Securing Wireless Networking in Windows XP


Windows XP natively supports automatic configuration for the IEEE 802.11 standard for wireless networks, which minimizes the configuration that is required to access wireless networks. Users can roam between different wireless networks without the need to reconfigure the network connection settings on their computer for each location. When a user moves from one wireless network to another, Windows XP searches for available wireless networks and connects to them or prompts the user to select a wireless network to connect to. From a usability standpoint, the automatic and even transparent configuration of wireless networking in Windows XP is great. From a security standpoint, it presents some serious problems. Not all wireless networks are secure, and thus, a user could unwittingly endanger his laptop computer or even the corporate network.

Using Wireless Zero Configuration in Windows XP

The Wireless Zero Configuration service in Windows XP enables automatic connection to the following:

  • Infrastructure networks: Computers and devices connect to wireless access points. Access points function as network bridges between the wireless clients and a wired network infrastructure. When a user enters the transmission area of an infrastructure network, where the access points broadcast their service set identifier (SSID), Windows XP will automatically attempt to connect to the access point it gets the strongest signal from. For example, your organization might have more than one building equipped with a wireless network. When a user moves between buildings, Windows XP will always connect to the wireless network without intervention from the user.

    Tip 

    Enable wireless access points to broadcast their SSID only if you intend the network to be public. Consider disabling the broadcasting of SSIDs for networks connected to your corporate network to prevent potential attackers from gaining valuable information about your network. This will, however, prevent the use of the Wireless Zero Configuration functionality.

  • Ad hoc networks: Ad hoc networks are formed when computers and devices with wireless network connectivity connect directly to each other, instead of connecting to access points. Unlike infrastructure networks, which operate as network bridges to other networks, ad hoc networks only allow you to access resources on the computer or devices that you connect to.

By default, Windows XP connects to both infrastructure networks and ad hoc networks, even those that the computer has not connected to before. For security purposes, you might not want the laptop computers in your organization to connect to untrusted networks automatically. You can define how Windows XP connects to wireless networks in the advanced wireless network connection properties. To increase the security of Windows XP laptops with wireless network cards, you should select to connect to only infrastructure networks and deselect the option to automatically connect to nonpreferred networks, which are networks that are not stored as preferred networks in the wireless network configuration utility (shown in Figure 19-1).


Figure 19-1: Advanced wireless network connection properties

Configuring Security for 802.11 Wireless Network Connectivity

The most basic type of security for 802.11 wireless networks is Wired Equivalent Privacy, or WEP. WEP provides authentication and data transmission security for wireless clients to protect against unauthorized access and eavesdropping. In Windows XP, you can configure the network key that is used for WEP. The key is used for authentication to the wireless network. In addition, when data encryption is enabled, a shared encryption key is generated to encrypt the data transmission between the computer and the wireless access point. Unlike Windows XP, Windows 2000 does not have integrated wireless network management features; in Windows 2000, 802.11 configuration must be done in the application provided by the wireless network interface vendor.

Configuring 802.11 Security with WEP

802.11 supports two subtypes of network authentication service: open system and shared key. When open system authentication is used, any computer or device can request authentication from the access point, and consequently, any computer or device can connect to the network. Using open system authentication does not prevent data transmission encryption. Unlike open system authentication, shared key authentication requires that the client computer or device have knowledge of a secret key that is shared by the wireless access point and all other wireless clients.

When using shared key authentication, the access point generates a random 64-bit or 128-bit number that is used as a challenge. The wireless client returns the challenge encrypted with the WEP shared key. The encryption process uses the RC4 stream cipher to perform an exclusive or (XOR) binary operation on the plaintext payload. The RC4 keystream is produced by a random number generator (RNG) whose seed is the 40-bit or 104-bit WEP key concatenated with a 24-bit initialization vector. The encrypted payload and the initialization vector are sent to the access point. The access point concatenates the WEP key with the initialization vector to seed RC4, regenerates the same keystream, and performs an XOR on the encrypted payload to reveal the plaintext payload.

Unfortunately, an attacker who captures these frames possesses the plaintext challenge, the ciphertext challenge, and the initialization vector. Because of the way that XOR operations work, the attacker can now compute the keystream that was used, which RC4 derived from the concatenated initialization vector and WEP key. Although the attacker still does not know the WEP key, she can attempt to authenticate to the access point, using the keystream derived from the captured packets to encrypt the challenge and retransmitting the captured initialization vector.

Note 

Several utilities available on the Internet automate this process of compromising shared key authentication.

Sidebar: How XOR Operations Work

To understand how an attacker can compromise WEP security, you must know how the binary XOR operation works. An XOR takes two binary numbers of equal length, compares them bit by bit, and yields a result of the same length. The following list shows the result of XOR operations on each pair of bits:

0 XOR 0 = 1
0 XOR 1 = 0
1 XOR 0 = 0
1 XOR 1 = 1

The XOR is frequently used by stream ciphers to encrypt data. For example, the name BEN can be represented in ASCII as 0x42 0x45 0x4E and converted to the binary. The RC4 algorithm might generate the keystream shown next. You then perform an XOR on the plaintext with the keystream. The result is the ciphertext.

Plaintext          01000010    01000101    01001110
Keystream (XOR)    01101100    00010111    01101111
Ciphertext         11010001    10101101    11011110

If you convert the ciphertext back to ASCII characters, you get the following: - . The problem with using XOR for encryption is that if you know any two of the three elements, you can determine the one you do not know. For example, if you can intercept the plaintext and the ciphertext, you can determine the keystream by performing an XOR on the plaintext with the ciphertext:

Plaintext          01000010    01000101    01001110
Ciphertext (XOR)   11010001    10101101    11011110
Keystream          01101100    00010111    01101111

End of sidebar

Although shared key authentication is not completely secure, it does provide more protection than open system authentication. Thus, when combined with Media Access Control (MAC) address filtering, implementing shared key authentication provides a base level of security for wireless networks against novice attackers. If your organization issues laptops to users with wireless network cards, the users will likely install a home wireless network. To ensure that employees do not expose information contained on their laptops to potential attackers, you should create guidelines for installing home wireless networks, and these guidelines should include enabling shared key authentication.

WEP also provides data encryption services by using the same process as defined for shared key authentication. Because only 2^24 (roughly 16 million) initialization vectors exist, even if each packet uses a new initialization vector, it is likely that an initialization vector will be repeated after about 4500 packets have been transmitted. This is an example of a birthday attack on a cryptography algorithm. Thus, if an attacker can get the access point to send known plaintext (such as ping packets) and then capture all encrypted packets, he will be able to compute the keystream by performing an XOR on the plaintext with the ciphertext. The attacker could then place the keystream in a database organized by the initialization vector. The next time that the attacker intercepts a packet with that initialization vector, he can look up the keystream in the database and decrypt the packet.
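The sidebar's two-of-three property and the keystream database described in the preceding paragraph can be worked through in code. The following is an added example, not from the book: a textbook RC4 and a WEP-style encryption routine (RC4 seeded with the initialization vector followed by the key, ciphertext equal to plaintext XOR keystream), used to recover a keystream from a known plaintext frame and to decrypt a second frame that reuses the same initialization vector. It uses the standard bitwise XOR operator (a bit XORed with itself gives 0), so the byte values it produces for the sidebar's BEN example differ from the sidebar's tables, while the recovery property the sidebar describes holds identically. The key, initialization vector and frame payloads are constructed for the example; the ICV that real WEP frames carry is omitted.

```python
"""WEP keystream recovery and IV reuse, worked through in code.

Added example, not from the book. A textbook RC4 and a WEP-style encrypt
routine (RC4 seeded with IV || key, ciphertext = plaintext XOR keystream)
show (1) that any two of plaintext, keystream and ciphertext reveal the
third, and (2) why a repeated IV lets a keystream captured from known
plaintext decrypt a later frame without the key. All keys, IVs and
payloads below are constructed for the example.
"""
from math import exp


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm (KSA), then the keystream generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + S[i] + seed[i % len(seed)]) % 256
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # PRGA
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (Python's ^ on each byte)."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP data protection (ICV omitted): RC4 seeded with the 24-bit IV || key."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("WEP uses a 24-bit IV and a 40- or 104-bit key")
    return xor_bytes(plaintext, rc4_keystream(iv + key, len(plaintext)))


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known plaintext XOR ciphertext gives the keystream (the sidebar's second table)."""
    return xor_bytes(plaintext, ciphertext)


def iv_collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least one IV repeats among `packets` frames."""
    space = 2 ** iv_bits
    return 1.0 - exp(-packets * (packets - 1) / (2.0 * space))


def sidebar_ben_example() -> dict:
    """The sidebar's BEN example computed with the standard XOR operator."""
    plaintext = b"BEN"                        # 0x42 0x45 0x4E
    keystream = bytes([0x6C, 0x17, 0x6F])     # the keystream from the sidebar
    ciphertext = xor_bytes(plaintext, keystream)
    return {
        "ciphertext": ciphertext,             # 0x2E 0x52 0x21
        "keystream_back": recover_keystream(plaintext, ciphertext),
    }


def keystream_reuse_demo() -> dict:
    """An eavesdropper builds a keystream table by IV and decrypts a reused-IV frame."""
    key = bytes.fromhex("0badc0ffee")         # constructed 40-bit WEP key, never learned
    iv = bytes.fromhex("a1b2c3")              # constructed IV, transmitted in the clear
    known = b"ping payload"                   # frame 1: plaintext the attacker can predict
    secret = b"SECRET=42!!!"                  # frame 2: unknown plaintext, same IV

    c1 = wep_encrypt(key, iv, known)          # what is captured on the air
    c2 = wep_encrypt(key, iv, secret)

    table = {iv: recover_keystream(known, c1)}   # keystream database, organized by IV

    # Frame 2 reuses the IV: the table entry decrypts it without the WEP key.
    recovered = xor_bytes(c2, table[iv][:len(c2)])
    return {
        "keystream_matches_rc4": table[iv] == rc4_keystream(iv + key, len(known)),
        "recovered_plaintext": recovered,
        "p_repeat_after_4500": iv_collision_probability(4500),   # about 0.45
    }


if __name__ == "__main__":
    print(sidebar_ben_example())
    print(keystream_reuse_demo())
```

`iv_collision_probability(4500)` evaluates to roughly 0.45, which is the "about 4500 packets" estimate of the text made concrete: with a 24-bit IV space the chance of at least one repeat reaches one in two after a few thousand frames regardless of how carefully the sender avoids reusing IVs, so the per-IV keystream table fills in quickly on a busy network. The `rc4_keystream` function can be checked against a published RC4 test vector (key "Key", plaintext "Plaintext").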

In addition, a known vulnerability exists in the key scheduling algorithm of RC4, meaning that a small subset of initialization vectors is weak. Researchers at AT&T Labs estimate that this vulnerability could be exploited by intercepting as few as 1,000,000 packets. By exploiting this vulnerability, an attacker could retrieve the static WEP key. If the attacker knows the WEP key, he can decrypt any packet he wants to view. Most newer, enterprise-oriented access points and wireless network cards are programmed not to use these weak initialization vectors. You can protect wireless clients that use Windows XP by using 802.1x.

Configuring 802.11 Security with 802.1x

At the time of the printing of this book, IEEE 802.1x is a draft standard for port-based network access control, which provides authenticated network access to 802.11 wireless networks and to wired networks. Port-based network access control uses the physical characteristics of a switched LAN infrastructure to authenticate devices that are attached to a LAN port and to prevent access to that port in cases where the authentication process fails.

During a port-based network access control interaction, a LAN port adopts one of two roles: authenticator or supplicant. In the role of authenticator, a LAN port enforces authentication before it allows user access to the services that can be accessed through that port. In the role of supplicant, a LAN port requests access to the services that can be accessed through the authenticator's port. An authentication server, which either can be a separate entity or an entity colocated with the authenticator, checks the supplicant's credentials on behalf of the authenticator. The authentication server then responds to the authenticator, indicating whether the supplicant is authorized to access the authenticator's services.

The authenticator's port-based network access control defines two logical access points to the LAN, through one physical LAN port. The first logical access point, the uncontrolled port, allows data exchange between the authenticator and other computers on the LAN, regardless of the computer's authorization state. The second logical access point, the controlled port, allows data exchange between an authenticated LAN user and the authenticator.
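The split between the uncontrolled and controlled port is easiest to see as a small state machine. The following is an added illustration, not from the book or from any Windows component: an authenticator with one physical port that passes authentication (EAPOL) frames to an authentication server regardless of the supplicant's state, and forwards data frames only for supplicants the server has authorized. The frame format, the MAC addresses and the credential store are constructed for the example, and the `user:credential` payload stands in for the EAP method exchange (PEAP with MS-CHAPv2 is a challenge-response and never carries the password itself).

```python
"""Port-based network access control (802.1x), modeled in code.

Added illustration, not from the book. One physical port, two logical
ports: the uncontrolled port only carries authentication traffic to the
authentication server; the controlled port carries data only after the
server has authorized the supplicant. Frames, addresses and credentials
are constructed for the example.
"""
from dataclasses import dataclass, field

EAPOL = "EAPOL"          # authentication traffic (always admitted, uncontrolled port)
DATA = "DATA"            # ordinary LAN traffic (controlled port)


@dataclass
class Frame:
    src: str             # supplicant MAC address (constructed)
    kind: str            # EAPOL or DATA
    payload: str


class AuthenticationServer:
    """Stand-in for RADIUS: checks credentials on the authenticator's behalf."""

    def __init__(self, credentials: dict):
        self._credentials = credentials      # constructed user -> credential store

    def authenticate(self, user: str, credential: str) -> bool:
        return self._credentials.get(user) == credential


@dataclass
class Authenticator:
    server: AuthenticationServer
    authorized: set = field(default_factory=set)   # MACs whose controlled port is open
    log: list = field(default_factory=list)

    def receive(self, frame: Frame) -> str:
        if frame.kind == EAPOL:
            # Uncontrolled port: open to everyone, but only for the authentication exchange,
            # which the authenticator relays to the server rather than deciding itself.
            user, _, credential = frame.payload.partition(":")
            if self.server.authenticate(user, credential):
                self.authorized.add(frame.src)
                self.log.append(f"{frame.src}: authorized as {user}")
                return "EAP-Success"
            self.authorized.discard(frame.src)
            self.log.append(f"{frame.src}: authentication failed for {user}")
            return "EAP-Failure"
        # Controlled port: data is forwarded only for an authorized supplicant.
        if frame.src in self.authorized:
            return f"forwarded: {frame.payload}"
        self.log.append(f"{frame.src}: data frame dropped, port unauthorized")
        return "dropped"

    def logoff(self, src: str) -> None:
        """EAPOL-Logoff: the controlled port for this supplicant closes again."""
        self.authorized.discard(src)


def port_control_demo() -> list:
    """Drives one supplicant through the sequence the text describes."""
    server = AuthenticationServer({"alice": "resp-7f3a"})   # constructed store
    ap = Authenticator(server)
    laptop = "00:11:22:33:44:55"                            # constructed MAC
    results = [
        ap.receive(Frame(laptop, DATA, "GET /intranet")),   # before auth: dropped
        ap.receive(Frame(laptop, EAPOL, "alice:bad-resp")), # wrong credential
        ap.receive(Frame(laptop, EAPOL, "alice:resp-7f3a")),# correct credential
        ap.receive(Frame(laptop, DATA, "GET /intranet")),   # now forwarded
        ap.receive(Frame("66:77:88:99:aa:bb", DATA, "GET /intranet")),  # stranger
    ]
    ap.logoff(laptop)
    results.append(ap.receive(Frame(laptop, DATA, "GET /intranet")))  # closed again
    return results


if __name__ == "__main__":
    for line in port_control_demo():
        print(line)
```

The point the model makes is that the access point never evaluates credentials itself; it only opens or closes the controlled port on the server's verdict, which is what lets RADIUS centralize identity, per-session key handling and accounting for every authenticator on the network.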

IEEE 802.1x uses standard security protocols, such as Remote Authentication Dial-In User Service (RADIUS), to provide centralized user identification, authentication, dynamic WEP key management, and accounting. In Windows XP, you can use X.509 certificates or the Protected Extensible Authentication Protocol (PEAP) with Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) to authenticate clients; both are configured on the Authentication tab of the profile of a preferred wireless network connection, as shown in Figure 19-2.

Figure 19-2: Configuring 802.1x authentication for wireless connections in Windows XP

The PEAP authentication has two phases. First, an encrypted TLS channel is established to the RADIUS server using a PEAP exchange. Second, MS-CHAPv2 is used to authenticate the wireless client to the network. After the wireless user and computer have been authenticated, encryption keys can be exchanged.




Microsoft Windows XP Professional Resource Kit 2003