802.11 Wireless Security

Contact: [email protected]

http://securityportal.com/closet/closet20010207.html

802.11 Wireless Security
By Kurt Seifried ([email protected]) for SecurityPortal


--------------------------------------------------------------------------------

February 07, 2001 - Wireless networks are becoming de rigueur, something you
must have if you want to keep up with the Joneses. You can now surf the Web
and pick up email while sitting in an airplane lounge, have your laptop in a
conference room with no unsightly cables, or read email while in bed. The
cost of these networks has plummeted. Base stations like the Apple AirPort
can be had for $300, and the cards are around $100 (both support 11
megabit/sec operation).

However, like all network technologies, they both solve problems (like where
to run cable) and create a lot of new ones (like how to communicate
securely). Unfortunately, most sites seem to have implemented 802.11
wireless networks without much (if any) thought for security.


A Wild Wireless World
The first problem is controlling access to your network. With Ethernet and
related (cable-based) technologies, your site was usually physically secure,
which helped prevent people from plugging their laptops, etc. into your
network. Even if someone did manage to plug into your network, they still had
to actively discover who else was attached. While this wasn't impossible,
its difficulty improved the chances of you noticing an attacker (since they
couldn't use completely passive techniques).

With a wireless network, unless your building is externally shielded or has
a large open area around it, an attacker will be able to gain "physical"
access to the network just by bringing his laptop into proximity with your
network (up to several hundred feet). An attacker can also use entirely
passive methods to monitor network traffic. All they need, again, is a
laptop with a wireless card and slightly modified software that grabs all the
wireless data instead of ignoring any traffic not destined for their
computer.

Another largely unremarked problem is that of wandering wireless users. They
are likely to leave their wireless card in and operating, meaning an
attacker can set up a rogue wireless network to which the users attach
themselves. If the users then send any unencrypted data, or have open file
shares, for example, they potentially open themselves up for an attack.

Attackers can also set themselves up as servers on otherwise legitimate
networks, and by running a rogue DHCP server redirect all traffic through
their machine or mount other attacks. Users will open themselves up to
monitoring of how much data they transfer, what kinds of data, when they
transfer it, and so on. If your network is not properly secured, people will
use it as a free ISP and likely commit illegal acts over the Internet access
it gives them.


WEP Will Encrypt Everything
This is going to be the biggest problem with wireless networking. Once it is
up and running, people will be quite pleased with themselves and not likely
to spend real time or effort securing it. Since this form of networking is
new and not very well understood (not that much of networking is well
understood), administrators are likely to think, "well, it has 128-bit WEP
encryption, so we're secure." Unfortunately, it is very easy to set up a
network (wireless or otherwise) in such a manner that it works and data
moves happily between systems, yet remains insecure.

You can configure a wireless network to broadcast its name, or not. It's
probably wise not to broadcast, so that people are less likely to
accidentally discover it. You can configure most wireless access points to
allow only certain MAC addresses (like Ethernet, 802.11 uses MAC addresses).
As with Ethernet, MAC addresses can be spoofed, but restricting them will
keep out casual explorers. WEP is sadly rather weak. At least one paper on
it is not too encouraging. To quote from "Security of the WEP algorithm":

We have discovered a number of flaws in the WEP algorithm, which seriously
undermine the security claims of the system. In particular, we found the
following types of attacks:

Passive attacks to decrypt traffic based on statistical analysis.

Active attack to inject new traffic from unauthorized mobile stations, based
on known plaintext.

Active attacks to decrypt traffic, based on tricking the access point.

Dictionary-building attack that, after analysis of about a day's worth of
traffic, allows real-time automated decryption of all traffic.

Our analysis suggests that all of these attacks are practical to mount using
only inexpensive off-the-shelf equipment. We recommend that anyone using an
802.11 wireless network not rely on WEP for security, and employ other
security measures to protect their wireless network.

They go on in some detail and come to the conclusion:

Wired Equivalent Privacy (WEP) isn't. The protocol's problems are a result of
misunderstanding of some cryptographic primitives and therefore combining
them in insecure ways. These attacks point to the importance of inviting
public review from people with expertise in cryptographic protocol design;
had this been done, the problems stated here would have surely been avoided.

Of the three authors of this report I have met two, one of whom did most of
the work on Freedom (freedom.net). While it is not yet possible to download
a software package that will let you break into wireless networks at will,
it is only a matter of time before something like this is released. And of
course, such tools exist in private hands already.


So How Do I Secure It?
I'm glad you asked. (Well, not really; I'd be able to finish this article
early if you hadn't.) It's quite obvious at this point that traditional
methods are out. Controlling physical access to the wireless network is
inadequate unless you shield your building or have a large (empty) buffer
zone surrounding it. Depending on WEP to authenticate users and control
access is probably a lost cause in the long term. While it will keep out
casual attackers, anyone that actively targets you will probably get their
hands on the tools needed to break WEP.

At this point we are stuck with an Ethernet network that essentially uses
hubs to move traffic around. While hub-based networks are exceedingly prone
to security problems, they can be secured.

The best solution is probably to require the use of IPSec for all hosts on
the wireless network. While this will incur a performance penalty, it will
solve problems of impersonating users, monitoring user data, and so on.
Various IPSec implementations support the use of certificates and other
forms of strong authentication. Windows 2000 sports a combination of
(integrated) Kerberos, IPSec and Microsoft authentication methods along with
policy support (i.e., traffic to foo must be encrypted, but not to bar).
With almost universal support for IPSec, and the generally low speeds of
802.11 (maximum 11 megabits, probably shared with others), this plan
shouldn't be too difficult to implement or sell to management.

Beyond this, you should place a firewall between the wireless network and
the rest of your network. Unless a user authenticates properly, they should
be contained to the wireless network, where they can do less damage. A
system similar to this is used by the University of Alberta for its public
Ethernet networks, as described in a paper by Bob Beck. Essentially, users
authenticate to a server via Kerberos, which is resistant to passive
monitoring and active attacks, after which the firewall allows connections
from that IP address for a while (closing it down after a period of
inactivity). However, this still allows the attacker access to others on the
wireless network, so end security on user machines is still important.
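As an added illustration (not code from this article or from Beck's paper), here is a small Python model of the authenticating gateway just described: the Kerberos exchange is abstracted to an `authenticated` flag supplied by the caller, the 15-minute idle timeout is an assumed value, and the pf-style rule text is illustrative rather than a real ruleset.

```python
import ipaddress

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session closes (assumed value)


class AuthGateway:
    """Per-IP allow-list for the firewall between the wireless LAN and the wired LAN."""

    def __init__(self):
        self.sessions = {}  # client IP -> (Kerberos principal, last activity time)

    def login(self, ip, principal, now, authenticated):
        """Open the firewall for `ip` only after the caller's Kerberos exchange succeeded.

        `authenticated` stands in for the Kerberos step, which the article does not detail.
        """
        if not authenticated:
            return False
        ipaddress.ip_address(ip)  # raises ValueError before a malformed string reaches a rule
        self.sessions[ip] = (principal, now)
        return True

    def allowed(self, ip, now):
        """Per-packet check: pass traffic from a live session and refresh its idle timer."""
        session = self.sessions.get(ip)
        if session is None:
            return False
        principal, last_seen = session
        if now - last_seen > IDLE_TIMEOUT:
            del self.sessions[ip]  # closed down after a period of inactivity
            return False
        self.sessions[ip] = (principal, now)
        return True

    def expire(self, now):
        """Periodic sweep so an idle client's address is not left open for the next user of it."""
        stale = [ip for ip, (_, seen) in self.sessions.items() if now - seen > IDLE_TIMEOUT]
        for ip in stale:
            del self.sessions[ip]
        return stale

    def filter_rules(self, iface="wi0"):
        """Render the allow-list as pf-style rules (illustrative syntax, not a real ruleset)."""
        rules = [f"pass in quick on {iface} from {ip} to any" for ip in sorted(self.sessions)]
        rules.append(f"block in on {iface} all")
        return rules
```

Note that the allow-list is keyed on the wireless client's IP address only, which is exactly why the article goes on to say that other hosts on the wireless segment remain reachable and end-system security still matters.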

Wireless networks are inevitable. 802.11, Bluetooth, and others are coming.
They all in general have poor security models and flawed implementations.
Relying on their built-in security is not a good long-term choice. Relying
on wireless features such as frequency hopping and spread spectrum radio is
also not ideal, as the same consumer equipment can usually be used to
monitor it.

Sad to say, you will likely need to "roll your own" security solution.
Even if this is done correctly, an attacker will still be able to attack
other wireless users. Any user with a wireless machine should probably be
forced to meet a baseline set of security requirements: having a firewall
installed, disabling unneeded services, etc. Hopefully the next major
wireless network protocol will be done correctly.



--------------------------------------------------------------------------------

Related Links
Apple AirPort
http://www.apple.com/airport/

Security of the WEP algorithm
http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

Apple AirPort base stations can be upgraded to 128-bit RC4
http://www.msrl.com/airport-gold/

AirPort configuration tools
http://edge.mcs.drexel.edu/GICL/people/sevy/airport/

KarlNet Configurator
http://www.karlbridge.com/download/configsetup.exe

Dealing with Public Ethernet Jacks - Switches, Gateways, and Authentication
http://www.ualberta.ca/~beck/lisa99.html

Wireless Network Security
http://www.securityportal.com/research/research.wirelessnetwork.html

Wireless Security (by my boss Jim Reavis)
http://www.nwfusion.com/newsletters/sec/1220sec1.html

Hackers poised to land at wireless AirPort
http://www.zdnet.com/zdnn/stories/news/0,4586,2681947,00.html?chkpt=zdhpnews01