277 Chapter 10 – Wireless LAN Security in such a manner as to avoid the weaknesses with WEP, such as the initialization vector problem. Temporal Key Integrity Protocol (TKIP) TKIP is essentially an upgrade to WEP that fixes known security problems in WEP's implementation of the RC4 stream cipher. TKIP provides for initialization vector hashing to help defeat passive packet snooping. It also provides a Message Integrity Check to help determine whether an unauthorized user has modified packets by injecting traffic that enables key cracking. TKIP includes use of dynamic keys to defeat capture of passive keys—a widely publicized hole in the existing Wired Equivalent Privacy (WEP) standard. TKIP can be implemented through firmware upgrades to access points and bridges as well as software and firmware upgrades to wireless client devices. TKIP specifies rules for the use of initialization vectors, re-keying procedures based on 802.1x, per-packet key mixing, and message integrity code (MIC). There will be a performance loss when using TKIP, but this performance decrease may be a valid trade-off, considering the gain in network security. AES Based Solutions AES-based solutions may replace WEP using RC4, but in the interim, solutions such as TKIP are being implemented. Although no products that use AES are currently on the market as of this writing, several vendors have products pending release. AES has undergone extensive cryptographic review and is very efficient in hardware and software. The current 802.11i draft specifies use of AES, and, considering most wireless LAN industry players are behind this effort, AES is likely to remain as part of the finalized standard. Wireless Gateways Residential wireless gateways are now available with VPN technology, as well as NAT, DHCP, PPPoE, WEP, MAC filters, and perhaps even a built-in firewall. These devices are sufficient for small office or home office environments with few workstations and a shared connection to the Internet. Costs of these units vary greatly depending on their range of offered services. Some of the high-end units even boast static routing and RIPv2. Enterprise wireless gateways are a special adaptation of a VPN and authentication server for wireless networks. An enterprise gateway sits on the wired network segment between Changing data encryption techniques to a solution that is as strong as AES will make a significant impact on wireless LAN security, but there still must be scalable solutions implemented on enterprise networks such as centralized encryption key servers to automate the process of handing out keys. If a client radio card is stolen with the AES encryption key embedded, it would not matter how strong AES is because the perpetrator would still be able to gain access to the network. CWNA Study Guide © Copyright 2002 Planet3 Wireless, Inc. Chapter 10 – Wireless LAN Security 278 the access points and the wired upstream network. As its name suggests, a gateway controls access from the wireless LAN onto the wired network, so that, while a hacker could possibly listen to or even gain access to the wireless segment, the gateway protects the wired distribution system from attack. An example of a good time to deploy an enterprise wireless LAN gateway might be the following hypothetical situation. Suppose a hospital had implemented 40 access points across several floors of their building. Their investment in access points is fairly significant at this point, so if the access points do not support scalable security measures, the hospital could be in the predicament of having to replace all of their access points. Instead, the hospital could employ a wireless LAN gateway. This gateway can be connected between the core switch and the distribution switch (which connects to the access points) and can act as an authentication and VPN server through which all wireless LAN clients can connect. Instead of deploying all new access points, one (or more depending on network load) gateway device can be installed behind all of the access points as a group. Use of this type of gateway provides security on behalf of a non-security-aware access point. Most enterprise wireless gateways support an array of VPN protocols such as PPTP, IPsec, L2TP, certificates, and even QoS based on profiles. 802.1x and Extensible Authentication Protocol The 802.1x standard provides specifications for port-based network access control. Port- based access control was originally – and still is – used with Ethernet switches. When a user attempts to connect to the Ethernet port, the port then places the user's connection in blocked mode awaiting verification of the user's identity with a backend authentication system. The 802.1x protocol has been incorporated into many wireless LAN systems and has become almost a standard practice among many vendors. When combined with extensible authentication protocol (EAP), 802.1x can provide a very secure and flexible environment based on various authentication schemes in use today. EAP, which was first defined for the point-to-point protocol (PPP), is a protocol for negotiating an authentication method. EAP is defined in RFC 2284 and defines the characteristics of the authentication method including the required user credentials (password, certificate, etc.), the protocol to be used (MD5, TLS, GSM, OTP, etc.), support of key generation, and support of mutual authentication. There are perhaps a dozen types of EAP currently on the market since neither the industry players nor IEEE have come together to agree on any single type, or small list of types, from which to create a standard. The successful 802.1x-EAP client authentication model works as follows: 1. The client requests association with the access point 2. The access point replies to the association request with an EAP identity request 3. The client sends an EAP identity response to the access point 4. The client's EAP identity response is forwarded to the authentication server CWNA Study Guide © Copyright 2002 Planet3 Wireless, Inc. 279 Chapter 10 – Wireless LAN Security 5. The authentication server sends an authorization request to the access point 6. The access point forwards the authorization request to the client 7. The client sends the EAP authorization response to the access point 8. The access point forwards the EAP authorization response to the authentication server 9. The authentication sends an EAP success message to the access point 10. The access point forwards the EAP success message to the client and places the client's port in forward mode FIGURE 10.11 Two Logon Processes NT Domain Controller RADIUS Server LDAP Server User sees a double logon Layer 7 Layer 2 NT Domain Controller RADIUS Server User sees a single logon Layer 7 Layer 2 When 802.1x with EAP is used, a situation arises for an administrator in which it is possible to have a double logon when powering up a notebook computer that is attached wirelessly and logging into a domain or directory service. The reason for the possible double logon is that 802.1x requires authentication in order to provide layer 2 connectivity. In most cases, this authentication is done via a centralized user database. If this database is not the same database used for client authentication into the network (such as with Windows domain controllers, Active Directory, NDS, or LDAP), or at least synchronized with the database used for client authentication, then the user will experience two logons each time network connectivity is required. Most administrators choose to use the same database for MAC layer connectivity and client/server connectivity, providing a seamless logon process for the client. A similar configuration can also be used with wireless VPN solutions. CWNA Study Guide © Copyright 2002 Planet3 Wireless, Inc. Chapter 10 – Wireless LAN Security 280 Corporate Security Policy A company that uses wireless LANs should have a corporate security policy that addresses the unique risks that wireless LANs introduce to the network. The example of an inappropriate cell size that allows the drive-by hacker to gain network access from the parking lot is a very good example of one item that should be included in any corporate security policy. Other items that should be covered in the security policy are strong passwords, strong WEP keys, physical security, use of advanced security solutions, and regular wireless LAN hardware inventories. This list is far from comprehensive, considering that security solutions will vary between organizations. The depth of the wireless LAN section of the security policy will depend on the security requirements of organization as well as the extent of the wireless LAN segment(s) of the network. The benefits of having, implementing, and maintaining a solid security policy are too numerous to count. Preventing data loss and theft, preventing corporate sabotage or espionage, and maintaining company secrets are just a few. Even the suggestion that hackers could have stolen data from an industry-leading corporation may cause confidence in the company to plummet. The beginning of good corporate policy starts with management. Recognizing the need for security and delegating the tasks of creating the appropriate documentation to include wireless LANs into the existing security policy should be top priority. First, those who are responsible for securing the wireless LAN segments must be educated in the technology. Next, the educated technology professional should interact with upper management and agree on company security needs. This team of educated individuals is then able to construct a list of procedures and requirements that, if followed by personnel at every applicable level, will ensure that the wireless network remains as safely guarded as the wired network. Keep Sensitive Information Private Some items that should be known only by network administrators at the appropriate levels are:  Usernames and passwords of access points and bridges  SNMP strings  WEP keys  MAC address lists The point of keeping this information only in the hands of trusted, skilled individuals such as the network administrator is important because a malicious user or hacker could easily use these pieces of information to gain access into the network and network devices. This information can be stored in one of many secure fashions. There are now applications using strong encryption on the market for the explicit purpose of password and sensitive data storage. CWNA Study Guide © Copyright 2002 Planet3 Wireless, Inc. 281 Chapter 10 – Wireless LAN Security Physical Security Although physical security when using a traditional wired network is important, it is even more important for a company that uses wireless LAN technology. For reasons discussed earlier, a person that has a wireless PC Card (and maybe an antenna) does not have to be in the same building as the network to gain access to the network. Even intrusion detection software is not necessarily enough to prevent wireless hackers from stealing sensitive information. Passive attacks leave no trace on the network because no connection was ever made. There are utilities on the market now that can see a network card that is in promiscuous mode, accessing data without making a connection. When WEP is the only wireless LAN security solution in place, tight controls should be placed on users who have company-owned wireless client devices, such as not allowing them to take those client devices off of company premises. Since the WEP key is stored in the client device’s firmware, wherever the card goes, so does the network’s weakest security link. The wireless LAN administrator should know who, where, and when each PC card is taken from the organization’s facilities. Because such knowledge is often unreasonable, an administrator should realize that WEP, by itself, is not an adequate wireless LAN security solution. Even with such tight controls, if a card is lost or stolen, the person responsible for the card (the user) should be required to report the loss or theft immediately to the wireless LAN administrator so that necessary security precautions can be taken. Such precautions should include, at a minimum, resetting MAC filters, changing WEP keys, etc. Having guards make periodic scans around the company premises looking specifically for suspicious activity is effective in reducing netstumbling. Security guards that are trained to recognize 802.11 hardware and alerting company personnel to always be on the lookout for non-company personnel lurking around the building with 802.11-based hardware is also very effective in reducing on-premises attacks. Wireless LAN Equipment Inventory & Security Audits As a complement to the physical security policy, all wireless LAN equipment should be regularly inventoried to account for authorized and prevent unauthorized use of wireless equipment to access the organization’s network. If the network is too large and contains a significant amount of wireless equipment, periodic equipment inventories might not be practical. In cases such as these, it is very important to implement wireless LAN security solutions that are not based on hardware, but rather based on usernames and passwords or some other type of non hardware-based security solution. For medium and small wireless networks, doing monthly or quarterly hardware inventories can motivate users to report hardware loss or theft. Periodic scans of the network with sniffers, in a search for rogue devices, are a very valuable way of keeping the wireless network secure. Consider if a very elaborate (and expensive) wireless network solution were put in place with state-of-the-art security, and, since coverage did not extend to a particular area of the building, a user took it into their own hands to install an additional, unauthorized access point in their work area. In this CWNA Study Guide © Copyright 2002 Planet3 Wireless, Inc. Chapter 10 – Wireless LAN Security 282 case, this user has just provided a hacker with the necessary route into the network, completely circumventing a very good (and expensive) wireless LAN security solution. Inventories and security audits should be well documented in the corporate security policy. The types of procedures to be performed, the tools to be used, and the reports to be generated should all be clearly spelled out as part of the corporate policy so that this tedious task does not get overlooked. Managers should expect a report of this type on a regular basis from the network administrator. Using Advanced Security Solutions Organizations implementing wireless LANs should take advantage of some of the more advanced security mechanisms available on the market today. It should also be required in a security policy that the implementation of any such advanced security mechanism be thoroughly documented. Because these technologies are new, proprietary, and often used in combination with other security protocols or technologies, they must be documented so that, if a security breach occurs, network administrators can determine where and how the breach occurred. Because so few people in the IT industry are educated in wireless technology, the likelihood of employee turnover causing network disruption, or at least vulnerability, is much higher when wireless LANs are part of the network. This turnover of employees is another very important reason that thorough documentation on wireless LAN administration and security functions be created and maintained. Public Wireless Networks It is inevitable that corporate users with sensitive information on their laptop computers will connect those laptops to public wireless LANs. It should be a matter of corporate policy that all wireless users (whether wireless is provided by the company or by the user) run both personal firewall software and antiviral software on their laptops. Most public wireless networks have little or no security in order to make connectivity simple for the user and to decrease the amount of required technical support. Even if upstream servers on the wired segment are protected, the wireless users are still vulnerable. Consider the situation where a hacker is sitting at an airport, considered a “Wi-Fi hot spot.” This hacker can sniff the wireless LAN, grab usernames and passwords, log into the system, and then wait for unsuspecting users to login also. Then, the hacker can do a ping sweep across the subnet looking for other wireless clients, find the users, and begin hacking into their laptop computer’s files. These vulnerable users are considered “low hanging fruit”, meaning that they are easy to hack because of their general unfamiliarity with leading edge technology such as wireless LANs. Limited and Tracked Access Most enterprise LANs have some method of limiting and tracking a user’s access on the LAN. Typically, a system supporting Authentication, Authorization, and Accounting (AAA) services is deployed. This same security measure should be documented and CWNA Study Guide © Copyright 2002 Planet3 Wireless, Inc. 283 Chapter 10 – Wireless LAN Security implemented as part of wireless LAN security. AAA services will allow the organization to assign use rights to particular classes of users. Visitors, for example, might be allowed only Internet access whereas employees would be allowed to access their particular department’s servers and the Internet. Keeping logs of users’ rights and the activities they performed while using your network can prove valuable if there’s ever a question of who did what on the network. Consider if a user was on vacation, yet during the vacation the user’s account was used almost every day. Keeping logs of activity such as this will give the administrator insight into what is really happening on the LAN. Using the same example, and knowing that the user was on vacation, the administrator could begin looking for where the masquerading user was connecting to the network. Security Recommendations As a summary to this chapter, below are some recommendations for securing wireless LANs. WEP Do not rely solely on WEP, no matter how well you have it implemented as an end-to- end wireless LAN security solution. A wireless environment protected with only WEP is not a secure environment. When using WEP, do not use WEP keys that are related to the SSID or to the organization. Make WEP keys very difficult to remember and to figure out. In many cases, the WEP key can be easily guessed just by looking at the SSID or the name of the organization. WEP is an effective solution for reducing the risk of casual eavesdropping. Because an individual who is not maliciously trying to gain access, but just happens to see your network, will not have a matching WEP key, that individual would be prevented from accessing your network. Cell Sizing In order to reduce the chance of eavesdropping, an administrator should make sure that the cell sizes of access points are appropriate. The majority of hackers look for the locations where very little time and energy must be spent gaining access into the network. For this reason, it is important not to have access points emitting strong signals that extend out into the organization's parking lot (or similar unsecure locations) unless absolutely necessary. Some enterprise-level access points allow for the configuration of power output, which effectively controls the size of the RF cell around the access point. If an eavesdropper in your parking lot cannot detect your network, then your network is not susceptible to this kind of attack. It may be tempting for network administrators to always use the maximum power output settings on all wireless LAN devices in an attempt to get maximum throughput and coverage, but such blind configuration will come at the expense of security. An access CWNA Study Guide © Copyright 2002 Planet3 Wireless, Inc. Chapter 10 – Wireless LAN Security 284 point has a cell size that can be controlled by the amount of power that the access point is emitting and the antenna gain of the antenna being used. If that cell is inappropriately large to the point that a passerby can detect, listen to, or even gain access to the network, then the network is unnecessarily vulnerable to attack. The necessary and appropriate cell size can be determined by a proper site survey (Chapter 11). The proper cell size should be documented along with the configuration of the access point or bridge for each particular area. It may be necessary to install two access points with smaller cell sizes to avoid possible security vulnerabilities in some instances. Try to locate your access points towards the center of your house or building. This will minimize the signal leak outside of the intended range. If you are using external antennas, selecting the right type of antenna can be helpful in minimizing signal range. Turn off access points when they are not in use. This will minimize your exposure to potential hackers and lighten the network management burden. User Authentication Since user authentication is a wireless LAN’s weakest link, and the 802.11 standard does not specify any method of user authentication, it is imperative that the administrator implement user-based authentication as soon as possible upon installing a wireless LAN infrastructure. User authentication should be based on device-independent schemes like usernames and passwords, biometrics, smart cards, token-based systems, or some other type of secure means of identifying the user, not the hardware. The solution you implement should support bi-directional authentication between an authentication server (such as RADIUS) and the wireless clients. RADIUS is the de-facto standard in user authentication systems in most every information technology market. Access points send user authentication requests to a RADIUS server, which can either have a built-in (local) user database or can pass the authentication request through to a domain controller, an NDS server, an Active Directory server, or even an LDAP compliant database system. A few RADIUS vendors have streamlined their RADIUS products to include support for the latest family of authentication protocols such as the many types of EAP. Administering a RADIUS server can be very simple or very complicated, depending on the implementation. Because wireless security solutions are very sensitive, care should be taken when choosing a RADIUS server solution to make sure that the wireless network administrator can administer it or can work effectively with the existing RADIUS administrator. Security Needs Choose a security solution that fits your organizations’ needs and budget, both for today and tomorrow. Wireless LANs are gaining popularity so fast partly because of their ease of implementation. That means that a wireless LAN that began as an access point and 5 clients could quickly grow to 15 access points and 300 clients across a corporate campus. The same security mechanism that worked just fine for one access point will not be as acceptable, or as secure, for 300 users. An organization could waste money on security CWNA Study Guide © Copyright 2002 Planet3 Wireless, Inc. 285 Chapter 10 – Wireless LAN Security solutions that will be quickly outgrown as the wireless LAN grows. In many cases, organizations already have security in place such as intrusion detection systems, firewalls, and RADIUS servers. When deciding on a wireless LAN solution, leveraging existing equipment is an important factor in keeping costs down. Use Additional Security Tools Taking advantage of the technology that is available, such as VPNs, firewalls, intrusion detection systems (IDS), standards and protocols such as 802.1x and EAP, and client authentication with RADIUS can help make wireless solutions secure above and beyond what the 802.11 standard requires. The cost and time to implement these solutions vary greatly from SOHO solutions to large enterprise solutions. Monitoring for Rogue Hardware To discover rogue access points, regular access point discovery sessions should be scheduled but not announced. Actively discovering and removing rogue access points will likely keep out hackers and allow the administrator to maintain network control and security. Regular security audits should be performed to locate incorrectly configured access points that could be security risks. This task can be done while monitoring the network for rogue access points as part of a regular security routine. Present configurations should be compared to past configurations in order to see if users or hackers have reconfigured the access points. Access logs should be implemented and monitored for the purpose of finding any irregular access on the wireless segment. This type of monitoring can even help find lost or stolen wireless client devices. Switches, not hubs Another simple guideline to follow is always connecting access points to switches instead of hubs. Hubs are broadcast devices, so every packet received by the hub will be sent out on all of the hub’s other ports. If access points are connected to hubs, then every packet traversing the wired segment will be broadcast across the wireless segment as well. This functionality gives hackers additional information such as passwords and IP addresses. Wireless DMZ Another idea in implementing security for wireless LAN segments is to create a wireless demilitarized zone (WDMZ). Creating these WDMZs using firewalls or routers can be costly depending on the level of implementation. WDMZs are generally implemented in medium- and large-scale wireless LAN deployments. Because access points are basically unsecured and untrusted devices, they should be separated from other network segments by a firewall device, as illustrated in Figure 10.13. CWNA Study Guide © Copyright 2002 Planet3 Wireless, Inc. Chapter 10 – Wireless LAN Security 286 FIGURE 10.13 Wireless DMZ C o r p o r a t e N e t w o r k Server Server Firewall Internet Firewall Wireless DMZ Firmware & Software Updates Update the firmware and drivers on your access points and wireless cards. It is always wise to use the latest firmware and drivers on your access points and wireless cards. Manufacturers commonly fix known issues, security holes, and enable new features with these updates. CWNA Study Guide © Copyright 2002 Planet3 Wireless, Inc. [...]... roaming is just part of the job CWNA Study Guide © Copyright 2002 Planet3 Wireless, Inc  299 Chapter 11 – Site Survey Fundamentals In the relatively small, multi-room facility of the real estate firm, users sit at their desks and access the wireless network from that one location, so roaming may not be necessary Existing Networks Is there already a network (wired or wireless) in place? This question... from many points in the building C Users on the sidewalk passing by your building can see your wireless LAN D Users can attach to the network from their car parked in the facility's parking lot CWNA Study Guide © Copyright 2002 Planet3 Wireless, Inc Chapter 10 – Wireless LAN Security 292 20 For maximum security wireless LAN user authentication should be based on which of the following? Choose all that... capable of full-duplex mode CWNA Study Guide © Copyright 2002 Planet3 Wireless, Inc  291 Chapter 10 – Wireless LAN Security 15 Which of the following protocols are network security tools above and beyond what is specified by the 802.11? Choose all that apply A 802.1x and EAP B 8011.g C VPNs D 802.11x and PAP 16 An enterprise wireless gateway is positioned at what point on the wired network segment? A Between... asked of the network administrator or manager include: What Network Operating Systems (NOS) are in use? How many users (today and 2 years from now) need simultaneous access to the wireless network? What is the bandwidth (per user) requirement on the wireless network? What protocols are in use over the wireless LAN? What channels and spread spectrum technologies are currently in use? What wireless LAN... configurations 11 A, D By passive listening to the wireless network or by connecting to access points and performing scanning and probing of network resources, a hacker is able to gain valuable information if the right precautions and security measures are not in place CWNA Study Guide © Copyright 2002 Planet3 Wireless, Inc Chapter 10 – Wireless LAN Security 294 12 A MAC addresses must always be sent in the... point on the wired network segment? A Between the access point and the wired network upstream B Between the access point and the wireless network clients C Between the switch and the router on the wireless network segment D In place of a regular access point on the wireless LAN segment 17 Networks using the 802.1x protocol control network access on what basis? Choose all that apply A Per–user B Per–port... Filter Application Server CWNA Study Guide © Copyright 2002 Planet3 Wireless, Inc Chapter 10 – Wireless LAN Security 290 10 MAC filtering is NOT susceptible to which one of the following intrusions? A Theft of a PC card B MAC address spoofing C Sniffer collecting the MAC addresses of all wireless LAN clients D MAC filter bypass equipment 11 Which of the following are types of wireless LAN attacks? Choose... detailed network diagram (topology map) from the current network administrator When one or more wireless LANs are already in place, the site survey will become all the more difficult, especially if the previous installations were not done properly Doing a site survey with an ill-functioning wireless LAN in place can be almost impossible without the cooperation of the network administrator to disable the network. .. CWNA Study Guide © Copyright 2002 Planet3 Wireless, Inc Preparation Tools and Equipment Needed Conducting the Survey Reporting Chapter 11 – Site Survey Fundamentals 296 In this chapter, we will discuss the process of conducting a site survey, also known as a "facilities analysis." We will discuss terms and concepts that you have probably heard and used before if you have ever installed a wireless network. .. be Some of the topics you may want to question the network management about before performing your site survey: Facilities Analysis Existing Networks Area Usage & Towers Purpose & Business Requirements Bandwidth & Roaming Requirements Available Resources CWNA Study Guide © Copyright 2002 Planet3 Wireless, Inc Chapter 11 – Site Survey Fundamentals 298 Security Requirements Facility Analysis What kind . specific intent of the network designer, the cell sizes are too large. CWNA Study Guide © Copyright 2002 Planet3 Wireless, Inc. CWNA Study Guide © Copyright 2002 Planet3 Wireless, Inc. Site. used with wireless VPN solutions. CWNA Study Guide © Copyright 2002 Planet3 Wireless, Inc. Chapter 10 – Wireless LAN Security 280 Corporate Security Policy A company that uses wireless. encryption? B. 40-bit D. 128-bit CWNA Study Guide © Copyright 2002 Planet3 Wireless, Inc. 2 89 Chapter 10 – Wireless LAN Security 5. Which piece of information on a wireless LAN is encrypted with