Friday, December 31, 2010

Wireless LAN Security

Centralized Encryption Key Servers

For enterprise wireless LANs using WEP as a basic security mechanism, centralized encryption key servers should be used if possible for the following reasons:
  • Centralized key generation
  • Centralized key distribution
  • Ongoing key rotation
  • Reduced key management overhead

Any number of different devices can act as a centralized key server. Usually a server of some kind, such as a RADIUS server or a specialized application server whose purpose is handing out new WEP keys at short time intervals, is used. Normally, when using WEP, the keys (made up by the administrator) are manually entered into the stations and access points. When using a centralized key server, an automated process between stations, access points, and the key server performs the task of handing out WEP keys. Figure 10.3 illustrates how a typical encryption key server would be set up.


Centralized encryption key servers allow for key generation on a per-packet, per-session, or other basis, depending on the particular manufacturer’s implementation. Per-packet WEP key distribution calls for a new WEP key to be assigned to both ends of the connection for every packet sent, whereas per-session WEP key distribution uses a new WEP key for each new session between nodes.


WEP Usage

When WEP is initialized, the data payload of the packet being sent using WEP is encrypted; however, part of the packet header – including the MAC addresses – is not encrypted. All layer 3 information, including source and destination addresses, is encrypted with WEP. When an access point sends out its beacons on a wireless LAN using WEP, the beacons are not encrypted. Remember that the beacons do not include any layer 3 information.
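The split described above (802.11 header and IV in the clear, layer 3 payload and integrity check encrypted) is easiest to see by building a WEP frame by hand. The following is an added example, not code from the original article or from any vendor: a plain RC4 implementation and the WEP encapsulation from 802.11-1999 (24-bit IV, RC4 keystream over IV || key, CRC-32 ICV). The key, IV and MAC addresses are constructed sample values, and the "layer 3" payload is a text stand-in for an IP packet.

```python
import struct
import zlib

# Constructed sample values for this example; none come from a real network.
WEP_KEY = bytes.fromhex("0a1b2c3d4e")      # 40-bit shared WEP key
IV = bytes.fromhex("000001")               # 24-bit initialization vector, sent in the clear
BSSID = bytes.fromhex("00a0f8112233")      # addr1: access point
STA_MAC = bytes.fromhex("00409644aabb")    # addr2: transmitting station
DST_MAC = bytes.fromhex("0000c0778899")    # addr3: destination on the wired side
HEADER_LEN = 24                            # 802.11 data frame MAC header (three addresses)


def data_header() -> bytes:
    """802.11 data frame MAC header: frame control (type data, To-DS, Protected
    bit set), duration, three addresses, sequence control. WEP never encrypts it."""
    frame_control = bytes([0x08, 0x41])
    duration = b"\x00\x00"
    seq_ctrl = b"\x10\x00"
    return frame_control + duration + BSSID + STA_MAC + DST_MAC + seq_ctrl


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (the cipher WEP uses): key scheduling, then `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(header: bytes, payload: bytes, wep_key: bytes, iv: bytes, key_id: int = 0) -> bytes:
    """WEP encapsulation: header and IV/key-id stay in the clear; payload plus a
    CRC-32 integrity check value (ICV) are XORed with RC4(IV || key)."""
    if len(iv) != 3 or key_id not in range(4):
        raise ValueError("IV must be 3 bytes and key_id 0..3")
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    keystream = rc4_keystream(iv + wep_key, len(payload) + len(icv))
    ciphertext = bytes(a ^ b for a, b in zip(payload + icv, keystream))
    return header + iv + bytes([key_id << 6]) + ciphertext


def wep_decrypt(frame: bytes, header_len: int, wep_key: bytes):
    """Reverse of wep_encrypt. Returns (header, payload, icv_ok)."""
    header = frame[:header_len]
    iv = frame[header_len:header_len + 3]
    ciphertext = frame[header_len + 4:]          # skip IV (3 bytes) and key-id byte (1)
    keystream = rc4_keystream(iv + wep_key, len(ciphertext))
    plain = bytes(a ^ b for a, b in zip(ciphertext, keystream))
    payload, icv = plain[:-4], plain[-4:]
    icv_ok = struct.unpack("<I", icv)[0] == (zlib.crc32(payload) & 0xFFFFFFFF)
    return header, payload, icv_ok


def build_frame(payload: bytes) -> bytes:
    return wep_encrypt(data_header(), payload, WEP_KEY, IV)


def addresses_visible(frame: bytes) -> bool:
    """All three MAC addresses can be read straight off the protected frame."""
    return frame[4:10] == BSSID and frame[10:16] == STA_MAC and frame[16:22] == DST_MAC


def payload_visible(frame: bytes, payload: bytes) -> bool:
    """The layer-3 payload (including its IP addresses) does not appear in the clear."""
    return payload in frame


if __name__ == "__main__":
    payload = b"IP 10.0.0.5 -> 10.0.0.9 (constructed layer-3 stand-in)"
    frame = build_frame(payload)
    print("header + IV in the clear:", frame[:HEADER_LEN + 4].hex())
    print("addresses visible:", addresses_visible(frame))
    print("payload visible:", payload_visible(frame, payload))
    _, plain, ok = wep_decrypt(frame, HEADER_LEN, WEP_KEY)
    print("decrypted:", plain, "ICV ok:", ok)
```

Running it shows the three addresses at fixed offsets of the frame while the payload is unreadable without the key; the ICV check also shows that a frame whose encrypted body has been altered decrypts to garbage that fails the CRC (the CRC detects any single-bit change, which is the only property this example relies on).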

When packets are sent using WEP encryption, those packets must be decrypted. This decryption process consumes CPU cycles and reduces the effective throughput on the wireless LAN, sometimes significantly. Some manufacturers have implemented additional CPUs in their access points for the purpose of performing WEP encryption and decryption. Many manufacturers implement WEP encryption/decryption in software and use the same CPU that's used for access point management, packet forwarding, etc. These access points are generally the ones where WEP will have the most significant effects if enabled. By implementing WEP in hardware, it is very likely that an access point can maintain its 5 Mbps (or more) throughput with WEP enabled. The disadvantage of this implementation is the added cost of a more advanced access point.

WEP can be implemented as a basic security mechanism, but network administrators should first be aware of WEP’s weaknesses and how to compensate for them. The administrator should also be aware of the fact that each vendor’s use of WEP can and may be different, hindering the use of hardware from multiple vendors.


Advanced Encryption Standard

The Advanced Encryption Standard (AES) is gaining acceptance as an appropriate replacement for the RC4 algorithm used in WEP. AES uses the Rijndael (pronounced ‘RINE-dale’) algorithm in the following specified key lengths:
  • 128-bit
  • 192-bit
  • 256-bit
AES is considered to be uncrackable by most cryptographers, and the National Institute of Standards and Technology (NIST) has chosen AES for the Federal Information Processing Standard, or FIPS. As part of the effort to improve the 802.11 standard, the 802.11i working committee is considering the use of AES in WEPv2.

AES, if approved by the 802.11i working group to be used in WEPv2, will be implemented in firmware and software by vendors. Access point firmware and client station firmware (the PCMCIA radio cards) will have to be upgraded to support AES. Client station software (drivers and client utilities) will support configuring AES with secret key(s).


Filtering

Filtering is a basic security mechanism that can be used in addition to WEP and/or AES. Filtering literally means to keep out that which is not wanted and to allow that which is wanted. Filtering works the same way as access lists on a router: by defining parameters to which stations must adhere in order to gain access to the network. With wireless LANs, it is not so much what the stations do, but rather who they are and how they are configured. There are three basic types of filtering that can be performed on a wireless LAN:
  • SSID filtering
  • MAC address filtering
  • Protocol filtering
This section will explain what each of these types of filtering is, what each can do for the administrator, and how to configure each one.


SSID Filtering

SSID filtering is a rudimentary method of filtering, and should only be used for the most basic access control. The SSID (service set identifier) is just another term for the network name. The SSID of a wireless LAN station must match the SSID on the access point (infrastructure mode) or of the other stations (ad hoc mode) in order for the client to authenticate and associate to the service set. Since the SSID is broadcast in the clear in every beacon that the access point (or set of stations) sends out, it is very simple to find out the SSID of a network using a sniffer. Many access points have the ability to take the SSID out of the beacon frame. When this is the case, the client must have the matching SSID in order to associate to the access point. When a system is configured in this manner, it is said to be a "closed system." SSID filtering is not considered a reliable method of keeping unauthorized users out of a wireless LAN.

Some manufacturers' access points have the ability to remove the SSID from beacons and/or probe responses. In this case, in order to join the service set, a station must have the SSID configured manually in the driver configuration settings. Some common mistakes that wireless LAN users make in administering SSIDs are listed below:

  • Using the default SSID - This setting is yet another way to give away information about your wireless LAN. It is simple enough to use a sniffer to see the MAC addresses originating from the access point and then look up the MAC address in the OUI table hosted by IEEE. The OUI table lists the different MAC address prefixes that are assigned to each manufacturer. Until Netstumbler came along, this process was manual, but now Netstumbler performs this task automatically. If you don't know how to use Netstumbler or are unfamiliar with network sniffers, then looking for default SSIDs also works well. Each wireless LAN manufacturer uses their own default SSID, and, since there are still a manageable number of wireless LAN manufacturers in the industry, obtaining each of the user manuals from the support section of each manufacturer's website and looking for the default SSID and default IP subnet information is a simple task. Always change the default SSID.
  • Making the SSID something company-related – This type of setting is a security risk because it simplifies the process of a hacker finding the company's physical location. When looking for wireless LANs in any particular geographic region, finding the physical location of the wireless LAN is half the battle. Even after detecting the wireless LAN using tools such as Netstumbler, finding where the signal originates takes time and considerable effort in many cases. When an administrator uses an SSID that names the company or organization, it makes finding the wireless LAN very easy. Always use non-company-related SSIDs.
  • Using the SSID as a means of securing wireless networks – This practice is highly discouraged, since a user only has to change the SSID in the configuration settings of his workstation in order to join the network. SSIDs should be used as a means of segmenting the network, not securing it. Again, think of the SSID as the network name. Just as with Windows' Network Neighborhood, changing the workgroup your computer is a part of is as simple as changing a configuration setting on the client station.
  • Unnecessarily Broadcasting SSIDs - If your access points have the ability to remove SSIDs from beacons and probe responses, configure them that way. This configuration aids in deterring casual eavesdroppers from tinkering with or using your wireless LAN.
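The SSID travels in a beacon as an ordinary information element (element ID 0, length, value) after the beacon's fixed fields, which is why a sniffer can read it and why a "closed system" access point can blank it. The following added example (not code from the original article) parses that element list from a beacon frame body and runs the checks the list above describes: default SSID, company-related SSID, and SSID still being broadcast. The beacon bodies and the list of default SSIDs are constructed for the example; as the text says, a real default-SSID list is built from vendor manuals. Treating an all-NUL SSID as hidden, alongside an empty or absent one, is an assumption about how different vendors implement the closed-system setting.

```python
import struct

SSID_ELEMENT_ID = 0  # element ID of the SSID information element in management frames

# Illustrative defaults only; build the real list from each vendor's manual, as the text advises.
DEFAULT_SSIDS = {"default", "linksys", "tsunami", "wireless", "wlan"}


def parse_information_elements(ie_bytes: bytes) -> dict:
    """Walk the tagged parameters (element ID, length, value) that follow the fixed
    fields of a beacon or probe response. Stops at a truncated element."""
    elements = {}
    pos = 0
    while pos + 2 <= len(ie_bytes):
        element_id, length = ie_bytes[pos], ie_bytes[pos + 1]
        value = ie_bytes[pos + 2:pos + 2 + length]
        if len(value) < length:
            break
        elements.setdefault(element_id, value)  # keep the first occurrence of an ID
        pos += 2 + length
    return elements


def extract_ssid(beacon_body: bytes):
    """beacon_body = 8-byte timestamp + 2-byte beacon interval + 2-byte capability + elements.
    Returns (ssid, hidden). A missing, empty, or all-NUL SSID element is treated as a
    'closed system' beacon (assumption: vendors signal it in one of these ways)."""
    if len(beacon_body) < 12:
        return None, False
    raw = parse_information_elements(beacon_body[12:]).get(SSID_ELEMENT_ID)
    if raw is None or len(raw) == 0 or all(b == 0 for b in raw):
        return "", True
    return raw.decode("utf-8", errors="replace"), False


def audit_ssid(ssid, hidden, company_terms=()):
    """Findings that map to the SSID mistakes listed above."""
    findings = []
    if hidden or ssid is None:
        return findings
    lowered = ssid.lower()
    if lowered in DEFAULT_SSIDS:
        findings.append("default SSID")
    if any(term.lower() in lowered for term in company_terms):
        findings.append("company-related SSID")
    findings.append("SSID broadcast in beacons")
    return findings


def make_beacon(ssid: bytes, interval: int = 100, capability: int = 0x0411) -> bytes:
    """Constructed beacon frame body for testing; capability 0x0411 = ESS + privacy (WEP)
    + short preamble."""
    fixed = struct.pack("<QHH", 0, interval, capability)
    ssid_element = bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid
    rates_element = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # basic rates 1/2/5.5/11 Mbps
    return fixed + ssid_element + rates_element


if __name__ == "__main__":
    for sample in (b"tsunami", b"AcmeCorp-HQ", b"", b"\x00\x00\x00"):
        ssid, hidden = extract_ssid(make_beacon(sample))
        print(repr(sample), "->", repr(ssid), "hidden" if hidden else "", audit_ssid(ssid, hidden, ["acme"]))
```

The element walker stops rather than guessing when a length byte runs past the end of the frame, which matters when feeding it captured (possibly damaged) beacons; a hidden SSID produces no findings because the remaining checks only apply to what is actually broadcast.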

MAC Address Filtering

Wireless LANs can filter based on the MAC addresses of client stations. Almost all access points (even very inexpensive ones) have MAC filter functionality. The network administrator can compile, distribute, and maintain a list of allowable MAC addresses and program them into each access point. If a PC card or other client with a MAC address that is not in the access point’s MAC filter list tries to gain access to the wireless LAN, the MAC address filter functionality will not allow that client to associate with that access point. Figure 10.4 illustrates this point.

Of course, programming every wireless client's MAC address into every access point across a large enterprise network would be impractical. MAC filters can be implemented on some RADIUS servers instead of in each access point. This configuration makes MAC filters a much more scalable security solution. Simply entering each MAC address into RADIUS along with user identity information, which would have to be input anyway, is a good solution. RADIUS servers often point to another authentication source, so that other authentication source would need to support MAC filters.

MAC filters can work in reverse as well. For example, consider an employee who left a company and took their wireless LAN card with them. This wireless LAN card holds the WEP key; MAC filters, for the sake of this example, are not in use. The administrator could then create a filter on all access points to disallow the MAC address of the client device that was taken by the employee. If MAC filters were already being used on this network when the wireless LAN card was stolen, removing the particular client's MAC address from the allow list would work as well.

Although MAC filters may seem to be a good method of securing a wireless LAN in some instances, they are still susceptible to the following intrusions:
  • Theft of a PC card that is in the MAC filter of an access point
  • Sniffing the wireless LAN and then spoofing with the MAC address after business hours

MAC filters are great for home and small office networks where there are a small number of client stations. Using WEP and MAC filters provides an adequate security solution in these instances. This solution is adequate because no intelligent hacker is going to spend the hours it takes to break WEP on a low-use network and expend the energy to circumvent a MAC filter for the purpose of getting to a person's laptop or desktop PC at home.


Circumventing MAC Filters

MAC addresses of wireless LAN clients are broadcast in the clear by access points and bridges, even when WEP is implemented. Therefore, a hacker who can listen to traffic on your network can quickly find out most MAC addresses that are allowed on your wireless network. In order for a sniffer to see a station's MAC address, that station must transmit a frame across the wireless segment.

Some wireless PC cards permit the changing of their MAC address through software or even operating system configuration changes. Once a hacker has a list of allowed MAC addresses, the hacker can simply change the PC card’s MAC address to match one of the PC cards on your network, instantly gaining access to your entire wireless LAN.

Since two stations with the same MAC address cannot peacefully co-exist on a LAN, the hacker must find the MAC address of a mobile station that is removed from the premises at particular times of the day. It is during this time when the mobile station (notebook computer) is not present on the wireless LAN that the hacker can gain access into the network. MAC filters should be used when feasible, but not as the sole security mechanism on your wireless LAN.
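As an added example that is not part of the original article, the following code models both uses of MAC filtering described above (an allow list of permitted cards, and a deny list for a card carried off by a departed employee) and, from the defender's side, the weakness just described: because a spoofed address can only be used while the legitimate station is absent, an association of a permitted address outside business hours is worth reviewing. The association log lines and their format are constructed for the example and do not follow any vendor's syslog layout; the 08:00 to 18:00 business-hours window is likewise an assumption.

```python
import re
from datetime import datetime, time

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 00:40:96:44:AA:BB, 00-40-96-44-aa-bb or 0040.9644.aabb; return 00:40:96:44:aa:bb."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacFilter:
    """'allow' mode: only listed addresses may associate (the usual MAC filter).
    'deny' mode: listed addresses are refused, everyone else passes (the departed-employee case)."""

    def __init__(self, mode: str, entries=()):
        if mode not in ("allow", "deny"):
            raise ValueError("mode must be 'allow' or 'deny'")
        self.mode = mode
        self.entries = {normalize_mac(m) for m in entries}

    def add(self, mac: str) -> None:
        self.entries.add(normalize_mac(mac))

    def remove(self, mac: str) -> None:
        self.entries.discard(normalize_mac(mac))

    def permits(self, mac: str) -> bool:
        listed = normalize_mac(mac) in self.entries
        return listed if self.mode == "allow" else not listed


# Constructed association log; the format is an assumption, not any vendor's syslog layout.
LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<ap>\S+) assoc (?P<mac>\S+)$")
SAMPLE_LOG = [
    "2010-12-30 09:12:44 AP-1 assoc 00:40:96:44:aa:bb",   # listed card, during the day
    "2010-12-30 13:05:01 AP-2 assoc 00-40-96-44-AA-CC",   # card not on the allow list
    "2010-12-30 22:41:07 AP-1 assoc 0040.9644.aabb",      # listed card, but at night
    "this line is not an association record",
]


def audit_associations(log_lines, mac_filter: MacFilter, business_hours=(time(8), time(18))):
    """Flag associations the filter would reject, and associations of a permitted address
    outside business hours, when the legitimate notebook is likely off the premises."""
    findings = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        stamp = datetime.strptime(match["ts"], "%Y-%m-%d %H:%M:%S")
        mac = normalize_mac(match["mac"])
        if not mac_filter.permits(mac):
            findings.append((mac, match["ap"], "rejected by MAC filter"))
        elif not business_hours[0] <= stamp.time() < business_hours[1]:
            findings.append((mac, match["ap"], "permitted address associated outside business hours"))
    return findings


if __name__ == "__main__":
    allow = MacFilter("allow", ["00:40:96:44:aa:bb"])
    for finding in audit_associations(SAMPLE_LOG, allow):
        print(*finding)
    deny = MacFilter("deny", ["00:40:96:44:aa:bb"])          # card taken by a departed employee
    print("departed card permitted:", deny.permits("00:40:96:44:AA:BB"))
```

Normalizing the address format first is the part that is easy to get wrong in practice: the same card shows up as colon-, dash- or dot-separated depending on which access point, RADIUS server or driver wrote the entry, and a list that compares raw strings silently lets mismatched entries through or locks legitimate cards out.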


Protocol Filtering

Wireless LANs can filter packets traversing the network based on layer 2-7 protocols. In many cases, manufacturers make protocol filters independently configurable for both the wired segment and wireless segment of the access point.

Imagine a scenario where a wireless workgroup bridge is placed on a remote building in a campus wireless LAN that connects back to the main information technology building's access point. Because all users in the remote building are sharing the 5 Mbps of throughput between these buildings, some amount of control over usage must be implemented. If this link was installed for the express purpose of Internet access for these users, then filtering out every protocol except SMTP, POP3, HTTP, HTTPS, FTP, and any instant messaging protocols would prevent users from accessing internal company file servers, for example. The ability to set protocol filters such as these is very useful in controlling utilization of the shared medium. Figure 10.5 illustrates how protocol filtering works in a wireless LAN.
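The Internet-only policy described in that scenario comes down to reading the protocol number and destination port out of each packet and permitting only the listed services. The following added example (not code from the original article or any access point vendor) parses a raw IPv4 header plus the transport ports and applies exactly that policy to a few constructed packets, including an SMB connection to an internal file server, which is dropped. The port numbers for SMTP, POP3, HTTP, HTTPS and FTP are the standard ones; the instant-messaging port is illustrative, and DNS is added as an assumption because Internet access does not work without it even though the text's list omits it. The IP addresses are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17

# Protocols the text names for an Internet-only link. Standard port numbers; the IM entry
# is illustrative (assumption), and DNS is an addition the text does not state.
INTERNET_ONLY = {
    (PROTO_TCP, 25): "SMTP",
    (PROTO_TCP, 110): "POP3",
    (PROTO_TCP, 80): "HTTP",
    (PROTO_TCP, 443): "HTTPS",
    (PROTO_TCP, 21): "FTP control (passive-mode data connections need a stateful helper)",
    (PROTO_TCP, 5190): "instant messaging (illustrative: AIM/ICQ port)",
    (PROTO_UDP, 53): "DNS (assumption, not in the text's list)",
}


def parse_packet(raw: bytes):
    """Return (protocol, src_ip, dst_ip, dst_port) from an IPv4 packet; dst_port is None
    for protocols without ports (ICMP)."""
    if len(raw) < 20:
        raise ValueError("packet shorter than an IPv4 header")
    version, ihl = raw[0] >> 4, (raw[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    protocol = raw[9]
    src_ip = str(IPv4Address(raw[12:16]))
    dst_ip = str(IPv4Address(raw[16:20]))
    dst_port = None
    if protocol in (PROTO_TCP, PROTO_UDP):
        if len(raw) < ihl + 4:
            raise ValueError("truncated transport header")
        _, dst_port = struct.unpack("!HH", raw[ihl:ihl + 4])
    return protocol, src_ip, dst_ip, dst_port


def filter_decision(raw: bytes, policy=INTERNET_ONLY):
    """'permit' if the (protocol, destination port) pair is in the policy, otherwise 'drop'."""
    protocol, src_ip, dst_ip, dst_port = parse_packet(raw)
    name = policy.get((protocol, dst_port))
    if name:
        return "permit", f"{src_ip} -> {dst_ip} {name}"
    return "drop", f"{src_ip} -> {dst_ip} protocol {protocol} port {dst_port}"


def make_packet(src_ip: str, dst_ip: str, protocol: int, dst_port: int = 0, src_port: int = 40000) -> bytes:
    """Constructed IPv4 packet with a minimal 20-byte transport stub (checksums left zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, protocol, 0,
                         IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    transport = struct.pack("!HH", src_port, dst_port) + bytes(16)
    return header + transport


if __name__ == "__main__":
    samples = [
        make_packet("10.20.0.15", "203.0.113.10", PROTO_TCP, 443),  # web server on the Internet
        make_packet("10.20.0.15", "10.0.0.20", PROTO_TCP, 445),     # SMB to an internal file server
        make_packet("10.20.0.15", "10.0.0.53", PROTO_UDP, 53),      # DNS
        make_packet("10.20.0.15", "10.0.0.9", PROTO_ICMP),          # ping
    ]
    for packet in samples:
        print(*filter_decision(packet))
```

One caveat a protocol filter alone cannot address: it permits HTTP to an internal web server just as readily as to the Internet, since it looks only at the protocol and port. Where the goal is to keep remote-building users off internal servers entirely, pair the protocol filter with address-based rules on the same access point or bridge.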