Wireless Security


When 802.11b wireless networks were first introduced, proponents maintained that their products were secure because the Wired Equivalent Privacy (WEP) security mechanism included in the IEEE 802.11b specification would keep intruders from intercepting and decoding wireless communications. In addition to preventing eavesdropping on your wireless network, WEP was supposed to keep intruders from joining your wireless network. Unfortunately, the original version of WEP used a shared 40-bit encryption key, making it very easy for knowledgeable hackers to break. It is important to point out that the Wireless Ethernet Compatibility Alliance (WECA), now called the Wi-Fi Alliance, has stated that WEP was never meant to be a single solution for securing a wireless network. Instead, other technologies, such as VPNs (see Chapter 46, "Virtual Private Networks [VPNs] and Tunneling"), as well as other mechanisms (such as secure authentication) typically found on a wired network, were meant to fill this gap.

WEP

Because the first version of WEP used a simple 40-bit encryption key using the RC4 encryption algorithm, and the same key is used on both the Access Point (AP) and the wireless client, it is a simple matter to break this security. Although most current wireless network hardware supports longer 64-bit and 128-bit WEP encryption codes (and some hardware offers 256-bit encryption if all of your hardware is from the same vendor and supports this level of encryption), WEP is still very easy to crack. You can use several utilities on the Internet to determine whether WEP is protecting your network adequately.

Caution

One of the most important reasons you need to take extra steps to secure a wireless network as compared to a wired one is that in a wired network you can physically secure the computers, the network cabling, and even a connection to a WAN (such as the Internet) by using a firewall. Wireless networks, on the other hand, do not offer a physical barrier. Instead, the distance that your wireless network can cover usually includes a range that is accessible outside your building(s). And because the signal cannot easily be controlled using the same physical methods you use for a wired network, interception of transmissions, much less intrusions into your network, becomes a simple matter when relying solely on WEP. WEP was part of the original 802.11 specification, developed in 1997. Much time has passed since thenenough time to break the encryption using simple techniques available today.


You can visit the following websites to gain access to software that can be used by both you and hackers to determine whether your network is secure:

  • WEPCrack This open-source tool is available to everyone, so you might as well use it yourself to determine whether your network is secure. For more information, see http://wepcrack.sourceforge.net.

  • AirSnort This tool simply listens, and saves, 5 to 10 million packets from a wireless network (and that is really not a large number of packets if you have more than just a few clients). When the program determines that enough packets have been intercepted, it can take a second or two to decrypt the shared encryption key. Originally, AirSnort ran only on Linux platforms, but the vendor has now provided instructions for creating a Windows 2000/XP-compatible version. For more information, see http://airsnort.shmoo.com.

At this time it is not illegal to use devices to listen to wireless network transmissions, and it's certainly debatable as to whether it should be. Yet, because these tools are available to everyone, you should probably use them to see whether your network is as secure as you think it is. This is not meant to encourage hackers to use these tools; the tools previously listed are meant for you to use them so at least both sides can have access to the same intrusion applications.

This goes along with the benefits touted by the open-source community. Although the source code and applications are available to everyone (a glass house, so to speak), they enable hackers to search for vulnerabilities, and they also enable users to create solutions to prevent these attacks. This is an argument that is often used to compare proprietary operating systems and applications and open-source ones. I guess it all depends on your perspective. If you want to use proprietary applications, you have to depend on your vendor to fix security problems. If you use open-source applications, there are many programmers worldwide who can develop a solution.

Whom do you trust? This is a difficult decision to make. But, at the very least, you should have access to the same programs that hackers use to determine whether your network is vulnerable, whether or not you use other open-source applications. And if you search the Internet, you will find many other programs used by hackers in addition to those listed previously. A good search, on a regular basis, is recommended by this author.

Eventually WEP was implemented with a stronger 128-bit key, but even that could be easily detected and broken. Although the strongest WEP encryption available is now 256-bit, it can still be compromised by hacking tools such as those mentioned earlier in this section, and is supported only by some wireless Ethernet vendors, including Cisco, Proxim, D-Link and US Robotics. However, other consumer-grade vendors such as Linksys, NETGEAR, Belkin, and other familiar faces at electronics superstores are limited to 128-bit WEP encryption. If you cannot upgrade to wireless devices that support WPA or WPA2 encryption, there are several steps you should take to protect a WEP-based wireless network.

You should separate a wireless network from the wired network using a firewall (see Chapter 45, "Firewalls"). At least this assists in keeping intruders from accessing the entire corporate network, though the wireless portion is still vulnerable. And you should incorporate techniques such as VPNs, as suggested by the Wi-Fi Alliance, to further enhance security on the wireless portions of the network.

Many consumers who purchase inexpensive devices for home networks might think that the SSID (service set identifier) that you enter when installing the network card and Access Point provide security for the wireless network, but this is not the case. Instead, the SSID is simply used to separate wireless networks. The SSID is easily discovered, especially if you do not choose to use additional security mechanisms. The SSID is not a security mechanism! It is simply a method used to associate wireless devices with an AP. If you don't broadcast the SSID, it's harder for a casual snooper to borrow your bandwidth, but it doesn't stop a determined hacker from finding your network. Without using some form of encryption, the SSID is easily discovered by broadcast messages from the AP. When discovered by an eavesdropper, all that is necessary for the intruder is to reset his wireless adapter to use the same SSID, and then join your network. It is useful to change the SSID from the manufacturer's default to make it more difficult for hackers to determine what brand of wireless Access Point you use, but this step alone is not adequate security.

A good website to visit if you are interested in the latest developments in wireless security is www.netstumbler.com. Here you'll find various articles about wireless security, as well as downloads that can help you enhance your current wireless device and check out security lapses.

Tip

If your network includes 802.11b or very early pre-802.11gcompatible hardware that cannot be upgraded to the final 802.11g standard, the strongest encryption possible for your network might be 128-bit WEP encryption. If your SOHO network contains very sensitive information, consider other techniques as mentioned in the main text of this chapter. If you use a broadband connection only to access the Internet, all you really need to worry about is having neighbors intrude on your wireless network and use your broadband connection. This type of invasion has received much attention in the press lately. Yet, because it is typical that a home user does not store sensitive information on a computer (unless using a credit card online), and because most users do not continuously use the entire bandwidth provided by broadband services, you probably won't notice much difference in performance. However, if you work from home or access your home computer remotely, you should use the most secure settings possible to protect your SOHO network. Keep in mind that Windows XP, unlike Windows 9x, does not permit you to use different passwords on different shared folders. To protect yourself, use only the default Shared folder if you need to have a shared folder at all, and keep sensitive information out of it.


Fortunately, WEP is no longer the only security option you have on a wireless network, especially if your network is based on 802.11g or its many proprietary enhancements.

Tip

There is one situation in which you might want to ensure that your wireless network is secure in a home network. Because the distances of the current technologies can range from about 100 to 300 meters, it's quite possible for someone in the house next door to use your wireless Access Point and tap into your broadband Internet connection. If you don't want to have neighbors sharing your bandwidth, you must use whatever security measures your particular technology provides. This should also be a factor when choosing hardware devices.


Wired Protected Access (WPA), WPA2, and 802.11i

In response to the vulnerability and criticism of WEP, the Wi-Fi Alliance created the Wi-Fi Protected Access (WPA) standard in 2003. WPA was designed to be an interim security solution until the completion of the IEEE 802.11i security standard, and its features are a blend of features originally developed for WEP and those being developed for 802.11i.

Like WEP, WPA uses RC4 encryption for its keys, but unlike WEP, WPA modifies the original key for greater security and supports an optional authentication server. WPA is the minimum recommended security standard for network hardware that supports it, such as 802.11g hardware that supports the full 802.11g standard, and most recent 802.11a hardware. Although some vendors of 802.11b hardware have provided upgrades to support WPA, most 802.11b hardware is not compatible with WPA security.

Caution

If your wireless network has a mixture of WEP-compatible and WEP/WPA-compatible hardware, you must use the weaker WEP security standard for all devices. Because WEP-only devices are primarily limited to the 11Mbps 802.11b standard, upgrading to 802.11g hardware, which supports WPA, WPA2 and WEP, improves network security as well as speed.


One of the main complaints about WEP, besides its limited-length keys, is the fact that the same key is used by both sides of the transmission, and the key does not change during a session. These factors make it easy to examine network traffic on a wireless network and eventually crack the encryption key.

WPA solves two problems associated with the earlier WEP security mechanisms. First, it uses encrypted techniques for authentication that should assist in preventing unauthorized clients from becoming part of the wireless network. Second, it uses a constantly changing key instead of the single shared key used for encryption by WEP. By changing in the encryption key at frequent intervals, WPA can be much more difficult to crack. The constant changing of encryption keys is known as the Temporal Key Integrity Protocol (TKIP). This key-changing method makes it very difficult for intruders to decipher keys used by your wireless network, especially when compared to the static keys known by both sides of the communications link used by the simple WEP standards.

WPA also includes an integrity check that is basically a check sum based on the network packet that can detect whether a packet is originating from a valid network user or an intruder who is attempting to crack the key used by your network. Thus, if an unauthorized user uses the standard techniques to attempt to determine a fixed key, you can detect these intrusion attempts and then deal with them.

Overcoming Potential Vulnerabilities in WPA

The version of WPA used in SOHO and small-business networks that lack an authentication server is known as WPA-Personal. The encryption key is known as a Pre-Shared Key (PSK); the PSK must be provided by a network client before it can log into a WPA-based wireless network. The original PSK is encrypted using the TKIP process, which changes the key repeatedly during a connection to help keep the connection secure. WPA-Personal is also known as WPA-PSK (see Figure 23.2, later in this section).

Although WPA is a stronger encryption standard than WEP, several potential weaknesses exist in the way users can configure WPA. These include

  • Encryption keys that are too short The longer the encryption key, the more secure the network is. Network experts recommend an encryption key of at least 20 characters. The Wireless Network Setup Wizard that Microsoft includes in Windows XP Service Pack 2 creates a 63-character WPA key.

  • Plain-text encryption keys A key such as The quick brown fox jumps over the is certainly longer than the 20-character minimum recommended, but because it is comprised of recognizable words, it is relatively easy to crack. Instead, use mixed, random alphanumeric keys. For example, a key such as 2F1ACB67EF90O F77A would be much harder to crack because there are no recognizable words or alphanumeric patterns in it.

To see for yourself the threat that short, plain-text encryption keys pose to your WPA-based wireless network, you can download the WPA Cracker utility from tinyPEAP (www.tinypeap.com). The network packets WPA Cracker needs for analysis can be gathered with the Ethereal open-source network protocol analyzer available from www.ethereal.com. As suggested earlier in this chapter, you should use WPA Cracker and similar tools to analyze your current WPA-based network configuration for vulnerabilities.

For larger, corporate networks, a more powerful version of WPA known as WPA-Enterprise can be used. WPA-Enterprise (also known as WPA-RADIUS) differs from WPA-Personal in these ways:

  • A RADIUS or AAA server is used to authenticate individual users.

  • Authentication uses the IEEE 802.1X standard developed in 2001.

  • WPA supports the Extensible Authentication Protocol (EAP).

Regardless of the version of WPA you might select, your APs and network clients must be configured to use the same settings to make a connection possible, just as with the older WEP security standard.

Figure 23.1 shows a typical router being configured to use WPA encryption, and Figure 23.2 shows a matching configuration for a network client running Windows XP.

Figure 23.1. This router is configured to use WPA-Personal encryption.


Figure 23.2. Configuring a Windows XP client to use WPA-Personal encryption.


Moving to WPA2 (IEEE 802.11i)

Although WPA, particularly in its WPA-Enterprise version, is much more secure than WEP, it is not as secure as it could be. As mentioned previously in this chapter, WPA was designed as an interim solution until the ratification of the IEEE 802.11i standard could take place. IEEE 802.11i was ratified in 2004, and the first products became available in the fall of 2004. IEEE 802.11i-compatible products are known as WPA2-compatible. WPA2 differs from WPA in the use of a stronger encryption algorithm. Although WEP and WPA used RC4 encryption, WPA2 uses the stronger AES encryption algorithm.

To upgrade existing WPA-compatible wireless network hardware to use WPA2/802.11i security, you might need to perform one or more of the following operations:

  • Download and install updated client device drivers Some client adapters might not support WPA2 security because WPA2 security requires more intensive computation than WPA.

  • Download and install updated router and AP firmware Some wireless routes or APs might not support WPA2 security because WPA2 security requires more intensive computation than WPA.

Some vendors don't explicitly state that their products support WPA2. Instead, they might list the security features the adapters support. Table 23.1 cross-references security features to WPA/WPA2 security standards supported.

Table 23.1. Wireless Security Features/Security Standards Cross-Reference

Security Feature

Equivalent Wi-Fi Security Standard

WEP

WEP

TKIP

WPA-Personal

802.1x

WPA-Enterprise

AES

WPA2 (Personal/Enterprise)


How Well Do You Know Your Users?

One of the main concerns of network administrators in the 1980s was that any person in the company network could easily install a modem in her computer and connect to computers outside the network. For digital telephone systems, this was not a problem. But for small businesses using an analog telephone system, this could present a major security headache.

The equivalent today is known as rogue Access Points, and these are difficult to detect with modern network analysis tools. Because APs are so inexpensive, what can you do to stop a user, or a department in your company, from installing an AP and enabling wireless access? In large corporate environments where it can be a complicated process, what is to stop a user from simply connecting an AP to her own network connection, and thus enabling a larger number of computers to connect to the network? Because APs generally use DHCP to assign addresses to clients, and use the single valid address on your network to exchange data for these clients, just how secure is your network?

This is yet another reason to use wireless detection programs on a regular basis, even if you do not authorize wireless networking, to determine whether some user has enabled this access on your wired network.

In Chapter 42, "Basic Security Measures Every Network Administrator Needs to Know," the importance of establishing corporate security policies and procedures is discussed. If you ensure that each employee, contractor, and vendor signs off on these policies (which should include policies on wireless access), you at least have grounds to dismiss those who violate the procedures and possibly to pursue legal action. There's not much you can do about rogue users, and this problem is more common than many administrators think. If a user is stymied by corporate procedures and paperwork, it is not a difficult thing to justify implementing a solution on his own. Again, because these types of security breaches can easily occur, especially in a large network, you should use wireless sniffing programs to determine whether users are bypassing your policies and procedures that are employed in your network.

Although you may indeed use wireless networking at certain junctions in your network, you should regularly test to see whether unauthorized wireless networks are being created by users. When you consider the low cost of an AP today, it is very feasible to install a wireless network anywhere in your large network. And many of the users who have been caught using this method say that the reason they did so is that it would take too long to get permission from the network administrator, or whatever body you use to authorize such connections.

I guess the best thing to say about this topic is "trust no one."




Upgrading and Repairing Networks
Upgrading and Repairing Networks (5th Edition)
ISBN: 078973530X
EAN: 2147483647
Year: 2006
Pages: 411

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net