
SEMINAR REPORT

ON
WIRELESS LAN SECURITY
Contents:
I. Introduction
II. Wireless LAN Deployment
III. Wireless LAN Security Overview
IV. Protecting Wireless LANs
V. Wireless LAN Security Summary
I. Introduction
a. The 802.11 Wireless LAN Standard
In 1997, the IEEE ratified the 802.11 Wireless LAN standards, establishing a global standard for implementing and deploying Wireless LANs. The throughput for 802.11 is 2Mbps, which was well below the IEEE 802.3 Ethernet counterpart. Late in 1999, the IEEE ratified the 802.11b standard extension, which raised the throughput to 11 Mbps, making this extension more comparable to the wired equivalent. The 802.11b also supports the 2 Mbps data rate and operates on the 2.4GHz band in radio frequency for high-speed data communications.
As with any of the other 802 networking standards (Ethernet, Token Ring, etc.), the 802.11 specification affects the lower layers of the OSI reference model, the Physical and Data Link layers.
The Physical Layer defines how data is transmitted over the physical medium. The IEEE assigned 802.11 two transmission methods for radio frequency (RF) and one for Infrared. The two RF methods are frequency hopping spread-spectrum (FHSS) and direct sequence spread-spectrum (DSSS). These transmission methods operate within the ISM (Industrial, Scientific, and Medical) 2.4 GHz band for unlicensed use. Other devices that operate on this band include remote phones, microwave ovens, and baby monitors.
FHSS and DSSS are different techniques to transmit data over radio waves. FHSS uses a simple frequency hopping technique to navigate the 2.4GHz band, which is divided into 75 sub-channels of 1MHz each. The sender and receiver negotiate a sequence pattern over the sub-channels.
DSSS, however, utilizes the same channel for the duration of the transmission by dividing the 2.4 GHz band into 14 channels at 22MHz each, with 11 channels overlapping the adjacent ones and three non-overlapping channels. To compensate for noise and interference, DSSS uses a technique called "chipping", where each data bit is converted into redundant patterns called "chips".
The Data Link layer is made up of two sub-layers, the Media Access Control (MAC) layer and the Logical Link Control (LLC) layer. The Data Link layer determines how transmitted data is packaged, addressed and managed within the network. The LLC layer uses the identical 48-bit addressing found in other 802 LAN networks like Ethernet, whereas the MAC layer uses a unique mechanism called carrier sense multiple access, collision avoidance (CSMA/CA). This mechanism is similar to the carrier sense multiple access collision detect (CSMA/CD) used in Ethernet, with a few major differences. As opposed to Ethernet, which sends out a signal until a collision is detected before a resend, CSMA/CA senses the airwaves for activity and sends out a signal when the airwaves are free. If the sender detects conflicting signals, it will wait for a random period before retrying. This technique is called "listening before talking" (LBT) and probably would be effective if applied to verbal communications also.
To minimize the risk of transmission collisions, the 802.11 committee decided on a mechanism called Request-To-Send / Clear-To-Send (RTS/CTS). An example of this would be when an AP accepts data transmitted from a wireless station; the AP would send an RTS frame to the wireless station that requests a specific amount of time that the station has to deliver data to it. The wireless station would then send a CTS frame acknowledging that it will wait to send any communications until the AP completes sending data. All the other wireless stations will hear the transmission as well and wait before sending data. Due to the fragile nature of wireless transmission compared to wired transfers, the acknowledgement model (ACK) is employed on both ends to ensure that data does not get lost in the airwaves.
b. 802.11 Extensions
Several extensions to the 802.11 standard have been either ratified or are in progress by their respective task group committees. Below are three current task group activities that affect WLAN users most directly:
802.11a
The 802.11a ("another band") extension operates on a different physical layer specification than the 802.11 standard at 2.4GHz. 802.11a operates at 5GHz and supports data rates up to 54Mbps. The FCC has allocated 300MHz of RF spectrum for unlicensed operation in the 5GHz range. Although 802.11a supports much higher data rates, the effective distance of transmission is much shorter than 802.11b; it is not compatible with 802.11b equipment and in its current state is usable only in the US. However, several vendors have embraced the 802.11a standard and some have dual band support in AP devices and network cards.
802.11b
The 802.11b ("baseline") is currently the de facto standard for Wireless LANs. As discussed earlier, the 802.11b extension raised the data rate bar from 2Mbps to 11Mbps, even though the actual throughput is much less. The original method employed by the 802.11 committee for chipping data transmissions was the 11-bit chipping encoding technique called the "Barker Sequence". The increased data rate from 2Mbps to 11Mbps was achieved by utilizing an advanced encoding technique called Complementary Code Keying (CCK). CCK uses Quadrature Phase Shift Keying (QPSK) for modulation to achieve the higher data rates.
802.11g
The 802.11g ("going beyond b") task group, like 802.11a, is focusing on raising the data transmission rate up to 54Mbps, but on the 2.4MHz band. The specification was approved by the IEEE in 2001 and is expected to be ratified in the second half of 2002. It is an attractive alternative to the 802.11a extension due to its backward compatibility with 802.11b, which preserves previous infrastructure investments.
The other task groups are making enhancements to specific aspects of the 802.11 standard. These enhancements do not affect the data rates. These extensions are below:
802.11d
This group is focusing on extending the technology to countries that are not covered by the IEEE.
802.11e
This group is focusing on improving multi-media transmission quality of service.
802.11f
This group is focusing on enhancing roaming between APs and interoperability between vendors.
802.11h
This group is addressing concerns on the frequency selection and power control mechanisms on the 5GHz band in some European countries.
802.11i
This group is focusing on enhancing wireless LAN security and authentication for 802.11, including incorporating Remote Access Dialing User Service (RADIUS), Kerberos and network port authentication (IEEE 802.1X). 802.1X has already been implemented by some AP vendors.

c. 802.11 Security Flaws
802.11 wireless LAN security, or the lack of it, remains at the top of most LAN administrators' list of worries. The security for 802.11 is provided by the Wired Equivalency Policy (WEP) at the MAC layer for authentication and encryption. The original goal of the IEEE in defining WEP was to provide the equivalent security of an "unencrypted" wired network. The difference is that wired networks are somewhat protected by the physical buildings they are housed in. On the wireless side, the same physical layer is open in the airwaves.
WEP provides authentication to the network and encryption of transmitted data across the network. WEP can be set either to an open network or to utilizing a shared key system. The shared key system used with WEP as well as the WEP encryption algorithm are the most widely discussed vulnerabilities of WEP. Several manufacturers' implementations introduce additional vulnerabilities to the already beleaguered standard.
WEP uses the RC4 algorithm, known as a stream cipher, for encrypting data. Several manufacturers tout larger 128-bit keys, but the actual size available is 104 bits. The problem with the key is not the length, but lies within the actual design of WEP, which allows the secret to be identified. A paper written by Jesse Walker, "Unsafe at any key length", provides insight into the specifics of the design vulnerabilities and explains the exploitation of WEP.
The following steps explain the process of how a wireless station associates to an AP using shared key authentication.
1) The wireless station begins the process by sending an authentication frame to the AP it is trying to associate with.
2) The receiving AP sends a reply to the wireless station with its own authentication frame containing 128 octets of challenge text.
3) The wireless station then encrypts the challenge text with the shared key and sends the result back to the AP.
4) The AP then decrypts the encrypted challenge using the same shared key and compares it to the original challenge text. If there is a match, an ACK is sent back to the wireless station, otherwise a notification is sent back rejecting the authentication.
It is important to note that this authentication process simply acknowledges that the wireless station knows the shared key and does not authenticate against resources behind the AP. Upon authenticating with the AP, the wireless station gains access to any resources the AP is connected to.
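The four steps above, as an added example in Python that is not code from the report: a model of WEP shared-key authentication with a plain RC4 implementation. It assumes the WEP frame format (24-bit IV sent in clear, RC4 keyed with IV||key, 104-bit key, CRC-32 ICV); the key and MAC addresses are constructed.

```python
import os
import struct
import zlib

# Constructed model of WEP shared-key authentication (added example, not code
# from the report). Assumes the WEP frame format: a 24-bit IV sent in clear,
# RC4 keyed with IV||key (104-bit key here), and a CRC-32 ICV appended to the
# data before encryption. Key and MAC addresses used with it are made up.


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling followed by keystream generation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key104: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP encapsulation: IV || (plaintext || ICV) XOR RC4(IV || key)."""
    if len(key104) != 13 or len(iv) != 3:
        raise ValueError("WEP-104 needs a 13-byte key and a 3-byte IV")
    body = plaintext + struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    keystream = rc4_keystream(iv + key104, len(body))
    return iv + bytes(a ^ b for a, b in zip(body, keystream))


def wep_decrypt(key104: bytes, frame: bytes):
    """Reverse of wep_encrypt; returns the plaintext, or None if the ICV fails."""
    iv, body = frame[:3], frame[3:]
    keystream = rc4_keystream(iv + key104, len(body))
    plain = bytes(a ^ b for a, b in zip(body, keystream))
    data, icv = plain[:-4], plain[-4:]
    if struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) != icv:
        return None
    return data


class AccessPoint:
    def __init__(self, shared_key: bytes) -> None:
        self.shared_key = shared_key
        self.pending = {}  # station MAC -> outstanding challenge text

    def challenge(self, station_mac: str) -> bytes:
        # Step 2: reply with 128 octets of challenge text.
        text = os.urandom(128)
        self.pending[station_mac] = text
        return text

    def verify(self, station_mac: str, response: bytes) -> bool:
        # Step 4: decrypt with the same shared key and compare; a response
        # with no outstanding challenge (for example a replay) is rejected.
        expected = self.pending.pop(station_mac, None)
        return expected is not None and wep_decrypt(self.shared_key, response) == expected


class Station:
    def __init__(self, mac: str, shared_key: bytes) -> None:
        self.mac = mac
        self.shared_key = shared_key

    def respond(self, challenge: bytes) -> bytes:
        # Step 3: encrypt the challenge under the shared key with a fresh IV.
        return wep_encrypt(self.shared_key, os.urandom(3), challenge)


def shared_key_auth(ap: AccessPoint, station: Station) -> bool:
    """Runs the four-step exchange; True means the AP would send an ACK."""
    challenge = ap.challenge(station.mac)            # steps 1 and 2
    response = station.respond(challenge)            # step 3
    return ap.verify(station.mac, response)          # step 4
```

verify() establishes only that whoever answered holds the shared key; the station is identified by nothing more than the MAC address it presents, which is the point made in the paragraph above.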
This is what keeps LAN and security managers up at night. If WEP is the only and last layer of defense used in a Wireless LAN, intruders that have compromised WEP have access to the corporate network. Most APs are deployed behind the corporate firewall and in most cases unknowingly are connected to critical down-line systems that were locked down before APs were invented. There are a number of papers and technical articles on the vulnerabilities of WEP that are listed in the Reference section.
II. Wireless LAN Deployment
The biggest difference in deployment of Wireless LANs over their wired counterpart is that the physical layer operates in the airwaves and is affected by transmission and reception factors such as attenuation, radio frequency (RF) noise and interference, and building and structural interference.
a. Antenna Primer
Antenna technology plays a significant role in the deployment and resulting performance of a Wireless LAN, and in enhancing security. Properly planned placement can reduce stray RF signal, making eavesdropping more difficult.
Common terms that are used in describing performance of antenna technology are as follows:
Isotropic Radiator - An antenna that radiates equally in all directions in a three dimensional sphere is considered an "isotropic radiator".
Decibel (dB) - Describes loss or gain between two communicating devices that is expressed in watts as a unit of measure.
dBi value - Describes the ratio of an antenna's gain when compared to that of an Isotropic Radiator antenna. The higher the value, the greater the gain.
Attenuation - Describes the reduction of signal strength over distance. Several factors can affect attenuation including absorption (obstructions such as trees that absorb radio waves), diffraction (signal bending around obstructions with reflective qualities), reflection (signal bounces off a reflective surface such as water), and refraction (signal bends due to atmospheric conditions such as marine fog).
Gain - Describes RF concentration over that of an Isotropic Radiator antenna and is measured in dB.
Azimuth - Describes the axis around which RF is radiated.
Antennas come in all shapes and sizes, including home-made versions using common kitchen cupboard cans to deliver specific performance variations. Following are some commonly deployed antenna types.
Dipole Antenna:
This is the most commonly used antenna and is designed into most Access Points. The antenna itself is usually removable and the radiating element is in the one-inch length range. This type of antenna functions similarly to a television "rabbit ears" antenna. As the frequency gets to the 2.4GHz range, the antenna required gets smaller than that of a 100MHz television. The Dipole antenna radiates equally in all directions around its Azimuth but does not cover the length of the diagonal, giving a donut-like radiation pattern. Since the Dipole radiates in this pattern, a fraction of the radiation is vertical and bleeds across floors in a multi-story building; typical ranges are up to 100 feet at 11Mbps.
Directional Antennas:
Directional antennas are designed to be used as a bridge antenna between two networks or for point-to-point communications. Yagi and Parabolic antennas are used for these purposes as well as others. Directional antennas can reduce unwanted spill-over as they concentrate radiation in one direction.
With the popularity of "war driving" (driving around in a car and discovering unprotected WLANs) there is continuing research done on enhancing distances and reducing spill-over by commercial and underground groups. Advanced antennas like the "Slotted Waveguide" by Trevor Marshall utilize multiple dipoles, one above the other, to cause the signal radiation to be in phase so that the concentration is along the axis of the dipoles.
b. Deployment Best Practices
Planning a Wireless LAN requires consideration of the factors that affect attenuation discussed earlier. Indoor and multi-story deployments have different challenges than outdoor deployments. Attenuation also affects antenna cabling from the radio device to the actual antenna. The radio wave actually begins at the radio device and induces voltage as it travels down the antenna cable, losing strength.
Multi-path distortion occurs in outdoor deployments where a signal traveling to the receiver arrives from more than one path. This can occur when the radio wave traverses over water or any other smooth surface that causes the signal to reflect off the surface and arrive at a different time than the intended signal does.
Structural issues must also be considered, as they can affect the transmission performance through path fading or propagation loss. The greater the density of the structural obstruction, the slower the radio wave is propagated through it. When a radio wave is sent from a transmitter and is obstructed by a structural object, the signal can penetrate through the object, reflect off it, or be absorbed by it.
A critical step in deploying the WLAN is performing a wireless site survey prior to the deployment. The survey will help determine the number of APs to deploy and their optimum placement for performance with regard to obstacles that affect radio waves as well as business and security related issues.
Complete understanding of the infrastructure and environment with respect to network media, operating systems, protocols, hubs, switches, routers and bridges as well as power supply is necessary to maximize performance and reduce network problems.
III. Wireless LAN Security Overview
As new deployments of Wireless LANs proliferate, security flaws are being identified and new techniques to exploit them are freely available over the Internet.
Sophisticated hackers use long-range antennas that are either commercially available or built easily with cans or cylinders found in a kitchen cupboard, and can pick up 802.11b signals from up to 2,000 feet away. The intruders can be in the parking lot or completely out of sight. Simply monitoring the adjacent parking lots for suspicious activity is far from solving the security issues around WLANs.
Many manufacturers ship APs with WEP disabled by default, and the defaults are never changed before deployment. In an article by Kevin Poulsen titled "War driving by the Bay", he and Peter Shipley drove through San Francisco rush hour traffic with an external antenna attached to their car and some custom sniffing software, and within an hour discovered close to eighty (80) wide open networks. Some of the APs even beacon the company name into the airwaves as the SSID.
a. Authentication and Encryption
Since the security provided by WEP alone, including the new 802.1x Port Based IEEE standard, is extremely vulnerable, stronger authentication and encryption methods should be deployed, such as Wireless VPNs using Remote Authentication Dial-In User Service (RADIUS) servers.
The VPN layer employs strong authentication and encryption mechanisms between the wireless access points and the network, but does impact performance: a VPN (IPSec) client over a wireless connection could degrade performance up to 25%. RADIUS systems are used to manage authentication, accounting and access to network resources.
While VPNs are being represented as a secure solution for wireless LANs, one-way authentication VPNs are still vulnerable to exploitation. In large organizations that deploy dial-up VPNs by distributing client software to the masses, incorrect configurations can make VPNs more vulnerable to "session hi-jacking". There are a number of known attacks on one-way authentication VPNs and the RADIUS systems behind them that can be exploited by attackers. Mutual authentication wireless VPNs offer strong authentication and overcome weaknesses in WEP.
b. Attacking Wireless LANs
With the popularity of Wireless LANs growing, so is the popularity of hacking them. It is important to realize that new attacks are being developed based on old wired network methods. Strategies that worked on securing wired resources before deploying APs need to be reviewed to address new vulnerabilities.
These attacks provide the ability to:
Monitor and manipulate traffic between two wired hosts behind a firewall
Monitor and manipulate traffic between a wired host and a wireless host
Compromise roaming wireless clients attached to different Access Points
Monitor and manipulate traffic between two wireless clients
Below are some known attacks on wireless LANs that can be applied to VPNs and RADIUS systems:
Session Hijacking
Session hijacking can be accomplished by monitoring, with a protocol analyzer, a valid wireless station successfully completing authentication to the network. The attacker then sends a spoofed disassociate message from the AP, causing the wireless station to disconnect. When WEP is not used, the attacker has use of the connection until the next time out. Session hijacking can occur due to vulnerabilities in the 802.11 and 802.1x state machines. The wireless station and AP are not synchronized, allowing the attacker to disassociate the wireless station while the AP is unaware that the original wireless station is not connected.
Man-in-the-middle
The man-in-the-middle attack works because 802.1x uses only one-way authentication. In this case, the attacker acts as an AP to the user and as a user to the AP. There are proprietary extensions from some vendors that enhance 802.1x to defeat this vulnerability.
RADIUS Attacks
The X-Force at Internet Security Systems published vulnerability findings in multiple vendors' RADIUS offerings. Multiple buffer overflow vulnerabilities exist in the authentication routines of various RADIUS implementations. These routines require user-supplied information. Adequate bounds checking measures are not taken when parsing user-supplied strings. Generally, the "radiusd" daemon (the RADIUS listener) runs with super user privilege. Attackers may use knowledge of these vulnerabilities to launch a Denial of Service (DoS) attack against the RADIUS server or execute arbitrary code on the RADIUS server. If an attacker can gain control of the RADIUS server, he may have the ability to control access to all networked devices served by RADIUS, as well as gather login and password information for these devices.
An Analysis of the RADIUS Authentication Protocol is listed below:
Response Authenticator Based Shared Secret Attack
User-Password Attribute Cipher Design Comments
User-Password Attribute Based Shared Secret Attack
User-Password Based Password Attack
Request Authenticator Based Attacks
Passive User-Password Compromise Through Repeated Request Authenticators
Active User-Password Compromise through Repeated Request Authenticators
Replay of Server Responses through Repeated Request Authenticators
DoS Arising from the Prediction of the Request Authenticator
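An added example, not taken from the report or from any RADIUS product: a RADIUS (RFC 2865) packet parser in Python that applies the bounds checks on user-supplied attribute lengths which the RADIUS Attacks paragraph says were missing, and verifies a server's Response Authenticator with the shared secret. The secret and packets are constructed.

```python
import hashlib
import hmac
import struct
from typing import List, Tuple

# Added example, not code from the report or from any RADIUS product: a
# defensive RADIUS (RFC 2865) packet parser that applies the bounds checks on
# user-supplied attribute lengths which the text says the vulnerable
# authentication routines lacked, plus verification of a server's Response
# Authenticator. The shared secret and packets used with it are constructed.

HEADER_LEN = 20      # Code(1) Identifier(1) Length(2) Authenticator(16)
MAX_LEN = 4096       # RFC 2865 upper bound on a packet
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME = 1


class RadiusError(ValueError):
    """Raised for any packet that must be silently discarded."""


def parse_packet(raw: bytes) -> Tuple[int, int, bytes, List[Tuple[int, bytes]]]:
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    if len(raw) < HEADER_LEN:
        raise RadiusError("shorter than the fixed header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    authenticator = raw[4:HEADER_LEN]
    if not HEADER_LEN <= length <= MAX_LEN:
        raise RadiusError("Length field out of range")
    if length > len(raw):
        raise RadiusError("Length field exceeds the octets received")
    body = raw[HEADER_LEN:length]        # octets beyond Length are padding, ignored
    attrs = []
    pos = 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise RadiusError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        # The check a fixed-size copy without bounds checking omits: the
        # user-controlled length must cover its own two header octets and must
        # not run past the end of the packet (alen == 0 would also never advance).
        if alen < 2 or pos + alen > len(body):
            raise RadiusError("attribute length %d invalid at offset %d" % (alen, pos))
        attrs.append((atype, body[pos + 2:pos + alen]))
        pos += alen
    return code, ident, authenticator, attrs


def is_well_formed(raw: bytes) -> bool:
    """True if parse_packet accepts the packet, False if it would be discarded."""
    try:
        parse_packet(raw)
        return True
    except RadiusError:
        return False


def response_authenticator(code: int, ident: int, length: int, request_auth: bytes,
                           attr_bytes: bytes, secret: bytes) -> bytes:
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()


def verify_response(raw: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True if the server reply carries a valid Response Authenticator for our request."""
    code, ident, auth, _ = parse_packet(raw)
    length = struct.unpack("!H", raw[2:4])[0]
    expected = response_authenticator(code, ident, length, request_auth,
                                      raw[HEADER_LEN:length], secret)
    return hmac.compare_digest(auth, expected)


def build_packet(code: int, ident: int, authenticator: bytes,
                 attrs: List[Tuple[int, bytes]]) -> bytes:
    """Encode a packet; used here only to construct input for the parser."""
    body = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long for a one-octet length")
        body += struct.pack("!BB", atype, len(value) + 2) + value
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return header + authenticator + body
```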
IV. Protecting Wireless LANs
As discussed above, there are numerous methods available to exploit the security of wired networks via wireless LANs. Layered security and a well thought out strategy are necessary steps to locking down the network. Applying best practices for wireless LAN security does not alert the security manager or network administrator when the security has been compromised.
Intrusion Detection Systems (IDS) are deployed on wired networks even with the security provided by VPNs and firewalls. However, wire-based IDS can only analyze network traffic once it is on the wire. Unfortunately, wireless LANs are attacked before entering the wired network, and by the time attackers exploit the security deployed, they are entering the network as valid users.
For IDS to be effective against wireless LAN attacks, it first MUST be able to monitor the airwaves to recognize and prevent attacks before the hacker authenticates to the AP.
a. Principles of Intrusion Detection
Intrusion Detection is the art of detecting inappropriate, incorrect, or anomalous activity and responding to external attacks as well as internal misuse of computer systems. Generally speaking, Intrusion Detection Systems (IDS) consist of three functional areas:
A stream source that provides chronological event information
An analysis mechanism to determine potential or actual intrusions
A response mechanism that takes action on the output of the analysis mechanism.
In the wireless LAN space, the stream source would be a remote sensor that promiscuously monitors the airwaves and generates a stream of 802.11 frame data to the analysis mechanism. Since attacks in wireless occur before data is on the wired network, it is important for the source of the event stream to have access to the airwaves before the AP receives the data.
The analysis mechanism can consist of one or more components based on any of several intrusion detection models. False positives, where the IDS generated an alarm when the threat did not actually exist, severely hamper the credibility of the IDS. In the same light, false negatives, where the IDS did not generate an alarm and a threat did exist, degrade the reliability of the IDS.
Signature-based techniques produce accurate results but can be limited to historical attack patterns. Relying solely on manual signature-based techniques would only be as good as the latest known attack signature until the next signature update. Anomaly techniques can detect unknown attacks by analyzing normal traffic patterns of the network but are less accurate than the signature-based techniques. A multi-dimensional intrusion detection approach integrates intrusion detection models that combine anomaly and signature-based techniques with policy deviation and state analysis.
b. Vulnerability Assessment
Vulnerability assessment is the process of identifying known vulnerabilities in the network. Wireless scanning tools give a snapshot of activity, identify devices on each of the 802.11b channels and perform trend analysis to identify vulnerabilities. A wireless IDS should be able to provide scanning functionality for persistent monitoring of activity to identify weaknesses in the network.
The first step in identifying weakness in a Wireless LAN deployment is to discover all Access Points in the network. This means obtaining or determining each one's MAC address, Extended Service Set name, manufacturer, supported transmission rates, authentication modes, and whether or not it is configured to run WEP and wireless administrative management. In addition, identify every workstation equipped with a wireless network interface card, recording the MAC address of each device.
The information collected will be the baseline for the IDS to protect. The IDS should be able to determine rogue APs and identify wireless stations by vendor fingerprints that will alert to devices that have been overlooked in the deployment process or not meant to be deployed at all.
Radio Frequency (RF) bleed can give hackers unnecessary opportunities to associate to an AP. RF bleed should be minimized where possible through the use of the directional antennas discussed above or by placing Access Points closer to the middle of buildings as opposed to the outside perimeter.
c. Defining Wireless LAN Security Policies
Security policies must be defined to set thresholds for acceptable network operations and performance. For example, a security policy could be defined to ensure that Access Points do not broadcast their Service Set Identifier (SSID). If an Access Point is deployed or reconfigured and broadcasts the SSID, the IDS should generate an alarm. Defining security policies gives the security or network administrator a map of the network security model for effectively managing network security.
With the introduction of Access Points into the network, security policies need to be set for Access Point and Wireless Station configuration thresholds. Policies should be defined for authorized Access Points and their respective configuration parameters such as Vendor ID, authentication modes, and allowed WEP modes. Allowable channels of operation and normal activity hours of operation should be defined for each AP. Performance thresholds should be defined for minimum signal strength from a wireless station associating with an AP to identify potential attacks from outside the building.
The defined security policies form the baseline for how the wireless network should operate. The thresholds and configuration parameters should be adjusted over time to tighten or loosen the security baseline to meet real-world requirements. For example, normal activity hours for a particular AP could be scaled back due to working hour changes. The security policy should then also be changed to reflect the new hours of operation.
No one security policy fits all environments or situations. There are always trade-offs between security, usability and implementing new technologies.
d. State Analysis
Maintaining state between the wireless stations and their interactions with Access Points is required for Intrusion Detection to be effective. The three basic states for the 802.11 model are idle, authentication, and association. In the idle state, the wireless station has either not attempted authentication or has disconnected or disassociated. In the authentication state, the wireless station attempts to authenticate to the AP, or, in mutual authentication models such as the Cisco LEAP implementation, the wireless station also authenticates the AP. The final state is the association state, where the wireless station makes the connection to the network via the AP.
Following is an example of the process of maintaining state for a wireless station:
1. A sensor in promiscuous mode detects a wireless station trying to authenticate with an AP
2. A state-machine logs the wireless station's MAC address, wireless card vendor and the AP the wireless station is trying to associate to, by reading 802.11b frames, stripping headers and populating a data structure usually stored in a database
3. A state-machine logs the wireless station's successful association to the AP
State Analysis looks at the behavioral patterns of the wireless station and determines whether the activity deviates from the normal state behavior. For example, if the wireless station was broadcasting disassociate messages, that behavior would violate the 802.11 state model and should generate an alarm.
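A state-machine of the kind described in the three steps above, as an added example in Python that is not code from the report. It keeps the report's three states per station, records MAC address, vendor and AP, and alarms on the disassociate-broadcast case above as well as on frames the 802.11 state model does not allow in the station's current state (data or association before authentication). MAC addresses, the vendor table and the frames are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not code from the report: a per-station state machine in the
# spirit of the three steps above. Frames are simplified dictionaries of the
# kind a promiscuous sensor might hand to the analysis mechanism after
# stripping 802.11 headers. MAC addresses, vendor table and frames are made up.

IDLE, AUTHENTICATED, ASSOCIATED = "idle", "authentication", "association"
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Stand-in for a vendor fingerprint table keyed by the 24-bit OUI of the MAC.
OUI_VENDORS = {"00:40:96": "vendor-A", "00:02:2d": "vendor-B"}


@dataclass
class StationRecord:
    """The data structure the state-machine populates (step 2)."""
    mac: str
    vendor: str
    ap: Optional[str] = None
    state: str = IDLE


class StateAnalyzer:
    def __init__(self) -> None:
        self.stations: Dict[str, StationRecord] = {}   # stands in for the database
        self.alarms: List[str] = []

    def _station(self, mac: str) -> StationRecord:
        if mac not in self.stations:
            vendor = OUI_VENDORS.get(mac[:8].lower(), "unknown")
            self.stations[mac] = StationRecord(mac, vendor)
        return self.stations[mac]

    def observe(self, frame: dict) -> None:
        kind, src, dst, bssid = frame["type"], frame["src"], frame["dst"], frame["bssid"]
        from_ap = src == bssid
        if kind == "auth_req":                     # step 1: attempt seen and logged
            self._station(src).ap = dst
        elif kind == "auth_resp" and frame.get("status") == "ok":
            self._station(dst).state = AUTHENTICATED
        elif kind == "assoc_req":
            if self._station(src).state == IDLE:   # association needs prior authentication
                self.alarms.append(f"{src}: association attempt without authentication")
        elif kind == "assoc_resp" and frame.get("status") == "ok":
            rec = self._station(dst)               # step 3: successful association logged
            if rec.state != AUTHENTICATED:
                self.alarms.append(f"{dst}: associated while not in authentication state")
            rec.state, rec.ap = ASSOCIATED, src
        elif kind == "data" and not from_ap:
            if self._station(src).state != ASSOCIATED:
                self.alarms.append(f"{src}: data frame while not in association state")
        elif kind in ("disassoc", "deauth"):
            if from_ap:
                # The report's three-state model: a disconnected or
                # disassociated station is back in the idle state.
                for rec in self.stations.values():
                    if rec.ap == src and dst in (BROADCAST, rec.mac):
                        rec.state = IDLE
            else:
                if dst == BROADCAST:               # the report's example of a violation
                    self.alarms.append(f"{src}: broadcasting {kind} messages")
                self._station(src).state = IDLE


def sample_frames() -> List[dict]:
    """Constructed frame sequence: one normal station, one that never authenticated."""
    ap, sta, stranger = "00:02:2d:00:00:01", "00:40:96:12:34:56", "00:aa:bb:cc:dd:ee"
    return [
        {"type": "auth_req", "src": sta, "dst": ap, "bssid": ap},
        {"type": "auth_resp", "src": ap, "dst": sta, "bssid": ap, "status": "ok"},
        {"type": "assoc_req", "src": sta, "dst": ap, "bssid": ap},
        {"type": "assoc_resp", "src": ap, "dst": sta, "bssid": ap, "status": "ok"},
        {"type": "data", "src": sta, "dst": ap, "bssid": ap},
        {"type": "data", "src": stranger, "dst": ap, "bssid": ap},
        {"type": "disassoc", "src": sta, "dst": BROADCAST, "bssid": ap},
    ]


def analyze(frames: List[dict]) -> StateAnalyzer:
    """Feed every frame to the analyzer and return it with its records and alarms."""
    analyzer = StateAnalyzer()
    for frame in frames:
        analyzer.observe(frame)
    return analyzer
```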
e. Multi-Dimensional Intrusion Detection
By their very nature, Wireless LANs intrinsically have more vulnerabilities than their wired counterparts. Standard wire-line intrusion detection techniques are not sufficient to protect the network. The 802.11b protocol itself is vulnerable to attack. A multi-dimensional approach is required because no single technique can detect all intrusions that can occur on a wireless LAN. A successful multi-dimensional intrusion detection approach integrates multiple intrusion detection models that combine quantitative and statistical measurements specific to OSI Layers 1 and 2 as well as policy deviation and performance thresholds.
Quantitative techniques include signature recognition and policy deviation. Signature recognition interrogates packets to find pattern matches in a signature database, similar to anti-virus software. Policies are set to define acceptable thresholds of network operation and performance. For example, policy deviation analysis would generate an alarm due to an improper setting in a deployed Access Point. Attacks that exploit WLAN protocols require protocol analysis to ensure the protocols used in WLANs have not been compromised. And finally, statistical anomaly analysis can detect patterns of behavior that deviate from the norm.
Signature Detection
A signature detection or recognition engine analyzes traffic to find pattern matches, either manually against signatures stored in a database or automatically by learning based on traffic pattern analysis. Manual signature detection works on the same model as most virus protection systems, where the signature database is updated automatically as new signatures are discovered. Automatic signature learning systems require extensive logging of complex network activity and historic data mining, and can impact performance.
For wireless LANs, pattern signatures must include 802.11 protocol specific attacks. To be effective against these attacks, the signature detection engine must be able to process frames in the airwaves before they are on the wire.
Policy Deviation
Security policies define acceptable network activity and performance thresholds. A policy deviation engine generates alarms when these pre-set policy or performance thresholds are violated and aids in wireless LAN management. For example, a constant problem for security and network administrators is rogue Access Points. With the ability for employees to purchase and deploy wireless LAN hardware, it is difficult to know when and where they have been deployed unless you manually survey the site with a wireless sniffer or scanner. Policy deviation engines should be able to alarm as soon as a rogue access point has been deployed. To be effective for a wireless LAN, a policy deviation engine requires access to wireless frame data from the airwaves.
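An added example, not code from the report, of a policy deviation engine in Python. It covers the policy items listed in section IV.c (authorized Access Points with their Vendor ID, WEP mode, SSID broadcast, allowed channels and normal activity hours, and minimum signal strength of an associating station) together with the rogue Access Point case described above; the policy, MAC addresses, SSIDs and readings are all constructed.

```python
from datetime import time
from typing import List

# Added example, not code from the report: a policy deviation engine over
# beacons and associations observed by a wireless sensor. It covers the policy
# items listed in IV.c (authorized Access Points with their vendor ID, WEP
# mode, SSID broadcast, allowed channels, activity hours, minimum station
# signal strength) and the rogue Access Point case described above. Policy,
# MAC addresses, SSIDs and readings are all made up.

POLICY = {
    "authorized_aps": {
        "00:40:96:aa:bb:01": {
            "ssid": "corp-wlan",
            "vendor_oui": "00:40:96",            # expected vendor ID of the AP
            "channels": {1, 6, 11},              # allowable channels of operation
            "hours": (time(7, 0), time(19, 0)),  # normal activity hours
        },
    },
    "ssid_broadcast_allowed": False,
    "wep_required": True,
    "min_station_rssi_dbm": -75,   # weaker signals may come from outside the building
}


def check_beacon(beacon: dict, policy: dict) -> List[str]:
    """Compare one observed beacon with the Access Point configuration policy."""
    bssid = beacon["bssid"]
    ap_policy = policy["authorized_aps"].get(bssid)
    if ap_policy is None:
        return [f"{bssid}: rogue access point (not in baseline), ssid={beacon['ssid']!r}"]
    alarms = []
    if not bssid.lower().startswith(ap_policy["vendor_oui"]):
        alarms.append(f"{bssid}: vendor ID does not match policy")
    if beacon["ssid"] != ap_policy["ssid"]:
        alarms.append(f"{bssid}: unexpected SSID {beacon['ssid']!r}")
    if beacon["ssid_broadcast"] and not policy["ssid_broadcast_allowed"]:
        alarms.append(f"{bssid}: broadcasting SSID")
    if policy["wep_required"] and not beacon["wep"]:
        alarms.append(f"{bssid}: WEP disabled")
    if beacon["channel"] not in ap_policy["channels"]:
        alarms.append(f"{bssid}: channel {beacon['channel']} not allowed")
    start, end = ap_policy["hours"]
    if not start <= beacon["time"] <= end:
        alarms.append(f"{bssid}: active at {beacon['time']} outside {start}-{end}")
    return alarms


def check_association(assoc: dict, policy: dict) -> List[str]:
    """Compare one station association (with the RSSI the sensor measured) with policy."""
    alarms = []
    if assoc["bssid"] not in policy["authorized_aps"]:
        alarms.append(f"{assoc['station']}: associated to unauthorized AP {assoc['bssid']}")
    if assoc["rssi_dbm"] < policy["min_station_rssi_dbm"]:
        alarms.append(f"{assoc['station']}: signal {assoc['rssi_dbm']} dBm below threshold")
    return alarms


def evaluate(events: List[dict], policy: dict = POLICY) -> List[str]:
    """Run every observed event through the policy and collect the alarms."""
    alarms = []
    for event in events:
        if event["kind"] == "beacon":
            alarms += check_beacon(event, policy)
        elif event["kind"] == "assoc":
            alarms += check_association(event, policy)
    return alarms


def sample_events() -> List[dict]:
    """Constructed observations: a compliant AP, the same AP reconfigured, a rogue, a weak station."""
    ap, rogue, sta = "00:40:96:aa:bb:01", "00:aa:bb:cc:dd:02", "00:02:2d:11:22:33"
    return [
        {"kind": "beacon", "bssid": ap, "ssid": "corp-wlan", "ssid_broadcast": False,
         "wep": True, "channel": 6, "time": time(9, 30)},
        {"kind": "beacon", "bssid": ap, "ssid": "corp-wlan", "ssid_broadcast": True,
         "wep": False, "channel": 3, "time": time(23, 15)},
        {"kind": "beacon", "bssid": rogue, "ssid": "linksys", "ssid_broadcast": True,
         "wep": False, "channel": 6, "time": time(10, 0)},
        {"kind": "assoc", "station": sta, "bssid": ap, "rssi_dbm": -82},
    ]
```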
Protocol Analysis
Protocol analysis monitors the 802.11 MAC protocols for deviations from the standards. Real-time monitoring and historical trending provide intrusion detection and network troubleshooting. Session hijacking and DoS attacks are examples of protocol attacks. Maintaining state is crucial to detecting attacks that break the protocol spec.
V. Wireless LAN Security Summary
Wireless LANs provide new challenges to security and network administrators that are outside of the wired network. Given the inherent nature of wireless transmission and the availability of published attack tools downloaded from the Internet, security threats must be taken seriously. Best practices dictate a well thought out layered approach to WLAN security. Access point configuration, firewalls, and VPNs should be considered. Security policies should be defined for acceptable network thresholds and performance. Wireless LAN intrusion detection systems complement a layered approach, provide vulnerability assessment and network security management, and ensure that what you think you are securing is actually secured.
Reference:
www.ieee.org
www.cse.org
Computer Networks by Andrew S. Tanenbaum
www.irda.com
