Securing the Wireless LAN

George Ou
Network Systems Architect
Contributing editor – ZDNet

Contents

- Introduction
- Relative risks of Wireless LANs
- Six dumbest ways to secure a WLAN
- Tools of the wireless LAN hacker
- The best ways to secure the WLAN
- SOHO WLAN implementations
- Enterprise WLAN implementations
Introduction

- Wireless security is a huge headache in IT
- Wireless security is widely misunderstood
- Wireless security is everyone’s problem even if you don’t “think” you have a WLAN
- Banning WLANs often results in “improvised” home-grown solutions
- Wireless LANs can be secured
- Wireless security is applicable elsewhere in IT
Relative risks of Wireless LANs

- Wireless security is NOT an oxymoron
- Less dangerous than having an Internet connection, direct or indirect
  - Attacks from the Internet can come from anywhere on the entire globe
    - Web/FTP/Mail/DNS servers
    - Back doors (R00TK1T5) that can dial home
- Attacks on Wireless LANs are limited to a couple of kilometers
Six dumbest ways to secure a WLAN
Overview

- MAC “authentication”
- SSID “hiding”
- LEAP authentication
- Disabling DHCP
- Antenna placement and signal suppression
- Switch to 802.11a or Bluetooth Wireless LANs
______________________________________
- Dishonorable mention: WEP

Original article on http://blogs.zdnet.com/Ou

Six dumbest ways to secure a WLAN
MAC “authentication”

- Use of the word “authentication” is laughable
  - All that’s happening is MAC address filtering
- MAC addresses are transmitted in clear text
  - Extremely easy to capture
  - Extremely easy to clone and defeat
- Extremely difficult to manage MAC filtering

Six dumbest ways to secure a WLAN
MAC spoofing
Six dumbest ways to secure a WLAN
SSID “hiding”

- No such thing as “hiding” an SSID
  - All that’s happening is Access Point beacon suppression
- Four other SSID broadcasts not suppressed
  - Probe requests
  - Probe responses
  - Association requests
  - Re-association requests
- SSIDs must be transmitted in clear text or else 802.11 cannot function
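To make the point of the MAC “authentication” and SSID “hiding” slides concrete, here is an added Python example that is not part of George Ou’s deck: it builds a few constructed 802.11 management frames and parses the cleartext addresses and the SSID element back out, the same data any station in range sees without any key. The access point and client addresses, the network name CorpWLAN and the frame contents are invented for the demonstration; the frame layout (24-byte MAC header, subtype-specific fixed fields, then tag/length/value information elements) follows the 802.11 standard.

```python
import struct

# Management frame subtypes (802.11 frame-control field, type 0)
SUBTYPE_NAMES = {0: "association-request", 1: "association-response",
                 2: "reassociation-request", 3: "reassociation-response",
                 4: "probe-request", 5: "probe-response", 8: "beacon"}
# Bytes of fixed fields that precede the information elements in each subtype
FIXED_FIELD_LEN = {0: 4, 1: 6, 2: 10, 3: 6, 4: 0, 5: 12, 8: 12}
BROADCAST = b"\xff" * 6
MAC_HEADER = "<HH6s6s6sH"  # frame control, duration, addr1, addr2, addr3, sequence control


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype: int, addr1: bytes, addr2: bytes, addr3: bytes,
                     fixed: bytes, ssid: str) -> bytes:
    """Assemble a minimal (constructed, not captured) management frame:
    24-byte MAC header, subtype fixed fields, then an SSID element (tag 0)
    and a Supported Rates element (tag 1)."""
    fc = subtype << 4  # protocol version 0, type 0 (management)
    header = struct.pack(MAC_HEADER, fc, 0, addr1, addr2, addr3, 0)
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode()
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mbit/s (basic)
    return header + fixed + ssid_ie + rates_ie


def parse_mgmt_frame(frame: bytes) -> dict:
    """Read the three cleartext MAC addresses and the SSID element out of a
    management frame. Nothing is decrypted here; this is what every radio in
    range already receives."""
    fc, _dur, addr1, addr2, addr3, _seq = struct.unpack_from(MAC_HEADER, frame, 0)
    if (fc >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = (fc >> 4) & 0xF
    pos = 24 + FIXED_FIELD_LEN[subtype]
    elements = {}
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        elements[tag] = value
        pos += 2 + length
    ssid = elements.get(0)
    return {"subtype": SUBTYPE_NAMES.get(subtype, f"subtype-{subtype}"),
            "addr1": mac_str(addr1), "addr2": mac_str(addr2), "bssid": mac_str(addr3),
            "ssid": None if ssid is None else ssid.decode(errors="replace")}


def ssids_from_non_beacons(frames) -> set:
    """The audit check a defender can run on a monitor-mode capture: collect
    every non-empty SSID carried by frames other than beacons. A 'hidden'
    network appears here as soon as any client probes for it or associates."""
    found = set()
    for frame in frames:
        info = parse_mgmt_frame(frame)
        if info["subtype"] != "beacon" and info["ssid"]:
            found.add(info["ssid"])
    return found


# Constructed sample traffic for a 'hidden' network named CorpWLAN
AP = bytes.fromhex("66778899aabb")      # hypothetical access point address
CLIENT = bytes.fromhex("001122334455")  # hypothetical client address
SAMPLE_FRAMES = [
    # Beacon with SSID suppressed: the SSID element is present but zero-length
    build_mgmt_frame(8, BROADCAST, AP, AP, bytes(12), ""),
    # The client asks for the network by name...
    build_mgmt_frame(4, BROADCAST, CLIENT, BROADCAST, b"", "CorpWLAN"),
    # ...the AP answers by name...
    build_mgmt_frame(5, CLIENT, AP, AP, bytes(12), "CorpWLAN"),
    # ...and the association request repeats it once more
    build_mgmt_frame(0, AP, CLIENT, AP, bytes(4), "CorpWLAN"),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_mgmt_frame(f))
    print("SSIDs visible despite beacon suppression:", ssids_from_non_beacons(SAMPLE_FRAMES))
```

Run over a real capture, this parse is essentially what Kismet does to list a “hidden” network by name and to list client MAC addresses. The defender’s takeaway is that an SSID or MAC-filter audit has to look at client frames, not only at beacons, and that neither value can serve as a secret.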
Six dumbest ways to secure a WLAN
LEAP authentication

- Cisco LEAP authentication is extremely weak
- LEAP successor EAP-FAST not much better
- Cisco dominates the Enterprise WLAN market
  - Significant percentage of Cisco shops use LEAP but have started to migrate to EAP-TLS
- LEAP and EAP-FAST are free on the client side
  - Only Cisco can sell LEAP and EAP-FAST on Access Points
  - Cisco APs support all open authentication standards like EAP-TLS and PEAP
Six dumbest ways to secure a WLAN
Disabling DHCP

- Disabling DHCP and forcing the use of static IP addresses is another common myth
- IP schemes are easy to figure out since the IP addresses are sent over the air in clear text
- Takes less than a minute to figure out an IP scheme and statically enter an IP address
Six dumbest ways to secure a WLAN
Antenna placement and signal suppression

- Antenna placement and signal suppression does nothing to encrypt data
- The hacker’s antenna is bigger than yours
  - Directional high-gain antennas can pick up a weak signal from several kilometers away
- Lowering the signal hurts legitimate users a lot more than it hurts the hackers
- Wi-Fi paint or wallpaper is not 100% leak-proof and very expensive to implement
Six dumbest ways to secure a WLAN
Switch to 802.11a or Bluetooth wireless LANs

- 802.11a is a transport mechanism similar to 802.11b or 802.11g
  - 802.11a has nothing to do with security
  - Pray that the hacker doesn’t have 5 GHz 802.11a capable equipment
- Bluetooth is more of a wireless USB alternative
  - Can be used for wireless networking but not designed as an 802.11a or b/g replacement
Six dumbest ways to secure a WLAN
Dishonorable mention: WEP

- WEP barely missed the six dumbest list because it can still hold up for a couple of minutes
- Hacker named “KoreK” released a new WEP analysis tool in August 2004
- WEP coupled with 802.1x and EAP key rotation (AKA DWEP) is considered broken
- Packet injection techniques lower WEP cracking times to minutes

Article: Next generation WEP cracking tools


Tools of the wireless LAN hacker
Overview

- Software
  - Auditor CD
  - Kismet
  - ASLEAP
  - Void11, Aireplay, Airodump, and Aircrack
- Hardware
  - Cheap and compatible CardBus adapters
  - Omni-directional high-gain antennas
  - Directional high-gain antennas
  - Off-the-shelf laptop computer
Tools of the wireless LAN hacker
Auditor CD

- Bootable Linux CD with every security auditing tool under the sun
- Everything needed to penetrate most wireless LANs and more
- Mentioned as a favorite of the FBI
- Relatively easy to use
Tools of the wireless LAN hacker
Kismet

- Kismet is a Linux wireless LAN audit tool
  - Can see “hidden” SSIDs
  - Can see MAC addresses
  - Can see IP schemes
  - Can capture raw packets
- GUI version lays everything out
Tools of the wireless LAN hacker
ASLEAP

- ASLEAP cracks Cisco LEAP authentication
  - Exploits weak MSCHAPv2 authentication
  - Uses pre-computed indexed hash tables
  - Checks 45 million passwords a second
- Upgraded to support PPTP VPN cracking
Tools of the wireless LAN hacker
Void11, Aireplay, Airodump, and Aircrack

- New set of tools makes WEP cracking hundreds of times faster
  - Void11 forces users to re-authenticate
  - Aireplay monitors the re-auth session for ARP and then plays back the ARP request to trigger responses from legitimate computers
  - Airodump captures all of the raw packets
  - Aircrack only needs 200,000 packets instead of the 10,000,000 packets needed by previous tools
Tools of the wireless LAN hacker
Hardware: Cheap and compatible CardBus adapters

- Prism 2/3 based 802.11b adapters
- PrismGT based 802.11b/g adapters
- Atheros based 802.11a/b/g adapters
- All typically around $40 to $70 USD
- All compatible with Linux cracking tools
Tools of the wireless LAN hacker
Omni-directional high-gain antennas

- Typically 7 to 9 dB gain
- General purpose surveying and war driving
- Can be used to create an evil twin access point
- Less than $100 USD

Tools of the wireless LAN hacker
Directional high-gain antennas

- Used to aim and focus in on the victim
- Picks up weak signals many kilometers away
- Around $100 USD

Tools of the wireless LAN hacker
Off-the-shelf laptops

- Any laptop or PC can be used for hacking
- New laptops with good cracking speed are as low as $400 USD
- Wireless hacking is NOT cost prohibitive!
The best ways to secure the WLAN
Overview

- Good cryptography allows secure communications over an unsecured medium
- Follow best-practice cryptographic principles
  - Strong authentication
  - Strong encryption
  - WPA and WPA2 standards
The best ways to secure the WLAN
Strong authentication background

- Strong authentication is often overlooked
- Well established secure authentication methods all use SSL or TLS tunnels
  - TLS is the successor of SSL
  - SSL has been used for nearly a decade in E-Commerce
- SSL or TLS requires Digital Certificates
  - Digital Certificates usually involve some form of PKI and Certificate management
The best ways to secure the WLAN
Strong authentication in Wireless LANs

- Wireless LANs typically use 802.1x and EAP
- Common standard EAP types are EAP-TLS, EAP-TTLS and PEAP
  - LEAP and EAP-FAST are not standard
- EAP-TLS requires server and client certificates
- EAP-TTLS and PEAP only require client-side certificates
- EAP-TTLS created by Funk and Certicom
- PEAP created by Microsoft, Cisco and RSA

Details on EAP types at: http://blogs.zdnet.com/Ou/?p=67
The best ways to secure the WLAN
Strong authentication and RADIUS servers

- EAP authentication requires RADIUS support in the Access Point and one or more RADIUS servers
- Microsoft Windows 2003 Server has a fully functional RADIUS component called IAS
  - Supports EAP-TLS and PEAP
  - Windows 2000 only supports EAP-TLS
  - Easily integrates into NT domains or Active Directory
- Funk Software makes Steel-Belted and Odyssey
- Open source FreeRADIUS supports a broad range of EAP types
The best ways to secure the WLAN
Strong encryption

- Encryption is well understood
- No known methods of breaking good encryption
  - DES encryption has never been cryptanalyzed in nearly 30 years and must be brute forced
  - 3DES still considered solid but slow
  - AES is the official successor to DES and is solid at 128, 192, or 256 bits
The best ways to secure the WLAN
Strong encryption in Wireless LANs

- RC4 encryption is known to be weak
  - WEP uses a form of RC4 encryption
  - Dynamic WEP makes WEP cracking harder
  - TKIP is a rewritten WEP algorithm
  - No known methods against TKIP yet but some theoretical attacks are on the horizon
- AES encryption mandated in the newest Wireless LAN standards is rock solid
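As an added example that is not from the deck, the following Python shows the structural reason the WEP slides can call RC4-based WEP broken regardless of key length and why dynamic WEP only delays the problem: WEP prepends a 24-bit cleartext IV to a static shared key, so the keystream space is exhausted after 2^24 frames and, by the birthday bound, an IV typically repeats after a few thousand. The key, IV and frame contents are constructed for the demonstration; the cipher, the IV||key construction and the CRC-32 ICV are the standard WEP design.

```python
import math
import struct
import zlib
from typing import Optional


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + output generator), the cipher underneath WEP."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte IV sent in clear, then RC4(IV || key) applied to
    plaintext || CRC-32 ICV. No per-packet key mixing, no keyed integrity check."""
    if len(iv) != 3 or len(shared_key) not in (5, 13):
        raise ValueError("WEP uses a 24-bit IV and a 40- or 104-bit shared key")
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    body = plaintext + icv
    return iv + xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))


def wep_decrypt(shared_key: bytes, frame_body: bytes) -> bytes:
    iv, ciphertext = frame_body[:3], frame_body[3:]
    body = xor_bytes(ciphertext, rc4_keystream(iv + shared_key, len(ciphertext)))
    plaintext, icv = body[:-4], body[-4:]
    if struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF) != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def keystream_cancels(frame_a: bytes, frame_b: bytes) -> Optional[bytes]:
    """Two frames under the same IV share one keystream, so XOR-ing their
    ciphertexts removes it and leaves plaintext_a XOR plaintext_b with no key
    involved at all. Returns None when the IVs differ (nothing cancels)."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor_bytes(frame_a[3:], frame_b[3:])


def expected_frames_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^n) randomly chosen IVs before the
    first repeat; a few thousand frames for WEP's 24-bit IV."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


# Constructed demonstration values, not real keys or captured traffic
DEMO_KEY = b"\x01\x02\x03\x04\x05"   # hypothetical 40-bit WEP key
DEMO_IV = b"\x0a\x0b\x0c"
PLAIN_A = b"ARP who-has 10.0.0.1"
PLAIN_B = b"ARP who-has 10.0.0.2"

if __name__ == "__main__":
    frame_a = wep_encrypt(DEMO_KEY, DEMO_IV, PLAIN_A)
    frame_b = wep_encrypt(DEMO_KEY, DEMO_IV, PLAIN_B)   # same IV reused
    leak = keystream_cancels(frame_a, frame_b)
    print("known plaintext A reveals B:", xor_bytes(leak, PLAIN_A))
    print("expected frames before an IV repeats:", round(expected_frames_until_iv_repeat()))
```

Rotating the shared key (dynamic WEP) shrinks how much traffic shares one key but leaves the 24-bit IV and the unkeyed CRC in place; TKIP is the rewrite that fixes those two things on the same RC4 hardware (a 48-bit sequence counter, per-packet key mixing and the Michael MIC), and AES-CCMP replaces the cipher altogether.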
The best ways to secure the WLAN
WPA and WPA2 standards

- WPA uses a trimmed-down version of 802.11i
- WPA2 uses the ratified 802.11i standard
- WPA and WPA2 certified EAP types
  - EAP-TLS (first certified EAP type)
  - EAP-TTLS
  - PEAPv0/EAP-MSCHAPv2 (commonly known as PEAP)
  - PEAPv1/EAP-GTC
  - EAP-SIM
- WPA requires TKIP capability with AES optional
- WPA2 requires both TKIP and AES capability

Details on EAP types at: http://blogs.zdnet.com/Ou/?p=67
SOHO WLAN implementations

- Minimum encryption should be TKIP
- Run AES encryption if possible
- EAP authentication usually not feasible for small offices and home offices
  - SOHO WLANs usually rely on WPA-PSK
  - PSK (pre-shared key) is easier than WEP with its 26 hex digits
  - PSK must be at least 8 alphanumeric random characters
- Zyxel offers Access Points with PEAP RADIUS built in
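An added example, not from the deck, of what “WPA-PSK” and “at least 8 random alphanumeric characters” mean in practice: the passphrase is stretched into the 256-bit pairwise master key with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 rounds as IEEE 802.11i specifies, and the only thing protecting that key from an offline guess once a handshake has been recorded is the passphrase’s entropy. The helper names, the 62-symbol alphabet and the guess rate passed to years_to_exhaust are illustrative choices; the “password”/“IEEE” pair is the published 802.11i test vector.

```python
import hashlib
import math
import secrets
import string

PBKDF2_ROUNDS = 4096  # fixed by IEEE 802.11i for WPA/WPA2-Personal
# Published 802.11i test vector: (passphrase, SSID, expected PSK as hex)
KNOWN_VECTOR = ("password", "IEEE",
                "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK (= PMK) = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
    The SSID is the only salt, so one passphrase on one SSID yields the same
    key everywhere, and the 4096 rounds are the only brake on offline
    guessing once a four-way handshake has been recorded."""
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) < 127 for c in passphrase):
        raise ValueError("WPA passphrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, 32)


def self_check() -> bool:
    """Confirm the derivation against the 802.11i test vector."""
    passphrase, ssid, expected = KNOWN_VECTOR
    return wpa_psk(passphrase, ssid).hex() == expected


def passphrase_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a passphrase drawn uniformly at random from alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Full-keyspace search time at a given PBKDF2 guess rate (the attacker's worst case)."""
    return 2 ** entropy_bits / guesses_per_second / (365 * 24 * 3600)


def random_alphanumeric_passphrase(length: int = 20) -> str:
    """Draw the PSK from the OS CSPRNG instead of choosing a memorable phrase."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("802.11i test vector reproduced:", self_check())
    rate = 1e5  # assumed, illustrative PBKDF2 guess rate; substitute your own estimate
    for n in (8, 12, 20):
        bits = passphrase_entropy_bits(n, 62)
        print(f"{n} random alphanumerics: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, rate):.3g} years to exhaust at {rate:.0e} guesses/s")
    print("example PSK:", random_alphanumeric_passphrase())
```

Eight random alphanumerics give about 48 bits, which is the floor the slide sets; the derivation costs the same whether the passphrase is 8 or 63 characters, so longer random passphrases are free for the defender and expensive for the guesser, and a passphrase taken from a word list has far less entropy than its length suggests.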
Enterprise WLAN implementations
WPA and WPA2 standards

- Minimum encryption should be TKIP
- Run AES encryption if possible
- EAP-TLS authentication recommended
- PEAP or EAP-TTLS authentication at a minimum
Enterprise WLAN implementations
Wireless Switches

- Wireless LAN switches manage large numbers of Access Points
  - Much easier to manage
- Wireless switch makers
  - Symbol
  - Cisco Airespace
  - Aruba
Enterprise WLAN implementations
Advanced security implementations

- Multiple Virtual SSID and VLAN support
  - VLAN assignment based on group membership
  - Guest Wireless LANs that are isolated
- Mitigating WEP security risks for WEP-only devices using Firewall or Router ACLs (Access Control Lists)
  - Can be done with a single device such as the Cisco 851W which is a Firewall, Router, Managed Switch, and Access Point all-in-one
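An added example (not the deck’s and not Cisco’s code) of the ACL approach on the last slide, written as a small first-match ACL evaluator in Python rather than in router syntax so that the policy can be tested offline: WEP-only devices are placed on their own VLAN and allowed to reach only the services they exist for, with the rest of the internal network and the Internet denied. The VLAN, subnets, server addresses and ports are assumptions chosen for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None    # None matches any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def matching_rule_index(acl: List[Rule], pkt: Packet) -> Optional[int]:
    """Index of the first rule that matches, or None when only the implicit deny applies."""
    for i, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return i
    return None


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Router/firewall ACL semantics: first match wins, unmatched traffic is denied."""
    i = matching_rule_index(acl, pkt)
    return "deny" if i is None else acl[i].action


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed addressing (assumptions, not from the deck): the WEP-only devices
# sit on their own VLAN, 192.168.50.0/24, and exist only to resolve names and
# print labels. Everything else inside and all Internet access is denied, so a
# recovered WEP key buys a foothold on a segment that leads nowhere.
WEP_VLAN = net("192.168.50.0/24")
WEP_VLAN_ACL = [
    Rule("permit", WEP_VLAN, net("10.0.1.53/32"), "udp", 53),    # internal DNS
    Rule("permit", WEP_VLAN, net("10.0.1.20/32"), "tcp", 9100),  # print server
    Rule("deny",   WEP_VLAN, net("10.0.0.0/8")),                 # rest of the corporate network
    Rule("deny",   WEP_VLAN, net("192.168.0.0/16")),             # other access VLANs
    # no trailing permit: the implicit deny also blocks the Internet
]

if __name__ == "__main__":
    for pkt in (Packet("192.168.50.12", "10.0.1.20", "tcp", 9100),
                Packet("192.168.50.12", "10.0.1.30", "tcp", 445),
                Packet("192.168.50.12", "203.0.113.5", "tcp", 443)):
        print(pkt, "->", evaluate(WEP_VLAN_ACL, pkt))
```

The order matters: the two permits must precede the broad denies, and the absence of a closing permit is deliberate. Keeping the policy in a form like this lets the expected permit and deny cases be checked before the equivalent lines go onto the router or firewall that sits between the WEP VLAN and the rest of the network.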
