
Sara Nasre

Wireless LAN Security


Research Paper
05/05/2004
IT 6823 Information Security
Instructor: Dr. Andy Ju An Wang
Spring 2004

Table of Contents
1. Abstract
2. Introduction
3. 802.11 Security
4. Securing WLANs
a. Eavesdropping
b. Unauthorized Access
c. Interference and Jamming
d. Physical Threats
5. Countermeasures
a. Frequency-Hopping Spread Spectrum
b. Direct-Sequence Spread Spectrum
c. Infrared
d. Narrowband
6. WEP
a. Encryption
b. Authentication
7. Conclusion
8. Bibliography
Wireless LAN Security
Abstract
Today there is a huge and growing market for wireless LANs, but there is a black hole
associated with these types of networks. This paper provides an overview of the major
security risks, threats and vulnerabilities of WLAN systems, with reference to 802.11b. To
combat these risks, some protocols and mechanisms are needed to secure this wireless LAN
protocol.
Introduction
The wireless LAN technology standard 802.11b is the strongest candidate to become the main
standard for corporate internal wireless LAN networks. 802.11b has a bandwidth of 11
Mbits and operates at a frequency of 2.4 GHz. It is the most popular standard in
the 802.11x family and has achieved wider market acceptance for wireless
networks than other standards (Barken 2004).
As more wireless technology is developed and implemented, the complexity of the types
of attacks will increase, but those described here appear to be the main standard methods used to break and
attack wireless systems. These attacks may be very similar against other wireless
technologies and are not unique to 802.11b. Understanding these risks and how to develop a
security solution for 802.11b will provide a strong foundation for integrating a good,
secure solution into any wireless system (Maxim, Pollino 2002).
802.11 Security
The 802.11 algorithm provides security through authentication and encryption. In Ad
Hoc network mode, authentication can be either open system or shared key.
The network station that receives a request can grant authentication to any request or
only to those stations on a predefined list. In the shared key approach, only those stations that
possess an encrypted key will be granted access.
IEEE 802.11 specifies an optional encryption capability called Wired Equivalent Privacy
(WEP). Its purpose is to provide security equivalent to that of wired networks. WEP incorporates the
RC4 algorithm from RSA Data Security. This algorithm encrypts over-the-air
transmissions.
Unlike 802.11, 802.11b removes FHSS (Frequency-Hopping Spread Spectrum) as a
data transmission mode and instead incorporates DSSS (Direct-Sequence Spread
Spectrum) as the standard technology.
Vendors are currently producing 802.11b equipment with network interface cards
(NICs) that have a distinct MAC address and a unique public- and private-key pair
(Dubendorf 2003). These enhancements allow WLAN administrators to require that all
hardware address and public-key combinations be entered into the access points (APs)
before a network can be established. By doing so, an administrator can prevent an attack
on the network via MAC address spoofing.
Securing WLANs
Typically a WLAN operates in the same fashion as a wired LAN except that data is
transported through a wireless medium rather than cables. The following sections
describe common threats that WLANs are faced with and some countermeasures that can
be employed to protect against such threats.
Eavesdropping
The main threat posed to a WLAN is the potential for unauthorized persons to eavesdrop
on radio signals transferred between a wireless station and an AP, which compromises the
privacy of sensitive information and data (Barken 2004). Eavesdropping is considered
a passive attack. For example, when a radio operator sends a message over a radio path,
other users who are equipped with a compatible receiver within range of the
transmission are able to listen. Also, because an eavesdropper can listen to a
message without modifying the data, the sender and intended receiver of the message are
unaware that there has been an intrusion.
Unauthorized Access
Another threat to WLANs is an intruder who enters a WLAN disguised as an authorized
user. Once the intruder has gained access, he can violate the confidentiality and integrity
of the network traffic by sending, receiving, altering, or forging messages (Nichols,
Lekkas 2002). This is classified as an active attack and can be executed using a wireless
adapter that is compatible with the network.
One of the best protections against this type of unauthorized access is to deploy
authentication mechanisms to ensure that only authorized users can gain access
to the network. One of the hardest tasks for WLANs is to detect intrusions when they
occur. This is because unsuccessful attacks might be misinterpreted as merely
unsuccessful logon attempts caused by a high bit error rate.
Another example of unauthorized access is an attacker who sets up a pseudo-AP. By
doing so, an attacker can lure a station onto his network in order to capture secret keys
and passwords (Nichols, Lekkas 2002). Another way to accomplish this is for the
attacker to reject the logon attempts but record the messages transmitted during the logon
process.
The first attack described is very hard to execute because the attacker must have specific
details in order to deceive the station into believing that it has accessed its home network.
The second attack mentioned is easier to implement because all that the attacker
requires is a receiver and an antenna that are compatible with the stations.
In addition, this attack is more difficult to detect, because unsuccessful
logons are common in WLAN environments. The best method to protect against these
types of attacks is to employ an efficient mechanism that allows wireless stations to
authenticate to APs without disclosing confidential keys or passwords.
Interference and Jamming
A third threat to WLAN security is radio interference, which can degrade bandwidth. In
most cases the interference is accidental. Since WLANs use unlicensed radio waves,
other electromagnetic devices can overlap with WLAN traffic (Barken 2004). Sources
of interference can include high-power amateur, military, industrial, and scientific
transmitters.
Interference may also be intentional. If an attacker has a powerful transmitter, he can
produce a radio signal strong enough to overwhelm weaker signals, which can disrupt
communications. This is known as jamming and is a denial-of-service attack. There are
two types of jammers that can be used against WLAN traffic: high-power pulsed and
lower-power partial-band jammers (Maxim, Pollino 2002). Jamming equipment is
available to consumers or can be built by attackers. These types of attacks can be
mounted remotely from the targeted network.
Physical Threats
The physical structure of a WLAN can be impacted if it is damaged. Similar to a wired
LAN, a WLAN operating in infrastructure mode is dependent upon a number of physical
components. These include APs, cables, antennas, wireless adapters, and software. Harm
to any of these could significantly reduce the strength of the signal, limit coverage area,
or reduce bandwidth.
Infrastructure components are also vulnerable to the conditions of their environment,
especially if outdoors (Nichols, Lekkas 2002). APs can be affected by snow and ice.
Antennas placed on poles or buildings risk being knocked down by
winds, rain, or ice, which can change the beam width for transmitting signals. Finally,
accidents and improper handling can harm wireless adapters and wireless stations.
Physical components can also be attacked. For example, an attacker could cut the cabling that
connects an AP to the wired network, isolating affected microcells and disrupting power
to the receiver. Another potential attack could involve stealing or compromising a wireless
station or adapter and using it to try to intercept WLAN traffic or to gain unauthorized
access to the network.
Countermeasures
WLANs incorporate Spread-Spectrum technology to transmit data. This type of
technology is designed to resist eavesdropping, interference, and noise. To a listener the
signal sounds like regular background noise. Spread-Spectrum requires more bandwidth
than narrowband transmissions.
Frequency-Hopping Spread Spectrum ( FHSS )
The 2.4 GHz band is divided into 75 one-MHz channels. A radio signal is transmitted
over all 75 frequencies in accordance with a pseudo-random code sequence that
both the transmitter and receiver know. The FHSS physical layer has 22 hop patterns,
and the pattern chosen by the transmitter is taken from a predetermined set
specified by code (Maxim, Pollino 2002). When the transmitter and receiver are
properly synchronized, data is transmitted over what is essentially a single channel. To an
eavesdropper, this signal appears to be unintelligible short-duration impulse noise.
Because the signal is dispersed across numerous frequencies, the potential for
interference is minimized.
Direct-Sequence Spread Spectrum ( DSSS )
Under the 802.11b standard, DSSS utilizes 64 8-bit code words to disperse the signal.
Any unauthorized user sees the DSSS signal as low-power wideband noise.
Consequently, most narrowband receivers ignore it. The signal is spread across a wide
range of frequencies, so interference is again minimized.
Both FHSS and DSSS create obstacles for attackers attempting to intercept radio signals.
With FHSS, an eavesdropper must know the hopping pattern that the transmission uses,
whereas with DSSS he must know the code words. In both cases, the eavesdropper
must also know the frequency band and modulation techniques in order to read
the signal accurately.
Spread-Spectrum technology is most secure if the hopping pattern or code words are
unknown to the eavesdropper. However, these parameters are published in the
802.11 standard and are therefore public knowledge. The modulation method is also provided.
With this information, an eavesdropper could build a receiver to intercept and
read unprotected signals. Regardless of these facts, the built-in strengths that
Spread-Spectrum technology possesses are enough to defeat most eavesdroppers and so
contribute to the security of WLAN communications.
Infrared
IR is the third radio technology specified in the original 802.11 standard ( ). This
technology transmits data at high frequencies just below visible light on the
electromagnetic spectrum. IR signals are susceptible to interception, interference, and
jamming. Therefore, IR systems are typically utilized for high-security applications in
enclosed facilities (Barken 2004). It is also more expensive than the Spread-Spectrum
technologies mentioned above, and its data rate is low (1 to 2 Mbps).
Narrowband
Narrowband transmits and receives radio signals on a specific frequency. This keeps the
radio signal as narrow as possible. This method prevents cross-talk among radio channels
by coordinating different channel frequencies. A drawback of narrowband is that
eavesdroppers can easily detect transmitted signals. It also requires a license from the
FCC for each site where it is used.
WEP
WEP (Wired Equivalent Privacy) is implemented in the 802.11 specification to provide
basic levels of authentication and data encryption. 802.11b utilizes WEP. It is a crucial
element for securing confidentiality and integrity on WLAN systems, in addition to
providing access control through authentication (Mallick 2003).
Encryption
WEP uses a secret key shared between a wireless station and an access point. The data
sent and received between the station and AP can be encrypted using the shared key.
WEP provides data encryption with a 128-bit secret key and an RC4 pseudo-random
generator. Two processes are applied to plaintext data: one encrypts the
plaintext and the other protects it from unauthorized modification in transit
(Mallick 2003). After the station has encrypted the text with the secret key, it returns the encrypted text
to the AP. If the text matches the text that was sent, then the client is authorized and
granted access.
A problem with this method is key distribution. Most WLANs share one key
across all stations and APs in the network. It is not likely that a key shared among several
users will remain secret forever. Some network administrators address this issue by
configuring wireless stations with the secret key themselves, as opposed to allowing users to perform
this task. A better solution is to assign a unique key to each station and to change keys
frequently (Nichols, Lekkas 2002).
Authentication
WEP provides two types of authentication: a default Open System (all
users are permitted to access a WLAN) and shared key authentication (which controls access
to the WLAN and prevents unauthorized network access). Comparatively, shared key
authentication is the more secure mode (Dubendorf 2003). It employs a secret key that
is shared among all stations and APs in a WLAN. Shared key works only if WEP
encryption is enabled. If not, the system will default to Open System mode, which will
permit almost any station within range of an AP to access the network. This will permit an
intruder to enter the system, where he can interfere with your messages. It is important to
ensure that WEP is enabled whenever secure authentication is required.
In many WLAN systems, the key utilized for authentication is the same key used for
encryption. This presents a weakness that compounds the problems mentioned above.
If the attacker has control of the shared key, he can access the network as well as
decrypt the messages. The solution is to distribute separate keys throughout the system:
one for authentication and one for encryption (Barken 2004).
Conclusion
Wireless local area network solutions comprise one of the fastest growing segments of
the telecom industry. Although this is the case, research suggests that the perceived
insecurity of wireless networks is a major inhibitor to further growth in the area of
WLANs. To ensure the best protection for WLANs, we must implement rigorous security
policies that integrate the technologies and methods described in this paper. In addition,
the 802.11i protocol for wireless encryption is to become an IEEE standard by June 2004.
This protocol is intended to shield wireless data from over-the-air attacks. Cisco has
already started informing its customer base of this new protocol and of its plans to
implement it.
Bibliography
Maxim, Merritt and David Pollino. Wireless Security. McGraw-Hill/Osborne, 2002.
Barken, Lee. How Secure Is Your Wireless Network? Saddle River, NJ: Prentice Hall
PTR, 2004.
Dubendorf, Vern A. Wireless Data Technologies. West Sussex, England: John Wiley &
Sons Ltd, 2003.
Nichols, Randall K. and Panos C. Lekkas. Wireless Security: Models, Threats, and
Solutions. McGraw-Hill, 2002.
Mallick, Martyn. Mobile & Wireless Design Essentials. Indianapolis, Indiana: Wiley
Publishing, Inc, 2003.
