
Chapter7 Wireless Security

Chapter 7 covers wireless security, focusing on the operation and security issues of Wireless Local Area Networks (WLANs). It discusses the vulnerabilities of WEP encryption and the importance of secure deployment practices, including the use of stronger encryption methods like WPA and VPNs. The chapter also highlights the risks of eavesdropping and unauthorized access, emphasizing the need for robust security measures in wireless networks.

Uploaded by

humaira shazwin

Chapter 7: WIRELESS SECURITY
Topics Covered
• Introduction
• Basic operation
• Current wireless technology
• Wireless security issues
• How to deploy wireless safely
Learning Objectives
• By the end of this session, students should be able to:
1. Discuss the standard architectures and basic operation of
wireless LAN (WLAN)
2. Understand the security issues involved in WLAN
3. Know how to deploy a wireless network safely
Introduction
• The main standard for Wireless Local Area Network
(WLAN) – 802.11 family of standards ( 802.11x [a,b,g…] )
• Signals travel a few tens of meters
• Ethernet (wired) uses physical transmission media – copper
wire, optical cable
• WLANs use radio transmission – spread signals widely
• Why was wireless invented, and why is it used?
• Advantages?
• Disadvantages?
Topics Covered
• Introduction
• Basic operation
• Current wireless technology
• Wireless security issues
• How to deploy wireless safely
Basic Operation
Consists of main wired network, access points (AP)
and wireless stations
Basic Operation
• Main Wired Network
• WLAN connected to site’s main wired LAN
• Assume that the LAN is Ethernet
• Main Ethernet LAN is needed because most wireless devices are
client machines, and the servers they connect to are located on the
Ethernet LAN
• Access Points (AP)
• Also called wireless access point – serves a number of functions
• 1. a bridge between the main wired LAN and wireless LAN. Bridges
are devices that connect two LANs of different technology –
802.3 (Ethernet) and 802.11 (wireless)
• 2. access point controls the wireless stations. Example -> it tells
stations what signal power to use when they transmit
Authenticity of WAP
• With a wired network, a system administrator
might determine who generated certain traffic
based on the physical port that the traffic came in
on.
• By assuming that inbound traffic on a particular
port is always coming from a certain source, there
is no need to constantly verify where the traffic
was coming from.
• In wireless networking, many users can access
the network at the same access point, making it
more difficult to map who did what.
Eavesdropping in WAP
• All wireless packets are available to anyone who
listens
• It is impossible to physically keep people away
from the WAP
• Short of erecting a fence around your building, solutions
tend to rely on encryption in one form or another.
• This can include a static shared key, a key
generated from a static key, a dynamically generated
key, or negotiated keys.
Basic Operation

• Wireless Stations
• Normally need an add-in card called wireless NIC (network
interface card) – built in radios & antennas
Basic Operation
[Figure: Ethernet switch; 802.3 frame containing packet; 802.11 frame containing packet]
Basic Operation
• When a wireless station has a message to send
• It places a packet in an 802.11 frame and transmits
the frame to the access point
• The access point removes the packet from the
802.11 frame, places the packet in an Ethernet
frame 802.3.
• Sends the Ethernet frame to the server
• When the server replies, its reply packet contained
in an Ethernet frame goes to AP
Basic Operation
• AP removes the packet from Ethernet frame, places
packet in 802.11 frame and transmits 802.11 frame
to the wireless station
• Radio signals propagate only a few tens of meters;
as distance increases, the propagation difficulties
grow
• Wireless station and AP cope with these difficulties
by reducing the transmission speed for distant
stations
• Handoffs – one AP covers only fairly nearby
devices. To create a larger area – how?
Topics Covered

• Basic operation
• Current wireless technology
• Wireless security issues
• How to deploy wireless safely
Current Wireless
Technology
Standard | Rated Speed (a) | Unlicensed Radio Band | Effective Distance (b)
802.11b | 11 Mbps | 2.4 GHz | ~ 30 – 50 meters
802.11a | 54 Mbps | 5 GHz | ~ 10 – 30 meters
802.11g | 54 Mbps | 2.4 GHz | ?
• Multiple 802.11 standards exist
• Standards vary in rated speed, radio band used and
propagation distance
• (a) Actual speeds are much lower and decline with distance
• (b) These distances are for good communication; attackers can
read some signals and send attack frames from longer
distances
Current Wireless
Technology
• All 802.11 versions use spread spectrum
transmission – signal is spread over a wide range of
frequencies
• Used in military for security, however the types
used in 802.11 offer no security
• Designed to make it easy for stations to find and
hear one another
Transmission
Security
• Because WLANs use air as the medium (the signals are open to
anyone who happens to be in range), the security of
transmission is very important
• 802.11x standard defines – Wired Equivalent
Privacy (WEP) protocol to protect info as it passes
over the WLAN
• WEP offers 3 basic services:-
• Authentication
• Confidentiality
• Integrity
Authentication
• Used to authenticate station to the AP
• With Open System authentication – Station
considered authenticated if it responds with a MAC
address during initial exchange with AP
• This form of authentication provides no proof to
the AP of the station’s identity → MAC spoofing
• WEP can also use a cryptographic authentication
mechanism – relies on knowledge of a shared secret,
which is used with the RC4 algo to prove the identity of
the station
Authentication

• No mechanism to authenticate the AP back to the station –
leaves the station open to attaching to a rogue AP
• The whole exchange is open to man-in-the-middle or
interception attacks
Confidentiality
• Relies on RC4
• RC4 :-
• Is a well known strong algo thus is not easily
attacked
• Protects all of the protocol header info and data
above the 802.11x protocol (above layer 2)
• WEP supports keys of 40 bits and 128 bits
• Rely on static keys because WEP does not specify a key
management mechanism
Problems with WEP
• Service Set Identifier (SSID)
• 32-byte string (clear text) used as the network name
• In order for a station to associate with an AP, both
must have the same SSID
• At first – this appears to be a form of authentication
• If station does not have proper SSID, it cannot
associate and thus cannot be placed on the net
• Unfortunately, the SSID is broadcast by many APs
• This means any station that is listening can pick up
the SSID and attempt to add itself to the net
Problems with WEP
• WEP provides an authentication service
• Unfortunately, this service only authenticates the
station to the AP
• It does not provide mutual authentication, so the
station has no proof that the AP is in fact a valid
AP on the net
• Thus the use of WEP does not prevent an
interception or man-in-the-middle attack
Problems with WEP
• Off by Default
• Biggest problem with WEP is that it is not turned on by
default
• 40-bit passwords
• Forty bits is too short for good security
• However, many vendors now offer optional 128-bit
passwords (really 104-bit passwords with 24-bit
initialization vectors)
• Other issue - the choice of initialization vector
• Initialization vector is sent in clear portion of packet,
thus allowing an eavesdropper to see it
Problems with WEP
• Since an intruder can capture initialization vectors, it is
possible for the intruder to capture a sufficient
number of packets to determine the encryption key
• In fact, a tool to do just this is available
(WEPCrack)
• So, in the final analysis, although the RC4 algo is not
weak, the implementation of RC4 in WEP is flawed
and open to compromise
• Shared Passwords
• AP and all stations using it use the same reusable
password – bad idea
Problems with WEP
• Difficult to change shared passwords because the
change must be coordinated on the AP and
every mobile device that uses the AP
• Shared passwords are rarely changed; given
enough time, attackers can crack the password
• In addition, because “everybody knows” the
password, people share the password freely even
when they should not
Problems with WEP

• Flawed Algorithms
• Should always use well-tested algorithm
• Cryptanalysts found a number of serious
weaknesses in the WEP security algo that allowed
anyone listening to traffic to break the encryption
in a reasonable period of time
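The static-key and clear-text IV problems described in the slides above, as an added Python example that is not part of the original deck. The key, IVs and payloads are constructed, and the framing is simplified (no integrity check value); it shows that two frames sent under the same IV share a keystream, and how quickly a 24-bit IV space produces repeats.

```python
import math

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_like_frame(iv: bytes, shared_key: bytes, payload: bytes) -> bytes:
    """Simplified WEP framing: clear 3-byte IV, then payload XOR RC4(IV || key)."""
    return iv + xor(payload, rc4_keystream(iv + shared_key, len(payload)))

def reused_ivs(frames) -> set:
    """IVs seen on more than one captured frame (read from the clear header)."""
    seen, repeated = set(), set()
    for f in frames:
        iv = f[:3]
        (repeated if iv in seen else seen).add(iv)
    return repeated

def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday approximation: chance that random IVs repeat within `frames` frames."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * 2 ** iv_bits))

# Constructed key, IVs and payloads for illustration.
KEY = bytes.fromhex("0102030405")               # 40-bit static shared key
P1, P2 = b"GET /index.html ", b"POST /login.php "
F1 = wep_like_frame(b"\x00\x00\x01", KEY, P1)
F2 = wep_like_frame(b"\x00\x00\x01", KEY, P2)   # same IV, so same keystream
F3 = wep_like_frame(b"\x00\x00\x02", KEY, P1)

# With a repeated IV the keystream cancels: C1 XOR C2 equals P1 XOR P2.
LEAK = xor(F1[3:], F2[3:])
```

With randomly chosen IVs, a repeat becomes more likely than not after roughly 5,000 frames, which is why a key that is never changed cannot stay protected.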
Topics Covered
• Introduction
• Basic operation
• Current wireless technology
• Wireless security issues
• How to deploy wireless safely
Wireless Security
Issues
• With the deployment of WLAN, it is important to
understand the security risks that these networks
pose

• The risks range from eavesdropping to direct
internal attacks and even attacks against external
sites
Wireless Security
Issues
• Some APs allow MAC addresses of authorized
stations to be used for authentication purposes
• Allow communication only with MAC addresses
that it is aware of
• Administrator adding the MAC address to a list of
approved devices
• MAC address must be transmitted in clear;
otherwise the net would not function
• If an intruder listens to the traffic, he could identify
authorized MAC addresses and configure his own
system to use one of those MAC addresses to
communicate with the AP
Wireless Security
Issues
• WLAN Detection
• It is very easy to detect a WLAN
• In fact, several tools have been developed such as
NetStumbler – will identify the SSID of WLAN
and whether it is using WEP
• Kismet – identifies stations that are talking to the AP
and their MAC addresses
• The use of an external antenna with a portable
computer makes it possible to drive around a
neighborhood or a city and identify WLANs that
may be accessible - Wardriving
Wireless Security
Issues
• Eavesdropping
• Most obvious security risk of a wireless net is an intruder’s
ability to gain access to an organization’s internal network
• Wireless network – allow computers that are some distance
from the physical network to communicate as if they were on
that network
Wireless Security
Issues
• This type of network access in and of itself may
not worry some organizations
• Example: universities have established wireless
networks so that the network is available to
students and staff anywhere on campus
• However, this is a perfect opportunity for an
intruder to eavesdrop on the internal network
• Even networks that use WEP are vulnerable to eavesdropping
Wireless Security
Issues
• Active Attacks
• Instead of attacking internally, intruder could use
the network to attack externally – potential legal
issues as well
Topics Covered
• Introduction
• Basic operation
• Current wireless technology
• Wireless security issues
• How to deploy wireless safely
How to Deploy Wireless
Safely
A. Access Point Security
o Set a WEP key that cannot be easily guessed
o Use MAC addresses to limit stations that are
allowed to connect – increase overhead
o AP does not broadcast SSID if possible
o Use strong password to prevent easy access
o Location – try to position APs so that their range
outside your facility is limited as much as
possible
How to Deploy Wireless
Safely
o Transmission Security
• Use WEP although it has serious vulnerabilities –
no reason to give an intruder a free ride
• Use another type of encryption system on top of
WLAN – use VPN if an organization treats
WLAN as a semi-trusted or untrusted segment of
network (same type of protection used by remote
employees to gain access to internal systems)
• Place WLAN behind a firewall or other access
device and use VPN to that system
How to Deploy Wireless
Safely
B. Wireless Station Security
• It is possible to directly attack station on WLAN
• Sniffers can identify other stations
• Protection for stations on a WLAN is no different
than desktops anywhere (HIDS, anti-virus,
personal firewalls )
C. Site Security
• Segmented from the internal network
• Install firewall between WLAN and internal net
• Deploy NIDS to detect unauthorized visitors
• Scan for illegitimate or unauthorized AP – using
tool like NetStumbler or APTools or FoundScan
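One way to act on the "scan for unauthorized AP" step, as an added Python example that is not part of the original slides. The inventory, the scan records and the `Beacon` and `audit` names are constructed for illustration; because the slides note that MAC addresses travel in clear and can be copied, a matching BSSID is checked against its expected SSID and channel rather than trusted outright.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # AP MAC address, sent in clear and therefore spoofable
    channel: int
    security: str   # "OPEN", "WEP", "WPA" or "WPA2" as reported by the scanner

# Constructed inventory of approved APs: BSSID -> (SSID, channel).
AUTHORIZED = {
    "00:11:22:33:44:01": ("CorpNet", 1),
    "00:11:22:33:44:02": ("CorpNet", 6),
}
WEAK = {"OPEN", "WEP"}

def audit(beacons, authorized=AUTHORIZED):
    """Return (bssid, finding) pairs for every beacon that needs attention."""
    corp_ssids = {ssid for ssid, _ in authorized.values()}
    findings = []
    for b in beacons:
        bssid = b.bssid.lower()
        if bssid in authorized:
            if (b.ssid, b.channel) != authorized[bssid]:
                findings.append((bssid, "approved BSSID, unexpected SSID/channel: possible spoofed MAC"))
            if b.security in WEAK:
                findings.append((bssid, f"approved AP using {b.security}"))
        elif b.ssid in corp_ssids:
            findings.append((bssid, "unapproved AP advertising corporate SSID: possible rogue AP"))
        else:
            findings.append((bssid, "unlisted AP in range: confirm it is not on the wired LAN"))
    return findings

# Constructed scan results for illustration.
SCAN = [
    Beacon("CorpNet", "00:11:22:33:44:01", 1, "WPA2"),
    Beacon("CorpNet", "00:11:22:33:44:02", 11, "WPA2"),
    Beacon("CorpNet", "66:77:88:99:AA:BB", 6, "OPEN"),
    Beacon("linksys", "DE:AD:BE:EF:00:01", 3, "WEP"),
]

if __name__ == "__main__":
    for bssid, finding in audit(SCAN):
        print(bssid, "-", finding)
```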
How To Deploy NIDS
wireless sensors
Considerations that should come into play when
deciding on the locations for NIDS wireless sensors.
• Physical Security.
• Sensor Range. The actual range of a sensor varies
based on the surrounding facilities (e.g., walls, doors).
• Cost. Ideally, an organization could deploy sensors
throughout its facilities to perform full wireless
monitoring.
• AP and Wireless Switch Locations.
Challenges of deploying an IDS in the wireless network
• Wireless network is a heavy-traffic network (the high
amount of traffic overloads the IDS sensor).
• Is wireless network a switched network? (In switched
networks, an IDS needs to see the traffic on each
switch segment. In switched networks there is no
ideal location to connect NIDS – and Switched Port
Analyzer (switch SPAN) ports can't keep up with all
the traffic on the switch. Thus, deploying IDS on
each segment may be cost prohibitive.)
Challenges of deploying an IDS in the
wireless network
• Wireless network is an asymmetrical network (in
asymmetrically routed networks the traffic can
traverse multiple paths before it reaches the NIDS,
and the IDS will only see parts of the conversation
(flow), thus missing an attack).
• Generally, in wireless network, it is not possible to
have an active full-powered agent inside every
node in a sensor network. Each node is totally
independent, sending data and receiving control
packets from a central system called Base Station,
usually managed by a human user.
Attack Trees
• Attack trees provide a formal, methodical way
of describing the security of systems, based on
varying attacks.
• Represent attacks against a system in a tree
structure, with the goal as the root node and
different ways of achieving that goal as leaf
nodes.
Attack Trees
• In Figure 1, the goal is opening the safe.
• To open the safe, attackers can pick the lock,
learn the combination, cut open the safe, or
install the safe improperly so that they can
easily open it later.
• To learn the combination, they either have to
find the combination written down or get the
combination from the safe owner.
• And so on. Each node becomes a subgoal,
and children of that node are ways to achieve
that subgoal.
Figure 1
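The safe tree described above, written out as an added Python example that is not part of the original slides. It uses only the nodes the slides name; the `Node` type, the `paths` function and the set of blocked leaves are constructed for illustration, and the code also handles AND nodes (all children required), which generalizes beyond the OR-only branches listed here.

```python
from dataclasses import dataclass, field
from itertools import product

@dataclass
class Node:
    name: str
    kind: str = "LEAF"                      # "LEAF", "OR" or "AND"
    children: list = field(default_factory=list)

def paths(node, blocked=frozenset()):
    """Every set of leaf actions that achieves `node`, skipping blocked leaves."""
    if node.kind == "LEAF":
        return [] if node.name in blocked else [frozenset([node.name])]
    child_paths = [paths(c, blocked) for c in node.children]
    if node.kind == "OR":                   # any one child is enough
        return [p for cp in child_paths for p in cp]
    # AND: combine one path from each child; empty if any child is unreachable
    return [frozenset().union(*combo) for combo in product(*child_paths)]

def achievable(node, blocked=frozenset()):
    return bool(paths(node, blocked))

# The tree from the slides: goal at the root, subgoals below it.
SAFE = Node("Open the safe", "OR", [
    Node("Pick the lock"),
    Node("Learn the combination", "OR", [
        Node("Find the combination written down"),
        Node("Get the combination from the safe owner"),
    ]),
    Node("Cut open the safe"),
    Node("Install the safe improperly"),
])

# Constructed set of leaves assumed to be ruled out by physical controls.
PHYSICAL_CONTROLS = frozenset({
    "Pick the lock", "Cut open the safe", "Install the safe improperly",
})

if __name__ == "__main__":
    for p in paths(SAFE, PHYSICAL_CONTROLS):
        print("still open:", ", ".join(sorted(p)))
```

Running it shows that physical controls alone leave both "learn the combination" branches open, which is the kind of gap the tree is meant to expose.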
Difference between Wired Equivalent
Privacy (WEP) and Wi-Fi Protected Access
(WPA)
• WEP (Wired Equivalent Privacy) is the older form of encryption,
developed around 1999 to secure wireless access points. When
some weaknesses were found in this type of encryption, WPA (Wi-Fi
Protected Access) was adopted in 2003, along with the full IEEE
802.11 security standard, dubbed WPA2, which was adopted in
2004.

• WPA is better than WEP; WPA uses TKIP (Temporal Key Integrity
Protocol), which changes the key automatically. WPA2 is built on WPA,
adding an encryption algorithm named CCMP (Counter Mode with
Cipher Block Chaining Message Authentication Code Protocol),
which is supposedly really secure. All wireless routers built
today require WPA2 encryption support.
Quiz
Ms. Victim has gone to a café to log in to her personal account
on a bank website using a public wireless connection. Mr.
Devil is around looking for his target. As a security
professional, analyse the possible security threats in the café
wireless network and accordingly report what kind of attack
may threaten Ms. Victim. Justify your answer.
The End . . .
