Introduction Wireless Security
Arshad Hussain
Tel: (732) 420-5915
Email: [email protected]: http://www.4a-att.org/National/notices/sj_20061102.html
Page 2
[email protected] November 2, 2006
IEEE 802.11 – OSI model
Application
Presentation
Session
Transport
Network
Data Link
Physical
LLC Layer (802.2)
MAC Layer 802.11
• CSMA
• Virtual collision Detection
• Asynchronous Service
• Error Correction, Roaming, etc.
Physical Layer Radio (802.11)
• 2.4GHz band
• DSSS & FHSS
• 1 – 2 Mbps
• 10 – 500 meters transmission range
802.11 in the OSI model
Page 4
Wireless Technologies
[Figure: wireless technologies plotted by bandwidth (0.5, 1, 2, 11, 54 Mbps) against range (10m, 30m, 100m, >400m). Technologies shown: BT, HomeRF, 802.11b DS, 802.11a, DS & FH, BRAN & HiPER LAN, UMTS. Region labels: Short range connectivity for portables, WLAN Multimedia, WLAN Broadband, WLAN High-speed, Wireless WAN.]
Page 5
5GHz vs. 2.4GHz
The Better Spectrum Band for Wireless LANs
• 2.4GHz Band
  – Most LANs operate in this unlicensed band
  – Several limitations
    • Only 80MHz wide
    • Mandates use of spread spectrum technology
    • WLAN users must not interfere with primary license holders
• 5GHz Band
  – Developed after recognition of the limitations of 2.4GHz band
  – Licensing authorities around the world have allocated large blocks of spectrum in the 5GHz band
  – Broad blocks of spectrum & lenient operating rules enable high-speed operation by large numbers of users
Page 6
IEEE 802.11 PHY Layer
• At the PHY layer, IEEE 802.11 defines three physical characteristics for wireless LANs
  – Diffused infrared operating at baseband
  – DSSS operating at 2.4 GHz band – used in IEEE 802.11b
  – FHSS operating at 2.4 GHz band – speed limited to 2Mbps
• The original 802.11 standard supported 1Mbps & 2Mbps data rates
  – All 11 Mbps radios are DSSS
  – Choice between FHSS & DSSS depends on the user's applications & the environment in which the system will be operating
  – Remember DSSS and FHSS are not compatible with each other
  – Using the frequency hopping technique:
    • The 2.4 GHz band is divided into 75 1-MHz subchannels.
    • The sender and receiver agree on a hopping pattern, and
    • Data is sent over a sequence of the subchannels.
Page 7
IEEE 802.11 PHY Layer
• Using the Direct Sequence technique:
  – The direct sequence signaling technique divides the 2.4 GHz band into 14 22-MHz channels.
  – Adjacent channels overlap one another partially, with three of the 14 being completely non-overlapping.
  – Data is sent across one of these 22 MHz channels without hopping to other channels.
Page 8
IEEE 802.11 WLAN Types
• IEEE 802.11 a
  – PHY layer: 5 GHz, OFDM
  – Data rate: 54 Mbps
• IEEE 802.11 b
  – PHY layer: 2.4 GHz, DSSS
  – Data rate: 11 Mbps
  – Wireless version of the IEEE 802.3 wired Ethernet
• IEEE 802.11 g
  – PHY layer: 2.4 GHz, DSSS
  – Data rate: 6 - 54 Mbps
  – Designed to provide higher speeds and range for 802.11b
Page 9
Wireless Networking Technology Comparison

WLAN Technology | Standards body | PHY Layer | Data Rate (Mbps) | Range (meters) | Frequency (GHz) | Channels (width)
IEEE 802.11a    | IEEE           | OFDM      | 54               | TBD            | 5               | 8 (20MHz)
IEEE 802.11b    | IEEE           | DSSS      | 11               | 100            | 2.4             | 3 (5.5, 2, 1Mbps)
IEEE 802.11g    | IEEE           | DSSS/OFDM | 6 - 54           | 150            | 2.4             | 3 (5.5, 2, 1Mbps)

DSSS – Direct Sequence Spread Spectrum
FHSS – Frequency Hopping Spread Spectrum
OFDM – Orthogonal Frequency Division Multiplexing
Page 11
Typical WLAN Configuration
[Figure: wired LAN, hub and access point. Labels: "No security or security provided thru other means" and "802.11 Security".]
Page 12
IEEE 802.11 Security
Review How Wired-LANs Work
– Wired networks can have a physically secure transmission medium
– Access to the network is easily controlled
• Wireless network is more difficult to secure
  – Since the transmission medium is open to anyone within the geographical range of a transmitter
  – Data privacy is accomplished over a radio medium using encryption & authentication
    • Encryption comes at increased cost and decreased performance
Page 13
IEEE 802.11 Security
WEP Privacy Mechanism
• Provides encryption
  – Uses RSA Data Security Inc.'s 40-bit RC4 algorithm for encrypting data (plain text) contained in the frames
• Provides protection against unauthorized data modification
  – Integrity algorithm (CRC-32) operates on the plaintext to produce the integrity check value
  – Produces the ciphertext
• 802.11 Selected WEP Protocol
  – Reasonably strong
  – Self synchronizing
  – Computationally efficient
  – Exportable outside the US
  – Optional - Defined as an optional functionality of the MAC
Page 14
IEEE 802.11 Security
Review How WLANs Work
– A WLAN uses radio waves to communicate among devices.
– An access point (AP) with an antenna is physically connected to a conventional wired Ethernet network and serves as a bridge to the wireless network.
– Up to approximately 150 feet, a Wi-Fi 802.11b WLAN typically can deliver broadband performance with a signaling speed of up to 11 Mbps.
– Beyond that distance, it can operate at fallback speeds of 5.5 Mbps, 2 Mbps and 1 Mbps.
  • At these lower speeds the signal can travel as far as 1,500 feet.
– Actual performance depends upon the signal pattern and the number of walls, floors and other architectural obstacles in the area.
– IEEE 802.11a WLANs can achieve speeds of up to 54 Mbps within a somewhat reduced range.
Page 15
IEEE 802.11 Security
Review How WLANs Work
– In order to indicate its presence to wireless clients in its listening area, an AP announces itself by beaconing, or broadcasting, a Service Set Identifier (SSID) approximately 10 times per second.
– The SSID identifies the name of the network.
– PCs that are within range and equipped with a wireless network interface card can
  • Receive the SSID,
  • Associate with the WLAN and request an IP address that will allow them to connect to the local network, surf the Internet, and view network folders.
• The Challenge
  – The open broadcast of the SSID and the ease with which a mobile PC can associate with an unsecured WLAN
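
What a beacon exposes to any listener in range, and how an access point discovery sweep can use it: an added Python example, not part of the original slides. The sample frame, the BSSID inventory and the finding names are constructed for illustration.

```python
import struct

# Constructed sample beacon (24-byte MAC header + body), not a real capture.
SAMPLE_BEACON = bytes.fromhex(
    "80000000" "ffffffffffff" "020000000001" "020000000001" "0000"  # header
    "0000000000000000" "6400" "0100"  # timestamp, interval=100 TU, capability=ESS
) + b"\x00\x07corpnet" + b"\x03\x01\x06"  # SSID element, DS channel element

PRIVACY_BIT = 0x0010  # capability bit an AP sets when encryption (WEP) is required


def parse_beacon(frame: bytes) -> dict:
    """Extract what an AP announces in the clear in each beacon."""
    if len(frame) < 36 or frame[0] != 0x80:
        raise ValueError("not a beacon frame")
    interval_tu, capability = struct.unpack_from("<HH", frame, 32)
    if interval_tu == 0:
        raise ValueError("invalid beacon interval")
    info = {
        "bssid": frame[16:22].hex(":"),
        "ssid": "",
        "channel": None,
        "beacons_per_second": round(1_000_000 / (interval_tu * 1024), 2),
        "privacy": bool(capability & PRIVACY_BIT),
    }
    pos = 36
    while pos + 2 <= len(frame):  # walk the tagged information elements
        elem_id, length = frame[pos], frame[pos + 1]
        data = frame[pos + 2 : pos + 2 + length]
        if len(data) < length:
            raise ValueError("truncated information element")
        if elem_id == 0:  # SSID; a hidden SSID is empty or all NUL bytes
            info["ssid"] = data.decode("utf-8", "replace").strip("\x00")
        elif elem_id == 3 and length == 1:  # DS parameter set: current channel
            info["channel"] = data[0]
        pos += 2 + length
    return info


def assess(info: dict, authorized_bssids: set) -> list:
    """Findings for an access point discovery sweep (illustrative policy)."""
    findings = []
    if info["bssid"] not in authorized_bssids:
        findings.append("unauthorized access point")
    if not info["privacy"]:
        findings.append("no encryption advertised")
    if info["ssid"]:
        findings.append("SSID broadcast enabled")
    return findings
```

A beacon interval of 100 time units (1024 microseconds each) gives the roughly 10 beacons per second mentioned on the slide.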
Page 16
IEEE 802.11 Security
Security - Authentication
– Means by which one station is verified to have authorization to communicate with a second station in a given coverage area
– In the infrastructure mode, authentication is established between an access point (AP) and each station
802.11 Authentication
Open System Auth
• 1-stage challenge response
• Non-Cryptographic (No RC4)
Shared-Key Auth
• 2-stage challenge response
• Cryptographic (uses RC4)
• Shared key provides auth
Page 17
IEEE 802.11 Security
Security - Encryption
– Intended to provide wired-LAN compatible security
– In IEEE 802.11 the Wired Equivalent Privacy (WEP) feature uses the RC4 PRNG algorithm from RSA Data Security
– The WEP algorithm was intended to be
  • Reasonably strong
  • Self-synchronizing
  • Computationally efficient
  • Exportable
  • Optional
• Encryption comes at increased cost & decreased performance
Page 18
IEEE 802.11 Security
Security – Data Integrity
– To ensure that messages are not modified in transit between the wireless clients & Access Point
Page 20
IEEE 802.11 Security
Security problems with WEP include the following:
– The use of static WEP keys
– To initialize the RC4 algorithm, a 24-bit field is sent in clear text – a clear violation of security
– The attack is publicly available as an "attack script" and open source code
– WEP provides no cryptographic integrity protection
Page 21
Taxonomy of Security Attacks
Attacks
• Passive Attacks
  – Eavesdropping
  – Traffic Analysis
• Active Attacks
  – Masquerade
  – Replay
  – Message Modification
  – Denial-of-Service
Page 22
Management Countermeasures
• Identify who may use WLAN technology in an enterprise
• Identify whether Internet access is required
• Describe who can install access points and other wireless equipment
• Provide limitations on the location of and physical security for access points
• Describe the type of information that may be sent over wireless links
• Describe conditions under which wireless devices are allowed
• Define standard security settings for access points
• Describe limitations on how the wireless device may be used, such as location
Page 23
Management Countermeasures
• Describe the hardware and software configuration of all wireless devices
• Provide guidelines on reporting losses of wireless devices and security incidents
• Provide guidelines for the protection of wireless clients to minimize/reduce theft
• Provide guidelines on the use of encryption and key management
• Define the frequency and scope of security assessments to include access point discovery.
Page 24
Access Point Configuration
– Updating default passwords
– Establishing proper encryption settings
– Controlling the reset function
– Using MAC ACL functionality
– Changing the SSID
– Maximize the Beacon Interval
– Disable broadcast SSID feature
– Changing default cryptographic keys
– Using SNMP
– Changing default channel
– Using DHCP
Page 26
WiFi Protected Access
• By late 2002, the WiFi alliance started the WPA standard work
• Includes two main features:
  – 802.1X
    • The 802.1X port-based access control provides a framework to allow the use of robust upper layer authentication protocols
    • Facilitates the use of session keys
  – Temporal Key Integrity Protocol (TKIP)
    • Allows for per-packet key construction
    • Provides cryptographic integrity
Page 27
WiFi Protected Access
– Temporal Key Integrity Protocol (TKIP)
  • Allows for per-packet key construction
  • Provides cryptographic integrity, and
  • Provides key derivation and distribution.
• TKIP, through these algorithms
  – Provides protection against various security attacks discussed earlier, including replay attacks and attacks on data integrity
  – Objective of WPA is to bring a standards-based security solution to the marketplace to replace WEP while giving the IEEE 802.11 Task Group i enough time to complete
Page 28
How to Secure WLAN
• Authentication
• Personal Firewalls
• Intrusion Detection System (IDS)
• Encryption
• Security Assessments
• Smart Cards
• Virtual Private Networks
  – Confidentiality
  – Integrity
  – Data origin authentication
  – Traffic analysis protection
Page 30
Emerging Security Standards and Technologies
• 802.11i
  – An amendment to the existing wireless LAN standard
  – Includes the Advanced Encryption Standard (AES) for confidentiality and integrity
• Temporal Key Integrity Protocol (TKIP)
  – Addresses the problems without requiring hardware changes
• IEEE 802.1X-2001