Network Security

Wireless Network Security

IS364, 2009 1
 Why Wireless?
„There are some obvious locations
– Lecture rooms
– Libraries
– Hard-to-wire areas
„Or for specific reasons
– Conferences
– Meetings
– Mobility

IS364, 2009 2
 Categories Of Wireless Networks

• Most commonly categorized into three

groups:
oWireless Wide Area Networks (WWAN)
oWireless Local Area Networks (WLAN)
oWireless Personal Area Networks (WPAN)

IS364, 2009 3
 Elements of WLAN Security

„ To effectively secure a wireless network

consider:
– Authentication of the person or device
connecting to the wireless network
– Authorization of the person or device to
use the WLAN
– Protection of the data transmitted over the
WLAN
IS364, 2009 4
 Wireless Problems
„ Security – out of the box product is
insecure
„ Privacy – snooping – passwords, data
„ ‘Hub’ style operation – anyone can see
all traffic
„ Hacker tools readily available

IS364, 2009 5
Wireless Problems
„ Common security attacks and
countermeasures
– Firewalls & Intrusion Detection Systems
– Denial of Service Attacks
– TCP Attacks
– Packet Sniffing
– Social Problems

IS364, 2009 6
TCP Attacks
„ Recall how IP works…
– End hosts create IP packets and routers process
them purely based on destination address alone
„ Problem: End hosts may lie about other fields
which do not affect delivery
– Source address – host may trick destination into
believing that the packet is from a trusted source
• Especially applications which use IP addresses as a
simple authentication method
• Solution – use better authentication methods

IS364, 2009 7
TCP Attacks
„ TCP connections have associated state
– Starting sequence numbers, port numbers
„ Problem – what if an attacker learns these
values?
– Port numbers are sometimes well known to begin
with (ex. HTTP uses port 80)
– Sequence numbers are sometimes chosen in
very predictable ways

IS364, 2009 8
TCP Attacks
„ Ifan attacker learns the associated TCP
state for the connection, then the connection
can be hijacked!
„ Attacker can insert malicious data into the
TCP stream, and the recipient will believe it
came from the original source
– Ex. Instead of downloading and running new
program, you download a virus and execute it

IS364, 2009 9
TCP Attacks
„ Say hello to Alice, Bob and David

Alice Bob

David

IS364, 2009 10
TCP Attacks
„ Alice and Bob have an established TCP
connection

Alice Bob

David

IS364, 2009 11
TCP Attacks
„ Mr. David lies on the path between Alice and
Bob on the network
– He can intercept all of their packets

Alice Bob

David

IS364, 2009 12
TCP Attacks
„ First, David must drop all of Alice’s packets
since they must not be delivered to Bob
(why?)

Alice
Packets

The Void
David

IS364, 2009 13
TCP Attacks
„ Then, David sends his malicious packet with
the next ISN (sniffed from the network)

Alice

ISN, Source Reading

David Code (SRC)=Alice

IS364, 2009 14
TCP Attacks
„ What if David is unable to sniff the packets between
Alice and Bob?
– Can just DoS Alice instead of dropping her packets
– Can just send guesses of what the ISN is until it is
accepted
„ How do you know when the (Initial Sequence
Number (ISN) is accepted?
– Mitnick: payload is “add self to .rhosts”
– Or, “xterm -display David:0”

IS364, 2009 15
TCP Attacks
„ Why are these types of TCP attacks so
dangerous?

Alice Bob
Web server Trusting web client

David
IS364, 2009 Malicious user 16
TCP Attacks
„ How do we prevent this?
„ IPSec
– Provides source authentication, so David cannot
pretend to be Alice
– Encrypts data before transport, so David cannot
talk to Bob without knowing what the session key
is

IS364, 2009 17
Packet Sniffing
„ Recall how Ethernet works …
„ When someone wants to send a packet to
some else …
„ They put the bits on the wire with the
destination MAC address …
„ And remember that other hosts are listening
on the wire to detect for collisions …
„ It couldn’t get any easier to figure out what
data is being transmitted over the network!
IS364, 2009 18
Packet Sniffing
„ This works for wireless too!
„ In fact, it works for any broadcast-based
medium

IS364, 2009 19
Packet Sniffing
„ What kinds of data can we get?
„ Asked another way, what kind of information
would be most useful to a malicious user?
„ Answer: Anything in plain text
– Passwords are the most popular

IS364, 2009 20
Packet Sniffing
„ How can packet sniffing be prevented?
„ SSH (Secure Shell)
– Some networks still use Telnet and send their password in the clear (use
PuTTY instead!)
– Now that you have been told this, please do not exploit this information
– Packet sniffing is, by the way, prohibited by all Computing Services
authorities
„ HTTP over SSL
– Especially when making purchases with credit cards!
„ SFTP, not FTP
– Unless you really don’t care about the password or data
– Can also use KerbFTP (download from internet)
„ IPSec
– Provides network-layer confidentiality

IS364, 2009 21
Social Problems
„ People can be just as dangerous as
unprotected computer systems
– People can be lied to, manipulated, bribed,
threatened, harmed, tortured, etc. to give up
valuable information
– Most humans will breakdown once they are at
the “harmed” stage, unless they have been
specially trained
• Think government here…

IS364, 2009 22
Social Problems
„ Fun Example 1:
– Someone calls you in the middle of the night
• “Have you been calling Egypt for the last six hours?”
• “No”
• “Well, we have a call that’s actually active right now,
it’s on your calling card and it’s to Egypt and as a
matter of fact, you’ve got about $2000 worth of
charges on your card and … read off your AT&T card
number and PIN and then I’ll get rid of the charge for
you”

IS364, 2009 23
Social Problems
„ There aren’t always solutions to all of these problems
– Humans will continue to be tricked into giving out information they
shouldn’t
– Educating them may help a little here, but, depending on how bad
you want the information, there are a lot of bad things you can do to
get it
„ So, the best that can be done is to implement a wide variety
of solutions and more closely monitor who has access to
what network resources and information
– But, this solution is still not perfect

IS364, 2009 24
 Wired Equivalent Privacy (WEP)
protocol
ƒ Wireless technology uses the IEEE 802.11 specification.
ƒ The IEEE 802.11 specification identifies several services to ensure a
secure network environment.
ƒ The security services are largely provided by Wired Equivalent Privacy
(WEP) protocol (WEP is a part of the IEEE 802.11 specification). This
provides security of data during wireless transmission between clients
and access points.
ƒ The most basic security features of the WEP are:
– Authentication – This provides access control to the network by denying access to
clients that can’t properly authenticate themselves. (Shared key authentication.
– Confidentiality – This provides security against casual eavesdropping of data
transmission. Applied to layers (TCP/IP, Internet Packet Exchange (IPX), Hyper Text
Transfer Protocol (HTTP)
– Integrity – This secures the data from being modified during transmission. Cyclic
Redundancy Check (CRC-32) and encryption are is used.

IS364, 2009 25
Principle of the WEP
„ WEP relies on a secret key which is shared
between the sender and the receiver.
– SENDER: Mobile station (e.g. Laptop with a wireless
ethernet card)
– RECEIVER: Access Point (e.g. base station)
„ Secret Key is used to encrypt packets before they
are transmitted
„ Integrity Check is used to ensure packets are not
modified in transit.
„ In practice, most installations use a single key
which is shared between all mobile stations and
access points.
IS364, 2009 26
Conclusions
„ The Internet works only because we implicitly
trust one another
„ It is very easy to exploit this trust
„ It is important to stay on top of the latest
CERT security advisories to know how to
patch any security holes

IS364, 2009 27
Reading Assignment

1. Discuss WEP protocol problems and

possible countermeasures.
2. Describe types of attacks that can be
launched against the WEP protocol.

IS364, 2009 28
References
„ N. Borisov, I. Goldberg, D. Wagner. Intercepting
„ mobile communications: The insecurity of 802.11. 7th Annual International
Conference on Mobile
„ Computing and Networking. July 16-21,2001. Rome, Italy.
„ I. Goldberg. An analysis of the Wired Equivalent
„ Privacy protocol. Black Hat Briefings, July 11, 2001.
http://www.cypherpunks.ca/bh2001/
„ Security of the WEP algorithm, uc Berkeley.
http://www.isaac.cs.berkeley.edu/isaac/wep-faq.ht
„ http://www.robertgraham.com/pubs/network-intrusion-detection.html
„ http://online.securityfocus.com/infocus/1527
„ http://www.snort.org/
„ http://www.cert.org/
„ http://www.nmap.org/
„ http://grc.com/dos/grcdos.htm
„ http://lcamtuf.coredump.cx/newtcp/

IS364, 2009 29