802.11 report 2004.doc


7/27/2019 802.11 report 2004.doc
1/21

UNIVERSITY OF MAURITIUS
FACULTY OF ENGINEERING

Assignment
NETWORK ADMINISTRATION & PROGRAMMING (CSE 5211)

Critical Survey of IEEE 802.11 Standard & the Network Security Administration Strategy in a Wireless LAN

Submitted by:
YOGRAJ SEEBALUCK (0303581)
MSC INFORMATION & COMMUNICATION TECHNOLOGY Level 1

http://www.80211report.com/

    24 April 2004

Seebaluck Yograj MSc [email protected] Level 1


    CSE5211 IEEE 802.11 Standard & the Network Security Administration Strategy in a Wireless LAN

Introduction

Over recent years, the market for wireless communications has enjoyed tremendous growth. Wireless technology now reaches, or is capable of reaching, virtually every location on the face of the earth. Hundreds of millions of people exchange information every day using pagers, cellular telephones, and other wireless communication products. With the tremendous success of wireless technology, it is hardly surprising that wireless communication is beginning to be applied to the realm of personal and business computing. No longer bound by the harnesses of wired networks, people will be able to access and share information on a global scale nearly anywhere they venture. This report covers the various aspects of wireless LANs with emphasis on IEEE 802.11, its weaknesses and how to secure it.

1. WLAN

The major motivation and benefit of wireless LANs is increased mobility. Untethered from conventional network connections, network users can move about almost without restriction and access LANs from anywhere. Examples of the practical uses for WN access are limited only by the imagination of the application designer. Medical professionals can obtain not only patient records, but real-time vital signs and other reference data at the patient's bedside without relying on reams of paper charts. Wireless connections with real-time sensing allow a remote engineer to diagnose and maintain the health and welfare of manufacturing equipment. The list of possibilities is almost endless. WLANs also offer increased flexibility. One can visualize without too much difficulty a meeting in which employees use laptops and wireless links to share and discuss future design plans and products. This "ad hoc" network can be brought up and torn down in a very short time as needed, either around the conference table or around the world. Even students on university campuses have been known to access lecture notes and other course materials while wandering about campus. Sometimes it is also more economical to use a WLAN, as it offers the connectivity and convenience of a wired LAN without the need for expensive wiring or rewiring.

2. WLAN Design

The real challenge in designing a WLAN is to strike a balance between its coverage and the bandwidth made available to each user, since there is a trade-off between the two: if the range is increased, the bandwidth per user is lower, and vice versa. Designing and managing a WLAN is not all that simple, as it requires careful planning and constant monitoring.

Here are the major steps that should be followed in designing a WLAN:

Step 1: Determine usage
Step 2: Conduct site survey
Step 3: Determine number of users per AP
Step 4: How much coverage
Step 5: Identify equipment
Step 6: Devise security policy
Step 7: Manageability & support

3. IEEE 802.11 WLAN Topologies

IEEE 802.11 supports three basic topologies for WLANs: the IBSS, the BSS and the ESS. All three configurations are supported by the MAC layer implementation. The 802.11 standard defines two modes: ad-hoc/IBSS and infrastructure mode. Logically, an ad-hoc configuration is analogous to a peer-to-peer office network in which no single node is required to function as a server. IBSS WLANs include a number of nodes or wireless stations that communicate directly with one another on an ad-hoc, peer-to-peer basis, building a full-mesh or partial-mesh topology. Generally, ad-hoc implementations cover a limited area and are not connected to any larger network. Using infrastructure mode, the WN consists of at least one AP connected to the wired network infrastructure and a set of wireless end stations. This configuration is called a BSS.

Since most corporate WLANs require access to the wired LAN for services (file servers, printers, Internet links), they will operate in infrastructure mode and rely on an AP that acts as the logical server for a single WLAN cell or channel. Communications between two nodes, A and B, actually flow from node A to the AP and then from the AP to node B. The AP is necessary to perform a bridging function and connect multiple WLAN cells or channels, and to connect WLAN cells to a wired enterprise LAN. An ESS is a set of two or more BSSs forming a single subnetwork. ESS configurations consist of multiple BSS cells that can be linked by either wired or wireless backbones. IEEE 802.11 supports ESS configurations as illustrated in Figure 1.

Figure 1: IEEE 802.11 BSS and ESS topologies

4. IEEE 802.11 WLAN Components

802.11 defines a wireless station equipped with a wireless NIC and an AP, which acts as a bridge between the wireless and wired networks. An AP consists of a radio, a wired network interface, and bridging software conforming to the 802.11d bridging standard. The AP acts as the base station for the WN, aggregating access for multiple wireless stations onto the wired network. Wireless end stations can be 802.11 PC Card, PCI, or ISA NICs, or embedded solutions in non-PC clients. An 802.11 WLAN is based on a cellular architecture. Each cell (BSS) is connected to the base station or AP. All APs are connected to a DS, which is similar to a backbone. All the mentioned components appear as an 802 system to the upper layers of OSI and are known as the ESS. The 802.11 standard does not constrain the composition of the DS, so it may be 802 compliant or non-standard. If data frames need transmission to and from a non-IEEE 802.11 LAN, then these frames enter and exit through a logical point called a portal. When the DS is constructed with 802-type components, such as 802.3 (Ethernet) or 802.5 (Token Ring), then the portal and the AP are the same, acting as a translation bridge.

5. 802.11 MAC Layer Services

5.1 Authentication Process & De-authentication

Authentication is the process of proving client identity, which takes place prior to a wireless client associating with an AP. IEEE 802.11 devices operate in an open system whereby any wireless client can associate with an AP without checking credentials. True authentication is possible with the use of the 802.11 option WEP. Only those devices with a valid shared key will be allowed to associate with the AP.

IEEE 802.1x is a standard for passing EAP over a wired or wireless LAN. With 802.1x, EAP messages are packaged in Ethernet frames and used for PBNAC, which provides authenticated network access to 802.11 WNs and to wired Ethernet networks. PBNAC uses the physical characteristics of a switched LAN infrastructure to authenticate devices that are attached to a LAN port and to prevent access to that port in cases where the authentication process fails.

During a PBNAC interaction, a LAN port adopts one of two roles: authenticator or supplicant. As authenticator, a LAN port enforces authentication before it allows user access to the services that can be accessed through that port. As supplicant, a LAN port requests access to the services that can be accessed through the authenticator's port. An AS, which can either be a separate entity or co-located with the authenticator, checks the supplicant's credentials on behalf of the authenticator. The AS then responds to the authenticator, indicating whether the supplicant is authorized to access the authenticator's services.

For the authenticator, PBNAC defines two logical access points to the LAN through one physical LAN port. The 1st logical access point, the uncontrolled port, allows data exchange between the authenticator and other computers on the LAN, regardless of the computer's authorization state. The 2nd logical access point, the controlled port, allows data exchange between an authenticated LAN user and the authenticator. IEEE 802.1x uses standard security protocols to provide centralized user identification, authentication, dynamic key management and accounting. The de-authentication function is performed by the base station. It is the process of denying client credentials, based on incorrect authentication settings or applied IP or MAC filters.

5.2 Association, Disassociation & Re-association

The association service enables the establishment of wireless links between wireless clients and APs in infrastructure networks. The disassociation service cancels the wireless links between wireless clients and APs in infrastructure networks. The re-association service occurs in addition to association when a wireless client moves from one BSS to another. Two adjoining BSSs form an ESS if they are defined by a common ESSID, providing a wireless client with the capability to roam from one area to another. Although re-association is specified in 802.11, the mechanism that allows AP-to-AP coordination to handle roaming is not specified.


5.3 Privacy

By default, data is transferred in the clear, allowing any 802.11-compliant device to potentially eavesdrop on similar 802.11 traffic within its range. The WEP option encrypts data before it is sent wirelessly, using a 40-bit encryption algorithm known as RC4. The same shared key used in authentication is used to encrypt or decrypt the data, allowing only wireless clients with the exact shared key to correctly decipher the data.
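The WEP privacy service just described, as an added example written for this page (not code from the report): the 40-bit shared key is combined with a per-frame 24-bit IV to seed RC4, and a CRC-32 ICV is appended before encryption, so only a holder of the same key recovers a payload whose ICV checks. The IV and ICV come from the WEP definition rather than this section's text; the key, IV and payload values are constructed.

```python
"""WEP frame-body encapsulation (added example). Assumptions: 5-byte shared
key as in the text, 3-byte IV and CRC-32 ICV from the WEP definition,
little-endian ICV byte order chosen for this demo, constructed sample data."""
import zlib
from typing import Optional


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + generator); WEP seeds it with IV || key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encapsulate(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Return IV || RC4(IV || shared_key) XOR (payload || CRC32(payload)).

    The ICV travels encrypted together with the payload; a receiver without
    the shared key can neither read the payload nor produce a matching ICV."""
    if len(shared_key) != 5:
        raise ValueError("40-bit WEP key expected (5 bytes)")
    if len(iv) != 3:
        raise ValueError("24-bit IV expected (3 bytes)")
    icv = zlib.crc32(payload).to_bytes(4, "little")
    plain = payload + icv
    keystream = rc4_keystream(iv + shared_key, len(plain))
    cipher = bytes(p ^ k for p, k in zip(plain, keystream))
    return iv + cipher


def wep_decapsulate(shared_key: bytes, frame_body: bytes) -> Optional[bytes]:
    """Decrypt with the shared key and verify the ICV.

    Returns the payload, or None when the ICV does not match, which is what
    a station holding the wrong key (or a modified frame) produces."""
    iv, cipher = frame_body[:3], frame_body[3:]
    keystream = rc4_keystream(iv + shared_key, len(cipher))
    plain = bytes(c ^ k for c, k in zip(cipher, keystream))
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        return None
    return payload


if __name__ == "__main__":
    shared = bytes.fromhex("0102030405")          # constructed 40-bit key
    body = wep_encapsulate(shared, b"\x00\x00\x01", b"patient record #42")
    print(wep_decapsulate(shared, body))           # payload recovered
    print(wep_decapsulate(bytes.fromhex("0504030201"), body))  # wrong key: None
```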

5.4 Data Transfer, Distribution, Integration & Power Management

The primary service of the MAC layer is to provide frame exchange between MAC layers. Wireless clients use a CSMA/CA algorithm as the media access scheme. The distribution function is performed by the DS and is used in special cases in frame transmission between APs. Integration is performed by the portal, where essentially the portal is designed to provide logical integration between existing wired LANs and 802.11 LANs. IEEE 802.11 defines two power modes: an active mode, where a wireless client is powered to transmit and receive; and a power save mode, where a client is not able to transmit or receive, consuming less power. Actual power consumption is not defined and is dependent upon the implementation.

6. Securing a WLAN

WLANs are based on the IEEE 802.11 standard. Once the standard was defined, the Wi-Fi Alliance was formed to avoid interoperability problems between 802.11 products from different vendors, and it coined the term Wi-Fi for WLANs based on IEEE 802.11. Initially the latter had only WEP for its security. However, as WLANs became popular, flaws in it were detected, and tools to break WEP security were easily available on the Internet. The August 2003 issue of PCQUEST Magazine pointed out the weaknesses in WEP and even cracked the WEP key using a popular and freely available tool. But this does not mean that WLANs are not secure. Those in the business of security know that there is no such thing as absolute security, but one can make it tougher to breach. There are many ways to do this, starting from MAC address-based filtering to the new IEEE 802.11i security standard.

6.1 WEP security

In the WEP security model, the AP is the decision maker that allows people to access the WLAN. If the WEP key is correct the user can access the network; if not, he is denied. An attacker, after cracking the correct WEP key, can use the WLAN with no problems.


6.2 MAC Address-Based Filtering

This is the 2nd line of defense against attackers after WEP: the wireless AP or router can be configured to accept packets only from known MAC addresses. But this method also has its shortcomings. MAC addresses are very easy to fake or spoof, and they flow in clear text over the air. Nonetheless, it is a better approach than WEP, and most APs and routers support this feature.

6.3 IEEE 802.11i and WPA

IEEE 802.11i is a new-generation security method for WNs. It defines a new type of WLAN called RSN, which requires the wireless devices to have a number of new capabilities. However, customers cannot dump their existing products, and the standard is not yet released. So the Wi-Fi Alliance has adopted a new standard based on RSN, called WPA.

6.4 Three-Party Security Model of WPA and IEEE 802.11i

The new standard based on WPA describes a different security model which takes a three-party approach instead of the two-party approach used earlier, whereby a user wanting to connect to a WN first connects to the AP itself. But now the AP itself cannot allow the user to access the network, because the AP connects to a separate AS which takes the decision on access. Thus, even with a valid WEP key, a user cannot access the WLAN until permitted by the AS, such that the AP becomes the NAS, whose job is to control the access gate to the network under the direction of the AS. IEEE 802.11i also takes the same approach.

6.5 Protocols for Wireless Security: EAP

In a WLAN, a user identifies himself to the AS using EAP. Using EAP messages, the user provides his identity to the AP, which forwards it to the AS for authentication. Depending on the user information, the AS gives a success or failure signal to the user. However, the user identity is passed on unprotected, where it can be easily snooped by an intruder. Then the intruder can disguise himself as a valid user to access the WN, and the administrator has no means to tell whether data is coming from the right source. EAP messages between the user and the AP are transported over EAPOL, which is like the PPP connection used for dial-up Internet access.

6.6 Upper Layer Authentication Built on EAP

To avoid the weakness of authentication built on EAP alone, upper-layer authentication such as TLS, Kerberos or PEAP is used in conjunction with EAP. After the initial identification done by EAP, the AS defers the success or failure of the EAP session until the above authentication methods have made sure that the user information is coming from the correct source.

6.7 PEAP

PEAP prevents the user identity from flying through the air unprotected. It provides mutual authentication in which the AS first proves its identity to the client, using a digital certificate for instance, and also gives the user the public key of the certificate. After this the user identity can be sent to the AS encrypted with the public key of the server, which can only be read by the AS using its private key and not by an attacker.

6.8 IEEE 802.1x

A security standard featuring a port-based authentication framework and dynamic distribution of session keys for WEP encryption. A RADIUS server is required. EAP messages from the user are passed on to the AS, and messages from the AS are passed to the user. In between, the 802.1x AP looks for special EAP messages like success or failure to finally connect or disconnect the user.

Figure 2: 802.1x Authentication

6.9 RADIUS

A better way is to have a dedicated AS with the user lists, with which the NAS communicates. This communication between the NAS and the AS is done using the RADIUS protocol. So in WLANs the AS is basically a server running the RADIUS protocol, supporting EAP extensions to authenticate wireless users on the basis of the user list present on it; it should also support other network protocols. So as to use this security model, support at all three levels is required: the client system, the AP and the AS. As a client, Win XP by default has support for 802.1x. Open source implementations are available for Linux clients. For the APs, Cisco and D-Link products support 802.1x. On the server side, Windows 2003 Server provides the necessary support, and for Linux, OpenSSL and FreeRadius can be used for 802.1x.
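The three-party model of sections 5.1 and 6.5 to 6.9 in working form, as an added example written for this page (not the report's code): the AP relays EAPOL over its uncontrolled port, the AS holds the user list and decides, and the AP opens the controlled port for a station only on EAP-Success, handing it the session key that 6.8 says 802.1x distributes. The frame layout, the "identity:secret" credential shortcut standing in for a real EAP method, the HMAC-derived session key, the user list and the addresses are all constructed.

```python
"""802.1x port-based access control on an AP (added example, constructed
frame format and credentials; a real AS would run PEAP/TLS over RADIUS)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

EAPOL, DATA = "eapol", "data"
SUCCESS, FAILURE = "EAP-Success", "EAP-Failure"


@dataclass(frozen=True)
class Frame:
    src: str        # station MAC address
    kind: str       # EAPOL (authentication traffic) or DATA (user traffic)
    body: str = ""  # for EAPOL: "identity:secret" (constructed shortcut)


class AuthenticationServer:
    """Stand-in for the RADIUS/EAP server holding the user list."""
    def __init__(self, users: Dict[str, str]):
        self.users = dict(users)

    def decide(self, identity: str, secret: str) -> Tuple[str, bytes]:
        """Return (EAP result, per-session key).

        The key plays the role of the dynamically distributed WEP session key
        from 6.8; deriving it with HMAC from the user secret is a demo choice."""
        expected = self.users.get(identity)
        if expected is None or not hmac.compare_digest(expected, secret):
            return FAILURE, b""
        key = hmac.new(secret.encode(), identity.encode(), hashlib.sha256).digest()[:5]
        return SUCCESS, key


@dataclass
class Authenticator:
    """The AP (NAS): one physical port, an uncontrolled and a controlled logical port."""
    server: AuthenticationServer
    authorized: Set[str] = field(default_factory=set)
    session_keys: Dict[str, bytes] = field(default_factory=dict)

    def receive(self, frame: Frame) -> str:
        """Outcome for one frame: the AS decision, 'forwarded' or 'dropped'."""
        if frame.kind == EAPOL:
            # Uncontrolled port: EAPOL is relayed whatever the station's state;
            # the AP never decides by itself, the AS does.
            identity, _, secret = frame.body.partition(":")
            decision, key = self.server.decide(identity, secret)
            if decision == SUCCESS:
                self.authorized.add(frame.src)
                self.session_keys[frame.src] = key
            else:
                self.deauthenticate(frame.src)
            return decision
        # Controlled port: user data passes only for stations the AS admitted.
        return "forwarded" if frame.src in self.authorized else "dropped"

    def deauthenticate(self, station: str) -> None:
        """De-authentication (5.1): the base station closes the controlled port."""
        self.authorized.discard(station)
        self.session_keys.pop(station, None)


if __name__ == "__main__":
    ap = Authenticator(AuthenticationServer({"alice": "s3cret"}))  # constructed user list
    sta = "00:16:6f:11:22:33"                                     # constructed station
    print(ap.receive(Frame(sta, DATA, "hello")))           # dropped
    print(ap.receive(Frame(sta, EAPOL, "alice:s3cret")))   # EAP-Success
    print(ap.receive(Frame(sta, DATA, "hello")))           # forwarded
```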

6.10 Proprietary Security

To enhance existing protection mechanisms, proprietary security solutions exist. As recognized industry leaders of client and infrastructure systems, Intel and Cisco are working together to enable a protected, interoperable, and manageable system. LEAP is Cisco's version of EAP, compatible with Cisco Aironet products. CKIP is Cisco's version of TKIP, compatible with Cisco Aironet products, which adds security, performance and manageability to a WLAN consisting of Cisco Aironet infrastructure and compatible third-party clients. One also needs to check for interoperability between the infrastructure and client-side WLAN components. Be sure to look for Wi-Fi CERTIFIED products, as they have been tested for interoperability with other certified products. The Wi-Fi Alliance has a list of certified products on its website.

7. Current Security Problems of 802.11 Wireless & their Solution

A WN is more vulnerable to attacks than a wired network, so security is a critical element of WLAN design. The most prominent security vulnerabilities associated with WLANs, and how network engineers could build a secure WN, are discussed in this section. Let us see how and where to use these security measures and evaluate the risk involved with them.

Problem #1: Very Easy Access

WLANs are easy to find. The information needed to join a network is also that needed to launch an attack. To enable clients to find them, networks transmit Beacon frames with network parameters which are not processed by any privacy functions, such that the 802.11 network and its parameters are available to anybody with an 802.11 card. Attackers with high-gain antennas can find networks from nearby and launch attacks without having physical access to the WLAN.

Solution #1: Secure Airwaves with Encryption & Strong Access Control

Ensuring security on a WN is partly a matter of design. NAs should place APs outside of security perimeter devices (firewalls) and use VPNs to provide access to the corporate network. Strong user authentication should be deployed (e.g. 802.1x, which defines new frame types for user-based authentication and leverages existing enterprise user databases such as RADIUS). Front-end authentication exchanges using 802.1x over the wireless medium are converted to RADIUS requests over the back-end wired LAN. NAs should also use a WNA (e.g. AirMagnet WLA) whose analysis system includes a diagnostic routine for WLANs that watches authentication traffic and provides a diagnostic for the NAs. The WLA analysis system tracks 802.1x authentication messages and key distribution messages from a central screen, and the WLAN must be regularly audited to ensure that the deployment is consistent with the security objectives of the design. The WLA analysis engine can perform in-depth analysis on frames and can detect several common 802.11 security problems.

Problem #2: Discovery of Rogue Access Points (RAP)

Easy access to WLANs is coupled with easy deployment. These two combined can cause headaches for NAs. Any user can purchase an AP and connect it to the corporate network without authorization. So-called rogue access points deployed by end users pose great security risks, as those users are not security experts and may not be aware of the risks posed by WLANs. Many deployments that have been logged and mapped by war drivers do not have any security features enabled, making them vulnerable.

Solution #2: Regular Site Audits & Multi-Dimensional Intrusion Detection

WNs require vigilance on the part of the NAs. Given the ease with which the technologies can be exploited for access, learning when unauthorised networks have been deployed is a vital task. The obvious way to find unauthorised networks is to imitate an attacker: use an antenna and look for unauthorised networks before attackers exploit them. So physical site audits should be performed regularly.

Walk-through detection often begins with NetStumbler, which is a good tool for finding a large number of APs and associating them with geographic locations for mapping applications. With the emergence of 802.11a, NAs should look for a hassle-free product that supports both 802.11a and 802.11b. Dual-band 802.11a/b chipsets and cards built with them allow NAs to work on both without hardware changes, so they need to master only one supported platform for both 802.11a and 802.11b; this should apply to 802.11g as well, as WNA vendors are certain to adopt 802.11a/b/g cards.

Many tools are used to perform site audits and track RAPs, but NAs must be conscious of the need to keep up with the latest techniques used in the cat-and-mouse game played out in the site audit. An AP can be deployed in any frequency band defined in 802.11, so it is important that any tools used in audits can scan the entire frequency range. Even if 802.11b is chosen, a WNA used for site audit work should be capable of simultaneously scanning for unauthorised 802.11a APs so that no hardware or software swaps are required during an audit. Some RAPs are beginning to be deployed illegally on 802.11b channels that are not available for transmission. NAs are always pressed for time and need an efficient way to find RAPs. For instance, AirMagnet's expert engine allows NAs to configure a list of authorised APs; thus any unauthorised AP will trigger an alarm. In response to the alarm, NAs can use the find tool on a WNA to home in on an AP using real-time signal strength meters.
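The authorised-AP alarm logic this solution describes, as an added example written for this page (not the report's or AirMagnet's code). It checks each observed beacon against an authorised BSSID list and against the channels permitted for transmission at the site, and treats an unknown BSSID advertising the corporate SSID as the most serious case. The beacon observations, the authorised inventory and the permitted channel set are constructed.

```python
"""Rogue AP detection from beacon observations (added example; all
addresses, SSIDs and the channel policy below are constructed samples)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Channels this (constructed) site may transmit on: 802.11b channels 1-11.
PERMITTED_CHANNELS = set(range(1, 12))

# Authorised APs: BSSID -> (SSID, channel). Constructed sample inventory.
AUTHORISED: Dict[str, Tuple[str, int]] = {
    "00:0c:41:aa:bb:01": ("CORP-WLAN", 1),
    "00:0c:41:aa:bb:02": ("CORP-WLAN", 6),
    "00:0c:41:aa:bb:03": ("CORP-WLAN", 11),
}


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int


@datastype = None  # placeholder removed below
```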

Problem #3: Unauthorised Service & Legal Implications

Many benchmarks have published results indicating that a majority of APs are put in service with minimal modifications to the default configuration. Most of the APs running with quasi-default settings have not activated WEP, or have a default vendor key. Two problems can arise from such open access. In addition to bandwidth charges for unauthorised use, legal problems may result. Unauthorised users may not necessarily obey your provider's terms of service, and it may only take one spammer to cause your ISP to revoke your connectivity.

Solution #3: Design and Audit for Strong Authentication

A defence against unauthorised use is to keep unauthorised users off the network. Strong, cryptographically protected authentication is a precondition for authorization, as access privileges are based on user identity. So VPN solutions deployed to protect traffic in transit across the radio link provide strong authentication. Organizations which perform risk analysis indicate that 802.1x is a sufficient technical countermeasure, ensuring cryptographically secure authentication (PEAP, TLS or TTLS). As part of its monitoring, a WNA detects important 802.1x properties such as the user name and EAP type.

Once a WN has been successfully deployed, it is important to ensure that authentication/authorisation policies are rigorously followed. So the solution is to perform regular audits of the WN equipment to ensure that strong authentication is used and that network devices are properly configured. These audits are a vital component of WLAN security, for they are used to verify that strong security tools are in place and required for use of the WLAN, as well as sniffing out unauthorised WLAN deployments. So any comprehensive audit tool must detect APs in both the 802.11b (2.4 GHz ISM band) and 802.11a (5 GHz U-NII) frequency bands, as well as summarize parameters relevant to security. If an unauthorised station is found in the network, a receiver can be used to track down its physical location; the tool should also verify the configuration of AP parameters and raise alarms when APs expose vulnerabilities.

Problem #4: Service and Performance Constraints

WLANs have limited transmission capacity: WLANs based on 802.11b have a bit rate of 11 Mbps, and those based on 802.11a technology have bit rates up to 54 Mbps. Due to MAC layer overhead, the actual effective throughput tops out at roughly half of the nominal bit rate. Current shipping APs share that limited capacity between all the users associated with an AP. It is not hard to imagine how local area applications might overwhelm such limited capacity, or how an attacker might launch a denial of service attack on the limited resources.

Radio capacity can be overwhelmed in various ways, as it can be swamped by traffic coming in from the wired network at a rate greater than the radio channel can handle. If an attacker were to launch a ping flood from broadcast addresses, it is possible to overwhelm several directly connected APs. The 802.11 MAC is designed to allow multiple WNs to share the same space and radio channel. So attackers wishing to take out the WN could send their own traffic on the same radio channel, and the target network would accommodate the new traffic as best it could using the CSMA/CA mechanisms in the standard. Attackers can also overwhelm limited capacity by transmitting spoofed frames or by sending high-noise transmissions at a target WN. Large traffic need not be maliciously generated, for if many users start pulling vast tracts of data through the same AP, network access begins to resemble the caricature of dial-up access used by purveyors of high-speed broadband services.

Solution #4: 24x7 Network Monitoring

Addressing performance problems starts with monitoring and discovering them. NAs have many channels for performance data, ranging from technical measures such as SNMP to non-technical measures such as user performance reports. WNAs are a valuable ally for the NAs, reporting on the signal quality and network health at the current location. A large amount of low-speed transmissions may indicate external interference or severe multipath fading. The ability to display instantaneous speeds on each channel gives a strong indication of the remaining capacity on the channel. Excessive traffic on an AP can be addressed by segmenting the AP's coverage area or by applying a traffic shaping solution at the confluence of the WN with the corporate backbone.

WNAs are used near trouble spots for diagnosis and to observe denial of service attacks. Tools exist that spoof the disassociation messages between APs and clients. Without cryptographic authentication of these messages, clients respond to these forged messages by going offline. Until cryptographic frame authentication of every transmitted frame is required by the standards, the only practical defence against flooding attacks is to locate attackers and apply an appropriate solution.
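The kind of monitoring a WNA performs on forged disassociation and deauthentication frames, as an added example written for this page (not the report's or any vendor's code): a per-BSSID sliding-window rate check, corroborated by two signals a forger tends to leave, teardowns addressed to the broadcast address and sequence numbers that jump backwards when a second transmitter uses the AP's address. The frame records are constructed; a real deployment would feed them from a monitor-mode capture.

```python
"""Teardown (disassoc/deauth) flood detection over management frames
(added example; subtype codes are the 802.11 values, everything else is
a constructed sample)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Optional

BEACON, DISASSOC, DEAUTH = 8, 10, 12        # 802.11 management subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class MgmtFrame:
    t: float        # capture time in seconds
    subtype: int
    bssid: str      # transmitter address (the AP, or whoever claims to be it)
    dst: str
    seq: int        # 12-bit sequence number from the sequence control field


class TeardownFloodDetector:
    def __init__(self, window_s: float = 5.0, threshold: int = 10):
        self.window_s = window_s
        self.threshold = threshold
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)
        self.last_seq: Dict[str, int] = {}

    def feed(self, f: MgmtFrame) -> List[str]:
        """Return the alerts this frame raises (usually none)."""
        prev: Optional[int] = self.last_seq.get(f.bssid)
        self.last_seq[f.bssid] = f.seq          # track every frame from the transmitter
        if f.subtype not in (DISASSOC, DEAUTH):
            return []
        alerts: List[str] = []
        # Sequence numbers increase mod 4096; a backward jump (less than half the
        # space) means two senders are sharing the AP's address.
        if prev is not None and 1 <= (prev - f.seq) % 4096 < 2048:
            alerts.append(f"{f.bssid}: sequence number went backwards ({prev} -> {f.seq})")
        q = self.recent[f.bssid]
        q.append(f.t)
        while q and f.t - q[0] > self.window_s:
            q.popleft()
        if len(q) == self.threshold:            # fire once per crossing of the rate
            alerts.append(f"{f.bssid}: {self.threshold} teardown frames in {self.window_s:.0f}s")
        if f.dst == BROADCAST:                  # an AP rarely kicks every client at once
            alerts.append(f"{f.bssid}: broadcast teardown frame")
        return alerts


def scan(frames: Iterable[MgmtFrame]) -> List[str]:
    det = TeardownFloodDetector()
    out: List[str] = []
    for f in frames:
        out.extend(det.feed(f))
    return out


def sample_capture() -> List[MgmtFrame]:
    """Constructed capture: a legitimate AP beaconing with an increasing
    counter, one genuine disassociation, then a forged broadcast burst."""
    ap = "00:0c:41:aa:bb:01"
    frames = [MgmtFrame(i * 0.1, BEACON, ap, BROADCAST, 1000 + i) for i in range(20)]
    frames.append(MgmtFrame(2.05, DISASSOC, ap, "00:16:6f:11:22:33", 1020))
    frames += [MgmtFrame(3.0 + i * 0.05, DEAUTH, ap, BROADCAST, 500 + i) for i in range(12)]
    return frames


if __name__ == "__main__":
    for line in scan(sample_capture()):
        print(line)
```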


Problem #5: MAC Spoofing & Session Hijacking

802.11 networks do not authenticate frames. Each frame has a source address, and attackers can use spoofed frames to redirect traffic, corrupt ARP tables, and mount active attacks. In addition to hijacking sessions, they can exploit the lack of authentication of APs, which are identified only by their broadcast of Beacon frames. Any station which claims to be an AP and broadcasts the right SSID will appear to be part of an authorised network. The attacker could then potentially steal credentials and use them to gain access to the network through a MITM attack. Fortunately, protocols that support mutual authentication are possible with 802.1x. Using methods based on TLS, APs will need to prove their identity before clients provide authentication credentials, which are protected by strong cryptography for transmission over the air. Session hijacking will not be completely solved until the 802.11 MAC adopts per-frame authentication as part of 802.11i.

Solution #5: Use Strong Protocols

MAC spoofing will remain a threat until the ratification of 802.11i. NAs must isolate WNs affected by MAC spoofing from the core network. Session hijacking can be prevented by using a strong cryptographic protocol such as IPSec. Along with VPN protocols, strong user authentication with 802.1x is required, which checks the exchanges on the wireless component. After deployment, a WNA will decode the authentication type, which allows NAs to protect passwords.
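The disassociation flooding and rogue-AP problems above reduce to two signals a WNA can observe: bursts of unauthenticated deauthentication/disassociation frames, and beacons for a known SSID from a BSSID that is not in the AP inventory. The following Python code is an added example, not code from the original report or from any analyzer product; the frame record fields, addresses, inventory and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

# Hypothetical AP inventory: BSSID -> SSID it is authorised to serve.
AUTHORISED_APS = {"00:0c:41:aa:bb:01": "CORP-WLAN"}

# Constructed sample of management frames as a WNA might log them.
# The 30 deauth frames carry the legitimate AP's address as transmitter:
# without frame authentication a forged frame looks exactly like a real one.
FRAMES = [
    {"t": 0.05 * i, "type": "deauth", "src": "00:0c:41:aa:bb:01", "ssid": ""}
    for i in range(30)
] + [
    {"t": 1.0, "type": "beacon", "src": "00:0c:41:aa:bb:01", "ssid": "CORP-WLAN"},
    {"t": 1.1, "type": "beacon", "src": "00:de:ad:be:ef:01", "ssid": "CORP-WLAN"},
    {"t": 1.2, "type": "deauth", "src": "00:0c:41:aa:bb:02", "ssid": ""},
]


def deauth_flood_sources(frames, window=1.0, threshold=10):
    """Return transmitter addresses that sent more than `threshold`
    deauth/disassoc frames inside any `window`-second interval.
    The rate is the only usable signal: the address may be spoofed, so a hit
    means "go and locate the transmitter", not "this AP is misbehaving"."""
    recent = defaultdict(deque)
    flagged = set()
    for f in sorted(frames, key=lambda f: f["t"]):
        if f["type"] not in ("deauth", "disassoc"):
            continue
        q = recent[f["src"]]
        q.append(f["t"])
        while f["t"] - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(f["src"])
    return flagged


def rogue_beacon_sources(frames, authorised=AUTHORISED_APS):
    """Return BSSIDs advertising one of our SSIDs that are absent from the
    inventory: a station claiming to be an AP with the right SSID."""
    our_ssids = set(authorised.values())
    return {
        f["src"]
        for f in frames
        if f["type"] == "beacon" and f["ssid"] in our_ssids and f["src"] not in authorised
    }
```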

Problem #6: Traffic Analysis & Network Eavesdropping

802.11 provides no protection against an attacker who passively observes traffic. The main risk is that it does not provide a way to protect data in transit against eavesdropping; frame headers are clearly visible to anybody with a WNA. This problem was supposed to be alleviated by WEP, but a great deal has been written about its flaws: it protects only the initial association with the network and the user data frames. Moreover, management and control frames are neither encrypted nor authenticated, leaving an attacker free to disrupt transmissions with spoofed frames, and tools such as AirSnort and WEPcrack can crack WEP-protected systems. Fortunately, the newer products eliminate all known attacks. As an extra precaution, the latest products use key management protocols to change the WEP key every 15 minutes.

Solution #6: Perform Risk Analysis

To alleviate the problem of eavesdropping, the key decision is to balance the threat of using only WEP against the complexity of deploying a proven solution. WEP has been extensively studied and the security protocols have been fortified against all known attacks, for instance by a short re-keying time, which prevents hackers from cracking the WEP key before it is periodically replaced. So if a WEP key is to be used, NAs should audit the WNs to ensure that they are not susceptible to an AirSnort attack. A short re-key time is an important tool for minimising the risks associated with WLANs. As part of a site audit, NAs can use a WLA to ensure that any policies on WEP re-keying are actually implemented by the equipment. But if the WLAN is being used for sensitive data, WEP is insufficient; solutions like SSL and IPSec were designed to transmit data securely over public channels, have been found resistant to attacks over many years and will certainly continue to provide a higher level of security. A WLA's AP display can distinguish between APs that use WEP, 802.1x and VPN technology, which enables NAs to check that policies mandating strong cryptography are followed.
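The two audit checks this solution describes, that WEP re-keying policy is honoured by the equipment and that sensitive WLANs use 802.1x or VPN rather than WEP alone, can be run over a WLA's AP inventory. The following Python code is an added example, not part of the original report or of any WLA product; the record format and the sample APs are constructed, and the 15-minute re-key limit and accepted modes are taken from the text.

```python
# Constructed AP records of the kind a WLA site audit could export.
# Field names and values are assumptions for this example, not a real tool's format.
APS = [
    {"bssid": "00:0c:41:aa:bb:01", "ssid": "CORP-WLAN", "security": "WEP",
     "rekey_min": 10, "sensitive": False},
    {"bssid": "00:0c:41:aa:bb:02", "ssid": "CORP-WLAN", "security": "WEP",
     "rekey_min": 60, "sensitive": False},
    {"bssid": "00:0c:41:aa:bb:03", "ssid": "FINANCE", "security": "WEP",
     "rekey_min": 5, "sensitive": True},
    {"bssid": "00:0c:41:aa:bb:04", "ssid": "FINANCE", "security": "802.1x",
     "rekey_min": None, "sensitive": True},
    {"bssid": "00:0c:41:aa:bb:05", "ssid": "GUEST", "security": "open",
     "rekey_min": None, "sensitive": False},
]

STRONG_MODES = {"802.1x", "VPN"}   # modes the policy accepts for sensitive data
MAX_REKEY_MIN = 15                 # WEP re-key interval recommended in the text


def audit_crypto_policy(aps, max_rekey_min=MAX_REKEY_MIN):
    """Return (bssid, finding) pairs for every AP that violates the policy:
    open APs, WEP-only APs carrying sensitive data, and WEP APs whose
    re-key interval is missing (static key) or longer than the limit."""
    findings = []
    for ap in aps:
        mode = ap["security"]
        if mode == "open":
            findings.append((ap["bssid"], "no encryption"))
        elif mode == "WEP":
            if ap["sensitive"]:
                findings.append((ap["bssid"], "WEP-only on sensitive WLAN; require 802.1x or VPN"))
            elif ap["rekey_min"] is None or ap["rekey_min"] > max_rekey_min:
                findings.append((ap["bssid"], f"WEP re-key interval exceeds {max_rekey_min} min"))
        elif mode not in STRONG_MODES:
            findings.append((ap["bssid"], f"unrecognised security mode {mode!r}"))
    return findings
```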

Problem #7: Higher Level Attacks

After gaining access to a WN, an attacker can use this access as a launch point for attacks on other systems. Normally networks have a hard outer shell of carefully configured and monitored perimeter security devices, whereas the inner part is vulnerable. WLANs can be deployed quickly if they are connected directly to that vulnerable inner part, but doing so exposes the network to attacks. These attacks can prove very costly if the network is then used as a launch pad for attacks on the rest of the world.

Solution #7: Protect Core from WLAN

WLANs are treated as untrusted networks due to their susceptibility to attacks. Some companies provide guest access ports in training rooms; WLANs can be treated as conceptually similar to guest access ports because of the higher probability of access by untrustworthy users. Therefore, place the WLAN outside the corporate security perimeter and use strong, proven access control technology such as a firewall between the WLAN and the core network. Then provide access to the core network through proven VPN solutions for reliable security of the system. NAs can also implement honeypots, which are fake networks used to lure in hackers; this enables them to find out more about the techniques hackers are using to gain access. One product used as a honeypot is Mantrap, created by Symantec.


Conclusion

Reasonable precautions can make WNs safe for any organization that wants to reap the benefits of mobility and flexibility. As with many other evolving network technologies, the key is to design a network with security in mind and carry out regular audits to ensure that the design is the actual basis for deployment. Hence, from analysis to troubleshooting to auditing, a WNA is an indispensable tool for wireless NAs. Moreover, NAs need to develop WLAN policies for security and management, as exemplified in Appendix 1, and should follow the six steps shown in Figure 3. Monitoring for policy compliance plays a critical role in ensuring that the policy does not become a useless, unread document: without auditing the network for policy compliance, the policy cannot be enforced. Hence a WLAN must be extremely well managed to maximize performance and troubleshoot issues as they arise.

    Figure 3: Steps for WLAN Security and management policies


Wireless Networking Definitions IEEE 802.11

802.1x: This standard enhances the security of LANs by providing an authentication framework allowing users to authenticate to a central authority, such as LDAP or Active Directory.

802.11: The IEEE developed the 802.11 standard for WLANs. There are four specifications: 802.11, 802.11a, 802.11b and 802.11g. Each 802.11 standard operates in a different GHz range and/or offers a different speed. 802.11 applies to WLANs and provides 1 or 2 Mbps transmission in the 2.4 GHz band using either FHSS or DSSS.

802.11a: An extension to the 802.11 standard that provides a maximum connect rate of 54 Mbps in the 5 GHz band. This specification is not backward compatible with 802.11b.

802.11b: An extension to the 802.11 standard developed by the IEEE for WN technology. 802.11b applies to wireless LANs and supports a maximum connect rate of 11 Mbps with fallback to 5.5, 2 and 1 Mbps in the 2.4 GHz ISM band. This standard was ratified in 1999 and is widely implemented in wireless networking products supplied by most equipment vendors.

802.11g: An extension to the 802.11 standard that allows for a maximum connect rate of 54 Mbps while maintaining compatibility with the 802.11b standard.

802.11h: An extension to the 802.11 standard that will allow flexibility in transmission power and in selecting frequencies in order to reduce interference with other devices operating in the same frequency band.

802.11i: An extension to the 802.11 standard that provides improved security over that available under the earlier 802.11 extensions. This extension provides for improved encryption methods and for the integration of the IEEE 802.1x authentication protocol.

AP: A wireless communications hardware device that creates a central point of wireless connectivity. A wireless AP behaves much like a "hub" in that the total bandwidth is shared among all users for which the device is maintaining an active network connection. An AP is an addressable station, providing an interface to the DS for stations located within various BSSs.

DS: The DS is an element that interconnects BSSs within the ESS via APs. It supports the 802.11 mobility types by providing the logical services necessary to handle address-to-destination mapping and the seamless integration of multiple BSSs.

WEP: A security protocol for WNs defined within the 802.11b standard. WEP is designed to provide the same level of security as that of a wired network. Research indicates that the use of WEP alone is insufficient to ensure privacy unless it is used in conjunction with other mechanisms for data encryption.


    Glossary

    AP Access Point

    ARP Address Resolution Protocol

    AS Authentication Server

    BSS Basic Service Set

    CKIP Cisco Key Integrity Protocol

    CSMA/CA Collision Sense Multiple Access with Collision Avoidance

    DS Distribution System

    DSSS Direct Sequence Spread Spectrum

    EAP Extensible Authentication Protocol

    EAPOL EAP on LAN

    ESS Extended Service Set

    ESSID Extended Service Set Identifier

FHSS Frequency Hopping Spread Spectrum

IBSS Independent Basic Service Set

    IEEE Institute of Electrical and Electronics Engineers

    IPSec Internet Protocol security

    ISM Industry, Scientific, and Medical

    ISP Internet Service Provider

    LAN Local Area Network

    LDAP Lightweight Directory Access Protocol

    LLC Logical Link Control

    MAC Media Access Control

    MITM Man-In-The-Middle

NA Network Administrator

NAS Network Access Server

    NIC Network Interface Card

OpenSSL Open Secure Sockets Layer

    PBNAC Port-Based Network Access Control

    PEAP Protected-EAP

    PPP Point-to-Point Protocol

    RADIUS Remote Authentication Dial-In User Service

    RAP Rogue Access Point

RC4 Ron's Code or Rivest's Cipher

    RSN Robust Security Standard

SNMP Simple Network Management Protocol

SSID Service Set Identifier

    SSL Secure Socket Layer

    TLS Transport Layer Security

    TTLS Tunneled TLS

    VPN Virtual Private Network

    WEP Wired Equivalent Privacy

    WLA Wireless LAN Analyzer

    WLAN Wireless LAN

    WN Wireless Network

    WNA Wireless Network Analyzer

    WPA Wi-Fi Protected Access



Appendix 1


Figure 3: Example of AirDefense's WLAN policy

    Seebaluck Yograj MSc ICT