Hardening IEEE 802.11 wireless networks
January 2002
Tyson Macaulay,
Director, PKI and Wireless Security
EWA Canada
www.ewa-canada.com
www.ewa.com
Table of contents
1 Introduction
2 WLAN architecture
3 Security under the WLAN status quo
4 Threats to WLANs
5 Wireless Equivalent Privacy (WEP)
6 Rudimentary steps for Hardening WLANs
7 Intermediate steps for Hardening WLANs
8 Comprehensive steps to hardening WLANs
9 Other enhancements: VPN and IDS
10 Roadmap for Hardening 802.11
11 Contact information and Author’s Bio
List of figures
Figure 1: WLAN Overview
Figure 2: Peer to Peer Overview
Figure 3: Access Point network placement
Figure 4: Device MAC information
Figure 5: Radiation leakage from an Access Point
Figure 6: Better Antenna placement
Figure 7: Reduced signal strength
Figure 8: Shaped antenna radiation
Figure 9: Roadmap to harden WLANs
Revision history
Version | Date | Authors
1.0 | January 15, 2002 | Tyson Macaulay
Copyright EWA Canada 2002
1 Introduction
IEEE 802.11 is a Wireless Local Area Network (WLAN) standard which specifies a radio
interface and Layer 2 (Link Layer) protocol for data communications in the 2.4 GHz
spectrum. 802.11b supports up to 11 Mbps of capacity, depending on what part of the
world you are in, and has a range of up to a hundred meters or more in open spaces, but
more like 50 meters in a practical office environment using off-the-shelf equipment.

802.11b is not just popular, it is now widespread. Shipments of 802.11b WLAN (just
WLAN from now on) components now exceed 3 million units per quarter as of late 2001
– and are growing fast [1]. Increasingly, WLANs will replace the traditional fixed-line
LANs because of their flexibility, affordability and the Return on Investment they offer
through cheap deployment and support costs [2]. There are dozens of manufacturers of
WLAN products, which is contributing to the growth of the market and competitive
prices [3].

This paper will begin with a discussion of WLAN security problems and continue to
outline the various types of threats that face WLANs at a high level, and how these
threats are in some cases similar to, and in some cases distinct from, “fixed-line” threats.
The core of this paper will be about hardening WLANs: specifically, how the native
features of 802.11b can be used to secure the network from eavesdropping, masquerade
and denial of service, and how some cheap, after-market WLAN enhancements can
be applied for these purposes.

One final word before we commence: 802.11a is the next generation in the wireless
world after 802.11b, and is very close in design and function to 802.11b. 802.11a
operates in the 5 GHz range and offers up to 54 Mbps of bandwidth – that is the primary
distinction from 802.11b. While this paper applies mainly to 802.11b, it is generally
applicable to the 802.11x wireless network specification as a whole.
2 WLAN architecture
This section provides a brief overview of WLAN architecture.
WLANs consist of Access Points (APs) and Stations as shown in Figure 1: WLAN
Overview. The APs are the connection between the wireless and fixed-line world. The
Stations are devices with 802.11 radios that access the network through the APs. APs
contain configuration information for Stations and generally also have the ability to
manage users in some form or another depending on the vendor.
[1] IDC November 2001: 802.11 market forecast
[2] Yankee Group
[3] http://www.wi-fi.org/certified_products.asp
[Figure 1: WLAN Overview (diagram labels: Station A, Station B, Access Point)]
An alternate form of WLAN architecture discussed throughout this paper is a Peer-to-
Peer WLAN. This is a simpler architecture in which two Stations form the network, with
one of the Stations acting as a gateway for the other(s) through a second network
interface. The primary difference is that this arrangement is generally simpler and
possesses fewer features for managing WLAN connections.
[Figure 2: Peer to Peer Overview (diagram labels: Station A, Station B, 802.11 card)]
3 Security under the WLAN status quo
WLANs are deployed across the range of corporate and small office environments. From
the largest business or government agency down to the home user, everyone is using
them in the same manner as fixed-line LANs. Walk through a downtown core and you
will find all manner of businesses using WLANs – you can tell by the 802.11 radio signals
leaking out of the buildings and being bounced and reflected for city blocks. Walk
through a residential neighbourhood and you will find a whole different population using
the same technology.

The problem is that the vast majority – 80% by our own research – are all using it the
same way: without even basic security [4]. The networks are not configured with security
of any kind and are generally providing access right into corporate networks. Stories of
getting inside corporate networks with full access to shared drives abound elsewhere. A
business might as well install a LAN jack in the parking lot across the street if they
manage their WLANs in this fashion.

There are several reasons for the preponderance of insecure WLAN deployments, many
of which parallel the situation in the early days of the Internet back in the mid 90’s.
1. It is a new, “cool”, but poorly understood technology. Once it has started to
work, leave it alone lest we break it. Organizations are essentially setting up
the WLANs to the point they merely work, then walking away until there is a
problem. In the early days of the Internet, many organizations simply
connected the ISP [5] router directly to the corporate network and supplied users
with fully routable IP addresses. Then they paid the price in security
catastrophes. Security in the fixed-line world is poorly understood once you
get past email viruses. Wireless security possesses all the threats of the fixed-line
world – plus it introduces the “network-jack-in-the-parking-lot” exposure.
2. Faith in perceived complexity – security by obscurity. “If it’s this complex,
no one is likely to hack it.” Since WLANs require (apparently) complex
hardware, some software and effort to set up and configure, people rationalize
that they are safe. “I can’t see it so nobody else can”.
3. Default configurations from manufacturers are set to “completely open”. Any
organization using the default configuration from almost all WLAN
equipment manufacturers will be set to the most vulnerable posture. In
defence of the manufacturers, this is done to make it as easy as possible to
establish the networks and reduce support costs. Even establishing Wireless
Equivalent Privacy (WEP) [6] requires a limited understanding of
cryptographic key management – which is about three steps beyond where
most harried administrators want to go.
4. Poor understanding of network architecture and how wireless should fit in.
Even a competent network administrator can easily make mistakes when it
[4] EWA Canada WLAN Survey of 2 major Canadian cities, Dec 2001/Jan 2002.
[5] Internet Service Provider
[6] Wireless Equivalent Privacy – See Section 5 Wireless Equivalent Privacy (WEP)