
Page 1: Coursework 2 - tdelazzari.free.frtdelazzari.free.fr/files/asmnwireless.pdf · Coursework 2 Secure Wireless Network Design Course: CO42034 Report written by: Mr Thomas DE LAZZARI 03009323@napier.ac.uk

Advanced Security and Mobile Networks

Napier University

Friday 3rd June 2005

Coursework 2

Secure Wireless Network Design

Course: CO42034 Report written by: Mr Thomas DE LAZZARI [email protected]


Table of Contents

Table of Contents
Table of Illustrations
1. Introduction
2. Investigation
    2.1 The roots of wireless
    2.2 The standard 802.11
        2.2.1 Frame types
        2.2.2 Frame format
    2.3 Hardware requirements
        2.3.1 Access point
        2.3.2 Client adapter
    2.4 Radio waves
        2.4.1 Channel plan
        2.4.2 Spread spectrum
        2.4.3 Problems with wireless environments
    2.5 The Wi-Fi revolution
    2.6 Conclusion
3. Security weaknesses
    3.1 Security standards
        3.1.1 Encryption
        3.1.2 Authentication
    3.2 Wireless attacks
        3.2.1 Jamming the signal
        3.2.2 Wardriving
        3.2.3 Denial-of-service (DoS)
        3.2.4 Authentication weaknesses
        3.2.5 WEP weaknesses
    3.3 Conclusion
4. System design
    4.1 Architecture
    4.2 Security configuration
    4.3 Map of the library
5. Conclusion
6. References


Table of Illustrations

Figure 1: 802.11 Frame format
Figure 2: Infrastructure network type
Figure 3: Aironet 1200 access point
Figure 4 (a): Laptop wireless network card
Figure 4 (b): Desktop wireless network card
Figure 5: Three nonoverlapping, noninterfering channels
Figure 6: WEP Encryption
Figure 7: MAC addresses filtering
Figure 8: WEP process for encryption
Figure 9: Three access points design
Figure 10: Security configuration via telnet
Figure 11: Geographical placement of the access points


1. Introduction

Security is an important concern, especially where a company's private data is involved. To secure a computer network, experts work on specific devices such as firewalls and routers. Where there is a wireless access point, data traffic has to be encrypted and any new station joining the network must go through secure authentication. Specific techniques and protocols must be used to counter the threats introduced by a wireless network.

This coursework is an investigation of the current weaknesses in IEEE 802.11 networks. The main objective is to produce a possible solution overcoming the problems identified. This solution could be applied in the library at Merchiston, supporting up to 100 simultaneous users. The system implementation is presented in the form of configuration lines. The hardware used to set up an access point is the Cisco Aironet 1200 series. Geographical positions for each device will be added to the Autocad map of the library. The solution will consider some important wireless security weaknesses, and the design will include some form of authentication and encryption to reduce the identified threats.

This report is a rationale of the choices made to reinforce the security policy of this wireless network solution. It contains a background presentation of the technology and its security standards. Problems related to the encryption protocols, authentication techniques, and other security weaknesses will be discussed and details of a possible solution provided.


2. Investigation

In this part, the main background theory of wireless networks is presented. The research conducted explains the basic features and topology of this technology. The findings are discussed and interpreted to evaluate some issues that can be encountered during the implementation process.

2.1 The roots of wireless

A wireless local area network (WLAN) uses radio waves to convey data to the user. An access point can be configured to give network connection to an entire building or campus. It is usually attached to a cabled backbone (Wikipedia, 2005). Although wireless networking is in constant evolution, the technology itself has been developed and refined for more than 30 years now. Researchers at the University of Hawaii found an effective way to share data between 4 islands. The result was the first wireless network: ALOHANET. Data could be exchanged at an impressive rate of 1-2 Mbps. Since then, the technology has been improved and standardized by the IEEE (CyberScience Laboratory, 2003).

2.2 The standard 802.11

The standard was adopted by the IEEE in 1997. It defines the control layers: medium access, management protocol and physical spread (Hammond et al, 2003). Three IEEE protocol standards have been added to the original specification:

802.11b: up to 11 Mbps in the 2.4 GHz frequency range.
802.11a: up to 54 Mbps in the 5.8 GHz frequency range, to overcome problems with the overcrowded 2.4 GHz S-band (microwave ovens, cordless phones, etc.).
802.11g: up to 54 Mbps and compatible with 802.11b devices because it remains in the 2.4 GHz frequency range.

These three modifications to the original standard are mainly an evolution towards faster data rates.


2.2.1 Frame types

According to Brenner (1997) there are three main types of frames:

Control frames: handshaking signals of Ready To Send (RTS) and Clear To Send (CTS). The AP allocates time for the transmission and sends a Clear To Send back to the client (Leira, 2005).
Data frames: allow the data to be transmitted.
Management frames: exchange management information.

2.2.2 Frame format

The specifications for the 802.11 frame format are as follows (see Figure 1):

Frame control: contains control information.
Duration: time to live of the frame.
Address fields: source and destination address.
Sequence control: allows checking for duplicate or missing frames.
Frame body: up to 2312 bytes.
FCS or CRC: error detection code.

Figure 1: 802.11 Frame format


2.3 Hardware requirements

In order to set up a wireless network, the scale of the installation must first be evaluated: maximum number of users, geographical distribution, etc. Two wireless network cards are sufficient if only two computers must be connected; the network type is then Ad-hoc (Tabona, 2004). In this coursework, the library network should support up to 100 users, so the type is an infrastructure network (see Figure 2).

Figure 2: Infrastructure network type

2.3.1 Access point

The Aironet 1200 access points (see Figure 3) used for this coursework act as bridges between the wireless devices and the backbone. They can also be configured as routers and manage data transmission from one access point to another.

Figure 3: Aironet 1200 access point


2.3.2 Client adapter

A wireless network card needs to be installed in each computer around the Access Point (AP). There are two different types of network card:

For laptops: the network card usually fits into the PCMCIA slot (Figure 4 (a)).
For desktop computers: the card fits into a PCI slot and usually has an external antenna to increase the signal power (Figure 4 (b)).

Figure 4 (a): Laptop wireless network card

Figure 4 (b): Desktop wireless network card

Cisco Aironet 350 series

2.4 Radio waves

Each access point uses one channel to transmit data. Two access points using the same channel must be out of range of each other (Figure 5). A radio cannot send and receive at the same time: while transmitting, a node cannot listen on the channel. The CSMA/CA protocol is thus implemented to avoid collisions. For real-time audio or data, a priority protocol (Point Coordination Function) enables devices to transmit synchronously without any contention (Kinicki, 2004).

2.4.1 Channel plan

There are two options for using the channels (Ward & Harris, 2005):

Increase throughput in one room: many channels cover the same area.
Covering a large building: access points are physically separated. The signal's energy level at the edge of each cell (Ch. 1) is low enough so there is no interference (Figure 5).

Figure 5: Three nonoverlapping, noninterfering channels


Roaming is frequently used by GSM mobile phones. When the user is moving with his cell phone, it automatically changes access point without disconnection. A beacon signal is regularly transmitted to the client with its traffic map and, if the signal's power level is dropping, the client adapter moves to another AP (Nantes Wireless, 2005).

2.4.2 Spread spectrum

There are two methods used in wireless networks to avoid interference in the band:

The first is Frequency Hopping Spread Spectrum (FHSS). This technique was first used in military systems. The ISM band is split into 79 1 MHz channels. The frequency is moved from one channel to another according to a hopping pattern (Baker, 2000).
The second is Direct Sequence Spread Spectrum (DSSS). A noise signal is multiplied with the data being transmitted.

2.4.3 Problems with wireless environments

While deploying a wireless network there are many geographical constraints to consider. For example, there can be noise in the frequency band due to electrical equipment, or radio waves can hit obstacles (walls). These problems result in interference, inability to transmit, or low bandwidth.

2.5 The Wi-Fi revolution

According to Anderson (2003), Wi-Fi will become a universal standard and every electronic device in the future will not require cables anymore. It is already true with cell phones, PDAs and even digital cameras. According to Gartner, 99 million people will use Wi-Fi in 2006. For example, it is now almost impossible to find keyboards and mice without Bluetooth. New cars are also entirely equipped with wireless Bluetooth devices such as radio controller, security distance check, etc.

2.6 Conclusion

Implementing a wireless network is nowadays more and more accessible, with hardware that is not so expensive. However, many technical aspects have to be considered before and after the installation to configure the network properly. Radio wave coverage is directly influenced by the AP's location, and the security techniques included in the IEEE 802.11 standard have many weaknesses.


3. Security weaknesses

Wireless by nature is unsecured. An access point is often situated behind the router or the firewall, inside the LAN. It does not even require physical access! Imagine RJ45 plugs everywhere outside a company's building, freely providing access to the internal network. This is exactly what an 802.11 AP is doing, and this is why strong precautions have to be applied before installing this type of device in a LAN.

This chapter is a description of all the security weaknesses introduced by wireless 802.11. First, an analysis of the current possible solutions for securing a wireless network is presented, and then a list of all possible attacks that breach some of the basic security methods employed in wireless.

3.1 Security standards

3.1.1 Encryption

a) WEP

Wired Equivalent Privacy (WEP) is part of the IEEE 802.11 standard. It is a protocol to secure a wireless network. The data transmitted is encrypted with a specific algorithm. A secret key is first exchanged between a host and its AP, and then packets are encrypted using this key. A CRC check is made to prevent a possible data modification (Alam & Jenkins, 2005). The key is a sequence of hexadecimal alphanumeric values entered by the user, and WEP can switch amongst four keys. IEEE 802.11b has three encryption operations:

Disable: No security at all! Information sent as cleartext.
64-bit WEP: Weak security.
128-bit WEP: 128-bit key providing stronger security.

Figure 6: WEP Encryption

[Figure 6 diagram labels: Client, WEP, AP, Backbone, Fileserver]


b) WPA

Newer standards include WPA (Wireless Protected Access). WPA allows authentication and encryption through an improved RC4 algorithm. The encryption key differs in every packet transferred. The mechanism is called Temporal Key Integrity Protocol (TKIP). With WPA a server can also be configured for logging and for the authentication process.

c) VPN

Another secure way for encryption is VPN (Virtual Private Network). It forms a secure tunnel between a client and a server. It is almost impossible to break because it uses strong and advanced encryption mechanisms. However, this technology is not part of the IEEE 802.11 standard.

3.1.2 Authentication

a) EAP

For authentication there are many different standards:

EAPS (Extensible Authentication Protocol)
LEAP (Lightweight EAP)
EAP-TLS (EAP - Transport Layer Security)

A RADIUS server authenticates a client with UserID and password. A client cannot access the network if he does not have the correct WEP key.

b) SSID and MAC filtering

Basic configurations for authentication involve (Tabona, 2004):

SSID (Service Set Identifier). It acts as a simple password and identifies a WLAN network. This identifier has to be set for each access point. The client configuration must include the SSID of the network he wishes to connect to. Access is granted if the SSIDs are the same.
MAC addresses filtering (Figure 7). A list of MAC addresses can be entered manually (which can take a long time for a network with hundreds of computers) into an access point, and thus only the corresponding client adapters will be allowed access.

Figure 7: MAC addresses filtering


3.2 Wireless attacks

After this brief introduction to the different wireless security methods, the following presents some possible attacks that can break a node even if the information transmitted is encrypted. Some obvious wireless security weaknesses are exploited by attackers.

3.2.1 Jamming the signal

Military equipment or even a modified radio antenna can jam all the signals on frequencies around 2.4 GHz, preventing all communication. It has the same effect as if someone entered a company's building and cut all network cables, except that signal jamming can be done from the outside!

3.2.2 Wardriving

It consists of driving a vehicle with a Wi-Fi-equipped laptop sniffing the 2.4 GHz band. Wardrivers usually collect information on access points and accessible computer systems. In the UK it is considered illegal even if it is only for listening, like a basic radio. A lot of tools and software can be downloaded at: http://www.wardrive.net/wardriving/tools

For example SSIDsniff, by Kostas Evangelinos, can log information about an access point and was written for the CISCO Aironet AP.

3.2.3 Denial-of-service (DoS)

Wireless 802.11 in its implementation leaves a door open to intruders, who can easily flood an access point with continuous connection requests. The bandwidth will then be reduced for other clients and, if there are too many requests to be handled, it can saturate the access point.

3.2.4 Authentication weaknesses

The first three types of attacks presented above highlight a specific weakness of wireless networks: the fact that private data can be accessed from everywhere. The administrator of the network can suppose that there will always be a "man in the middle". This is why users have to be authenticated, but even the robust authentication techniques described on the previous page have weaknesses!


For example, an authentication made by MAC address can be breached by an intruder if he has a valid MAC address (spoofing). A MAC address can indeed be set in some network cards. Also, a spoof access point can be set up and, if ordinary clients connect to it, they will provide all the details for decrypting their messages.

3.2.5 WEP weaknesses

WEP does not include a specific protocol to manage key sharing. Only a single key is exchanged. The RC4 algorithm has a lot of weak keys and can be easily cracked by knowing a few bytes. The attacker can isolate two ciphertexts encrypted with the same key and then perform an alphabetical analysis; for example, the letter with the most occurrences in English is "E". It is also possible to bypass the CRC integrity checker even if bits are flipped (Anderson & Demko, 2005). With WEP, data headers are not encrypted, so an intruder can easily capture a valid source and destination address. There are many tools available to crack any WEP keys easily (http://www.wardrive.net/wardriving/tools):

AirSNORT: once 5-10 million packets have been gathered, it takes less than one second to decrypt the entire communication.
WEP Crack: open source tool to exploit RC4 vulnerabilities.

Figure 8: WEP process for encryption
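The two properties named in section 3.2.5 (ciphertexts that share a keystream, and a CRC that still verifies after bits are flipped) can be checked on constructed data. This is an added example, not part of the original report; the 3-byte IV value, the sample messages and the truncated HMAC-SHA256 tag (a stand-in for a keyed integrity check, not TKIP's own algorithm) are assumptions, and the key is the 26-digit value from section 4.2.

```python
import hashlib
import hmac
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return the first n bytes of the RC4 keystream for key."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

def crc(data: bytes) -> bytes:
    """CRC-32 used as the integrity check value: no key is involved."""
    return zlib.crc32(data).to_bytes(4, "little")

def wep_seal(iv: bytes, key: bytes, data: bytes) -> bytes:
    """WEP-style frame: clear IV, then RC4(IV || key) over data || CRC-32."""
    body = data + crc(data)
    return iv + xor(body, rc4(iv + key, len(body)))

def wep_open(key: bytes, frame: bytes):
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    data, icv = body[:-4], body[-4:]
    return data if crc(data) == icv else None

def crc_shift(delta: bytes) -> bytes:
    """Change in the CRC when delta is XORed into the data.
    CRC-32 is affine, so this depends on delta alone, never on the key."""
    return xor(crc(delta), crc(bytes(len(delta))))

def mac_seal(iv: bytes, key: bytes, mac_key: bytes, data: bytes) -> bytes:
    """Same framing, but the trailer is a keyed tag (assumed stand-in)."""
    tag = hmac.new(mac_key, iv + data, hashlib.sha256).digest()[:8]
    body = data + tag
    return iv + xor(body, rc4(iv + key, len(body)))

def mac_open(key: bytes, mac_key: bytes, frame: bytes):
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    data, tag = body[:-8], body[-8:]
    good = hmac.new(mac_key, iv + data, hashlib.sha256).digest()[:8]
    return data if hmac.compare_digest(tag, good) else None

# Constructed sample values (assumptions for this example).
IV = bytes.fromhex("0a0b0c")
KEY = bytes.fromhex("25943687200ABC2548BA26398A")   # key string from section 4.2
MAC_KEY = b"constructed-mac-key"
MSG_A = b"loan=book;days=14"
MSG_B = b"loan=dvd ;days=03"
DELTA = bytes(15) + bytes([ord("1") ^ ord("9")]) + bytes(1)  # '1' -> '9' at offset 15

def demo() -> dict:
    fa, fb = wep_seal(IV, KEY, MSG_A), wep_seal(IV, KEY, MSG_B)
    # Same IV and key: the keystream cancels, leaving plaintext XOR plaintext.
    leak = xor(fa[3:], fb[3:])
    # XOR the delta into the data and shift the encrypted CRC to match.
    altered = fa[:3] + xor(fa[3:], DELTA + crc_shift(DELTA))
    # The same change against a keyed tag cannot be compensated without the key.
    fm = mac_seal(IV, KEY, MAC_KEY, MSG_A)
    altered_mac = fm[:3] + xor(fm[3:], DELTA + bytes(8))
    return {
        "roundtrip": wep_open(KEY, fa),
        "leak": leak,
        "altered_wep": wep_open(KEY, altered),
        "altered_mac": mac_open(KEY, MAC_KEY, altered_mac),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The modified frame passes the CRC check, while the keyed tag rejects it, which is why per-packet keys and a keyed integrity check were added to the standard.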


3.3 Conclusion

Even if an addendum has been made to the standard with some new security solutions such as WPA and EAP authentication, a lot of devices are not compatible and still use WEP as their main encryption protocol. Home devices are even sold with the WEP function disabled by default. However, wireless is not a technology to ignore, because in some cases it is the only way to provide access to the network. An example will be seen below within a library. Thanks to wireless, students can come with their laptops and connect to the network. The configuration of this infrastructure must take into account all the weaknesses discussed in this part.


4. System design

This part of the study shows the elements of the system which could be implemented in the Merchiston library (Napier University Campus). For example, one could use his laptop to connect to the wireless network and retrieve some e-books from a server. He could read the e-books directly on his laptop or download them in PDF format with a validity period of two weeks.

4.1 Architecture

The topology that could be used for this installation is a three access point design (Figure 9). It should meet all the network needs and cover the entire area: rooms, first and second floor, etc. The access points used for the proposed design are Aironet 1200 from Cisco. They provide high capacity security, and also flexibility in their configuration. We could deploy an 802.11g network and in the future upgrade it to a dual-band 802.11a/g network (Cisco, 2005). The cost for each access point is around $700, and Cisco also provides other tools that can be added to the device (different antenna). Aironet 1200 access points support WEP, WPA, TKIP, and EAPs authentication.

Product specifications provide details about the indoor maximum range for 802.11g:

    90 ft (27 m) @ 54 Mbps
    95 ft (29 m) @ 48 Mbps
    100 ft (30 m) @ 36 Mbps
    140 ft (43 m) @ 24 Mbps
    180 ft (55 m) @ 18 Mbps
    210 ft (64 m) @ 12 Mbps
    220 ft (67 m) @ 11 Mbps
    250 ft (76 m) @ 9 Mbps
    300 ft (91 m) @ 6 Mbps
    310 ft (94 m) @ 5.5 Mbps
    350 ft (107 m) @ 2 Mbps
    410 ft (125 m) @ 1 Mbps

Cisco provides interesting documentation on its web site on channel deployment issues for 2.4 GHz 802.11 WLANs (Cisco, 2004). The conclusion is that the deployment of such a network must have three nonoverlapping, noninterfering channels. These channels have a center frequency separation of only 5 MHz and an overall channel bandwidth (or frequency occupation) of 22 MHz. An Aironet 1200 AP can support more than 100 simultaneous users.


[Figure 9 diagram labels: Firewall, Internet, Uni Network (JKCC, labs, etc.), RADIUS server, EAP Authentication, Aironet Access point, Client]

Figure 9: Three access points design

With three access points in the library, users would necessarily be close to one of them and the data rate could be higher. This is very useful, for example, if a user wants to access a non-compressed video file on the library's server.


4.2 Security configuration

The security configuration was tested using the pod program (Figure 10) to access and configure an Aironet 1200 device via telnet.

Figure 10: Security configuration via telnet

First of all, EAP authentication has to be configured on the device. The aaa list leap and a user "thom" are created using the following commands over telnet:

    telnet 146.176.165.229 2007
    password: cisco
    enable
    password: Cisco
    config t
    int dot11radio0
    ssid thom
    authentication network-eap aaa
    ! creation of a client
    authentication client username thom password toto
    exit

EAPs can either be in the access point or come from a RADIUS server. It is probably better to use a RADIUS server because it could interact with some sort of registration process and user database.


To configure the RADIUS server on the Access Point, the following commands are used:

    config t
    ! supposing 146.176.165.212 is the IP address of the RADIUS server
    radius-server host 146.176.165.212
    ! unencrypted key
    radius-server key 0 25943687200ABC2548BA26398A

The encryption key and method proposed are based on the new WPA technique. To overcome the problems of the WEP encryption method, TKIP is used.

Set key management:

    config t
    int dot11radio0
    ssid thom
    authentication key-management wpa
    wpa-psk hex 0 25943687200ABC2548BA26398A

Encryption key:

    config t
    int dot11radio0
    encryption mode cipher tkip wep128
    ! 26 hexadecimal digits
    encryption key 3 size 128bit 25943687200ABC2548BA26398A transmit-key

A MAC address filtering and authentication technique could also be set up as a secondary authentication with the RADIUS server. The Aironet 1200 provides such a technique. The commands are:

MAC filtering:

    config t
    int dot11radio0
    ssid thom
    authentication open mac-address 00-40-F4-7D-4C-83

As this process is manual, this authentication technique is hard to implement and could slow down the system.

To reinforce the security, all communication could be encrypted through a VPN tunnel, but this solution is hard to set up and also needs to be installed on the client side.

Also, for specific cases, QoS (Quality of Service) could be set up directly on the Access Point using:

    config t
    policy-map ?
    int dot11radio0
    ! apply a QoS on the input interface
    service-policy input
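A check over the configuration lines of this section, as an added example (not part of the original report and not a Cisco tool). It flags secrets entered as type 0, one value reused in several roles, a hex pre-shared key that is not the 64 digits of a 256-bit WPA PSK, a cipher list that still includes WEP, and MAC-address authentication; the rule names and the REVISED_CONFIG variant are constructed for illustration.

```python
import re
from collections import defaultdict

# Configuration lines as they appear in section 4.2 of the report.
PAGE_CONFIG = """\
radius-server host 146.176.165.212
radius-server key 0 25943687200ABC2548BA26398A
int dot11radio0
ssid thom
authentication network-eap aaa
authentication key-management wpa
wpa-psk hex 0 25943687200ABC2548BA26398A
encryption mode cipher tkip wep128
encryption key 3 size 128bit 25943687200ABC2548BA26398A transmit-key
authentication open mac-address 00-40-F4-7D-4C-83
"""

# Constructed variant, limited to the lines this audit inspects:
# EAP key management only, TKIP only, no static keys, no MAC authentication.
REVISED_CONFIG = """\
int dot11radio0
ssid thom
authentication network-eap aaa
authentication key-management wpa
encryption mode cipher tkip
"""

# (role, pattern) pairs; group 1 is the optional key type, group 2 the secret.
SECRET_LINES = [
    ("RADIUS shared secret", re.compile(r"radius-server key (?:(\d) )?(\S+)")),
    ("WPA pre-shared key", re.compile(r"wpa-psk (?:hex|ascii) (?:(\d) )?(\S+)")),
    ("WEP key", re.compile(r"encryption key \d+ size \S+ (?:(\d) )?(\S+)")),
]

def audit(config: str) -> list:
    """Return (rule, detail) findings for an Aironet-style configuration."""
    findings = []
    roles_by_secret = defaultdict(list)
    for line in (raw.strip() for raw in config.splitlines()):
        for role, pattern in SECRET_LINES:
            m = pattern.match(line)
            if not m:
                continue
            key_type, secret = m.groups()
            roles_by_secret[secret.upper()].append(role)
            if key_type == "0":
                findings.append(("PLAINTEXT_SECRET",
                                 f"{role} entered as type 0 (unencrypted)"))
        m = re.match(r"wpa-psk hex (?:\d )?([0-9A-Fa-f]+)$", line)
        if m and len(m.group(1)) != 64:
            findings.append(("PSK_LENGTH",
                             f"hex PSK has {len(m.group(1))} digits, "
                             "a 256-bit key needs 64"))
        m = re.match(r"encryption mode ciphers? (.+)", line)
        if m:
            weak = [c for c in m.group(1).split() if c.startswith("wep")]
            if weak:
                findings.append(("WEP_CIPHER",
                                 "cipher list still includes " + ", ".join(weak)))
        if line.startswith("authentication open mac-address"):
            findings.append(("MAC_FILTER_AUTH",
                             "MAC address used for authentication; "
                             "section 3.2.4 notes it can be spoofed"))
    # A value that appears in more than one role ties those roles together:
    # disclosure of one discloses all of them.
    for roles in roles_by_secret.values():
        if len(roles) > 1:
            findings.append(("SECRET_REUSE",
                             "one value used as " + ", ".join(roles)))
    return findings

if __name__ == "__main__":
    for rule, detail in audit(PAGE_CONFIG):
        print(f"{rule}: {detail}")
    print("revised config findings:", audit(REVISED_CONFIG))
```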


4.3 Map of the library

This is an Autocad map of the Merchiston library modified to show the geographical placement of the three Aironet 1200 access points (blue points). The intended power level of their signals is delimited by a blue circle.

Figure 11: Geographical placement of the access points


5. Conclusion

As a conclusion to this report, the design of this system is a comprehensive study of what a wireless network is, how it works and what the different methods to set one up are, especially in light of all the security weaknesses of this technology. Since a wireless message can be read by anybody in the range of the access point, there are obviously a lot of security risks even if strong encryption algorithms are used. Cheung (2005) published a few days ago a long article on how to crack WEP on the Tom's Hardware website. With more and more powerful workstations, it is now easier to decode an RC4-based encryption algorithm. However, new techniques such as TKIP and EAP authentication have been added to the wireless standard, and having all these security features enabled limits the possible attacks. There is no perfect security policy in networking. Combining many security layers, for example an authentication process followed by strong encryption of the data being transmitted, is a solution that has to be considered if a wireless network is installed at the Merchiston library.


6. References

All references in this report are standardised using the Harvard referencing technique, described in a quick reference guide by Hazel Hall (2004): Reference list entries, bibliographies and in-text citations. All references are listed below in their quotation order.

Wikipedia (last modified 25 May 2005). Definition of a Wireless LAN. Retrieved from: http://en.wikipedia.org/wiki/Wireless_LAN.
Cyberscience Laboratory (May 2003). Introduction to the 802.11 Wireless Network Standard. Paper can be viewed at: http://www.nlectc.org/pdffiles/introduction_to_802.11_networks.pdf.
John Hammond et al (Dec 2003). Wireless Hotspot Deployment Guide. Paper can be viewed at: http://www.intel.com/business/bss/infrastructure/wireless/deployment/hotspot.pdf.
Andrew Z. Tabona (May 20, 2004). An Introduction to Wireless Networking - 802.11. Retrieved from: http://www.windowsnetworking.com/articles_tutorials/Introduction-Wireless-Networking-Part1.html.
Pablo Brenner (1997). A Technical Tutorial on the IEEE 802.11 Protocol. Available at: http://www.dis.org/wl/pdf/tutorial.pdf.
Jardar Leira (Apr 04, 2005). UNINETT: WLAN: IEEE 802.11. Available at: http://www.uninett.no/wlan/ieee80211.html.
Dennis Ward and Susan Harris (2005). Basic Overview of Wireless LAN Technology. Paper available at: http://www.citi.umich.edu/projects/itss/lectures/lecture-14-Wireless_is_not_Ethernet.pdf
Professor Bob Kinicki (Dec 06, 2004). Wireless LANs. Worcester Polytechnic Institute. Paper available at: http://www.cs.wpi.edu/~rek/Undergrad_Nets/B04/Wireless.pdf.


Nantes Wireless and Angers Wireless, France (Feb 17, 2005). 802.11 - Les Réseaux Sans Fils (in French) - Roaming Itinerance. Available at: http://www.nantes-wireless.org/pages/wiki/index.php/RoamingItin%E9rance.
Steven D. Baker (Oct 19, 2000). The Benefits of Frequency Hopping Spread Spectrum in the 2.4 GHz ISM Band for Patient Monitoring Applications. Retrieved from: http://www.monitoring.welchallyn.com/pdfs/resourcelib/frequency.pdf.
Chris Anderson (May 2003). The Wi-Fi Revolution. Retrieved from: http://www.wired.com/wired/archive/11.05/unwired/wifirevolution.html?pg=1&topic=&topic_set=.
Tanvir Alam & Maurice P. Jenkins (Spring 2005). Wireless Network Security. Paper available at: http://www.idt.mdh.se/kurser/ct3040/vt05/reports/WNS.doc.
Rick Anderson and Pat Demko (Spring 2005). Wireless security. Paper available at: http://www.sis.pitt.edu/~jjoshi/TELCOM2813/Spring2005/.
Cisco Aironet 1200 specifications. Retrieved in June 2005 from: http://www.cisco.com/en/US/products/hw/wireless/ps430/.
Cisco (2004). Channel Deployment Issues for 2.4-GHz 802.11 WLANs. PDF paper available at: http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1200/accsspts/techref/channel.pdf.
Humphrey Cheung (May 2005). How To Crack WEP. Article online at: http://www.tomsnetworking.com/Sections-article118-page2.php.

Additional references (papers not quoted in this report):

Rob Flickenger (Sept 2003). Wireless Hacks - 100 Industrial-Strength Tips & Tools. Publisher: O'Reilly