WLAN Security Dr. Siwaruk Siwamogsatham ThaiCERT, NECTEC
Agenda Wireless Technology Overview IEEE 802.11 WLAN Technology WLAN Security Issues How to secure WLAN? WLAN Security Technologies
Wireless Technologies WPAN (Wireless Personal Area Network) Range 1-10 m Device-to-device links WLAN (Wireless Local Area Network) Range < 100 m, Indoor wireless network WMAN & WWAN (Wireless Metropolitan Area Network & Wireless Wide Area Network) Coverage over large areas, e.g., City & rural areas Outdoor wireless network
WPAN Range 1-10 m Low power consumption Technologies Infrared (IR Port) needs line of sight Bluetooth non-line of sight Data rate < 2 Mb/s Applications: Phone-to-phone data transfer Wireless headset Remote Control
WLAN Range < 100 m Home, office, indoor wireless networks 2.4 GHz: Unlicensed frequency band. Technologies: IEEE 802.11 (Wi-Fi) Data rate : 11-54 Mb/s (Bluetooth)
WMAN & WWAN Coverage over large areas, e.g. city & rural areas, outdoor wireless networks Typically, ISPs need licensed to operate Technologies: GPRS (GSM), CDMA Data rate < 128 kb/s 3G Cellular Networks Data rate < 2 Mb/s Wi-MAX (IEEE 802.16) Data rate > 2 Mb/s To be commercially available in about 2-3 years Laptop will have built-in Wi-Max devices
IEEE 802.11 Technology Home, office, indoor wireless networks Define Physical layer and MAC layer Wireless Ethernet 2.4 GHz: Unlicensed frequency band. ISM: 2.40-2.483 MHz Data rate < 54 Mb/s Range < 100 m (per base station device)
IEEE 802.11: CSMA/CA IEEE 802.3 Ethernet CSMA/CD (Carrier Sense Multiple Access/Collision Detection) Wait for random amount of time after carrier is not busy, before sending data Collision detection by checking for exceeded voltage If collision, restart the process IEEE 802.11 Wireless Ethernet CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance) Collision detection is not possible due to wireless nature Collision avoidance by keeping track of carrier busy schedule When sending data, length of transmission is also broadcasted, so that every one know how long a user will use the medium
IEEE 802.11 Devices Client Devices Notebook WLAN Access Point Desktop PDA 3G phone Antenna
History of IEEE 802.11 WLAN 1997 IEEE 802.11 Data rate: 1-2 Mb/s 1999 IEEE 802.11b Wi-Fi Data rate: 11 Mb/s 2003 IEEE 802.11g, Data rate: 54 Mb/s 2004 IEEE 802.11i Enhanced Security (2006???) IEEE 802.11n Data rate: > 100 Mb/s
IEEE 802.11: Usable Frequencies 2.4 2.483 GHz (ISM) 11 sub-channels (overlapping) 22 MHz Bandwidth for each channel 3 non-overlapping channels Channel 1 Channel 6 Channel 11
Wireless Security Issues Difficult to control signal radiation Difficult (impossible) to know if someone is listening/sniffing Difficult to track location of attackers Antenna can further extend attacking ranges Access point Wireless Hub Data Sniffing Unauthorized Access & Spy Signal Jamming/Interference
WLAN Security Threats Data Sniffing Tools: - AiroPeek,Kismet, Username/password User Email messages Internet chat Credit card Info. Access point Wireless Hub Hacker Invisible Sniffer!
WLAN Security Threats Unauthorized Client Access Internet War-Driving Internet attack MAC spoofing User Invisible Hacker
WLAN Security Threats Unauthorized/Rogue/Faked Access Points User Spy, Backdoor Man-in-the-Middle Attacks Inverse war-driving Mutual Authentication Issue! Rogue AP Hacker
WLAN Security Threats Jamming attack User 2.4 GHz RF jamming Packet flooding RF Jamming cannot be prevented! Hacker
How to secure SOHO WLAN? SOHO Small Office Home Office Use shared-key encryption feature of WLAN device every one uses the same share encryption key! WEP (Wired Equivalent Privacy) Ok! But out-of-date now coz it can be cracked! using software like Aircrack & Airsnort WPA-PSK New technology to replace WEP
How to Secure Enterprise WLAN? According to computer security principles, we need to address Technology Encryption & authentication People User security awareness Process Security Policy
Technology for Enterprise 802.11i (WPA) User Database Radius Switch Internet Router/Gateway AP AP
WPA & IEEE 802.11i WPA = Wi-Fi Protected Access (2003) TKIP (Temporal Key Integrity Protocol) Dynamic WEP per user per packet keying IEEE 802.11i (2004) AES or TKIP Authentication & automatic key management via IEEE 802.1x protocol Mutual client/server authentication
WPA/IEEE 802.11i Requirements WPA/IEEE 802.11i Access Points Client Windows XP Windows xx + 3 rd party software (e.g. Funk) (Linux) Authentication Server, e.g. RADIUS Odyssey by Funk (Commercialized) Windows 2000/2003 server (Commercialized) FreeRADIUS (Opensource)
Additional Technologies Firewall Treat WLAN as untrusted network Separate WLAN from Intranet Server farm Hub Intranet Firewall AP AP Internet
Additional Technologies Virtual AP & VLAN Multiple user groups for one AP Different security policy each group MAC Address Filtering Weak user authentication Hotspot gateway Widely used, e.g, Starbuck & True Wi-Fi User must login in before gaining access No encryption required! VPN User authentication + encryption
Solutions VPN Secured tunnel VPN Server Switch Internet Router/Gateway AP AP
Research at ThaiCERT/NECTEC Develop user-friendly multi-purpose secure WLAN server WPA/IEEE 802.11i support Hotspot gateway RADIUS Firewall VPN services Web-base user interface
ThaiCERT Wireless Manager Develop friendly graphic user interface for managing user account Features Add/Edit/Delete user account Generate user certification Status of users Manage RADIUS server
Solutions Authentication Gateway Commonly used in Wi-Fi hotspot User login is required before access the Internet Opensource Authentication Gateway Goal to create an authentication gateway appliance Develop friendly graphic user interface of gateway management Evaluate the performance
Solutions VPN Create secured tunnel to protect wireless communication Opensource VPN Server Goal to create a VPN server appliance Develop friendly graphic user interface of server management Support wide range of VPN solutions (i.e., PPTP, L2TP/IPSec, SSL) Support wide range of VPN clients (i.e., Windows OS, MAC OS, Linux) Evaluate the performance
Wireless Security Total Solution WLAN Manager (Radius, MySQL) VPN Server Switch Internet Auth. Gateway AP AP
Thank you siwaruk.siwamogsatham@nectec.or.th www.thaicert.nectec.or.th 02-564-6900