
1 Securing a Wireless Network

2 Wireless networks are rapidly becoming pervasive.
- How many of you have web-enabled cell phones?
- How many of you have networked PDAs and Pocket PCs?
- How many of you have laptops with wireless network cards?
- How many of you have wireless networks at work? at home?
- How many of you use wireless networks when you are out and about?

3 Securing a Wireless Network
Of those of you who have wireless devices, how many of you:
- protect your wireless device with a password?
- encrypt the data in your wireless device?
- employ any type of security with your wireless device?
- employ security with your wireless network?

4 Securing a Wireless Network
- Wireless Technology
- Security Vulnerabilities with Wireless Networks
- Wireless Security Solutions
- Precautions

5 Securing a Wireless Network
Most wireless networks today use the 802.11 standard for communication. 802.11b became the standard wireless Ethernet networking technology for both business and home in 2000. The IEEE 802.11 Standard is an interoperability standard for wireless LAN devices that identifies three major distribution systems for wireless data communication:
- Direct Sequence Spread Spectrum (DSSS) Radio Technology
- Frequency Hopping Spread Spectrum (FHSS) Radio Technology
- Infrared Technology

6 Independent Basic Service Set (IBSS) - computers talk directly to each other

7 [Basic Service Set (BSS)] Network - all traffic passes through a wireless access point

8 Extended Service Set (ESS) Network - traffic passes through multiple wireless access points

9 IEEE 802.11b specification
- wireless transmission of approximately 11 Mbps of raw data
- indoor distances from several dozen to several hundred feet
- outdoor distances of several to tens of miles
- use of the 2.4 GHz band.
- 802.11b appeared in commercial form in mid-1999.
- Wireless Ethernet Compatibility Alliance (WECA) certifies equipment as conforming to the 802.11b standard, and allows compliant hardware to be stamped Wi-Fi compatible.
- wireless NICs transmit in the range of 11, 5.5, 2 and 1 Mbit/s at a frequency of 2.4 GHz.
- 802.11b is a half duplex protocol

10 IEEE 802.11b specification
- Multiple 802.11b access points can operate in the same overlapping area over different channels, which are subdivisions for the 2.4 GHz band. There are 14 channels, which are staggered at a few megahertz intervals, from 2.4000 to 2.4835 GHz. Only channels 1, 6, and 11 have no overlap among them.
- cards equipped with the Wired Equivalent Privacy (WEP) data encryption, based on the 64 bit RC4 encryption algorithm as defined in the IEEE 802.11b standard on wireless LANs. In addition, there are more expensive cards that are able to use 128 bit encryption. All your nodes must be at the same encryption level with the same key to operate.

11 IEEE 802.11b specification
- Any network adapter coming within range of another 802.11b network adapter or access point can instantly connect and join the network unless WEP – wireless encryption protocol – is enabled. WEP is secure enough for most homes and businesses, but don’t think it can’t be hacked. There are several flaws in WEP making it unusable for high security applications. At this point, it takes some serious hacking abilities to bust into a WEP enabled network so home users should not worry.
- Full strength 802.11b signal will get you about 3.5-4.5 Mbps without WEP enabled. With WEP enabled, expect 2.5-3.5 Mbps. As you put walls and distance between your wireless adapter and your access point, your speed will drop. Don’t expect to put more than a few walls between you and your access point.

12 IEEE 802.11a specification
- Within the last year, devices that comply with the 802.11a standard (54 Mbps over the 5 GHz band) have been released. 802.11a also has 12 channels (eight in the low part of the band and four in the upper) which do not overlap, allowing denser installations. 802.11a's range is apparently less, but it can often transmit at higher speeds at similar distances compared to 802.11b.
- 802.11a devices use the same Wired Equivalent Privacy (WEP) security. Some vendors, such as Orinoco and Proxim, have included configurable (albeit non-standard) high-encryption capabilities into their access points to prevent simple WEP cracking.

13 IEEE 802.11g… specification
- 802.11g devices (54 Mbps over 2.4 GHz) will be released in mid-2003. 802.11g features backwards compatibility with 802.11b, and offers three additional encodings (one mandatory, two optional) that boost its speed.
- Several related IEEE protocols address security, quality of service, and adaptive signal use (802.11e, h, and i, among others). 802.11i will offer additional security for 802.11. This standard will replace WEP and build on IEEE 802.1X.
- IEEE 802.1x is a standard for passing EAP over a wired or wireless LAN

14 Security Vulnerabilities
- packet sniffing - war drivers; high-gain antenna
  - War Driver Map of LA
  - Antenna on the Cheap (er, Chip) - Pringle's can antenna
  - Coffee Can Antenna
- resource stealing - using a valid station's MAC address
- traffic redirection - modifying ARP tables
- rogue networks and station redirection [network administrators also rely on manufacturers' default Service Set IDentifiers (SSIDs)] The Gartner Group estimates that at least 20 percent of enterprises have rogue wireless LANs attached to their networks.
- DoS (any radio source including 2.4 GHz cordless phones)

15 Security Vulnerabilities
- The Wired Equivalent Privacy (WEP) algorithm is used to protect wireless communication from eavesdropping. A secondary function of WEP is to prevent unauthorized access to a wireless network.
- WEP relies on a secret key that is shared between a mobile station and an access point. The secret key is used to encrypt packets before they are transmitted, and an integrity check is used to ensure that packets are not modified in transit. Most installations use a single key that is shared between all mobile stations and access points. More sophisticated key management techniques can be used to help defend from attacks.

16 Security Vulnerabilities
- WEP uses the RC4 encryption algorithm, known as a stream cipher. A stream cipher expands a short key into an infinite pseudo-random key stream. The sender XORs the key stream with the plaintext to produce ciphertext. The receiver has a copy of the same key, and uses it to generate an identical key stream. XORing the key stream with the ciphertext yields the original plaintext.
- If an attacker flips a bit in the ciphertext, then upon decryption, the corresponding bit in the plaintext will be flipped. Also, if an eavesdropper intercepts two ciphertexts encrypted with the same key stream, it is possible to obtain the XOR of the two plaintexts. Once one of the plaintexts becomes known, it is trivial to recover all of the others.
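The key stream properties described on slide 16, as an added example that is not part of the original presentation. It assumes a simplified WEP-like scheme (RC4 keyed with a 24-bit IV prepended to the shared secret, integrity value omitted); the function names, key, IV and plaintexts are constructed for illustration, and `reused_ivs` is a hypothetical audit helper that flags frames sharing a key stream.

```python
from collections import Counter

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Generate n bytes of RC4 key stream for the given key."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # output generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_like_encrypt(iv: bytes, secret: bytes, data: bytes) -> bytes:
    """Simplified WEP: RC4 keyed with IV || secret. Decryption is the same call."""
    return xor(data, rc4_keystream(iv + secret, len(data)))

def reused_ivs(frames):
    """Audit helper: return IVs that appear on more than one captured frame."""
    counts = Counter(iv for iv, _ in frames)
    return sorted(iv for iv, n in counts.items() if n > 1)

# Constructed sample data (not from the presentation).
SECRET = bytes.fromhex("0102030405")           # 40-bit shared key
IV = bytes.fromhex("a1b2c3")                   # 24-bit per-frame value
P1 = b"GET /index.html HTTP/1.0"
P2 = b"user=alice;pin=4821;ok=1"

def demo():
    c1 = wep_like_encrypt(IV, SECRET, P1)
    c2 = wep_like_encrypt(IV, SECRET, P2)      # same IV, so same key stream
    leaked_xor = xor(c1, c2)                   # key stream cancels out
    recovered_p2 = xor(leaked_xor, P1)         # P1 known, so P2 follows
    flipped = c2[:-1] + bytes([c2[-1] ^ 0x01]) # flip one ciphertext bit
    tampered_p2 = wep_like_encrypt(IV, SECRET, flipped)
    frames = [(IV, c1), (bytes.fromhex("a1b2c4"), b"\x00"), (IV, c2)]
    return leaked_xor, recovered_p2, tampered_p2, reused_ivs(frames)

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The tampered frame decrypts with its last character changed from `1` to `0`, which is why encryption alone does not protect integrity and why key streams must never repeat.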

17 Security Solutions
- Wired Equivalent Privacy (WEP) and WEP2
- Media access control (MAC) addresses: configuring access points to permit only particular MAC addresses onto the network. Easy to implement, but fairly easy to defeat.
- IEEE 802.1X: This standard, supported by Windows XP, defines a framework for MAC-level authentication. Susceptible to session-hijacking and man-in-the-middle attacks.
- VPNs: using a VPN to encrypt data on wireless networks. VPNs require a lot of management and client configuration.
- User authentication
- The Temporal Key Integrity Protocol (TKIP) [IEEE 802.11i]

18 Security Solutions
- Advanced Encryption Standard (AES) encryption [IEEE 802.11i]
- "Key-hopping" technology that can change the encryption key as often as every few seconds.
- EAP-TTLS (Extensible Authentication Protocol (EAP) - Tunneled Transport Layer Security)
- Enhanced Security Network (ESN) - Extended Service Set with:
  - enhanced authentication mechanism for both STAs and APs based on 802.11x
  - key management
  - dynamic, association-specific cryptographic keys
  - enhanced data encapsulation using AES

19 Security Solutions
Wireless Protocol Analyzers. They can:
- check for unknown MAC (Media Access Control) addresses and alert the network manager
- log attempts to gain unauthorized access to the network
- filter access attempts based on the type of network card
- conduct site survey of traffic usage
- find dead zones in the wireless network

20 Wireless Security Precautions
- Change default names
- Add passwords to all devices
- Disable broadcasting on network hubs
- Don't give the network a name that identifies your company
- Move wireless hubs away from windows
- Use the built-in encryption
- Disable the features you don't use
- Put a firewall between the wireless network and other company computers
- Encrypt data
- Regularly test wireless network security

21 Securing a Wireless Network
"What's happening with wireless networks is that it's no more or less secure than anything else. It's just [that] with a wireless LAN [local area network] you need a new page in the rule book. Security doesn't stop at the perimeter of the company building." [Geoff Davies, managing director of I-SEC, a specialist information security company, reprinted in Financial Times, July 1 2002]

