Securely Deploying IEEE802.11 WLANs

David Ross


Abstract

The phenomenal public take-up of pervasive computing technologies and the general preparedness to accept the ubiquitous wireless communication channels is occurring with little or no regard for the failings and inherent risks associated with these technologies.

This ENTRY-LEVEL tutorial gives a high-level overview of the current state of the art of wireless networking security in general and IEEE 802.11 WLANs in particular, including the current technologies and their inherent problems.

It discusses and demonstrates the secure deployment of wireless networking in the HOME, SOHO, commercial or government environment.

The tutorial explains the basics of IEEE802.11 networks, the 'a', 'b', 'g' and 'n' (MIMO) modes of operation, as well as the IEEE802.11i security enhancements.  It compares the differences between WEP, WPA, WPA2, IEEE802.11i, RSN and TSN; and also discusses the requirements of the Australian Government's ACSI33 and its implications for government and related organisation use.

This is NOT a detailed presentation of media access protocols, but only enough to understand the differences in the transmission modes and their strengths and weaknesses, so as to permit the confident secure deployment of these technologies.  Those seeking greater depth are welcome to seek out the presenter during the remainder of the conference.

In wireless LANs, the robust security network, or RSN, is the goal for any new deployment of all but the most open public networks.  Conforming with the IEEE802.11i amendment does not imply a RSN.  Many believe that, because Wi-Fi Protected Access 2 (WPA2), is based on IEEE 802.11i, all WPA2 WLANs are thus RSNs.  This is not valid.  The mere existence of WPA2 certification of equipment is not sufficient to provide a RSN, since compliance with IEEE802.11i does not mandate a RSN in operation.  There is a critical difference between RSNA-capable devices and RSNA-enabled devices.

Indeed, WPA2 certification requires backward compatibility with WPA.  Despite TKIP being an optional protocol for RSNs, WPA/TKIP is not a RSN.  In addition to this, any Wi-Fi certification demands backward compatibility with WEP, but WEP is incompatible with a RSN and some vendors do not keep the two separate.

This tutorial demonstrates how a consumer-grade store-bought low-end Access Point can be more secure than badly configured commercial-grade equipment.  It raises the issues of weak configurations of WPA2 WLANs not meeting RSN requirements and tests two modes of attack on WPA2 WLANs via such weak configurations.
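As an added illustration of the RSNA-capable versus RSNA-enabled distinction drawn above (this is example code, not material from the tutorial), the classifier below applies those rules to an access point profile: no RSNA authentication, legacy WPA/TKIP associations, or any permitted WEP cipher each prevent the configuration from being a RSN in operation. The `ApProfile` fields and the 20-character passphrase threshold are assumptions made for this example.

```python
# Added example: classify an AP profile as RSN, TSN or NOT RSN using the
# distinctions in the abstract. Field names are assumptions for this example.
from dataclasses import dataclass, field

WEP_CIPHERS = {"WEP40", "WEP104"}   # pre-RSNA ciphers, incompatible with a RSN
MIN_PSK_LEN = 20                    # assumed local policy threshold, not a standard value


@dataclass
class ApProfile:
    auth: str                                   # "open", "wep", "wpa-psk", "wpa2-psk", "wpa2-enterprise"
    pairwise: set = field(default_factory=set)  # e.g. {"CCMP"}, {"CCMP", "TKIP"}
    group: str = "CCMP"                         # multicast/broadcast cipher
    wpa_ie: bool = False                        # legacy WPA (TKIP) element advertised
    rsn_ie: bool = False                        # IEEE 802.11i RSN element advertised
    passphrase: str = ""                        # empty for 802.1X/EAP deployments


def classify(p: ApProfile):
    """Return (verdict, findings); verdict is 'RSN', 'TSN' or 'NOT RSN'."""
    findings = []
    if p.auth in ("open", "wep"):
        return "NOT RSN", ["no RSNA authentication in use"]
    if not p.rsn_ie:
        findings.append("RSN element not advertised: RSNA-capable but not RSNA-enabled")
    if p.wpa_ie:
        findings.append("legacy WPA associations accepted: WPA/TKIP is not a RSN")
    wep_used = bool(p.pairwise & WEP_CIPHERS) or p.group in WEP_CIPHERS
    if wep_used:
        findings.append("WEP cipher permitted: pre-RSNA stations allowed (transition network)")
    # A short PSK is a key-strength weakness (dictionary attack), not a protocol-mode failure.
    if p.auth.endswith("-psk") and len(p.passphrase) < MIN_PSK_LEN:
        findings.append("short PSK passphrase: exposed to offline dictionary cracking")
    if not p.rsn_ie or p.wpa_ie:
        return "NOT RSN", findings
    if wep_used:
        return "TSN", findings
    return "RSN", findings


if __name__ == "__main__":
    # Constructed sample: a WPA2-PSK AP left in WPA/WPA2 mixed mode with a short key.
    mixed = ApProfile("wpa2-psk", {"CCMP", "TKIP"}, "TKIP", wpa_ie=True, rsn_ie=True,
                      passphrase="wireless1")
    print(classify(mixed))
```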

The tutorial also demonstrates the use of commonly-available tools and techniques to ensure the security and practicality of any WLAN installation. These include the free and not-so-free commonly available tools for all common platforms and any size of organisation.

Wi-Spy is a relatively inexpensive spectrum analyser for Windows and can provide real-time analysis of the 2.4GHz ISM spectrum.

Kismet is a free passive IEEE 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system for Linux and can sniff IEEE 802.11b, IEEE 802.11a, and IEEE 802.11g traffic.

NetStumbler (and MiniStumbler) are free tools for Windows (and Windows CE) that detect WLANs using active methods, probing for available networks.

AirSnort recovers WEP encryption keys by passively monitoring transmissions, using the weakness described by Fluhrer, Mantin and Shamir. AirSnort requires approximately 5-10 million encrypted packets and then can guess the encryption password in under a second.

Airsnarf is a rogue wireless access point utility for Linux that creates a DoS and disconnects hot spot users. Then it provides a sign-in page that looks like the legitimate service.

AirJack provides low-level device drivers so that raw IEEE 802.11a, IEEE 802.11b or IEEE 802.11g frames can be crafted and injected into a wireless network.

Aircrack implements the KoreK attacks as well as the improved Fluhrer-Mantin-Shamir attack on WEP and provides WPA and WPA2 PSK brute force and dictionary cracking attacks to break poorly configured pre-shared key configurations.

The tutorial concludes with specific guidance in the secure deployment of WPA2 to form a RSN (in either small- or large-scale environments) and remedial actions for those cases where the configuration degrades security.

Presenter Biography

David Ross is a Chartered Professional Engineer (Electrical) and IT security consultant with the ANTACS Group in Brisbane.  He is currently also undertaking a PhD in wireless network security with the Information Security Institute at the Queensland University of Technology.  He has worked in the computer industry for 20 years and specifically in IT security for over half of that.  He also undertakes casual teaching with the University of Queensland and the Queensland University of Technology from time to time.  His consulting roles typically involve security infrastructure development, commissioning and review, as well as enterprise architecture and policy development for the finance, resources and government sectors.
