Wireless security
Encyclopedia
Wireless security is the prevention of unauthorized access or damage to computers using wireless
networks.
Many laptop computers have wireless cards pre-installed. The ability to enter a network while mobile has great benefits. However, wireless networking is prone to some security issues. Crackers have found wireless networks relatively easy to break into, and even use wireless technology to crack into wired networks. As a result, it is very important that enterprises define effective wireless security policies that guard against unauthorized access to important resources. Wireless Intrusion Prevention Systems (WIPS) or Wireless Intrusion Detection Systems (WIDS) are commonly used to enforce wireless security policies.
The risks to users of wireless technology have increased as the service has become more popular. There were relatively few dangers when wireless technology was first introduced: crackers had not yet had time to latch on to the new technology, and wireless was not commonly found in the workplace. However, there are a great number of security risks associated with the current wireless protocols and encryption methods, and in the carelessness and ignorance that exists at the user and corporate IT level. Cracking methods have become much more sophisticated and innovative with wireless. Cracking has also become much easier and more accessible, with easy-to-use Windows- or Linux-based tools being made available on the web at no charge.
Some organizations that have no wireless access points installed do not feel that they need to address wireless security concerns. In-Stat MDR and META Group have estimated that 95% of all corporate laptop computers that were planned to be purchased in 2005 were equipped with wireless. Issues can arise in a supposedly non-wireless organization when a wireless laptop is plugged into the corporate network. A cracker could sit out in the parking lot and gather information from it through laptops and/or other devices such as handhelds, or even break in through this wireless card-equipped laptop and gain access to the wired network.
Wireless networks in general, and WLANs in particular, involve the need for security. Many early access points could not discern whether or not a particular user had authorization to access the network. Although this problem reflects issues that have long troubled many types of wired networks (it has been possible in the past for individuals to plug computers into randomly available Ethernet jacks and get access to a local network), this did not usually pose a significant problem, since many organizations had reasonably good physical security. However, the fact that radio signals bleed outside of buildings and across property lines makes physical security largely irrelevant to piggybackers.
Anyone within the geographical network range of an open, unencrypted wireless network can 'sniff' (capture or record) the traffic, gain unauthorized access to internal network resources as well as to the internet, and then possibly send spam or do other illegal actions using the wireless network's IP address, all of which are rare for home routers but may be significant concerns for office networks.
If router security is not activated, or if the owner deactivates it for convenience, it creates a free hotspot. Since most 21st century laptop PCs have wireless networking built in (cf. Intel 'Centrino' technology), they don't need a third-party adapter such as a PCMCIA Card or USB dongle. Built-in wireless networking might be enabled by default, without the owner realizing it, thus broadcasting the laptop's accessibility to any computer nearby.
Modern operating systems such as Linux, Mac OS, or Microsoft Windows make it fairly easy to set up a PC as a wireless LAN 'base station' using Internet Connection Sharing, thus allowing all the PCs in the home to access the Internet via the 'base' PC. However, lack of knowledge about the security issues in setting up such systems often means that someone nearby may also use the connection. Such "piggybacking" is usually achieved without the wireless network operator's knowledge; it may even be without the knowledge of the intruding user if their computer automatically selects a nearby unsecured wireless network to use as an access point.
If an employee (a trusted entity) brings an easily available wireless router into a location, the entire network can be exposed to anyone within range of the signals. If an employee adds a wireless interface to a networked computer via an open USB port, the same risk is spread to the respective network. However, for any of these entities, concepts are available to protect the computer and the network. Such protection must be applied to all levels of communication, to all networked entities, and to all functions used and data processed.
Accidental association is a case of a wireless vulnerability called "mis-association". Mis-association can be accidental, deliberate (for example, done to bypass a corporate firewall), or the result of deliberate attempts on wireless clients to lure them into connecting to an attacker's APs.
Since wireless networks operate at Layer 2, Layer 3 protections such as network authentication and virtual private networks (VPNs) offer no barrier. Wireless 802.1X authentication does help with protection but is still vulnerable to cracking. The idea behind this type of attack may not be to break into a VPN or other security measures; most likely the criminal is just trying to take over the client at Layer 2.
Ad-hoc networks are peer-to-peer networks between wireless computers that do not have an access point between them. While these types of networks usually have little protection, encryption methods can be used to provide security.
The security hole provided by ad-hoc networking is not the ad-hoc network itself but the bridge it provides into other networks, usually in the corporate environment, and the unfortunate default setting in most versions of Microsoft Windows to have this feature turned on unless explicitly disabled. Thus the user may not even know they have an unsecured ad-hoc network in operation on their computer. If they are also using a wired or wireless infrastructure network at the same time, they are providing a bridge to the secured organizational network through the unsecured ad-hoc connection. Bridging comes in two forms: a direct bridge, which requires the user to actually configure a bridge between the two connections and is thus unlikely to be initiated unless explicitly desired, and an indirect bridge, which is the shared resources on the user's computer. The indirect bridge presents two security hazards. The first is that critical organizational data obtained via the secured network may be on the user's end-node computer drive and thus exposed to discovery via the unsecured ad-hoc network. The second is that a computer virus or other undesirable code may be placed on the user's computer via the unsecured ad-hoc connection and thus has a route to the secured organizational network. In this case, the person placing the malicious code need not "crack" the passwords to the organizational network; the legitimate user has provided access via a normal and routine log-in. The malefactor simply needs to place the malicious code on the unsuspecting user's end-node system via the open (unsecured) ad-hoc network.
Non-traditional network devices are not safe from cracking and should be regarded as a security risk. Even barcode readers, handheld PDAs, and wireless printers and copiers should be secured. These non-traditional networks can be easily overlooked by IT personnel who have narrowly focused on laptops and access points.
MAC spoofing (identity theft) occurs when a cracker is able to listen in on network traffic and identify the MAC address of a computer with network privileges. Most wireless systems allow some kind of MAC filtering to only allow authorized computers with specific MAC IDs to gain access and utilize the network. However, a number of programs exist that have network "sniffing" capabilities. Combine these programs with other software that allows a computer to pretend it has any MAC address that the cracker desires, and the cracker can easily get around that hurdle.
MAC filtering is only effective for small residential (SOHO) networks, since it only provides protection when the wireless device is "off the air". Any 802.11 device "on the air" freely transmits its unencrypted MAC address in its 802.11 headers, and it requires no special equipment or software to detect it. Anyone with an 802.11 receiver (a laptop and wireless adapter) and a freeware wireless packet analyzer can obtain the MAC address of any transmitting 802.11 device within range. In an organizational environment, where most wireless devices are "on the air" throughout the active working shift, MAC filtering only provides a false sense of security, since it only prevents "casual" or unintended connections to the organizational infrastructure and does nothing to prevent a directed attack.
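To make the point about cleartext headers concrete, here is an added example (not code from the article) that decodes the fixed part of an 802.11 MAC header from two constructed data frames, one with the Protected bit set as it would be under WEP or WPA. The addresses, the frame bytes and the allowlist are invented for the example; the field layout follows the 802.11 header (2-byte frame control, 2-byte duration, three 6-byte addresses, 2-byte sequence control). The last function is the entire check a MAC-filtering access point performs.

```python
import struct

# Constructed sample frames (not captured traffic); the MACs are locally
# administered addresses chosen for the example.
# Frame control byte 0 = 0x08: protocol version 0, type 2 (data), subtype 0.
# Frame control byte 1 = 0x01: To-DS (station -> AP); 0x41 additionally sets
# the Protected bit, i.e. the payload is WEP/WPA encrypted.
_ADDRS = bytes.fromhex("020000aabb01" "020000ccdd02" "020000eeff03")
PLAIN_DATA_FRAME = bytes([0x08, 0x01, 0x2C, 0x00]) + _ADDRS + b"\x10\x00" + b"\x00" * 8
PROTECTED_DATA_FRAME = bytes([0x08, 0x41, 0x2C, 0x00]) + _ADDRS + b"\x10\x00" + b"\x00" * 8


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211_header(frame):
    """Decode the fixed part of an 802.11 data/management MAC header.

    Returns frame type, DS bits, Protected flag and the three address fields.
    No key is needed: the header is never encrypted, which is why a passive
    receiver in range can always read the addresses.
    """
    if len(frame) < 24:
        raise ValueError("frame shorter than a full 802.11 MAC header")
    fc, duration = struct.unpack_from("<HH", frame, 0)   # little-endian fields
    return {
        "type": (fc >> 2) & 0x3,          # 0 management, 1 control, 2 data
        "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(fc & 0x0100),
        "from_ds": bool(fc & 0x0200),
        "protected": bool(fc & 0x4000),   # payload encrypted (WEP/TKIP/CCMP)
        "duration": duration,
        "addr1": _mac(frame[4:10]),
        "addr2": _mac(frame[10:16]),
        "addr3": _mac(frame[16:22]),
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,
    }


def transmitter_mac(frame):
    """Address 2 is the transmitting station for data frames; it is the field
    a MAC filter on the AP compares against its allowlist."""
    return parse_80211_header(frame)["addr2"]


def mac_filter_allows(frame, allowlist):
    """The whole check a MAC-filtering AP performs: a string comparison on a
    cleartext, unauthenticated header field. Every receiver in range sees the
    same value, so the allowlist is not a secret and adds no confidentiality."""
    return transmitter_mac(frame) in {m.lower() for m in allowlist}
```

Run `parse_80211_header(PROTECTED_DATA_FRAME)` and note that the addresses decode identically whether or not the Protected bit is set; encryption in WEP, TKIP or CCMP starts after the header, so a WIDS can read station addresses from any frame, and so can anyone else.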
In a man-in-the-middle attack, the attacker entices computers to log into a computer which is set up as a soft AP (access point). Once this is done, the hacker connects to a real access point through another wireless card, offering a steady flow of traffic through the transparent hacking computer to the real network. The hacker can then sniff the traffic.
One type of man-in-the-middle attack relies on security faults in challenge and handshake protocols to execute a “de-authentication attack”. This attack forces AP-connected computers to drop their connections and reconnect with the cracker’s soft AP.
Man-in-the-middle attacks are enhanced by software such as LANjack and AirJack, which automate multiple steps of the process. What once required some skill can now be done by script kiddies. Hotspots are particularly vulnerable to any attack since there is little to no security on these networks.
A denial-of-service attack (DoS) occurs when an attacker continually bombards a targeted AP (access point) or network with bogus requests, premature successful connection messages, failure messages, and/or other commands. These cause legitimate users to be unable to get on the network and may even cause the network to crash. These attacks rely on the abuse of protocols such as the Extensible Authentication Protocol (EAP).
The DoS attack in itself does little to expose organizational data to a malicious attacker, since the interruption of the network prevents the flow of data and actually indirectly protects data by preventing it from being transmitted. The usual reason for performing a DoS attack is to observe the recovery of the wireless network, during which all of the initial handshake codes are re-transmitted by all devices, providing an opportunity for the malicious attacker to record these codes and use various "cracking" tools to analyze security weaknesses and exploit them to gain unauthorized access to the system. This works best on weakly encrypted systems such as WEP, where there are a number of tools available which can launch a dictionary style attack of "possibly accepted" security keys based on the "model" security key captured during the network recovery.
Network injection attacks target broadcast network protocols such as "Spanning Tree" (802.1D), OSPF, RIP, and HSRP. The cracker injects bogus networking re-configuration commands that affect routers, switches, and intelligent hubs. A whole network can be brought down in this manner and require rebooting or even reprogramming of all intelligent networking devices.
A further WEP attack targets the Windows wireless stack, making it possible to obtain the WEP key from a remote client. By sending a flood of encrypted ARP requests, the assailant takes advantage of the shared-key authentication and the message-modification flaws in 802.11 WEP, and uses the ARP responses to obtain the WEP key in less than 6 minutes.
There is no ready-designed system to prevent fraudulent usage of wireless communication or to protect data and functions of wirelessly communicating computers and other entities. However, there is a system for qualifying the measures taken as a whole according to a common understanding of what shall be seen as state of the art. This system of qualifying is an international consensus as specified in ISO/IEC 15408.
A WIPS is typically implemented as an overlay to an existing wireless LAN infrastructure, although it may be deployed standalone to enforce no-wireless policies within an organization. WIPS is considered so important to wireless security that in July 2009, the Payment Card Industry Security Standards Council published wireless guidelines for PCI DSS recommending the use of WIPS to automate wireless scanning and protection for large organizations.
Certain practices may not be possible due to deployment constraints.
AES. Advanced Encryption Standard (AES) uses a symmetric block data encryption technique and is part of WPA2.
EAP. Extensible Authentication Protocol (EAP) is an 802.1X standard that allows developers to pass authentication data between RADIUS servers and wireless access points. EAP has a number of variants, including: EAP MD5, EAP-TLS, EAP-TTLS, LEAP, and PEAP.
EAP-TLS. EAP Transport Layer Security (EAP-TLS) was developed under the 802.1X standard by Microsoft to use digital certificates for authentication and is currently the industry standard for 802.11i authentication.
IEEE 802.1X. The IEEE 802.1X governs the EAP encapsulation process that occurs between supplicants (clients), authenticators (wireless access points), and authentication servers (RADIUS).
IEEE 802.11. The IEEE 802.11 standard governs over-the-air network communications and includes several specifications that range from the 802.11g, which provides 20+ Mbps traffic in the 2.4 GHz band, to the 802.11i standard, which governs WPA2 encryption and authentication.
IEEE 802.11i. The IEEE 802.11i amendment to the 802.11 standard specifies security methods (WPA2) that make use of AES block cipher to secure origin authentication processes (EAP) to address previous inadequacies in the wireless security standards and specifications.
MS-CHAP v2. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is a password-based, challenge-response, mutual authentication protocol that uses MD4 and DES encryption. Used with PEAP (PEAP-MS-CHAP v2) to secure wireless communication.
PEAP. Protected Extensible Authentication Protocol (PEAP) is a type of EAP communication that addresses security issues associated with clear text EAP transmissions by creating a secure channel encrypted and protected by TLS.
SSID. Service set identifier (SSID) is the name given to a WLAN and used by the client to identify the correct settings and credentials necessary for access to a WLAN.
TKIP. Temporal Key Integrity Protocol (TKIP) is part of the WPA encryption standard for wireless networks. TKIP is the next generation of WEP, which provides per-packet key mixing to address flaws discovered in the WEP standard.
WEP. The Wired Equivalent Privacy (WEP) is part of the IEEE 802.11 standard and uses 64 or 128 bit RC4 encryption. Serious flaws were found in the WEP standard in 2001, mostly due to the length of the initialization vector of the RC4 stream cipher, which allowed for passive decoding of the RC4 key.
WLAN. Wireless local area network.
WPA. In response to weaknesses found in the WEP standard the Wi-Fi Protected Access (WPA) was introduced in 2003 as an interoperable wireless security specification subset of the IEEE 802.11 standard. This standard provides authentication capabilities and uses TKIP for data encryption.
WPA2. WPA2 was established in September 2004 by the Wi-Fi Alliance and is the certified interoperable version of the full IEEE 802.11i specification ratified in June 2004. Like its predecessor, WPA2 supports IEEE 802.1X/EAP authentication or PSK technology, but includes a new advanced encryption mechanism, the Counter-Mode/CBC-MAC Protocol (CCMP), based on the Advanced Encryption Standard (AES).
One of the simplest techniques is to only allow access from known, approved MAC addresses. However, this approach gives no security against sniffing, and client devices can easily spoof MAC addresses, leading to the need for more advanced security measures. Most wireless access points contain some type of MAC ID filtering that allows the administrator to only permit access to computers whose wireless interfaces have certain MAC IDs. This can be helpful; however, it must be remembered that MAC IDs over a network can be faked. Cracking utilities such as SMAC are widely available, and some computer hardware also gives the option in the BIOS to select any desired MAC ID for its built-in network capability.
Some access points can also support "AP isolation" which isolates all wireless clients and wireless devices on the network from each other. Wireless devices will be able to communicate with the gateway but not with each other in the network.
Disabling the IP address assignment function of the network's DHCP server, with the IP addresses of the various network devices then set by hand, will also make it more difficult for a casual or unsophisticated intruder to log onto the network. This is especially effective if the subnet size is also reduced from the standard default setting to what is absolutely necessary, and if permitted but unused IP addresses are blocked by the access point's firewall. In this case, where no unused IP addresses are available, a new user can log on without detection using TCP/IP only if he or she stages a successful man-in-the-middle attack using appropriate software.
The Wired Equivalent Privacy (WEP) standard was the original encryption standard for wireless. As its name implies, this standard was intended to make wireless networks as secure as wired networks. Unfortunately, this never happened, as flaws were quickly discovered and exploited. There are several open source utilities like aircrack-ng, weplab, WEPCrack, or airsnort that can be used by crackers to break in by examining packets and looking for patterns in the encryption. WEP comes in different key sizes. The common key lengths are currently 128- and 256-bit. The longer the better, as it will increase the difficulty for crackers. However, this type of encryption is now considered outdated and seriously flawed. In 2005 a group from the FBI held a demonstration where they used publicly available tools to break a WEP-encrypted network in three minutes. WEP protection is better than nothing, though generally not as secure as the more sophisticated WPA-PSK encryption. A big problem is that if a cracker can receive packets on a network, it is only a matter of time until the WEP encryption is cracked.
WEP has some serious issues. First, it does not deal with the issue of key management at all. Either the keys have to be manually given to end users, or they have to be distributed by some other authentication method. Since WEP is a shared-key system, the AP uses the same key as all the clients, and the clients also share the same key with each other. A cracker would only have to compromise the key from a single user and would then know the key for all users.
In addition to key management, a paper published in August 2001 describes ways in which WEP can actually be broken ("Weaknesses in the Key Scheduling Algorithm of RC4" by Fluhrer, Mantin and Shamir). This is due to a weakness in RC4 as it is implemented in WEP. If enough traffic can be intercepted, then it can be broken by brute force in a matter of an hour or two. If that weren't bad enough, the time it takes to crack WEP only grows linearly with key length, so a 104-bit key doesn't provide any significant protection over a 40-bit key against a determined hacker. There are several freely available programs that allow for the cracking of WEP. WEP is indeed a broken solution, but it should be used, as it is better than nothing. In addition, higher-layer encryption (SSL, TLS, etc.) should be used when possible.
Today very few access points incorporate Wired Equivalent Privacy (WEP) encryption, and most wireless routers are sold with WEP turned off. Security analysts have criticized WEP's inadequacies, and the U.S. FBI has demonstrated the ability to break WEP protection in only three minutes using tools available to the general public (see aircrack).
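The glossary above blames WEP's failure on the length of the RC4 initialization vector, and the paragraph on Fluhrer, Mantin and Shamir on RC4's key scheduling. The following added example (not from the article, and not a key-recovery tool) shows the first of these two problems in code: a minimal RC4, a WEP-style encryption that prepends a 3-byte IV to the keystream-encrypted payload, a birthday-bound calculation for how soon a 24-bit IV repeats, and the detector a WIDS could run to flag IV reuse. The key, messages and frames are constructed for the example, and the per-frame CRC-32 integrity value that real WEP appends is omitted because it does not affect the keystream-reuse property being shown.

```python
import math


def rc4(key, data):
    """Plain RC4 (key scheduling + keystream generation), as used by WEP
    with key = IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key, iv, plaintext):
    """WEP-style frame body: 3-byte cleartext IV, then RC4(IV||key) applied
    to the payload. The CRC-32 ICV is omitted (this example's simplification)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + shared_key, plaintext)


def wep_decrypt(shared_key, frame):
    return rc4(frame[:3] + shared_key, frame[3:])


def iv_collision_probability(n_frames, iv_bits=24):
    """Birthday bound: probability that at least two of n randomly chosen
    IVs coincide, i.e. two frames are encrypted with identical keystream."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-n_frames * (n_frames - 1) / (2.0 * space))


def find_iv_reuse(frames):
    """Detector a WIDS could run over captured WEP frames: map each IV to the
    indices of the frames that used it and report IVs seen more than once."""
    seen = {}
    for idx, frame in enumerate(frames):
        seen.setdefault(frame[:3], []).append(idx)
    return {iv: idxs for iv, idxs in seen.items() if len(idxs) > 1}


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(frame_a, frame_b):
    """Under a repeated IV the two ciphertexts XOR to the XOR of the two
    plaintexts, with no key involved. That is the damage IV reuse does, and
    why a 24-bit IV space is too small for a busy network."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs; no keystream reuse")
    return xor_bytes(frame_a[3:], frame_b[3:])


# Constructed demo data: a 40-bit key, two 16-byte messages, one reused IV.
DEMO_KEY = bytes.fromhex("0102030405")
DEMO_MSG_A = b"GET /index.html "
DEMO_MSG_B = b"user=alice&pw=.."
DEMO_FRAMES = [
    wep_encrypt(DEMO_KEY, b"\x00\x00\x01", DEMO_MSG_A),
    wep_encrypt(DEMO_KEY, b"\x00\x00\x02", b"ping"),
    wep_encrypt(DEMO_KEY, b"\x00\x00\x01", DEMO_MSG_B),   # IV 000001 reused
]
```

`iv_collision_probability(4096)` is already about 0.39, and at 65,536 frames a repeat is practically certain; an access point pushing a few thousand frames per minute exhausts the safety of a random 24-bit IV within minutes, which is the structural reason the longer WEP key sizes mentioned above do not help.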
The Wi-Fi Protected Access (WPA and WPA2) security protocols were later created to address the problems with WEP. If a weak password, such as a dictionary word or short character string, is used, WPA and WPA2 can be cracked. Using a long enough random password (e.g. 14 random letters) or passphrase (e.g. 5 randomly chosen words) makes pre-shared key WPA virtually uncrackable. The second generation of the WPA security protocol (WPA2) is based on the final IEEE 802.11i amendment to the 802.11 standard and is eligible for FIPS 140-2 compliance. With all those encryption schemes, any client in the network that knows the keys can read all the traffic.
Wi-Fi Protected Access (WPA) is a software/firmware improvement over WEP. All regular WLAN equipment that worked with WEP could simply be upgraded, and no new equipment needed to be bought. WPA is a trimmed-down version of the 802.11i security standard that was developed under IEEE 802.11 to replace WEP. The TKIP encryption algorithm was developed for WPA to provide improvements to WEP that could be fielded as firmware upgrades to existing 802.11 devices. The WPA profile also provides optional support for the AES-CCMP algorithm, which is the preferred algorithm in 802.11i and WPA2.
WPA Enterprise provides RADIUS-based authentication using 802.1X. WPA Personal uses a pre-shared key (PSK) to establish the security using an 8 to 63 character passphrase. The PSK may also be entered as a 64-character hexadecimal string. Weak PSK passphrases can be broken using off-line dictionary attacks by capturing the messages in the four-way exchange when the client reconnects after being deauthenticated. Wireless suites such as aircrack-ng can crack a weak passphrase in less than a minute. Other WEP/WPA crackers are AirSnort and Auditor Security Collection. Still, WPA Personal is secure when used with 'good' passphrases or a full 64-character hexadecimal key.
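The two paragraphs above state the passphrase rules for WPA Personal (8 to 63 characters, or 64 hex digits; 14 random letters or 5 random words being enough) without showing what the access point does with them. The added example below (not code from the article) derives the PSK the way WPA and WPA2 Personal do, with PBKDF2-HMAC-SHA1 over the passphrase salted by the SSID at 4096 iterations, accepts the 64-hex-digit form as a raw key, and applies a defender-side policy check before a new passphrase is accepted. The blocklist, the 7776-entry wordlist size used in the entropy estimate, and the 12-character policy minimum are this example's assumptions, not figures from the article.

```python
import hashlib
import math
import re

HEX_PSK_RE = re.compile(r"[0-9a-fA-F]{64}")


def wpa_psk(passphrase, ssid):
    """WPA/WPA2-Personal PSK derivation: PBKDF2-HMAC-SHA1(passphrase, SSID,
    4096 iterations, 256-bit output). The SSID is the only salt, so the same
    passphrase on two networks with the same name yields the same PSK; that
    is what makes precomputed tables for common SSIDs possible."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def psk_from_config_value(value, ssid):
    """An AP accepts either a passphrase or the raw 256-bit key as 64 hex
    digits; the hex form skips the derivation and has full 256-bit strength."""
    if HEX_PSK_RE.fullmatch(value):
        return bytes.fromhex(value)
    return wpa_psk(value, ssid)


def entropy_random_letters(n_letters, alphabet_size=26):
    """Bits of entropy in n letters drawn uniformly from the alphabet."""
    return n_letters * math.log2(alphabet_size)


def entropy_random_words(n_words, wordlist_size=7776):
    """Bits of entropy in n words drawn uniformly from a wordlist of the given
    size (7776 is this example's assumption, not a figure from the article)."""
    return n_words * math.log2(wordlist_size)


# Constructed blocklist of passphrases a policy should refuse outright.
COMMON_PASSPHRASES = {"password", "12345678", "letmein1", "qwertyui", "admin123"}


def passphrase_problems(passphrase, min_length=12):
    """Policy check to run before accepting a new PSK. Returns a list of
    problems; an empty list means it passed. The 12-character minimum is this
    example's assumption; 8 is the protocol minimum."""
    if HEX_PSK_RE.fullmatch(passphrase):
        return []                             # raw hex key: nothing to derive
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8 to 63 characters")
    elif len(passphrase) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if passphrase.lower() in COMMON_PASSPHRASES:
        problems.append("appears in the common-passphrase list")
    if re.fullmatch(r"[a-z]+", passphrase) and len(passphrase) < 14:
        problems.append("all lowercase letters and fewer than 14 of them")
    if re.fullmatch(r"[0-9]+", passphrase):
        problems.append("digits only")
    return problems
```

`entropy_random_letters(14)` gives about 65.8 bits and `entropy_random_words(5)` about 64.6 bits, which is why the article treats those two recommendations as equivalent: an offline attack on the captured four-way handshake costs one PBKDF2 run of 4096 iterations per guess, so the defence is to make the number of plausible guesses astronomically large rather than to hide the handshake.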
There is information, however, that Erik Tews (the man who created the fragmentation attack against WEP) is going to reveal a way of breaking the WPA TKIP implementation at Tokyo's PacSec security conference in November 2008, cracking the encryption on a packet in 12 to 15 minutes. The announcement of this 'crack' was somewhat overblown by the media because, as of August 2009, the best attack on WPA (the Beck-Tews attack) is only partially successful: it only works on short data packets, it cannot decipher the WPA key, and it requires very specific WPA implementations in order to work.
Additional protections may be added alongside WPA. VPNs (non-continuous secure network connections) may also be set up under the 802.11 standard. VPN implementations include PPTP, L2TP, IPSec and SSH. However, this extra layer of security may also be cracked with tools such as Anger, Deceit and Ettercap for PPTP; and ike-scan, IKEProbe, ipsectrace, and IKEcrack for IPSec connections.
TKIP stands for Temporal Key Integrity Protocol, and the acronym is pronounced "tee-kip". It is part of the IEEE 802.11i standard. TKIP implements per-packet key mixing with a re-keying system and also provides a message integrity check. These avoid the problems of WEP.
The WPA improvement over the IEEE 802.1X standard already improved the authentication and authorization for access to wireless and wired LANs. In addition to this, extra measures such as the Extensible Authentication Protocol (EAP) have brought an even greater amount of security, because EAP uses a central authentication server. Unfortunately, during 2002 a Maryland professor discovered some shortcomings. Over the next few years these shortcomings were addressed with the use of TLS and other enhancements. This new version of EAP is now called Extended EAP and is available in several versions; these include EAP-MD5, PEAPv0, PEAPv1, EAP-MSCHAPv2, LEAP, EAP-FAST, EAP-TLS, EAP-TTLS, MSCHAPv2, EAP-SIM, and others.
EAP versions include LEAP, PEAP and other EAPs.
LEAP
LEAP stands for the Lightweight Extensible Authentication Protocol. This protocol is based on 802.1X and helps minimize the original security flaws by using WEP and a sophisticated key management system. This EAP version is safer than EAP-MD5. It also uses MAC address authentication. LEAP is not safe against crackers: THC-LeapCracker can be used to break Cisco's version of LEAP and be used against computers connected to an access point in the form of a dictionary attack. Anwrap and asleap are other crackers capable of breaking LEAP.
PEAP
PEAP stands for Protected Extensible Authentication Protocol. This protocol allows for a secure transport of data, passwords, and encryption keys without the need for a certificate server. It was developed by Cisco, Microsoft, and RSA Security.
Other EAPs
There are other types of Extensible Authentication Protocol implementations that are based on the EAP framework. The framework that was established supports existing EAP types as well as future authentication methods. EAP-TLS offers very good protection because of its mutual authentication. Both the client and the network are authenticated using certificates and per-session WEP keys. EAP-FAST also offers good protection. EAP-TTLS is another alternative made by Certicom and Funk Software. It is more convenient as one does not need to distribute certificates to users, yet offers slightly less protection than EAP-TLS.
A newer authentication system, IEEE 802.1X, promises to enhance security on both wired and wireless networks. Wireless access points that incorporate technologies like these often also have routers built in, thus becoming wireless gateways.
Layer 2 and layer 3 encryption methods alone are not good enough for protecting valuable data like passwords and personal emails. Those technologies add encryption only to parts of the communication path, still allowing people to spy on the traffic if they have gained access to the wired network somehow. The solution may be encryption and authorization in the application layer, using technologies like SSL, SSH, GnuPG, PGP and similar.
The disadvantage of the end-to-end method is that it may fail to cover all traffic. With encryption at the router level or with a VPN, a single setting encrypts all traffic, even UDP and DNS lookups. With end-to-end encryption, on the other hand, each service to be secured must have its encryption "turned on", and often every connection must also be "turned on" separately. For sending emails, every recipient must support the encryption method and must exchange keys correctly. For the Web, not all web sites offer HTTPS, and even if they do, the browser sends out IP addresses in clear text.
The most prized resource is often access to the Internet. An office LAN owner seeking to restrict such access will face the non-trivial enforcement task of having each user authenticate to the router.
Most of the world has switched their wireless access points from WEP to WPA2, since WEP has proved too insecure to use. It is important to note that there is a possible security flaw in the WPA protocol. It is referred to as Hole196. It is a hole in the protocol that exposes the user to insider attacks.
Smart cards, USB tokens and software tokens work together with server software to generate a new encryption code very frequently. The server is time-synced to the card or token. This is a very secure way to conduct wireless transmissions. Companies in this area make USB tokens, software tokens, and smart cards. They even make hardware versions that double as an employee picture badge.
Currently the safest security measures are the smart cards / USB tokens. However, these are expensive. The next safest methods are WPA2 or WPA with a RADIUS server. Any one of the three will provide a good base foundation for security.
The third item on the list is to educate both employees and contractors on security risks and personal preventive measures. It is also IT's task to keep the company workers' knowledge base up to date on any new dangers that they should be cautious about. If the employees are educated, there will be a much lower chance that anyone will accidentally cause a breach in security by not locking down their laptop or by bringing in a wide-open home access point to extend their mobile range. Employees need to be made aware that company laptop security extends outside of their site walls as well. This includes places such as coffee houses, where workers can be at their most vulnerable.
The last item on the list deals with 24/7 active defense measures to ensure that the company network is secure and compliant. This can take the form of regularly looking at access point, server, and firewall logs to try to detect any unusual activity. For instance, if any large files went through an access point in the early hours of the morning, a serious investigation into the incident would be called for. There are a number of software and hardware devices that can be used to supplement the usual logs and usual other safety measures.
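The paragraph above gives two concrete things to look for in access point logs: unusual activity such as a large transfer in the early hours, and, from the man-in-the-middle and DoS sections earlier, bursts of de-authentication frames that precede a forced reconnection. The added example below (not code from the article) runs both checks over a small log built in code. The log line format, the AP names, the MAC addresses, the 100 MB threshold, the ten-frames-in-two-seconds deauth rule and the 00:00 to 05:59 quiet window are all this example's assumptions; a real WIDS or log pipeline would use its own format and tuned thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a vendor's):
#   <date> <time> <ap-name> <event> key=value ...
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\w+)(.*)$")


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group(4).split())
    return {"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "ap": m.group(2), "event": m.group(3), **fields}


def detect_deauth_floods(events, threshold=10, window=timedelta(seconds=2)):
    """Flag (ap, source) pairs that emitted `threshold` or more deauth frames
    inside any `window`: the forced-disconnect step behind a soft-AP
    man-in-the-middle or a handshake capture. Sliding window per source."""
    per_source = defaultdict(list)
    for e in events:
        if e["event"] == "deauth":
            per_source[(e["ap"], e["src"])].append(e["ts"])
    alerts = []
    for (ap, src), times in per_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"ap": ap, "src": src,
                               "count": end - start + 1, "first": times[start]})
                break
    return alerts


def detect_offhours_transfers(events, min_bytes=100 * 2 ** 20, quiet_hours=range(0, 6)):
    """Flag transfers of at least `min_bytes` through an AP during hours when
    nobody should be working (00:00 to 05:59 by default)."""
    return [e for e in events
            if e["event"] == "xfer" and int(e["bytes"]) >= min_bytes
            and e["ts"].hour in quiet_hours]


def constructed_log():
    """Sample log built in code so the example runs offline: normal daytime
    traffic, one large daytime transfer (benign), one large night transfer,
    and a burst of 15 deauth frames from one source within one second."""
    lines = [
        "2009-08-14 09:15:00 ap1 assoc src=02:00:00:11:22:33",
        "2009-08-14 09:16:10 ap1 xfer src=02:00:00:11:22:33 bytes=2048000",
        "2009-08-14 14:02:51 ap1 xfer src=02:00:00:11:22:33 bytes=900000000",
        "2009-08-14 03:41:09 ap2 xfer src=02:00:00:44:55:66 bytes=734003200",
    ]
    burst_start = datetime(2009, 8, 14, 2, 0, 0)
    for i in range(15):
        ts = burst_start + timedelta(milliseconds=60 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} ap1 deauth "
                     f"src=02:00:00:cc:dd:02 dst=ff:ff:ff:ff:ff:ff")
    return lines


def run_detections(lines):
    """Parse every line once and return both alert lists."""
    events = [parse_line(line) for line in lines]
    return {"deauth_floods": detect_deauth_floods(events),
            "offhours_transfers": detect_offhours_transfers(events)}
```

The deauth source address in such an alert is exactly the kind of cleartext header field discussed under MAC filtering, so it identifies a radio to look for, not necessarily a person; the value of the alert is its timing, which tells the responder which client reconnections to examine next.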
Despite security measures such as encryption, hackers may still be able to crack them. This is done using several techniques and tools. An overview of them can be found in the Network encryption cracking article, to understand what we are dealing with. Understanding the mindset and techniques of the hacker allows one to better protect their system.
For closed networks (like home users and organizations) the most common way is to configure access restrictions in the access points. Those restrictions may include encryption and checks on MAC address. Another option is to disable ESSID broadcasting, making the access point difficult for outsiders to detect. Wireless Intrusion Prevention Systems can be used to provide wireless LAN security in this network model.
For commercial providers, hotspots, and large organizations, the preferred solution is often to have an open and unencrypted, but completely isolated wireless network. The users will at first have no access to the Internet nor to any local network resources. Commercial providers usually forward all web traffic to a captive portal which provides for payment and/or authorization. Another solution is to require the users to connect securely to a privileged network using VPN.
Wireless networks are less secure than wired ones; in many offices intruders can easily visit and hook up their own computer to the wired network without problems, gaining access to the network, and it's also often possible for remote intruders to gain access to the network through backdoors like Back Orifice. One general solution may be end-to-end encryption, with independent authentication on all resources that shouldn't be available to the public.
Security within mobile devices with an 802.1X interface falls under three categories:
Wireless IPS solutions now offer wireless security for mobile devices.
Mobile patient monitoring devices are becoming an integral part of the healthcare industry, and these devices will eventually become the method of choice for accessing and implementing health checks for patients located in remote areas. For these types of patient monitoring systems, security and reliability are critical.
An authentication server such as RADIUS, ADS, NDS, or LDAP needs to be integrated. This server can be a computer on the local network, an access point or router with an integrated authentication server, or a remote server. APs and routers with integrated authentication servers are often very expensive and are chiefly an option for commercial usage such as hotspots. Hosted 802.1X servers reached via the Internet require a monthly fee; running a private server is free but has the disadvantage that one must set it up and the server must run continuously.
To set up a server, server and client software must be installed. The server software required is an enterprise authentication server such as RADIUS, ADS, NDS, or LDAP. The required software can be obtained from various suppliers such as Microsoft, Cisco, Funk Software and Meetinghouse Data, and from some open-source projects. Software includes:
Client software comes built in with Windows XP and may be integrated into other operating systems using any of the following software:
RADIUS (Remote Authentication Dial In User Service) is an authentication, authorization and accounting protocol used for remote network access, and a strong defence against crackers. RADIUS was originally proprietary but was later published as IETF RFC 2138 and RFC 2139 (since superseded by RFC 2865 and RFC 2866). The idea is to have an internal server act as a gatekeeper, verifying identities by means of a username and password chosen in advance by the user. A RADIUS server can also be configured to enforce user policies and restrictions, and to record accounting information such as connection time for billing purposes.
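As an added worked example (not code from the original article), the following Python sketch shows the exchange just described: the access server (NAS) builds an Access-Request with the User-Password hidden as RFC 2138 and RFC 2865 specify, the RADIUS server checks it against its user database and answers with an Access-Accept or Access-Reject, and the NAS only trusts the verdict if the Response Authenticator was computed with the shared secret. The shared secret, user names, passwords and the NAS address 192.0.2.10 are constructed values; the packet layout and the MD5-based password hiding are the real protocol. It also makes the practical consequence visible: the password is obfuscated, not encrypted, so anyone holding the shared secret recovers it.

```python
import hashlib
import os
import struct

# Added example, not the article's code: a minimal RADIUS Access-Request /
# Access-Accept exchange as laid out in RFC 2138 (now RFC 2865).  The secret,
# the users table and the NAS address below are constructed values.

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
NAS_IP = bytes([192, 0, 2, 10])  # constructed address of the access server


def hide_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 s.5.2): pad to a 16-byte multiple, then XOR
    each block with MD5(secret || previous block); the first block is keyed by
    the Request Authenticator.  This is obfuscation keyed by the shared secret,
    not encryption: whoever knows the secret recovers the password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_user_password, as the server performs it."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")  # never loop on bad input
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def packet(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def nas_build_access_request(secret, username, password, ident=7, req_auth=None):
    """NAS side: fresh random Request Authenticator plus the hidden password."""
    req_auth = req_auth or os.urandom(16)
    attrs = [attribute(ATTR_USER_NAME, username),
             attribute(ATTR_USER_PASSWORD, hide_user_password(password, secret, req_auth)),
             attribute(ATTR_NAS_IP_ADDRESS, NAS_IP)]
    return packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def server_handle_request(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password, decide, and sign the reply with the
    Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    username = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_user_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    reply_code = ACCESS_ACCEPT if users.get(username) == password else ACCESS_REJECT
    reply_attrs = []  # a real server would add e.g. VLAN or Session-Timeout attributes
    header = struct.pack("!BBH", reply_code, ident, 20 + sum(map(len, reply_attrs)))
    resp_auth = hashlib.md5(header + req_auth + b"".join(reply_attrs) + secret).digest()
    return packet(reply_code, ident, resp_auth, reply_attrs)


def nas_check_reply(reply: bytes, req_auth: bytes, secret: bytes):
    """NAS side: accept the verdict only if the Response Authenticator matches,
    i.e. the reply came from a party holding the shared secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    return reply[4:20] == expected, code


def demo():
    secret, users = b"constructed-shared-secret", {b"alice": b"s3cret-pw"}
    request, req_auth = nas_build_access_request(secret, b"alice", b"s3cret-pw")
    return nas_check_reply(server_handle_request(request, secret, users), req_auth, secret)


if __name__ == "__main__":
    print(demo())
```

Two design points follow from the code: the shared secret must be strong and the NAS-to-server path kept on a protected network, because a captured Access-Request plus the secret yields the password directly; and in 802.1X deployments the EAP-Message attributes must additionally be covered by an HMAC-MD5 Message-Authenticator attribute (RFC 2869), which this sketch omits.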
(which some consider to be the future of the Internet) is already in place. One could roam around and always be connected to the Internet if the nodes were open to the public, but due to security concerns most nodes are encrypted and users don't know how to disable encryption. Many people consider it proper etiquette to leave access points open to the public, allowing free Internet access. Others think the default encryption provides substantial protection at small inconvenience against dangers of open access that they fear may be substantial even on a home DSL router.
The density of access points can even be a problem: there are a limited number of channels available, and they partly overlap. Each channel can handle multiple networks, but in places with many private wireless networks (for example, apartment complexes) the limited number of Wi-Fi radio channels might cause slowness and other problems.
According to the advocates of open access points, opening up wireless networks to the public should not involve any significant risks:
On the other hand, in some countries, including Germany, persons providing an open access point may be held (partially) liable for any illegal activity conducted via that access point. Also, many contracts with ISPs specify that the connection may not be shared with other persons.
Background
One issue with corporate wireless networks in general, and WLANs in particular, involves the need for security. Many early access points could not discern whether or not a particular user had authorization to access the network. Although this problem reflects issues that have long troubled many types of wired networks (it has been possible in the past for individuals to plug computers into randomly available Ethernet jacks and get access to a local network), this did not usually pose a significant problem, since many organizations had reasonably good physical security. However, the fact that radio signals bleed outside of buildings and across property lines makes physical security largely irrelevant to piggybackers.
Anyone within the geographical range of an open, unencrypted wireless network can 'sniff' (capture or record) the traffic, gain unauthorized access to internal network resources as well as to the Internet, and then possibly send spam or perform other illegal actions using the wireless network's IP address. All of these are rare for home routers but may be significant concerns for office networks.
If router security is not activated, or if the owner deactivates it for convenience, it creates a free hotspot. Since most 21st-century laptop PCs have wireless networking built in (cf. Intel 'Centrino' technology), they don't need a third-party adapter such as a PCMCIA card or USB dongle. Built-in wireless networking might be enabled by default without the owner realizing it, thus broadcasting the laptop's accessibility to any computer nearby.
Modern operating systems such as Linux, Mac OS, or Microsoft Windows make it fairly easy to set up a PC as a wireless LAN 'base station' using Internet Connection Sharing, thus allowing all the PCs in the home to access the Internet via the 'base' PC. However, lack of knowledge about the security issues in setting up such systems often means that someone nearby may also use the connection. Such 'piggybacking' is usually achieved without the wireless network operator's knowledge; it may even be without the knowledge of the intruding user if their computer automatically selects a nearby unsecured wireless network to use as an access point.
The threat situation
Wireless security is just one aspect of computer security. All organizations, whatever their number of members or employees, are particularly vulnerable to security breaches caused by rogue access points.
If an employee (a trusted entity) brings a readily available wireless router into a location, the entire network can be exposed to anyone within range of its signals. If an employee adds a wireless interface to a networked computer via an open USB port, the same risk applies to that network. Protective concepts exist for all of these entities, however; such protection must be applied to all levels of communication, to all networked entities, and to all functions used and data processed.
The mobility advantage
Wireless networks are very common, both for organizations and individuals. Many laptop computers have wireless cards pre-installed. The ability to enter a network while mobile has great benefits. However, wireless networking is prone to some security issues. Crackers have found wireless networks relatively easy to break into, and even use wireless technology to crack into wired networks. As a result, it is very important that enterprises define effective wireless security policies that guard against unauthorized access to important resources. Wireless Intrusion Prevention Systems (WIPS) or Wireless Intrusion Detection Systems (WIDS) are commonly used to enforce wireless security policies.
The air interface and link corruption risk
There were relatively few dangers when wireless technology was first introduced, as the effort to maintain the communication was high and the effort to intrude is always higher. The variety of risks to users of wireless technology has increased as the service has become more popular and the technology more commonly available. Today there are a great number of security risks associated with current wireless protocols and encryption methods, and carelessness and ignorance exist at the user and corporate IT level. Cracking methods have become much more sophisticated and innovative with wireless.
Modes of unauthorized access
The modes of unauthorized access to links, to functions and to data are as varied as the ways the respective entities make use of program code. No complete model of such threats exists. To some extent, prevention relies on known modes and methods of attack and on relevant methods for suppressing them. However, each new mode of operation creates new options for attack, so prevention requires a steady drive for improvement. The modes of attack described here are just a snapshot of typical methods and the scenarios in which they apply.
Accidental association
Violation of the security perimeter of a corporate network can come from a number of different methods and intents. One of these methods is referred to as "accidental association". When a user turns on a computer and it latches on to a wireless access point from a neighboring company's overlapping network, the user may not even know that this has occurred. However, it is a security breach, in that proprietary company information is exposed and there could now exist a link from one company to the other. This is especially true if the laptop is also connected to a wired network. Accidental association is a case of the wireless vulnerability called "mis-association". Mis-association can be accidental or deliberate (for example, done to bypass a corporate firewall), or it can result from deliberate attempts to lure wireless clients into connecting to an attacker's APs.
Malicious association
"Malicious associations" occur when attackers actively cause wireless devices to connect to a company network through their cracking laptop instead of a company access point (AP). Such laptops are known as "soft APs" and are created when a cybercriminal runs software that makes his or her wireless network card look like a legitimate access point. Once the thief has gained access, he or she can steal passwords, launch attacks on the wired network, or plant trojans. Since wireless networks operate at Layer 2, Layer 3 protections such as network authentication and virtual private networks (VPNs) offer no barrier to the association itself (they still protect the traffic carried over it). Wireless 802.1X authentication does help with protection but is still vulnerable to cracking. The idea behind this type of attack may not be to break into a VPN or other security measures; most likely the criminal is just trying to take over the client at Layer 2.
Ad-hoc networks
Ad-hoc networks can pose a security threat. Ad-hoc networks are defined as peer-to-peer networks between wireless computers that do not have an access point between them. While these types of networks usually have little protection, encryption methods can be used to provide security.
The security hole provided by ad-hoc networking is not the ad-hoc network itself but the bridge it provides into other networks, usually in the corporate environment, together with the unfortunate default in most versions of Microsoft Windows of having this feature turned on unless explicitly disabled. Thus the user may not even know they have an unsecured ad-hoc network in operation on their computer. If they are also using a wired or wireless infrastructure network at the same time, they are providing a bridge to the secured organizational network through the unsecured ad-hoc connection. Bridging takes two forms. A direct bridge requires the user to actually configure a bridge between the two connections and is thus unlikely to be set up unless explicitly desired; an indirect bridge is the shared resources on the user's computer. The indirect bridge presents two security hazards. The first is that critical organizational data obtained via the secured network may be on the user's end-node computer drive and thus exposed to discovery via the unsecured ad-hoc network. The second is that a computer virus or other undesirable code may be placed on the user's computer via the unsecured ad-hoc connection and thus have a route to the organizational secured network. In this case the person placing the malicious code need not "crack" the passwords to the organizational network; the legitimate user has provided access via a normal and routine log-in. The malefactor simply needs to place the malicious code on the unsuspecting user's end-node system via the open (unsecured) ad-hoc network.
Non-traditional networks
Non-traditional networks such as personal-network Bluetooth devices are not safe from cracking and should be regarded as a security risk. Even barcode readers, handheld PDAs, and wireless printers and copiers should be secured. These non-traditional networks can be easily overlooked by IT personnel who have focused narrowly on laptops and access points.
Identity theft (MAC spoofing)
Identity theft (or MAC spoofing) occurs when a cracker is able to listen in on network traffic and identify the MAC address of a computer with network privileges. Most wireless systems allow some kind of MAC filtering, so that only authorized computers with specific MAC IDs may gain access to and use the network. However, a number of programs exist that have network "sniffing" capabilities. Combine these programs with software that allows a computer to pretend it has any MAC address the cracker desires, and the cracker can easily get around that hurdle.
MAC filtering is only effective for small residential (SOHO) networks, since it only provides protection when the wireless device is "off the air". Any 802.11 device "on the air" freely transmits its MAC address in its unencrypted 802.11 headers (WEP, WPA and WPA2 protect only the frame body, never the header), and no special equipment or software is required to detect it. Anyone with an 802.11 receiver (a laptop and wireless adapter) and a freeware wireless packet analyzer can obtain the MAC address of any transmitting 802.11 device within range. In an organizational environment, where most wireless devices are "on the air" throughout the working shift, MAC filtering provides only a false sense of security, since it prevents only "casual" or unintended connections to the organizational infrastructure and does nothing to prevent a directed attack.
Man-in-the-middle attacks
A man-in-the-middle attacker entices computers to log into a computer which is set up as a soft AP (access point). Once this is done, the attacker connects to a real access point through another wireless card, offering a steady flow of traffic through the transparent attacking computer to the real network. The attacker can then sniff the traffic.
One type of man-in-the-middle attack relies on security faults in challenge and handshake protocols to execute a "de-authentication attack". This attack forces AP-connected computers to drop their connections and reconnect with the cracker's soft AP. It works because, in 802.11 as originally specified, deauthentication frames carry no authentication at all, so any station can forge them in an access point's name; the 802.11w amendment (Protected Management Frames) closes this gap where both AP and client support it.
Man-in-the-middle attacks are enhanced by software such as LANjack and AirJack, which automate multiple steps of the process. What once required some skill can now be done by script kiddies. Hotspots are particularly vulnerable to any attack since there is little to no security on these networks.
Denial of service
A denial-of-service (DoS) attack occurs when an attacker continually bombards a targeted AP (access point) or network with bogus requests, premature successful-connection messages, failure messages, and/or other commands. These cause legitimate users to be unable to get on the network and may even cause the network to crash. These attacks rely on the abuse of protocols such as the Extensible Authentication Protocol (EAP).
The DoS attack in itself does little to expose organizational data to a malicious attacker, since the interruption of the network prevents the flow of data and actually, indirectly, protects data by preventing it from being transmitted. The usual reason for performing a DoS attack is to observe the recovery of the wireless network, during which all of the initial handshakes are re-transmitted by all devices, giving the attacker an opportunity to record them and use "cracking" tools to analyze security weaknesses and exploit them to gain unauthorized access to the system. The payoff depends on the encryption in use: on WEP the forced re-association mainly produces more encrypted traffic for the statistical key-recovery tools, while on WPA or WPA2 networks that use a pre-shared key the captured four-way handshake can be attacked offline with a dictionary of candidate passphrases.
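The following Python example is added here to illustrate two points made above and is not code from the original article: the MAC-filtering section's observation that 802.11 headers are never encrypted, and the deauthentication flood used to force reconnections in the man-in-the-middle and denial-of-service attacks. It decodes the fixed 802.11 MAC header (frame control, addresses, sequence number) and then runs a small WIDS-style detector over a constructed capture containing one protected data frame, one ordinary deauthentication from the AP, and a burst of forged broadcast deauthentications that claim the AP's address. All MAC addresses, timestamps, reason codes and the ten-frames-per-second threshold are constructed values chosen for illustration.

```python
import struct
from collections import defaultdict, deque

# Added example, not the article's code.  Parses the cleartext 802.11 MAC header
# and flags deauthentication floods; every address, timing and the threshold
# below is a constructed value chosen for illustration.

TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 10, 12
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def parse_80211_header(frame: bytes) -> dict:
    """Decode the fixed MAC header.  Frame Control is little-endian: bits 2-3 of
    the first byte are the type, bits 4-7 the subtype; the second byte holds the
    flags.  Nothing in this header is ever encrypted: WEP/WPA/WPA2 only protect
    the body that follows, which is why MAC filtering cannot stop spoofing."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    hdr = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": fc0 >> 4,
        "to_ds": bool(fc1 & FLAG_TO_DS),
        "from_ds": bool(fc1 & FLAG_FROM_DS),
        "protected": bool(fc1 & FLAG_PROTECTED),
        "addr1": mac_to_str(frame[4:10]),    # receiver
        "addr2": mac_to_str(frame[10:16]),   # transmitter
        "addr3": mac_to_str(frame[16:22]),   # BSSID / DA / SA depending on To/From DS
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,
    }
    body_offset = 30 if hdr["to_ds"] and hdr["from_ds"] else 24  # Address 4 only in WDS frames
    hdr["body"] = frame[body_offset:]
    if hdr["type"] == TYPE_MGMT and hdr["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        hdr["reason"] = struct.unpack_from("<H", hdr["body"], 0)[0]
    return hdr


def build_frame(ftype, subtype, flags, addr1, addr2, addr3, seq, body=b"") -> bytes:
    """Assemble a frame for the constructed capture (Duration field left at 0)."""
    fc0 = (subtype << 4) | (ftype << 2)
    return (struct.pack("<BBH", fc0, flags, 0) + mac_to_bytes(addr1) + mac_to_bytes(addr2)
            + mac_to_bytes(addr3) + struct.pack("<H", seq << 4) + body)


def detect_deauth_flood(capture, window=1.0, threshold=10):
    """WIDS-style check over (timestamp, raw_frame) pairs: alert once per
    transmitter that sends more than `threshold` deauth/disassoc frames within
    any `window` seconds.  A single deauth is routine (idle timeout, roaming);
    a burst carrying the AP's own address is the signature of a forced
    reconnection, whether for a soft-AP redirect or a handshake capture."""
    recent, alerts, alerted = defaultdict(deque), [], set()
    for ts, raw in capture:
        hdr = parse_80211_header(raw)
        if hdr["type"] != TYPE_MGMT or hdr["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        q = recent[hdr["addr2"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and hdr["addr2"] not in alerted:
            alerted.add(hdr["addr2"])
            alerts.append({"source": hdr["addr2"], "target": hdr["addr1"],
                           "reason": hdr["reason"], "count": len(q), "at": ts})
    return alerts


AP, CLIENT = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed addresses
# A protected data frame from the client to the AP: the body is opaque, the header is not.
PROTECTED_DATA = build_frame(TYPE_DATA, 0, FLAG_TO_DS | FLAG_PROTECTED, AP, CLIENT, AP,
                             1234, bytes(range(16)))


def constructed_capture():
    frames = [(0.00, PROTECTED_DATA),
              # one genuine deauthentication from the AP (reason code 4: inactivity)
              (0.10, build_frame(TYPE_MGMT, SUBTYPE_DEAUTH, 0, CLIENT, AP, AP, 5, struct.pack("<H", 4)))]
    # forty broadcast deauthentications in 0.4 s with the AP's address as transmitter
    for i in range(40):
        frames.append((1.0 + i * 0.01, build_frame(TYPE_MGMT, SUBTYPE_DEAUTH, 0, BROADCAST, AP, AP,
                                                    100 + i, struct.pack("<H", 7))))
    return frames


if __name__ == "__main__":
    h = parse_80211_header(PROTECTED_DATA)
    print(f"protected={h['protected']} transmitter={h['addr2']} receiver={h['addr1']} seq={h['seq']}")
    for alert in detect_deauth_flood(constructed_capture()):
        print("deauth flood:", alert)
```

Run against a real capture the detector would consume frames from a monitor-mode interface rather than the constructed list; the threshold and window are tuning knobs, and a production WIDS would also correlate the sequence numbers of the forged frames with those the genuine AP is emitting, since a spoofer rarely keeps them in step.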
Network injection
In a network injection attack, a cracker can make use of access points that are exposed to non-filtered network traffic, specifically broadcast network traffic such as Spanning Tree Protocol (802.1D), OSPF, RIP, and HSRP. The cracker injects bogus network re-configuration commands that affect routers, switches, and intelligent hubs. A whole network can be brought down in this manner and require rebooting or even reprogramming of all intelligent networking devices. The usual countermeasures are to filter these protocols at the switch port the access point is attached to and to enable authentication on the routing protocols, so that wireless clients are never in a position to participate in them.
Caffe Latte attack
The Caffe Latte attack is another way to defeat WEP. It is not necessary for the attacker to be in the area of the network to use this exploit. By using a process that targets the Windows wireless stack, it is possible to obtain the WEP key from a remote client, that is, a client away from the network (such as a laptop in a cafe) that still carries the network's key. By sending a flood of encrypted ARP requests, the assailant takes advantage of the shared-key authentication and the message-modification flaws in 802.11 WEP. The attacker uses the ARP responses to obtain the WEP key in less than 6 minutes.
Wireless Intrusion Prevention Concepts
There are three principal ways to secure a wireless network.
- For closed networks (like home users and organizations) the most common way is to configure access restrictions in the access points. Those restrictions may include encryption and checks on MAC address. Another option is to disable ESSID broadcasting, making the access point harder for outsiders to detect (the SSID still appears in probe and association frames, so this deters only casual discovery). Wireless Intrusion Prevention Systems can be used to provide wireless LAN security in this network model.
- For commercial providers, hotspots, and large organizations, the preferred solution is often to have an open and unencrypted, but completely isolated, wireless network. Users at first have no access to the Internet or to any local network resources. Commercial providers usually forward all web traffic to a captive portal which provides for payment and/or authorization. Another solution is to require users to connect securely to a privileged network using a VPN.
- Wireless networks are less secure than wired ones; in many offices intruders can easily walk in and hook up their own computer to the wired network without problems, gaining access to the network, and it is also often possible for remote intruders to gain access to the network through backdoors like Back Orifice. One general solution may be end-to-end encryption, with independent authentication on all resources that should not be available to the public.
There is no ready-made system that prevents fraudulent use of wireless communication or protects the data and functions of wirelessly communicating computers and other entities. There is, however, a scheme for qualifying the measures taken as a whole according to a common understanding of what counts as state of the art. That qualification scheme is an international consensus, specified in ISO/IEC 15408.
A Wireless Intrusion Prevention System
A Wireless Intrusion Prevention System (WIPS) is a concept for the most robust way to counteract wireless security risks. However, such a WIPS does not exist as a ready-made solution to implement as a software package. A WIPS is typically implemented as an overlay to an existing Wireless LAN infrastructure, although it may be deployed standalone to enforce no-wireless policies within an organization. WIPS is considered so important to wireless security that in July 2009, the Payment Card Industry Security Standards Council published wireless guidelines for PCI DSS recommending the use of WIPS to automate wireless scanning and protection for large organizations.
Wireless Security Best Practices
Even when a WIPS is deployed, certain wireless security best practices are recommended for every Wireless LAN deployment. Some practices may not be possible due to deployment constraints.
Terminology
The reader should understand and be familiar with the following terms and concepts that are used in this document.
AES. Advanced Encryption Standard (AES) uses a symmetric block data encryption technique and is part of WPA2.
EAP. Extensible Authentication Protocol (EAP) is an 802.1X standard that allows developers to pass authentication data between RADIUS servers and wireless access points. EAP has a number of variants, including: EAP MD5, EAP-TLS, EAP-TTLS, LEAP, and PEAP.
EAP-TLS. EAP Transport Layer Security (EAP-TLS) was developed under the 802.1X standard by Microsoft to use digital certificates for authentication and is currently the industry standard for 802.11i authentication.
IEEE 802.1X. The IEEE 802.1X governs the EAP encapsulation process that occurs between supplicants (clients), authenticators (wireless access points), and authentication servers (RADIUS).
IEEE 802.11. The IEEE 802.11 standard governs over-the-air network communications and includes several specifications that range from the 802.11g, which provides 20+ Mbps traffic in the 2.4 GHz band, to the 802.11i standard, which governs WPA2 encryption and authentication.
IEEE 802.11i. The IEEE 802.11i amendment to the 802.11 standard specifies security methods (WPA2) that make use of the AES block cipher and secure the origin authentication process (EAP), addressing previous inadequacies in the wireless security standards and specifications.
MS-CHAP v2. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is a password-based, challenge-response, mutual authentication protocol that uses MD4 and DES encryption. Used with PEAP (PEAP-MS-CHAP v2) to secure wireless communication.
PEAP. Protected Extensible Authentication Protocol (PEAP) is a type of EAP communication that addresses security issues associated with clear text EAP transmissions by creating a secure channel encrypted and protected by TLS.
SSID. Service set identifier (SSID) is the name given to a WLAN and used by the client to identify the correct settings and credentials necessary for access to a WLAN.
TKIP. Temporal Key Integrity Protocol (TKIP) is part of the WPA encryption standard for wireless networks. TKIP is the next generation of WEP, which provides per-packet key mixing to address flaws discovered in the WEP standard.
WEP. The Wired Equivalent Privacy (WEP) is part of the IEEE 802.11 standard and uses 64 or 128 bit RC4 encryption. Serious flaws were found in the WEP standard in 2001, mostly due to the length of the initialization vector of the RC4 stream cipher, which allowed for passive decoding of the RC4 key.
WLAN. Wireless local area network.
WPA. In response to weaknesses found in the WEP standard the Wi-Fi Protected Access (WPA) was introduced in 2003 as an interoperable wireless security specification subset of the IEEE 802.11 standard. This standard provides authentication capabilities and uses TKIP for data encryption.
WPA2. WPA2 was established in September 2004 by the Wi-Fi Alliance and is the certified interoperable version of the full IEEE 802.11i specification ratified in June 2004. Like its predecessor, WPA2 supports IEEE 802.1X/EAP authentication or PSK technology but includes a new encryption mechanism, Counter-Mode/CBC-MAC Protocol (CCMP), built on the Advanced Encryption Standard (AES).
MAC ID filtering
One of the simplest techniques is to only allow access from known, approved MAC addresses. However, this approach gives no security against sniffing, and client devices can easily spoof MAC addresses, leading to the need for more advanced security measures. Most wireless access points contain some type of MAC ID filtering that allows the administrator to only permit access to computers whose wireless interfaces carry certain MAC IDs. This can be helpful; however, it must be remembered that MAC IDs over a network can be faked. Cracking utilities such as SMAC are widely available, and some computer hardware also gives the option in the BIOS to select any desired MAC ID for its built-in network capability.
Some access points can also support "AP isolation" which isolates all wireless clients and wireless devices on the network from each other. Wireless devices will be able to communicate with the gateway but not with each other in the network.
Static IP addressing
Disabling at least the IP address assignment function of the network's DHCP server, with the IP addresses of the various network devices then set by hand, will also make it more difficult for a casual or unsophisticated intruder to log onto the network. This is especially effective if the subnet size is also reduced from a standard default setting to what is absolutely necessary and if permitted but unused IP addresses are blocked by the access point's firewall. In this case, where no unused IP addresses are available, a new user can log on without detection using TCP/IP only if he or she stages a successful Man in the Middle Attack using appropriate software.
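The subnet-tightening advice above is easy to get wrong by hand, so here is an added audit script (not from the article) that, given the hand-assigned addresses, lists the usable addresses that remain unassigned and should be blocked at the access point's firewall, and computes the tightest prefix that still holds every assigned device. The device inventory and the 192.0.2.0/24 addresses are constructed for illustration (TEST-NET-1 documentation space).

```python
"""Audit a statically addressed subnet: which usable addresses are not
assigned to a known device (block them), and how small can the prefix be?
Added example; the inventory below is constructed, not from any real site."""
import ipaddress

# Constructed inventory of hand-addressed devices (address -> description).
STATIC_HOSTS = {
    "192.0.2.1": "gateway / access point",
    "192.0.2.2": "network printer",
    "192.0.2.3": "laptop-alice",
    "192.0.2.4": "laptop-bob",
}


def unassigned_addresses(prefix, assigned):
    """Return every usable host address in `prefix` that is not in `assigned`.

    net.hosts() already leaves out the network and broadcast addresses, so
    the result is exactly the set of addresses an unknown client could claim
    and therefore the set the firewall should refuse.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    known = {ipaddress.ip_address(a) for a in assigned}
    return [str(h) for h in net.hosts() if h not in known]


def tightest_prefix(assigned):
    """Smallest prefix (largest /N) whose usable host range covers all devices.

    Returns the network as a string, or None if the inventory is empty.
    """
    addrs = sorted(ipaddress.ip_address(a) for a in assigned)
    if not addrs:
        return None
    first, last = addrs[0], addrs[-1]
    # Walk from /30 outwards; /31 and /32 have no usable host pair to offer.
    for plen in range(30, -1, -1):
        net = ipaddress.ip_network(f"{first}/{plen}", strict=False)
        if last > net.broadcast_address:
            continue
        usable = set(net.hosts())
        if all(a in usable for a in addrs):
            return str(net)
    return None


def audit(prefix, assigned):
    """Summarise what to block now and what prefix to migrate to."""
    return {
        "current_prefix": prefix,
        "to_block": unassigned_addresses(prefix, assigned),
        "recommended_prefix": tightest_prefix(assigned),
    }


if __name__ == "__main__":
    # A default /24 leaves 250 addresses open; a /29 leaves only two to block.
    for prefix in ("192.0.2.0/24", "192.0.2.0/29"):
        result = audit(prefix, STATIC_HOSTS)
        print(prefix, "->", len(result["to_block"]), "addresses to block;",
              "recommended", result["recommended_prefix"])
```

Run it against the real inventory and feed `to_block` into the access point's firewall deny list; re-run whenever a device is added or retired, because an address freed by a retired device is exactly the gap the text warns about.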
Regular WEP
The Wired Equivalent Privacy (WEP) encryption standard was the original encryption standard for wireless. As its name implies, this standard was intended to make wireless networks as secure as wired networks. Unfortunately, this never happened as flaws were quickly discovered and exploited. There are several open source utilities like aircrack-ng, weplab, WEPCrack, or airsnort that can be used by crackers to break in by examining packets and looking for patterns in the encryption. WEP comes in different key sizes. The common key lengths are currently 128- and 256-bit. The longer the better as it will increase the difficulty for crackers. However, this type of encryption is now being considered outdated and seriously flawed. In 2005 a group from the FBI held a demonstration where they used publicly available tools to break a WEP encrypted network in three minutes. WEP protection is better than nothing, though generally not as secure as the more sophisticated WPA-PSK encryption. A big problem is that if a cracker can receive packets on a network, it is only a matter of time until the WEP encryption is cracked.
WEP has some serious issues. First, it does not deal with the issue of key management at all. Either the keys have to be manually given to end users, or they have to be distributed in some other authentication method. Since WEP is a shared key system, the AP uses the same key as all the clients and the clients also share the same key with each other. A cracker would only have to compromise the key from a single user, and he would then know the key for all users.
In addition to key management, a paper published in August 2001 describes ways in which WEP can actually be broken ("Weaknesses in the Key Scheduling Algorithm of RC4" by Fluhrer, Mantin and Shamir). This is due to a weakness in RC4 as it is implemented in WEP. If enough traffic can be intercepted, then it can be broken by brute force in a matter of an hour or two. If that weren't bad enough, the time it takes to crack WEP only grows linearly with key length, so a 104-bit key doesn't provide any significant protection over a 40-bit key when faced against a determined hacker. There are several freely available programs that allow for the cracking of WEP. WEP is indeed a broken solution, but it should be used, as it is better than nothing. In addition, higher layer encryption (SSL, TLS, etc.) should be used when possible.
Today very few access points incorporate Wired Equivalent Privacy (WEP) encryption and most wireless routers are sold with WEP turned off. Security analysts have criticized WEP's inadequacies, and the U.S. FBI has demonstrated the ability to break WEP protection in only three minutes using tools available to the general public (see aircrack).
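The terminology list attributes WEP's flaws mostly to the length of the RC4 initialization vector, and the section above says that given enough captured packets it is "only a matter of time". The added calculation below (not from the article) makes that concrete for the design rather than for any attack: it estimates and simulates how many frames a link sends before a randomly chosen 24-bit IV repeats, which is the point at which two frames share an RC4 keystream, and contrasts it with the 48-bit per-packet counter that TKIP and CCMP use. The traffic rate used for the sequential-IV case is a constructed figure.

```python
"""How quickly does WEP's 24-bit IV space run out?  Added example, not from
the article.  WEP_IV_BITS and TKIP_IV_BITS are the standard field widths;
the frame rate passed to seconds_until_counter_wraps is a constructed value."""
import math
import random

WEP_IV_BITS = 24   # WEP prepends a 24-bit IV to the shared key for each frame
TKIP_IV_BITS = 48  # TKIP and CCMP use a 48-bit per-packet sequence counter


def expected_frames_until_repeat(iv_bits):
    """Birthday-bound estimate of frames sent before two random IVs collide.

    For N = 2**iv_bits equally likely values the expected number of draws
    until the first repeat is about sqrt(pi/2 * N).
    """
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def simulate_first_repeat(iv_bits, seed=1):
    """Draw random IVs until one repeats; return the 1-based frame index.

    Deterministic for a given seed so the result is reproducible.
    """
    rng = random.Random(seed)
    seen = set()
    frame = 0
    while True:
        frame += 1
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            return frame
        seen.add(iv)


def seconds_until_counter_wraps(iv_bits, frames_per_second):
    """If IVs are issued sequentially, the space is exhausted after 2**iv_bits
    frames; return how many seconds that takes at a constant frame rate."""
    return 2 ** iv_bits / frames_per_second


if __name__ == "__main__":
    print("expected frames until a random 24-bit IV repeats:",
          round(expected_frames_until_repeat(WEP_IV_BITS)))
    print("one simulated run (seed 1):", simulate_first_repeat(WEP_IV_BITS))
    print("expected frames until a random 48-bit counter repeats:",
          round(expected_frames_until_repeat(TKIP_IV_BITS)))
    # Constructed rate: a busy link sending 1000 frames per second.
    print("sequential 24-bit IVs wrap after",
          round(seconds_until_counter_wraps(WEP_IV_BITS, 1000) / 3600, 1), "hours")
```

The 48-bit case is computed, not simulated, because the simulation would need tens of millions of draws; the point is the ratio: a few thousand frames versus tens of millions, with the same shared key in both cases, and no re-keying in WEP to reset the count.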
WPAv1
The Wi-Fi Protected Access (WPA and WPA2) security protocols were later created to address the problems with WEP. If a weak password, such as a dictionary word or short character string, is used, WPA and WPA2 can be cracked. Using a long enough random password (e.g. 14 random letters) or passphrase (e.g. 5 randomly chosen words) makes pre-shared key WPA virtually uncrackable. The second generation of the WPA security protocol (WPA2) is based on the final IEEE 802.11i amendment to the 802.11 standard and is eligible for FIPS 140-2 compliance. With all those encryption schemes, any client in the network that knows the keys can read all the traffic.
Wi-Fi Protected Access (WPA) is a software/firmware improvement over WEP. All regular WLAN equipment that worked with WEP can simply be upgraded and no new equipment needs to be bought. WPA is a trimmed-down version of the 802.11i security standard that was developed by IEEE 802.11 to replace WEP. The TKIP encryption algorithm was developed for WPA to provide improvements to WEP that could be fielded as firmware upgrades to existing 802.11 devices. The WPA profile also provides optional support for the AES-CCMP algorithm that is the preferred algorithm in 802.11i and WPA2.
WPA Enterprise provides RADIUS-based authentication using 802.1X. WPA Personal uses a pre-shared key (PSK) to establish the security using an 8 to 63 character passphrase. The PSK may also be entered as a 64 character hexadecimal string. Weak PSK passphrases can be broken using off-line dictionary attacks by capturing the messages in the four-way exchange when the client reconnects after being deauthenticated. Wireless suites such as aircrack-ng can crack a weak passphrase in less than a minute. Other WEP/WPA crackers are AirSnort and Auditor Security Collection. Still, WPA Personal is secure when used with 'good' passphrases or a full 64-character hexadecimal key.
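Two passages above give the defender's side of WPA Personal: the earlier one recommends 14 random letters or 5 randomly chosen (Diceware) words, and this one states the credential formats (8 to 63 character passphrase, or a 64-digit hexadecimal PSK). The added script below (not from the article) validates a credential against those formats, estimates the randomness of the two recommended policies, generates a passphrase under each, and derives the 256-bit PSK from passphrase and SSID. The derivation assumes what IEEE 802.11i specifies and what the wpa_passphrase utility computes: PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations, 32 bytes of output. The sample word list and SSID are constructed.

```python
"""WPA/WPA2-Personal credential hygiene.  Added example, not from the
article.  Assumes the 802.11i PSK derivation (PBKDF2-HMAC-SHA1, salt = SSID,
4096 iterations, 256-bit output); SAMPLE_WORDS and the SSIDs are constructed."""
import hashlib
import math
import re
import secrets
import string

HEX_PSK = re.compile(r"^[0-9a-fA-F]{64}$")
DICEWARE_LIST_SIZE = 7776          # 6**5 entries in a real Diceware list
# Constructed, deliberately tiny word list: real Diceware uses 7776 words.
SAMPLE_WORDS = ["amber", "basalt", "cobalt", "delta", "ember", "fjord",
                "granite", "harbor", "iris", "juniper", "kelp", "lumen"]


def classify_credential(text):
    """'psk-hex' for a raw 64-hex-digit PSK, 'passphrase' for 8-63 printable
    ASCII characters; ValueError otherwise (the forms 802.11i accepts)."""
    if HEX_PSK.match(text):
        return "psk-hex"
    if 8 <= len(text) <= 63 and all(32 <= ord(c) <= 126 for c in text):
        return "passphrase"
    raise ValueError("need 8-63 printable ASCII characters or 64 hex digits")


def derive_psk(credential, ssid):
    """Return the 32-byte PSK; a hex credential is already the key."""
    if classify_credential(credential) == "psk-hex":
        return bytes.fromhex(credential)
    return hashlib.pbkdf2_hmac("sha1", credential.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def entropy_bits(alphabet_size, count):
    """Bits of randomness in `count` uniformly chosen symbols from an alphabet."""
    return count * math.log2(alphabet_size)


def random_letters(n=14):
    """The '14 random letters' policy, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(n))


def diceware_passphrase(words, n=5):
    """The '5 randomly chosen words' policy; secrets.choice stands in for dice."""
    return " ".join(secrets.choice(words) for _ in range(n))


if __name__ == "__main__":
    print("14 letters:", round(entropy_bits(26, 14), 1), "bits")
    print("5 Diceware words:", round(entropy_bits(DICEWARE_LIST_SIZE, 5), 1), "bits")
    print("5 words from the tiny sample list:",
          round(entropy_bits(len(SAMPLE_WORDS), 5), 1), "bits (too few!)")
    # Constructed SSID; the PSK is what a client stores after provisioning.
    pp = random_letters()
    print(pp, "->", derive_psk(pp, "example-office-wlan").hex())
```

Both recommended policies land near 65 bits, which is why the text can call them "virtually uncrackable" against dictionary attacks; the sample list shows how fast that collapses when the word list is small. Because the SSID is the salt, the same passphrase yields a different PSK on every network, so a PSK leaked from one network does not transfer to another.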
There is information, however, that Erik Tews (the man who created the fragmentation attack against WEP) is going to reveal a way of breaking the WPA TKIP implementation at Tokyo's PacSec security conference in November 2008, cracking the encryption on a packet in 12–15 minutes. The announcement of this 'crack' was somewhat overblown by the media, because as of August 2009 the best attack on WPA (the Beck-Tews attack) is only partially successful: it only works on short data packets, it cannot recover the WPA key, and it requires very specific WPA implementations in order to work.
Additions to WPAv1
In addition to WPAv1, TKIP, WIDS and EAP may be added alongside. Also, VPN networks (non-continuous secure network connections) may be set up under the 802.11 standard. VPN implementations include PPTP, L2TP, IPSec and SSH. However, this extra layer of security may also be cracked with tools such as Anger, Deceit and Ettercap for PPTP; and ike-scan, IKEProbe, ipsectrace, and IKEcrack for IPSec connections.
TKIP
This stands for Temporal Key Integrity Protocol and the acronym is pronounced as tee-kip. This is part of the IEEE 802.11i standard. TKIP implements per-packet key mixing with a re-keying system and also provides a message integrity check. These avoid the problems of WEP.
EAP
The WPA improvement over the IEEE 802.1X standard already improved the authentication and authorization for access to wireless and wired LANs. In addition to this, extra measures such as the Extensible Authentication Protocol (EAP) have brought an even greater amount of security, because EAP uses a central authentication server. Unfortunately, during 2002 a Maryland professor discovered some shortcomings. Over the next few years these shortcomings were addressed with the use of TLS and other enhancements. This new version of EAP is now called Extended EAP and is available in several versions; these include: EAP-MD5, PEAPv0, PEAPv1, EAP-MSCHAPv2, LEAP, EAP-FAST, EAP-TLS, EAP-TTLS, MSCHAPv2, EAP-SIM, ...
EAP-versions
EAP versions include LEAP, PEAP and other EAPs.
LEAP
This stands for the Lightweight Extensible Authentication Protocol. This protocol is based on 802.1X and helps minimize the original security flaws by using WEP and a sophisticated key management system. This EAP version is safer than EAP-MD5. It also uses MAC address authentication. LEAP is not safe against crackers. THC-LeapCracker can be used to break Cisco's version of LEAP and be used against computers connected to an access point in the form of a dictionary attack. Anwrap and asleap, finally, are other crackers capable of breaking LEAP.
PEAP
This stands for Protected Extensible Authentication Protocol. This protocol allows for a secure transport of data, passwords, and encryption keys without the need of a certificate server. It was developed by Cisco, Microsoft, and RSA Security.
Other EAPs
There are other types of Extensible Authentication Protocol implementations that are based on the EAP framework. The framework that was established supports existing EAP types as well as future authentication methods. EAP-TLS offers very good protection because of its mutual authentication. Both the client and the network are authenticated using certificates and per-session WEP keys. EAP-FAST also offers good protection. EAP-TTLS is another alternative made by Certicom and Funk Software. It is more convenient as one does not need to distribute certificates to users, yet offers slightly less protection than EAP-TLS.
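The EAP material above names a dozen method variants and singles out EAP-MD5 and LEAP as the ones that are weak or crackable. A WIDS or a RADIUS-side monitor can enforce that as policy by looking at the EAP method type byte in 802.1X traffic. The added parser below (not from the article or any product) decodes an EAPOL frame carrying an EAP packet, using the IEEE 802.1X EAPOL header and the RFC 3748 EAP header layout, maps the method type number to a name using the IANA-assigned values, and reports whether the method is one the text calls weak. The frames it is run on are constructed with the `build_eapol_eap` helper, also part of this example.

```python
"""Decode EAPOL/EAP packets and flag weak EAP methods.  Added example, not
from the article.  Header layouts follow IEEE 802.1X and RFC 3748; the method
numbers are the IANA EAP type assignments; all frames here are constructed."""
import struct

EAPOL_EAP_PACKET = 0                       # EAPOL packet type carrying EAP
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "EAP-MD5",
             13: "EAP-TLS", 17: "LEAP", 18: "EAP-SIM", 21: "EAP-TTLS",
             25: "PEAP", 26: "EAP-MSCHAPv2", 43: "EAP-FAST"}
# Methods the text describes as weak or breakable by dictionary attack.
WEAK_METHODS = {"EAP-MD5", "LEAP"}
# Type values that carry no authentication method of their own.
NON_METHOD_TYPES = {"Identity", "Notification", "Nak"}


def parse_eap(pkt):
    """RFC 3748: Code(1) Identifier(1) Length(2) [Type(1) Type-Data...]."""
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    info = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident,
            "method": None, "data": b""}
    if code in (1, 2):                     # only Request/Response carry a Type
        if length < 5:
            raise ValueError("Request/Response without Type byte")
        mtype = pkt[4]
        info["method"] = EAP_TYPES.get(mtype, f"type-{mtype}")
        info["data"] = pkt[5:]
    return info


def parse_eapol(frame):
    """IEEE 802.1X EAPOL: Version(1) Type(1) Body-Length(2) Body."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body length mismatch")
    eap = parse_eap(body) if ptype == EAPOL_EAP_PACKET else None
    return {"eapol_version": version, "eapol_type": ptype, "eap": eap}


def method_verdict(info):
    """'weak', 'ok' or 'n/a' for the EAP method seen in a parsed frame."""
    method = info["eap"]["method"] if info["eap"] else None
    if method is None or method in NON_METHOD_TYPES:
        return "n/a"
    return "weak" if method in WEAK_METHODS else "ok"


def build_eapol_eap(code, ident, mtype, data=b""):
    """Construct an EAPOL frame holding one EAP Request/Response (for demos)."""
    eap = struct.pack("!BBHB", code, ident, 5 + len(data), mtype) + data
    return struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap


if __name__ == "__main__":
    # Constructed frames: a LEAP challenge, an EAP-TLS start, an Identity reply.
    samples = [build_eapol_eap(1, 7, 17, b"\x01\x00\x00\x08"),
               build_eapol_eap(1, 8, 13, b"\x20"),
               build_eapol_eap(2, 1, 1, b"alice")]
    for frame in samples:
        info = parse_eapol(frame)
        print(info["eap"]["code"], info["eap"]["method"], "->", method_verdict(info))
```

Because the Type byte is in the clear in every EAP Request and Response, this check needs no keys and can run on a monitor-mode capture or on the authenticator's RADIUS log; a "weak" verdict for a production SSID is a configuration finding, not an incident by itself.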
Restricted access networks
Solutions include a newer system for authentication, IEEE 802.1X, that promises to enhance security on both wired and wireless networks. Wireless access points that incorporate technologies like these often also have routers built in, thus becoming wireless gateways.
End-to-End encryption
One can argue that both layer 2 and layer 3 encryption methods are not good enough for protecting valuable data like passwords and personal emails. Those technologies add encryption only to parts of the communication path, still allowing people to spy on the traffic if they have gained access to the wired network somehow. The solution may be encryption and authorization in the application layer, using technologies like SSL, SSH, GnuPG, PGP and similar.
The disadvantage of the end-to-end method is that it may fail to cover all traffic. With encryption at the router level or with a VPN, a single switch encrypts all traffic, even UDP and DNS lookups. With end-to-end encryption, on the other hand, each service to be secured must have its encryption "turned on," and often every connection must also be "turned on" separately. For sending emails, every recipient must support the encryption method and must exchange keys correctly. For the Web, not all web sites offer https, and even if they do, the browser sends out IP addresses in clear text.
The most prized resource is often access to the Internet. An office LAN owner seeking to restrict such access will face the non-trivial enforcement task of having each user authenticate himself to the router.
802.11i security
The newest and most rigorous security to implement into WLANs today is the 802.11i RSN standard. This full-fledged 802.11i standard (which uses WPAv2) however does require the newest hardware (unlike WPAv1), thus potentially requiring the purchase of new equipment. This new hardware required may be either AES-WRAP (an early version of 802.11i) or the newer and better AES-CCMP equipment. One should make sure one needs WRAP or CCMP equipment, as the two hardware standards are not compatible.
WPAv2
WPA2 is a Wi-Fi Alliance branded version of the final 802.11i standard. The primary enhancement over WPA is the inclusion of the AES-CCMP algorithm as a mandatory feature. Both WPA and WPA2 support EAP authentication methods using RADIUS servers and preshared keys (PSK).
Most of the world has switched their WAPs from WEP to WPA2, since WEP has been proved too insecure to be used. It is important to note that there is a possible security flaw in the WPA protocol, referred to as Hole196. It is a hole in the protocol that exposes the user to insider attacks.
Additions to WPAv2
Unlike 802.1X, 802.11i already has most other additional security services such as TKIP, PKI, ... Just as with WPAv1, WPAv2 may work in cooperation with EAP and a WIDS.
WAPI
This stands for WLAN Authentication and Privacy Infrastructure. This is a wireless security standard defined by the Chinese government.
Smart cards, USB tokens, and software tokens
This is a very strong form of security. When combined with some server software, the hardware or software card or token will use its internal identity code combined with a user-entered PIN to create a powerful algorithm that will very frequently generate a new encryption code. The server will be time-synced to the card or token. This is a very secure way to conduct wireless transmissions. Companies in this area make USB tokens, software tokens, and smart cards. They even make hardware versions that double as an employee picture badge.
Currently the safest security measures are the smart cards / USB tokens. However, these are expensive. The next safest methods are WPA2 or WPA with a RADIUS server. Any one of the three will provide a good base foundation for security.
The third item on the list is to educate both employees and contractors on security risks and personal preventive measures. It is also IT's task to keep the company workers' knowledge base up-to-date on any new dangers that they should be cautious about. If the employees are educated, there will be a much lower chance that anyone will accidentally cause a breach in security by not locking down their laptop or by bringing in a wide-open home access point to extend their mobile range. Employees need to be made aware that company laptop security extends outside their site walls as well. This includes places such as coffee houses, where workers can be at their most vulnerable.
The last item on the list deals with 24/7 active defense measures to ensure that the company network is secure and compliant. This can take the form of regularly looking at access point, server, and firewall logs to try to detect any unusual activity. For instance, if any large files went through an access point in the early hours of the morning, a serious investigation into the incident would be called for. There are a number of software and hardware devices that can be used to supplement the usual logs and other usual safety measures.
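As an added example (not from the article) of the log review just described, the following Python sums each client's off-hours traffic from constructed access point log lines and flags clients above a threshold; the log format, the 00:00-05:59 window and the 500 MiB threshold are assumptions.

```python
from datetime import datetime

# Constructed sample access point log lines (not from the article):
# ISO timestamp, client MAC, access point name, bytes moved in the session.
SAMPLE_LOG = """\
2011-03-14T09:12:05 00:11:22:33:44:55 ap-lobby 4200000
2011-03-14T13:40:11 00:11:22:33:44:66 ap-floor2 1800000
2011-03-15T02:17:49 00:11:22:33:44:77 ap-lobby 950000000
2011-03-15T03:05:02 00:11:22:33:44:77 ap-lobby 120000
2011-03-15T04:30:00 00:11:22:33:44:99 ap-floor2 300000000
2011-03-15T04:45:00 00:11:22:33:44:99 ap-floor2 300000000
2011-03-15T22:50:30 00:11:22:33:44:88 ap-floor2 700000000
"""

OFF_HOURS = range(0, 6)              # 00:00-05:59, the "early hours of the morning"
LARGE_TRANSFER = 500 * 1024 * 1024   # 500 MiB; a site-specific threshold (assumption)


def parse_line(line):
    ts, mac, ap, nbytes = line.split()
    return {"time": datetime.fromisoformat(ts), "mac": mac, "ap": ap, "bytes": int(nbytes)}


def off_hours_volume(log_text, off_hours=OFF_HOURS):
    """Sum bytes per (client MAC, calendar day) for sessions inside the off-hours window.
    Aggregating catches a client that splits one big transfer into several sessions."""
    totals = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["time"].hour in off_hours:
            key = (rec["mac"], rec["time"].date().isoformat())
            totals[key] = totals.get(key, 0) + rec["bytes"]
    return totals


def suspicious_clients(log_text, threshold=LARGE_TRANSFER, off_hours=OFF_HOURS):
    """Return (mac, day, bytes) for clients whose off-hours volume reaches the threshold,
    largest first; each hit is a candidate for the investigation the article calls for."""
    totals = off_hours_volume(log_text, off_hours)
    hits = [(mac, day, n) for (mac, day), n in totals.items() if n >= threshold]
    return sorted(hits, key=lambda h: h[2], reverse=True)
```

The 22:50 session is large but outside the window, so it is not reported; the two 300 MB sessions are caught only because they are summed per client and day.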
RF shielding
It is practical in some cases to apply specialized wall paint and window film to a room or building to significantly attenuate wireless signals, which keeps the signals from propagating outside a facility. This can significantly improve wireless security because it is difficult for hackers to receive the signals beyond the controlled area of an enterprise, such as within parking lots.
Despite security measures such as encryption, hackers may still be able to crack them. This is done using several techniques and tools. An overview of them can be found in the Network encryption cracking article, to understand what we are dealing with. Understanding the mindset and techniques of the hacker allows one to better protect one's system.
For closed networks (like home users and organizations) the most common way is to configure access restrictions in the access points. Those restrictions may include encryption and checks on MAC addresses. Another option is to disable ESSID broadcasting, making the access point difficult for outsiders to detect. Wireless Intrusion Prevention Systems can be used to provide wireless LAN security in this network model.
For commercial providers, hotspots, and large organizations, the preferred solution is often to have an open and unencrypted, but completely isolated wireless network. The users will at first have no access to the Internet nor to any local network resources. Commercial providers usually forward all web traffic to a captive portal which provides for payment and/or authorization. Another solution is to require the users to connect securely to a privileged network using VPN.
Wireless networks are less secure than wired ones; in many offices intruders can easily visit and hook up their own computer to the wired network without problems, gaining access to the network, and it's also often possible for remote intruders to gain access to the network through backdoors like Back Orifice. One general solution may be end-to-end encryption, with independent authentication on all resources that shouldn't be available to the public.
Mobile devices
With the increasing number of mobile devices with 802.1X interfaces, the security of such mobile devices becomes a concern. While open standards such as Kismet are targeted towards securing laptops, access point solutions should extend to covering mobile devices also. Host-based solutions also exist for mobile handsets and PDAs with an 802.1X interface.
Security within mobile devices falls under three categories:
- Protecting against ad-hoc networks
- Connecting to rogue access points
- Mutual authentication schemes such as WPA2 as described above
Wireless IPS solutions now offer wireless security for mobile devices.
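An added example, not code from the article or any WIDS product, that applies the three categories above to constructed scan results: it flags ad-hoc networks, rogue APs that advertise the corporate SSID from an unknown BSSID, and authorised APs not running CCMP, and gives a mobile device a simple join policy. The inventory, scan entries and field names are assumptions; real mutual authentication happens in the 802.1X/WPA2 handshake, which this check does not model.

```python
# Constructed inventory of the organisation's own access points (assumption):
# SSID -> set of authorised BSSIDs. Anything else advertising that SSID is a rogue.
AUTHORIZED = {
    "CorpWiFi": {"00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02"},
}
REQUIRED_CIPHER = "CCMP"   # the 802.11i/WPA2 cipher the article recommends

# Constructed scan results as a WIDS sensor or a handset's scan list might record them
# (not real captures): BSSID, SSID, network type and pairwise cipher advertised.
SCAN = [
    {"bssid": "00:1a:2b:3c:4d:01", "ssid": "CorpWiFi",    "mode": "infrastructure", "cipher": "CCMP"},
    {"bssid": "00:1a:2b:3c:4d:02", "ssid": "CorpWiFi",    "mode": "infrastructure", "cipher": "TKIP"},
    {"bssid": "66:77:88:99:aa:bb", "ssid": "CorpWiFi",    "mode": "infrastructure", "cipher": "none"},
    {"bssid": "02:de:ad:be:ef:01", "ssid": "Free WiFi",   "mode": "ad-hoc",         "cipher": "none"},
    {"bssid": "c0:ff:ee:00:00:01", "ssid": "CoffeeHouse", "mode": "infrastructure", "cipher": "CCMP"},
]


def classify(entry, authorized=AUTHORIZED):
    """Map one scan entry to one of the article's three concerns or to a benign class."""
    if entry["mode"] == "ad-hoc":
        return "ad-hoc"            # peer-to-peer network; a managed device should never join
    if entry["ssid"] not in authorized:
        return "neighbor"          # someone else's network; not ours to police
    if entry["bssid"] not in authorized[entry["ssid"]]:
        return "rogue"             # our SSID from an unknown radio (evil twin)
    if entry["cipher"] != REQUIRED_CIPHER:
        return "misconfigured"     # our own AP, but not running the mandated cipher
    return "authorized"


def wids_alerts(scan, authorized=AUTHORIZED):
    """What a WIPS/WIDS would raise: every entry that is neither clean nor someone else's."""
    alerts = [(e["bssid"], classify(e, authorized)) for e in scan]
    return [a for a in alerts if a[1] not in ("authorized", "neighbor")]


def may_join(entry, authorized=AUTHORIZED):
    """Host-side policy for a mobile device: join only an authorised, correctly configured AP."""
    return classify(entry, authorized) == "authorized"
```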
Mobile patient monitoring devices are becoming an integral part of the healthcare industry, and these devices will eventually become the method of choice for accessing and implementing health checks for patients located in remote areas. For these types of patient monitoring systems, security and reliability are critical.
Implementing network encryption
In order to implement 802.11i, one must first make sure that both the router/access point(s) and all client devices are indeed equipped to support the network encryption. If this is done, a server such as RADIUS, ADS, NDS, or LDAP needs to be integrated. This server can be a computer on the local network, an access point/router with an integrated authentication server, or a remote server. APs/routers with integrated authentication servers are often very expensive and specifically an option for commercial usage like hotspots. Hosted 802.1X servers via the Internet require a monthly fee; running a private server is free, yet has the disadvantage that one must set it up and that the server needs to be on continuously.
To set up a server, server and client software must be installed. The server software required is an enterprise authentication server such as RADIUS, ADS, NDS, or LDAP. The required software can be picked from various suppliers such as Microsoft, Cisco, Funk Software, Meetinghouse Data, and from some open-source projects. Software includes:
- Cisco Secure Access Control Software
- Microsoft Internet Authentication Service
- Meetinghouse Data EAGIS
- Funk Software Steel Belted RADIUS (Odyssey)
- FreeRADIUS (open-source)
Client software comes built into Windows XP and may be integrated into other OSes using any of the following software:
- Intel PROSet/Wireless Software
- Cisco ACU-client
- Odyssey client
- AEGIS-client
- Xsupplicant (Open1X project)
RADIUS
This stands for Remote Authentication Dial In User Service. It is an AAA (authentication, authorization and accounting) protocol used for remote network access. This service provides an excellent weapon against crackers. RADIUS was originally proprietary but was later published under ISOC documents RFC 2138 and RFC 2139. The idea is to have an inside server act as a gatekeeper by verifying identities through a username and password that is already pre-determined by the user. A RADIUS server can also be configured to enforce user policies and restrictions, as well as recording accounting information such as time connected for billing purposes.
Open Access Points
Today, there is almost full wireless network coverage in many urban areas - the infrastructure for the wireless community network (which some consider to be the future of the internet) is already in place. One could roam around and always be connected to the Internet if the nodes were open to the public, but due to security concerns, most nodes are encrypted and the users don't know how to disable encryption. Many people consider it proper etiquette to leave access points open to the public, allowing free access to the Internet. Others think the default encryption provides substantial protection at small inconvenience, against dangers of open access that they fear may be substantial even on a home DSL router.
The density of access points can even be a problem - there are a limited number of channels available, and they partly overlap. Each channel can handle multiple networks, but in places with many private wireless networks (for example, apartment complexes), the limited number of Wi-Fi radio channels might cause slowness and other problems.
According to the advocates of Open Access Points, it shouldn't involve any significant risks to open up wireless networks for the public:
- The wireless network is after all confined to a small geographical area. A computer connected to the Internet and having improper configurations or other security problems can be exploited by anyone from anywhere in the world, while only clients in a small geographical range can exploit an open wireless access point. Thus the exposure is low with an open wireless access point, and the risks with having an open wireless network are small. However, one should be aware that an open wireless router will give access to the local network, often including access to file shares and printers.
- The only way to keep communication truly secure is to use end-to-end encryption. For example, when accessing an internet bank, one would almost always use strong encryption from the web browser all the way to the bank; thus it shouldn't be risky to do banking over an unencrypted wireless network. The argument that anyone can sniff the traffic applies to wired networks too, where system administrators and possible crackers have access to the links and can read the traffic. Also, anyone knowing the keys for an encrypted wireless network can gain access to the data being transferred over the network.
- If services like file shares, access to printers etc. are available on the local net, it is advisable to have authentication (i.e. by password) for accessing them (one should never assume that the private network is not accessible from the outside). Correctly set up, it should be safe to allow access to the local network to outsiders.
- With the most popular encryption algorithms today, a sniffer will usually be able to compute the network key in a few minutes.
- It is very common to pay a fixed monthly fee for the Internet connection, and not for the traffic - thus extra traffic will not hurt.
- Where Internet connections are plentiful and cheap, freeloaders will seldom be a prominent nuisance.
On the other hand, in some countries including Germany , persons providing an open access point may be made (partially) liable for any illegal activity conducted via this access point. Also, many contracts with ISPs specify that the connection may not be shared with other persons.
See also
- Electromagnetic shielding
- Kismet
- Stealth wallpaper
- TEMPEST
- Wireless LAN security
- PCI DSS
- Wireless Intrusion Prevention System