WLAN Security Performance Study

Size: px

Start display at page:

Download "WLAN Security Performance Study"

Andrea Gaines
5 years ago
Views:

1 WLAN Security Performance Study GHEORGHE MÜLEC *,. RADU VASIU *, FLAVIU M. FRIGURA-ILIASA **, DORU VATAU ** * Electronics and Telecommunication Faculty, ** Power and Electrical Engineering Faculty POLITEHNICA University of Timisoara, 2 V. Parvan Bvd., TIMISOARA ROMANIA george.mulec@rdslink.ro, radu.vasiu@etc.upt.ro, flaviu.frigura@et.upt.ro, Abstract: - Wireless network have gained popularity due to the flexibility and mobility that allow users access to the information. This research evaluated the effect of multiple security mechanisms of the performance for IEEE g wireless network using server-client architecture. The results showed that security mechanisms degrade the performance of network and we must know how much we pay for security features. Key-Words: - IEEE , security, performance, IDS, attacks, encryption, throughput 1 Introduction Since the ratification of the IEEE b standard in 1999, wireless LANs have became rifer. This is due the mobility of users by releasing the constraint of physical connections. Today, wireless LANs are widely deployed in places such as corporate office, conference rooms, airports, university campus. Besides these advantages, inherent broadcast nature of wireless networks, the IEEE based wireless LANs present new challenges for information security administrators [1].Network performance is characterized by certain parameters such as a time delay, system throughput, packet loss etc. Wireless networks are highly susceptible to many kinds of attacks since interception and eavesdropping of data in transit is possible for anyone with access to wireless network due to their inherent broadcast nature and shared air medium [2],[3]. For maintaining a specific level of network performance it is vital to determine the performance impact caused by security services in wireless network. At the most basic level wireless security requires authentication and encryption. Wireless network use more levels of security for data protecting [4]. Secure communication is typically achieved by employing security protocols at various layers of the network protocol stack. The building blocks of a security protocol are cryptographic algorithms, which are selected based on the security objectives that are to be achieved by the protocol. They include asymmetric and symmetric encryption algorithms, which are used to provide authentication and privacy, as well as hash or message digest algorithms that are used to provide message integrity. Security is achieved, generally, by using cryptographic primitives, e.g. encryption and authentication. The encryption and authentication algorithms need processing. Encrypting data traffic involves adding extra bytes to the frames. Authentication, on the other hand, involves adding extra messages. Adding extra bytes and extra messages to the original data result in throughput reduction and also increases the wait time. The overhead associated with applying encryption and authentication mechanisms to secure the wireless communication transactions represents an important issue as the network load becomes important. 2 Backgrounds Many networks are inadequately safeguarded against a variety of attacks. An intruder can use an insecure management frame to produce different kinds of attacks so that the whole wireless network will be unusable [10], [11]. Common recently attacks on management frames are as follow. A. MAC Address Spoofing MAC address is a vital piece of information that helps clients understand which AP they are talking to and vise versa. Unfortunately MAC address is not encrypted and spoofed easily which is one of common attacks on management frames whereby the intruders configure their wireless client to appear to have the same MAC address as an authorized access point or wireless client. When a legitimate client is not transmitting, the intruder will first reconfigure his terminal with the known information. Once this is done, the intruder s terminal will appear as the authorized terminal and will be able to access most of the resources. There are different known attacks using MAC address spoofing [10], [12] as follow: - Forged De-authentication - Forged Disassociation ISBN:

2 B. Denial of Service (DoS) Attack In this attack, the intruder sends a continually stream of different kinds of management frames to the WLAN [10], [11]. An attacker can spoof MAC address of AP or client and flood the WLAN with different kinds of forgery de-authentication, disassociation, association, authentication or bacon management frames by using both directions of the communication. In this case the WLAN overloads and will be unusable for even legitimate users. C. Session Hijacking Session hijacking combines denial of service and MAC spoofing attacks. Typically an intruder forces a legitimate client to terminate its connection to an AP by sending it a forgery disassociation or de-authentication management frame with the MAC address spoofed of the AP, therefore the client will be disconnected from the network. The intruder can now associate with the AP, to forge the MAC address of the client, and hence captures its session. D. Man-in-the-Middle Attack For Man-in-the-Middle attack, intruders insert themselves between an AP and a client to capture management frames in transmission. The idea behind this attack is to enter between the sender and the recipient, access to the management frame, modify it and forward it to the recipient. The client sees the intruder as an authorize AP, while the AP sees the intruder as an authorize client. Both authorize devices fail to detect the intruder and continue transmitting information. As a result, all these mentioned attacks are because there is no any security mechanism to check integrity and authentication of the management frames (MF) in none of IEEE standards, therefore these standards are vulnerable to such mentioned attacks. Man-in-the-middle attacks have two major forms: eavesdropping and manipulation. Eavesdropping occurs when an attacker receives a data communication stream. This is not so much a direct attack as much as it is a leaking of information. An eavesdropper can record and analyze the data that he is listening to. A manipulation attack requires the attacker to not only have the ability to receive the victim s data but then be able to retransmit the data after changing. 1. Eavesdropping In a wireless network, eavesdropping is easy because wireless communications are not easily confined to a physical area. A nearby attacker can receive the radio waves on the wireless network without any substantial effort or equipment (passive eavesdropping). All frames sent across the wireless medium can be examined in real time or stored for later examination. 2. Manipulation Manipulation takes eavesdropping a step further. An attacker who can successfully manipulate data on a network can effectively send data masquerading as a victim computer. Furthermore, the attacker can gather sensitive data by introducing a rogue access point into the WLAN coverage area. The rogue AP can be configured to look like a legitimate AP and, since many wireless clients simply connect to the AP with the best signal strength, users can be "tricked" into inadvertently associating with the rogue AP. Once a user is associated, all communications can be monitored by the attacker through the rogue AP (active eavesdropping). If we have the ability to detect the attack once it comes into the network, we can stop it from doing any damage to the system or any data. This is the role of Intrusion Detection and Prevention System. The current rules-based and anomaly-based intrusion detection systems detect intrusions either by matching patterns of network and users activities with the predefined rules or define normal profile of system usages, and then looks for the deviation[13]. Any implementation of Intrusion Detection and Prevention System introduce an overload for network traffic and has a direct influence of the hardware resource (cpu, memory, power) especially on mobile devices. In the first stages of development, the WLAN security was based on two mechanisms: Service Set Identifier (SSID) and Wireless Equivalent Privacy (WEP). When the weaknesses of WEP were identified, IEEE ratified a new standard, IEEE 802.1X, that provides a way to leverage traditional strong authentication mechanisms such as RADIUS Server in a wireless network [5]. The IEEE 802.1x defines a mechanism for port-based network access control. It is based upon Extensible Authentication Protocol (EAP) to provide compatible authentication and authorization mechanisms for devices interconnected by IEEE There are three main components in the IEEE 802.1x authentication system: supplicant, authenticator and authentication server. In a WLAN, supplicant usually is AP ( Acces Point ) that represents an authenticator. Authentication, Authorization, and Accounting (AAA) server such as RADIUS server is the authentication server. The port in 802.1x represents the association between supplicant and authenticator. Both supplicant and authenticator have a Port Access Entity (PAE) that operates the algorithms and protocols associated with the authentication mechanisms. The authenticator's controlled port is in unauthorized state. Messages will be directed only to the Authenticator PAE, which will further direct 802.1x messages to the authentication server. The authenticator PAE will close the controlled port after the supplicant is authenticated successfully. IEEE 802.1X specifies how to run the EAP directly over a link layer protocol. EAP is a transport protocol that can use a variety of different authentication types known as EAP methods [6], [7], [8]. ISBN:

Figure 1. 802.1X EAP Message Flow In figure 1 is illustrate the 802.1X EAP Message Flow for an authentication process.

protocols. These are EAP-TLS, EAP-TTLS and EAP-PEAP. 3 Experimental part A.

3 Figure X EAP Message Flow In figure 1 is illustrate the 802.1X EAP Message Flow for an authentication process. Among the EAP methods developed specifically for wireless networks are a family of methods base on public key certificates and the Transport Layer Security (TLS) protocols. These are EAP-TLS, EAP-TTLS and EAP-PEAP. 3 Experimental part A. Configuration topology Our test platform is a miniature of WLAN compound by an access point, an authentication RADIUS server, a local area network, a wireless laptop and a PC station. Figure 2 shows the testbed architecture used on this experiment. Figure 2. Testbed architecture ISBN:

4 B. Hardware configuration Access point (AP) used in experiment is a D-link DWL 2100AP [18]. At this access point, are wireless connected a wireless client with Laptop HP (Celeron 1.5 GHz, 256 MB RAM) and a D-link DWL G650 wireless cardbus adapter [14]. For RADIUS Server we used a desktop PC (P IV, 2.6 GHz, 512 MB RAM) and for PC station another desktop PC (AMD 1,3 GHz, 256 MB RAM). All the Ethernet adapter are fast adapter (100 Mbps). C. Software configuration All the systems have installed Windows XP Home Edition as a operating system. We have installed following software components for various protocol used in testbed: RADIUS server is implemented with opensource software FreeRADIUS [19], X.509 Certificate (CA, Server, Client ) are issued with open-source software OpenSSL [16], Capturing packets are made with Ethereal packet analyzer. [17], TCP / UDP tuning and throughput measurement are made with Iperf [14] and Qcheck [19]. D. Experimental analysis Many factors affect network performance and some of them interact to provide overall performance results. Performance results depending on the choice of hardware device, software application, security policy and network topology. On the same conditions (hardware, software and network topology) we have measured the authentication time, throughput and response time for different types of security policy. Authentication time is defined as the time involved in a authentication phase of security protocol. Throughput refers to actual measured bandwidth, at a specific time of day, using specific routes, and while a specific set of data is transmitted on the network. The throughput (Th) can be calculated as (1): D Th= a R (1) D+ H where D is the payload length in, H is the length of all the protocol overheads associated with a specific transmission technology, R is the channel data rate, a is the packages transmission success rate. A possibility to evaluate the secured transfer efficiency could be the ratio between the throughput with no security overheads and the throughput with security overheads. Starting from the general formula for throughput as in (1) and considering S as being the security overheads, we have a modified equation, pointing on security affected throughput ThS (2): D Th S = a R (2) D+ H + S A degradation factor related to overheads for a given channel can be defined as a ratio between the secured throughput ThS and the throughput for a non-secured channel: Th s L = 100 [%] with L=D+H (3) Th L+ S where D is data field length, H are the usual protocol overheads and S are the overheads introduced by the different encryption methods. Response time is a measure of the delay in transmission of data between a sender and a receiver for a specific packet size. For this experimental analyze we have used the Iperf, Qcheck and Ethereal software programs. 1. Security configuration IEEE provides two mechanism of security: authentication and encryption. Authentication may be made with Shared key authentication mechanism and with different type of authentication mechanism run over the EAP protocol. In our research we used the EAP based on 802.1x family protocol for authentication (EAP TLS, EAP TTLS, EAP PEAP).For data encryption we used WEP (40 and 128 ), TKIP and AES encryption protocol. 2. Measurement methods For each security service configured, experimental data were collected in two phases, in a not congested network (normal situation). The first phase collects measurements from authentication protocols. The second phase focuses on generating different traffic and measurement the throughput and response time. In the first phase, we used Ethereal packet analyzer to capture the packets exchanged during authentication process. Data obtained here were used to compare the authentication time for different authentication protocols. On the second phase we used Iperf and Qcheck for generate TCP and UDP traffic between Wireless Laptop and PC station for measures the throughput and response time.for all tests, the wireless link was at a constantly 54 Mbps with level of radio signal more than 95%. 4. Results and discussion 1. Authentication Time Figure 3 show authentication time (in sec) for EAP TLS, EAP TTLS, EAP PEAP authentication protocols. Our research is based only to the 802.1x authentication framework. The shared key authentication not achieves the mutual authentication and when the authentication is completed does not result a session key. Authentication time for all the Certificates based protocol mention above is mostly the same. We can see that authentication process is smaller than 1 sec and appear after association phase. ISBN:

5 UDP Throughput EAP-PEAP EAP-TTLS 14,20 14,00 13,80 13,60 EAP-TLS No authentication 0,000 0,200 0,400 0,600 0,800 Figure 3. Authentication time 2. Throughput Figure 4 illustrates the throughput of TCP traffic for different encryption protocol. Performance measures were gathered by running seven repetitive tests at each encryption protocol. The throughput is smaller if we use the AES instead of TKIP (RC4) cipher. If we use the same protocol the throughputs decrease if increasing the secret key length. Mbps 18,20 18,00 17,80 17,60 17,40 17,20 17,00 16,80 16,60 16,40 AES TKIP WEP 128 s TCP Throughput WEP 40 Figure 4. Throughput for TCP No secure Figure 5 illustrates the throughput of UDP traffic for different encryption protocol. In this case, the trend is the same as in TCP traffic, but throughput is with cca. 20% lesser. 3. Response time Figure 6 illustrate the response time for TCP and UDP traffic. In this case, we measure the response time for 1K byte packet size (in a not congested network). Mbps 13,40 13,20 13,00 12,80 12,60 12,40 AES TKIP WEP 128 WEP 64 No secure AES TKIP WEP 128 WEP 40 Figure 5. Throughput for UDP 0,00 10,00 20,00 30,00 ms Figure 6. Per packet response time No secure UDP TCP 5 Conclusion In this paper, we presented experimental results of impact incurred by security policies on system performance in a not congested network. The results demonstrate that WEP policies cause least overhead, while AES and TKIP cause significant overhead but provide stronger security. Authentication process 802.1x with EAP-TLS cause lesser overhead than 802.1x with EAP- PEAP. The delay produce by the authentication process is smaller than 1 sec. Because the WLAN isn t very mobile (WLAN is implemented in relative limited area college campuses, airports, shops) the need for authentication is not very frequent and the benefits of that is evident. The authentication delay is bigger for EAP-PEAP towards other authentication Certificate based protocols. Using AES as encryption protocol we have obtained a smaller throughput and obviously the possibility of delivery less amount of data in a given time than in case of using TKIP or WEP, but this is the price for having a higher security. ISBN:

6 References: [1] Y. Zahur and T.A. Yang, Wireless LAN security and Laboratory design, Journal of Computing Science in Colleges, vol. 19, pp , January 2004 [2] W. A. Arbaugh, N. Shankar, J. Wang and K. Zhang, Your network has no clothes, IEEE Wireless Communication Magazine, December 2002 [3] D.B. Faria and D.R.Cheriton, DoS and authentication in Wireless Public Access Networks, pp , September [4] E Bertino, S. Jajodia, L. Mancini and I. Ray,Advanced transaction processing in Multilevel secure File Stores, IEEE Transactions on Knowledge and Data Engineering, vol. 10, pp , February 1998 [5] IEEE Std 802.1x-2001x: Port Based Network Access Control, June 2001 [6] Blunk, L., & J. Vollbrecht. (1998). PPP Extensible Authentication Protocol (EAP), RFC2284: Internet Engineering Task Force. [7] IEEE 802 Standards, [8] IETF, PPP EAP TLS Authentication Protocol, RFC 2716, October 1999 [9] Microsoft Wireless Security Windows XP, [10] Bellardo J. and Savage S Denial-of- Service Attacks: Real Vulnerabilities and Practical Solutions. Proceedings of the USENIX Security Symposium, Washington D.C. [11] Welch D., and Lathrop S Wireless Security Threat Taxonomy. Proceedings of the 2003 IEEE Workshop on Information Assurance United States Military Academy, West Point, NY, ISBN /03, [12] Xiao Y., Pan Y., Du X., Bandela C., and Dass K Security mechanisms, Attacks, and Security Enhancements for the IEEE WLANs. International journal of wireless and mobile computing. [13] Chen M., Kuo S., Li P., and Zhu M., Intrusion Detection in Wireless Mesh Networks, CRC Press 2007 [14] [15] [16] [17] [18] [19] ISBN:

How Insecure is Wireless LAN?

Page 1 of 7 How Insecure is Wireless LAN? Abstract Wireless LAN has gained popularity in the last few years due to its enormous benefits such as scalability, mobile access of the network, and reduced cost