
Wireless LAN Security Issues

Rajesh Manandhar Student ID: 1240630 5/15/2013

Wireless LANs Security Issues

Table of contents

Introduction
1.0 Components of WLAN
    1.1 Access Points (AP)
    1.2 Network Interface Cards (NIC) / Network Adapter
2.0 WLAN Architecture
    2.1 Independent WLAN
    2.2 Infrastructure WLAN
    2.3 Microcells and Roaming
3.0 WLAN Security Threats
    3.1 Passive Attack
    3.2 Active Attack
        3.2.1 Denial of Service (DoS)
        3.2.2 ICMP Flood
    3.3 Man-in-the-Middle Attack
    3.4 Session Hijacking
    3.5 Different Other Security Threats
4.0 WLAN Security Services
    4.1 Service Set IDs (SSID)
    4.2 Authentication
    4.3 Access Control List (ACL)
    4.4 Privacy and Authentication
    4.5 Wired Equivalent Privacy (WEP)
        4.5.1 Security Weakness in WEP
            4.5.1.1 IV Reuse Problem
            4.5.1.2 Integrity Check Value Insecurity (ICV)
            4.5.1.3 Key Management and Key Size
    4.6 Wi-Fi Protected Access (WPA)
    4.7 WPA2
    4.8 802.11i
    4.9 Siemens HiPath Wireless Security
5.0 New Technology
6.0 Conclusion

Introduction:

The Internet has become one of the most important parts of our daily life. The Internet is not just one huge cable that travels from one major city to another; it is a combination of interconnected networks. Two main kinds of network are available to an institution or business: wired and wireless. A LAN (local area network) connects the computers of an organisation within a small physical area, such as a building, school, home, office or university, so that they can share resources. These networks can be connected to the Internet through a wired or a wireless network. Nowadays there is nothing a wired network can do that a well-designed wireless local area network can't. Wireless networks are becoming more and more popular, and wireless LANs are used in many places and sectors because of their convenience, easy access, flexibility, scalability and cost. Despite these many advantages, wireless LANs face some security threats. Unlike a wired network, which requires a physical cable to reach a computer or server, a wireless network can be exploited without any physical connection and can be targeted from a distance.

1.0 Components of WLAN:

A wireless network uses high-frequency radio waves to transmit data from one place to another through an antenna, and operates over several hundred feet between two devices. The antenna used for transmission is connected to a wired LAN or DSL. A wireless LAN system is easy to install, and the physical architecture of a WLAN is quite simple. It contains two basic components:

1.1 Access Points (AP)
1.2 Network Interface Cards (NIC) / Network Adapters

1.1 Access Points:

Access points are specifically configured nodes on a wireless LAN. An access point acts as the central transmitter and receiver of wireless LAN radio signals. It is a dedicated hardware device featuring a built-in network adapter, radio transmitter and antenna. It allows wireless clients to connect to it, routes traffic between the wireless network and the wired backbone through a standard Ethernet cable, and communicates with wireless devices by means of an antenna. An AP operates within a specific frequency spectrum and uses the modulation techniques specified by the 802.11 standard. The access point informs wireless clients of its availability and handles their authentication and association to the wireless network.

1.2 Network Interface Cards (NIC) / Network Adapters:

The network interface card is a printed circuit board that is plugged into the bus of both user machines and servers in a local area network. Technically, a NIC is network adapter hardware in the form of an add-in card such as a PCI or PCMCIA card. Wi-Fi network interface cards contain a built-in transmitter and receiver. They connect desktops, laptops, mobile computing devices and other wireless devices wirelessly to all network resources. Because a network interface card establishes a network node, it has a physical network address called the MAC address, which is burned into the NIC at the factory, so every NIC has a unique MAC address.

2.0 WLAN Architecture:

The WLAN components mentioned above are connected in certain configurations. There are mainly three types of WLAN architecture:

2.1 Independent WLANs
2.2 Infrastructure WLANs
2.3 Microcells and Roaming

2.1 Independent WLAN:

The simplest WLAN configuration is an independent or peer-to-peer WLAN, which connects several PCs with wireless adapters. Each computer in this architecture is equipped with a NIC/network adapter configured on the same radio channel to enable peer-to-peer networking, so an access point is not necessary. An independent network can be established at any time when two or more wireless adapters are within range of each other.

Fig a: Independent WLAN

Fig b: Extended-range independent WLAN using Access Point as Repeater

Fig b shows an extended-range independent WLAN using an access point as a repeater, effectively doubling the distance between wireless PCs.

2.2 Infrastructure WLAN:

An infrastructure WLAN consists of many access points combined with a distribution system such as Ethernet, which allows wireless users to share network resources efficiently. The access point and all wireless clients must be configured to use the same SSID to join the WLAN. To increase the reach of the infrastructure and support any number of wireless clients, additional APs can be added to the LAN. Compared with independent WLANs or ad-hoc wireless networks, it has the advantages of scalability, improved reach and centralized security management.

Fig c: Infrastructure WLAN

2.3 Microcells and Roaming:

The benefit of a WLAN is its mobility, so it is important to ensure that users stay connected all the time and don't need to log on and off. WLANs therefore use cells, called microcells, which extend the range of the wireless connection. Seamless roaming is only possible if the access points exchange information about their connected users with each other. The WLAN system hands roaming users over to the access point with the strongest and highest-quality signal.

Fig d: Handing off the WLAN connection between the access points.

3.0 WLAN Security Threats:

Unlike wired networks, wireless networks cannot be physically protected, which makes them vulnerable to different kinds of attack. In a wired network the cables are mostly inside the building, so a hacker must defeat physical security measures like door locks, security personnel and ID cards. The radio waves of a wireless network, however, can be reached from the parking area, so there is a great risk of security attacks on a WLAN. These security attacks can be broadly divided into:

3.1 Passive Attack
3.2 Active Attack

3.1 Passive Attack:

In a passive attack, the attacker eavesdrops on the transmission to monitor the wireless session. Anyone with a suitable receiver can eavesdrop on messages by staying within range of the transmission. A passive attack is difficult to detect; the attacker can use powerful antennas to receive 802.11 transmissions from hundreds of feet away and collect and read the data being transmitted.

3.2 Active Attack:

An active attack involves creating fraudulent packets, altering or destroying transmitted data, or making unauthorised changes to the system. There are many types of active attack in a wireless LAN.

3.2.1 Denial of Service:

The attacker floods the network with so many external communication requests that it cannot respond to legitimate traffic, which leads to a server overload. This attack shuts down the machine or network, making it inaccessible to its legitimate clients. The most common DoS attacks are buffer overflow attacks, which send more traffic to a network address than the system can handle.

3.2.2 ICMP flood:

Large ICMP ping packets are sent that ping every computer on the targeted network instead of a single machine. This is also known as a smurf attack or ping of death.

SYN flood: The attacker sends a request to connect to a server but never completes the handshake, and continues sending requests to all open ports until none are available to legitimate users.

3.3 Man-in-the-Middle Attack:

A man-in-the-middle attack is one in which the attacker intercepts or modifies messages in a public key exchange and then retransmits them, substituting his own public key for the requested one. In the process, the two original parties communicate normally without knowing that the messages they receive come from an unknown attacker, who is accessing or modifying their original messages and retransmitting them.

3.4 Session Hijacking:

Here the attacker takes an authorized and authenticated session away from its legitimate user, pretending to the wireless network to be that user. The attacker can stop the legitimate user from having the session without giving the actual user any clue that the session has been hijacked. The attacker can then use the session for an extended period of time and for their own purposes.

3.5 Different other security threats are:

3.5.1 Rogue APs
3.5.2 Wireless Intruders
3.5.3 Misconfigured APs
3.5.4 Ad Hocs and Soft APs
3.5.5 Misbehaving Clients
3.5.6 Endpoint Attacks
3.5.7 Evil Twin APs
3.5.8 Wireless Phishing
3.5.9 Honeypot APs

4.0 WLAN Security Services:

Wireless network security is a big and extremely dynamic topic. Every day brings new technologies, new threats and new solutions for them. In a WLAN, security takes place at two levels: the frame level and the radio frequency level. Security for WLANs focuses on access control lists, Service Set IDs (SSID), privacy and authentication. The SSID and the access control list do not provide much security. The IEEE 802.11 standard defines the WEP protocol to provide authentication and privacy to the WLAN.

4.1 Service Set IDs (SSID):

The SSID is a common network name used by all the APs and wireless clients communicating in the same network. To communicate in the network, clients must have the legitimate SSID; otherwise they are not permitted. The SSID is not a strong security measure, because an attacker can read it by eavesdropping on communication between the AP and the client. It should therefore be used in conjunction with other security such as WPA or WEP.

4.2 Authentication:

IEEE 802.11 specifies two types of authentication: open system authentication and shared key authentication. In open system authentication, any wireless station can request authentication. The station that needs to authenticate sends an authentication management frame containing the identity of the sending station. The receiving station returns a frame which indicates its recognition of the sending station.

Shared key authentication uses a challenge and response scheme along with a shared key. The identity of the station is established by its knowledge of the shared secret.

4.3 Access Control List (ACL):

Every 802.11-enabled device is identified in the network as a genuine user by a unique MAC address. The access control list in the AP consists of the MAC addresses that are allowed to access the network. Clients whose MAC address is not listed in the ACL are not allowed to access the network. But an attacker can sniff a legitimate MAC address, reconfigure another wireless network card to use it, and gain access to the network.

4.4 Privacy and Authentication:

Strong user authentication and privacy mechanisms are required to protect the network from unauthorised users. Authentication provides the ability to control WLAN access by requiring all wireless clients to establish their identities to the wireless station. Privacy keeps confidential data protected so that its content is not disclosed in transmission.

4.5 Wired Equivalent Privacy (WEP):

Wired Equivalent Privacy (WEP) is used to provide privacy to data travelling through the air. WEP relies on a secret key shared between the access point and the user, which is used to encrypt packets before transmission to ensure that the packets are not modified in transit. WEP uses a data encryption scheme called the RC4 symmetric cipher along with the secret key, which is used for both encryption and decryption. The original implementations of WEP supported encryption keys 40 bits long; to increase security, the encryption methods were extended to support longer keys, including 104 bits. The protocol encrypts the data stream using these secret keys, which makes it unreadable to humans but still recognisable to the receiving devices communicating over the wireless connection. These keys are generally stored in the Windows registry or on the wireless network adapter.
4.5.1 Security weakness in WEP:

WEP has several security flaws that severely undermine its encryption and authentication capabilities, and it has been widely criticized for a number of weaknesses.

4.5.1.1 IV Reuse Problem:

The initialization vector (IV) is a 24-bit field sent in the clear-text portion of the message. It is used to initialize the key stream generated by the RC4 algorithm, and it is a relatively small field for cryptographic purposes. The RC4 cipher stream is combined by exclusive-or (XOR) with the original packet to give the encrypted packet that is transmitted, and the IV is sent in the clear with each packet. This is the IV reuse problem. If the RC4 cipher stream for a given IV is found, an attacker can decrypt the packets that are encrypted with the same IV, or forge packets.

4.5.1.2 Integrity Check Value Insecurity (ICV):

The ICV is calculated with a CRC-32 checksum algorithm and forms part of the encrypted payload of the WEP frame. But the CRC checksum is not a cryptographically secure authentication code such as MD5 or SHA-1. The WEP checksum is an unkeyed function, allowing anyone to introduce arbitrary traffic into the network. If an attacker captures the complete plaintext of an encrypted frame, it is easy to calculate the key stream for that specific IV.

4.5.1.3 Key Management and Key Size:

Key management protocols are specified in the WEP standard. Most wireless networks use a single WEP key that is shared between all wireless nodes, which makes the overall network insecure, because any station can intercept and decrypt traffic that was intended for another station. The access point and the client stations must be programmed with the same WEP keys. The key remains in place for a long time, allowing attackers to use various attack methods to obtain the key and decrypt the traffic. All the users in the network know the shared keys, which does not help much to increase security.

4.6 Wi-Fi Protected Access (WPA):

Wi-Fi Protected Access (WPA) was designed as a replacement for WEP. The WPA protocol implements much of the IEEE 802.11i standard. The Temporal Key Integrity Protocol (TKIP) is an improvement over WEP which dynamically generates a new 128-bit key for each packet and prevents the attacks that compromised WEP. WPA uses a message integrity check (MIC) to ensure packet integrity, which is stronger than the CRC used in WEP, together with an extended initialization vector and a rekeying mechanism.

4.7 WPA2:

WPA2 is the latest version of WPA. The most important difference between the two is the encryption: WPA uses RC4, whereas WPA2 uses the Advanced Encryption Standard (AES). WPA2 requires two-phase authentication: an open system authentication and the Extensible Authentication Protocol (EAP). It requires the determination of a mutual PMK based on the EAP or PSK authentication processes and the calculation of pairwise transient keys through a 4-way handshake. AES is a much more secure encryption method, which uses a much more advanced encryption algorithm that cannot be defeated. WPA2 also uses the Data Encryption Standard (DES) as an encryption method that uses a secret key. It provides 72 quadrillion possible keys, and the keys are randomly chosen from this enormous pool, so it is tough to break.

4.8 802.11i:

The 802.11i WLAN security standard is backward compatible with WPA and includes the TKIP and 802.1x protocols. It uses two different authentication methods and other features like key caching. It delivers data confidentiality and user authentication, in conjunction with a strong intrusion detection and prevention solution.

4.9 Siemens HiPath Wireless Security:

The HiPath Wireless Manager architecture delivers sophisticated radio frequency security, location and performance optimization. Its unique integrated framework provides real-time coverage, which allows services to leverage one another. HiPath Wireless Manager HiGuard can be deployed in a sensor-less configuration, with sensors then gradually introduced in high-risk areas to run in mixed mode until the whole site is protected by dedicated sensors for maximum security. The benefits of HiPath Wireless Manager are:

- It enhances security, as sensors cover all Wi-Fi radio bands and channels to identify and neutralize the most sophisticated attacks.
- Automatic threat classification and the flexibility to locate rogues and even deny them access to the network.
- Intrusion information is forwarded to the management server.
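
The key derivation mentioned in 4.7 (a PMK from the PSK, then pairwise transient keys through the 4-way handshake) can be followed in code. The Python sketch below is an added example, not part of the original paper. It uses the PBKDF2 and PRF constructions from IEEE 802.11i for a PSK network with AES-CCMP; the SSID, MAC addresses and passphrases are constructed values, and the handshake messages are reduced to a tag plus nonce instead of full EAPOL-Key frames.

```python
import hashlib
import hmac
import os

def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce) -> dict:
    """Pairwise transient key (CCMP: 48 bytes) from PMK, both MACs and both nonces."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}

def mic(kck: bytes, message: bytes) -> bytes:
    """Handshake MIC: HMAC-SHA1 under the key confirmation key, cut to 16 bytes."""
    return hmac.new(kck, message, hashlib.sha1).digest()[:16]

def four_way_handshake(ap_passphrase: str, sta_passphrase: str, ssid: str = "example-net"):
    """Simulate both sides; returns (handshake_ok, AP temporal key, station temporal key)."""
    # Constructed, locally administered MAC addresses.
    ap_mac, sta_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    ap_pmk = pmk_from_psk(ap_passphrase, ssid)
    sta_pmk = pmk_from_psk(sta_passphrase, ssid)
    # Message 1, AP -> station: ANonce in the clear.
    anonce = os.urandom(32)
    # Message 2, station -> AP: SNonce plus a MIC that proves knowledge of the PMK.
    snonce = os.urandom(32)
    sta_ptk = derive_ptk(sta_pmk, ap_mac, sta_mac, anonce, snonce)
    msg2 = b"M2" + snonce
    msg2_mic = mic(sta_ptk["KCK"], msg2)
    # AP derives the PTK from its own PMK and checks the station's MIC.
    ap_ptk = derive_ptk(ap_pmk, ap_mac, sta_mac, anonce, snonce)
    if not hmac.compare_digest(mic(ap_ptk["KCK"], msg2), msg2_mic):
        return False, None, None
    # Message 3, AP -> station: MIC proving the AP also holds the PMK.
    msg3 = b"M3" + anonce
    msg3_mic = mic(ap_ptk["KCK"], msg3)
    # Message 4, station -> AP: sent only if the station can verify message 3.
    ok = hmac.compare_digest(mic(sta_ptk["KCK"], msg3), msg3_mic)
    return ok, ap_ptk["TK"], sta_ptk["TK"]
```

The PMK itself never crosses the air, and because fresh nonces enter the PTK, each association gets a different temporal key even though the passphrase stays the same.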

New Technology:

Possibly from next year, another technology called White Space may be introduced, which will make it possible to use the Internet in rural areas as well. White Space refers to the gaps between heavily used radio frequency bands.

Conclusion:

Wireless technology is one of the fastest growing technologies, connecting devices to the Internet to make things easier and simpler. Nowadays it is used in most electronic devices, like laptops, mobiles, TVs etc. It gives greater mobility than other types of infrastructure such as wired networks. A wireless LAN saves money in terms of installation and maintenance of the network. But security issues can be both beneficial and a disadvantage for the wireless LAN. Networks using wireless technology are more prone to security breaches. Because a wireless network uses radio frequencies, it presents a vulnerability to any outside intruder who wants to hack the network. Increasing the number of wireless APs also increases the number of entryways for hackers. We can use different methods to secure the WLAN, such as encryption and the other methods explained above. Wireless security will have to evolve continually to keep up with the newest and most sophisticated attacks.
