Security for Wireless Computing. Anthony Gauvin

Running head: SECURITY FOR WIRELESS COMPUTING Security for Wireless Computing 1 Security for Wireless Computing Anthony Gauvin

Security for Wireless Computing 2 Abstract Many corporations and small business are moving to 802.11 wireless technologies for their local area networks without a complete understanding of the security risks involved. According to published research, many of the original security solutions to wireless local area network (WLAN) security are inherently weak and do not provide adequate security. Newer, more robust, wireless security technologies are being developed but have not had widespread acceptance within corporate information infrastructures. Corporations and organizations with wireless networks are at risk. This paper seeks to educate Information Technology managers and professionals about the security risks of WLAN technologies and provide some viable approaches to securing a wireless network.

Security for Wireless Computing 3 Table of Contents Introduction... 4 How Wireless Computing Works... 4 Security Issues with WLANS... 7 Existing Wireless Security Solutions... 9 New Solutions to Wireless Security... 15 Conclusions... 19 References... 21

Security for Wireless Computing 4 Security for Wireless Computing Introduction One of the more exciting information technologies to come about in the last several years was wireless computing. No longer do computer users have to be tied to massive desktop computers to accomplish their daily tasks. With a wireless enabled laptop or personal digital assistant (PDA), employees can roam freely throughout office buildings while continuing to work and converse on organizational information networks. The freedom to roam and work has increased productivity and morale, earning praise for wireless networks from workers and management alike. The information technology personnel are also enamored of wireless computing. It has reduced the cost of providing networks since the cost of wireless access points and the supporting wireless access cards is much less than the cost of running data wiring to each computer enabled office.(lewis, 2004) The physical work involved in deploying wireless networks is also decreased. It is no wonder that wireless networks grew at such rapid rates. All this growth quickly stalled however, when wireless security concerns became known. How Wireless Computing Works A discussion of the relative insecurity of wireless computing cannot begin until a discussion of how wireless computing was originally designed is presented. The insecurity

Security for Wireless Computing 5 of wireless computing originates from the desire of the designers of wireless computing to provide roaming, unencumbered access to computer networks for wireless users. This desire to provide free, open and easy access to computer networks often conflicts with many organizations desire to keep their data safe from prying eyes. Security and wireless computing is simply a case of you can t have your cake and eat it too. The dominant wireless networking standard is defined in the Institute for Electrical and Electronics Engineers (IEEE) 802.11 specifications for wireless Ethernet networks. This is a publicly available specification and the intent is to have all wireless vendors adhere to the specification and insure interoperability of components from competitors. The three most popular wireless local area network (WLAN) standards are 802.11a, 802.11b and 802.11g. 802.11b is the market leader with 802.11g quickly gaining ground. All three standards are similar in operation and are differentiated by bandwidth and the frequency band of the signals transmitted and received. The insecurity of WLAN is not manifested in the bandwidth or frequency of operation so we will refer to 802.11 WLANs in general and not to any specific standard. (Siegel, Levine, & Siegel, 2004) WLANs operate in one of two modes, ad-hoc or infrastructure. Ad-hoc defines a method of wireless computer peers to exchange data without a predefined network infrastructure and has not met with great success. The infrastructure mode of operation is predominantly used for

Security for Wireless Computing 6 construction of wireless networks and requires two components; wireless access point(s) connected to a traditional wired network and wireless network interface card(s) installed into the computing devices. The access points act as electronic bridges, converting and translating data from the wireless network to wired networks and vice versa. Access points can be deployed singly or in groups called a distribution system. The wireless network interface cards installed in the computers converse with the access point(s) and through the access point(s) can access to the wired networks and other wireless computing devices. (Krouse & Ross, 2002) Wireless enabled computing devices must gain knowledge of the access points in order to establish communications with the network. The process of learning about available wireless network is called association. The method of identification for association is a Service Set Identifier or SSID. This SSID can either be entered into the computer manually or discovered dynamically. In the case of manually inserted information, the computing device must then broadcast this SSID in search of the correct access point to respond, establish communications and create the association. Dynamic configuration requires the access points to broadcast a beacon frame announcing its presence with the correct SSID in the beacon frame for the wireless computing devices to respond and create the association. (Arbaugh, Shankar, & Wan, 2001) An analogy would be that either the device shouts the correct name (SSID) out or

Security for Wireless Computing 7 the access points do. The association is created when the other side responds Yes, that s me. Here I am. Once an association is created between the access point and the wireless computing device, the computing device becomes a peer on wireless network and through the access point bridging capabilities, a peer on the wired network. The association process corresponds to the plugging in of a network cable between a device and the network on a wired network. Organizational network policy may require other authentication and configuration protocol after association but generally whatever protocol are established for the computers physically wired to the network apply to the wireless computers also. Security Issues with WLANS It should be become very obvious from the previous discussion that limitations of access was not a design concern for WLAN, in fact, ease of access was the primary concern. The process of association on WLANs is easily subverted. A miscreant computer user merely has to get his computer to lie about the SSID to become a peer on a WLAN. If the wireless access point is broadcasting beacon frames, than the miscreant computer user merely has to respond in the affirmative and access is gained. If the access point is silent, the miscreant computer waits for any other device to create an association with the access and then mimic the electronic conversations of the other device to gain access. This process of gaining access has become a popular

Security for Wireless Computing 8 activity with hackers and has been termed War-Driving. (Berghel, 2004) War-driving relies on the nature of radio frequency (RF) propagation of the wireless access point and wireless devices. While different standards determine different frequencies and power requirements for transmitting and receiving RF signals, a good assumption is the WLAN RF propagation has a range of about 100 feet. The area in which the signals from a wireless device can be utilized is about a one acre large circle centered on the device. Clearly, WLAN RF propagation can extend beyond the building and even beyond the property owned by the organization that deployed the wireless devices. As a result, access to the wireless network is available to a hacker, with the right equipment, that is driving by on a publicly accessible roadway or parked in the corporate parking lot. These hackers can do more than just access and listen. They can mount denial-of service attacks; insert viruses, worms and spam into the networks; and do other mischief. (Panko, 2004, p. 239) The standard method for securing data from prying eyes is encryption. The 802.11 WLAN standards include Wired Equivalent Privacy (WEP) encryption protocol. WEP is a symmetric (one-key) encryption protocol that uses a static shared key that must be known both to the access point and the wireless enabled devices before encryption can occur. This shared key is used to both authenticate the access point and wireless devices to each other and to encrypt the data sent between them. (Campbell, Calvert, & Boswell, 2003) WEP was intended to provide the same level of

Security for Wireless Computing 9 security that was available on wired networks. The reality however is that WEP has severe mathematical flaws and an attacker can break the encryption code easily with freely available software from the Internet. (Liska, 2003) The greatest security hole created by WLAN technology is the ease and low cost of deployment. Several networking venders are selling Do it yourself WLAN kits that cost under $100 to purchase and deploy. Many companies are finding rogue WLANs in their corporation information infrastructures set-up by employees that wanted all the advantages of the WLANS but did not want bother the IT folks to set-up a WLAN for them. These rouge WLAN are often deployed with none of the security options enabled since most of the do-it-yourself installers have no knowledge of the inherent security risks of WLANs. An organization that has implemented a progressive security policy becomes just as vulnerable as one that hasn t as these rogue WLANs become open door invitations for hackers. (Pescatore, 2004) Existing Wireless Security Solutions The are many existing solutions to providing security for wireless networks and in this section we will discuss the first generation of these security solutions along with some reasons why these solutions do not provide the desired level of security. Security was not a concern for the original development of WLAN so most these solutions were implemented

Security for Wireless Computing 10 after the fact and as such are merely band-aids over gaping wounds. The first security solution deals with locating the access points nearer to the physical center of the enterprise. Since the RF propagation limits are fixed, if the access points can be deployed such that none of the RF leaks beyond the physical limits of a physically secured building than the hacker will not be able to access the wireless networks. While this seems to be a very common sense approach, it relies on the hackers playing by the rules and only using the standard, vendor supplied equipment for wireless devices. Hackers, however, have developed more sensitive antennas. Methods for constructing these specialty antennas are well known and published on the internet. (Berghel, 2004) The most often used war-driving antenna is constructed from an empty can of Pringles potato chips and some wiring. The instruction for constructing the antenna can be found at http://verma.sfsu.edu/users/wireless/pringles.php The SSID and the association process provide another level of security for wireless networks. As stated before in the discussion of how WLANs work, the SSID is used to identify wireless devices to each other and as such provides authentication. Disabling the access point from broadcasting the SSID requires every device desiring to connect to the access point to know the correct SSID before accessing the WLAN. There are two problems with this approach. The first is that configuring SSIDs on the access point is a complicated task and most IT professionals will leave the access point configured

Security for Wireless Computing 11 with the default SSID that was configured at the factory. Table 1 (Liska, 2003, p.186) shows the default SSIDS from the more popular manufactures of wireless access points. Hackers simply try the default SSIDs to gain access. The second problem with using SSID as an authentication method is that the intruder can simply monitor the WLAN traffic till a new device joins the WLAN and broadcasts the supposable secret SSID for the intruder to read. Even if encryption is enabled on the WLAN the SSID is allways broadcast in the clear (un-encrypted). Table 1 Default SSIDS for More Popular Manufactures Manufacturer Cisco Compaq DLink Default SSID 2 or tsunami Compaq WLAN INTEL Intel,xlan, or 101 SMC WLAN Another method to limit access to a wireless networks is similar to a method used to control access to a wired network. All devices that are able to connect to an Ethernet networks (WLANS are a subset of Ethernet networks) have a unique Media Access Control (MAC) address that uniquely identifies each communicating device. These MAC addresses are burned-in at the factory into all devices that can connect to an Ethernet network and. MAC addresses are globally unique, no two devices can have

Security for Wireless Computing 12 the same MAC. These MAC(s) can be used to limit access to the corporate networks. While a MAC addresses identifies each device, a higher order address, usually TCP/IP, is required to participate on the network. The process that assigns these higher-order addresses is generally done by a Dynamic Host Configuration Protocol Server (DHCP). By limiting the DHCP server to assigning addresses to those devices that have known MAC(s), you can deny unknown devices from getting the higher order addresses needed to participate on the network. The network access points can also be configured to allow associations only from known MAC(s) Most access points manufactures allow the storage of up to 255 known good MAC(s) in to an allowable device list stored on the access point. The access point will then only allow associations from the list of known good MAC(s). This, of course, means that the access point must be reconfigured before a new user is allowed to join the WLAN. Most IT professionals will not enable this option since it creates more work for them. Every time a new wireless device is purchased, all access points must be reconfigured to accept the new MAC. (Liska, 2003) Both of the methods of filtering out intruder devices by the MACS addresses can be defeated by a wireless device that can set any arbitrary MAC in the network data packets it sends out. While the MAC(s) are burned into the NIC and cannot be changed, the process that takes the burnt-in MAC and places it into the network packet is software and software is easily modified. All an intruder device has to do is discover a good MAC and use it

Security for Wireless Computing 13 to gain access. This can be done by guessing or by listening in on the existing WLAN network traffic. All Ethernet network traffic carries the MACs of both the sender and the receiver in clear text. The intruder device simply steals the MAC address of an allowed device and uses that MAC to gain access. This process of subverting address is called spoofing and is used by hackers on both wired and wireless networks. (Liska, 2003) WEP can be used to encrypt data in wireless transmission but it cannot be used to encrypt MAC or higher order addresses. WEP only encrypts data between the access points and a wireless device that has associated with that particular access point. Since access points were intended to be low-cost devices, the encryption algorithm chosen for WEP is not a computational intensive double-key system but a single-key symmetric algorithm called RC4. The strength of any encryption system using keys is total number of possible keys that can be used for encryption. If the number of possible keys is small, a hacker will try all possible keys till they are able to decrypt the encrypted text. (Bishop, 2003) While RC4 does not define the key length, most implementations provide key lengths of 40 to 128 bit keys, allowing 2 40 to 2 128 possible keys. While this number of possible keys should be sufficient, there are number of flaws in the RC4 algorithm that mathematically reduce this number of possible keys. (Flurher, Mantin, & Shamir, 2001) Borisov, Goldberg, and Wagner, (2001) have also documented implementation problems in the WEP protocol that limit its effectiveness. While the technical treatments of these two discovery papers are beyond

Security for Wireless Computing 14 most hackers to implement, that job has been made easier for hackers by downloading AirSnort (http://airsnort.shmoo.com/) or WebCrack (http://sourceforge.net/projects/wepcrack), two free WEP key cracking tools that implement the techniques describe in the two papers. The last of the exiting security mechanism discussed which is currently available for WLANs is a Remote Authentication Dial in User Service (RADUIS). RADIUS is a server that is used for centralized account authentication. Requiring access points to use RADIUS authentication means that any device wishing to create an association with the access point must supply a username and password that has been stored in the RADIUS server. While this provides stronger security than the previously discussed methodology, hackers have long known how to defeat RADIUS and password are easily guessed. Since RADIUS is simply an authentication scheme and not an encryptions device, data is still subject to electronic eavesdropping. (Liska, 2003) Before the discussion of the more robust ways of securing a WLAN, an appropriate step is to determine the current security measures the corporate world is using to secure their WLANs. Every year, an informal organization of hackers embarks on a world-wide war driving effort to find as many access points as they can, survey the security measures employed, record the data for others to use and publish the results of that effort on the Internet at http://www.worldwidewardrive.org/. A summary of 2004 world-wide war-drive results is given in Table 2. (Hurley, 2004) The reality is sobering, not even the simplest of security

Security for Wireless Computing 15 protocols are being used on most WLANs. The more serious problem is, despite all the recent publications about WLAN insecurity, the percentage of WLANs that are deployed with no security measures at all has increased. Table 2 Summary of June 2004 World Wide War Drive Category Total Percent Percent Change from last year Total APs Found 228537 100% N/A WEP Enabled 87647 38.30% +6.04% No WEP Enabled 140890 61.6% -6.04% Default SSID 71805 31.4% +3.57% Default SSID and No WEP 62859 27.5% +2.74% New Solutions to Wireless Security The IEEE has also been looking into wireless security and has been developing a new set of security protocols for wireless computing. This new suite of tools is part of the 801.11i standards. While the new specification has yet to be ratified, some of the current work done in developing the new standard has resulted in improvements to WEP such as Temporal Key Integrity

Security for Wireless Computing 16 Protocol (TKIP) and an new encryption scheme, Wi-Fi Protected Access (WPA), that replaces RC4 with the more secure Advance Encryption System (AES) developed by the National Security Agency (NSA).(Farrow, 2003) While these modifications greatly enhance the security of WLANs, vendors have been slow to implement these new technologies since the technologies make their existing inventories of 802.11 wireless products obsolete. Organization will be required to scrap their existing WLAN infrastructures in favor of the new products since there are minimal backwards capabilities in new 802.11i specification. (Liska, 2003) One of the more exciting technologies for enhancing WLAN security is Frequency Selective Surfaces. (Institution of Electrical Engineers, 2004) Frequency Selective Surfaces (FSS) are smart building panels that can block out chosen wavelengths of RF while allowing others to pass. This provides a new approach to providing security for wireless networks by modifying building construction to prevent the wireless radio frequency (RF) signals from propagating into unsecured physical spaces. A concern is while companies need to limit RF propagation for wireless networks they do not want to attenuate any cellular and other wireless phone signal which also operate in an adjacent band in the RF spectrum. FFS can attenuate signals in one band and not disturb signals in a nearby band. Building construction with FSS construction panels and FSS window treatments can effectively constrain the wireless networks RF signals to the desired physical spaces. It would

Security for Wireless Computing 17 greatly enhance security for wireless networks since any access must be from within predefined physical areas which can be made secure. This would effectively stop the war driving method of gaining access to wireless networks. FSS technology makes wireless networks the security equivalent of wired networks. (Newbold, 2004) By now you are wondering why anyone would be foolish enough to deploy a WLAN. The reasons for creating a WLAN are still valid. WLANs provide freedom and ease of use, save money on deployment and provide ubiquitous access. In fact, these are some of the same very reasons companies connected to the Internet. The answer to WLAN security is the same answer to Internet security; treat the WLAN network as a HOSTILE network just like the Internet! Industry has had solutions for connecting secure private networks to and through the Internet for years now and these same technologies can be used for WLANS. These technologies include Firewalls, Intrusion Detections Systems, Virtual Private Networks and robust public/private key encryptions system. These same systems can be used to secure a wireless network. With the right security tools, Internet and wireless computing can be made safe. Having been a network security professional for several years, my approach to deploying WLANs was the same approach I used when connecting remote users to secure networks. That approach was to use a combination of Firewall and Virtual Private Networks (VPN) technologies. Key to the use of these technologies is the assumption that the WLAN is a hostile

Security for Wireless Computing 18 network and that hackers can and will use this WLAN to try to penetrate and compromise the secure corporate network. Access points must be deployed on the outside of firewall. If the access point is compromised, the secure network is not. All access through the firewall must be encrypted traffic and part of a VPN tunnel of traffic that originated from a VPN enabled wireless device on the WLAN and terminates in a VPN concentrator that is sandwiched into a demilitarized zone (DMZ) bordered by two firewalls. Figure 1 shows the desired configuration. Figure 1 Securing a WLAN through VPN technology VPN Tunnels The WLAN firewall is configured to allow only properly configured VPN tunnels to pass through it. Any device that tries

Security for Wireless Computing 19 to connect through the WLAN to the secure network must have a properly configured VPN client. The DMZ firewall is configured the allow traffic that originates from or terminates to the VPN concentrator. The only way that a hacker can penetrate through the WLAN is to get control of a properly configured wireless device or to clone a properly configured device. While this is not impossible, it is highly improbable and most hackers will seek out softer targets. This solution adds cost to a WLAN deployment and, as such, means many organizations will not use this technique. If you must have a secure WLAN, this is certainly one way to proceed. Conclusions As with every Information technology project, security must be a primary consideration. For security to effective, it must be deployed proportional to risk. WLANs present a security risk to organizations but providing security for WLANs is not an insurmountable challenge. There are security solutions available for WLANs to mitigate those most conceivable risks. What organizations must ask is the cost of securing a WLAN worth the benefits gained from deploying the WLAN? The answer will be different for many organizations. Many will elect not to deploy WLAN. Others will deploy WLANs since benefits overcome the inherent risks and will deploy WLAN with little to no security enabled.

Security for Wireless Computing 20 References Arbaugh, W. A., Shankar, N., & Wan, J. Y. (2001). Your 802.11 Wireless Network has No Clothes. Unpublished manuscript, University of Maryland at College Park. Retrieved October 21, 2004, from http://www.cs.umd.edu/%7ewaa/wireless.pdf Berghel, H. (2004). Wireless Infidelity I: War Driving. Communications of the ACM, 47(9), 21-28. Bishop, M. (2003). Computer Security, Art and Science. Boston: Addison Wesley. Borisov, N., Goldberg, I., & Wagner, D. (2001). Intercepting Mobile Communications, The Insecurity of 802.11. Seventh Annual Conference on Mobile Computing and Networking. Campbell, P., Calvert, B., & Boswell, S. (2003). Security+ Guide to Network Security Fundamentals. Boston: Thomson Course Technology. Farrow, R. (2003). Wireless Security: Send in the Clowns? Network Magazine, 18(9), 57-57. Retrieved October 24, 2004, from Academic Search Premier Web Site: http://search.epnet.com/login.aspx?direct=true&authtype=coo kie,ip,url,uid&db=aph$an=10785802 Flurher, S., Mantin, I., & Shamir, A. (2001). Weakness in the Key Scheduling Algorithm of RC4. Eighth Annual Workshop on Selected Areas in Cryptography. Retrieved October 20, 2004, from http://www.drizzle.com/%7eaboba/ieee/rc4_ksaproc.pdf Hurley, C. (n.d.). WWWW4 Stats. Retrieved October 28, 2004, from http://www.worldwidewardrive.org/

Security for Wireless Computing 21 Institution of Electrical Engineers (2004). Islands Boost Wireless Efficiency. IEE Review, 50(30), 15-20. Retrieved October 27, 2004, from Academic Search Premier Web Site: http://search.epnet.com/login.aspx?direct=true&authtype=coo kie,ip,url,uid&db=aph$an=12840593 Krouse, F. K., & Ross, K. W. (2002). Computer Networking (2nd ed.). Boston: Addison Wesley. Lewis, M. (2004). A primer on wireless networks. Family Practice Management, 11(2), 69-71. Retrieved October 28, 2004, from Academic Search Premier Web Site: http://seacrh.epnet.com/login.aspx?direct=true&authtype=coo kie,ip,url,uid&db=aph&an=12444520 Liska, A. (2003). The Practice of Network Security, Deployment Strategies for Production Networks. Upper Saddle River, NJ: Prentice Hall. Newbold, A. (2004). Designing Buildings for the Digital Age. Computing and Control Engineering, 15(14), 36-40. Retrieved September 25, 2004, from http://search.epnet.com/login.aspx?direct=true&authtype=coo kie,ip,url,uid&db=buh$an=13478871 Panko, R. (2004). Business Data Networks and Telecommunications (5th ed.). Upper Saddle River, NJ: Prentice Hall. Pescatore, J. (2004). DIY Wireless Nets open Security Holes. IEE Review, 50(8), 13-14.

Security for Wireless Computing 22 Siegel, J. G., Levine, M. H., & Siegel, R. M. (2004). Security safeguards over wireless networks. CPA Journal, 74(6), 68-71. Retrieved October 22, 2004, from Business Source Premier Web Site: http://search.epnet.com/login.aspx?direct=true&authtype=coo kie,ip,url,uid&db=buh$an=13478871