WIRELESS LAN SECURITY AND LABORATORY DESIGNS Yasir Zahur T. Andrew Yang University of Houston – Clear Lake 17th CCSC Southeastern Conference Georgia Perimeter College - Dunwoody, GA CCSCSE 2003
Agenda Introduction Standards & Specifications Vulnerabilities Alternate Security Solutions Laboratory Setup CCSCSE 2003
Where Does WLAN Fit ? CCSCSE 2003
Source: http://www. jiwire. com/. cid=95&kw=802. 11&se=google (Nov Source: http://www.jiwire.com/?cid=95&kw=802.11&se=google (Nov. 6, 2003) Traveler's Quick Finder Browse by location Free Hotspots 510 hotspots Hotels 5,910 hotspots Airports 432 hotspots Cafes 5,344 hotspots CCSCSE 2003
Growth of WLAN CCSCSE 2003
Infrastructure Mode of WLAN CCSCSE 2003
Typical WLAN Architecture CCSCSE 2003
IEEE 802.11 Standards Standard Description Current Status CCSCSE 2003 Standard for WLAN operations at data rates up to 2 Mbps in the 2.4-GHz ISM band Approved in July 1997 IEEE 802.11a Standard for WLAN operations at data rates up to 54 Mbps in the 5-GHz UNII band Approved in Sept 1999. End-user products began hipping in early 2002 IEEE 802.11b Standard for WLAN operations at data rates up to 11 Mbps in the 2.4-GHz ISM band Sept 1999. End-user products began shipping in early 2000 IEEE 802.11g High-rate extension to 802.11b allowing for data rates up to 54 Mbps in the 2.4-GHz ISM band Draft standard adopted Nov 2001. Full ratification expected late 2002 or early 2003 IEEE 802.11e Enhance the 802.11 MAC to improve and manage Quality of Service, provide classes of service, and enhanced security and authentication mechanisms. These enhancements should provide the quality required for services such as IP telephony and video streaming Still in development, i.e., in the task group (TG) stage IEEE 802.11f Develop recommended practices for an Inter- access Point Protocol (IAPP) which provides the necessary capabilities to achieve multi-vendor AP interoperability across a DS supporting IEEE P802.11 Wireless LAN Links IEEE 802.11i Enhance the 802.11 Medium Access Control (MAC) to enhance security and authentication mechanisms CCSCSE 2003
Interferences (802.11b) 2.4GHz Cordless Phone Some other wireless network Microwave oven Access Point CCSCSE 2003
IEEE 802.11b Specifications (a brief overview) Transmission of approximately 11 Mbps of data Half Duplex protocol Use of CSMA/CA (collision avoidance) instead of CSMA/CD (collision detection) Total of 14 frequency channels. FCC allows channels 1 through 11 within the U.S in 2.4 GHz ISM band Only channels 1, 6 and 11 can be used without causing interference between access points Wired Equivalent Privacy (WEP) based on Symmetric RC4 Encryption algorithm Use of Service Set Identifier (SSID) as network identifier CCSCSE 2003
General WLAN Vulnerabilities Eavesdropping Invasion and Resource Stealing Traffic Redirection Denial Of Service Attack Rogue Access Point No per packet authentication No central authentication, authorization, and accounting (AAA) support CCSCSE 2003
802.11b Vulnerabilities MAC address based authentication One-Way authentication SSID Static WEP Keys WEP key vulnerabilities Manual Key Management Key Size Initialization Vector Decryption Dictionaries CCSCSE 2003
WEP Encryption CCSCSE 2003
IEEE 802.1x IEEE 802.1x is a port based authentication protocol. It forms the basis for IEEE 802.11i standard. There are three different types of entities in a typical 802.1x network including a supplicant, an authenticator, and an authentication server. In an un-authorized state, the port allows only DHCP and EAP (Extensible Authentication Protocol) traffic to pass through. CCSCSE 2003
EAPOL Exchange CCSCSE 2003
IEEE 802.1x – Pros / Cons Dynamic Session Key Management Open Standards Based Centralized User Administration User Based Identification Absence Of Mutual Authentication Lack of clear communication between 802.11 and 802.11i state machines and message authenticity CCSCSE 2003
Absence Of Mutual Authentication Supplicant always trusts the Authenticator but not vice versa This opens the door for “MAN IN THE MIDDLE ATTACK” CCSCSE 2003
Session Hijack Attack 802.11 State Machine 802.11i State Machine CCSCSE 2003
Session Hijack Attack (…cont) CCSCSE 2003
Alternate Solutions Virtual Private Networks (VPN) Cisco LEAP User Authentication Encryption Cisco LEAP Mutual Authentication Per Session based Keys Secure Socket Layer (SSL) Digital Certificates CCSCSE 2003
WEP Attack CCSCSE 2003
Man In The Middle & Session Hijack Attacks CCSCSE 2003
LEAP Enabled Access Point Cisco LEAP Setup LEAP Enabled Client LEAP Enabled Access Point AAA Server CCSCSE 2003
Pass Through Access Point VPN Setup VPN Client Pass Through Access Point VPN Server CCSCSE 2003
Pass Through Access Point SSL Setup SSL Client Pass Through Access Point SSL Server CCSCSE 2003
A Specialized Computer Security Lab NSF CCLI A&I grant: 2003-2005 Two Focuses: DCSL: Distributed Computer Security Lab Between UHCL and UHD Possibly extended to other small or medium-sized colleges Customizable testbed for various security-related experiments/projects Module-based Computer Security Courseware Design On-going Looking for collaborators, courseware developers, users, … CCSCSE 2003
CCSCSE 2003
Computer Security Courseware Module-based Computer Security Courseware Design Units: Modules, submodules, artifacts, … CCSCSE 2003
References John Pescatore, “Wireless Networks: Can Security Catch Up With Business?” Arunesh Mishra, William A. Arbaugh, “An Initial Security Analysis of the IEEE 802.1x Standard”, Department Of Computer Science, University Of Maryland, Feb 06 2002 WLAN Association, “Wireless Networking Standards and Organizations”, WLANA Resource Center, April 17 2002 Cisco Networks, “Cisco Aironet Response to University of Maryland’s paper” John Vollbrecht, David Rago, and Robert Moskowitz. “Wireless LAN Access Control and Authentication”, White Papers at Interlink Networks Resource Library, 2001 Nikita Borisov, Ian Goldberg, and David Wagner “Security of WEP Algorithm”, ISAAC, Computer Science Department, University Of California Berkely CCSCSE 2003