Wireless Security & Controls: Issues, Treats, Solutions & Trends

Prepared by: Greg Gabet, IBMGS Security & Internet Architect

Abstract

Wireless technology has hit critical mass before the security & controls have matured. Organizations are architecting wireless solutions for current business requirements & homes are integrating wireless environments that are often used as a platform for their business laptops to connect to the workplace. This presentation will exam the architecture, security, & control challenges for SOHO, as well as enterprises. Emerging standards, providers, & best practices for securing & controlling wireless will be discussed. This presentation is for the intermediate to advanced practitioner.

Agenda :

Motivation for Wireless in the Enterprise Wireless Topologies,Characteristics, & Standards Wireless Challenges, Opportunities, & Architecture issues Specific Threats & New Authentication Mechanisms Wireless Management Issues Possible Architectures Trends Summary

Enterprise WLAN Revenues

Millions
$5000

$4000 +30% $3000 +70%

% Laptops Deployed With build-in wireless ------------------------------2002 20% 2003 60% 2004 90% Consumer purchases Are 48% of sales & Enterprises are about 43%. Operators/ISPs Make up remainder. In 2003, 11% was 802.11G.

$2000

+50%

$1000

$0 1998 1999 2000 2001 2002 2003 2004 2005

Source: Cahners In-Stat Group, 2001

Wireless Topologies & Demographics

WAN
(Wide Area Network) 2.5G - 3G Phone

MAN
(Metropolitan Area Network) 802.11, 802.16, MMDS, LMDS

LAN
(Local Area Network) 802.11 & HyperLan2

PAN
(Personal Area Network) Bluetooth

General Characteristics of Wireless Technologies

PAN

LAN/WLAN
802.11A,B,G HiperLAN2 (Europe)
11 & 54 Mbps (now) 22 & 100Mbps (plans)

MAN
802.11/802.16 MMDS, LMDS

WAN
GSM, GPRS, CDMA2000, 2.53G

Stds Speed Range

Bluetooth

< 1Mbps

11 to 100+ Mbps Medium-Long Fixed Last Mi

10 to 384Kbps

Short

Medium (1000ft w/o A.)

Long

Apps

Peer-to-Peer Device-toDevice

Home, SOHO, Enterprise Networks

T1 Replacement, Last Mile Access

PDAs, Mobile Phones, Cellular Access

IEEE 802.11 Standards Activities

Standards
802.11a 802.11b 802.11d 802.11e 802.11f 802.11g 802.11h 802.11i

Description
5GHz, 54Mbps Max 2.4GHz, 11Mbps Max Quality of Service (QoS) Inter-Access Point Protocol (IAPP) 2.4GHz, 54Mbps Max Dynamic Frequency Selection (DFS) & Transmit Power Control (TPC) Security
Note: 22Mbps is proprietary

Multiple Regulatory Domains

802.11- Both Freq. Bands will be Successful

5GHz - 802.11a
54Mbps 8 channels for indoor use (allows honeycomb network deployment. 12 channels total US Higher expected throughput than 802.11g Global Acceptance 5 GHz band has less interference US Government Likes for security reasons (limited distance)

2.4GHz - 802.11b & g

11Mbps 36Mbps 54Mbps 3 channels Worldwide 802.11g is forward-and-backward compatible with 802.11b Easy upgrade path to 802.11g 802.11b has advantages on cost, size, & power consumption, so will continue to be popular, especially with PDAs, phones

Security Challenges & Opportunities

Increased Connection & Management Complexity:

Connections: Difficult to assure C.I.A. of data over multiple 3rd party wireless data networks. Enabling different makes & models of mobile devices (PDAs, Cell Phones, Laptops) work securely with new interfaces to e-business applications, especially when the security capabilities are severely restricted (VPN,PKI,Certs, ECC, CPU). Mgmt & Integration of New Devices, OSs, Protocols & Applications Into Security Architecture: Variety of vendors & AP/Node management options (IBM, CA, CISCO, & Immaturity of wireless devices, operating systems, applications & network technologies (firmware upgrades are frequent, especially for 802.11A & G, LEAP/PEAP) Increased size of the user base increases the threat of hacker & malicious code attacks. New Policies, Procedures, Practices, Personnel, Mechanisms, Services & Objects! The initial psw on wireless devices tend to be deactivated by the manufacturer or user, thus allowing unauthorized access to AP/connected devices.

Password Vulnerability:

Unauthorized configuration of Device:

Wireless devices may have remote configuration facilities, undocumented APIs or software bugs which could be exploited
Jamming or continuous transmissions of large amts of data to the wireless device will use network bandwidth; thus leading to performance degradation or non-availability.

Denial-of-Service Attacks:

Loss-of-Data:

Storage capabilities of mobile devices are increasing. If a device malfunctions, is lost, or data is accidentally deleted, with no recent data backup of lack of restoration capability, the data will be lost forever.

Where & How Does Wireless Affect Corp Architecture?

Security Architecture Layers & Requirements

Objects & Information:

AP, Wireless Cards, Wireless Mgmt Stations, RADIUS/LDAP servers

Security Services

Organization/Personnel responsible for:

Maintenance of AP & Wireless Card firmware upgrades Authentication, Authorization, & Access Control to Wireless subnets/servers Audits, Reviews, Compliance Checks for wireless components & critical settings Network Architecture of Wireless AP Placement, redundancy, & bandwidth Encryption & Integrity of wireless transmissions

Security Mechanisms

Tools

Sniffers, IDS, Vulnerability Assessment hardware & software

Encryption Keys VLANs Firewalls, RADIUS, LDAP, SNMP, etc

Information Security Policies

Wireless Usage Policy (External & Internal) VPN Usage Policy Wireless Placement

Critical Security & Privacy Issues for Wireless LAN According to IDCs Mobile Council Advisory Survey, the most significant wireless security concerns are:

Management of devices security Corruption of data sent to wireless devices Malicious code & Malware (Viruses,Trojans, Worms) Unauthorized users Confidentiality of data sent wirelessly Security of data stored on a handheld device

Why Wireless LANs Create Problems

CIA can be lost for information as it passes over wireless data networks Operators often turn off encryption & anonymous AP resets will set AP back to defaults. Note: Not all vendors provide a physically accessible reset button War driving can collect valuable info that often shared with the Internet Rogue access points can collect valuable info used to later break systems Data Interception on backbone networks can result in information disclosure RF signal jamming can lead to unavailability of mobile devices & network One way authentication: Most wireless clients are authenticated to the network, not vice versa (one sided authentication only). This enables "man-in-themiddle" attacks to eavesdrop on transmissions Paths of communication may pass multiple uncontrolled networks (Execs LAN) Lack of Security Awareness of Users Actually your biggest bang for buck. Weak wireless crypto algorithms allow RF scanning & decryption of WEP keys Physical security issues (Access points and cards are easy to steal!) Lack of Policies, Procedures, Compliance & Audit Understanding Lack of granularity in access Often, an all or nothing approach to access Minimum mainstream network infrastructure support (Probes, Agents, IDS, Radius with LEAP/PEAP/EAP support).

Threats Unauthorized Access Points

Plug-in Unauthorized Clients: An attacker tries to connect his wireless client, typically a laptop to an access point without authorization, intentional or unintentional. This is often used for those requiring free internet access Plug-in Unauthorized Renegade Access Point: Companies are aware that internal employees have deployed wireless capabilities on their network. An internal employee wanting to add their own wireless capabilities to the network plugs in their own access point into the wired intranet thus creating a risk if the access point has not been properly secured. This could lead unauthorized clients then gaining access to unauthorized access points, allowing intruders into the internal network. Internal Client

LAN

Unsecured Rogue AP

Hacker

Internal Client

Secure Valid AP

Threats War Driving Map Created & On Internet

War Driving: a process,
named after the term War Dialing process used by hackers to locate compromisable dialup modems. Requires inexpensive equipment, typically a laptop or a PDA, Wireless card, GPS & an external antenna
As people are "War Driving", locating the APs & recording the GPS coordinates of the AP location, these AP maps are being shared to any attacker on the Internet. If a company has their AP location & information shared on the Internet, their AP becomes a potential target & increases their risk.

Threats: Man-in-the-Middle Access Point Clone intercepting traffic: An attacker can trick
legitimate wireless clients to connect to the attacker's honey pot network by placing an unauthorized base station with a stronger signal within close proximity of the wireless clients that mimic a legitimate base station. This may cause unaware users to attempt to log into the attacker's man in the middle servers. With false login prompts, the user unknowingly can give away sensitive data like passwords. Hacker LAN

Rogue DHCP Server

Rogue AP, not connected to internal LAN

Internal Client

Valid Access Point

Threats: Client Attack

Client Dissociations : Forced client re-association / disassociation attacks. This will effectively causes a denial of of service on the client under attacks. A second form of this attack is to take over an established connection

Hacker

Internal Client

LAN

Rogue Attack Client

Rogue AP internal to the client

Valid Access Point

Threats: Security Controls

Misconfiguration issues: Many access stations analyzed have been configured in a minimal & default secure mode. Unless the administrator of the base station understands the security risks, most of the base stations will remain at a high risk level. Server Set ID (SSID) Attackers can use default SSIDs to attempt to penetrate base stations that are still in their default configuration. Reset Issues: Included in this are reset access points. Often when an access point hangs or crashed, someone may push the reset button on the access point. This clears any WEP keys the access point may have had. Physical Security Issues: Often security guards are not trained to recognize physical wireless attacks, nor how to detect them.

Threats WEP security

WEP Encryption Issues: 802.11b

standard uses encryption called WEP (Wired Equivalent Privacy). WEP has known weaknesses in how the encryption is implemented (IV). Note: WEP is better than no WEP; it at least stops casual sniffers.

Available Tools:Today, there are readily

available tools for most attackers to crack the WEP keys. Airsnort, Yellowjacket, Airfart & others tools take a lot of packets (several million) to get the WEP key, on most networks this takes longer than most people are willing to wait (1 or more days). If the network is very busy, the WEP key can be cracked & obtained within 30 minutes. Because of the WEP weakness, wireless sniffing & hijacking techniques can work despite the WEP encrypted turned on.

Weak Default WEP Keys: Access

points have been seen with manufacturer created WEP keys linked to the Hex encoding of the SSID of the access point. Some manufacturing companies use WEP keys which are the same as the SSID or easily guessable

Limitations of 802.11 WEP Security

Shared, static WEP keys
No centralized key mgmt Poor protection from variety of security attacks

Lack of integrated user admin

Need for separate user databases; no use of RADIUS Potential to identify user only by device attribute like MAC address

No effective way to deal with lost or stolen adapter

Possessor has network access Re-keying of all WLAN client devices is required

Inherent weaknesses in RC4-based WEP keys

No mutual authentication

802.1X WPA

TKIP and AES

802.1X Authentication Types

LEAP (EAP Cisco Wireless)

User authentication via user ID & password Supports Windows, CE, Linux, Mac OS, and DOS Aggressive licensing program by Cisco to other vendors User authentication via client certificates & server certificates Supported in XP, but other Windows versions by 2004 Currently used by Microsoft User authentication via user ID and password or OTP Supported by Cisco Aironet client adapters and by Microsoft in various
Windows versions Uses server-side TLS, which requires only server certificates

EAP-TLS (EAP-Transport Layer Security)

PEAP (Protected EAP)

EAP-TTLS

User authentication via user ID & password or OTP Uses server-side TLS

Note: EAP is Extensible Authentication Protocol

802.1X-based: Mutual Authentication

Access Point AP blocks all requests until authentication completes

RADIUS Server

RADIUS server authenticates client

Client authenticates RADIUS server

Derive key

Derive key

Mutual Authentication is required to prevent rogue clients from accessing your network, AND to prevent rogue APs from stealing data from your clients

802.1X/LEAP Mutual Authentication

RADIUS server
Start Request identity identity

AP blocks all requests until authentication completes

identity

RADIUS server authenticates client

Client authenticates RADIUS server

Derive key

Derive key

Mutual Authentication is required to prevent rogue clients from accessing your network, AND to prevent rogue APs from stealing data from your clients

PEAP Authentication
RADIUS server Use server-side EAP-TLS to authenticate RADIUS server

& builds SSL-encrypted tunnel

user database

user-supplied token Use tunnel to authenticate user via token, One Time Password, or other data

PEAP sets up a secure, encrypted tunnel between client and RADIUS server

Remote Access Security using VPN

VPN
Firewall Enterprise

Internet
Wireless
VPN Client

Hotel/Airport/Home With VPN Client

802.11 Access Using VPNs

Pros Familiar Used in most organizations Makes WLAN and remote access UIs
consistent Trusted for authentication and privacy Supports central security management Ensures 3DES encryption from client to concentrator Compatible with Aironet and other WLAN products

Cons Cost: Requires VPN concentrators

behind APs Performance: Encryption is done in software on client Roaming: Roaming between VPN concentrators forces application restarts QoS: All traffic is IPSec traffic; no QoS, multicast, or multiprotocol support) Clients: Not supported on phones, scanners, or other specialized devices

IEEE 802.11i Security for Enterprise Level Sec.

Mutual Authentication

Dynamic Session Key

Message Integrity Check (MIC) Temporal Key Integrity Protocol (TKIP)

Initialization Vector Sequencing

Rapid Re-Keying Per-packet Key Hashing

Future
Stronger encryption schemes such as AES

WPA = Wi-Fi Protected Access

WPA = 802.1X + TKIP

WPA requires authentication & encryption 802.1X authentication choices include LEAP, PEAP, TLS Adds to 802.1X & TKIP Widespread adoption of WPA will add robust security & remove the security issue from the WLAN industry WPA will become accepted as the standard

WPA has Strong Industry Supporters

WPA compliance is needed for Wi-Fi certification of new products beginning in August 2003

Threats 802.1x issues

Rogue 802.1x Log errors issues : Clients authenticating with rogue access points & rogue Cisco ACS servers will show up in the rogue ACS server logs, showing user ID Failures. Hence the only unknown is the password, as the userID, SSID & MAC can all be determined. 802.1x session termination: Authenticated clients can be sent a session termination string by a rogue access point / client combination allowing the rogue client to continue an established session.

Rogue AP Rogue DHCP Server Rogue ACS Server Error Log Authentication Log 802.1x Internal wireless Client

Valid AP

Threats Internal Issues (ie SNMP)

Weak Internal issues: Wireless base stations may have a SNMP (Simple Network Management Protocol) agent running with the default community string name of public, an internal rogue employee can often both read & write sensitive information & data on the base station. . With the default of most base stations using the community word "public", potentially sensitive information can be obtained from the access point. This includes turning off WEP encryption. Configuration Patches: Some access points can have their configurations downloaded from the internal LANs, due to security configurations issues,

Wireless/Mobile Security Critical Issues

There is a lack of end-to-end model, non-convergent standards, & support for seamless roaming

Massive user base demanding confidentiality & privacy while roaming Insecure pervasive devices

New & innovative applications & technologies introduce many new vulnerabilities

Wireless Devices
Users Personal application services

Wireless Networks
WPAN WLAN WWAN

Wireless Applications

Internet

Wireless transactions Portals

Internet services

Intranet
Corporate office services Wireless messaging Wireless lifestyle facilitation

Weak user Insecure RF authentication interfaces controls Data transmitted over the air with weak authentication & encryption controls

Internet weakness still apply but are made worse by the much larger user base

New network gateways, often with weak security

Threats are often not the biggest issue..

Security Management

Basic Wireless Security Profiles

Enhanced Security Basic Security Open Access
No WEP and Broadcast Mode 40-bit, 128-bit, 256-bit Static Encryption Key
Dynamic Encryption Key Scalable Key Managemt Mutual 802.1x/EAP Authentication TKIP/WPA

Public Access

Telecommuter & SOHO

Enterprise

Public Network Security

Virtual Private Network (VPN)

Traveler

Special Apps./ Business Traveler

Wireless Management Requirements

Standardization of Network management & configuration tools used to manage wireless networks (budget & training) Centralized management from a network operations center Configuration of Access Points (logistics) Configuration of Clients & upgrade procedures (logistics & personnel) Client Management, access revocation, dual access, single signon Wireless policies Logging & accounting at a centralized level Standards Based, such as LDAP Centralized accounting & billing (maybe) Rogue detection & encryption confirmation Wireless LAN Key Management Intrusion detection & response processes will have to be extended to cover wireless Secure Password-protected management functions Differential Access could require multiple new groups/profiles to manage Wireless Technology integration

Wireless Policy Issues

Policy needs to dictate permitted services & usage i.e. what types of connections are permitted ? Wireless Access is often binary. i.e. Full network access or no network access Roles potentially need to be catered for. (scanner vs. full LAN access) One needs a means of identifying & enforcing wireless access policies Existing company security policies need to be updated to cater for wireless security issues Policy needs to indicate how access will be controlled.. i.e. Time of the day Policy requirements dictate that all access needs to be logged User compliance & standards enforcement Centralized control of security policies Wireless management Wireless intrusion alert issues Process to update client Software levels Intrusion detection Policies

Wireless Management of Threats & Risk Mitigation

User involvement & Cost Process Management & Standards Audits & Controls, User & Key administration & authorization Application security Environmental Security 11. Bandwidth Robustness 12. Client security & Awareness 13. Network Security 14. Physical Security 15. 16. 17. 18. 19. 20. 21.

Standards & technology issues Policy Creation Training for Support WEP Key Password Quality Technology (TKIP, AES, WAP) Compliance & Client Detection Tools Technology & Architecture (VPN, RADIUS, FW) Network design & AP Layout Network Review, IDS, & Vulnerability Assessments Education for Policy, Compliance & Access Control Standards, Architecture, Patch Management

Wireless Mgmt Must Balance all Security Weaknesses

User involvement, Awareness & Roles Process Management & Standards 4

Key password quality

3 2 1
Audits & Controls, & IDS

Weakness

User & key administration

Weakness
Application Security

Environment Integrity & Robustness Client Security Strength Network Security & Technology Issues

Weakness

How to Wireless Security Issues

Common challenges faced by our customers include the following: How to ensure business continuity? How to be sure our existing security controls are appropriate? How to justify the cost of security? How to determine what security controls need to be implemented? How to increase awareness & make security a priority within the business? How to be sure our existing security controls are appropriate? How to implement end-to-end solutions covering business & IT? How to leverage new methods & technologies? How to prepare for an industry recognised security certification? How to remain confident over time that we have an appropriate security level? How to find skilled individuals? How to Architect the solution for flexibility, scalability, reliability, & security

Client Differentiation with Separate VLANs

802.1Q wired network w/ VLANs

Channel: 1 SSID: laptop VLAN: 1

Channel: 6 SSID: pda VLAN: 2

Channel: 11 SSID: phone VLAN: 3

SSID: laptop Security: PEAP, TKIP

SSID: pda Security: LEAP, CKIP

SSID: phone Security: WEP

Client Differentiation with VLANs

802.1Q wired network w/ VLANs

Channel: 6 SSID laptop = VLAN 1 SSID pda = VLAN 2 SSID phone = VLAN 3

SSID: laptop Security: PEAP, TKIP SSID: pda Security: LEAP, CKIP

SSID: phone Security: WEP

Using Firewalls to Wireless AP Services

LAN

Internet Firewall
VLAN VLAN

RADIUS AP AP

Challenges & Enablers for Wireless Security

The challenges can be addressed using Major 3rd Party Security Solution Providers

Technology
Session cryptography/VPNs File encryption Content and virus filtering Personal firewalls User and device authentication User authorization Wireless PKI Intrusion detection Security management

Architecture
Structured design method Functional architecture Operational architecture End-to-end security design Managed Intrusion Response Security Services

Secure & Resilient Industry

Solutions

Processes
Risk management process Incident management process Change management process Audit process Security awareness program

Skills
Risk management expertise IT security expertise Architecture and design expertise Industry knowledge

Wireless Security Solution Design Companies

Wireless Security Solution Design Services Look for companies to provide the following comprehensive set of activities from the planning & design phases of proven end-to-end Wireless services. And, can be delivered individually or packaged pieces according to your needs:

Wireless Strategy Wireless Readiness Assessment Wireless Value Wireless Requirements Wireless Policy Conceptual Architecture Functional Architecture Wireless Product Selection Site Selection & Facility Design Component Architecture Process Development

Two Types of Wireless Security Auditing Techniques: Individual or Distributed

Individual: How does it work? Passively monitors the wireless network Reports policy violations Human expert needed Distributed: What does it do? Periodic audits Distributed: wireless clients do the work Real-time: continuous audits Autonomic: network fixes its problems automatically Audit: looks for vulnerabilities, & Locates: rogue access points

Wireless IDS is Needed that can

Detect & Protect against: WAP spoofing man in the middle attacks Denial of Service RF Jamming WAP misconfiguration Rogues APs WarDriving probes Wireless IDS services can significantly reduce your risk from attacks to your internal network & associated data

Conclusion
Wireless is rapidly growing & has potential to increase productivity, especially in SOHO, Homes, certain industries Wireless is currently unsecure, but solutions are maturing rapidly Wireless technology is becoming enbedded in many form factors (laptops, PDAs, cellphones, etc) 802.11 WEP security is insufficient for the enterprise 802.1x & 802.11i offer great improvements and mitigate several security concerns True mobile 802.11 wireless is difficult, but Mobile IP and other technologies are tackling the problem New technologies create new and old challenges People, Process, Policies, & Architecture are require to deploy wireless securely.