Wireless LAN Security in a SOHO Environment: A Holistic Approach

Contents

I. ACKNOWLEDGEMENTS

II. CONTENTS

III. LIST OF FIGURES

IV. LIST OF ABBREVIATIONS

V. ABSTRACT

1. INTRODUCTION

2. LITERATURE REVIEW

3. METHODOLOGY
3.1. Timetable and log-keeping
3.2. The Artefact
3.3. Methodology reflection

4. WLAN BASICS
4.1. The IEEE Standards
4.2. Relationship between the Wi-Fi alliance and the IEEE
4.3. WLAN Architecture
4.3.1. Independent / Ad-Hoc
4.3.2. Infrastructure

5. SECURITY
5.1. Security objectives
5.2. WLAN security
5.3. WEP architecture
5.3.1. How WEP works
5.3.2. WEP - why it doesn’t work
5.3.3. WEP Summary
5.4. New security: 802.11i and WPA
5.4.1. Temporal Key Integrity Protocol (TKIP)
5.4.2. What is WPA?
5.4.3. Counter Mode with CBC-MAC and Robust Secure Networks
5.4.4. Mixed Mode - Transitional Security Network (TSN)
5.4.5. 802.11i Summary
5.5. Interim and extra security solutions
5.5.1. VPN and IPSec
5.5.2. SSL and SSH.
5.5.3. Other alternatives
5.6. A BAD SECURITY EXAMPLE: NINTENDO DS

6. WIRELESS LAN PENETRATION TEST - AN EXPERIMENT
6.1. Assembling the gear
6.2. Gathering basic information
6.3. Attacking WEP
6.4. Getting past the MAC filter
6.5. Getting network settings
6.6. Conclusion

7. PHYSICAL LAYER SECURITY
7.1. Frequencies and their use
7.1.1. 2.4 GHz WLAN technology
7.1.2. 5GHz WLAN technology
7.1.3. Advantages and Disadvantages of the frequencies
7.2. How WLAN Signal Strength is measured
7.3. How the signal is affected
7.3.1. Straight-Line Losses
7.3.2. Interference
7.3.3. Practical Test: Microwave ovens versus WLANs
7.4. Antennas and their Irradiation patterns
7.4.1. Dipole Antennas
7.4.2. Directional Antennas
7.4.3. Antenna size matters

8. EXPERIMENTS
8.1. General Issues
8.1.1. Hardware and Software Configuration
8.1.2. Measuring the WLAN signal strength
8.1.3. Windows and Netstumbler
8.1.4. Linux and Wavemon
8.2. Avoiding interference
8.3. Making the test results comparable
8.4. Experiments and results
8.4.1. Signal loss for obstacles
8.4.2. Using a home-made reflector
8.4.3. Other means to shield the Access Point
8.5. Recommendations for placing the Access Point to increase security

9 CRITICAL EVALUATION
9.1. EVALUATING THE OBJECTIVES
9.2. Evaluating of the process and personal reflection

10. CONCLUSION

11. REFERENCES

12. BIBLIOGRAPHY

13. APPENDICES

A 1. PROJECT ORGANIZATION RELATED
A.1.1 Project Proposal
A 1.2 Project Specification
A 1.3 Gant Chart
A 1.4 Brainstorming Log
A 1.5 Unrealized Artefact ideas
A 1.6 Project Logbook (discontinued)

A 2. INFORMATION GATHERING RELATED
A 2.1 Interview transcript, translated into English
A.2.2 Interview transcript, orginal version, German
A 2.3 Warwalk through Wrexham

A 3. PHYSICAL LAYER RELATED
A 3.1.2.4GHz channels and frequency overview
A.3.2. 5 GHz channels and frequency overview
A.3.3. Ez-12 Parabolic Reflector Template (Erskineape, 2005)

I. Acknowledgements

I would like to thank my flatmate Klaus Schedlbauer for proof reading this paper and for just being there whenever I needed him. Thanks also go to Jürgen Pörsch for helping me to start this project and for the idea to study in Newi and to Nicole Gebert for inspiring me

Special thanks go to my project supervisor John McGinn who was always there when I needed him and was always helping me, without him this project would not be what it is. Günter Zweck, my stepfather, without his support I would not be where I am now

Finally I would like to acknowledge Anton Braun and Keshav Srinivasan, my colleges from overseas, who sacrificed some of their free time to proof-read this paper

III. List of figures

Figure 4-1: A typical 802.1X setup

Figure 4-2: Relationship of Wi-Fi and IEEE 802.11

Figure 4-3: Independent and ad-hoc networks, (adapted from Gast, 2005 p 16)

Figure 5-1: The CIA Triad. (adapted from Brunschweiler, 2004, p. 32)

Figure 5-2: Open and WEP Authentication

Figure 5-3: Generic stream cipher operation (adapted from Gast 2005, p115)

Figure 5-4: The Nintendo DS can connect to WEP networks, but lacks WPA support

Figure 6-1: Kismet in action. It gives us all the basic information needed to start the hack

Figure 6-2: WEP cracking with Aircrack. The 128bit WEP key was found in 4 seconds

Figure 6-3: MAC address spoofing under Linux is easy

Figure 7-1: DSSS Channels in 2.4GHz spectrum (Vladimirov et al., 2004, p. 62)

Figure 7-2 Signal-to-noise ratio and the noise floor (Gast, 2005 p 233)

Figure 7-3 Multiple paths

Figure 7-4: Wave combination by superposition. Wave 1 and Wave 2 are almost opposite of each other, the net result is almost nothing. (Adapted from Gast, 2005, p. 237)

Figure 7-5: Inter-Symbol Interference

Figure 7-6 Signal loss while a microwave oven is operating near an access point

Figure 7-7: A typical dipole antenna, found on almost every 802.11 b/g Access Point

Figure 7-8: Radiation patterns of omnidirectional and directional antennas

Figure 8-1: Netstumbler, the swiss knife of Windows WLAN tools

Figure 8-2: Wavemon is a great tool for 802.11 signal measuring

Figure 8-3: Home made reflectors in action

IV. List of abbreviations

Abbildung in dieser Leseprobe nicht enthalten

V. Abstract

This paper addresses the theory and reality of Wi-Fi security. It provides an overview of security mechanisms and explains how security works in wireless networks. The most important security protocols that are relevant for small office or home office environments are looked upon in more detail. The security of a real-world wireless network is being tested with freely available tools and popular attacking methods. It is demonstrated that old security protocols can no longer be seen as being secure at all. To create a holistic view the idea of Wi-Fi security is then expanded to include the physical level. A series of experiments provides insight on how to make a network more secure with materials and tools available in every household. A WLAN that is nearly unreachable outside the perimeter does not attract any potential hackers. The paper concludes with recommendations on where to place your access point and what can be done to shield it.

1. Introduction

“Those who would sacrifice freedom for security deserve neither” (Benjamin Franklin)

Wireless network security has never been much of an issue for the home user - but maybe it should be.

In the last century our life has become very mobile and a part of this movement were Wireless LANs. They are very comfortable to use, fast enough for most services, and because affordable broadband connections are available nearly everywhere, WLANs have moved into homes and offices worldwide. But this freedom comes at a price. Many people are not aware that there are inherently more dangers in wireless communication than in normal networks. The majority of today’s installations are considered to be insecure.

This paper will examine the security mechanisms available for WLANs in a SOHO environment and their practicality in order to increase security awareness. It will be demonstrated just how easy it is to gain unauthorised access to a typical wireless network that is using outdated security protocols like WEP.

„WEP is not dead, it was never alive.”

(David Dominick from Delta airlines, commenting on the first WEP hacks, 2001)

Luckily the industry learned from its mistakes and therefore newer and better security protocols are available in the form of WPA and 802.11i. But this is not the only way you can ‘guard the airwaves’. There are interim and extra solutions that are in use. This paper expands the security idea to include the physical layer. It will be explored how simply materials and tools that are available in every household can be used to make WLAN networks in a small office or home office (SOHO) environment more secure.

Read on to learn why your wireless LAN may have “no clothes” and what you can do about it.

2. Literature review

802.11

The standard behind Wireless LANs is 802.11 which has some similarities to Ethernet (Gast, 2005 p 12 ff). But unlike his big brother it is not bound to cables, hence that why it is called Wireless. This brings some issues one of which is security which has grabbed the headlines (Gast, 2005, p. 32).

WEP

The first standard to address security was Wired Equivlanet Privacy (WEP). However in the first few years of 802.11s existence “researchers built a strong case of insecurity against WEP” (Gast, 2005, p. 114).

First research of the insecurity of WEP was done by Walker (2000) who concluded that WEP was unsafe at any key size, and that it couldn’t meet its design goal which is to provide data privacy to the level of a wired network. Later Arbaugh and two of his students (2001) did some early academic research into the (in)security of 802.11 and concluded that WLAN presents a large security problem.

Borisov et al (2001) presented the first serious paper on WEP insecurity which received a lot of echo in the press. Only a month later Flurer et al (2001) published a paper called “Weaknesses in the Key Scheduling Algorithm of RC4” which described an attack on the ‘key scheduling algorithm’ which is used by WEP. The FMS attack, as it is called for short, was only theoretical but it didn’t take long till it got adapted into the real world. However it was this paper that started the downfall of WEP in general.

Stubblefield at al (2001) showed that the theoretical attack on WEP could indeed be done in a real network. According to Gast (2005, p. 125) it took the group only a week, including the delivery of the WLAN Card, to crack the WEP key and between five and six million packets where needed to get enough ‘weak IV’. However these tests where still experimental and no easy-to-use tools where available to the public at that time but this soon changed when an open source tool called AirSnort (http://airsnort.shmoo.com/) was released for Linux, which allowed anyone with some computer and networking knowledge to hack into a Wireless LAN.

A first attempt to counter this attack was made by Agere Systems (2001) who developed a more secure version of WEP called ‘WEPPlus’ or WEP+ which greatly reduces the amount of ‘weak IV’ produced by normal WEP implementations and was released as firmware update for their own access points. At the same time Cisco (2001) decided to go for a different approach and introduced ‘Dynamic WEP Keys’ to their Aironet WLAN Products.

But the problem with solutions like this is that they are vendor specific and incompatible with each other.

Matters got even worse for WEP when a talented hacker naming himself Korek (2004) replied to a thread on the netstumbler forum about WEP security. The attack he described was no longer dependent on weak IV. As the FMS attack needs weak IVs hardware vendors tried to avoid producing those as much as possible (Schmidt, 2005). The Korek attack uses statistical crypto-analysis and proved to be more efficient than the FMS attack. Schmidt (2005) went as far as advising users to no longer use WEP without any additional security like SSL or IPSEC. The Korek attack was quickly integrated into WEP cracking and WLAN auditing tools and is now the de facto standard for attacking WEP protected WLANs.

But WEP still provides some sort of basic security - but it has to be activated to be of any use. A recent survey (Pickard, 2003) on the Wireless security of London shows that only a little over a third of the Access Points have WEP encryption enabled. Bachfeld (2004) confirms with these findings when he did a survey of the security situation in Germany where he found around half the WLANs in Germany to be unencrypted.

802.1X - User Authentication

WEP tried to be all in one and included aspects of authentication and encryption but in the end it did neither very well (Gast, 2005 pp. 129-130). 802.1X can take care of the user authentication part. It works on the link layer and allows authenticating users instead of machines. Radius is the ‘de facto’ standard for 802.1X authentication. Because 802.1X is a framework it is rather complicated to understand and setup. Therefore chances are low that it is used in SOHO very often.

WPA

As it became clear that WEP has some serious security issues the TGi, IEEE Task Group 802.11i had already started to work on a new standard to replace WEP. However, the major Wi-Fi manufacturers decided that security was so important to end users that it had to move as fast as possible to deliver a replacement for WEP (Edney, Arbaugh 2003 p. 105). It was also concluded that customers wouldn’t just ‘throw away’ their old hardware and with this in mind the Temporal Key Integrity Protocol (TKIP) was definied and WPA was born. WPA is a subset of 802.11i and has been introduced before 802.11i was finalized. It is a WEP replacement that is more secure and robust to attacks but is still able to run on the same hardware than WEP does. In most cases a simple firmware upgrade of the AP is all that’s needed to be able to change from WEP to WPA and new hardware already comes with WPA support as WPA support is mandatory for Wi-Fi certified hardware since 2004.

But as WPA was only an interim standard it shared some of the flaws of WEP. Moskowitz (2003) concluded that Pre-Shared Keying (PSK) is not secure and those short and/or unsecure passwords are almost as bad as WEP. Based on his work Takahashi (2004) developed a tool called WPAcrack, a proof of concept which allows a brute force offline dictionary attack against the consumer version of WPA. He further concluded that the recommendation of the Wi-Fi alliance to use passwords longer than 20 characters would most likely be not executed in practice by the target audience of WPA.

Another problem of WPA is it is possible vulnerability to a DoS attack (Edney & Arbaugh 2003 pp. 335 - 336). Once an attacker sends 2 modified packets to an AP within a minute the AP will go offline for one minute and has to re-key all connected stations after he comes back online, However this attack is rather theoretical as DoS attacks on WLANs can be achieved easier using other methods.

802.11i - i is for security

WPA with TKIP was only meant as a temporal replacement for WEP until better security was available with the final version of 802.11i which was published in June 2004. One of the reasons for the delay of 802.11i was that 802.1X was still revised (Soltwisch & Hogrefe 2004). The most important difference between 802.11i and WPA is the change of the encryption cipher from RC4 to AES. “AES has took on the tests in the past” (Soltwisch & Hogrefe, 2004) and is secure enough to meet the demands Federal Information Standards (FIPS) 140-2, which is often demanded by public authorities (Nonhoff & Arps, 2004). This new algorithm requires a separate chip for the encryption and therefore new hardware is needed. The Wi-Fi alliance calls hardware which supports this new encryption standard WPA-2, and hardware that included support for it was already available.

Access Control

Although 802.11 does not define access control almost every AP nowadays implements MAC address list filtering, often in the form of simple lists (Edney & Arbaugh, 2003, p. 93). But given the fact that MAC addresses can be forged rather easy (ifconfig under Linux, Registry under Windows) this should only be used as a part of a security strategy.

VPN and IPSec

A different approach for securing WLANs is Virtual Private Network (VPN). This term is used to “describe some sort of security system operating at the TCP/IP Layer” (Edney & Arbaugh, 2004, p. 308). The strong encryption IPSec, which is mainly used for VPN nowadays, is the safest way to secure access within an AP. One of the downsides of VPN is the rather high CPU usage which can limit bandwidth. NEWI’s WLAN is an example of a university using a VPN.

Attackers

But who are the people that try to hack into your WLAN? Edney and Arbaugh (2003, pp. 22­26) classify the attackers according to their motives and distinguish them into 3 groups. The ‘Gaming attacker’ is someone who has too much time available and is interested in the technology and just tries to find out how far he can go. ‘Profit or revenge attackers’ on the other hand are evil guys who try to gain something out of the hacking of a wireless network, and these are the people companies should be mostly afraid of. The ‘ego hacker’ is someone who just wants to hack something just for the sake of it.

Wardriving

A term that has been going through the media in the last 2 years is Wardriving. Hurley et al (2004) describe Wardriving as “the act of moving around a specific area and mapping the population of wireless access points for statistical purposes. These statistics are then used to raise awareness of the security problems”. The term Wardriving has been coined by Peter M. Shipley (2001) who was the first to automate the process of Wardriving. In his observations of the San Francisco Bay Area he found only 15-30% of the Access Points to be encrypted. Since the early days of Wardriving a lot has happened. Many online and offline communities have been created and there are many specialised tools, and WLAN maps floating around on the internet. Wardriving itself isn’t illegal but connecting to a WLAN and using other people’s network resources is Vladimirov et al (2004). In 2004 a 21 year old hacker from Michigan, USA was convicted to 9 years in prison because he tried to steal credit card information from a shop in whose WLAN he has hacked before Pierce (2004). According to the magazine PCFormat (2005) the first UK conviction for Wardriving was made in London in the middle of 2005 where a man kept turning up in his car outside of his victims flat.

Conclusion

Without any doubt it can be said that WEP is dead and that it shouldn’t be used as the single security mechanism in WLANs. If WEP is combined with MAC access lists and a hidden SSID it should still be able to stop ‘script kiddies’. Against serious hackers WPA with a long and secure password is a must. If more security is required VPN and some sort of 802.1X implementation is needed. However this often requires additional hardware and isn’t trivial to set up.

Foresight

With the finalization of 802.11i security in WLANs, this might finally become a reality. The introduction of a new encryption, namely, AES will boost the security of WLANs quite a bit, and will render brute force and similar attacks useless. But as the past has shown this is often just temporary.

Wireless LAN is fast enough for most applications today, things like video-streaming demand higher bandwidth than what is available. 802.11n has been in the making for quite a while now but there is a lot of debate going on whether what exactly should be implemented in the new standard. Recently there has been a movement to try and unite the technologies proposed by the TGnsync and WWiSE interest groups, but if this compromise will be the foundation for the new standard remains to be seen (Endres, 2005). However it seems that something good is coming out of these delays. The original goal of 802.11n was 100 MBit/s or more but it is now believed that the final version of the standard may be as high as 600 MBIt/s. In the meantime first fieldtests with 802.16 aka WiMAX (Worldwide Interoperability for Microwave Access) (Suhl, 2005) have started. This new technology provides up to 70 MBit/s for a range from 1 - 50 km.

Faster and more secure Wireless LANs - that’s definitely something to look forward to!

3. Methodology

To get things going a Brainstorming session was held. Three students came together and discussed each project subject for a while and asked questions about the subject such as “What is it?” “Is this legal?” (See Appendix for Brainstorming log). Brainstorming was chosen as methodology as it allows to quickly get a series of ideas to work on. It is also quite useful to do a Brainstorming session in a group to get other viewpoints and ideas. For example one of my fellow students suggested that WPA might be a good thing to have, but no one knows how to handle it, thus raising the question of practicability, which wasn’t considered at first. The findings from the Brainstorming session were then refined into a first rough project structure, and a series of questions that needed to be answered in the process of the literature review and research. This can be seen as using a top-down approach where the main topics of the projects are defined and are later refined to create the whole project structure. This is useful because it is impossible to know every aspect of the project topic at the beginning and the structure cannot be complete defined at the start, however by using this methodology one has something to start with. In the process of the literature review the original rough draft was refined and adjusted where the review added more topics which haven’t been thought of before.

The main methodology for producing the artefact, were experiments. This methodology was chosen because the WLAN security can be very theoretical to understand and write up. By adding something more practical in between the project itself, it makes the project much more fun and the theory can be applied to practice. The signal measurement experiments were done as “one group pre test/post test” (Walliman, 2004, p. 205). This was done to see the effect, certain obstacles and changes to the AP have on the WLAN signal. There was only one test group used, as the measurement results should be roughly the same at every location and impreciseness can’t be avoided due to the inaccurate measurement equipment. A little impreciseness is also not a problem as only the effect is of interest and not the exact values.

To get some insight on the real-world security needs of a corporate or university wireless network, an interview was made with Stephan Reichholf who is responsible for the build-up and maintenance of the campus WLAN at the University of Applied Sciences Deggendorf, Germany, and the WLAN bridge to the student hostel. As this interview was done via e-mail it had to be structured (Swetnam, 2004, p.64).

As WEP has been in the headlines of the news quite a lot in the last few years information on the insecurities of WEP was easy to find. WEP was perfect as case study of how things should be and what mistakes can be made along the way. In some way, this can be seen as historical research (Swetnam 2004, p.39). Although the downfall of WEP began only a few years ago it can nowadays be seen as being historical, even if it is just a historical failure. This approach was used to understand why WEP failed, and how proper WLAN security should really look like.

At the end of the project, finding motivation to finish it was quite low. To counter this problem a checklist was used. It contained all tasks that still needed to be done divided into must haves, should haves and could haves (MoSCoW see Avison and Fitzgerald, 2003, p. 97). Every time a task was finished, it could be crossed out and the more tasks were crossed out the higher the motivation rose. Sometimes little tricks like this can really help.

3.1. Timetable and log-keeping

A project of this size requires some sort of planning which in this case was a Gantt chart. It helps to set deadlines for individual stages (chapters) of the project and gives “satisfaction and comfort of continuously getting parts of the project out of the way” (Walliman, 2004, p. 85). To keep log of the process a log sheet was used. There, all achievements of one week were summarised and plans were made for the next week. This helped to focus on the project at the beginning but as it became clear that the original timetable had to be adapted anyway, and my project supervisor was not interested in the project log, it was discontinued when the writing up of the report started. The achievements were now clearly visible in the progress of the report and the Gantt chart dictated the plan for the next time period, therefore the log sheet was no longer needed. However it was quite useful to get things going.

3.2. The Artefact

Finding the right artefact for the given subject was not that easy. The final idea came from the project supervisor John McGinn. In order to test the effect different materials have on WLAN signals, a test environment had to be built. Further investigation had to be done into how WLAN signals are produced and basic physics concerning this had to be understood. Once this was done, reliable tools needed to be found to measure the effect on the signal strength.

3.3. Methodology reflection

At the beginning of the project, not much thought had been given on using methodology at all. It was mainly learning by doing. Many of the methodologies were chosen out of pure need e.g. one for interviews. Others were suggested by the project supervisor (Gantt chart) or were selected by pure coincidence, e.g. the project log sheet which I found while checking out the project handbook. In the end it would’ve been a good idea to give more though about using proper research methodologies in the first place. Many things could have been done better or more efficient. The Gantt chart for example was seen by me as being only another annoying thing that needed to be done along the way, but it really proved to be helpful to plan a big project like this. The satisfaction of finishing a chapter in time helped me to get going. It was also quite interesting to see how other students panicked in Easter because they were actually just starting to work on their projects while I had more or less finished the main body. However the satisfaction due to this was maybe to high, because in the end a week was wasted doing nearly nothing. The simple technique of using a check list helped me to finish the project.

4. WLAN Basics

”A successful person is one who can lay a firm foundation with the bricks that others throw at him.” (David Brink)

This chapter will introduce the fundamental basics of 802.11 wireless LANs.

4.1. The IEEE Standards

The IEEE 802 Standards describe different LAN specifications. The 802.11 tree is what is nowadays known as WLAN. It operates on the ISO OSI (Open Systems Interconnection) Layer 1 and to some extent Layer 2. We will now take a closer look at the relevant standards of 802.11.

IEEE 802.11: This was the first and basic WLAN Standard which was released by the IEEE in 1997. It was significantly revised 2 years later (IEEE-SA Standards Board, 1999) and this version has completely replaced the earlier version. This version defines 3 different wireless technologies on the physical Layer (PHY): Two radio-based layers which work in the frequency band of 2.4-2.5 GHz, namely Frequency Hopping Spread Spectrum (FHSS) and Direct Sequence Spread Spectrum (DSSS), and an infrared-based one. All these technologies allow transmissions of around 1 - 2 Mbps. No products where ever developed which utilize the IR. PHY and FHSS became redundant when 802.11b was introduced as DSSS proved to be able to cope with higher bandwidths.

802.11a This standard was released in 1999 and describes the physical layer for the 5 GHZ frequency (IEEE-SA Standards Board, 1999). It uses Orthogonal Frequency Division Multiplexing (OFDM) resulting in speeds of up to 54 Mbps. This standard has been designed keeping rules of the USA in mind and therefore other countries had problems with it. Germany for example allowed the use of this standard in 2002, 3 years after its release, significantly reducing the allowed transmitting power indoors which resulted in often unacceptable ranges from 10 to 15 metres (Ahlers, 2002).

802.11b This standard specifies speeds of up to 11 Mbps in the 2,4 - 2,5 GHz band using a technology called High-Rate Direct Sequence Spread Spectrum (HR/DSSS) (IEEE-SA Standards Board, 2001). It uses Complementary Code Keying (CCK) as new and only technology for the physical layer, and is only compatible with DSSS, and in doing so it drops the support for the infrared and FHSS PHY. This standard is still being used in many Wireless networks today, but nowadays products are usually shipped as 802.11g devices with the networks running in a compatible mode to support both standards.

802.11d was introduced to overcome the problem of the laws in different countries which sometimes reduces the transmitting power of wireless devices. It also includes support for roaming. (IEEE-SA Standards Board, 2003)

802.11g was released in the middle of 2003 and improved the transfer rate in the 2.4 - 2.5 GHz spectrum even more (IEEE-SA Standards Board, 2003). Speeds of up to 54 Mbps are now possible. It uses OFDM which is already known from 802.11a but it is still compatible with CCK from 802.11b thus mixed networks can be realised. Packet Binary Convolution Coding (PBCC) is also introduced in this standard from a former, proprietary, standard for 22 MBit WLAN technology.

802.11h tries to fix some problems of 802.11a in order to be more “compatible” with European laws. Several changes have been made to the MAC layer of 802.11a (IEEE-SA Standards Board, 2003). This allows European users to use the 5 GHz WLAN technology at its full potential, however since the 2.4 GHz standards where also at 54 MBit by the time this standard has been adapted and sold less frequently. But as this standard is operating in another band it can be applied where 2.4 GHz WLANs fail.

802.11i is a standard which focuses completely on the security aspects of WLANs. As it became clear that WEP is insecure work began on a replacement. The main concepts of 802.11 are TKIP and CCMP. 802.11i will be explained later in detail in this paper. (IEEE-SA Standards Board, 2004)

802.11n is the next evolution of the 802.11 wireless speed improvement standards. Modern applications, like video streaming require high bandwidths, something 802.11g cannot provide. After a long process of arguing about what to include in the new standard, the task group seems to have finally reached a consensus and the 802.11n standard might be finalized soon (Ahlers, 2006). The new standard features speeds of up to 540 KB/s - an impressive 10 times the speed of 802.11g. First Pre-N products are expected to hit the shelves at the end of 2006.

IEEE 802.1X, although not part of 802.11, is still interesting for this project as it applies to all standards within the 802 family (IEEE-SA Standards Board, 2004). 802.1X is a framework and is based on the Extensible Authentication Protocol (EAP) of the IETF (Gast, 2005, p.

130) which provides port based authentication. As WEP tries to be many things in one and the authentication part is seriously flawed EAP has gained popularity within WLANs. 802.1X has been specially designed for access control. It divides the network universe into 3 different entities (Edney & Arbaugh, 2003, p. 123):

- Supplicant, which wants to join the network
- Authenticator, which controls the access
- Authentication server, which makes authorization decisions

Although 802.1X is working on the Link Layer it can work with upper layer protocols to decide if a station can join the network or not. RADIUS (Remote Authentication Dial-In User Service), a popular authentication server, can connect to a variety of user-databases like LDAP or Windows Active Directory. In a SOHO environment RADIUS is rarely used for authentication and authentication will be done by the Access Point.

Figure 4-1: A typical 802.1X setup

illustration not visible in this excerpt

4.2. Relationship between the Wi-Fi alliance and the IEEE

The Institute of Electrical and Electronics Engineers (IEEE) operates a group called the Standards Association (SA). This association is responsible for 802.11 and many other standards. 802 is the family of standards for “Local Area and Metropolitan Area Networks”. Working groups produce standards and .11 is the group working for standards for wireless LANs. The original 802.11 standard was ratified in 1997 and became an international standard in 1999. Since then many updates and additions have been made to the 802.11 standard. These are marked with small letters after the standard like 802.11g or 802.11i.

The 802.11 standard is long and complicated and not everything is or can be regulated in it. Also there are a few features that are optional and different manufacturers might implement these features in a different way. To avoid interoperability the Wi-Fi alliance was formed in 1999 as non-profit organization by major manufacturers of network equipment and the logo “Wi-Fi” was created to mark compatible hardware.

Some 802.11 features are not required for the Wi-Fi certification, like the broken WEP authentication, and there are some features that are additional to the standard. The correct behaviour is defined for features that are optional. In summary, Wi-Fi defines a subset of IEEE 802.11 with some extensions.

illustration not visible in this excerpt

Figure 4-2: Relationship of Wi-Fi and IEEE 802.11 (Adapted from Arbaugh & Edney, 2003, p.105)

4.3. WLAN Architecture

Wireless networks that conform to the 802.11 standard can be run as ‘Peer-to-Peer’ networks, the so called Ad-hoc networks, or in an infrastructure mode with one or more central Access Points. In practice the Infrastructure mode is generally used as an Access Points, and are becoming ubiquitous and it is somewhat insecure to operate Ad-Hoc networks. (Gast, 2005, pp. 16-17).

illustration not visible in this excerpt

Figure 4-3: Independent and ad-hoc networks, (adapted from Gast, 2005 p 16)

4.3.1. Independent / Ad-Hoc

In this mode stations communicate directly whit each other and therefore they must be in range with each other. This kind of network typically is only used for a short period of time, say a team meeting where you just want to share some data. Due to their duration this kind of network is often called Ad-Hoc whereas the correct term would be Independent BSS (Basic Service Set).

4.3.2. Infrastructure

This is by far the most common type of WLAN network. One (or more) Access Points forms the core of the network and all stations connect to the Access Point and all communication in the network is done by it. If one station needs to communicate with another the communication must take 2 hops. This greatly increases the range of WLAN networks as individual stations don’t have to be in range of each other, they only need to be in range of one of the Access Points of the network.

In order to be able to communicate with the network an individual station needs to associate with an access point. This describes the process of how a station joins a 802.11 network and can be compared to plugging in a cable into a traditional Ethernet network. A station can only be associated to one Access Point at a time. There is no theoretical limit on how many stations can be connected to an Access Point at a time. However in practice the relatively low throughput of nowadays WLANs often limits the number of connected stations.

5. Security

“The ultimate security is your understanding of reality.” (H. Stanley Judd)

5.1. Security objectives

In networking as well as in cryptography there are certain security objectives which should be reached. Three widely accepted security elements are:

Confidentiality: Transactions have to be kept secret. Information should be restricted to those who are privileged to see it and is usually done by using cryptography. In a WLAN the payload and the data needed for the network connection should be encrypted and the encryption should not be breakable even if an attacker manages to sniff packets.

Integrity: Information should not be changed or tampered with. In a WLAN this also means that the receiver has to be sure that he receives the information from the sender. In case of manipulation the receiver must be able to realise that the information has been changed.

Availability: Information and resources should be available when needed. Availability can be affected by sabotage or overload. Interferences should be avoided as much as possible or the risk should be reduced to an acceptable level. Unfortunately only packets containing payload are encrypted in nowadays networks and management frames are transmitted in the clear allowing attackers to tamper with them as they please.

illustration not visible in this excerpt

Figure 5-1: The CIA Triad. (adapted from Brunschweiler, 2004, p. 32)n

These 3 elements can easily be remembered by the mnemonic “CIA”. It is often called the “The Big Three” or the “CIA triad”.

Besides these rather generic security objectives the following security objectives are also important for wireless networks.

Accountability: Originally not part of the CIA triad this security objective is synonymous with non-repudiation. A receiver cannot deny that he received the information when he did and a sender cannot deny sending information. “Can’t say it wasn’t me” (McGinn, 2006).

Authenticity: The Authenticity of each communication partner needs to be ensured. This is closely related with Integrity as you have to make sure that the data will be received without any changes but you also need to ensure that you are communicating with the correct partner. As WLAN isn’t bound to any location Authenticity is much more important for wireless networks than it is for wired ones. The process by which Authenticity is being achieved is called Authentication

5.2. WLAN security

“A FALSE sense of security is worse than being unsure.” (grc.com)

The 802.11 standard contains basic security mechanisms. The communication between stations and the access to the network should therefore be secure and the security objectives should be fulfilled.

MAC address: Every network card is identified by its unique MAC address. Many Access Points support MAC filtering which is a list of MAC addresses in the AP of stations that are allowed to the access the network, all other devices will not be allowed to access the network. This mechanism could provide Authenticity however MAC addresses aren’t as unchangeable as they seem to be. An attacker can easily sniff the network traffic to see which stations are communicating in the network and can take one MAC address that is allowed to access the network and change his card’s MAC address and access the network. This process is known as MAC spoofing. Therefore MAC access lists can’t be seen as very secure and you always have to keep in mind that those lists have to be taken care of in order to be up-to-date. This can be quite a lot of work in a bigger network. It must also be mentioned that MAC filtering isn’t part of the 802.11 standard and therefore interoperability isn’t guaranteed. (Wi-Fi Alliance, 2003, p. 5)

SSID: A Wireless LAN is identified by its Service Set Identifier (SSID), otherwise know as “Network Name”. Each station in a WLAN network must share the same SSID. The SSID consists of a maximum of 32 alphanumeric characters and is transmitted in the clear in Beacon Frames transmitted by the Access Point regularly. Nowadays most Access Points allow to “hide” the SSID, treating it as a secret. In theory only stations which know the correct SSID will have access to the network and Access Points ignore requests from stations that don’t know the correct SSID. However in order to operate the network the Access Points still need to answer stations with the correct SSID and this management traffic is transmitted in the clear allowing possible attackers to sniff it. This mechanism therefore can only help to fulfil Authenticity. As the SSID can be seen as network name it is also a bad idea to select one which make the network interesting for attackers such as the company name or street and house number where the AP is placed. For example a SSID “Microsoft Corp. Headquarters” is sure to attract attention. However this seems to be common practice in the real world and this leads to far more interesting WarDriving sessions (Edney & Arbaugh, 2003, pp. 31 - 32). Hiding an SSID can also cause problems with 802.11 management as it is a non-standard procedure (Gast, 2005, p. 175)

Wired Equivalent Privacy - WEP: WEP is the original security mechanism of the 802.11 standard. As the name suggests its intention was never to make a WLAN 100% secure but to provide the same security as in a wired network. WEP contains means for the encryption of the network traffic, the data integrity and station authentication. These 3 core elements try to satisfy the security objectives Authenticity, Integrity and Confidentiality. However it has turned out that vulnerabilities exist for each of them, therefore none of the security objectives is reached.

“Humans are a weak link in security.”

(Edney and Arbaugh, 2003, on key management)

WLAN Administration: Because Wireless LANs aren’t bound to physical boundaries the administration of such a network is far more demanding and important. The radio waves a

WLAN produces simply aren’t bound to buildings and an attacker could simply hack into a WLAN from a parked car, or a comfortable pub or hotel just within reach of the nearest Access Point. Administrators have to be aware of the security risks of wireless networks and need to take proper provisions.

5.3. WEP architecture

“You must learn from the mistakes of others. You can’t possibly live long enough to make them all yourself.” (Sam Levenson, 1911 - 1980)

Although you can argue that WEP has failed and will probably disappear in the next few years, it is still useful to see how WEP works and why it doesn’t. It can be very educational to see what went wrong with WEP in order to understand the new security architectures better.

5.3.1. How WEP works

WEP should provide confidentiality, integrity and authenticity in a Wireless LAN. It uses the RC4 stream cipher to provide confidentiality, an Integrity Check Value (ICV) sum for integrity and a simple challenge response method for authenticity.

Authentication: Authentication is the process in which the communication partners prove their identity. Ideally this process is mutual meaning that the station proves its identity and the network (generally the access point) proves its identity too.

illustration not visible in this excerpt

Figure 5-2: Open and WEP Authentication

Open Authentication is not really any authentication at all because when a station wants to authenticate, the AP always accepts the request and allows a station to join the network.

WEP-based Authentication uses 4 messages. When a station requests Authentication the AP sends a challenge-text in the form of a 128-bit (hopefully random) number. The Station encrypts this text with the WEP secret key and sends it back to the AP which decrypts the text, and checks if it is the correct one and grants access to the network if it is. This process only authenticates the station to the access point and not the other way around, therefore a malicious AP can simply pretend that the Authentication was successful without knowing the secret key. It is also worth to mention that an attacker which is listening to the Authentication just got a sample of clear text and the corresponding cipher text - which is definitely a bad thing. Another flaw of this process is that it only happens once and no token is exchanged so an attacker could simply disable a legitimate station and take its place with MAC spoofing. Or similar techniques and would be immediately be authenticated. Because of these serious flaws the Wi-Fi Alliance, the organisation defining interoperability of WLAN devices, dropped WEP authentication completely (Edney & Arbaugh, 2003, pp. 69-72).

[...]