Wireless Security Technologies


Although wireless networking makes it easy to set up networked communications and gives users mobility, it comes with security risks. Malicious hackers can easily detect wireless networks and gain access to your corporate network. Although a few methods are in place to enhance security, most are weak and easily broken. Therefore, you should keep your wireless network separate from your critical network and only use it for nonsensitive transmissions, such as Internet access.

Service Set Identifiers (SSIDs)

Wireless networks identify themselves through the use of Service Set Identifiers (SSIDs). SSIDs are like shared passwords used between client machines and APs. When performing a penetration test, you should be on the lookout for the following:

  • Blank SSID

  • "any" SSID/Broadcast SSID

  • Default SSID

Two of the most common mistakes that administrators make are broadcasting the SSID and leaving the default SSID in place.

Broadcasting your SSID means that your AP periodically broadcasts its SSID to clients who are listening. You should disable SSID broadcasts and force clients to manually enter the SSID to gain access to the network.

Default SSIDs are another mistake commonly seen. Here, wireless administrators fail to change the SSID from the factory default. For example, Linksys wireless routers use the default SSID of Linksys and are configured with the IP address of 192.168.1.1. If you see the Linksys SSID on a wireless network, you can most likely find the AP at the 192.168.1.1 IP address.

Simply changing the SSID and turning off the broadcasting option is not enough to secure your wireless network. Active scanning tools such as NetStumbler can detect SSIDs even if you take these security measures. Nevertheless, you should change the SSID from the default and disable broadcasting to provide some security protection, however minor, to your wireless network.
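The two SSID checks above (broadcast SSID and default SSID) can be run against captured beacon frames. The following audit sketch is an added example, not code from the book; the beacon bodies are constructed samples, the helper names are hypothetical, and the default-SSID list contains only the Linksys default named in the text.

```python
import struct

DEFAULT_SSIDS = {"linksys"}   # only the default named in the text; extend as needed
FIXED_LEN = 12                # timestamp (8) + beacon interval (2) + capability (2)

def make_beacon_body(ssid: bytes) -> bytes:
    """Build a constructed beacon body: fixed fields, SSID element, rates element."""
    fixed = struct.pack("<QHH", 0, 100, 0x0401)
    rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # element ID 1, four rates
    return fixed + bytes([0, len(ssid)]) + ssid + rates

def beacon_ssid(body: bytes):
    """Return the raw SSID element (ID 0) from a beacon body, or None if absent."""
    pos = FIXED_LEN
    while pos + 2 <= len(body):
        elem_id, length = body[pos], body[pos + 1]
        value = body[pos + 2 : pos + 2 + length]
        if len(value) < length:
            return None                      # truncated element
        if elem_id == 0:
            return value
        pos += 2 + length
    return None

def audit_beacon(body: bytes) -> list:
    """List the SSID findings from this section that apply to one beacon."""
    ssid = beacon_ssid(body)
    if ssid is None:
        return ["malformed beacon"]
    if len(ssid) == 0 or not any(ssid):
        return []                            # SSID suppressed in beacons
    findings = ["broadcasts SSID"]
    if ssid.decode("utf-8", "replace").lower() in DEFAULT_SSIDS:
        findings.append("default SSID")
    return findings

if __name__ == "__main__":
    for name in (b"linksys", b"CorpWLAN", b"", b"\x00" * 8):
        print(repr(name), audit_beacon(make_beacon_body(name)))
```

An empty findings list only means the beacon hides the SSID; as the text notes, that alone does not secure the network.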

Wired Equivalent Privacy (WEP)

When IEEE established the wireless 802.11 standards, it did not forget about security. Included in the 802.11b standard is Wired Equivalent Privacy (WEP). WEP uses a secret key that is shared between a client and an AP. This secret key is used with the RC4 algorithm to encrypt all communication between clients and the APs.

WEP can operate with 40-bit encryption (64-bit WEP) or 104-bit encryption (128-bit WEP). The stronger the encryption, the more secure your network. This comes at the cost of speed, however.

The problem with WEP is its short initialization vector (IV) value, which makes it easy to crack. The IV makes up the first 24 bits of the WEP key. Many implementations start with an IV value of zero (0) and increment it by one for each packet sent. 24 bits equates to 16,777,216 values, so after 16 million packets are sent, the IV returns to a value of 0. This predictable behavior of the first 24 bits of the WEP key makes cracking the IV, and subsequently cracking the WEP key, easy.
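The consequence of the IV wraparound described above can be shown in a few lines: once the counter wraps, two packets are encrypted with the same RC4 keystream, so the XOR of their ciphertexts equals the XOR of their plaintexts. This is an added example, not code from the book; it uses simplified WEP framing (RC4 keyed with IV followed by the secret, without the CRC-32 integrity value), and the key and payloads are constructed.

```python
IV_SPACE = 2 ** 24   # 24-bit IV: 16,777,216 values

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n bytes of the RC4 keystream for key."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(counter: int, secret: bytes, plaintext: bytes):
    """Encrypt one packet with a sequential IV counter that wraps at 2**24."""
    iv = (counter % IV_SPACE).to_bytes(3, "big")
    return iv, xor(plaintext, rc4_keystream(iv + secret, len(plaintext)))

def seconds_to_wrap(packets_per_second: float) -> float:
    """Time until a sequential IV counter starting at 0 repeats."""
    return IV_SPACE / packets_per_second

SECRET = bytes.fromhex("0102030405")           # constructed 40-bit key
P1 = b"GET /index.html "                       # constructed payloads
P2 = b"user=alice&id=42"

def reuse_demo():
    """Return (same IV?, ciphertext XOR equals plaintext XOR?) after a wrap."""
    iv_a, c_a = wep_encrypt(0, SECRET, P1)
    iv_b, c_b = wep_encrypt(IV_SPACE, SECRET, P2)   # first packet after the wrap
    return iv_a == iv_b, xor(c_a, c_b) == xor(P1, P2)

if __name__ == "__main__":
    print(reuse_demo(), round(seconds_to_wrap(1000) / 3600, 2), "hours at 1000 pkt/s")
```

The key never appears in the comparison, which is why a static key combined with a small, predictable IV space leaks information about traffic regardless of key length.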

Also, many environments do not change their WEP keys on a regular basis, making it easier for malicious hackers to maintain access.

You can easily crack WEP keys using tools such as WEPCrack and AirSnort, discussed later in this chapter.

MAC Filtering

In small networks, wireless administrators might restrict access to specific MAC addresses. The administrator can configure a filter on the AP to allow only certain MAC addresses to use a wireless network.

Although such filtering might provide a mild deterrent to malicious hackers, this security measure is easily circumvented by spoofing MAC addresses. Using a packet sniffer such as Kismet (discussed later in this chapter), a malicious hacker can determine the MAC addresses used on a network. By spoofing a MAC address, he can gain access to the wireless network.

802.1x Port Security

Because it is so easy to spoof a MAC address, IEEE devised another solution to provide added security through network admission control. Although you can use 802.1x on many different types of networks, it has become popular in wireless environments. The IEEE 802.1x port access control standard operates like a bouncer for your AP, deciding who gets access into your network.

802.1x uses the Extensible Authentication Protocol over Wireless (EAPOW) as a mechanism for message exchange between a RADIUS server and a client. Before a client can access a wireless network, it must authenticate through a RADIUS server. Authentication options include everything from a simple username and password to more secure options such as a digital signature.

Although 802.1x addresses authenticity concerns for your network, there is a new version of 802.1x, called 802.1aa, that also addresses confidentiality and integrity. 802.1aa provides a four-way handshake to secure WEP key exchange. This allows for the use of per-session keys instead of static keys used by all clients. The key exchange mechanism also makes man-in-the-middle (MITM) attacks more difficult. 802.1x is enough to deter most malicious hackers, but for the strongest security, look at IP security (IPSec).

IPSec

Probably the best option for securing your wireless network is IPSec. IPSec provides data integrity through hashing algorithms such as MD5 and SHA1, and data confidentiality through encryption algorithms such as DES and 3DES. Both the clients and the APs need to be configured for IPSec. IPSec might slow down your wireless network, but it remains the best option for securing a wireless environment.

Note

A new form of wireless, called Type-1 wireless, is emerging to provide strong security. Type-1 wireless is a National Security Agency (NSA) certified standard using Type 1 encryption. At the time of this writing, Type-1 is only available for the U.S. military, although plans are in the works by Harris Corporation to provide a modified form of this technology for use by the public sector.




    Penetration Testing and Network Defense
    ISBN: 1587052083
    EAN: 2147483647
    Year: 2005
    Pages: 209
