Advance Security Measures Essay

ADVANCED SECURITY MEASURES IN A WIRELESS LAN

KAKATIYA INSTITUTE OF TECHNOLOGY & SCIENCES, WARANGAL.

AUTHORS:
Rathipally Santosh kumar, III/IV B.Tech. (cse), EMAIL: santhosh_rathi@yahoo.co.in
M. R. Aditya Pranav kumar, III/IV B.Tech. (cse), EMAIL: mr.adityapranav@yahoo.co.in

ABSTRACT

Wireless local area networks (wireless LANs, or WLANs) are metamorphosing the landscape of computer networking. The use of mobile computing devices, such as laptops and personal digital assistants, coupled with the demand for continual network connections without having to “plug in,” is driving the adoption of enterprise WLANs.

Network managers are using WLANs to facilitate network moves, add-ons and changes. In addition, the inherent flexibility of WLANs overcomes limitations created by older buildings, leased spaces, or temporary work areas. This paper describes wireless LANs, surveys the many ways in which the security of these WLANs can be breached, and presents a range of measures with which one can thwart a potential assault on a WLAN.

KEYWORDS: Wireless LAN, Security, Hacking, Access points.

INTRODUCTION TO WIRELESS LAN:


High-speed wireless LANs can provide the benefits of network connectivity without the restrictions of being tied to a location or tethered by wires. Wireless connections can extend or replace a wired infrastructure in situations where it is costly or prohibitive to lay cables. Portable access to wireless networks can be achieved using laptop computers and wireless NICs. This enables the user to travel to various locations and still have access to their networked data. Without wireless access, the user would have to carry clumsy cabling and find a network tap to plug into.

For businesses, wireless networks give more mobility and flexibility by allowing employees to stay connected to the Internet and to the network as they roam. Beyond the corporate campus, access to the Internet and even corporate sites could be made available through public wireless “hot spot” networks. Airports, restaurants, rail stations, and common areas throughout cities can be provisioned to provide this service.

IEEE STANDARDS AND WIRELESS NETWORKS:

The IEEE has produced the series of standards referred to as 802.X, which encompasses LANs, MANs and PANs. The IEEE 802 is confined to standardizing processes and procedures that take place in the bottom two layers of the OSI Reference Model: the Media Access Control (MAC) or link layer and the Physical layer. The committee of IEEE 802 standards is currently divided up into working groups numbered 802.1 through 802.17. The figure shows how the 802.1x wireless security process is supposed to work. The original standard, which is currently used to set up wireless networks, is the IEEE 802.11 standard. Nowadays, there are four types of wireless networks, ranging from slow and inexpensive to fast and expensive. They are: WECA (Wireless Ethernet Compatibility Alliance) Wi-Fi, Bluetooth, IrDA (Infrared Direct Access) and HomeRF.

TRADITIONAL WLAN SECURITY

As with other networks, security for WLANs focuses on access control and privacy. Robust WLAN access control prevents unauthorized users from communicating through access points, the WLAN endpoints on the Ethernet network that link WLAN clients to the network. Strong WLAN access control ensures that legitimate clients associate with trusted, rather than “rogue”, access points.

WLAN privacy ensures that only the intended audience understands the transmitted data. The privacy of transmitted WLAN data is protected only when that data is encrypted with a key that can be used only by the intended recipient of the data. Traditional WLAN security includes the use of Service Set Identifiers (SSIDs), open or shared-key authentication, static WEP keys and optional Media Access Control (MAC) authentication. This combination offers a rudimentary level of access control and privacy, but each element can be compromised.

ATTACKING A WLAN NETWORK

In this section, the various methods by which one can get illegal access to a WLAN are examined. The tools which are freely available on the internet and are being used for attacking a WLAN are as follows: NetStumbler, Kismet, Wellenreiter, THC-RUT, Ethereal, WEPCrack, AirSnort and HostAP. The different types of attacks are explained below:

1. Eavesdropping: In the wireless network, eavesdropping is the most significant threat because the attacker can intercept the transmission over the air from a distance away from the premises of the company.

2. Tampering: The attacker can modify the content of the intercepted packets from the wireless network, and this results in a loss of data integrity.

3. Utilizing Antennas: To connect with wireless LANs from distances greater than a few hundred feet, sophisticated hackers use long-range antennas that are either commercially available or home built and can pick up 802.11 signals from up to 2,000 feet away.

4. War Driving: War driving is simply driving around in a car to discover unprotected wireless LANs. Windows-based freeware tools probe the airwaves in search of access points that broadcast their SSIDs and offer easy ways to find open networks.

5. Malicious Association: A hacker begins this attack by using freeware HostAP to convert the attacking station to operate as a functioning access point. As the victim’s station broadcasts a probe to associate with an access point, the hacker’s new malicious access point responds to the victim’s request for association and begins a connection between the two. After providing an IP address to the victim’s workstation (if needed), the malicious access point can begin its attacks. The hacker, acting as an access point, can use a wealth of available hacking tools that have been tested and proven in a wireless environment. At this time, the hacker can exploit all vulnerabilities on the victim’s laptop, which can include installing the HostAP firmware or any other laptop configuration or programmatic changes. The malicious association attack shows that wireless LANs are subject to diversion and that stations do not always know which network or access point they connect to. Even wireless LANs that have deployed VPNs (Virtual Private Networks) are vulnerable to malicious associations.

6. Interference and Jamming: A simple jamming transmitter can make communications impossible. For example, consistently hammering an access point with access requests, whether successful or not, will eventually exhaust its available radio frequency spectrum and knock it off the network.

7. Brute-Force attack: A brute-force network attack is one in which the intruder attempts to derive a WEP key by trying one value at a time. For standard 128-bit WEP, this would require trying a maximum of 2^104 different keys.

8. MAC spoofing (identity theft): Many enterprises secure their wireless LAN with authentication based on an authorized list of MAC addresses. Any user can easily change the MAC address of a station or access point to change its ‘identity’ and defeat MAC address-based authentication. Software tools such as Kismet or Ethereal are available for hackers to easily pick off the MAC addresses of an authorized user. The hacker can then assume the identity of that user by asserting the stolen MAC address as his own.

9. Man-in-the-middle attack: To begin this attack, the hacker passively observes the station as it connects to the access point, and the hacker collects the authentication information, including the username, server name, client and server IP address, the ID used to compute the response, and the challenge and associate response. The hacker then tries to associate with the access point by sending a request that appears to be coming from the authenticated station. The access point sends the VPN challenge to the authenticated station, which computes the required authentic response and sends the response to the access point. The hacker observes the valid response. The hacker then acts as the access point in presenting a challenge to the authorized station. The station computes the appropriate response, which is sent to the access point. The access point then sends the station a success packet with an embedded sequence number. Both are captured by the hacker. After capturing all this data, the hacker has what he needs to complete the attack and defeat the VPN. The hacker sends a spoofed reply with a large sequence number (i.e. 0x00ffffff), which bumps the victim’s station off the network and keeps it from re-associating. The hacker then enters the network as the authorized station.

10. Denial-of-Service attack: Every network and security manager fears the downtime and loss of productivity from a crippling Denial-of-Service attack. Because 802.11b wireless LANs operate on the unregulated 2.4 GHz radio frequency that is also used by microwave ovens, baby monitors, and cordless phones, commonly available consumer products can give hackers the tools for a simple and extremely damaging DoS attack. Unleashing large amounts of noise from these other devices can jam the airwaves and shut down a wireless LAN. Hackers can launch more sophisticated DoS attacks by configuring a station to operate as an access point. As an access point, the hacker can flood the airwaves with persistent disassociate requests that force all stations within range to disconnect from the wireless LAN. In another variation, the hacker’s malicious access point broadcasts periodic disassociate commands every few minutes, which causes a situation where stations are continually kicked off the network, reconnected, and kicked off again.

MAKING A WLAN MORE SECURE:-

As today’s companies extend their wireless capabilities across their entire enterprise, several issues come to the forefront, not the least of which is the security of their proprietary data. Despite the complexity of the problem, an enterprise can undertake some relatively simple measures to thwart hackers and maintain the integrity of its wireless network.

There are at least ten ways in which we can prevent malicious attacks on a WLAN, as described below.

Avoiding factory default SSIDs: One protection method involves changing the SSID from its factory default so as to avoid easy detection, because an SSID can be sniffed in plain text from a packet. As every access point and all devices attempting to connect to a specific WLAN must use the same SSID, it makes sense to change the SSID.

Deploying device-independent authentication: Many companies rely on device authentication to protect their WLAN from intruders, but this approach proves problematic on several fronts. The optimal solution involves the use of RSA SecurID token deployments whose authenticator requires users to identify themselves with two unique factors before they are granted access. With a constantly changing RSA SecurID authenticator generating an unpredictable code every 60 seconds, tokens add a layer of security that passwords cannot provide.

Using VPN technologies to protect data: VPN technologies such as IPsec with 3DES can protect data by ensuring that users authenticate to the network and credentials are made available to all access points in the environment, that appropriate access control policies are enforced throughout the wireless network, and that encryption is efficiently implemented to protect enterprise data. In addition, a cryptographic hashing function such as MD-5 or SHA-1 can also be used to ensure the integrity of the information transmitted over the wireless LAN.

Limiting or controlling where WLAN traffic can go: Firewalls normally restrict access to the network itself by implementing packet filters on routers to inspect the IP addresses as a means of determining authorized users. But if the WLAN is to be used for a selected purpose, then specific packet filters designed to allow only that access should be placed on the WLAN.

Moving security from access points to a wiring closet: Access points are situated for ideal throughput and coverage, and as a result are often positioned in an open setting where they are exposed. Unscrupulous visitors and careless employees can move, replace, or reset them with alarming ease. Considering also that many vendors are equipping the access points themselves with security measures, it is important to ensure the integrity of your WLAN’s security by splitting out security from the physical access points to storage in a secured wiring closet.

Actively monitoring access point configurations: It is easy for someone to perform a hardware reset on an access point, and then wreak havoc from a misconfigured point on the WLAN. Security measures can be completely counteracted when misconfigured points inadvertently broadcast the WLAN’s location to hackers. By actively monitoring the AP configuration, you can ensure that the AP is automatically reconfigured should such an event occur.

Using monitoring software for rogue WLAN detection: Today’s employees are more than capable of creating a rogue WLAN inside a business. Because this can result in the entire WLAN’s security being impugned, active sniffing for these rogue devices is a critical operational requirement. New software tools to ease this task are now readily available and can detect all the known devices on the network, and differentiate them from foreign wireless devices.
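One way to carry out the two monitoring measures above (access point configuration checks and rogue WLAN detection), as an added example that is not part of the original paper: beacons recorded in a site survey are compared with an inventory of authorised access points. The inventory, the SSIDs, the MAC addresses and the `Beacon` record are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    bssid: str       # MAC address of the AP radio
    ssid: str
    channel: int
    encrypted: bool

# Constructed inventory (assumption): BSSID -> (expected SSID, expected channel).
AUTHORISED = {
    "00:11:22:33:44:01": ("CorpNet", 1),
    "00:11:22:33:44:02": ("CorpNet", 6),
}

def classify(beacon, inventory=AUTHORISED):
    """Return 'authorised', 'misconfigured', 'impersonation' or 'foreign'."""
    expected = inventory.get(beacon.bssid.lower())
    if expected is None:
        corp_ssids = {ssid for ssid, _ in inventory.values()}
        # Our SSID from a radio we do not own is the malicious-association setup.
        return "impersonation" if beacon.ssid in corp_ssids else "foreign"
    ssid, channel = expected
    # A known BSSID with the wrong settings is either an AP that was reset to
    # defaults or a spoofed MAC address; both need a site visit.
    if (beacon.ssid, beacon.channel) != (ssid, channel) or not beacon.encrypted:
        return "misconfigured"
    return "authorised"

def audit(beacons, inventory=AUTHORISED):
    """Group every non-authorised BSSID by verdict."""
    findings = {}
    for b in beacons:
        verdict = classify(b, inventory)
        if verdict != "authorised":
            findings.setdefault(verdict, []).append(b.bssid.lower())
    return findings

# Constructed survey results, as a sensor or site walk might record them.
SCAN = [
    Beacon("00:11:22:33:44:01", "CorpNet", 1, True),
    Beacon("00:11:22:33:44:02", "default", 6, False),    # reset to factory state
    Beacon("0A:BB:CC:DD:EE:10", "CorpNet", 11, True),    # unknown radio, our SSID
    Beacon("0A:BB:CC:DD:EE:20", "BreakRoom", 3, False),  # employee-installed AP
]

if __name__ == "__main__":
    for verdict, bssids in audit(SCAN).items():
        print(verdict, bssids)
```

Because MAC addresses can be changed, a BSSID that matches the inventory is not proof of identity on its own, which is why the expected channel and encryption state are checked as well.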

Taking steps to secure client devices: Over a WLAN, an intruder can attack wireless clients themselves in a peer-to-peer fashion. This attack can give the intruder what appears to be legitimate network access by simply using a client as an accepted entry point. To address this issue, desktop firewalls should be deployed, along with network management tools that actively audit and manage the client before permitting access via the WLAN.

Policing bandwidth for fair access and attack prevention: Wireless access points have low bandwidth capabilities and are shared by multiple users. This scenario allows intruders to simply blast traffic over the wireless link to prevent additional traffic, in what are known as Denial-of-Service attacks. But even legitimate users can unintentionally hog bandwidth in the course of their everyday responsibilities. As part of the packet filtering solution, a good solution installs software that controls traffic by slowing large downloads, in addition to a wide variety of other measures.

Deploying real-time policy management: As they are deployed, wireless LANs will span entire campuses and incorporate multiple global sites. Security policies (e.g. valid user lists, access rights, etc.) will naturally change. These changes must be reflected in real time throughout the WLAN, to reduce the window of opportunity for intrusion and, more importantly, provide immediate lock-down of detected security holes.

Increasing the user security awareness: Users within the company premises should not be allowed to set up their wireless stations in ad-hoc mode and communicate with each other without going through the access point. The user should power down the wireless station when it is not being used for a long period of time. When the user’s wireless station has become connected to the internal wired network, it should not have a concurrent direct connection to any unreliable network, like the Internet.

Logging and auditing: Logging of the wireless LAN helps to detect unauthorized network traffic and, by using an Intrusion Detection System, to detect attacks directed over the wireless LAN. Information such as source/destination IP addresses, MAC addresses, users’ logon names/IDs and logon time/duration can be logged to aid analysis and investigation in the event of a network problem. On a periodic basis, audits should also be performed to detect any exceptions or abnormal network activities, and alerts should be sent to the network administrators.

CONCLUSION

It is preferable to have only one access point and make it run under a secure operating system like Linux. It is better to occasionally boot up and trap sections of traffic to look for any attack signatures. The user must connect via a VPN, the access point must be secured so that it cannot be reset, WEP must be enabled, and the access point must be in a position that limits travel of the radio frequency outside of the premises.

The traffic between the access point and the LAN passes through a firewall to help block any possible DoS attacks on the WLAN from entering the enterprise LAN. WLANs are definitely here to stay, but pose definite security issues which can be minimized.
