Known Vulnerabilities in Wireless LAN Security

11.10.1999

Asma Yasmin
Department of Electrical and Communication Engineering
Helsinki University of Technology
ayasmin@cc.hut.fi
 

Abstract

Wireless Local Area Networks are becoming a respectable alternative in indoor communications. They offer flexibility and mobility in networking environments, as the user is no longer bound to a certain workplace. Wireless technology allows the network to go where wire cannot go. A mobile workforce that requires real-time access to data benefits from wireless LAN connectivity, since the data can be accessed almost any time, any place. Wireless LANs are also ideal for providing mobility in home and hot spot environments. Unfortunately, disgruntled employees, hackers, viruses, industrial espionage, and other forms of destruction are not uncommon in today's networks. This essay addresses the common vulnerabilities in the security of wireless LANs.



Contents

1. Introduction to Wireless Local Area Network

       1.1    Wireless Local Area Network Architecture
       1.2    Benefits of Wireless Local Area Network

2. Known vulnerabilities in WLAN
 
        2.1    Inherent flaws
        2.2    Hackers, Virus, and Intruder
        2.3    Distribution file and quality of password
        2.4    Interception
        2.5    Masquerading
        2.6    A denial-of-service attack
        2.7    Others
 
3. Conclusion

References

Further Information


1. Introduction to Wireless Local Area Network

Conventional Local Area Networks are fixed and deploy cables as physical medium. They were developed for interconnecting computers to enable sharing of resources, and to interconnect various organizations. LANs are typically restricted in size and offer a maximum throughput from 10 Mbit/s to 100 Mbit/s. The increased use of mobile phones and laptop computers has created a need for communication methods that would enable a user to access network resources from anywhere and at anytime. Office workers may spend a lot of their working time away from their desks, and yet they need to access the network resources without physically being at their desks. Due to bandwidth limitations and expensive technologies, cellular data networks, such as Global Systems for Mobile Communications (GSM), are not suitable for local area high speed data networking. Various wireless LAN standards have been developed to address the needs of mobile users [3].

1.1  Wireless Local Area Network Architecture

Due to its architectural inheritance, a wireless LAN has some intrinsic security flaws. A study of its security vulnerabilities would therefore be incomplete without first describing the wireless LAN architecture.
 
 

Figure 1.1 Wireless LAN Architecture

The wireless LAN consists of access points and terminals that have wireless LAN connectivity. Finding the optimal locations for the access points is important, and can be achieved by measuring their relative signal strength. Placing access points in a corporate network opens an access path to the resources in the intranet. With wired LANs an intruder must first gain physical access to the building before she can plug her computer into the network and eavesdrop on the traffic. The intranet is typically considered secure even though employees can cause security breaches and data is transmitted unencrypted. If the information transmitted in the corporate network is extremely valuable to the corporation, the wireless LAN interface should be protected from unauthorized users and eavesdropping. The obvious way to extend the intranet with a wireless LAN is to connect the access points directly to the intranet, as illustrated in Figure 1.1.

The terminals that wish to join the wireless network need to know the SSID (Service Set Identifier) string that identifies the network. When the terminal enters the coverage area of an access point in that network, it can start associating with the access point. The authentication methods supported by the current 802.11 standard are Open System and Shared Key. The Shared Key method requires that the WEP algorithm be implemented on both the wireless terminal and the access point. In the Open System authentication scheme, which is the default scheme, a terminal announces that it wishes to associate with an access point, and typically the access point allows the association. To restrict access to a wireless network without WEP, most wireless LAN product vendors have implemented an access control method based on blocking associations from unwanted MAC addresses at the access points. The network interface cards have a 48-bit MAC address that uniquely identifies them, as defined in [IEEE802]. A list containing the MAC addresses of valid network cards can be defined in the access points, and any terminal trying to associate with a card whose MAC address is not on the list is denied association and thus cannot use the wireless LAN interface [2].

If no authentication or encryption methods are used, the WLAN can create a security risk if the radio signals flow outside the office building. An intruder who knows the SSID that identifies the WLAN could configure a device to operate on the same network and frequency as the access points and gain access to the network if no MAC address blocking were used. With proper tools she could eavesdrop on the data the other, legitimate users are transmitting. It is also possible to counterfeit the MAC addresses used on the network cards, so after learning an authorized MAC address, an intruder could program her card to have the same MAC address and gain access to the wireless LAN. Using both cards at the same time would of course lead to networking problems. To prevent eavesdropping and unauthorized access to the WLAN, other security measures should be implemented if the transmitted data is valuable to the business.

1.2 Benefits of Wireless Local Area Network

Local Area Networks (LAN) have been used for interconnecting computers and resources in various networking environments. Cables have typically been used as the physical medium in these LAN environments. Sometimes it may not be possible or practical to install cables, but network connectivity is required. Using wireless connections allows portable computers to still be portable without sacrificing the advantages of being connected to a network. Furthermore, the increased use of mobile phones and Personal Digital Assistant (PDA) devices is driving the workforce towards a more mobile working environment. Due to bandwidth limitations and expensive technologies, cellular data networks, such as Global Systems for Mobile Communications (GSM), are not suitable for local area high speed data networking. Wireless LANs provide the needed mobility in these working environments, enabling a user to access the network services away from the desk. Wireless LANs use electromagnetic airwaves (radio or infrared) to communicate information from one point to another without relying on any physical connection [3].

The widespread reliance on networking in business and the meteoric growth of the Internet and online services are strong testimonies to the benefits of shared data and shared resources. With wireless LANs, users can access shared information without looking for a place to plug in, and network managers can set up or augment networks without installing or moving wires. Among the further benefits, support for mobility, easy installation, cost effectiveness and support for novel applications come first.

2. Known vulnerabilities in WLAN

2.1 Inherent flaws

Network security is an important aspect of wireless LANs, since it is hard to restrict access to network resources physically, which can be done in a wired LAN by physical access control on the premises. Radio signals can propagate outside office buildings depending on the building material and surroundings, so it could be possible for an intruder to access the wireless LAN from outside the building, for example from a nearby parking lot. The intruder could then eavesdrop on the transmitted data. This, however, requires that the intruder obtain the network access code to be able to join the wireless LAN. Wired networks are not immune either: Ethernet 10Base-T cabling acts as a remarkable antenna, and anyone with a strong motivation and a good antenna can sit in the parking lot and pick up the wired Ethernet data packets [1].

People might be satisfied and feel comfortable, to a certain extent, with the security level intrinsic in a wired LAN. But as soon as the data packets are being transmitted over the open-air interface, there is a need to think twice. In a wired LAN the devices need to be physically connected to the network, but because of the wireless medium, access to a wireless LAN cannot be physically restricted. In fact, any network, wired or wireless, is subject to substantial security risks and issues, which the following sections describe.

The biggest threat to a company's network comes from within the company itself. Without the proper security measures in place, any registered user of the network can access data that he or she has no business accessing, and in a wireless LAN this holds all the more, since access cannot be physically restricted. Disgruntled current and ex-employees have been known to read, distribute, and even alter valuable company data files.

2.2 Hackers, Virus, and Intruder

Another security hole is the growing use of the Internet. If users from inside can get out to the Internet, then users from outside can get into one's own network if there are no proper precautions. This applies not only to the Internet, but also to any capability that allows users to come in from the outside. Remote access products that allow people to dial in for their e-mail, remote offices connected via dial-up lines, on-site Web sites, and "extranets" that connect vendors and customers to one's own network can all make the network vulnerable to hackers, viruses, and other intruders.

2.3 Distribution file and quality of password

On the other hand, the user needs to have the distribution file (the password-protected file holding the user's keys, described under Section 2.6) when he wants to access the intranet. Typically, this distribution file would reside on the hard disk of the user's personal laptop. The quality of the password that opens access to the keys in the file is essential to the security of the whole system: if a malicious user finds out the password and gains access to the distribution file, she can log on to the server and thus create a tunnel to the intranet.

2.4 Interception

Interception can be identity interception, in which the identity of a communicating party is observed for later misuse, or data interception, in which an unauthorized user observes the user data during a communication. This is an attack on confidentiality; an example would be an attacker who listens on the wireless (or wired) medium and captures the transmitted data.

2.5 Masquerading

Masquerading takes place when an attacker pretends to be an authorized user in order to gain access to information or to a system. An example of this in a wireless LAN would be the case where an unauthorized user tries to gain access to the wireless network.

2.6 A denial-of-service attack

A denial-of-service attack could be launched against a wireless LAN by deliberately causing interference in the same frequency band in which the wireless LAN operates. This would cause availability problems, keeping the authorized users from using the network [4].

Due to the nature of radio transmission, wireless LANs are very vulnerable to denial of service attacks. If the attacker has a powerful enough transceiver, he can easily generate such radio interference that our wireless LAN is unable to communicate over the radio path. This kind of attack can be done from outside the site, for example from a van parked on the street or from an apartment in the next block. The equipment needed to commit this kind of attack can be bought from any electronics store at a reasonable price, and any short-wave radio enthusiast has the knowledge needed to construct it. Protection against this kind of attack is very difficult and expensive. The only total solution is to have our wireless network inside a Faraday cage, but this is applicable only in very rare cases. However, it is easy for the authorities to locate the transceiver used to generate the interference, so the attacker has limited time before the transceiver is found.

The user authentication in TWISS is based on public-key cryptography. Each user has a public/private key pair, which is generated on the TWISS server and then delivered to the user in a distribution file. The keys in the distribution file are protected using a password that only the user knows. The password is entered when logging on locally to the TWISS client in order to access the private key needed when logging on to the TWISS server. As the user logs on to the TWISS server, the client and the server negotiate a symmetric encryption/decryption key that is used for data confidentiality during a single secure connection.

2.7 Others

The wireless LAN could be used as a launch pad for a transitive trust attack. If the attacker can fool the wireless LAN into trusting a mobile he controls, then there is a hostile network node inside all the firewalls of the enterprise network, and it is very difficult to prevent any hostile actions after that. This kind of attack can be done from outside the site with standard wireless LAN hardware compatible with our equipment. The only real protection against this kind of attack is a strong authentication mechanism for the mobiles accessing the wireless LAN. The discovery of unsuccessful attacks must rely on the logging of unsuccessful logon attempts, but it might be very hard to find out whether there has been a real attack attempt, because in normal operation unsuccessful logon attempts occur due to the high bit error rate (BER) on the radio path and from mobiles that belong to some other wireless LAN [4].
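As an added illustration (not from the essay or from [4]) of what such logging can and cannot tell you, the script below parses constructed access-point logon records and separates failures caused by corrupted frames, which the text attributes to the high BER, from bursts of repeated authentication failures from one station, which is the pattern worth investigating. The record format, field names and MAC addresses are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample log (not real product output). Assumed record format:
#   "<seconds> LOGON-FAIL mac=<address> reason=<crc|auth>"
#   "<seconds> LOGON-OK mac=<address>"
# reason=crc marks a logon frame that failed its checksum (radio noise, high BER);
# reason=auth marks a frame that arrived intact but carried invalid credentials.
SAMPLE_LOG = """\
0 LOGON-FAIL mac=00:a0:f8:11:22:33 reason=crc
5 LOGON-OK mac=00:a0:f8:11:22:33
12 LOGON-FAIL mac=00:a0:f8:44:55:66 reason=auth
30 LOGON-FAIL mac=00:60:1d:aa:bb:cc reason=auth
31 LOGON-FAIL mac=00:60:1d:aa:bb:cc reason=auth
32 LOGON-FAIL mac=00:60:1d:aa:bb:cc reason=auth
33 LOGON-FAIL mac=00:60:1d:aa:bb:cc reason=auth
34 LOGON-FAIL mac=00:60:1d:aa:bb:cc reason=auth
40 LOGON-FAIL mac=00:a0:f8:77:88:99 reason=crc
41 LOGON-OK mac=00:a0:f8:77:88:99
"""

LINE_RE = re.compile(
    r"^(\d+) (LOGON-FAIL|LOGON-OK) mac=([0-9a-f]{2}(?::[0-9a-f]{2}){5})(?: reason=(\w+))?$")

def parse(log):
    """Return (time, event, mac, reason) tuples; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events

def suspicious_stations(log, window=60, max_fail=3):
    """Map each MAC to the largest number of intact-but-rejected logon attempts it
    made inside any `window`-second span, keeping only stations that reached
    `max_fail`. Frame-error failures are ignored: they are the BER noise the text
    describes. A single auth failure (e.g. a mobile of another WLAN trying the
    strongest signal first) stays below the threshold."""
    fails = defaultdict(list)
    for t, event, mac, reason in parse(log):
        if event == "LOGON-FAIL" and reason == "auth":
            fails[mac].append(t)
    flagged = {}
    for mac, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] >= window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= max_fail:
                flagged[mac] = max(flagged.get(mac, 0), count)
    return flagged

if __name__ == "__main__":
    for mac, n in suspicious_stations(SAMPLE_LOG).items():
        print(f"{mac}: {n} rejected logon attempts within 60 s")
```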

Two common encryption schemes, RSA and DES, are utilized in wireless LAN systems. While they provide enhanced security, these particular encryption methods are not sufficiently strong against persistent cracking attempts.

The other kind of transitive trust attack, specific to wireless networks, is fooling the mobile into trusting a base controlled by the attacker as if it were our base. When a mobile is switched on, it usually first tries to log on to the network with the strongest signal and, if that fails, the rest in order of signal power. Now, if the attacker has a base with high transmission power, he may be able to fool our mobiles into trying the attacker's network first. There are then basically two possibilities: the attacker may let us log on to his network, make it pretend to be our network, and find out the passwords, secret keys, etc.; or the attacker may simply reject our logon attempts but record all the messages exchanged during the logon process and find out the secret keys or passwords used for authentication in our network by analyzing these messages. The former case is very difficult to implement without very detailed information about our network services and is probably detected very soon, but the latter requires just standard base hardware compatible with our equipment, maybe with a special antenna, and is very difficult to detect, because the mobiles do not usually report unsuccessful logon attempts to the upper layers and there are a lot of unsuccessful logon attempts even in normal circumstances. The only protection against these attacks is an efficient authentication mechanism which allows the mobile to authenticate the base without any disclosure of the secret keys or passwords it uses to log on to our network [4].
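One way to meet that last requirement, as an added example that is not from the essay or from [4]: a mutual challenge-response logon in which the base must prove knowledge of the shared key over the mobile's fresh nonce before the mobile answers with its own proof, so a rogue base that only records the exchange sees two nonces and two keyed hashes and the key itself never goes on air. The message names, the use of HMAC-SHA-256, and the assumption that the shared key is a random key rather than a guessable password (a recorded proof over a weak password could be guessed offline) are this example's, not the page's.

```python
import hmac
import hashlib
import os

# Constructed mutual-authentication exchange (this example's own design, not a
# WLAN standard). K is a per-mobile random key shared with the genuine base.
#   1. mobile -> base  : mobile_id, Nm
#   2. base   -> mobile: Nb, PROOF_b = HMAC(K, "base" | base_id | Nm | Nb)
#   3. mobile checks PROOF_b and only then sends
#      mobile -> base  : PROOF_m = HMAC(K, "mobile" | mobile_id | Nb | Nm)
#   4. base checks PROOF_m.

def prf(key, *parts):
    """Keyed hash over length-prefixed parts (prefixing avoids ambiguous joins)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

class Mobile:
    def __init__(self, mobile_id, key):
        self.id, self.key, self.nonce = mobile_id, key, None

    def hello(self):
        self.nonce = os.urandom(16)            # fresh challenge for the base
        return self.id, self.nonce

    def check_base(self, base_id, base_nonce, base_proof):
        expected = prf(self.key, b"base", base_id, self.nonce, base_nonce)
        if not hmac.compare_digest(expected, base_proof):
            return None                        # rogue or mis-keyed base: send nothing more
        return prf(self.key, b"mobile", self.id, base_nonce, self.nonce)

class Base:
    def __init__(self, base_id, keys):
        self.id, self.keys = base_id, keys     # keys: mobile_id -> shared key K

    def challenge(self, mobile_id, mobile_nonce):
        key = self.keys.get(mobile_id)
        if key is None:
            return None                        # unknown mobile
        nonce = os.urandom(16)
        return nonce, prf(key, b"base", self.id, mobile_nonce, nonce)

    def verify(self, mobile_id, mobile_nonce, base_nonce, mobile_proof):
        expected = prf(self.keys[mobile_id], b"mobile", mobile_id, base_nonce, mobile_nonce)
        return hmac.compare_digest(expected, mobile_proof)

def logon(mobile, base):
    """Run steps 1-4; True only when both sides authenticated each other."""
    mobile_id, mobile_nonce = mobile.hello()
    reply = base.challenge(mobile_id, mobile_nonce)
    if reply is None:
        return False
    base_nonce, base_proof = reply
    mobile_proof = mobile.check_base(base.id, base_nonce, base_proof)
    if mobile_proof is None:
        return False
    return base.verify(mobile_id, mobile_nonce, base_nonce, mobile_proof)
```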

Infrastructure attacks are based on some weakness in the system: a software bug, a configuration mistake, a hardware failure, etc. Such situations will certainly occur in wireless LANs, too. Protection against this kind of attack is almost impossible, because you do not know about the bug until something happens. So the only thing to do is to keep the possible damage as small as possible.

On the other hand, wireless LANs are less vulnerable than wired LANs to other kinds of denial of service attacks. For example, a fixed LAN node can be isolated from the network by simply cutting the wire, which is not possible in a wireless environment. If the attacker cuts the power of the whole site, then all wired networks are usually useless, but the wireless LANs can still be used in an ad-hoc configuration with laptops or other battery-powered computers.

Data security is accomplished by a complex encryption technique known as the Wired Equivalent Privacy Algorithm (WEP). WEP is based on protecting the data transmitted over the RF medium using a 64-bit seed key and the RC4 encryption algorithm. WEP, when enabled, only protects the data packet information and does not protect the physical layer header, so other stations on the network can listen to the control data needed to manage the network. However, the other stations cannot decrypt the data portions of the packet.
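As an added illustration of that split between protected and unprotected parts of a frame (example code, not from the essay or from the 802.11 standard text), the functions below build and check a WEP-style frame: the header and the 24-bit IV go out in the clear, and RC4 keyed with IV || 40-bit key (the 64-bit seed) covers only the payload and its CRC-32 integrity check value. The header bytes are a constructed placeholder rather than a real 802.11 header, and the key-ID byte is simplified to a single zero byte.

```python
import struct
import zlib

def rc4(key, data):
    """Plain RC4: key scheduling, then keystream XOR (encrypt and decrypt are the same)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(payload):
    """WEP integrity check value: CRC-32 of the plaintext payload, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)

def wep_encrypt(header, payload, key40, iv):
    """Frame = header | IV(3 bytes) | key-id byte | RC4(IV | key40, payload | ICV)."""
    assert len(key40) == 5 and len(iv) == 3
    return header + iv + b"\x00" + rc4(iv + key40, payload + icv(payload))

def wep_decrypt(frame, header_len, key40):
    """Return (header, iv, payload, icv_ok); header and IV were never encrypted."""
    header = frame[:header_len]
    iv = frame[header_len:header_len + 3]
    body = rc4(iv + key40, frame[header_len + 4:])
    payload, tag = body[:-4], body[-4:]
    return header, iv, payload, tag == icv(payload)

# Constructed demonstration values (placeholder header, not a real 802.11 header).
HEADER = b"\x08\x01\x00\x00" + bytes.fromhex("00a0f8112233") + bytes.fromhex("00601daabbcc")
KEY40 = bytes.fromhex("0102030405")
IV = bytes.fromhex("a1b2c3")

def demo():
    """Show what stays readable, that the payload round-trips, and that the ICV catches tampering."""
    frame = wep_encrypt(HEADER, b"GET /payroll HTTP/1.0", KEY40, IV)
    visible = frame.startswith(HEADER + IV)         # any station can read this part
    _, _, plain, ok = wep_decrypt(frame, len(HEADER), KEY40)
    # Flip one bit of the last encrypted payload byte (the 4 ICV bytes follow it).
    tampered = frame[:-5] + bytes([frame[-5] ^ 0x01]) + frame[-4:]
    _, _, _, ok_tampered = wep_decrypt(tampered, len(HEADER), KEY40)
    return visible, plain, ok, ok_tampered
```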

3. Conclusion

The current wireless LAN standards offer a very unsatisfactory level of security, and one cannot truly trust them. When using products based on these standards, the security issues must be taken care of in the upper layers. A certain level of security is a must in most local area networks, regardless of whether or not there are wireless segments. Even wired networks are vulnerable to insider curiosity, outsider attack, and wire-tapping. No one wants to risk having the LAN data exposed to the casual observer or open to malicious mischief. The nature of radio communication makes it practically impossible to prevent some attacks, like denial of service using radio interference. But if the data is very confidential or safety-critical, such as that found in banking and military networks, manufacturing or hospitals, then extra measures must be taken to ensure privacy and safety.

References

[1] BREEZECOM Wireless Communications, Inc.: Network Security in a Wireless LAN, 02.02.1999 [referred 10.10.1999]
<http://www.summitonline.com/security/papers/breeze1.html>

[2] Molta, Dave; Foster-Webster, Areth: Wired on Wireless: A New Class of 802.11 Devices Go the Distance, March 1999 [referred 11.10.1999]
<http://www.networkcomputing.com/1006/1006r2.html>

[3] Rinnemaa, Jyri Petri: Designing a Secure Wireless Local Area Network Architecture, Master's thesis, Tampere University of Technology, 83 p., August 1999 [referred 09.10.1999]

[4] Uskela, Sami: Security in Wireless Local Area Networks, 26.12.1997 [referred 10.10.1999]
<http://www.tcm.hut.fi/Opinnot/Tik-110.501/1997/wireless_lan.html>

[5] WLANA, The Wireless LAN Alliance: Wireless LAN Security white paper, 13.10.1998 [referred 10.10.1999]
<http://www.wlana.com/resource/whitepaper.html>

Further Information

WLANA, The Wireless LAN Alliance: What is a Wireless LAN? [referred 10.10.1999]
<http://www.wlana.com/intro/introduction/intro.pdf>