Grill of my dreams
A substitute for human interaction

Wireless Security Notes

The key to a stable and functional wireless network is the ability to access system services and resources while keeping the data safe and secure.  

WEP, or Wired Equivalent Privacy, is an encryption method used on wireless networks. WEP is very insecure for many reasons. The goal of WEP was to make WLANs as secure as an actual LAN, which would allow WLANs and LANs to be in the same topology.

WEP provides two critical pieces of security: authentication and confidentiality. WEP uses a shared-key structure and a symmetric encryption cipher, so the client must have the same key and cipher settings as the AP. The standard key is 40 bits, but 128-bit keys have been implemented for greater security.

Encryption of the data stream provides confidentiality for the data transmitted between the two WLAN devices. WEP uses a symmetric cipher, which means the same key that encrypts the data is used to decrypt it. First an integrity check value is computed over the data and appended to it to form the full payload. The transmitting device then creates a random 24-bit number (2^24 possible values) called the IV, or initialization vector. The device uses the IV and the shared key to encrypt the payload with the RC4 algorithm. The receiving device then uses the shared key and the IV it received from the transmitting device to decrypt the data.

Authentication with an AP can happen in two ways. The first is when the AP and device are configured as “open”. When devices are open there is essentially no authentication; it is more of an association than anything. Station A and Station B identify themselves to each other and that's it, association complete. The second way is the shared-key method. Station A sends a nonce (a random number), such as 6, to Station B. Station B receives the nonce (6), encrypts it with WEP and sends it back to Station A. Station A decrypts the nonce and compares the two numbers. If Station A gets the 6, or whatever the random number was, back from Station B, authentication is complete and the association is formed. The random numbers used for nonces are not the same random numbers used for IVs.

Key management is a big problem with WEP because every host on the wireless network uses the exact same key to encrypt and decrypt, so anyone could decrypt traffic going to other devices as long as they knew how. Also, an uneducated but trustworthy person can give the key to another person, such as a friend or family member who has stopped by the office for a visit. That family member or friend can in turn give the same key to many other people and tell them where the office is, and they could connect to the wireless network, compromising its security. Keys should and MUST be rotated periodically so that people with old keys cannot connect to the wireless network.

Since there are only 16,777,216 possible IVs, a busy network will repeat IVs often. The IV is a random number between 0 and 16,777,216, and it is not truly random due to a flaw in the mechanism. For example, the letter A in the algorithm could always map to the letter W, so any time the attacker sees a W he knows it is really an A. A sniffer such as Airsnort picks out duplicated IVs and works out parts of the WEP key; with enough duplicate IVs the whole WEP key can be recovered.
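The encapsulation described above (ICV appended to the data, RC4 keyed with IV || shared key), the shared-key challenge/response, and the size of the 24-bit IV space can all be seen in one place with the following added example. It is not code from the original notes; it uses only the Python standard library (CRC-32 as the ICV, a plain RC4 implementation), the 40-bit key and frame contents are constructed, and iv_collision_probability applies the birthday bound to show how few frames it takes before a random IV repeats.

```python
import math
import secrets
import zlib
from typing import Optional

IV_SPACE = 1 << 24  # 16,777,216 possible 24-bit IVs


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling followed by keystream generation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, data: bytes) -> bytes:
    """WEP encapsulation: CRC-32 ICV appended to the data, then RC4(IV || key) XOR payload.
    The 3-byte IV travels in clear in front of the ciphertext."""
    if len(iv) != 3:
        raise ValueError("WEP IV must be 24 bits")
    icv = zlib.crc32(data).to_bytes(4, "little")
    payload = data + icv
    ks = rc4_keystream(iv + shared_key, len(payload))
    return iv + bytes(p ^ k for p, k in zip(payload, ks))


def wep_decrypt(shared_key: bytes, frame: bytes) -> Optional[bytes]:
    """Receiver side: read the clear IV, rebuild the keystream, check the ICV."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + shared_key, len(body))
    payload = bytes(c ^ k for c, k in zip(body, ks))
    data, icv = payload[:-4], payload[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        return None  # ICV mismatch: wrong key or modified frame
    return data


def shared_key_auth(station_a_key: bytes, station_b_key: bytes) -> bool:
    """Shared-key authentication: A sends a challenge nonce, B returns it WEP-encrypted,
    A decrypts and compares. The nonce is independent of the IV that B picks."""
    challenge = secrets.token_bytes(128)
    iv = secrets.token_bytes(3)
    response = wep_encrypt(station_b_key, iv, challenge)
    return wep_decrypt(station_a_key, response) == challenge


def iv_collision_probability(frames: int) -> float:
    """Birthday bound: probability that at least one IV repeats among `frames`
    frames sent with uniformly random 24-bit IVs."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * IV_SPACE))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")  # constructed 40-bit shared key
    frame = wep_encrypt(key, b"\x00\x00\x01", b"hello, wlan")
    print(wep_decrypt(key, frame))
    print(shared_key_auth(key, key))
    print(round(iv_collision_probability(4823), 3))
```

Around 4,800 frames already give a 50% chance of an IV repeat even with perfectly random IVs, which is why a busy network hands a passive listener duplicate keystreams so quickly; the CRC-32 ICV catches accidental corruption but is not a keyed integrity check.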

Attacks against WEP are passive, meaning the attacker simply puts his WLAN card in monitor mode. Passive WEP attacks are very difficult to detect.

Denial of Service attacks aim to prevent access to the network and its resources. They are difficult to protect against because there is a wide variety of DoS attacks that can be launched against a network. A typical DoS attack involves flooding the network with so much traffic that it chokes the transmission lines and prevents other users from accessing the network. DoS attacks can target many different layers of the network.

  • An application layer (OSI Layer 7) attack is accomplished by sending large numbers of requests to a network server such as a web server. The web server gets so slammed with requests that it can't serve any other users at that time. The goal of this attack is simply to deny service to the network server and its resources.

  • A DoS at layer 4 involves sending a crap load of SYN requests to the host PC. A SYN request is the first step in making a TCP connection. An operating system generally has a limit on how many TCP sessions it can process per second and a maximum it can maintain at once. A successful SYN attack leaves the host unable to access network resources because it cannot maintain or hold an active TCP connection with the server.

  • A network layer attack is accomplished by sending large amounts of data to the computer. For example, if a computer can only handle 10 Mbps and the attacker sends data at 100 Mbps, the slower PC is going to drop packets. The ping of death was an old-school way of causing a network layer DoS attack: the attacker sends large ping packets to the targeted PC repeatedly, generating massive amounts of ICMP traffic, which makes the CPUs in the networking equipment work harder and causes more and more problems. Here is an example that a friend and I have done in the past. Dan loves to play Counter-Strike and the server he wanted was full, so he sent a ping to the server. The ping was 65536 bytes worth of data. A PC can only handle its MTU, which is 1500. So the server saw that it had a huge amount of IP traffic to digest. The cool thing is that the server was set up so that any time there was a huge spike in IP congestion it would drop the person with the highest amount of LAG or LATENCY. The server thinks that the massive amount of IP traffic is another PC with high LATENCY, so it drops the PC that it thinks is causing this. Even though the PC that was dropped had a good connection, it was still dropped because of the DoS attack. Dan was then able to log into the server.
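From the defender's side, the layer 4 SYN attack shows up as handshakes that never complete. The following added example (not code from the original notes) takes a constructed connection log in which each line records the last handshake step seen for a flow, counts half-open connections per source and per destination, and flags both a single flooding host and a spoofed-source flood that only the per-destination view catches. The log format, thresholds and addresses are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line: str) -> Tuple[str, Flow, str]:
    """Parse 'HH:MM:SS src:sport dst:dport STAGE' where STAGE is the handshake step
    seen: S (client SYN), SA (server SYN/ACK) or A (client ACK, handshake done)."""
    ts, src, dst, stage = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return ts, Flow(sip, int(sport), dip, int(dport)), stage


def handshake_state(lines: Iterable[str]) -> Dict[Flow, str]:
    """Final handshake stage per flow; a flow left at S or SA is half-open."""
    state: Dict[Flow, str] = {}
    for line in lines:
        if line.strip():
            _, flow, stage = parse_line(line)
            state[flow] = stage
    return state


def half_open_counts(lines: Iterable[str]):
    """Half-open connections grouped by source IP and by destination IP."""
    by_src: Dict[str, int] = defaultdict(int)
    by_dst: Dict[str, int] = defaultdict(int)
    for flow, stage in handshake_state(lines).items():
        if stage in ("S", "SA"):
            by_src[flow.src] += 1
            by_dst[flow.dst] += 1
    return dict(by_src), dict(by_dst)


def detect_syn_flood(lines, src_threshold: int = 50, dst_threshold: int = 100):
    """Sources exceeding the per-source bound are single floods; a destination
    exceeding its bound with no single heavy source points at spoofed SYNs."""
    by_src, by_dst = half_open_counts(lines)
    return {
        "sources": sorted(s for s, n in by_src.items() if n >= src_threshold),
        "destinations": sorted(d for d, n in by_dst.items() if n >= dst_threshold),
    }


# Constructed sample log: one normal client, one slow client, one flooding host,
# and sixty one-SYN-each spoofed sources aimed at the same server.
SAMPLE_LOG = (
    ["10:00:01 10.0.0.5:51000 192.168.1.10:80 S",
     "10:00:01 10.0.0.5:51000 192.168.1.10:80 SA",
     "10:00:01 10.0.0.5:51000 192.168.1.10:80 A",
     "10:00:03 10.0.0.6:51200 192.168.1.10:80 S",
     "10:00:03 10.0.0.6:51200 192.168.1.10:80 SA"]
    + [f"10:00:05 203.0.113.7:{40000 + i} 192.168.1.10:80 S" for i in range(120)]
    + [f"10:00:06 198.51.100.{i}:4444 192.168.1.10:443 S" for i in range(1, 61)]
)

if __name__ == "__main__":
    print(detect_syn_flood(SAMPLE_LOG))
```

A real deployment would feed this from the firewall's connection tracking or an IDS flow log and evaluate it per time window; the key point is that half-open counts, not raw packet counts, are the signal, and that the destination-side count is what reveals a flood whose sources are spoofed.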

There are also wireless DoS attacks that can be performed on a Wi-Fi network. Since the wireless signal can be picked up outside a building, it is a lot easier to perform a DoS attack on Wi-Fi than on an Ethernet network. With Ethernet networks you have to be physically attached to the network by hooking a Cat5 cable up to your NIC. With Wi-Fi, the network is everywhere, because the radio signal is radiated from the antennas. Physical attacks on a Wi-Fi network are performed by RF jamming, or frequency jamming: a simple, inexpensive device outputs noise and saturates the wireless network with so much of it that the clients go offline because they cannot pick up a valid network signal.

There are several common household items that can create noise and interfere with a wireless network. A 2.4 GHz cordless phone will generate noise and shut down a Wi-Fi network, and a microwave can do the same thing. If you have a cordless phone, just switch to a different channel and frequency.

Another type of attack on a wireless network is a data link DoS. This is when an Access Point has two antennas: antenna A is sending traffic to room A and antenna B is sending to room B. Client BB in room B changes his MAC to match client AA in room A. BB can now move closer to the AP or use an amplifier and kick AA off the network, because since BB's signal is stronger, antenna A is now going to send data to BB's MAC. (802.11 security page 22)

If you know the SSID of a network, you can set up a hidden AP with the same SSID and use a directional antenna, or an antenna with a stronger output level, to ensure that all clients with that SSID send their traffic to it. The hidden AP can monitor all the traffic the clients send to it, or you can configure it to drop the packets.

Man-in-the-middle attacks are accomplished by a technique called ARP poisoning. In order to understand ARP poisoning, you need to understand how a switch works. A switch sends frames to a host based on the switch's CAM table. The CAM table lists the source MAC addresses of all the PCs connected to it. When a switch receives a packet from a router and needs to send it to a host, the switch looks in its CAM table for the MAC address that belongs to the IP address of the packet's destination. A switch builds its CAM table by a process called ARP. With the Address Resolution Protocol, the switch sends an ARP flood out ALL its ports, asking all hosts to reply with their MAC addresses. When a router sends the switch a packet with an IP address and the switch does not have a matching MAC for that IP in its CAM table, it sends an ARP request out all ports and waits for the reply. When the host that has that IP address replies, it sends an ARP reply with its MAC address. If a switch has two entries for the same MAC, it uses the most current one based on time stamps. ARP poisoning is when an attacker puts a machine on the network and clones his MAC to match one of the others on the network, then alters the timing of the ARP replies so that his MAC becomes the most current MAC in the switch's CAM table, allowing him to manipulate frames.
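The "most current entry wins" behaviour described above is exactly what a defender can watch for: an IP that suddenly answers from a different MAC, or one MAC claiming several IPs. The following added example (not code from the original notes, and not an existing tool) keeps its own IP-to-MAC table, pins the gateway as a static entry that ARP replies can never overwrite, and raises alerts on the patterns a poisoning attempt produces. The ARP reply records and addresses are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Alert = Tuple[str, str, str, str, str]  # (time, kind, ip, previous_mac, new_mac)


class ArpWatch:
    """Tracks IP-to-MAC bindings seen in ARP replies and raises alerts on the
    patterns ARP poisoning produces. Static entries are pinned and never overwritten."""

    def __init__(self, static: Dict[str, str]):
        self.static = {ip: mac.lower() for ip, mac in static.items()}
        self.table: Dict[str, str] = dict(self.static)
        self.mac_claims: Dict[str, Set[str]] = defaultdict(set)
        self.alerts: List[Alert] = []

    def observe(self, ts: str, ip: str, mac: str) -> bool:
        """Process one ARP reply; return True if the table accepted the binding."""
        mac = mac.lower()
        known = self.table.get(ip)
        # A known IP suddenly answering from a different MAC
        if known is not None and known != mac:
            kind = "static-conflict" if ip in self.static else "flip-flop"
            self.alerts.append((ts, kind, ip, known, mac))
        # One interface claiming several IPs
        self.mac_claims[mac].add(ip)
        if len(self.mac_claims[mac]) > 1:
            self.alerts.append((ts, "mac-reuse", ip, known or "", mac))
        if ip in self.static:
            return mac == self.static[ip]  # pinned: reply cannot change it
        self.table[ip] = mac  # dynamic entry follows the latest reply, as a host would
        return True

    def alert_kinds(self) -> List[str]:
        return [a[1] for a in self.alerts]


STATIC_ARP = {"192.168.1.1": "00:11:22:33:44:01"}  # constructed: pinned gateway

SAMPLE_ARP_REPLIES = [  # constructed: (time, sender IP, sender MAC)
    ("10:00:00", "192.168.1.1", "00:11:22:33:44:01"),
    ("10:00:05", "192.168.1.20", "00:11:22:33:44:20"),
    ("10:01:00", "192.168.1.1", "DE:AD:BE:EF:00:01"),   # gateway "moves" to a new MAC
    ("10:01:02", "192.168.1.20", "de:ad:be:ef:00:01"),  # same MAC now also claims a host
]


def run_watch(replies, static=STATIC_ARP) -> ArpWatch:
    watch = ArpWatch(static)
    for ts, ip, mac in replies:
        watch.observe(ts, ip, mac)
    return watch


if __name__ == "__main__":
    for alert in run_watch(SAMPLE_ARP_REPLIES).alerts:
        print(alert)
```

The static entry is the software equivalent of the static ARP recommendation later in these notes: the gateway binding is fixed by the administrator, so a forged reply for it produces an alert instead of a table change.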

There are a few authentication types used in wireless security. Link layer authentication is part of 802.1X, which is based on EAP, the Extensible Authentication Protocol. Link layer authentication is port-based security on the AP: once the “virtual network port” on the AP has been associated with the client, other security protocols can be used to authenticate to the network and the AP. 802.1X is often used to refer to any one of the authentication types carried over EAP. EAP is also known as WPA Enterprise. 802.1AE is MAC security, such as MAC filtering.

Securing a wireless network can be tough for security professionals because many of them fall into the trap of knowing more theory than hands-on practice. Securing a network from all types of threats is great, but it is more important to consider the risk associated with each type of attack and figure out what to do when that type of attack happens. For example, if an attacker uses your AP to hack a system and the ISP files a lawsuit against you because it originated from the IP address assigned to your AP, what are you going to do? How will you pay for that? Do you have money set aside for such scenarios? You have to think about “what if” situations, because “what ifs” are very real and can happen to anyone. An attacker doesn't go after your company because of what you have on your servers, such as passwords, IDs, emails or database transactions; they go after you because you are simply running a vulnerable service that is easy to break. Here are some things to think about when securing your network.

  • How vulnerable is my network and its assets?

  • Do I have countermeasures in place, such as money set aside for lawsuits, lawyers and other measures? Place microwaves away from Access Points.

  • How well does our IDS/IPS perform? Do we have enough physical security and full-time security systems that will detect attackers? How good are my lawyers?

Probably the most important part of wireless security is the station, or PC, itself. The reason is that a PC or station holds many valuable resources such as proprietary company documents, online transactions, personal information and so on. Stations generate most of the traffic on a network, from email to browsing the Internet to instant messaging. If a station is insecure, your whole network is insecure. Wireless networks are like chains: they are only as strong as the weakest link. Most attacks on a wireless network are targeted at insecure stations. Insecure stations are used by normal everyday users and not by a team of professional IT engineers, so they may not be under the same scrutiny as a file server or a firewall would be. Unfortunately, an insecure station can be an excellent way to bring down an entire infrastructure.

There are two main client security goals that an IT engineer would implement for station security. The first is preventing a compromise of the client itself (the station, not the person). A compromise is when someone steals or corrupts data on that station, either by physically being there or by somehow cracking into the station and manipulating it. The other goal is using secure methods for communication between clients, and from clients to servers, across a single network or multiple networks. Using communication methods such as SSL and SSH for remote access or for sending data to and from stations is one way to communicate more safely between networks and resources.

To prevent access to clients, a firewall such as Smoothwall (www.smoothwall.org) is put in place in front of the network. A FW, short for firewall, is used to block incoming connections to the network and allow only certain incoming connections. A good practice for a FW is to have it block all incoming connections by default and then have the administrator configure it to allow only the ones needed. Allowing all outbound traffic is OK. Connections from one wireless client directly to another should also be blocked. If a client has to speak with either another client or a server within the DMZ (ORANGE), then a “pinhole” should be created for the wireless network (PURPLE) to communicate with the DMZ. A “pinhole” is where the admin configures the FW to allow a source IP to talk to a destination IP. I'm not entirely sure, but I think you can have pinholes set up so that they use secure communication methods like SSH, SSL or even IPSec VPN. I think with a FW you can even have it block wired clients from talking to other wired clients within the local network (GREEN). For remote administration, ONLY allow one or two external IPs permission to enter the FW for administration.
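The policy in this paragraph (default deny inbound, outbound allowed, wireless clients isolated from each other and from GREEN/ORANGE except through explicit pinholes, administration only from a couple of external addresses) can be written down as an ordered rule evaluator. The following is an added example, not Smoothwall's own rule engine or configuration; the zone subnets, the firewall's external address, the admin source and the single pinhole are constructed, and the Smoothwall colour names are kept only as labels.

```python
import ipaddress
from typing import Set, Tuple

# Constructed zone layout, labelled with the colour names used in these notes
ZONES = {
    "GREEN": ipaddress.ip_network("192.168.0.0/24"),   # wired LAN
    "ORANGE": ipaddress.ip_network("192.168.1.0/24"),  # DMZ
    "PURPLE": ipaddress.ip_network("192.168.2.0/24"),  # wireless
}
FIREWALL_EXTERNAL_IP = "198.51.100.1"           # constructed
ADMIN_SOURCES: Set[str] = {"203.0.113.50"}     # the only external IPs allowed to administer
# Pinholes: (source IP, destination IP, destination port); constructed entry lets one
# wireless client reach an HTTPS server in the DMZ and nothing else.
PINHOLES: Set[Tuple[str, str, int]] = {("192.168.2.10", "192.168.1.5", 443)}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "RED"  # everything else is the Internet


def decide(src: str, dst: str, dport: int) -> Tuple[str, str]:
    """First matching rule wins; the fall-through is deny. Returns (verdict, rule name)
    so a log line can say which rule produced the decision."""
    s, d = zone_of(src), zone_of(dst)
    if dst == FIREWALL_EXTERNAL_IP and dport == 22:
        if src in ADMIN_SOURCES:
            return "allow", "admin-ssh"
        return "deny", "admin-ssh-unknown-source"
    if (src, dst, dport) in PINHOLES:
        return "allow", "pinhole"
    if s == "PURPLE" and d == "PURPLE":
        return "deny", "wireless-client-isolation"
    if s == "PURPLE" and d in ("GREEN", "ORANGE"):
        return "deny", "wireless-needs-pinhole"
    if d == "RED" and s != "RED":
        return "allow", "outbound"
    if s == "GREEN" and d == "ORANGE":
        return "allow", "lan-to-dmz"
    return "deny", "default-deny"  # covers all unsolicited inbound from RED


if __name__ == "__main__":
    for pkt in [("192.168.2.10", "192.168.1.5", 443), ("192.168.2.10", "192.168.1.5", 80),
                ("203.0.113.9", "192.168.0.5", 445), ("203.0.113.50", FIREWALL_EXTERNAL_IP, 22)]:
        print(pkt, decide(*pkt))
```

The order matters: the pinhole is checked before the wireless-isolation rules, so it is the only way PURPLE reaches ORANGE, and anything from RED that is not the admin exception falls through to the default deny at the bottom.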

In addition to the FW, all unneeded services should be disabled on the client. If a service needs to be enabled, set up FW rules so that the traffic to that service is allowed. It is vital that ALL exposed services are running up-to-date software with current updates so that a particular service is not compromised. Using static ARP will help protect the network from man-in-the-middle attacks, because the host won't be able to modify its ARP table if a malicious ARP message is sent (see the man-in-the-middle section above).

Security updates should be downloaded from the vendors' own websites. These updates ensure that all software is current and that security risks are lessened. Make a habit of performing these updates regularly. Also check the system and security logs of each computer and of the FW. These logs can provide notification of attempted security breaches, and of attempted or successful compromises of the system's security.

Secure communication is just as important as host security. The manner in which you access data or services across the network is vital to keeping users' and business partners' private information secure. WEP is a very insecure way of securing a wireless network. An attacker can crack a WEP key in less than 3 minutes using a program such as Airsnort; it only takes a million unique data packets from a Wi-Fi network to break the key. Depending on how busy the network is, it can take anywhere from 3 minutes to 8 hours if there is nobody on the wireless medium. No matter how “fire” proof your FW is, there are still security leaks. IMAP for email sends usernames and passwords in clear text; someone with physical access to your network can use Wireshark and view those emails along with the usernames and passwords. In order for sensitive data to be protected, you have to encrypt it at a higher level in the stack. This means encrypting the data a second or even a third time. Don't let the wireless encryption protocols be the first and last line of defense. For example, instead of using telnet to connect and make a session with the NDS server in the computer room, it would be safer and more secure to use SSH (Secure Shell) to make the connection. So your first defense would be the FW stopping incoming traffic, the second line of defense a wireless encryption and authentication method for the wireless medium, and the third secure communication within the network for safer and more reliable data security. There are many methods used to secure data within the network. I will briefly describe a few of them in the next section.

SSL

Secure Socket Layer (SSL) is a method of secure communication whose confidentiality is based on public-key cryptography. SSL is historically associated with secure HTTP (HTTPS). The cool thing about SSL is that any protocol can be encapsulated within SSL for secure network transmission. SSL works great with web traffic and even email, such as IMAP over SSL. A user must be careful when authenticating with a server on the Internet, such as a web-based email site or even sites like Newegg. When a user enters their login information, it is sent across the wireless medium to the router and from there to the website. Make sure the site is using HTTPS when logging in; if it is not, your info will be in clear text.

Using IMAP over SSL is a good practice to keep people's email private from anybody who may be sniffing the line. Email is sent in clear text across the wires and Wireshark can and will pick it up. Using SSL encrypts the email messages. However, using SSL in a high-volume mail system can put a heavy load on the mail server. You can use SMTP over SSL, but no login information is sent when using SMTP to get your email. Using SMTP is not a common practice.

SSH

Secure Shell is a secure replacement for the r-commands such as rlogin, rcmd, and rshell. SSH uses public keys just like SSL. SSH SHOULD always be used when logging into a remote machine over the wireless network. When SSH is used properly, it ensures that the data and login credentials are kept secure. SSH also provides tunneling and can forward other ports. For example: a user's machine requests its mail on port 143. The user's machine forwards the request to port 22 and creates an SSH tunnel across the wireless network; the mail server receives on port 22 and forwards the request to port 143. (page 36 802.11 security.)

There are many security protocols and authentication methods for wireless security. IPSec (IP Security) is one very powerful protocol that, if properly used, can provide a very high degree of security, integrity and confidentiality, which a wireless network otherwise lacks.

Even though IPSec is very powerful, it can be very difficult to set up and configure. Sometimes it is worth the trouble to have the extra security that IPSec has to offer. An IPSec VPN is where you have a separate network for your wireless outside the FW. The hosts can browse the Internet, but they cannot access the LAN unless they go through a VPN tunnel. The Smoothwall firewall uses this idea by default: it is set up so that the PURPLE network cannot talk to any internal network unless a pinhole is made.

There are two modes for IPSec. The first mode is called Transport mode:

  1. Transport mode is used to send secure data from node to node. It cannot pass through switches or any other devices. Transport mode adds a new header to the original IP packet to allow cryptographic functions to be applied to the IP packet.

  2. IPSec can also be placed in Tunnel mode. Tunnel mode encapsulates the entire IP packet inside another IP packet to ensure that ALL data is encrypted. This allows a gateway or router to provide IPSec protection throughout the entire network, since the inner IP header is left the same and none of the IP information is changed.

Tunnel mode has two types of protocols. The Authentication Header (AH) provides authentication in order for traffic to flow back and forth between devices; AH does not secure or protect the data or keep it private. Encapsulating Security Payload (ESP) is what protects, secures, and keeps the data private. ESP and AH can be used on their own or in conjunction with each other. Given the nature of a wireless network and its lack of security, it is highly recommended that you implement BOTH protocols to ensure the safety and security of your data.

A security association (SA) is an underlying relationship between two IPSec peers. In order for traffic to flow back and forth within the network, an SA must exist for each direction. The SA includes information about the link, what type of connection exists, what cryptographic algorithms are being used and the keys that are being used. Setting up SAs is an annoying task: you have to set up each host on the network with keys and all the other info. Thankfully there is a software solution to this problem. The Internet Key Exchange (IKE) can handle the creation of SAs and keys for us. It can become very difficult and frustrating to use IKE when integrating two IPSec implementations. With wireless networks, keep it simple: MAKE sure EVERYTHING works first with the VPN tunnels and THEN fine-tune IKE.
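The pieces introduced in the last few paragraphs, transport versus tunnel mode, an ESP-style wrapper with an AH-style keyed integrity check, and a one-direction SA identified by its SPI and carrying keys and a sequence number, fit together in the following added example. It is a teaching model written for these notes, not an IPSec implementation and not Smoothwall's VPN code: the IP packets are simplified to a textual header, the cipher is a toy HMAC-SHA256 counter-mode keystream standing in for the SA's negotiated cipher, and all addresses, SPIs and keys are constructed. What it does show faithfully is the header layout difference between the two modes, the per-direction SA, and the receiver rejecting wrong-SPI, replayed and tampered frames.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class SecurityAssociation:
    """One direction of traffic. Peers agree on these values out of band (or via IKE);
    the receiver looks the SA up by SPI."""
    spi: int
    enc_key: bytes
    auth_key: bytes
    seq: int = 0        # sender: last sequence number used
    last_seen: int = 0  # receiver: highest sequence number accepted (anti-replay)


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy cipher (HMAC-SHA256 in counter mode) standing in for the SA's real cipher."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def ip_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Simplified IP packet: textual header 'src>dst', a '|' separator, then the payload."""
    return f"{src}>{dst}|".encode() + payload


def split_ip(pkt: bytes) -> Tuple[str, bytes]:
    header, payload = pkt.split(b"|", 1)
    return header.decode(), payload


def esp_protect(sa: SecurityAssociation, inner: bytes) -> bytes:
    """ESP-style wrapper: SPI | seq | ciphertext | ICV. The ICV is an AH-like keyed
    digest over SPI, seq and ciphertext, so integrity is checked before decryption."""
    sa.seq += 1
    hdr = struct.pack(">II", sa.spi, sa.seq)
    ct = bytes(a ^ b for a, b in zip(inner, keystream(sa.enc_key, hdr, len(inner))))
    icv = hmac.new(sa.auth_key, hdr + ct, hashlib.sha256).digest()[:16]
    return hdr + ct + icv


def esp_unprotect(sa: SecurityAssociation, esp: bytes) -> Optional[bytes]:
    """Reject wrong-SPI, replayed and tampered frames; otherwise return the inner bytes."""
    if len(esp) < 24:
        return None
    hdr, ct, icv = esp[:8], esp[8:-16], esp[-16:]
    spi, seq = struct.unpack(">II", hdr)
    if spi != sa.spi or seq <= sa.last_seen:
        return None
    expected = hmac.new(sa.auth_key, hdr + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expected):
        return None
    sa.last_seen = seq
    return bytes(a ^ b for a, b in zip(ct, keystream(sa.enc_key, hdr, len(ct))))


# Transport mode: the original IP header stays in clear; only the payload is wrapped.
def transport_protect(sa: SecurityAssociation, pkt: bytes) -> bytes:
    header, payload = split_ip(pkt)
    return f"{header}|".encode() + esp_protect(sa, payload)


def transport_unprotect(sa: SecurityAssociation, pkt: bytes) -> Optional[bytes]:
    header, esp = split_ip(pkt)
    payload = esp_unprotect(sa, esp)
    return None if payload is None else f"{header}|".encode() + payload


# Tunnel mode: the whole original packet, header included, is wrapped and carried
# inside a new packet addressed between the two gateways.
def tunnel_protect(sa: SecurityAssociation, pkt: bytes, gw_src: str, gw_dst: str) -> bytes:
    return ip_packet(gw_src, gw_dst, esp_protect(sa, pkt))


def tunnel_unprotect(sa: SecurityAssociation, outer: bytes) -> Optional[bytes]:
    _, esp = split_ip(outer)
    return esp_unprotect(sa, esp)


def make_sa_pair(spi: int, enc_key: bytes, auth_key: bytes):
    """Sender-side and receiver-side copies of the same one-direction SA.
    Traffic the other way needs a second SA with its own SPI and keys."""
    return (SecurityAssociation(spi, enc_key, auth_key),
            SecurityAssociation(spi, enc_key, auth_key))


if __name__ == "__main__":
    snd, rcv = make_sa_pair(0x1001, b"k" * 16, b"a" * 16)  # constructed keys
    pkt = ip_packet("192.168.2.10", "192.168.0.5", b"GET / HTTP/1.0")
    outer = tunnel_protect(snd, pkt, "198.51.100.1", "203.0.113.1")
    print(split_ip(outer)[0], tunnel_unprotect(rcv, outer))
```

Compare the two headers on the wire: in transport mode the real source and destination are still readable on the wireless medium, while in tunnel mode only the gateway addresses are, which is why the notes recommend tunnel mode between stations and the gateway.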

NOTE: IKE USES UDP PORT 500. MAKE SURE YOUR FIREWALL IS SET UP TO ALLOW PORT 500 SO THAT HOSTS CAN SET UP AN IPSEC CONNECTION.

In a general-purpose wireless network, the wireless medium is the least trustworthy part of the entire flow of data between two hosts. To overcome this, IPSec can be run on all stations in tunnel mode with ESP and AH, for both authentication and confidentiality. Even if an attacker were to break your WEP key, he would not be able to see any data, because it is all going through the tunnel; the only thing he could do is browse the Internet. Since the firewall allows only machines with the right SA and keys through, anyone without those SAs and keys cannot send or receive any encrypted traffic. Since the SAs and keys are what make an end-to-end secure connection between two hosts, each host has to be manually configured with the right SA and key information.

Notice in the diagram below that the wireless network (PURPLE) is on its own network. As stated earlier, the PURPLE network cannot talk to anyone on the GREEN (local) network unless a pinhole is made. You can use an IPSec VPN with Smoothwall for better security.

A captive portal is a router or gateway that will not allow any traffic to pass until authentication takes place. These are deployed in places such as hotels and airports, where you have to pay the portal server for access in order to reach the Internet. The operation of a portal server breaks down into a few simple steps:

  1. Assign a new computer on the network an IP address via DHCP.

  2. Block all traffic, except to the captive server.

  3. Redirect any web traffic the new user attempts and send it to the captive portal server.

  4. Display the terms of service and use, billing information and/or a login screen.

  5. Once the user has agreed to the terms of service or logged in, allow them access.

  6. Optionally: When some defined amount of time has passed, remove their access.
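The six steps above map onto a small state machine per client, which the following added example implements (it is not NoCat, WiCap or any other project's code). The portal address, address pool, session length and the guest account are constructed; time is passed in explicitly so that the optional expiry in step 6 can be exercised without waiting. The same class runs as an open portal (terms only) or, when given an account table, as a closed one.

```python
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

PORTAL_IP = "10.10.0.1"  # constructed: the gateway/portal server address


@dataclass
class Client:
    mac: str
    ip: str
    authorized_until: Optional[float] = None  # absolute time in seconds, None = not logged in


class CaptivePortal:
    """Steps 1-6 of the portal flow. `accounts` None = open portal (terms only);
    a dict of username -> password = closed portal."""

    def __init__(self, pool: str = "10.10.0.0/24", session_seconds: int = 3600,
                 accounts: Optional[Dict[str, str]] = None):
        hosts = ipaddress.ip_network(pool).hosts()
        self._free = (str(h) for h in hosts if str(h) != PORTAL_IP)
        self.session_seconds = session_seconds
        self.accounts = accounts
        self.clients: Dict[str, Client] = {}

    def dhcp_assign(self, mac: str) -> str:
        """Step 1: hand a new device an address from the pool (idempotent per MAC)."""
        if mac not in self.clients:
            self.clients[mac] = Client(mac, next(self._free))
        return self.clients[mac].ip

    def is_authorized(self, mac: str, now: float) -> bool:
        c = self.clients.get(mac)
        return c is not None and c.authorized_until is not None and now < c.authorized_until

    def policy(self, mac: str, dst_ip: str, dst_port: int, now: float) -> str:
        """Steps 2, 3 and 6: verdict for one packet: allow, redirect (to the portal) or drop."""
        if mac not in self.clients:
            return "drop"
        if self.is_authorized(mac, now):
            return "allow"            # step 5 outcome; step 6 is the time check above
        if dst_ip == PORTAL_IP:
            return "allow"            # step 2: the portal server itself is always reachable
        if dst_port == 80:
            return "redirect"         # step 3: plain web traffic goes to the portal page
        return "drop"                 # step 2: everything else is blocked

    def login(self, mac: str, now: float, accepted_terms: bool = False,
              username: str = "", password: str = "") -> bool:
        """Steps 4 and 5: the user accepts the terms (and, for a closed portal, logs in)."""
        c = self.clients.get(mac)
        if c is None or not accepted_terms:
            return False
        if self.accounts is not None:
            if not hmac.compare_digest(self.accounts.get(username, ""), password):
                return False
        c.authorized_until = now + self.session_seconds
        return True


if __name__ == "__main__":
    portal = CaptivePortal()
    mac = "aa:bb:cc:00:00:01"  # constructed client
    print(portal.dhcp_assign(mac))
    print(portal.policy(mac, "203.0.113.9", 80, now=0))
    print(portal.login(mac, now=0, accepted_terms=True))
    print(portal.policy(mac, "203.0.113.9", 443, now=10))
```

Only HTTP on port 80 can be redirected, since the portal has to be able to answer the client's request; anything else from an unauthenticated client is dropped, which is why users usually see the portal page only after opening a plain http:// site.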

There are many ways of using a captive portal. Closed captive portals limit access to users who have a username and password, or who have paid and received a username and password from the administrator or the service desk at a hotel or airport. Open captive portals only require the terms of service to be accepted before any access is granted; no payment is required. There are some open source captive portal projects deployed on Linux and BSD servers. NoCat and WiCap are two of the most popular. NoCat is by far the most robust, but with its robustness comes complexity during configuration. NoCat supports both open and closed portal modes along with central authentication servers. WiCap is much simpler: it is written as Perl scripts for OpenBSD, only runs as an open captive portal, and offers time-limited access.