM) than 802.11 and 802.11b.

802.11g

The 802.11g standard also allows data transfer rates up to 54 Mbps, but is backward-compatible with with both 802.11 and 802.11b, supporting both their data rates (1, 2, 5.5, and 11) and modulation scheme (QPSK). 802.11g also supports the modulation scheme used by 802.11a (OFDM), but is not compatible with 802.11a because 802.11g uses the 2.4 GHz frequency band.

802.11x

The term 802.11x is sometimes used to refer to the entire group of 802.11 WLAN standards of which some are still under development. It includes the standards outlined above, as several others addressing the need for speed, region specific regulations, and security. Check out the 802.11 Alphabet Soup for more details. Do not confuse 802.11x with 802.1x, which will be discussed in other TechNotes. The latter is an authentication protocol that provides authenticated access to 802.11 wireless networks and to wired Ethernet networks. 802.1x minimizes wireless network security risks and uses standard security protocols, such as RADIUS.


802.11 Security

The following tasks are examples of minimal security measures that should be taken in most 802.11 based wireless networks:

• Change the default SSID in access points to something that does not reflect anything obvious such as the organization’s, building's or street's name.
• Disable sending the SSID in the AP's broadcast beacon. This prevents showing the SSID to unauthorized wireless clients.
• Configure strong administrative passwords, and if possible, turn off remote administration features.
• Locate the AP in an area where the signal will not be picked by unauthorized clients. If possible, limit the AP's service area by reducing its power.
• Reserving MAC addresses (in DHCP or an AP) to require a valid MAC address for clients is not a secure solution on itself because MAC addresses can be spoofed easily and are send in clear-text even when WEP encryption is enabled.
• Consider disabling the AP's DCHP feature and assign static IP addresses to all wireless clients.
• Implement a firewall and intrusion detection system between the wireless and wired networks.
• Enable WEP (Wired Equivalent Privacy). Although it doesn't provide very strong security, it should be enabled nevertheless. Use 128-bit WEP encryption keys and rotate the keys often. Don't rely on WEP as your only means of encryption.
• Use VPN technology, such as IPSec or L2TP. Note: the use of a VPN will greatly decrease the throughput of a wireless network.
• If available, use WPA (Wireless Protected Access) with TKIP in place of WEP.
• When possible, use the 802.1X port-based authentication protocol in combination with EAP (Extended Authentication Protocol) to negotiate an authentication method, such as username and password logon or the use of smartcards, and for example, a RADIUS server.

WEP (Wired Equivalent Privacy)

The WEP protocol is part of the 802.11 standard and is developed to increase wireless LAN security. As its name implies, WEP is an effort to provide privacy in wireless networks similar to privacy in wired networks. As mentioned at the beginning of this TechNote, intercepting traffic (eavesdropping) on a wireless network is very easy, hence it is essential that the traffic is encrypted.

When a station powers up, and attempts to establish a wireless connection, it will first be associated with an access point. When the station is associated, it will attempt to authenticate itself to the access point. The IEEE 802.11 standard provide the following two types of authentication:

• Open System Authentication -The client broadcasts its MAC address to identify itself, an AP replies with an authentication verification frame. Although its name implies differently, no actual authentication occurs when Open System Authentication is used.
• Shared Key Authentication - The client will be authenticated only if it is configured with a preshared key. This means that the same key must be configured on both the client station and the AP. The AP sends a challenge text to the client requesting authentication, which is encrypted using WEP and the shared key at the client and send back to the AP where it is decrypted again to see if it matches the original challenge.

The key used for authentication, can also be used for data encryption using WEP. Although this produces a significant amount of overhead, which can be disastrous on low-speed wireless networks such as 802.11b, it should be enabled nevertheless. When WEP data encryption is enabled, secret shared encryption keys are generated based on the the used by the source station and the destination station to alter frame bits" frames send between two wireless stations/APs.

WEP uses an RC4 cipher and a 64 or 128-bits WEP key to encrypt the data payload of frames. This WEP key is a combination of a 24-bit initialization vector (IV) and a 40 or 104-bits secret key. The secret is the key typically configured manually in wireless network cards and access points. One of the main reasons WEP offers rather weak protection is that the IV is also exchanged in clear-text. Another issue with WEP encryption is that the 802.11 standard does not provide dynamic key management and key renewal. This means that stations and access points must be manually configured with a static secret key, which can be a tedious job in large environments. Some manufacturers of wireless networking products do include support for centralized key management, either per session or per packet. Especially the latter produces a lot of overhead.

The IEEE 802.11i workgroup is working on a new version of the current WEP security standard that will bring greater security to wireless networks through improved encryption, key distribution, authentication, and a range of other features appropriate to wireless networks. WEP2 includes support for the use of 802.1X authentication protocol, an improved key distribution system and stronger encryption by using AES (Advanced Encryption Standard) instead of RC4.

WAP (Wireless Application Protocol)

WAP is a protocol developed for use with wireless devices such as mobile phones and PDAs. These devices have a so called microbrowser allowing them to display WML (Wireless Markup Language) pages. WML is similar to, but more limited than HTML.

The following diagram shows the WAP programming model:


A client does not communicate with a content server directly. Instead, it connects to a WAP gateway that is responsible for encoding and decoding requests from the client and responses from the server. The gateway is also responsible for WML Script compiling (a JAVA-like language) and end-user authentication. The gateway server is typically located at the operator providing the mobile connection services.

Similar to the TCP/IP stack, WAP is a suite of protocols providing different functions on separate layers. The most important protocol for CompTIA's Security+ exam is the Wireless Transport Layer Security protocols, which resides at the Security layer of the WAP protocol stack.


WTLS (Wireless Transport Layer Security)

The WTLS protocol provides privacy, data integrity and authentication security services between a mobile device and a WAP gateway. It is used for establishing an encrypted connection preventing data from being tampered with or forged without the two parties becoming aware of it. It is also used for providing authentication services by using digital certificates. WTLS is based upon the Transport Layer Security (TLS) protocol, which is in turn derived from the Secure Sockets Layer (SSL) protocol. WTLS is optimized for use with narrow-band low speed connections and low memory devices. It also supports dynamic key refreshing ensuring the session key used to encrypt the data is updated frequently.

WTLS secures the connection between the client and the gateway. The gateway decrypts the data and encrypts the data again using SSL/TLS to connect to the content server, as depicted in the following diagram:


The most vulnerable part of this system is the WAP gateway performing the translation between WTLS and SSL traffic. For a few milliseconds the information resides in clear-text in the server's memory, this is often referred to as the WAP gap. Because of this vulnerability, it is imperative that additional layers of security are implemented to protect the WAP gateway from being compromised. Examples are hardening of the gateway server's OS, firewall protection, and disabling remote administration functions. It is also important that the translation process occurs as quickly as possible, reducing the period of time the data is in its decrypted form.

The latest version of the WAP specification, version 2.0, does not require a WAP gateway, because the client can connect directly to the application server using HTTP. Nevertheless, WAP gateways are still commonly used for other reasons such as improved performance and backward compatibility.


Site Surveys

A site survey is too often described as an attack where an attacker gathers information about your wireless network, while a site survey will usually be conducted by the people responsible for designing or maintaining the network. A site survey is an analysis of the network and its environment and including the following tasks:

• Measure and establish the coverage of APs to decide the best positions for APs.
• Validate if there should be some sort of external boundary protection in place around the perimeter of the office or building.
• Validate that there are no rogue APs or APs from neighboring offices that might interfere.
• Identify sources of natural and man-made interference that may degrade the performance of a wireless network.

There are several tools that can aid in the process of performing a site survey, some of the most important being RF spectrum and protocol analyzers. The same tools are also used by attackers to gain important information about a target network, such as SSIDs, MAC addresses, protocols being used.

Vulnerabilities

Wireless networks are susceptible to all attacks that wireless network are, including DoS, DDoS, spoofing, Man-in-the-Middle, hijacking, and port scanning. Besides the most common attack on wireless networks, eavesdropping, and the issues with WEP, the following are some other vulnerabilities typical for wireless networks:

Man-in-the-middle attacks - Wireless networks are particularly vulnerable to man-in-the-middle attacks for the same reasons that make eavesdropping so easy. As little as a laptop and two wireless network cards can be used to reroute and capture traffic without a user even knowing it.

War driving - An activity that owes its name to something that hackers used to do frequently in the old days, called war dialing. They would dial random phone numbers to check if there's a modem on the other end. War driving refers to driving around with a powerful antenna on the car, connected to a notebook and use a wireless sniffer, such as NetStumbler, to listen for wireless network traffic.

Jamming - A type of DoS attack whereby a the attacker uses an RF signal generator to cause an unusually high noise level effectively disabling the use of an access point. Bluetooth devices by their nature can effectively jam 802.11 networks.

Related links:
- WAP White Paper
- Security in the WTLS
- 802.11 IEEE Standards
- WI-FIplanet.com
- 802.11 WEP: Concepts and Vulnerability
- NetStumbler

Footnotes:
- Throughout this document I assumed 802.11 based networks are running in infrastructure mode.
- Most of the details in this document are beyond the scope of the Security+ exam. For the exam you will need to focus on the general concept, when to use what, and basic operation.
- As security is one of the most evolving parts of wireless networking, some of the details in this document may become outdated.
- The first revision of the Security+ exam (SY0-101) contains information current as of late 2002. Many of the newer developments in wireless technology described in this TechNote will appear in the next revision of the Security+ exam.