7/27/2019 802.11 report 2004.doc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
UNIVERSITY OF MAURITIUS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
FACULTY OF ENGINEERING
Assignment
NETWORK ADMINISTRATION & PROGRAMMING
(CSE 5211)
Critical Survey of IEEE 802.11 Standard & the Network
Security Administration Strategy in a Wireless LAN
Submitted by:
YOGRAJ SEEBALUCK(0303581)
MSC INFORMATION & COMMUNICATION
TECHNOLOGY Level 1
http://www.80211report.com/
24 April 2004
Seebaluck Yograj MSc [email protected] Level 1
CSE5211 IEEE 802.11 Standard & the Network Security Administration Strategy in a Wireless LAN
Introduction
Over recent years, the market for wireless communications has enjoyed
tremendous growth. Wireless technology now reaches or is capable of reaching
virtually every location on the face of the earth. Hundreds of millions of people exchange information every day using pagers, cellular telephones, and other wireless
communication products. With the tremendous success of wireless technology, it is
hardly surprising that wireless communication is beginning to be applied to the realm
of personal and business computing. No longer bound by the harnesses of wired
networks, people will be able to access and share information on a global scale nearly
anywhere they venture. This report covers the various aspects of wireless LAN with
emphasis on IEEE 802.11, its weaknesses and how to secure it.
1. WLAN
The major motivation and benefit from wireless LANs is increased mobility.
Untethered from conventional network connections, network users can move about
almost without restriction and access LANs from anywhere. Examples of the practical
uses for WN access are limited only by the imagination of the application designer.
Medical professionals can obtain not only patient records, but real-time vital signs and other reference data at the patient bedside without relying on reams of paper charts.
Wireless connections with real-time sensing allow a remote engineer to diagnose and
maintain the health and welfare of manufacturing equipment. The list of possibilities
is almost endless. WLANs offer increased flexibility. One can visualize without too
much difficulty a meeting in which employees use laptops and wireless links to share
and discuss future design plans and products. This "ad hoc" network can be brought
up and torn down in a very short time as needed, either around the conference table or
around the world. Even students on university campuses have been known to access
lecture notes and other course materials while wandering about campus. Sometimes it
is more economical to use a WLAN as they offer the connectivity and the
convenience of wired LANs without the need for expensive wiring or rewiring.
2. WLAN Design
The real challenge in designing a WLAN is to strike a balance between its coverage and the bandwidth made available to each user, since there is a trade-off between the two. If the range is increased, the bandwidth per user is lower, and vice versa.
Designing and managing a WLAN is not all that simple as it requires careful planning
and constant monitoring.
Here are the major steps that should be followed in designing a WLAN:
Step 1: Determine usage
Step 2: Conduct site survey
Step 3: Determine number of users per AP
Step 4: Determine coverage
Step 5: Identify equipment
Step 6: Devise security policy
Step 7: Plan manageability & support
3. IEEE 802.11 WLAN Topologies
IEEE 802.11 supports three basic topologies for WLANs: the IBSS, the BSS
and the ESS. All three configurations are supported by the MAC layer
implementation. The 802.11 standard defines two modes: ad-hoc/IBSS and
infrastructure mode. Logically an ad-hoc configuration is analogous to a peer-to-peer
office network in which no single node is required to function as a server. IBSS
WLANs include a number of nodes or wireless stations that communicate directly
with one another on an ad-hoc, peer-to-peer basis, building a full-mesh or partial-
mesh topology. Generally ad-hoc implementations cover a limited area and are not
connected to any larger network. Using infrastructure mode, the WN consists of at
least one AP connected to the wired network infrastructure and a set of wireless end
stations. This configuration is called a BSS.
Since most corporate WLANs require access to the wired LAN for services
(file servers, printers, Internet links), they will operate in infrastructure mode and rely
on an AP that acts as the logical server for a single WLAN cell or channel.
Communications between two nodes, A and B, actually flow from node A to the AP
and then from the AP to node B. The AP is necessary to perform a bridging function
and connect multiple WLAN cells or channels, and to connect WLAN cells to a wired
enterprise LAN. An ESS is a set of two or more BSSs forming a single subnetwork.
ESS configurations consist of multiple BSS cells that can be linked by either wired or
wireless backbones. IEEE 802.11 supports ESS configurations as illustrated in Figure 1.
Figure 1: IEEE 802.11 BSS and ESS topologies
4. IEEE 802.11 WLAN Components
802.11 defines a wireless station equipped with wireless NIC and an AP,
which acts as a bridge between the wireless and wired networks. An AP consists of a
radio, a wired network interface, and bridging software conforming to the 802.11d
bridging standard. The AP acts as the base station for the WN, aggregating access for
multiple wireless stations onto the wired network. Wireless end stations can be 802.11
PC Card, PCI, or ISA NICs, or embedded solutions in non-PC clients. An 802.11
WLAN is based on a cellular architecture. Each cell (BSS) is connected to the base
station or AP. All APs are connected to a DS which is similar to a backbone. All
mentioned components appear as an 802 system for the upper layers of OSI and are
known as the ESS. The 802.11 standard does not constrain the composition of the DS;
so, it may be 802 compliant or non-standard. If data frames need transmission to and
from a non-IEEE 802.11 LAN, then these frames enter and exit through a logical
point called a portal. When the DS is constructed with 802-type components, such as 802.3 (Ethernet) or 802.5 (Token Ring), then the portal and the AP are the same, acting
as a translation bridge.
5. 802.11 MAC Layer Services
5.1 Authentication Process & De-authentication
Authentication is the process of proving client identity which takes place prior
to a wireless client associating with an AP. IEEE 802.11 devices operate in an open
system whereby any wireless client can associate with an AP without checking
credentials. True authentication is possible with the use of the 802.11 option WEP.
Only those devices with a valid shared key will be allowed to be associated to the AP.
IEEE 802.1x is a standard for passing EAP over a wired or wireless LAN. With 802.1x, EAP messages are packaged in Ethernet frames; the standard is used for PBNAC, which provides authenticated network access to 802.11 WNs and to wired Ethernet networks. PBNAC uses the physical characteristics of a switched LAN infrastructure to authenticate devices that are attached to a LAN port and to prevent access to that port in cases where the authentication process fails.
During a PBNAC interaction, a LAN port adopts one of two roles:
authenticator or supplicant. As authenticator, a LAN port enforces authentication
before it allows user access to the services that can be accessed through that port. As
supplicant, a LAN port requests access to the services that can be accessed through
the authenticator's port. An AS, which can either be a separate entity or co-located
with the authenticator, checks the supplicant's credentials on behalf of the
authenticator. The AS then responds to the authenticator, indicating whether the
supplicant is authorized to access the authenticator's services.
The authenticator's PBNAC defines two logical access points to the LAN through one physical LAN port. The first, the uncontrolled port, allows data exchange between the authenticator and other computers on the LAN regardless of the computer's authorization state. The second, the controlled port, allows data exchange only between an authenticated LAN user and the authenticator. IEEE 802.1x uses
standard security protocols to provide centralized user identification, authentication,
dynamic key management and accounting. The de-authentication function is
performed by the base station. It is a process of denying client credentials, based on
incorrect authentication settings, or applied IP or MAC filters.
5.2 Association, Disassociation & Re-association
The association service enables the establishment of wireless links between
wireless clients and APs in infrastructure networks. The disassociation service cancels
the wireless links between wireless clients and APs in infrastructure networks. The re-
association service occurs in addition to association when a wireless client moves
from one BSS to another. Two adjoining BSSs form an ESS if they are defined by a
common ESSID, providing a wireless client with the capability to roam from one area
to another. Although re-association is specified in 802.11, the mechanism that allows
AP-to-AP coordination to handle roaming is not specified.
5.3 Privacy
By default, data is transferred in the clear allowing any 802.11-compliant
device to potentially eavesdrop on similar 802.11 traffic within its range. The WEP
option encrypts data before it is sent wirelessly, using a 40-bit encryption algorithm
known as RC4. The same shared key used in authentication is used to encrypt or
decrypt the data, allowing only wireless clients with the exact shared key to correctly
decipher the data.
5.4 Data Transfer, Distribution, Integration & Power Management
The primary service of the MAC layer is to provide frame exchange between MAC layers. Wireless clients use a CSMA/CA algorithm as the media access scheme. The distribution function is performed by the DS and is used in special cases of frame transmission between APs. Integration is performed by the portal, which is essentially designed to provide logical integration between existing wired LANs and
802.11 LANs. IEEE 802.11 defines two power modes: an active mode, where a
wireless client is powered to transmit and receive; and, a power save mode, where a
client is not able to transmit or receive, consuming less power. Actual power
consumption is not defined and is dependent upon the implementation.
6. Securing a WLAN
WLANs are based on the IEEE 802.11 standard. Once the standard was defined, to avoid interoperability problems between 802.11 products from different vendors, the Wi-Fi Alliance was formed, which coined the term Wi-Fi for WLANs based on IEEE 802.11. Initially 802.11 had only WEP for its security. However, as WLANs became popular, flaws in it were detected and tools to break WEP security were easily available on the internet. The August 2003 issue of PCQUEST Magazine pointed out the weaknesses in WEP and even cracked a WEP key using a popular and freely available tool. But this does not mean that WLANs are not secure. Those in the business of security know that there is no such thing as absolute security, but one can make it tougher to breach. There are many ways to do this, starting from MAC address-based filtering to the new IEEE 802.11i security standard.
6.1 WEP security
In the WEP security model, the AP is the decision maker that allows people to access the WLAN. If the WEP key is correct the user can access the network; if not, he is denied. An attacker who has cracked the WEP key can use the WLAN with no problems.
6.2 MAC Address-Based Filtering
This is the second line of defense against attackers after WEP: the wireless AP or router can be configured to accept packets only from known MAC addresses. But this method also has its shortcomings. MAC addresses are very easy to fake or spoof, and they flow in clear text over the air. Nonetheless, it is a worthwhile addition to WEP, and most APs and routers support this feature.
6.3 IEEE 802.11i and WPA
IEEE 802.11i is a new-generation security method for WNs. It defines a new type of WLAN called RSN, which requires wireless devices to have a number of new capabilities. However, customers cannot simply dump their existing products, and the standard is not yet released. So the Wi-Fi Alliance has adopted a new standard based on RSN, called WPA.
6.4 Three-Party Security Model of WPA and IEEE 802.11i
The new WPA standard describes a different security model, which takes a three-party approach instead of the two-party approach used earlier. As before, a user wanting to connect to a WN first connects to the AP. But now the AP itself cannot allow the user onto the network, because the AP connects to a separate AS which takes the access decision. Thus, even with a valid WEP key, a user cannot access the WLAN until permitted by the AS; the AP becomes the NAS, whose job is to control the access gate to the network under the direction of the AS. IEEE 802.11i takes the same approach.
6.5 Protocols for Wireless Security: EAP
In a WLAN, a user identifies himself to the AS using EAP. Using EAP messages, the user provides his identity to the AP, which forwards it to the AS for authentication. Depending on the user information, the AS returns a success or failure signal to the user. The weakness is that the user identity is passed on unprotected and can easily be snooped by an intruder. The intruder can then disguise himself as a valid user to access the WN, and the administrator has no means to tell whether data is coming from the right source. EAP messages between the user and the AP are transported over EAPOL, which is like the PPP connection used for dial-up internet access.
6.6 Upper Layer Authentication Built on EAP
To address the weakness of authentication built on EAP alone, upper-layer authentication such as TLS, Kerberos or PEAP is used in conjunction with EAP. After the initial identification done by EAP, the AS defers the success or failure of the EAP session until the upper-layer authentication method has confirmed that the user information is coming from the correct source.
6.7 PEAP
PEAP prevents the user identity from travelling over the air unprotected. It provides mutual authentication in which the AS first proves its identity to the client, using a digital certificate for instance, and also gives the user the public key of the certificate. After this the user identity can be sent to the AS encrypted with the server's public key, which can only be read by the AS using its private key and not by an attacker.
6.8 IEEE 802.1x
802.1x is a security standard featuring a port-based authentication framework and dynamic distribution of session keys for WEP encryption. A RADIUS server is required. EAP messages from the user are passed on to the AS and messages from the AS are passed to the user. In between, the 802.1x AP looks for special EAP messages, such as success or failure, to finally connect or disconnect the user.
Figure 2: 802.1x Authentication
6.9 RADIUS
A better way is to have a dedicated AS holding the user list, with which the NAS communicates. This communication between the NAS and the AS is done using the RADIUS protocol. So in WLANs the AS is basically a server running the RADIUS protocol with EAP extensions, authenticating wireless users on the basis of the user list held on it; it should also support other network protocols. To use this security model, support is required at all three levels: the client system, the AP and the AS. As a client, Win XP has support for 802.1x by default. Open source implementations are available for Linux clients. For the APs, Cisco and D-Link products support 802.1x. On the server side Windows 2003 Server provides the necessary support, and for Linux, OpenSSL and FreeRadius can be used for 802.1x.
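The three-party model of sections 5.1 and 6.4-6.9 (supplicant, AP as authenticator/NAS, separate AS) can be made concrete with a small simulation. The following is an added example written for this report, not code from the report or from any vendor; the class names, the "identity:password" EAPOL payload, the MAC addresses and the user list are all constructed, and the real EAPOL and RADIUS encodings are not modelled.

```python
"""Toy model of the 802.1x three-party exchange of sections 5.1 and 6.4-6.9:
a supplicant (wireless client), an authenticator (the AP acting as NAS) and an
authentication server (AS, standing in for RADIUS).  The class and field names
and the sample MACs/credentials are constructed for this example and are not
the real EAPOL/RADIUS wire formats."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Frame:
    src: str       # station MAC address (constructed)
    kind: str      # "EAPOL" (authentication traffic) or "DATA" (user traffic)
    payload: str = ""


@dataclass
class AuthServer:
    """Holds the user list.  The AP never decides access itself (section 6.4)."""
    users: Dict[str, str]   # identity -> password (constructed)

    def check(self, identity: str, password: str) -> str:
        if self.users.get(identity) == password:
            return "EAP-Success"
        return "EAP-Failure"


@dataclass
class Authenticator:
    """One physical LAN port split into the two logical ports of section 5.1."""
    server: AuthServer
    authorized: Set[str] = field(default_factory=set)   # MACs with an open controlled port
    log: List[Tuple[str, str, str]] = field(default_factory=list)

    def receive(self, frame: Frame) -> str:
        if frame.kind == "EAPOL":
            # Uncontrolled port: open regardless of authorization state, but only
            # for authentication traffic, which is relayed to the AS.  Note that
            # with plain EAP the identity travels in the clear (section 6.5).
            identity, _, password = frame.payload.partition(":")
            verdict = self.server.check(identity, password)
            if verdict == "EAP-Success":
                self.authorized.add(frame.src)
            else:
                self.authorized.discard(frame.src)
            self.log.append((frame.src, "uncontrolled", verdict))
            return verdict
        # Controlled port: user data flows only after the AS has said Success.
        outcome = "FORWARDED" if frame.src in self.authorized else "DROPPED"
        self.log.append((frame.src, "controlled", outcome))
        return outcome

    def deauthenticate(self, mac: str) -> None:
        """The de-authentication service of section 5.1: close the controlled port."""
        self.authorized.discard(mac)


def run_scenario() -> List[str]:
    """Constructed scenario: a valid user, a user with a wrong password, a
    station that never authenticates, and a de-authentication by the AP."""
    asrv = AuthServer(users={"alice": "correct-horse", "bob": "battery"})
    ap = Authenticator(server=asrv)
    a, b, c = "00:11:22:aa:bb:01", "00:11:22:aa:bb:02", "00:11:22:aa:bb:03"
    outcomes = [
        ap.receive(Frame(a, "DATA", "GET / HTTP/1.0")),        # before authenticating
        ap.receive(Frame(a, "EAPOL", "alice:correct-horse")),  # AS says Success
        ap.receive(Frame(a, "DATA", "GET / HTTP/1.0")),        # controlled port now open
        ap.receive(Frame(b, "EAPOL", "bob:wrong")),            # AS says Failure
        ap.receive(Frame(b, "DATA", "GET / HTTP/1.0")),
        ap.receive(Frame(c, "DATA", "GET / HTTP/1.0")),        # never authenticated
    ]
    ap.deauthenticate(a)
    outcomes.append(ap.receive(Frame(a, "DATA", "GET / HTTP/1.0")))  # port closed again
    return outcomes


if __name__ == "__main__":
    for step, outcome in enumerate(run_scenario(), 1):
        print(step, outcome)
```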
6.10 Proprietary Security
To enhance existing protection mechanisms, proprietary security solutions exist. As recognized industry leaders in client and infrastructure systems, Intel and Cisco are working together to enable a protected, interoperable and manageable system. LEAP is Cisco's version of EAP, compatible with Cisco Aironet products. CKIP is Cisco's version of TKIP, compatible with Cisco Aironet products, and adds security, performance and manageability to a WLAN consisting of Cisco Aironet infrastructure and compatible third-party clients. One also needs to check for interoperability between the infrastructure and client-side WLAN components. Be sure to look for Wi-Fi CERTIFIED products, as they have been tested for interoperability with other certified products. The Wi-Fi Alliance has a list of certified products on its website.
7. Current Security Problems of 802.11 Wireless & their Solution
A WN is more vulnerable to attacks than a wired network, so security is a critical element of WLAN design. This section discusses the most prominent security vulnerabilities associated with WLANs and how network engineers can build a secure WN. Let us see how and where to use these security measures and evaluate the risk involved with them.
Problem #1: Very Easy Access
WLANs are easy to find. The information needed to join a network is also the information needed to launch an attack. To enable clients to find them, networks transmit Beacon frames carrying network parameters which are not processed by any privacy function, so the 802.11 network and its parameters are available to anybody with an 802.11 card. Attackers with high-gain antennas can find networks from nearby and launch attacks without having physical access to the WLAN.
Solution #1: Secure Airwaves with Encryption & Strong Access Control
Ensuring security on a WN is partly a matter of design. NAs should place APs outside of security perimeter devices (firewalls) and use VPNs to provide access to the corporate network. Strong user authentication should be deployed (e.g. 802.1x, which defines new frame types for user-based authentication and leverages existing enterprise user databases such as RADIUS). Front-end authentication exchanges using 802.1x over the wireless medium are converted to RADIUS requests over the back-end wired LAN. NAs should also use a WNA (e.g. AirMagnet WLA) whose analysis system includes a diagnostic routine for WLANs that watches authentication traffic and provides a diagnosis for the NAs. The WLA analysis system tracks 802.1x authentication messages and key distribution messages from a central screen, and the WLAN must be regularly audited to ensure that the deployment is consistent with the security objectives of the design. The WLA analysis engine can perform in-depth analysis on frames and can detect several common 802.11 security problems.
Problem #2: Discovery of Rogue Access Points (RAP)
Easy access to WLANs is coupled with easy deployment, and the two combined can cause headaches for NAs. Any user can purchase an AP and connect it to the corporate network without authorization. So-called rogue access points deployed by end users pose great security risks, as those users are not security experts and may not be aware of the risks posed by WLANs. Many deployments that have been logged and mapped by war drivers do not have any security features enabled, making them vulnerable.
Solution #2: Regular Site Audits & Multi-Dimensional Intrusion Detection
WNs require vigilance on the part of the NAs. Given the ease with which
technologies can be exploited for access, learning when unauthorised networks have
been deployed is a vital task. The obvious way to find unauthorised networks is to
imitate an attacker: use an antenna and look for unauthorised networks before
attackers exploit them. So, physical site audits should be performed regularly.
Walk-through detection often begins with NetStumbler which is a good tool
for finding a large number of APs and associating them with geographic locations for
mapping applications. With the emergence of 802.11a, NAs should look for a hassle-
free product that supports both 802.11a and 802.11b. Dual-band 802.11a/b chipsets
and cards built with them allow NAs to work on both without hardware changes. So
they need to master only one supported platform for both 802.11a and 802.11b which
should apply to 802.11g when WNA vendors are certain to adopt 802.11a/b/g cards.
Many tools are used to perform site audits and track RAPs, but NAs must be conscious of the need to keep up with the latest techniques used in the cat-and-mouse game played out in the site audit. APs can be deployed in any frequency band defined in 802.11, so it is important that any tools used in audits can scan the entire frequency range. Even if 802.11b is chosen, a WNA used for site audit work should be capable of simultaneously scanning for unauthorised 802.11a APs, so that no hardware or software swaps are required during an audit. Some RAPs are beginning to be deployed illegally on 802.11b channels that are not available for transmission. NAs are always pressed for time and need an efficient way to find RAPs. For instance, AirMagnet's expert engine allows NAs to configure a list of authorised APs, so that any unauthorised AP triggers an alarm. In response to the alarm, NAs can use the find tool on a WNA to home in on the AP using real-time signal strength meters.
Problem #3: Unauthorised Service & Legal Implications
Many published benchmarks indicate that a majority of APs are put into service with minimal modifications to the default configuration. Most of the APs running with quasi-default settings have not activated WEP or use the vendor's default key. Two problems can arise from such open access. In addition to bandwidth charges for unauthorised use, legal problems may result. Unauthorised users may not necessarily obey your provider's terms of service, and it may only take one spammer to cause your ISP to revoke your connectivity.
Solution #3: Design and Audit for Strong Authentication
A defence against unauthorised use is to keep unauthorised users off the network. Strong, cryptographically protected authentication is a precondition for authorization, as access privileges are based on user identity. VPN solutions deployed to protect traffic in transit across the radio link also provide strong authentication. Organizations which perform risk analysis indicate that 802.1x is a sufficient technical countermeasure, as it ensures cryptographically secure authentication (PEAP, TLS or TTLS). As part of its monitoring, a WNA detects important 802.1x properties such as the user name and EAP type.
Once a WN has been successfully deployed, it is important to ensure that authentication/authorisation policies are rigorously followed. The solution is to perform regular audits of the WN equipment to ensure that strong authentication is used and that network devices are properly configured. These audits are a vital component of WLAN security: they verify that strong security tools are in place and are required for use of the WLAN, and they sniff out unauthorised WLAN deployments. Any comprehensive audit tool must therefore detect APs in both the 802.11b (2.4 GHz ISM) and 802.11a (5 GHz U-NII) frequency bands and summarize the parameters relevant to security. If an unauthorised station is found on the network, a receiver can be used to track down its physical location; the tool should also verify the configuration of AP parameters and raise alarms when APs expose vulnerabilities.
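The audit described in Solutions #1 to #3 (an authorised-AP list, coverage of both the 2.4 GHz and 5 GHz bands, a summary of security parameters, alarms on rogue or badly configured APs) can be expressed as a short checking routine. The following is an added example for this report, not a vendor's audit engine: the scan record layout, the alarm names, the assumed channel limits and the sample scan are all constructed.

```python
"""Site-audit check of a constructed WLAN scan against an authorised-AP list,
following the audit steps in Solutions #1-#3 (authorised list, both bands,
security parameters, illegal channels).  Added example: record layout, alarm
names, channel limits and the sample scan are invented for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed authorised list: BSSID -> SSID the corporate AP is expected to announce.
AUTHORISED_APS: Dict[str, str] = {
    "00:0c:41:aa:00:01": "corp-wlan",
    "00:0c:41:aa:00:02": "corp-wlan",
}
CORPORATE_SSIDS = set(AUTHORISED_APS.values())

# Assumed regulatory limits for this audit (an assumption of the example; the
# report only notes that some rogue APs use 802.11b channels not available locally).
ALLOWED_2GHZ_CHANNELS = set(range(1, 12))                 # channels 1-11
ALLOWED_5GHZ_CHANNELS = {36, 40, 44, 48, 52, 56, 60, 64}

STRONG_SECURITY = {"802.1x", "VPN"}   # the WEP / 802.1x / VPN distinction of Solution #6


@dataclass(frozen=True)
class ScanRecord:
    bssid: str
    ssid: str
    channel: int
    security: str   # "open", "WEP", "802.1x" or "VPN"


def band_of(channel: int) -> str:
    """802.11b/g use channels 1-14 in the 2.4 GHz ISM band; 802.11a uses
    channels 36 and above in the 5 GHz U-NII bands."""
    return "2.4GHz" if 1 <= channel <= 14 else "5GHz"


def audit(scan: List[ScanRecord]) -> List[Tuple[str, str, str]]:
    """Return (bssid, alarm, detail) tuples; an empty list means a clean audit."""
    alarms: List[Tuple[str, str, str]] = []
    for rec in scan:
        band = band_of(rec.channel)
        allowed = ALLOWED_2GHZ_CHANNELS if band == "2.4GHz" else ALLOWED_5GHZ_CHANNELS
        if rec.channel not in allowed:
            alarms.append((rec.bssid, "ILLEGAL_CHANNEL",
                           f"channel {rec.channel} is not permitted in the {band} band"))
        if rec.bssid not in AUTHORISED_APS:
            if rec.ssid in CORPORATE_SSIDS:
                # Unknown radio announcing our SSID: an AP posing as ours (Problem #5).
                alarms.append((rec.bssid, "SSID_IMPERSONATION",
                               f"unknown BSSID announces '{rec.ssid}' on {band}"))
            else:
                alarms.append((rec.bssid, "ROGUE_AP",
                               f"'{rec.ssid}' on {band} channel {rec.channel}"))
            continue   # configuration checks below apply to our own APs only
        if rec.ssid != AUTHORISED_APS[rec.bssid]:
            alarms.append((rec.bssid, "SSID_MISMATCH",
                           f"expected '{AUTHORISED_APS[rec.bssid]}', saw '{rec.ssid}'"))
        if rec.security == "open":
            alarms.append((rec.bssid, "OPEN_ACCESS", "quasi-default configuration (Problem #3)"))
        elif rec.security not in STRONG_SECURITY:
            alarms.append((rec.bssid, "WEAK_CRYPTO",
                           f"{rec.security} only; policy requires 802.1x or VPN"))
    return alarms


# Constructed scan: one clean corporate AP, one still on WEP, a consumer AP on a
# channel outside the assumed limits, and an unknown 5 GHz radio using our SSID.
SAMPLE_SCAN = [
    ScanRecord("00:0c:41:aa:00:01", "corp-wlan", 6, "802.1x"),
    ScanRecord("00:0c:41:aa:00:02", "corp-wlan", 11, "WEP"),
    ScanRecord("00:09:5b:de:ad:01", "linksys", 13, "open"),
    ScanRecord("00:40:96:ca:fe:02", "corp-wlan", 40, "open"),
]


def run_audit() -> List[Tuple[str, str, str]]:
    return audit(SAMPLE_SCAN)


if __name__ == "__main__":
    for bssid, alarm, detail in run_audit():
        print(f"{alarm:18} {bssid}  {detail}")
```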
Problem #4: Service and Performance Constraints
WLANs have limited transmission capacity: WLANs based on 802.11b have a bit rate of 11 Mbps and those based on 802.11a technology have bit rates up to 54 Mbps. Due to MAC layer overhead, the actual effective throughput tops out at roughly half of the nominal bit rate. Current shipping APs share that limited capacity between all the users associated with an AP. It is not hard to imagine how local area applications might overwhelm such limited capacity, or how an attacker might launch a denial of service attack on the limited resources.
Radio capacity can be overwhelmed in various ways. It can be swamped by traffic coming in from the wired network at a rate greater than the radio channel can handle; if an attacker were to launch a ping flood from broadcast addresses, it is possible to overwhelm several directly connected APs. The 802.11 MAC is designed to allow several WNs to share the same space and radio channel, so attackers wishing to take out a WN could send their own traffic on the same radio channel and the target network would accommodate the new traffic as best it could using the CSMA/CA mechanisms in the standard. Attackers can also overwhelm limited capacity by transmitting spoofed frames or by sending high-noise transmissions at a target WN. Large traffic volumes need not be maliciously generated: if many users start pulling vast tracts of data through the same AP, network access begins to resemble the caricature of dial-up access used by purveyors of high-speed broadband services.
Solution #4: 24x7 Network Monitoring
Addressing performance problems starts with monitoring and discovering them. NAs have many channels for performance data, ranging from technical measures such as SNMP to non-technical measures such as user performance reports. WNAs are a valuable ally for NAs, reporting on the signal quality and network health at the current location. A large amount of low-speed transmissions may indicate external interference or severe multipath fading. The ability to display instantaneous speeds on each channel gives a strong indication of the remaining capacity on the channel. Excessive traffic on an AP can be addressed by segmenting the AP's coverage area or by applying a traffic shaping solution at the confluence of the WN with the corporate backbone.
WNAs can be used near trouble spots to diagnose problems and observe denial of service attacks. We do have tools that spoof the disassociation messages between APs and clients. Without cryptographic authentication of these messages, clients respond to the forged messages by going offline. Until cryptographic authentication of every transmitted frame is required by the standards, the only practical defence against flooding attacks is to locate attackers and apply an appropriate solution.
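Since the standard offers no frame authentication, the monitoring side of Solution #4 comes down to recognising a burst of disconnect frames and then locating its source. The following detector is an added example for this report, not the output or logic of any real analyser: the log format, the window and threshold values and the sample capture are constructed.

```python
"""Detector for the spoofed disassociation/de-authentication floods of
Solution #4, run over a constructed frame log.  Added example: the log
format, the thresholds and the sample capture are invented for illustration
and are not the output of any real analyser."""
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Assumed thresholds: a client that really leaves a BSS sends one disconnect
# frame, so several of them aimed at one BSS within a short window is a burst.
WINDOW_SECONDS = 2.0
BURST_THRESHOLD = 5
BROADCAST = "ff:ff:ff:ff:ff:ff"
DISCONNECT_SUBTYPES = {"deauth", "disassoc"}

# Constructed capture: beacons, one ordinary deauth at t=0.42, then a burst of
# forged disconnect frames (all carrying the AP's address as source) at t=10.
SAMPLE_CAPTURE = """\
t=0.000 subtype=beacon src=00:0c:41:aa:00:01 dst=ff:ff:ff:ff:ff:ff bssid=00:0c:41:aa:00:01
t=0.420 subtype=deauth src=00:0c:41:aa:00:01 dst=00:11:22:aa:bb:01 bssid=00:0c:41:aa:00:01 reason=3
t=0.900 subtype=beacon src=00:0c:41:aa:00:01 dst=ff:ff:ff:ff:ff:ff bssid=00:0c:41:aa:00:01
t=10.000 subtype=disassoc src=00:0c:41:aa:00:01 dst=00:11:22:aa:bb:01 bssid=00:0c:41:aa:00:01 reason=8
t=10.050 subtype=disassoc src=00:0c:41:aa:00:01 dst=00:11:22:aa:bb:02 bssid=00:0c:41:aa:00:01 reason=8
t=10.100 subtype=disassoc src=00:0c:41:aa:00:01 dst=00:11:22:aa:bb:03 bssid=00:0c:41:aa:00:01 reason=8
t=10.150 subtype=deauth src=00:0c:41:aa:00:01 dst=00:11:22:aa:bb:04 bssid=00:0c:41:aa:00:01 reason=7
t=10.200 subtype=deauth src=00:0c:41:aa:00:01 dst=ff:ff:ff:ff:ff:ff bssid=00:0c:41:aa:00:01 reason=7
t=10.250 subtype=deauth src=00:0c:41:aa:00:01 dst=00:11:22:aa:bb:05 bssid=00:0c:41:aa:00:01 reason=7
t=11.000 subtype=beacon src=00:0c:41:aa:00:01 dst=ff:ff:ff:ff:ff:ff bssid=00:0c:41:aa:00:01
"""

LINE_RE = re.compile(
    r"t=(?P<t>[\d.]+) subtype=(?P<subtype>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) bssid=(?P<bssid>\S+)"
)


def parse(capture: str) -> List[dict]:
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    frames = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            f = m.groupdict()
            f["t"] = float(f["t"])
            frames.append(f)
    return frames


def detect_floods(frames: List[dict]) -> List[Tuple[str, float, int, bool]]:
    """Slide a WINDOW_SECONDS window over disconnect frames per BSSID and raise
    one alarm the first time a BSS reaches BURST_THRESHOLD of them.  Each alarm
    is (bssid, time, count_in_window, broadcast_disconnect_seen).  The source
    address is deliberately not checked: without per-frame authentication a
    forged frame carrying the AP's address is indistinguishable from a real one."""
    windows: Dict[str, Deque[float]] = defaultdict(deque)
    broadcast_seen: Dict[str, bool] = defaultdict(bool)
    alarmed = set()
    alarms: List[Tuple[str, float, int, bool]] = []
    for f in frames:
        if f["subtype"] not in DISCONNECT_SUBTYPES:
            continue
        bss = f["bssid"]
        window = windows[bss]
        window.append(f["t"])
        while window and f["t"] - window[0] > WINDOW_SECONDS:
            window.popleft()
        if f["dst"] == BROADCAST:      # one frame that knocks every client off
            broadcast_seen[bss] = True
        if len(window) >= BURST_THRESHOLD and bss not in alarmed:
            alarmed.add(bss)
            alarms.append((bss, f["t"], len(window), broadcast_seen[bss]))
    return alarms


if __name__ == "__main__":
    for bss, t, count, bcast in detect_floods(parse(SAMPLE_CAPTURE)):
        print(f"disconnect flood on {bss} at t={t:.3f}: {count} frames"
              f"{' incl. broadcast' if bcast else ''}")
```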
Problem #5: MAC Spoofing & Session Hijacking
802.11 networks do not authenticate frames: each frame carries a source address, but nothing verifies it. Attackers can use spoofed frames to redirect traffic and corrupt ARP tables, and can use spoofed frames in active attacks. In addition to hijacking sessions, they can exploit the lack of authentication of APs, which are identified only by their broadcast of Beacon frames. Any station which claims to be an AP and broadcasts the right SSID will appear to be part of an authorised network. The attacker could then potentially steal credentials and use them to gain access to the network through a MITM attack. Fortunately, protocols that support mutual authentication are possible with 802.1x. Using methods based on TLS, APs need to prove their identity before clients provide authentication credentials, which are protected by strong cryptography for transmission over the air. Session hijacking will not be completely solved until the 802.11 MAC adopts per-frame authentication as part of 802.11i.
Solution #5: Use Strong Protocols
MAC spoofing will remain a threat until the ratification of 802.11i. NAs must isolate WNs affected by MAC spoofing from the core network. Session hijacking can be prevented by using a strong cryptographic protocol such as IPSec. Along with VPN protocols, strong user authentication with 802.1x is required, which checks the exchanges on the wireless component. After deployment, a WNA can decode the authentication type in use, which allows NAs to verify that passwords are protected.
Problem #6: Traffic Analysis & Network Eavesdropping
802.11 provides no protection against attacks that passively observe traffic. The main risk is that it does not provide a way to protect data in transit against eavesdropping. Frame headers are clearly visible to anybody with a WNA. This problem was supposed to be alleviated by WEP, but a great deal has been written about its flaws, and it protects only the initial association with the network and user data frames. Management and control frames are not encrypted or authenticated, leaving an attacker free to disrupt transmissions with spoofed frames, while tools such as AirSnort and WEPcrack can be used against WEP-protected systems. Fortunately the new products eliminate all known attacks. As an extra precaution, the latest products use key management protocols to change the WEP key every 15 minutes.
Solution #6: Perform Risk Analysis
To alleviate the problem of eavesdropping, the key decision is to balance the
threat of using only WEP against the complexity of deploying a proven solution. WEP
has been extensively studied and the security protocols have been fortified against all
SeebaluckYograj MSc [email protected] Level 1
12
mailto:[email protected]:[email protected]7/27/2019 802.11 report 2004.doc
15/21
CSE5211 IEEE 802.11 Standard & the Network Security Administration Strategy in a Wireless LAN
known attacks such that the short re-keying time which prevents hackers from
cracking the WEP key before it is replaced periodically. So if WEP key is to be used,
NAs should audit the WNs to ensure that it is not susceptible to AirSnort attack. Short
re-key time is an important tool used in minimising the risks associated with WLANs.
As part of site audit, NAs can use WLA to ensure that any policies on WEP re-keying
are implemented by the equipment. But if the WLAN is being used for sensitive data,
WEP is insufficient and solutions like SSL and IPSec were designed to transmit data
securely over public channels and these have been found resistant to attacks over
many years and will certainly continue to provide a higher level of security. WLAs
AP display can distinguish between APs that use WEP, 802.1x, and VPN technology,
which enables NAs to check that policies mandate strong cryptography usage.
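The site-audit check described above, written out as an added example (not the report's own code nor any analyzer vendor's): it walks a constructed WLA AP survey, classifies each AP by the mechanism seen (open, WEP, 802.1x, VPN) and flags APs that break the report's policy of strong cryptography on sensitive segments and a WEP re-key interval of at most 15 minutes. The record format, the field names and the sample values are assumptions.

```python
"""Policy-compliance audit over a WLA access-point survey (added example, not
code from the report or any analyzer vendor; records and thresholds are constructed)."""
from collections import namedtuple

# Constructed sample of an analyzer's AP display: one record per observed AP.
# "security" is the mechanism seen on the AP; rekey_minutes 0 means a static key.
SURVEY = [
    {"ssid": "corp-finance", "bssid": "00:11:22:33:44:01", "security": "wep",
     "rekey_minutes": 0, "sensitive": True},
    {"ssid": "corp-eng", "bssid": "00:11:22:33:44:02", "security": "802.1x",
     "rekey_minutes": 10, "sensitive": True},
    {"ssid": "guest", "bssid": "00:11:22:33:44:03", "security": "wep",
     "rekey_minutes": 60, "sensitive": False},
    {"ssid": "warehouse", "bssid": "00:11:22:33:44:04", "security": "open",
     "rekey_minutes": 0, "sensitive": False},
    {"ssid": "corp-vpn", "bssid": "00:11:22:33:44:05", "security": "vpn",
     "rekey_minutes": 0, "sensitive": True},
]
MAX_REKEY_MINUTES = 15        # the report's WEP re-key interval
STRONG = {"802.1x", "vpn"}    # mechanisms the report accepts for sensitive data
Finding = namedtuple("Finding", "bssid ssid problem")

def audit_ap(ap):
    """Return the policy violations for one AP record (empty list if compliant)."""
    findings = []
    sec = ap["security"]
    if sec == "open":
        findings.append(Finding(ap["bssid"], ap["ssid"], "no encryption at all"))
    elif sec == "wep":
        if ap["sensitive"]:
            findings.append(Finding(ap["bssid"], ap["ssid"],
                                    "WEP on a sensitive segment; require 802.1x or VPN"))
        # a static key (0) or a slow rotation both give a cracker enough time
        if not 0 < ap["rekey_minutes"] <= MAX_REKEY_MINUTES:
            findings.append(Finding(ap["bssid"], ap["ssid"],
                                    f"WEP re-key interval {ap['rekey_minutes']} min "
                                    f"is not within 1..{MAX_REKEY_MINUTES}"))
    elif sec not in STRONG:
        findings.append(Finding(ap["bssid"], ap["ssid"], f"unknown mechanism {sec!r}"))
    return findings

def audit_survey(survey):
    # flatten per-AP findings for the whole survey
    return [f for ap in survey for f in audit_ap(ap)]

def compliance_summary(survey):
    # the counts a NA would put in the site-audit report
    findings = audit_survey(survey)
    flagged = {f.bssid for f in findings}
    return {"aps": len(survey), "compliant": len(survey) - len(flagged),
            "findings": len(findings)}
```

On the constructed survey, three of the five APs are flagged (two WEP findings on the finance AP, a slow re-key on the guest AP and the open warehouse AP), so the summary reports two compliant APs and four findings.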
Problem #7: Higher Level Attacks
After gaining access to a WN, an attacker can use this access as a launch point
for attacks on other systems. Normally networks have a hard outer shell composed of
perimeter security devices that are carefully configured and monitored whereas the
inner part is vulnerable. WLANs can be deployed quickly if they are directly
connected to the vulnerable part, but that exposes the network to attacks. These
attacks can prove to be very costly if the network is used as a launch pad for attacks
on the rest of the world.
Solution #7: Protect Core from WLAN
WLANs are treated as untrusted networks due to their susceptibility to attacks.
Some companies provide guest access ports in training rooms. WLANs can be treated
as conceptually similar to guest access ports due to higher probability of access by
untrustworthy users. Therefore place the WLAN outside the corporate security
perimeter and use strong proven access control technology such as a firewall between
the WLAN and the core network. Then provide access to the core network through
proven VPN solutions for reliable security of the system. NAs can also implement
honeypots, which are fake networks used to lure in hackers; these enable them to find
out more about the techniques hackers are using to gain access. One such product
used as a honeypot is Mantrap, created by Symantec.
Conclusion
Reasonable precautions can make WNs safe for any organization that wants
to reap the benefits of mobility and flexibility. As with many other evolving network
technologies, the key is to design a network with security in mind and carry out
regular audits to ensure that the design is the actual basis for deployment. Hence,
from analysis to troubleshooting to auditing, a WNA is an indispensable tool for
wireless NAs. Moreover, NAs need to develop WLAN policies for security and
management, as exemplified in appendix 1, and should follow the six steps shown in
figure 3. Monitoring for policy compliance plays a critical role in ensuring that the
policy does not become a useless, unread document: without auditing the network
for policy compliance, the policy cannot be enforced. Hence the WLAN must be
extremely well managed to maximize performance and troubleshoot issues as they
arise.
Figure 3: Steps for WLAN Security and management policies
Wireless Networking Definitions IEEE 802.11
802.1x: This standard enhances the security of LANs by providing an authentication
framework that allows users to authenticate to a central authority, such as LDAP or
Active Directory.
802.11: The IEEE developed the 802.11 standard for WLANs. There are four
specifications including 802.11, 802.11a, 802.11b, and 802.11g. Each 802.11 standard
operates in a different GHz range and/or offers a different speed. 802.11 applies to
WLANs and provides 1 or 2 Mbps transmission in the 2.4 GHz band using either
FHSS or DSSS.
802.11a: An extension to the 802.11 standard that provides a maximum connect rate
of 54 Mbps throughput in the 5 GHz band. This specification is not backward
compatible with 802.11b.
802.11b: An extension to the 802.11 standard developed by the IEEE for WN
technology. 802.11b applies to wireless LANs and supports a maximum connect rate
of 11 Mbps with fallback to 5.5, 2, and 1 Mbps in the 2.4 GHz ISM band. This
standard was ratified in 1999 and is widely implemented in wireless networking
products supplied by most equipment vendors.
802.11g: An extension to the 802.11 standard that allows for a maximum connect rate
of 54 Mbps while maintaining compatibility with the 802.11b standard.
802.11h: An extension to the 802.11 standard that will allow flexibility in
transmission power and selecting frequencies in order to reduce interference with
other devices operating in the same frequency band.
802.11i: An extension to the 802.11 standard to provide improved security over those
available under 802.11 extensions. This extension provides for improved encryption
methods and for the integration of the IEEE 802.1x authentication protocol.
AP: A wireless communications hardware device that creates a central point of
wireless connectivity. A wireless AP behaves much like a "hub" in that the total
bandwidth is shared among all users for which the device is maintaining an active
network connection. An AP is an addressable station, providing an interface to
the DS for stations located within various BSSs.
DS: The DS is an element that interconnects BSSs within the ESS via APs and it
supports the 802.11 mobility types by providing logical services necessary to handle
address-to-destination mapping and seamless integration of multiple BSSs.
WEP: A security protocol for WNs defined within the 802.11b standard. WEP is
designed to provide the same level of security as that of a wired network. Research
indicates that the use of WEP alone is insufficient to ensure privacy unless used in
conjunction with other mechanisms for data encryption.
Glossary
AP Access Point
ARP Address Resolution Protocol
AS Authentication Server
BSS Basic Service Set
CKIP Cisco Key Integrity Protocol
CSMA/CA Collision Sense Multiple Access with Collision Avoidance
DS Distribution System
DSSS Direct Sequence Spread Spectrum
EAP Extensible Authentication Protocol
EAPOL EAP on LAN
ESS Extended Service Set
ESSID Extended Service Set Identifier
FHSS Frequency Hopping Spread Spectrum
IBSS Independent Basic Service Set
IEEE Institute of Electrical and Electronics Engineers
IPSec Internet Protocol security
ISM Industry, Scientific, and Medical
ISP Internet Service Provider
LAN Local Area Network
LDAP Lightweight Directory Access Protocol
LLC Logical Link Control
MAC Media Access Control
MITM Man-In-The-Middle
NA Network Administrator
NAS Network Access Server
NIC Network Interface Card
OpenSSL Open Secure Sockets Layer
PBNAC Port-Based Network Access Control
PEAP Protected-EAP
PPP Point-to-Point Protocol
RADIUS Remote Authentication Dial-In User Service
RAP Rogue Access Point
RC4 Ron's Code or Rivest's Cipher
RSN Robust Security Standard
SNMP Simple Network Management Protocol
SSID Service Set Identifier
SSL Secure Socket Layer
TLS Transport Layer Security
TTLS Tunneled TLS
VPN Virtual Private Network
WEP Wired Equivalent Privacy
WLA Wireless LAN Analyzer
WLAN Wireless LAN
WN Wireless Network
WNA Wireless Network Analyzer
WPA Wi-Fi Protected Access
Appendix 1
Figure 3: Example of AirDefense's WLAN policy