Wireless Security - WAPs - WEP - Wireless VPNs - PDA Security
One of the critical issues involved with the growing wireless market is security. Consumers and home businesses have been purchasing wireless devices to transmit everything from music to photos. However, mid-sized to large businesses, especially financial ones (banks, brokers, etc.), don't trust this technology, and with good reason: it's not secure.
Layers of Security
A recent article in PC World advises you to "layer" your wireless defenses in this manner:
1. To defend themselves against "war driving," users can simply turn on the WEP encryption that is already built in, and most war drivers will just move on to one of the many wireless LANs that isn't protected.
2. Going to the next step, users can implement user authentication and dynamic WPA, with keys that change, to protect themselves from "script kiddies," teenagers who use packaged hacking tools to infiltrate systems. Those authentication systems should include one of the current versions of the Extensible Authentication Protocol. (More about these later.)
3. For protection against professional hackers, the article recommends going the next step to strong encryption systems such as TKIP (Temporal Key Integrity Protocol), which will be used in WPA and 802.11i, or CKIP (Cisco Key Integrity Protocol), a proprietary implementation of the 802.11i recommendations that Cisco developed as a stop-gap measure.
Maximum wireless security, then, is a combination of several techniques: strong authentication and a strong encryption mechanism, coupled with data integrity.
Wi-Fi security currently has four choices: WEP, VPN, WPA and IDS.
The Wired Equivalent Privacy protocol is the original and most widely used security protocol for wireless devices. There are two problems connected with WEP, however. First, it is based on a system of "keys". Hackers using the brute-force or "dictionary" method of entering alphanumeric combinations can eventually uncover the public and private keys.
The keys themselves are short (and therefore easily guessed) and static, instead of being updated dynamically from the server. To update the keys, a technician must visit each device at every location (hot spot, motel, etc). This just isn't practical for most companies.
WAPs (Wireless Access Points) are essentially low-frequency radio devices capable of broadcasting over short distances: ten or twenty feet in a home or up to a few city blocks for a business. You can buy a WAP at Best Buy for about $100. They're manufactured by Microsoft, D-Link, Linksys, Netgear, and similar consumer-oriented companies. You can set up a WAP cable modem in your home, install a WAP card in each of your PCs and you now have a wireless home network, with each device having internet access.
But all radio signals are subject to interference; for example, they can be blocked by buildings and bridges. High-tension electrical cables can jam their signals.
Many WAPs are set up by default to respond to the strongest RF signal available. Therefore, anyone can set up a "rogue" WAP to pull the signals from another WAP. You can eavesdrop on your neighbors' wireless networks by setting up your own WAP in your car and driving through the neighborhood.
Going to the next step, users can implement user authentication and dynamic WEP, with keys that change, to protect themselves from "script kiddies," teenagers who use packaged hacking tools to infiltrate systems.
Virtual private networking is currently being used to secure internet transmissions through phone lines. This is done by encapsulating the data within a protocol and sending the package out via the TCP/IP protocol. A similar use of this "tunneling" technology can be adapted to wireless transmissions.
Although the IPSec VPN is a tried and true security method for dial-up, it is also limited to IP traffic, complex to configure and needs client-side code. However, VPNs might always be necessary for people working in "hot spots" to connect with the company WLAN.
Therefore, the VPN market is clearly here to stay. VPN market leaders include Cisco, Check Point, Nokia, Nortel Networks, and Symantec. Nokia, in fact, is launching compression software to speed the operation of its cell phones. The company is also planning to market the Opera browser on all its phones.
PDAs are subject to a number of security breaches, including password theft, viruses and data theft through line sniffing.
The biggest security risk to PDAs is theft of the device itself. Securing the data on the device in standalone mode is probably the best type of precaution users can take (along with putting it in your pocket when you go for that second cup of coffee).
The encryption solutions that exist for PDAs typically are one of two types: products to secure the data as the PDA sits in standalone mode, or products to secure the link as the data moves back and forth from infrastructure devices (such as the desktop unit that it uses for hot-syncing).
As with other wireless devices, one of the best ways to protect your PDA is to install a VPN client on it.
VPNs operate using a client-server architecture, therefore PDAs using VPN clients need to connect to a VPN gateway server residing on the destination network. It is not possible to establish a VPN tunnel with the VPN client by itself. Therefore, unless you have a VPN gateway server on the destination network that your PDA client will connect to, there is no point in trying to configure a VPN client. For stronger VPN security, you'll want to use X.509 digital certificates for authentication.
For example, a policy that requires the wireless port be disabled will reduce the risk of sensitive data being transmitted to unauthorized individuals. By creating end-user behavior security policies, organizations can hold the end-users accountable for security violations.
Check Point Security has developed special VPN software for PDAs, and The Intranet Journal has published an excellent primer on PDA security.
An attacker can introduce a rogue WAP to the WLAN.
Many wireless LANs simply connect to the WAP (Wireless Access Point) with the strongest signal. Low-cost WAPs can be used to detour transmissions, which can then be monitored by the attacker. In fact, someone inside a company can install a WAP on the company's wired LAN via the Ethernet node in the wall of his office and hide the WAP under his desk. Then anyone outside the building in a car at midnight has complete access to the corporate LAN. This individual can be detected by monitoring sensors placed at key points around the building.
Denial of Service (DoS) Attacks
This basic form of cyber attack is easy to use on WAPs. Like all generators of radio signals, WAPs can be blocked by buildings or bridges and they also can be jammed by other RF devices, including other WAPs. The only drawback for the attacker is that he or she must be physically close to the WAP or else its low-frequency signals can be used.
Wireless Intruder Detection Systems
These are often sniffer devices or software that have been optimized to identify computer system and network intrusions by gathering and analyzing data. The wireless IDS does its work by recognizing patterns of known attacks and identifying abnormal network activity. The software also detects policy violations for WLANs and generates alerts based on predefined signatures or anomalies in the traffic.
Features of a WIDS
1. IDS can be purchased from a vendor or developed in-house. There are also open source solutions like Snort-Wireless and WIDZ.
2. Wireless IDSs can also work in combination with physical sensors because hackers must be within a close physical distance to the WLAN. This procedure also involves the physical deployment of agents to identify the attacker. For this reason IDS technology might require more human resources.
3. An IDS typically uses directional antennae to triangulate the 802.11 attacker's signal source. IDS can also spot MAC address spoofing.
4. Wireless IDS is a new technology, so be careful it doesn't interfere with normal WLAN operation by cutting off too many routes and subnets. It can also slow down traffic.
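A minimal version of the signature check described above, as an added example (it is not from the original article, Snort-Wireless or WIDZ). It compares beacons reported by sensors against an inventory of authorized access points, flags a corporate SSID announced by an unknown BSSID, flags a known BSSID that appears with the wrong SSID or channel, and names the sensor that hears the source loudest as a starting point for locating it. The inventory, sensor names and observations are constructed.

```python
# Constructed inventory of authorized access points: BSSID -> (SSID, channel)
AUTHORIZED = {
    "00:11:22:33:44:01": ("corp-wlan", 1),
    "00:11:22:33:44:02": ("corp-wlan", 6),
}

# Constructed sensor reports: (sensor, bssid, ssid, channel, rssi_dbm)
OBSERVED = [
    ("lobby",  "00:11:22:33:44:01", "corp-wlan", 1, -48),
    ("lobby",  "00:11:22:33:44:02", "corp-wlan", 6, -60),
    ("lobby",  "66:77:88:99:aa:bb", "corp-wlan", 11, -70),  # unknown BSSID, our SSID
    ("floor3", "66:77:88:99:aa:bb", "corp-wlan", 11, -35),  # same source, much louder
    ("garage", "00:11:22:33:44:02", "corp-wlan", 11, -40),  # known BSSID, wrong channel
    ("garage", "de:ad:be:ef:00:01", "coffee-shop", 3, -80), # neighbouring network
]

def analyze(observations, authorized):
    """Return sorted (alert_kind, bssid, loudest_sensor) tuples."""
    corp_ssids = {ssid for ssid, _ in authorized.values()}
    strongest = {}  # (kind, bssid) -> (rssi, sensor)
    for sensor, bssid, ssid, channel, rssi in observations:
        expected = authorized.get(bssid)
        if expected is None:
            if ssid not in corp_ssids:
                continue  # someone else's network, not a policy matter
            kind = "ROGUE_AP"
        elif expected != (ssid, channel):
            kind = "POSSIBLE_MAC_SPOOF"  # inventory says this BSSID lives elsewhere
        else:
            continue  # matches the inventory
        key = (kind, bssid)
        if key not in strongest or rssi > strongest[key][0]:
            strongest[key] = (rssi, sensor)
    return sorted((kind, bssid, sensor)
                  for (kind, bssid), (_, sensor) in strongest.items())

if __name__ == "__main__":
    for alert in analyze(OBSERVED, AUTHORIZED):
        print(alert)
```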
Wi-Fi Protected Access was developed by Microsoft, Cisco and the Wi-Fi Alliance, an industry trade group which also developed WEP.
WPA is the interim protocol before the ratification of 802.11i. It includes rapid key updates, stronger encryption algorithms, and stronger authentication. It also periodically and dynamically generates a new encryption key for each client.
WPA is vulnerable to Denial of Service attacks, however. A hacker can bring down a WPA-protected network by sending at least two packets using the wrong key each second. When this occurs, the WAP assumes that an attacker is trying to gain access to the network and it closes down.
Finally, there is the 802.11i protocol, considered the last word in wireless security, and predicted to become the deciding factor for banks and other financial institutions to join the wireless world.
According to PC World, the new protocol will include all the elements of WPA, but with stronger encryption. WEP encrypts data on the wireless network but is flawed because it reuses the same encryption key. A would-be hacker can figure out that key from a small amount of traffic, and WEP also doesn't stop interlopers from altering data as it crosses the network.
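The key-reuse flaw described above, as an added example (not from the original article). WEP builds each packet's RC4 key from a 3-byte IV sent in the clear plus the static secret, so two frames with the same IV share a keystream and their XOR equals the XOR of the plaintexts; the last function is the check a defender can run over a capture to see how often IVs repeat. The key, IVs and messages are constructed.

```python
import zlib
from collections import Counter

def rc4_keystream(key: bytes, n: int) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Clear 3-byte IV, then RC4(IV || secret) XOR (plaintext || CRC-32)."""
    data = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + xor(data, rc4_keystream(iv + secret, len(data)))

def ciphertext_xor(frame_a: bytes, frame_b: bytes, n: int) -> bytes:
    """XOR of the first n encrypted bytes of two frames; needs no key."""
    return xor(frame_a[3:3 + n], frame_b[3:3 + n])

def reused_ivs(frames):
    """IVs that occur more than once in a capture."""
    counts = Counter(f[:3] for f in frames)
    return {iv for iv, c in counts.items() if c > 1}

SECRET = bytes.fromhex("0102030405")          # constructed static 40-bit key
P1 = b"invoice 1042 approved"                 # constructed messages
P2 = b"meeting moved to 3 pm"
IV_A, IV_B = b"\x00\x00\x01", b"\x00\x00\x02"
F1 = wep_encrypt(SECRET, IV_A, P1)
F2 = wep_encrypt(SECRET, IV_A, P2)            # same IV as F1
F3 = wep_encrypt(SECRET, IV_B, P2)            # fresh IV

if __name__ == "__main__":
    print(ciphertext_xor(F1, F2, len(P1)) == xor(P1, P2))
    print(reused_ivs([F1, F2, F3]))
```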
Among other improvements, 802.11i will include a system for creating fresh keys at the start of each session. It also will provide a way of checking packets to make sure they are part of a current session and not repeated by hackers to fool network users, Walker said. To manage keys, it will use a RADIUS (Remote Access Dial-In User Service) server to authenticate users and the IEEE 802.1x standard.
The 802.1x Authentication Standard
The authentication process begins when the end user attempts to connect to the WLAN. The authenticator server receives the request and creates a virtual port with the user's device. The authenticator then acts as a proxy for the end user passing authentication information to and from the authentication server on its behalf. The authenticator limits traffic to authentication data to the server. (Note there are TWO servers, a proxy and an authentication server, involved here.)
In a nutshell, the authentication process goes like this:
1. The user (with laptop, PDA or cell phone) sends a message to his business network.
2. The message is encapsulated with the EAP protocol which passes through a proxy server to the network's authentication server. The authentication server sees the EAP header as an "ID card" and then compares it with the other ID numbers in its database.
3. If the end user was accepted, the authenticator (proxy) changes the virtual port with the end user to an authorized state allowing full network access to that end user.
4. When the user logs off, the client virtual port on the server is changed back to the unauthorized state.
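The four steps above as a small model, added here as an example (not from the original article and not a real 802.1x or RADIUS implementation). The authenticator keeps one virtual port per client, passes only EAP messages to the authentication server while the port is unauthorized, and drops everything else. The class names, frame labels and user database are hypothetical.

```python
import hmac

class AuthServer:
    """Stands in for the authentication server and its user database."""
    def __init__(self, users):
        self._users = users                   # identity -> credential (bytes)

    def check(self, identity, credential):
        expected = self._users.get(identity)
        return expected is not None and hmac.compare_digest(expected, credential)

class Authenticator:
    """The proxy: one virtual port per client, unauthorized by default."""
    def __init__(self, server):
        self._server = server
        self._authorized = set()

    def handle(self, client, frame_type, payload=None):
        if frame_type == "EAP-RESPONSE":      # steps 1-2: relay to the server
            identity, credential = payload
            if self._server.check(identity, credential):
                self._authorized.add(client)  # step 3: port becomes authorized
                return "EAP-SUCCESS"
            self._authorized.discard(client)
            return "EAP-FAILURE"
        if frame_type == "EAPOL-LOGOFF":      # step 4: back to unauthorized
            self._authorized.discard(client)
            return "PORT-UNAUTHORIZED"
        # Ordinary traffic passes only through an authorized port.
        return "FORWARDED" if client in self._authorized else "DROPPED"

def run_session():
    ap = Authenticator(AuthServer({"alice": b"constructed-secret"}))
    return [
        ap.handle("laptop-1", "DATA"),
        ap.handle("laptop-1", "EAP-RESPONSE", ("alice", b"wrong")),
        ap.handle("laptop-1", "DATA"),
        ap.handle("laptop-1", "EAP-RESPONSE", ("alice", b"constructed-secret")),
        ap.handle("laptop-1", "DATA"),
        ap.handle("pda-2", "DATA"),           # another client's port is unaffected
        ap.handle("laptop-1", "EAPOL-LOGOFF"),
        ap.handle("laptop-1", "DATA"),
    ]

if __name__ == "__main__":
    print(run_session())
```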
The Extensible Authentication Protocol
The 802.1x authentication process outlined above depends on the Extensible Authentication Protocol or EAP.
The problem is that there are currently five different commercial versions of EAP, including a proprietary version from Cisco. In order for 802.1x to work, both client and server must be running the same version of EAP!
Cisco's version, Light EAP (or LEAP), can be compromised by dictionary attacks, and several hospitals have been using Cisco wireless connectivity. (A denial of service attack on a hospital server could be considered negligent homicide if it caused the death of a patient who was on a life-support system.)
Another version, Protected EAP (PEAP), has been developed by Cisco, Microsoft and RSA. It uses certificates in a manner similar to SSL and is included in the Windows XP service pack.
(For more details on EAP, consult the Computerworld site.)
In the meantime...
Current measures that a company can take include directional antennae to aim the signal at a specific location and lower transmission power so the signal won't be sent over too large an area.
Measures the home user can take include:
1. Disable or change all default IDs. Many wireless routers or access points come with default IDs. (Cisco uses "tsunami".) The attacker can easily learn the default IDs from the device's manufacturer.
2. Many home devices "broadcast" their existence by default. The broadcast service is useful in corporate environments for workstations to locate a server, but you don't need it in your home - not with war drivers cruising around your neighborhood. Disable the service.
3. Change the default administrator password. Most people do this when they install Windows on their PCs but neglect to do it on a wireless device.
4. Install other security devices that are available. Configure WEP, a firewall and an anti-virus. These measures might slow down your traffic, so you must be the judge of which is more important: security or speed. If you communicate with your company or do financial transactions from home, these measures might well be worth a little slowness.
But Most Users Don't Care
The average consumers of today's wireless devices aren't overly concerned with security. Instead, they're going for the convenience, speed and novelty of PDAs and cell phones that can transmit pictures. For those people, WEP takes too long to configure and it can actually slow down the processing of their devices. The same is true for VPNs. Unless you have extremely sensitive data (e.g. government classified data), using a VPN on your PDA may not be worth the performance hits you will suffer.
Okay. That's all I've found out about the current state of wireless security. The 802.11i standard will supposedly be ratified by Spring, 2004, but some changes might happen before then. In the meantime, wireless is still insecure and financial institutions still haven't accepted it. In fact, you can stand in your local mall and eavesdrop on cell phone conversations, just by using your ears.
By: Roy Troxel