What are the benefits of wireless networking? Wireless networks offer you mobility, allowing you to physically move about while maintaining a connection to the network. There is also a cost saving when compared with the traditional installation of a wired network.
Introducing a wireless network will introduce risks to your home or enterprise environment if you do not take essential steps to secure it.
We will focus on the 802.11i standard and the components that make up the standard. The elements of confidentiality, integrity and availability (CIA) must be considered when implementing a wireless network. After all this is potentially confidential data floating around in the air.
The 802.11i standard strives to ensure that we achieve the goals of the CIA triangle:
- Confidentiality is compromised if data is able to be read whilst it traverses the wireless network, for example unauthorized users can see other users' emails and documents as they whiz around the network - simply by sniffing/listening to the traffic.
- Integrity is at risk if the attacker can manipulate (change the contents of) the data.
- Availability can be a hard issue to protect against. A simple jammer or physical attack of the wireless access point (AP) can bring down a wireless network.
Before going on any further, though, let's have a look at the wireless standards. The IEEE 802.11 (Institute of Electrical and Electronic Engineers) is a family of standards for wireless security:
- 802.11a is a different standard for wireless LANs operating in the 5GHz radio spectrum with a 54Mbps maximum data rate.
- 802.11b is a standard for wireless LANs operating in the 2.4GHz radio spectrum with an 11Mbps maximum data rate.
- 802.11g is for WLANs operating in the 2.4GHz radio spectrum with a 54Mbps maximum data rate and is backward compatible with 802.11b.
At home or in the office, whenever you communicate over the internet using a wireless network, you should ensure that your communication is protected.
If not you run a great risk that others can intercept your communications and piggyback your internet connection to gain free internet connectivity.
Much worse, people might use your computer for storage and distribution of illegal content or use your connection for committing crimes that could be traced back to you.
Historically a variety of wireless vulnerabilities existed that could have been prevented by following some very simple security procedures to protect the wireless network.
These included not broadcasting the network name or SSID (thus creating a 'closed' wireless LAN), MAC, protocol and port filtering, enabling Wired Equivalent Privacy (WEP), which help to stop casual roaming of your wireless network to turning off the Dynamic Host Configuration Protocol (DHCP) and making use of static IP addresses.
WEP was originally designed to provide a level of security equivalent to that of a wired network. Its main purpose was the protection of the confidentiality and integrity of the wireless traffic. This is moving us closer to our CIA goal.
However WEP used a weak implementation of the RC4 streaming cipher. WEP had limited key generation space and used static keys.
This meant that from an attacker's point of view WEP was highly susceptible to a variety of attacks. An attacker could quickly recover a WEP key (ie break the encryption) using tools such as Airsnort and WEPCrack, decrypting data flowing over wireless networks and spoofing their identity (as only Access Point or AP authentication is possible).
WEP's failure is that it encrypts traffic using a single key used for encryption and authentication that is shared amongst the user base. This therefore means that if the keys become known to unauthorized users, the entire network is compromised.
If an attacker can figure out the key, then because everyone is using the same password (key) to decrypt the messages on the network, the attacker can do the same, providing access to all the data travelling back and forth on the network.
Further, the attacker can communicate on the network and can thus launch more insidious attacks, such as a 'man in the middle' (MITM) attack or breaking into sensitive servers. From an administrator's point of view, key management was typically a manual process, so quite difficult to manage.
Some will say that weak encryption is better than no encryption at all. It did at least keep the opportunistic vandals out, if not the determined thieves.
802.11i to the rescue
The IEEE and the Wi-Fi Alliance realized that they needed to look at WEP's deficiencies and come up with a new standard. They began to look at what was called the 802.11i standard, which would be an addendum to the existing 802.11 wireless standard.
Ratifying a standard does take time, so the Wi-Fi Alliance adopted an interim standard for wireless security called Wi-Fi Protected Access (WPA). This would fill the void until the 802.11i draft was completed.
WPA was supported by a large number of vendors. Implementing WPA generally requires a simple firmware upgrade to most WEP-enabled devices.
So what does WPA consist of? Basically it comprises of three main components: Temporal Key Integrity Protocol (TKIP), Message Integrity Code (MIC) and 802.1X. Each of these components was designed to overcome the weaknesses of our much-loved WEP.
TKIP is a direct replacement for WEP. TKIP, like WEP, uses the RC4 cipher but in a much more secure way. The keys are automatically changed after a specified number of packets. This makes it harder for the attacker to decrypt the traffic.
With 802.1X any client wishing to initiate a network session must first authenticate itself to an authentication server before being allowed to connect to the network. Typically this is a Remote Access Dial-Up User Service (RADIUS) server.
802.1X uses one of several authentication protocols known as Extensible Authentication Protocol (EAP). Basically EAP is responsible for establishing how the authentication process should be carried out. The most popular implementations of EAP include LEAP, PEAP and TTLS.
MIC protects the data integrity by detecting any kind of intentional packet modification.
WPA provides much stronger data protection than WEP by using encryption as well as strong access controls and user authentication.
WPA maintains compatibility with existing 802.11 hardware, thus upgrading to WPA from WEP can generally be carried out via software updates and not hardware replacements.
Here comes the bad news again. A weakness has already been found with WPA. If the pre-shared key is configured with a weak pass phrase, then an attacker has the capability using a tool like coWPAtty to capture authentication messages and then make an offline recovery of the pass phrase. Complex and long pass phrases will therefore reduce the chances of this happening and are strongly recommended if using WPA.
Today we have the final IEEE 802.11i amendment to the 802.11 standard, the second generation of WPA security or WPA2. This basically provides enterprise and home users with a higher level of assurance that only authorized users can access their wireless networks.
802.11i or WPA2 is virtually identical to WPA. In fact it includes all of the WPA capabilities. However 802.11i now uses the Advanced Encryption Standard (AES) to encrypt data. As we know, WPA still made use of the RC4 streaming cipher, leaving it susceptible to attack.
This is a great move forward for wireless networking. However the initial downside of using AES encryption is that it requires much more processing power and may not be supported on older hardware. In enterprise environments suitably sized budgets should be allocated to take this into consideration.
We have looked at some of the early measures that have been available to wireless users in helping them to secure their networks and what is available to them now with 802.11i.
Wireless users are encouraged to use or upgrade to the 802.11i security standard. This provides many more security improvements and avoids almost all of the vulnerabilities from the previous standards.
Using a defence-in-depth approach should also be considered, following the same approach that has been undertaken with security on our wired networks.
For further information on wireless security please visit www.wi-fi.org.
Stuart Compton instructs on the Wi-Fi Security: Hands-On training course at 7Safe Information Security where he is a senior information security consultant. See www.7safe.com.