
UNIVERSITY OF MAURITIUS
FACULTY OF ENGINEERING
Assignment

NETWORK ADMINISTRATION & PROGRAMMING (CSE 5211)

Critical Survey of IEEE 802.11 Standard & the Network Security Administration Strategy in a Wireless LAN

Submitted by:

YOGRAJ SEEBALUCK (0303581)
MSC INFORMATION & COMMUNICATION TECHNOLOGY, Level 1

24 April 2004

Seebaluck Yograj
yograj@loveable.com

MSc ICT Level 1

CSE5211

IEEE 802.11 Standard & the Network Security Administration Strategy in a Wireless LAN

Introduction
Over recent years, the market for wireless communications has enjoyed tremendous growth. Wireless technology now reaches or is capable of reaching virtually every location on the face of the earth. Hundreds of millions of people exchange information every day using pagers, cellular telephones, and other wireless communication products. With the tremendous success of wireless technology, it is hardly surprising that wireless communication is beginning to be applied to the realm of personal and business computing. No longer bound by the harnesses of wired networks, people will be able to access and share information on a global scale nearly anywhere they venture. This report covers the various aspects of wireless LANs with emphasis on IEEE 802.11, its weaknesses and how to secure it.

1. WLAN

The major motivation and benefit from wireless LANs is increased mobility. Untethered from conventional network connections, network users can move about almost without restriction and access LANs from anywhere. Examples of the practical uses for WN access are limited only by the imagination of the application designer. Medical professionals can obtain not only patient records, but real-time vital signs and other reference data at the patient bedside without relying on reams of paper charts. Wireless connections with real-time sensing allow a remote engineer to diagnose and maintain the health and welfare of manufacturing equipment. The list of possibilities is almost endless.

WLANs offer increased flexibility. One can visualize without too much difficulty a meeting in which employees use laptops and wireless links to share and discuss future design plans and products. This "ad hoc" network can be brought up and torn down in a very short time as needed, either around the conference table or around the world. Even students on university campuses have been known to access lecture notes and other course materials while wandering about campus. Sometimes it is more economical to use a WLAN, as WLANs offer the connectivity and the convenience of wired LANs without the need for expensive wiring or rewiring.

2. WLAN Design

The real challenge in designing a WLAN is to strike a balance between its coverage and the bandwidth made available to each user. But there is a trade-off between the two: if the range is increased, then the bandwidth per user decreases, and vice versa. Designing and managing a WLAN is not simple, as it requires careful planning and constant monitoring. Here are the major steps that should be followed in designing a WLAN:

Step 1: Determine usage
Step 2: Conduct site survey
Step 3: Determine number of users per AP
Step 4: How much coverage
Step 5: Identify equipment
Step 6: Devise security policy
Step 7: Manageability & support

3. IEEE 802.11 WLAN Topologies

IEEE 802.11 supports three basic topologies for WLANs: the IBSS, the BSS and the ESS. All three configurations are supported by the MAC layer implementation. The 802.11 standard defines two modes: ad-hoc/IBSS and infrastructure mode.

Logically, an ad-hoc configuration is analogous to a peer-to-peer office network in which no single node is required to function as a server. IBSS WLANs include a number of nodes or wireless stations that communicate directly with one another on an ad-hoc, peer-to-peer basis, building a full-mesh or partial-mesh topology. Generally, ad-hoc implementations cover a limited area and are not connected to any larger network.

Using infrastructure mode, the WN consists of at least one AP connected to the wired network infrastructure and a set of wireless end stations. This configuration is called a BSS. Since most corporate WLANs require access to the wired LAN for services (file servers, printers, Internet links), they will operate in infrastructure mode and rely on an AP that acts as the logical server for a single WLAN cell or channel. Communications between two nodes, A and B, actually flow from node A to the AP and then from the AP to node B. The AP is necessary to perform a bridging function and connect multiple WLAN cells or channels, and to connect WLAN cells to a wired enterprise LAN.

An ESS is a set of two or more BSSs forming a single subnetwork. ESS configurations consist of multiple BSS cells that can be linked by either wired or wireless backbones. IEEE 802.11 supports ESS configurations as illustrated in Figure 1.

Figure 1: IEEE 802.11 BSS and ESS topologies

4. IEEE 802.11 WLAN Components

802.11 defines a wireless station equipped with a wireless NIC and an AP, which acts as a bridge between the wireless and wired networks. An AP consists of a radio, a wired network interface, and bridging software conforming to the 802.11d bridging standard. The AP acts as the base station for the WN, aggregating access for multiple wireless stations onto the wired network. Wireless end stations can be 802.11 PC Card, PCI, or ISA NICs, or embedded solutions in non-PC clients.

An 802.11 WLAN is based on a cellular architecture. Each cell (BSS) is connected to the base station or AP. All APs are connected to a DS, which is similar to a backbone. All the components mentioned appear as an 802 system to the upper layers of OSI and are known as the ESS. The 802.11 standard does not constrain the composition of the DS, so it may be 802 compliant or non-standard. If data frames need transmission to and from a non-IEEE 802.11 LAN, then these frames enter and exit through a logical point called a portal. When the DS is constructed with 802-type components, such as 802.3 (Ethernet) or 802.5 (Token Ring), then the portal and the AP are the same, acting as a translation bridge.

5. 802.11 MAC Layer Services

5.1 Authentication Process & De-authentication

Authentication is the process of proving client identity, which takes place prior to a wireless client associating with an AP. IEEE 802.11 devices operate in an open system whereby any wireless client can associate with an AP without checking credentials. True authentication is possible with the use of the 802.11 option WEP. Only those devices with a valid shared key will be allowed to be associated to the AP.

IEEE 802.1x is a standard for passing EAP over a wired or wireless LAN. With 802.1x, EAP messages are packaged in Ethernet frames. It is a standard for PBNAC, which provides authenticated network access to 802.11 WNs and to wired Ethernet networks. PBNAC uses the physical characteristics of a switched LAN infrastructure to authenticate devices that are attached to a LAN port and to prevent access to that port in cases where the authentication process fails.

During a PBNAC interaction, a LAN port adopts one of two roles: authenticator or supplicant. As authenticator, a LAN port enforces authentication before it allows user access to the services that can be accessed through that port. As supplicant, a LAN port requests access to the services that can be accessed through the authenticator's port. An AS, which can either be a separate entity or co-located with the authenticator, checks the supplicant's credentials on behalf of the authenticator. The AS then responds to the authenticator, indicating whether the supplicant is authorized to access the authenticator's services.

The authenticator's PBNAC defines two logical access points to the LAN through one physical LAN port. The first logical access point, the uncontrolled port, allows data exchange between the authenticator and other computers on the LAN, regardless of the computer's authorization state. The second logical access point, the controlled port, allows data exchange between an authenticated LAN user and the authenticator. IEEE 802.1x uses standard security protocols to provide centralized user identification, authentication, dynamic key management and accounting.

The de-authentication function is performed by the base station. It is a process of denying client credentials, based on incorrect authentication settings, or applied IP or MAC filters.

5.2 Association, Disassociation & Re-association

The association service enables the establishment of wireless links between wireless clients and APs in infrastructure networks. The disassociation service cancels the wireless links between wireless clients and APs in infrastructure networks. The re-association service occurs in addition to association when a wireless client moves from one BSS to another. Two adjoining BSSs form an ESS if they are defined by a common ESSID, providing a wireless client with the capability to roam from one area to another. Although re-association is specified in 802.11, the mechanism that allows AP-to-AP coordination to handle roaming is not specified.

5.3 Privacy

By default, data is transferred in the clear, allowing any 802.11-compliant device to potentially eavesdrop on similar 802.11 traffic within its range. The WEP option encrypts data before it is sent wirelessly, using a 40-bit encryption algorithm known as RC4. The same shared key used in authentication is used to encrypt or decrypt the data, allowing only wireless clients with the exact shared key to correctly decipher the data.

5.4 Data Transfer, Distribution, Integration & Power Management

The primary service of the MAC layer is to provide frame exchange between MAC layers. Wireless clients use a CSMA/CA algorithm as the media access scheme. The distribution function is performed by the DS and is used in special cases in frame transmission between APs. Integration is performed by the portal, which is essentially designed to provide logical integration between existing wired LANs and 802.11 LANs. IEEE 802.11 defines two power modes: an active mode, where a wireless client is powered to transmit and receive; and a power save mode, where a client is not able to transmit or receive, consuming less power. Actual power consumption is not defined and is dependent upon the implementation.

6. Securing a WLAN

WLANs are based on the IEEE 802.11 standard. Once the standard was defined, the Wi-Fi Alliance was formed to avoid interoperability problems between 802.11 products from different vendors, and it coined the term Wi-Fi for WLANs based on IEEE 802.11. Initially the latter had only WEP for its security. However, as WLANs became popular, flaws in it were detected and tools to break WEP security became easily available on the internet. The August 2003 issue of PCQUEST Magazine pointed out the weaknesses in WEP and even cracked the WEP key using a popular and freely available tool. But this does not mean that WLANs are not secure. Those in the business of security know that there is no such thing as absolute security, but one can make it tougher to breach. There are many ways to do this, starting from MAC address-based filtering to the new IEEE 802.11i security standard.

6.1 WEP security

In the WEP security model, the AP is the decision maker that allows people to access the WLAN. If the WEP key is correct the user can access the network; if not, he is denied. An attacker who has cracked the correct WEP key can use the WLAN with no problems.

6.2 MAC Address-Based Filtering

This is the second line of defense against attackers after WEP. With it, the wireless AP or router can be configured to accept packets only from known MAC addresses. But this method also has its shortcomings. MAC addresses are very easy to fake or spoof and they flow in clear text over the air. Nonetheless, it is a better approach to WEP and most APs and routers support this feature.

6.3 IEEE 802.11i and WPA

IEEE 802.11i is a new generation security method for WNs. It defines a new type of WLAN called RSN, which requires the wireless devices to have a number of new capabilities. However, customers cannot dump their existing products and the standard is not yet released. So the Wi-Fi Alliance has adopted a new standard based on RSN, called WPA.

6.4 Three-Party Security Model of WPA and IEEE 802.11i

The new standard based on WPA describes a different security model, which takes a three-party approach instead of the two-party approach used earlier. A user wanting to connect to a WN still first connects to the AP, but now the AP itself cannot allow the user to access the network, because the AP connects to a separate AS which takes the access decision. Thus, even with a valid WEP key, a user cannot access the WLAN until permitted by the AS; the AP becomes the NAS, whose job is to control the access gate to the network under the direction of the AS. IEEE 802.11i also takes the same approach.

6.5 Protocols for Wireless Security: EAP

In a WLAN, a user identifies himself to the AS using EAP. Using EAP messages, the user provides his identity to the AP, which forwards it to the AS for authentication. Depending on the user information, the AS gives a success or failure signal to the user. The user identity, however, is passed on unprotected and can easily be snooped by an intruder.
Then the intruder can masquerade as a valid user to access the WN, and the administrator has no means to tell whether data is coming from the right source. EAP messages between the user and the AP are transported over EAPOL, which is like the PPP connection used for dial-up internet access.

6.6 Upper Layer Authentication Built on EAP

To avoid relying on EAP identification alone, upper-layer authentication methods such as TLS, Kerberos or PEAP are used in conjunction with EAP. After the initial identification done by EAP, the AS defers the success or failure of the EAP session until the above authentication methods have established whether the user information is coming from the correct source.

6.7 PEAP

PEAP prevents the user identity from travelling over the air unprotected. It provides mutual authentication in which the AS first proves its identity to the client, using a digital certificate for instance, and also gives the user the public key of the certificate. After this, the user identity can be sent to the AS encrypted with the public key of the server, so that it can only be read by the AS using its private key and not by an attacker.

6.8 IEEE 802.1x

A security standard featuring a port-based authentication framework and dynamic distribution of session keys for WEP encryption. A RADIUS server is required. EAP messages from the user are passed on to the AS and messages from the AS are passed to the user. In between, the 802.1x AP looks for special EAP messages like success or failure to finally connect or disconnect the user.
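
The authenticator role described in sections 5.1 and 6.8, as an added example that is not part of the original report: the controlled port stays closed until the AS's EAP Success arrives, while EAP traffic passes through the uncontrolled port. The class, method and label names and the sample exchange are constructed for illustration; the RADIUS leg to the AS is reduced to a list, and matching the Success/Failure Identifier at the authenticator is a check chosen for this sketch.

```python
"""802.1X authenticator sketch: one physical port, two logical ports."""
import struct
from dataclasses import dataclass, field
from typing import Optional

# EAP Code values and the Identity type number, from RFC 3748.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def build_eap(code, identifier, eap_type=None, data=b""):
    """Encode Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(packet):
    """Decode and validate one EAP packet; ValueError on malformed input."""
    if len(packet) < 4:
        raise ValueError("truncated EAP header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in (EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE):
        raise ValueError("unknown EAP code")
    if length < 4 or length > len(packet):
        raise ValueError("EAP length field does not fit the packet")
    body = packet[4:length]  # octets past Length are link padding, ignored
    if code in (EAP_SUCCESS, EAP_FAILURE):
        if body:
            raise ValueError("Success/Failure must carry no data")
        return code, identifier, None, b""
    if not body:
        raise ValueError("Request/Response must carry a Type")
    return code, identifier, body[0], body[1:]


@dataclass
class Authenticator:
    """Hypothetical model of the AP/NAS side of one supplicant's port."""
    authorized: bool = False            # state of the controlled port
    pending_id: Optional[int] = None    # Identifier of the last relayed Response
    to_server: list = field(default_factory=list)      # stands in for RADIUS
    to_supplicant: list = field(default_factory=list)

    def from_supplicant(self, kind, payload):
        """kind is 'eapol' (uncontrolled port) or 'data' (controlled port)."""
        if kind == "data":
            return "forwarded" if self.authorized else "blocked"
        try:
            code, identifier, _, _ = parse_eap(payload)
        except ValueError:
            return "dropped"
        if code != EAP_RESPONSE:
            return "dropped"            # a supplicant only sends Responses
        self.pending_id = identifier
        self.to_server.append(payload)
        return "relayed"

    def from_server(self, payload):
        """Relay the AS's EAP packet and act on Success or Failure."""
        code, identifier, _, _ = parse_eap(payload)
        if code in (EAP_SUCCESS, EAP_FAILURE):
            if identifier != self.pending_id:
                return "ignored"        # no exchange in progress with this id
            self.authorized = code == EAP_SUCCESS
            self.pending_id = None
        self.to_supplicant.append(payload)
        if code == EAP_SUCCESS:
            return "port opened"
        return "port closed" if code == EAP_FAILURE else "relayed"


def demo():
    """Run one constructed exchange and return the authenticator's decisions."""
    port = Authenticator()
    identity = build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"alice")
    return [
        port.from_supplicant("data", b"constructed payload"),  # before auth
        port.from_server(build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)),
        port.from_supplicant("eapol", identity),
        port.from_server(build_eap(EAP_SUCCESS, 9)),   # unrelated Identifier
        port.from_server(build_eap(EAP_SUCCESS, 1)),
        port.from_supplicant("data", b"constructed payload"),
        port.from_supplicant("eapol", build_eap(EAP_RESPONSE, 2, EAP_TYPE_IDENTITY, b"alice")),
        port.from_server(build_eap(EAP_FAILURE, 2)),   # re-authentication fails
        port.from_supplicant("data", b"constructed payload"),
    ]


if __name__ == "__main__":
    for step in demo():
        print(step)
```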

Figure 2: 802.1x Authentication

6.9 RADIUS

A better way is to have a dedicated AS holding the user lists, with which the NAS communicates. This communication between the NAS and the AS is done using the RADIUS protocol. So in WLANs the AS is basically a server running the RADIUS protocol with EAP extensions, which authenticates wireless users on the basis of the user list present on it; it should also support other network protocols. To use this security model, support is required at all three levels: the client system, the AP and the AS. As a client, Win XP by default has support for 802.1x. Open source implementations are available for Linux clients. For the APs, Cisco and D-Link products support 802.1x. On the server side, Windows 2003 Server provides the necessary support, and for Linux, OpenSSL and FreeRadius can be used for 802.1x.

6.10 Proprietary Security

Proprietary security solutions exist to enhance the existing protection mechanisms. As recognized industry leaders of client and infrastructure systems, Intel and Cisco are working together to enable a protected, interoperable, and manageable system. LEAP is Cisco's version of EAP, compatible with Cisco Aironet products. CKIP is Cisco's version of TKIP, compatible with Cisco Aironet products, which adds security, performance and manageability to a WLAN consisting of Cisco Aironet infrastructure and compatible third-party clients. One also needs to check for interoperability between the infrastructure and client-side WLAN components. Be sure to look for Wi-Fi CERTIFIED products, as they have been tested for interoperability with other certified products. The Wi-Fi Alliance has a list of certified products on its website.

7. Current Security Problems of 802.11 Wireless & their Solution

A WN is more vulnerable to attacks than a wired network, so security is a critical element of WLAN design. The most prominent security vulnerabilities associated with WLANs, and how network engineers could build a secure WN, are discussed in this section. Let us see how and where to use these security measures and evaluate the risk involved with them.

Problem #1: Very Easy Access

WLANs are easy to find. The information needed to join a network is also that needed to launch an attack. To enable clients to find them, networks transmit Beacon frames with network parameters. These are not processed by any privacy functions, so the 802.11 network and its parameters are available to anybody with an 802.11 card. Attackers with high-gain antennas can find networks from nearby and launch attacks without having physical access to the WLAN.

Solution #1: Secure Airwaves with Encryption & Strong Access Control

Ensuring security on a WN is partly a matter of design. NAs should place APs outside of security perimeter devices (firewalls) and use VPNs to provide access to the corporate network. Strong user authentication should be deployed (e.g. 802.1x, which defines new frame types for user-based authentication and leverages existing enterprise user databases such as RADIUS). Front-end authentication exchanges using 802.1x over the wireless medium are converted to RADIUS requests over the back-end wired LAN. NAs should also use a WNA (e.g. AirMagnet WLA) whose analysis system includes a diagnostic routine for WLANs that watches authentication traffic and provides a diagnostic for the NAs. The WLA analysis system tracks 802.1x authentication messages and key distribution messages from a central screen, and the WLAN must be regularly audited to ensure that the deployment is consistent with the security objectives of the design. The WLA analysis engine can perform in-depth analysis on frames and can detect several common 802.11 security problems.

Problem #2: Discovery of Rogue Access Points (RAP)

Easy access to WLANs is coupled with easy deployment. These two combined can cause headaches for NAs. Any user can purchase an AP and connect it to the corporate network without authorization. So-called rogue access points deployed by end users pose great security risks, as these users are not security experts and may not be aware of the risks posed by WLANs. Many deployments that have been logged and mapped by war drivers do not have any security features enabled, making them vulnerable.

Solution #2: Regular Site Audits & Multi-Dimensional Intrusion Detection

WNs require vigilance on the part of the NAs. Given the ease with which technologies can be exploited for access, learning when unauthorised networks have been deployed is a vital task. The obvious way to find unauthorised networks is to imitate an attacker: use an antenna and look for unauthorised networks before attackers exploit them. So, physical site audits should be performed regularly. Walk-through detection often begins with NetStumbler, which is a good tool for finding large numbers of APs and associating them with geographic locations for mapping applications. With the emergence of 802.11a, NAs should look for a hassle-free product that supports both 802.11a and 802.11b. Dual-band 802.11a/b chipsets and cards built with them allow NAs to work on both without hardware changes.
So they need to master only one supported platform for both 802.11a and 802.11b, which should apply to 802.11g when WNA vendors are certain to adopt 802.11a/b/g cards. Many tools are used to perform site audits and track RAPs, but NAs must be conscious of the need to keep up with the latest techniques used in the cat-and-mouse game played out in the site audit. An AP can be deployed in any frequency band defined in 802.11, so it is important that any tools used in audits can scan the entire frequency range. Even if 802.11b is chosen, a WNA used for site audit work should be capable of simultaneously scanning for unauthorised 802.11a APs so that no hardware or software swaps are required during an audit. Some RAPs are beginning to be deployed illegally on 802.11b channels that are not available for transmission. NAs are always pressed for time, and need an efficient way to find RAPs. For instance, AirMagnet's expert engine allows NAs to configure a list of authorised APs. Thus any unauthorised AP will trigger an alarm. In response to the alarm, NAs can use the find tool on a WNA to home in on an AP using real-time signal strength meters.

Problem #3: Unauthorised Service & Legal Implications

Many benchmarks have published results indicating that a majority of APs are put in service with minimal modifications to the default configuration. Most of the APs running with quasi-default settings have not activated WEP or have a default vendor's key. Two problems can arise from such open access. In addition to bandwidth charges for unauthorised use, legal problems may result. Unauthorised users may not necessarily obey your provider's terms of service, and it may only take one spammer to cause your ISP to revoke your connectivity.

Solution #3: Design and Audit for Strong Authentication

A defence against unauthorised use is to keep unauthorised users off the network. Strong, cryptographically protected authentication is a precondition for authorization, as access privileges are based on user identity. So VPN solutions deployed to protect traffic in transit across the radio link provide strong authentication. Organizations which perform risk analysis indicate that 802.1x is a sufficient technical countermeasure that ensures a cryptographically secure authentication (PEAP, TLS or TTLS). As part of its monitoring, a WNA detects important 802.1x properties such as the user name and EAP type. Once a WN has been successfully deployed, it is important to ensure that authentication/authorisation policies are rigorously followed. So the solution is to perform regular audits of the WN equipment to ensure that strong authentication is used and that network devices are properly configured.
These audits are a vital component of WLAN security, for they are used to verify that strong security tools are in place and are required for use of the WLAN, as well as to sniff out unauthorised WLAN deployments. So any comprehensive audit tool must detect APs in both the 802.11b (2.4 GHz ISM band) and 802.11a (5 GHz U-NII) frequency bands as well as summarize parameters relevant to security. If an unauthorised station is found in the network, a receiver can be used to track down its physical location, verify the configuration of AP parameters and raise alarms when APs expose vulnerabilities.

Problem #4: Service and Performance Constraints

WLANs have limited transmission capacity: WLANs based on 802.11b have a bit rate of 11 Mbps and those based on 802.11a technology have bit rates up to 54 Mbps. Due to MAC layer overhead, the actual effective throughput tops out at roughly half of the nominal bit rate. Current shipping APs share that limited capacity between all the users associated with an AP. It is not hard to imagine how local area applications might overwhelm such limited capacity, or how an attacker might launch a denial of service attack on the limited resources.

Radio capacity can be overwhelmed in various ways, as it can be swamped by traffic coming in from the wired network at a rate greater than the radio channel can handle. If an attacker were to launch a ping flood from broadcast addresses, it is possible to overwhelm several directly connected APs. The 802.11 MAC is designed to allow WNs to share the same space and radio channel. So attackers wishing to take out the WN could send their own traffic on the same radio channel and the target network would accommodate the new traffic as best it could using the CSMA/CA mechanisms in the standard. Attackers can also overwhelm limited capacity by transmitting spoofed frames or by sending high-noise transmissions at a target WN. Large traffic need not be maliciously generated, for if many users start pulling vast tracts of data through the same AP, network access begins to resemble the caricature of dial-up access used by purveyors of high-speed broadband services.

Solution #4: 24x7 Network Monitoring

Addressing performance problems starts with monitoring and discovering them. NAs have many channels for performance data, ranging from technical measures such as SNMP to non-technical measures such as user performance reports. WNAs are a valuable ally for the NAs, reporting on the signal quality and network health at the current location. A large amount of low-speed transmissions may indicate external interference or severe multipath fading. The ability to display instantaneous speeds on each channel gives a strong indication of the remaining capacity on the channel.
Excessive traffic on an AP can be addressed by segmenting the AP's coverage area or by applying a traffic shaping solution at the confluence of the WN with the corporate backbone. WNAs are used near trouble spots for diagnosis and to observe denial of service attacks. Tools exist that spoof the disassociation messages between APs and clients. Without cryptographic authentication of these messages, clients respond to these forged messages by going offline. Until cryptographic frame authentication of every transmitted frame is required by the standards, the only practical defence against flooding attacks is to locate attackers and apply an appropriate solution.
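
One way a monitoring station can notice the forged disassociation traffic described under Solution #4, as an added example that is not part of the original report: count deauthentication and disassociation frames per claimed AP in a sliding window and raise one alert per burst. The frame tuples, addresses, window and threshold are constructed values, and the function and field names are hypothetical.

```python
"""Sliding-window detector for bursts of 802.11 teardown frames."""
from collections import defaultdict, deque

TEARDOWN = {"deauth", "disassoc"}       # management subtypes that end a session
BROADCAST = "ff:ff:ff:ff:ff:ff"
AP1, AP2 = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed addresses
CLIENT = "02:00:00:00:10:01"


def detect_teardown_floods(frames, window_ms=1000, threshold=5):
    """frames: iterable of (t_ms, subtype, claimed_bssid, destination).

    Returns one alert per burst: the alert fires when `threshold` teardown
    frames naming the same BSSID fall inside `window_ms`, and is re-armed
    once the rate for that BSSID drops below the threshold again.
    """
    recent = defaultdict(deque)   # bssid -> (t_ms, dst) still inside the window
    alerting = set()              # BSSIDs whose current burst was reported
    alerts = []
    for t_ms, subtype, bssid, dst in sorted(frames):
        if subtype not in TEARDOWN:
            continue
        queue = recent[bssid]
        queue.append((t_ms, dst))
        while t_ms - queue[0][0] > window_ms:
            queue.popleft()
        if len(queue) < threshold:
            alerting.discard(bssid)
        elif bssid not in alerting:
            alerting.add(bssid)
            alerts.append({
                "bssid": bssid,
                "at_ms": t_ms,
                "frames_in_window": len(queue),
                # The source address is unauthenticated, so the alert names
                # the AP being impersonated or abused, not the sender.
                "targets": sorted({d for _, d in queue}),
            })
    return alerts


def sample_frames():
    """Constructed capture: normal roaming plus two bursts naming AP1."""
    frames = [(0, "disassoc", AP1, CLIENT),          # one client leaving
              (500, "data", AP1, CLIENT)]            # ignored: not management
    frames += [(10_000 + 50 * i, "deauth", AP1, BROADCAST) for i in range(10)]
    frames += [(20_000, "disassoc", AP1, CLIENT)]    # isolated, re-arms alert
    frames += [(30_000 + 100 * i, "disassoc", AP1, CLIENT) for i in range(6)]
    frames += [(t, "disassoc", AP2, CLIENT) for t in (1_000, 11_000, 21_000)]
    return frames


if __name__ == "__main__":
    for alert in detect_teardown_floods(sample_frames()):
        print(alert)
```

An alert only says where to start looking; locating the transmitter still needs the signal-strength walk the report describes.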

Problem #5: MAC Spoofing & Session Hijacking

802.11 networks do not authenticate frames. Each frame has a source address. Attackers can use spoofed frames to redirect traffic and corrupt ARP tables, and use spoofed frames in active attacks. In addition to hijacking sessions, they can exploit the lack of authentication of APs, which are identified by their broadcast of Beacon frames. Any station which claims to be an AP and broadcasts the right SSID will appear to be part of an authorised network. The attacker could then potentially steal credentials and use them to gain access to the network through a MITM attack. Fortunately, protocols that support mutual authentication are possible with 802.1x. Using methods based on TLS, APs will need to prove their identity before clients provide authentication credentials, which are protected by strong cryptography for transmission over the air. Session hijacking will not be completely solved until the 802.11 MAC adopts per-frame authentication as part of 802.11i.

Solution #5: Use Strong Protocols

MAC spoofing will be a threat until the ratification of 802.11i. NAs must isolate WNs affected by MAC spoofing from the core network. Session hijacking can be prevented by using a strong cryptographic protocol such as IPSec. Along with VPN protocols, the use of strong user authentication with 802.1x is required, which checks the exchanges on the wireless component. After deployment, a WNA will decode the authentication type, which allows NAs to protect passwords.

Problem #6: Traffic Analysis & Network Eavesdropping

802.11 provides no protection against attacks that passively observe traffic. The main risk is that it does not provide a way to protect data in transit against eavesdropping. Frame headers are clearly visible to anybody with a WNA. This problem was supposed to be alleviated by WEP, but a great deal has been written about the flaws in it, as it protects only the initial association with the network and user data frames.
Moreover, management and control frames are not encrypted or authenticated, leaving an attacker free to disrupt transmissions with spoofed frames and to use AirSnort and WEPcrack to crack WEP-based systems. Fortunately, the new products eliminate all known attacks. As an extra precaution, the latest products use key management protocols to change the WEP key every 15 minutes.

Solution #6: Perform Risk Analysis

To alleviate the problem of eavesdropping, the key decision is to balance the threat of using only WEP against the complexity of deploying a proven solution. WEP has been extensively studied and the security protocols have been fortified against all known attacks, with the short re-keying time preventing hackers from cracking the WEP key before it is periodically replaced. So if a WEP key is to be used, NAs should audit the WNs to ensure that they are not susceptible to an AirSnort attack. A short re-key time is an important tool for minimising the risks associated with WLANs. As part of a site audit, NAs can use a WLA to ensure that any policies on WEP re-keying are implemented by the equipment. But if the WLAN is being used for sensitive data, WEP is insufficient. Solutions like SSL and IPSec were designed to transmit data securely over public channels; these have been found resistant to attacks over many years and will certainly continue to provide a higher level of security. The WLA's AP display can distinguish between APs that use WEP, 802.1x, and VPN technology, which enables NAs to check that policies mandating strong cryptography are followed.

Problem #7: Higher Level Attacks

After gaining access to a WN, an attacker can use this access as a launch point for attacks on other systems. Normally networks have a hard outer shell composed of perimeter security devices that are carefully configured and monitored, whereas the inner part is vulnerable. WLANs can be deployed quickly if they are directly connected to the vulnerable part, but that exposes the network to attacks. These attacks can prove to be very costly if the network is used as a launch pad for attacks on the rest of the world.

Solution #7: Protect Core from WLAN

WLANs are treated as untrusted networks due to their susceptibility to attacks. Some companies provide guest access ports in training rooms. WLANs can be treated as conceptually similar to guest access ports due to the higher probability of access by untrustworthy users. Therefore, place the WLAN outside the corporate security perimeter and use strong, proven access control technology such as a firewall between the WLAN and the core network.
Then provide access to the core network through proven VPN solutions for reliable security of the system. NAs can implement honeypots which are fake networks used to lure in hackers. This enables them to find out more about what type of techniques hackers are using to gain access. One product is Mantrap created by Symantec used as honeypots.
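The site audit described above (WEP re-keying policy, strong cryptography for sensitive data, and APs kept outside the core perimeter) can be expressed as a small compliance check over an AP survey. This is an added example, not part of the original report; the CSV columns, policy thresholds, segment names and AP records are constructed assumptions and do not reflect any real analyzer's export format.

```python
import csv
import io

# Assumed policy values (not from the report): adapt to the site's own WLAN policy.
POLICY = {
    "max_wep_rekey_min": 15,             # WEP tolerated only with a short re-key time
    "strong_modes": {"802.1x", "vpn"},   # acceptable where sensitive data is carried
    "allowed_segment": "dmz-wlan",       # APs must sit outside the core perimeter
}

# Constructed survey export; columns are hypothetical. MACs use the documentation range.
SURVEY_CSV = """bssid,ssid,mode,rekey_min,segment,sensitive
00:00:5e:00:53:01,guest,wep,10,dmz-wlan,no
00:00:5e:00:53:02,guest,wep,0,dmz-wlan,no
00:00:5e:00:53:03,finance,wep,10,dmz-wlan,yes
00:00:5e:00:53:04,staff,802.1x,0,core,no
00:00:5e:00:53:05,lab,open,0,dmz-wlan,no
00:00:5e:00:53:06,finance,vpn,0,dmz-wlan,yes
"""

def audit_ap(ap, policy=POLICY):
    """Return the list of policy violations for one surveyed AP (empty = compliant)."""
    findings = []
    mode = ap["mode"].strip().lower()
    rekey = int(ap["rekey_min"] or 0)    # 0 means a static key: no re-keying observed
    if mode == "open":
        findings.append("no encryption")
    elif mode == "wep":
        if ap["sensitive"] == "yes":
            findings.append("WEP on sensitive WLAN")
        if rekey == 0 or rekey > policy["max_wep_rekey_min"]:
            findings.append("WEP key not re-keyed within policy interval")
    elif mode not in policy["strong_modes"]:
        findings.append("unknown security mode: " + mode)
    if ap["segment"] != policy["allowed_segment"]:
        findings.append("AP attached inside security perimeter")
    return findings

def audit_survey(text, policy=POLICY):
    """Map BSSID -> findings for every non-compliant AP in a CSV survey."""
    report = {}
    for ap in csv.DictReader(io.StringIO(text)):
        findings = audit_ap(ap, policy)
        if findings:
            report[ap["bssid"]] = findings
    return report

if __name__ == "__main__":
    for bssid, findings in audit_survey(SURVEY_CSV).items():
        print(bssid, "; ".join(findings))
```

Running the check on a schedule and comparing reports between runs turns the written policy into something that is actually monitored.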

Conclusion
Reasonable precautions can make WNs safe for any organization that wants to reap the benefits of mobility and flexibility. As with many other evolving network technologies, the key is to design a network with security in mind and carry out regular audits to ensure that the design is the actual basis for deployment. Hence, from analysis to troubleshooting to auditing, a WNA is an indispensable tool for wireless NAs. Moreover, NAs need to develop WLAN policies for security and management, as exemplified in Appendix 1, and should follow the six steps shown in Figure 3. Monitoring for policy compliance plays a critical role: it ensures that the policy does not become a useless, unread document. Without auditing the network for policy compliance, the policy cannot be enforced. Hence a WLAN must be extremely well managed to maximize performance and troubleshoot issues as they arise.

Figure 3: Steps for WLAN Security and management policies

Wireless Networking Definitions IEEE 802.11


802.1x: This standard enhances the security of LANs by providing an authentication framework allowing users to authenticate to a central authority, such as LDAP or Active Directory.

802.11: The IEEE developed the 802.11 standard for WLANs. There are four specifications including 802.11, 802.11a, 802.11b, and 802.11g. Each 802.11 standard operates in a different GHz range and/or offers a different speed. 802.11 applies to WLANs and provides 1 or 2 Mbps transmission in the 2.4 GHz band using either FHSS or DSSS.

802.11a: An extension to the 802.11 standard that provides a maximum connect rate of 54 Mbps throughput in the 5 GHz band. This specification is not backward compatible with 802.11b.

802.11b: An extension to the 802.11 standard developed by the IEEE for WN technology. 802.11b applies to wireless LANs and supports a maximum connect rate of 11 Mbps with fallback to 5.5, 2, and 1 Mbps in the 2.4 GHz ISM band. This standard was ratified in 1999 and is widely implemented in wireless networking products supplied by most equipment vendors.

802.11g: An extension to the 802.11 standard that allows for a maximum connect rate of 54 Mbps while maintaining compatibility with the 802.11b standard.

802.11h: An extension to the 802.11 standard that will allow flexibility in transmission power and selecting frequencies in order to reduce interference with other devices operating in the same frequency band.

802.11i: An extension to the 802.11 standard to provide improved security over those available under 802.11 extensions. This extension provides for improved encryption methods and for the integration of the IEEE 802.1x authentication protocol.

AP: A wireless communications hardware device that creates a central point of wireless connectivity. A wireless AP behaves much like a "hub" in that the total bandwidth is shared among all users for which the device is maintaining an active network connection. An AP is an addressable station, providing an interface to the DS for stations located within various BSSs.

DS: The DS is an element that interconnects BSSs within the ESS via APs, and it supports the 802.11 mobility types by providing the logical services necessary to handle address-to-destination mapping and seamless integration of multiple BSSs.

WEP: A security protocol for WNs defined within the 802.11b standard. WEP is designed to provide the same level of security as that of a wired network. Research indicates that the use of WEP alone is insufficient to ensure privacy unless used in conjunction with other mechanisms for data encryption.

Glossary
AP: Access Point
ARP: Address Resolution Protocol
AS: Authentication Server
BSS: Basic Service Set
CKIP: Cisco Key Integrity Protocol
CSMA/CA: Collision Sense Multiple Access with Collision Avoidance
DS: Distribution System
DSSS: Direct Sequence Spread Spectrum
EAP: Extensible Authentication Protocol
EAPOL: EAP on LAN
ESS: Extended Service Set
ESSID: Extended Service Set Identifier
FHSS: Frequency Hopping Spread Spectrum
IBSS: Independent Basic Service Set
IEEE: Institute of Electrical and Electronics Engineers
IPSec: Internet Protocol security
ISM: Industry, Scientific, and Medical
ISP: Internet Service Provider
LAN: Local Area Network
LDAP: Lightweight Directory Access Protocol
LLC: Logical Link Control
MAC: Media Access Control
MITM: Man-In-The-Middle
NA: Network Administrator
NAS: Network Access Server
NIC: Network Interface Card
OpenSSL: Open Secure Sockets Layer
PBNAC: Port-Based Network Access Control
PEAP: Protected-EAP
PPP: Point-to-Point Protocol
RADIUS: Remote Authentication Dial-In User Service
RAP: Rogue Access Point
RC4: Ron's Code or Rivest's Cipher
RSN: Robust Security Standard
SNMP: Simple Network Management Protocol
SSID: Service Set Identifier
SSL: Secure Socket Layer
TLS: Transport Layer Security
TTLS: Tunneled TLS
VPN: Virtual Private Network
WEP: Wired Equivalent Privacy
WLA: Wireless LAN Analyzer
WLAN: Wireless LAN
WN: Wireless Network
WNA: Wireless Network Analyzer
WPA: Wi-Fi Protected Access
Appendix 1

Figure 3: Example of AirDefense's WLAN policy
