Securing the Wireless LAN

George Ou Network Systems Architect Contributing editor ZDNet

Contents

Introduction Relative risks of Wireless LANs Six dumbest ways to secure a WLAN Tools of the wireless LAN hacker The best ways to secure the WLAN SOHO WLAN implementations Enterprise WLAN implementations

Introduction

Wireless security is a huge headache in IT Wireless security widely misunderstood Wireless security is everyones problem even if you dont think you have a WLAN Banning WLANs often result in improvised home grown solutions Wireless LANs can be secured Wireless security applicable elsewhere in IT

Relative risks of Wireless LANs

Wireless security is NOT an oxymoron Less dangerous than having an Internet connection direct or indirect Attacks from the Internet can come from anywhere on the entire globe

Web/FTP/Mail/DNS Servers Back doors R00TK1T5 that can dial home

Attacks on Wireless LANs are limited to a couple of kilometers

Six dumbest ways to secure a WLAN

Overview

MAC authentication SSID hiding LEAP authentication Disabling DHCP Antenna placement and signal suppression Switch to 802.11a or Bluetooth Wireless LANs ______________________________________ Dishonorable mention: WEP

Original article on http://blogs.zdnet.com/Ou

Six dumbest ways to secure a WLAN

MAC authentication

Use of the word authentication is laughable All thats happening is MAC address filtering MAC addresses are transmitted in clear text Extremely easy to capture Extremely easy to clone and defeat Extremely difficult to manage MAC filtering

Six dumbest ways to secure a WLAN

MAC spoofing

Six dumbest ways to secure a WLAN

SSID hiding

No such thing as hiding an SSID All thats happening is Access Point beacon suppression Four other SSID broadcasts not suppressed

Probe requests Probe responses Association requests Re-association requests

SSIDs must be transmitted in clear text or else 802.11 cannot function

Six dumbest ways to secure a WLAN

LEAP authentication

Cisco LEAP authentication is extremely weak LEAP successor EAP-FAST not much better Cisco dominates Enterprise WLAN market Significant percentage of Cisco shops use LEAP but have started to migrate to EAP-TLS LEAP and EAP-FAST are free on client side Only Cisco can sell LEAP and EAP-FAST on Access Points Cisco APs support all open authentication standards like EAP-TLS and PEAP

Six dumbest ways to secure a WLAN

Disabling DHCP

Disabling DHCP and forcing the use of Static IP addresses is another common myth IP schemes are easy to figure out since the IP addresses are sent over the air in clear text Takes less than a minute to figure out an IP scheme and statically enter an IP address

Six dumbest ways to secure a WLAN

Antenna placement and signal suppression

Antenna placement and signal suppression does nothing to encrypt data The hackers antenna is bigger than yours Directional high-gain antennas can pick up a weak signal from several kilometers away Lowering the signal hurts legitimate users a lot more than it hurts the hackers Wi-Fi paint or wall paper not 100% leak proof and very expensive to implement

Six dumbest ways to secure a WLAN

Switch to 802.11a or Bluetooth wireless LANs

802.11a is a transport mechanism similar to 802.11b or 802.11g 802.11a has nothing to do with security Pray that the hacker doesnt have 5 GHz 802.11a capable equipment Bluetooth is more of a wireless USB alternative Can be used for wireless networking but not designed as an 802.11 a or b/g replacement

Six dumbest ways to secure a WLAN

Dishonorable mention: WEP

WEP barely missed the six dumbest list because it can still hold up for a couple of minutes Hacker named KoreK releases new WEP analysis tool in August 2004 WEP coupled with 802.1x and EAP key rotation (AKA DWEP) is considered broken Packet injection techniques lowers WEP cracking times to minutes

Article: Next generation WEP cracking tools

Tools of the wireless LAN hacker

Overview

Software

Auditor CD Kismet ASLEAP Void11, Aireplay, Airedump, and Aircrack

Hardware

Cheap and compatible cardbus adapters Omni directional high-gain antennas Directional high-gain antennas Off the shelf Laptop computer

Tools of the wireless LAN hacker

Auditor CD

Bootable Linux CD with every security auditing tool under the sun Everything needed to penetrate most wireless LAN and more Mentioned as a favorite of the FBI Relatively easy to use

Tools of the wireless LAN hacker

Kismet

Kismet is a Linux wireless LAN audit tool Can see hidden SSIDs Can see MAC addresses Can see IP schemes Can capture raw packet GUI version lays everything out

Tools of the wireless LAN hacker

ASLEAP

ASLEAP cracks Cisco LEAP authentication Exploits weak MSCHAPv2 authentication Uses pre-computed indexed hash tables Checks 45 million passwords a second Upgraded to support PPTP VPN cracking

Tools of the wireless LAN hacker

Void11, Aireplay, Airedump, and Aircrack

New set of tools makes WEP cracking hundreds of times faster Void11 forces users to re-authenticate Aireplay monitors re-auth session for ARP and then plays back the ARP request to trigger responses from legitimate computers Airedump captures all of the raw packets Aircrack only needs 200,000 packets instead of 10,000,000 packets from previous tools

Tools of the wireless LAN hacker

Hardware: Cheap and compatible cardbus adapters

Prism 2/3 based 802.11b adapters PrismGT based 802.11 b/g adapters Atheros based 802.11 a/b/g adapters All typically around $40 to $70 USD All compatible with Linux cracking tools

Tools of the wireless LAN hacker

Omni directional high-gain antennas

Typically 7 to 9 dB gain General purpose surveying and war driving Can be used to create evil twin access point Less than $100 USD

Tools of the wireless LAN hacker

Directional high-gain antennas

Used to aim and focus in on victim Picks up weak signals many kilometers away Around $100 USD

Tools of the wireless LAN hacker

Off the shelf Laptops

Any Laptop or PC can be used for hacking New Laptops with good cracking speed are as low as $400 USD Wireless hacking is NOT cost prohibitive!

The best ways to secure the WLAN

Overview

Good cryptography allows secure communications over unsecured medium Follow best practice cryptographic principles

Strong authentication Strong encryption

WPA and WPA2 standards

The best ways to secure the WLAN

Strong authentication background

Strong authentication is often overlooked Well established secure authentication methods all use SSL or TLS tunnels TLS is the successor of SSL SSL has been used for nearly a decade in ECommerce SSL or TLS requires Digital Certificates Digital Certificates usually involves some form of PKI and Certificate management

The best ways to secure the WLAN

Strong authentication in Wireless LANs

Wireless LANs typically use 802.1x and EAP Common standard EAP types are EAP-TLS, EAP-TTLS and PEAP LEAP and EAP-FAST are not standard EAP-TLS requires server and client certificates EAP-TTLS and PEAP only require client-side certificates EAP-TTLS created by Funk and Certicom PEAP created by Microsoft, Cisco and RSA

Details on EAP types at: http://blogs.zdnet.com/Ou/?p=67

The best ways to secure the WLAN

Strong authentication and RADIUS servers

EAP authentication requires RADIUS support in Access Point and one or more RADIUS servers Microsoft Windows 2003 Server has fully functional RADIUS component called IAS

Supports EAP-TLS and PEAP Windows 2000 only supports EAP-TLS Easily integrates in to NT domains or Active Directory

Funk software makes Steelbelted and Odyssey Open source FreeRadius supports broad range of EAP types

The best ways to secure the WLAN

Strong encryption

Encryption is well understood No known methods of breaking good encryption DES encryption has never been crypto-analyzed in nearly 30 years and must be brute forced 3DES still considered solid but slow AES is the official successor to DES and is solid at 128, 192, or 256 bits

The best ways to secure the WLAN

Strong encryption in Wireless LANs

RC4 encryption is known to be weak WEP uses a form of RC4 encryption Dynamic WEP makes WEP cracking harder TKIP is a rewritten WEP algorithm No known methods against TKIP yet but some theoretical attacks are on the horizon AES encryption mandated in the newest Wireless LAN standards is rock solid

The best ways to secure the WLAN

WPA and WPA2 standards

WPA used a trimmed down version of 802.11i WPA2 uses the ratified 802.11i standard WPA and WPA2 certified EAP types

EAP-TLS (first certified EAP type) EAP-TTLS PEAPv0/EAP-MSCHAPv2 (Commonly known as PEAP) PEAPv1/EAP-GTC EAP-SIM

WPA requires TKIP capability with AES optional WPA2 requires both TKIP and AES capability

Details on EAP types at: http://blogs.zdnet.com/Ou/?p=67

SOHO WLAN implementations

Minimum encryption should be TKIP Run AES encryption if possible EAP authentication usually not feasible for Small offices and home offices SOHO WLANs usually rely on WPA-PSK PSK (pre-shared keys) are easier than WEP with 26 HEX digits PSK must be at least 8 alphanumeric random characters Zyxel offers Access Points with PEAP RADIUS built-in

Enterprise WLAN implementations

WPA and WPA2 standards

Minimum encryption should be TKIP Run AES encryption if possible EAP-TLS authentication recommended PEAP or EAP-TTLS authentication at a minimum

Enterprise WLAN implementations

Wireless Switches

Wireless LAN switches manage large numbers of Access Points Much easier to manage Wireless switch makers

Symbol Cisco Airespace Aruba

Enterprise WLAN implementations

Advanced security implementations

Multiple Virtual SSID and VLAN support VLAN assignment based on group membership Guest Wireless LANs that are isolated Mitigating WEP security risks for WEP only devices using Firewall or Router ACLs (Access Control Lists) Can be done with single device such as the Cisco 851W which is a Firewall, Router, Managed Switch, and Access Point all-in-one