Basic Wireless Security

As with other technologies, a layered security approach is generally considered best practice. In this section, we will discuss a number of techniques to secure wireless network devices and infrastructure. We will look in depth at security mechanisms such as MAC address filtering, SSID, Wired Equivalent Privacy (WEP), and WiFi Protected Access (WPA). These items (discussed in this section) include the basics for securing your wireless infrastructure. These should be completed on any wireless network and are generally available on most wireless access points commercially available.

MAC Address Filtering

Most access points today will allow you to make a list of the Media Access Control (MAC) addresses that you want to allow or deny access to your network via wireless technologies. A MAC address is a number that is unique to every IEEE-compliant network interface. Wireless network devices such as wireless access points and wireless cards include a MAC address.

Open source and commercial software exists today that gives an administrator the ability to "spoof" the MAC address of a network card. An example of commercial software that has spoofing already built in is software for High Availability (HA) server and network devices. Most server configurations requiring HA have software that spoofs the MAC address to allow for quick failover should one of the nodes become unavailable. To complement commercial HA software, there are open source packages that give users the ability to spoof the MAC address, specifically to defeat MAC address filtering.

Note 

For an in-depth look into MAC address spoofing countermeasures and a look at some of the tools available to accomplish MAC address spoofing, see the document by Edgar D. Cardenas titled "MAC Spoofing: An Introduction" (available at http://www.giac.org/practical/GSEC/Edgar_Cardenas_GSEC.pdf).

Administration of allow/deny lists as a security mechanism can vary in burden, depending on the size of the network being deployed to or already deployed on. If a user needs access to all the access points in a large environment, there must be central management software to replicate the MAC address to all of the access points on the network for this to be a feasible alternative. If an administrator had to add or remove MAC addresses in a large number of access points individually, it could make the administrative burden outweigh any potential gain from the allow/deny security. Wireless network access point manufacturers may have a software package that will allow for central administration. This feature set varies from vendor to vendor.

MAC address filtering is, at best, a good mechanism to keep honest wireless users honest. It is beneficial in setting boundaries. An enterprise large enough to require multiple separate wireless LANs could use this method to ensure end users connect to the appropriate wireless network. On the other hand, there are software packages allowing attackers to easily sniff MAC addresses on the wireless LAN (WLAN). Once this information has been gathered, even an attacker with little experience can easily spoof the MAC address with one that is allowed to be on the network. MAC address filtering should only be recommended as one of the layers of an overall security plan for a wireless network, never relied on for security. Even a very casual attacker could penetrate a wireless network only protected by MAC address filtering.

Broadcasting the SSID

The Service Set Identifier (SSID) is a string of characters sent out as part of a beacon. This beacon is used to tell other wireless devices in the area the SSID of the wireless LAN on which the access point is currently participating. Most operating systems, including the wireless client built into the Mac OS or Microsoft Windows platforms, will detect the beacon and offer to connect to the identified wireless network. The SSID is broadcast in plain text to any device that can receive the signal.

By turning off the SSID broadcast on the network access point, the network will not be visible even to devices that are within physical range. This (in theory) "hides" the network from would-be miscreants that are war driving or using some similar reconnaissance-gathering technique. There are tools available, such as SSIDSniff (http://www.bastard.net/$kos/wifi/) and AirMagnet (http://www.airmagnet.com/index.htm), that allow a miscreant to listen for wireless traffic of users already connected to the LAN legitimately and find the SSID they're using. Since a client cannot find the network without already knowing the SSID, turning off the broadcast requires the administrator to give out the SSID to all users authorized for access. Deploying the SSID manually is almost impossible, as companies almost always have some degree of turnover amongst the ranks. Every time a user that knows the SSID leaves the company, a new SSID should be issued and communicated via a secure method to all authorized users of the wireless infrastructure. Depending on other security packages deployed on the wireless network, having the SSID broadcast turned on or off should be analyzed on a case-by-case basis. Later in this chapter the "wireless jail" will be explained. In the wireless jail scenario, having the SSID broadcast turned on would not pose a major security risk. Having the SSID broadcast off as a sole security measure should never be acceptable.
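The following Python parser is an added example (not from the book) that shows what the beacon described above actually carries: the SSID information element sits in plain text after the fixed fields, a "hidden" network still sends the element with zero length, and the capability field's Privacy bit announces whether WEP or WPA is in use. The beacon bodies are constructed inline for testing, not real captures.

```python
import struct

SSID_ID, RATES_ID, DS_PARAM_ID = 0, 1, 3     # information element IDs
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010        # capability-information bits

def parse_beacon_body(body: bytes) -> dict:
    """Parse a beacon frame body (everything after the 24-byte MAC header):
    8-byte timestamp, 2-byte beacon interval, 2-byte capability field, all
    little-endian, then information elements as (ID, length, value) triples."""
    if len(body) < 12:
        raise ValueError("beacon body too short for its fixed fields")
    _timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
    elements, offset = {}, 12
    while offset + 2 <= len(body):
        eid, length = body[offset], body[offset + 1]
        value = body[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        elements.setdefault(eid, value)      # keep the first copy of a repeated ID
        offset += 2 + length
    ssid_raw = elements.get(SSID_ID, b"")
    # A "hidden" network still sends the SSID element, but with zero length
    # (some access points send NUL bytes of the real length instead).
    hidden = len(ssid_raw) == 0 or ssid_raw == b"\x00" * len(ssid_raw)
    return {
        "ssid": "" if hidden else ssid_raw.decode("utf-8", "replace"),
        "ssid_hidden": hidden,
        "privacy": bool(capability & CAP_PRIVACY),   # WEP/WPA enabled
        "beacon_interval_tu": interval,
        "channel": elements[DS_PARAM_ID][0] if elements.get(DS_PARAM_ID) else None,
    }

def build_beacon_body(ssid: bytes, privacy: bool, channel: int = 6) -> bytes:
    """Construct a sample beacon body for testing (not a real capture)."""
    cap = CAP_ESS | (CAP_PRIVACY if privacy else 0)
    fixed = struct.pack("<QHH", 0, 100, cap)                # interval 100 TU
    ies = bytes([SSID_ID, len(ssid)]) + ssid
    ies += bytes([RATES_ID, 4, 0x82, 0x84, 0x8B, 0x96])     # 1, 2, 5.5, 11 Mb/s
    ies += bytes([DS_PARAM_ID, 1, channel])
    return fixed + ies

if __name__ == "__main__":
    for ssid in (b"corpnet", b""):
        print(parse_beacon_body(build_beacon_body(ssid, privacy=True)))
```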

"Security through obscurity" is a worthy addition to a layered security model. Blackalchemy provides a unique approach to securing the SSID of a wireless access point with the FakeAP product (http://www.blackalchemy.to/project/fakeap/). This product sends out thousands of beacon signals advertising different access points. This will confuse the common sniffing and detection software by making it look like there are thousands of access points. This makes it very difficult for attackers to find wireless network SSIDs that are in use.

Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy works using a secret "shared key" security mechanism that is common in implementations of the 802.11x series standards. The WEP key is usually 40 or 128 bits long. There are some variations on this key length, but these are the most common. The tools available to break WEP encryption currently do not require a large amount of time, even if the chosen key length is 128 bits. Most WEP keys can be broken in 8-16 hours. This time depends on the number of packets sent out over the wireless network: the more packets transferred, the faster the key can be broken. "Shared key" means a common key that each of the wireless access devices holds and uses to encrypt and decrypt all packets that traverse the wireless network. Once a user or miscreant has this shared key, they can interpret any data that is within range and being encrypted with that WEP key.

WEP has a number of vulnerabilities paving the way for simple attack methods to successfully break the WEP encryption key. Combine relatively inexpensive hardware, open source software, a short learning curve, and a few hours of administrative time, and a 128-bit encryption key can be broken in 8-16 hours. Ultimately, a minimally configured laptop/PDA with a large hard drive and a wireless card is all that is necessary. In this scenario, a dual-band card is preferred, so the three most popular standards can all be picked up and the traffic and/or data can be gathered as quickly as possible with the most flexibility.

AirSnort (http://airsnort.shmoo.com/) is an open source program that, when combined with WEPCrack (http://sourceforge.net/projects/wepcrack), will execute a series of attacks to exploit known weaknesses of WEP. One of the first publicly available implementations to exploit the weaknesses is described in the document by Scott Fluhrer, Itsik Mantin, and Adi Shamir, entitled "Weaknesses in the Key Scheduling Algorithm of RC4" (http://www.drizzle.com/%7Eaboba/IEEE/rc4_ksaproc.pdf). According to the AirSnort web site, the tool is used for the purpose of recovering encryption keys. It also points out that to crack the WEP key, approximately 5-10 million packets need to be gathered. During the writing of this chapter, one of the authors (Jesse) has been connected to his home wireless network and has been using the built-in, dual-band wireless network card to connect to the Internet. Almost 3 million packets have been sent and just over 7 million packets received during an eight-hour period. All one would need to do is capture the required packets. Then, by running a series of programs to crack the WEP key, the miscreant would be able to listen to all the traffic over the wireless network. AirSnort can "guess" the encryption password in one second once it has enough packets; however, hardware can be a factor in the overall processing speed during recovery of a key. To create a doomsday scenario for your wireless network, all a miscreant needs is an inexpensive laptop or PDA. This can be left near an access point for 8-16 hours, and one would have what is needed to crack the WEP shared key. Later, the miscreant needs only to recover the reconnaissance device and move to a safe location to work on cracking the key. Once the miscreant has the WEP key, access will be available whenever it is convenient for him. Administrators must realize that WEP alone will not keep wireless networks secure.
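The following Python script is an added example (not from the book) that works through why the packet counts above matter for WEP: RC4 is keyed with a 24-bit IV prepended to the shared key, so the birthday bound gives the traffic volume at which an IV (and therefore a keystream) repeats, and the chapter's observed rate of roughly 10 million packets in eight hours translates directly into collection time. The IV audit at the end runs over a constructed capture, not real data.

```python
import math
from collections import Counter

# WEP prepends a 24-bit initialization vector (IV) to the shared key and feeds
# the result to RC4, so at most 2**24 distinct keystreams exist per shared key.
IV_BITS = 24
IV_SPACE = 1 << IV_BITS

def packets_until_iv_repeat(probability: float) -> int:
    """Birthday bound: packets after which some IV has repeated with the given
    probability, assuming each card picks IVs uniformly at random."""
    if not 0 < probability < 1:
        raise ValueError("probability must be strictly between 0 and 1")
    return math.ceil(math.sqrt(2 * IV_SPACE * math.log(1 / (1 - probability))))

def hours_to_collect(target_packets, observed_packets, observed_hours):
    """Scale an observed traffic volume to the time needed for target_packets."""
    if observed_packets <= 0 or observed_hours <= 0:
        raise ValueError("need a positive observed volume and duration")
    return target_packets * observed_hours / observed_packets

def hours_to_exhaust_iv_space(observed_packets, observed_hours):
    """Time until a network at this rate has used every IV at least once."""
    return hours_to_collect(IV_SPACE, observed_packets, observed_hours)

def audit_ivs(ivs):
    """Defender-side check over IVs read from a capture: distinct IVs seen,
    IVs reused, and the fraction of the IV space covered. A reused IV means
    two frames were encrypted with the same RC4 keystream."""
    counts = Counter()
    for iv in ivs:
        if not 0 <= iv < IV_SPACE:
            raise ValueError(f"IV {iv!r} does not fit in {IV_BITS} bits")
        counts[iv] += 1
    reused = sum(1 for n in counts.values() if n > 1)
    return len(counts), reused, len(counts) / IV_SPACE

# Constructed capture: a card that restarts its IV counter at 0 after a reset,
# as some early cards did, reuses the low IVs after every reboot.
SAMPLE_IVS = list(range(1000)) + list(range(500))

if __name__ == "__main__":
    print("50% chance of an IV repeat after", packets_until_iv_repeat(0.5), "packets")
    # The chapter's observation: roughly 10 million packets in eight hours.
    print(hours_to_collect(5_000_000, 10_000_000, 8), hours_to_exhaust_iv_space(10_000_000, 8))
    print(audit_ivs(SAMPLE_IVS))
```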

Rotating encryption keys can help reduce the effectiveness of this exploit, but solid and standard means of deploying these rotated keys on a regular basis with little to no administrative overhead are beyond the WEP standard. An often-overlooked factor to consider is how to address the security of delivering the WEP key to the end user. How does an administrator ensure social engineering techniques are not used to obtain the WEP shared secret key? If a user writes down his or her password, why wouldn't the WEP key be written down as well? This especially holds true if the key is changed on a regular basis without an automated deployment system. For most enterprises this would not be acceptable, as the administrative burden for end users and administrators alike would be too great. The reality is that some enterprises depend on WEP to secure the entire wireless infrastructure. Some even rely on a single shared key that is easily guessable, such as the company name or building number. This type of behavior should be discouraged.

WiFi Protected Access (WPA)

WPA builds on the strengths of WEP and could potentially replace WEP in the future. For a period, these two technologies will work side by side. With this in mind, steps were taken to make WPA interoperable with WEP. WPA uses a stronger encryption algorithm than WEP known as Temporal Key Integrity Protocol (TKIP). Authentication has been added to WPA, which was not available in WEP.

TKIP addresses a number of the security weaknesses for which WEP is known, through the following improvements:

  • Per-packet key mixing

  • Message integrity check

  • Extended initialization vector (IV) with sequencing rules

  • Re-keying mechanism

These four improvements make WPA more secure and robust than WEP. Most devices currently on the market either incorporate WPA or are software upgradeable to support WPA. End users will take longer to upgrade because of the logistics. However, if WEP was enabled previously, the users can still connect to the access point(s) via WEP until each is upgraded to WPA-enabled clients and access points. WPA also introduced a built-in ability to use extensible authentication mechanisms that will be explained in the next section.
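As an added example (not from the book, and a simplified model rather than a transcription of the 802.11i text), this Python class shows the receive-side sequencing rule behind the extended IV and re-keying items listed above, and why it closes the IV-reuse problem that WEP's 24-bit IV left open. The frame stream it processes is constructed.

```python
# Simplified model of the TKIP receive-side sequencing rule. Every TKIP frame
# carries a 48-bit TKIP sequence counter (TSC), which is also the extended IV
# and an input to the per-packet key mixing. The receiver remembers the highest
# TSC accepted under the current temporal key and drops any frame whose TSC is
# not strictly greater: replays are rejected, and no two frames ever use the
# same per-packet key (so no RC4 keystream repeats) under one key.
TSC_BITS = 48
TSC_MAX = (1 << TSC_BITS) - 1


class TkipReplayCounter:
    def __init__(self, rekey_margin: int = 1 << 24):
        self.rekey_margin = rekey_margin  # request fresh keys this far before wrap
        self.last_tsc = -1                # nothing accepted yet under this key
        self.replays = 0

    def accept(self, tsc: int) -> bool:
        """Return True if the frame may be decrypted, False if it is dropped."""
        if not 0 <= tsc <= TSC_MAX:
            raise ValueError("TSC does not fit in 48 bits")
        if tsc <= self.last_tsc:          # replayed or reordered frame: drop it
            self.replays += 1
            return False
        self.last_tsc = tsc
        return True

    def needs_rekey(self) -> bool:
        """True when the counter is close to wrapping. WEP had no such rule:
        its 24-bit IV simply wrapped and keystreams were reused."""
        return self.last_tsc >= TSC_MAX - self.rekey_margin

    def rekey(self) -> None:
        """Install a fresh temporal key; the counter restarts from zero."""
        self.last_tsc = -1


def process_stream(tscs):
    """Run a frame sequence through the check; return (accepted, dropped,
    rekey_needed)."""
    counter = TkipReplayCounter()
    accepted = sum(1 for tsc in tscs if counter.accept(tsc))
    return accepted, counter.replays, counter.needs_rekey()


# Constructed stream: frames 1-5 in order, frame 3 replayed, then frame 6.
SAMPLE_STREAM = [1, 2, 3, 4, 5, 3, 6]

if __name__ == "__main__":
    print(process_stream(SAMPLE_STREAM))       # (6, 1, False)
```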

Extreme Exploits: Advanced Defenses Against Hardcore Hacks (Hacking Exposed)
ISBN: 0072259558
Year: 2005
Pages: 120