
DOCUMENT INFORMATION

Basic information

Title: Wireless Networking Security
School: SANS Institute
Subject: Wireless Networking Security
Year of publication: 2001
City: Not specified
Pages: 40
File size: 629.8 KB


Encryption and Exploits - SANS ©2001 1

Wireless Networking Security

Security Essentials The SANS Institute

Hello, in this module we are going to discuss wireless networking. Specifically, we'll take a look at how wireless technology works, how it is commonly deployed, and the security issues associated with using it. Because wireless communications can penetrate opaque objects such as buildings, the risk of someone accessing a private network increases markedly. With wireless, an attacker does not need to gain access to physical cables or jacks, but only needs to have an antenna and be within range of the transmissions.

We will focus a great deal of this discussion on wireless LANs (WLANs). For the most part we think of these like regular LANs with workstations, servers, and laptops, but without the wires.

However, it is important to remember that wireless devices include cell phones, pagers, PDAs, etc. These less powerful devices are very widely deployed and are increasingly being used to connect to the Internet. Further, their computational capabilities are becoming ever more sophisticated, making the devices vulnerable to traditional Internet threats such as viruses and worms.

We will explore several aspects of wireless security in this part of the course, but before jumping in it is interesting to note that industry analysts are projecting extreme growth in the worldwide wireless market over the next few years. Some even speculate that the number of wireless devices accessing the Internet will soon surpass that of wired PCs (expected to happen around 2003).

The link below points to a report by IDC that provides some interesting background on the wireless industry, and discusses future challenges, many of which revolve around wireless security.

http://www.tivoli.com/products/documents/whitepapers/wireless_security.pdf


Wireless Networking - SANS ©2001 2

Popular Wireless Devices

The popularity of wireless devices is staggering, and the trend shows no sign of slowing. The worldwide mobile data market is expected to be worth $80 billion by 2010. The wireless LAN market alone is expected to grow to over US $2 billion by 2002. Further, forecasters expect more than 1 billion wireless phones to be in use worldwide by 2003.

http://www.india-today.com/ctoday/19991201/buzz3.html

Any device that can interact with the Internet must be prepared to handle the hostility of the Internet environment. Any Internet-connected node can be attacked. Further, the mounting sophistication of wireless devices, combined with wide deployment, makes them attractive targets. As an example of the increasing computational complexity of cell phones, consider this recent article (link below) that likens the capabilities of today's cell phones to arcade games from the 1970s. Even more interesting is the fact that there is an entire market evolving around networked cell phone gaming! In some cases networked gameplay includes having cell phones accept executable code from the air. Such a "feature" could provide a whole new avenue of entry for malicious code.


Why Wireless?

• Wireless solves problems that wired solutions cannot address

• Users can access the network from anywhere

• Users can be mobile while staying connected

• Usable in environments where wires are problematic

- Historic buildings with construction restrictions

- Factories, assembly lines, warehouse floors, hospital rooms, stock trading floors

- Temporary networks, such as for exhibitions

So what's so great about wireless? Why does everyone want wireless LANs? The Gartner Group, Inc. has released a study forecasting that more than half of the Fortune 1,000 companies will have deployed wireless LANs within the next two years. Why?

The reason is that wireless LANs provide freedom: the freedom to move around, and freedom from the hassles and expenses of running wires. It is sometimes more cost effective for an organization to deploy a wireless network than to run wires through the walls of their office buildings. Further, the convenience of having employees bring their laptops to meetings and then take them back to their desks (without any service interruptions) is not to be underestimated. Home WLAN users enjoy working on the computer from the living room couch or a lounge chair in the yard rather than being confined to the home's "computer room".

Wireless networks also enable connectivity in places where it just wasn't possible before. Historic buildings often have restrictions against punching holes in walls and ceilings. Factories and assembly lines would typically be dangerous places to run wires, but wireless provides a solution. Wireless allows doctors to access patient record databases while making their rounds. Warehouse workers can carry wireless order-taking devices as they move around the warehouse checking inventories. And of course, wireless networks can be set up and torn down quickly, making them ideal for short term engagements like exhibitions and business meetings.

Clearly there are many cases when wireless technologies provide big advantages.


Wireless Vertical Markets

• to use with roving lab equipment to have it send statistics into the network patient database

Retail and Food Service

• To allow inventory information to be scanned in and update the inventory database remotely

• To allow restaurant orders to be transmitted back to the kitchen right away

• Trace inventory to the responsible parties

• Warehouse workers use wireless LANs to exchange information with central databases and increase their productivity


Wireless LAN Network Architectures

• Ad-hoc/Peer-to-Peer

• Single Access Point (AP)

• Multiple Access Points (APs)

Now let's talk about how wireless LANs are architected and deployed.

Typically, WLANs are configured in one of three ways: Ad-Hoc (sometimes called peer-to-peer), Single Access Point (sometimes called one-to-local access), and Multiple Access Points (sometimes called one-to-many access). We will consider each of these architectures in the next few slides.

In the terminology of IEEE's 802.11 protocol standard, network architectures that do not use an access point are called "ad hoc", and architectures that include access points are called "infrastructure".


Ad-hoc/Peer-to-Peer Architecture

In an ad-hoc network, wireless stations communicate directly with each other. A good description is given in the ExtremeTech article "Wireless LAN Deployment and Security Basics" referenced and quoted below:

http://www.extremetech.com/article/0,3396,s%253D1034%2526a%253D13521,00.asp

"In the ad-hoc network, computers are brought together to form a network "on the fly". There is no structure to the network, there are no fixed points, and usually every node is able to communicate with every other node. An example of a situation where an ad hoc network would be useful is a meeting where everyone brings laptops in order to work together and share common documents. Although it seems that order would be difficult to maintain in this type of network, algorithms such as the "spokesman election algorithm (SEA)" have been designed to "elect" one machine as the base station (master) of the network with the others being the slaves. Another algorithm in ad-hoc network architectures uses a broadcast and flooding mechanism to all other nodes to establish who's who.

In an ad hoc wireless network, participating clients associate with each other through the use of a common network identifier. Once associated, they can share files and other resources exactly as they would in a wired peer-to-peer network. The limitations of wireless peer-to-peer networking are the same as wired peer-to-peer networking: administrative hassles and poor scalability. Though convenient to set up, they are difficult to manage when you have more than just a few nodes. The recommended practice is that ad hoc networks only be used for the smallest of networks where convenience is paramount and security is not an issue. No doubt people can imagine that large peer-to-peer networks could be very useful in temporary situations, such as large business meetings. In fact, at the Fall 2001 Intel Developer Forum in San Jose, there was a technology demonstration of an ad hoc, self-configuring wireless network that involved about 500 people in the audience all attaching to the same network within about 10 seconds."


Single Access Point

Further, the AP is responsible for authenticating wireless clients and deciding whether a particular client should be allowed to access the network. Typically, authentication is performed based on a "password" (more on this later) and possibly on the client's MAC address. The process of association can be described as a handshaking mechanism between the AP and a wireless device that ensures that the device is only connected to one AP at a time. The area surrounding the access point is referred to as a "Basic Service Set", or BSS.

Because the wireless signal strength decreases as distance from the access point increases, client stations that are far from the AP will experience degraded network performance. Worse, clients that are close to the AP can sometimes monopolize the available bandwidth, leaving far away clients starved for network resources. In order to increase the range and coverage of the wireless network, it is necessary to deploy additional access points. The multiple access point configuration is referred to as an Extended Service Set (ESS), and is described next.


Multiple Access Point Architecture

This slide shows several wireless clients connecting to the network via multiple access points. This "one-to-many" setup allows users to roam around provided they remain within range of at least one AP. The access points communicate amongst themselves and "hand off" the user's information as needed. The idea is to keep the client connected to the "closest" AP regardless of how the client moves. In this context, "closest" means the AP that is able to exchange the strongest communications signal with the client. The client device makes the decision automatically on-the-fly based on the strength of the beacon signals it receives from each nearby access point. The strongest signal wins.


Infrared Wireless Networks

• 2 Mbps

• Cannot penetrate opaque objects

• Uses directed or diffused technology

- directed (requires line of sight)

- diffused (limited to short distances such as a single room)

In wireless networks, information is transferred using electromagnetic waves, most commonly via radio and infrared signals. Of the two, radio-based wireless networks are more commonly deployed, as infrared signal propagation requires either a direct line of sight or a short transmission distance.

In this slide we consider the different types of Infrared wireless technology called "directed" and "diffused". The online report entitled "Wireless Networks" (link below) provides a good description of the two mechanisms and is reproduced below.

http://www.jtap.ac.uk/reports/htm/jtap-014-1.html

"Directed infrared requires a clear line of sight to make a connection. The most familiar direct information communication device is the TV remote control. A connection is made by transmitting data using two different intensities of infrared light to represent the ones and zeros. The infrared light is transmitted in a 20 degree cone giving some flexibility in orientation of the equipment, but not much. Some disadvantages exist with direct connections, one of which is range, usually restricted to less than 3 meters. Also because it needs a clear line of sight, the equipment must be pointing towards the general area of the receiver or the connection is lost. However, advantages include low cost and a high reliable data rate.

Diffuse infrared technology operates by flooding an area with infrared light, in much the same way as a conventional light bulb illuminates a room. The infrared signal bounces off the walls and ceiling so that a receiver can pick up the signal regardless of orientation. Diffuse infrared technology is a compromise between direct infrared and radio technology. It combines the advantages of high data rates from infrared and the freedom of movement from radio. However, it also inherits some disadvantages. For example, although it transmits at 4Mbits/s, twice that of current radio systems, this must be shared among all users, unlike direct infrared. And although a user can roam around freely, which is an advantage over direct infrared, the user is still confined to individual rooms unlike


Radio Frequency (RF) Wireless Networks

• Most popular WLAN technology

• Covers longer ranges

• Penetrates walls

• Most use 2.4 GHz frequency range

• Includes narrowband and spread spectrum technology

• Previous versions ran at max of 2 Mbps

• Most current versions run at 11 Mbps

• New standards allow use at 54 Mbps

As noted on the previous page, radio signals have the advantage of being able to penetrate walls. This means that the network architect has much more flexibility in deciding how the network should be configured. Radio signal technology is what makes WLANs practical for large scale deployment. The report referenced on the previous page (link below) provides some interesting background on radio technologies which will serve us well in this discussion. The relevant information is reproduced below:

http://www.jtap.ac.uk/reports/htm/jtap-014-1.html

"Radio network technology exists in two forms: narrowband technology and spread spectrum technology. Narrowband systems transmit and receive data on a specific radio frequency; the bands are kept as close together as possible and strong filters are used to filter out other signals to make efficient use of the bandwidth. In order to prevent different signals from interfering with each other, a regulatory body was set up to licence the frequencies and monitor their use. These licences are very expensive and in the past have prevented manufacturers from using narrowband technology. An example of a narrowband network would be a commercial radio station. In the early 1990s, the regulatory bodies around the world set aside a band at 2.4GHz (the Instrumental, Scientific and Medical band) for use by new technologies. This band could be used without a license, making it more accessible for private networks, and consequently manufacturers soon started to produce products which used the new band. However, one condition of using the ISM band was that signals must share the airwaves with one another, and as narrowband methods did not allow this, spread spectrum technology was used instead.

Spread spectrum technology spreads the signal out over the whole band, preventing concentration of the signal in any one place, which allows large numbers of users to share the same bandwidth. There are two different methods involved in spread spectrum technology, Direct Sequence and Frequency Hopping, with both having advantages and disadvantages associated with them."

Spread spectrum technologies are discussed next.


Spread Spectrum Technology

DSSS (Direct Sequence Spread Spectrum)

• Data is segmented and different segments are sent on different frequencies

• Transmitter sends a redundant bit pattern called a "chip" along with each informational bit

FHSS (Frequency Hopping Spread Spectrum)

• Transmitter and receiver agree on pseudo-random frequency changes, called "hopping"

• Data is sent in short sequential bursts, one burst on each frequency

Direct Sequence Spread Spectrum works by chopping the signal into small pieces and spreading the pieces across the frequency domain. The particular "chopping algorithm" is defined by something called the "spreading code". Only receivers who know the unique spreading code being used can decipher the signal. In fact, the uniqueness of each spreading code is what allows multiple DSSS transmitters to operate in the same area at the same time. Because each transmission is spread across a wide frequency band, the per-frequency transmission power is low. Thus, "bystander" radio users see a direct sequence transmission as low power background noise rather than interference. The downside of having DSSS signals be low power and spread across a number of frequencies is that the transmissions become susceptible to noise corruption. To combat noise problems, DSSS uses redundancy to recover the signal in the case of lost data. Specifically, DSSS adds redundant information called "chips" to the signal, usually at the rate of 10 chips per data bit. Using more "chips" directly increases the immunity from noise interference.

On the other hand, Frequency Hopping Spread Spectrum operates by splitting the signal up across the time domain. Short bursts of data are sequentially transmitted on different narrowband frequencies. The sequence of frequencies used by the transmitter (called "hops") is chosen pseudorandomly. The receiver also knows the pseudorandom sequence, allowing it to synchronize with the transmitter and recover each short burst of data. Other radio users see the frequency hopping signal as short bursts of noise.

In general, Frequency Hopping devices use less power and are cheaper than Direct Sequence devices. However, Frequency Hopping devices tend to be less resistant to interference and have lower overall performance.

The report referenced on the previous page provides additional information.
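The direct-sequence chip redundancy described above can be made concrete with a short simulation. This is an added example, not part of the SANS course material; the 10-chip code, the second orthogonal code and the sample bits are constructed for illustration (real 802.11 DSSS uses an 11-chip Barker sequence).

```python
import random

# Constructed 10-chip spreading code, matching the "10 chips per data bit"
# figure in the text. Real 802.11 DSSS uses an 11-chip Barker sequence.
SPREADING_CODE = [1, -1, 1, 1, -1, 1, 1, 1, -1, -1]
# A second constructed code, orthogonal to the first (dot product is zero).
OTHER_CODE = [-1, 1, -1, -1, 1, 1, 1, 1, -1, -1]


def spread(bits, code=SPREADING_CODE):
    """Replace each data bit by len(code) chips: 1 -> code, 0 -> inverted code."""
    chips = []
    for bit in bits:
        sign = 1 if bit else -1
        chips.extend(sign * chip for chip in code)
    return chips


def add_noise(chips, flips_per_bit, code_len=len(SPREADING_CODE), seed=0):
    """Invert `flips_per_bit` randomly chosen chips inside every bit period."""
    rng = random.Random(seed)
    noisy = list(chips)
    for start in range(0, len(noisy), code_len):
        for idx in rng.sample(range(start, start + code_len), flips_per_bit):
            noisy[idx] = -noisy[idx]
    return noisy


def despread(chips, code=SPREADING_CODE):
    """Correlate each bit period with the code; the sign of the score is the bit.

    Returns (bits, scores). A score of 0 means the receiver learned nothing
    about that bit; it is reported as 0 by convention.
    """
    n = len(code)
    bits, scores = [], []
    for start in range(0, len(chips), n):
        score = sum(c * k for c, k in zip(chips[start:start + n], code))
        scores.append(score)
        bits.append(1 if score > 0 else 0)
    return bits, scores


def max_correctable_flips(code=SPREADING_CODE):
    """Largest number of corrupted chips per bit that still decodes correctly."""
    return (len(code) - 1) // 2


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0]          # constructed sample bits
    chips = spread(data)
    print("clean      :", despread(chips))
    print("4 flips/bit:", despread(add_noise(chips, 4, seed=7)))
    print("5 flips/bit:", despread(add_noise(chips, 5, seed=7)))
    print("wrong code :", despread(chips, OTHER_CODE))
```

With 10 chips per bit the correlation score falls from 10 to 2 when four chips are corrupted, and to 0 at five, which is why adding chips raises noise immunity; a receiver correlating with the orthogonal code scores 0 on every bit.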


Top 5 Security Issues

1. Eavesdropping

2. Theft or loss of wireless devices

3. Denial of Service (DOS)

4. Wireless viruses

5. Masquerading

At this point let us turn our attention to a few security issues that arise in all types of wireless networks, regardless of the protocol (e.g. WAP, Bluetooth, 802.11) employed. It turns out that wireless networks face most of the same security issues, threats and vulnerabilities as wired networks, along with a few additional problems of their own.


Wireless Eavesdropping

• Attackers can gain access to wireless transmissions without being close to the network

• Anyone with a suitable transceiver within range of the signal can eavesdrop

• Access can be gained while being hundreds of feet away (e.g. from a parking lot or nearby street)

• Difficult to detect eavesdropping

• Can gain access to confidential information

• Loss of information can be costly

Eavesdropping is very easy in the radio environment. When a message is sent over the radio path, everyone equipped with a suitable transceiver in range of the transmission can receive the message. Worse, the wireless transceiver equipment needed to perform eavesdropping is very reasonably priced, and it is virtually impossible to detect that someone is "listening in".

It is important to note that the frequency band and transceiver power used has a great effect on the range where the transmission can be heard. In the case of a 2 or 5 MHz radio band and transceiver power up to 1 W (as in the case of the current wireless LAN standards) the wireless communications can usually be heard from outside the building where the network is operating. Attackers know this, and will often set up their transceivers and antennas in an unmarked vehicle parked on the street in front of the building.


Protecting Against Eavesdropping

• Use encryption in the higher layer protocols

• Use authentication and access control to prevent random strangers from being able to connect to the network

• Spread spectrum technology makes it more difficult for an eavesdropper to make sense of the transmissions

• Prevent AP from broadcasting SSID

Even if an attacker can "hear" a transmission, he will not be able to make sense of the information if it is protected by encryption. Note that, in today's networks, simply turning on WEP encryption (discussed later) is not sufficient. Automated tools are freely available to crack WEP encryption, so it is necessary to implement encryption in the higher layer protocols. An example of such protection would be using IPSec, SSL, SSH, or a VPN technology.

In addition, spread spectrum implementations can provide obstacles to eavesdropping. Unless the attacker knows the particular frequency hopping or frequency spreading mechanism being used, he will find it difficult to recover the transmitted signal. In order to be informed of the spread spectrum information, the attacker needs to "associate" his receiver with the access point. In order to "associate", the client device must know the WLAN "password" called the SSID. Unfortunately, access points typically broadcast the SSID in a beacon signal, and will further respond with the SSID when "pinged". Thus, in practice, random strangers usually find it easy to get the spread spectrum information they need: they simply listen for the SSID broadcast, and then use the broadcasted information to associate with the access point. Now the rogue client is synchronized with the spread spectrum mechanism in use.

Note: Some access point products allow the user to disable beacon broadcasts and responses to pings. In such a configuration, an attacker would need to obtain the SSID via some other method in order to associate with the AP. Other AP products do not allow the beacon signals and ping response to be disabled.
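Why frequency hopping should not be counted as a confidentiality control can be seen in a small model of the synchronisation described above. This is an added sketch, not part of the course material: the hop seed stands for whatever synchronisation parameters an access point hands to any station that associates, SHA-256 in counter mode stands in for the real hop-pattern generator, and the channel count, burst size, seed and message are constructed values.

```python
import hashlib

CHANNELS = 79    # assumed number of hop channels for this sketch
BURST_LEN = 4    # bytes sent per hop (constructed value)

# Constructed sample data.
BEACON_SEED = b"constructed-network-id"
MESSAGE = b"constructed payload: inventory sync record 0042 for the demo"


def hop_sequence(seed, hops, channels=CHANNELS):
    """Pseudorandom channel list that any party holding `seed` can recompute."""
    seq, counter = [], 0
    while len(seq) < hops:
        block = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        seq.extend(byte % channels for byte in block)
        counter += 1
    return seq[:hops]


def transmit(message, seed):
    """Return the 'air': one (channel, burst) pair per time slot."""
    bursts = [message[i:i + BURST_LEN] for i in range(0, len(message), BURST_LEN)]
    return list(zip(hop_sequence(seed, len(bursts)), bursts))


def receive(air, seed):
    """A hopping receiver hears a slot only if its own sequence puts it
    on the channel the transmitter used in that slot."""
    expected = hop_sequence(seed, len(air))
    return b"".join(burst for (chan, burst), want in zip(air, expected)
                    if chan == want)


def listen_fixed(air, channel):
    """A narrowband receiver parked on one channel hears only matching slots."""
    return b"".join(burst for chan, burst in air if chan == channel)


def coverage(heard, message=MESSAGE):
    """Fraction of the message bytes a receiver captured."""
    return len(heard) / len(message)


if __name__ == "__main__":
    air = transmit(MESSAGE, BEACON_SEED)
    best_fixed = max((listen_fixed(air, ch) for ch in range(CHANNELS)), key=len)
    print("station holding the seed :", coverage(receive(air, BEACON_SEED)))
    print("station with another seed:", coverage(receive(air, b"other-seed")))
    print("best single fixed channel:", coverage(best_fixed))
```

Any station that obtains the seed recovers every burst, so the only thing protecting the content in this model is a value the network gives out on association. That is the reason the text above asks for encryption in the higher layer protocols.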


Risks due to Theft or Loss of Wireless Devices

• Wireless devices can be stolen or lost

• Devices can contain confidential corporate information

• Data stored on these devices is in clear text

• Attacker gains access to corporate network with stolen device

• Attacker gains access to corporate data on the device

• Exposes network to possible malicious attacks and to Trojan horses or viruses entering the network

Because wireless devices are small and carried by mobile users, the devices are often lost or stolen. An attacker who can recover a lost or stolen device gains access to all the information contained on the device, and gains access to whatever authentication credentials the device possesses. We can easily imagine a situation where an attacker who steals a mobile worker's laptop gains access to sensitive company documents, and further gains access to the company internal network by using cryptographic keys stored on the laptop to authenticate.


Protecting Against Risks due to Theft or Loss

• Audit devices connecting to network and create strong security policies for

In order to protect against this threat, we must operate under the assumption that every wireless device has the potential to fall into the hands of a malicious person. Our objective is to create a security system that requires that the device be used by the right person before it will reveal its secrets.

In terms of protecting the documents, authentication credentials and other information stored on a laptop or PDA, one potential solution would be to encrypt all data before it is written to the filesystem. However, this scheme requires that the keys used to encrypt the data be made inaccessible to an attacker. For example, if the keys themselves are stored in clear text on the device, the data protection is worthless.

One way to solve the problem is to encrypt the data encryption keys themselves such that the keys can only be unlocked by the correct user. Such a scheme must rely on a passphrase (something the user knows), a physical key (something the user has), or biometric authentication (something the user is) to unlock the keys that will decrypt the filesystem data.
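One way to realise the passphrase-protected key scheme described above, as an added example rather than code from the course: a random data encryption key (DEK) is wrapped under a key stretched from the user's passphrase, and only the wrapped blob is stored on the device. The XOR-mask-plus-HMAC wrap is a standard-library stand-in for a vetted primitive such as AES Key Wrap or AES-GCM; the iteration count, blob layout and function names are assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000   # assumed work factor; tune to the device
SALT_LEN, KEY_LEN, TAG_LEN = 16, 32, 32


def _derive(passphrase, salt):
    """Stretch the passphrase, then split it into a one-time mask and a MAC key."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS, dklen=32)
    mask = hmac.new(master, b"mask", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return mask, mac_key


def wrap_key(dek, passphrase):
    """Return salt || masked DEK || tag. Only this blob is written to storage."""
    if len(dek) != KEY_LEN:
        raise ValueError("this sketch wraps 32-byte keys only")
    salt = secrets.token_bytes(SALT_LEN)   # fresh salt, so the mask is never reused
    mask, mac_key = _derive(passphrase, salt)
    masked = bytes(a ^ b for a, b in zip(dek, mask))
    tag = hmac.new(mac_key, salt + masked, hashlib.sha256).digest()
    return salt + masked + tag


def unwrap_key(blob, passphrase):
    """Recover the DEK, or raise ValueError on a wrong passphrase or altered blob."""
    if len(blob) != SALT_LEN + KEY_LEN + TAG_LEN:
        raise ValueError("malformed blob")
    salt = blob[:SALT_LEN]
    masked = blob[SALT_LEN:SALT_LEN + KEY_LEN]
    tag = blob[SALT_LEN + KEY_LEN:]
    mask, mac_key = _derive(passphrase, salt)
    expected = hmac.new(mac_key, salt + masked, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or tampered blob")
    return bytes(a ^ b for a, b in zip(masked, mask))


def rewrap_key(blob, old_passphrase, new_passphrase):
    """Change the passphrase without re-encrypting the data: the DEK stays the same."""
    return wrap_key(unwrap_key(blob, old_passphrase), new_passphrase)


if __name__ == "__main__":
    dek = secrets.token_bytes(KEY_LEN)     # the key that encrypts the filesystem data
    blob = wrap_key(dek, "constructed example passphrase")
    print("stored on device:", blob.hex())
    print("unlock ok       :", unwrap_key(blob, "constructed example passphrase") == dek)
    try:
        unwrap_key(blob, "a guess")
    except ValueError as err:
        print("unlock refused  :", err)
```

A thief who copies the blob still has to guess the passphrase, paying the full PBKDF2 cost for every guess, so the protection is only as strong as the passphrase and the work factor.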

Another useful protection mechanism revolves around the network being able to uniquely identify each device that connects, and block access based on device identifier. If such protections are in place, the network can begin rejecting connection attempts from a device as soon as it is reported missing.


Denial of Service Attacks

• An attacker with a powerful enough transmitter can generate radio interference that jams all communication

• Cost of buying a transmitter for this kind of attack isn’t expensive

• Attack does not require specialized technical knowledge

Due to the nature of radio communications, wireless LANs are vulnerable to Denial of Service attacks based on transmission jamming. If an attacker has a powerful enough transceiver, he can generate so much radio interference that the targeted WLAN is unable to communicate effectively. Like eavesdropping, this kind of attack can be initiated from a distance, for example from a van parked on the street or from an apartment in the next block. Further, the equipment needed to wage the attack can be purchased from any electronics store at a reasonable price, and any amateur radio enthusiast has the knowledge needed to configure the equipment.


Protecting Against DoS

• Very difficult to protect against a jamming denial of service attack

• In small environments consider using Infrared instead of RF

• Operate wireless networks only from shielded buildings

• Locate and disable the attacking device

Protecting a WLAN against jamming-based denial of service attacks is difficult. The only real solution is to implement special shielding on the building that houses the wireless network. As might be imagined, such a solution is very expensive and is only practical for extremely high-security situations such as the military might require.

Recall that infrared transmissions are confined to a line of sight or a single room. Thus infrared signals are difficult to jam even if the attacker is sitting in the same room with the wireless network. It is impossible for an attacker who is separated from the infrared network by a wall to cause interference. Unfortunately however, due to the previously discussed limitations on Infrared networks, this solution is only appropriate for very small environments.

The good news is that an attacker who generates a flood of noise traffic using a radio transmitter is very easily located. Thus, these attacks are typically of limited duration, lasting only as long as it takes for the authorities to apprehend the miscreant.


Wireless Viruses

• Viruses affecting wireless devices have already been discovered in the wild

• Timofonica is a cell phone virus that can replicate by sending messages to randomly dialed phone numbers

• Phage is a virus that destroys all data and applications on devices running Palm OS

• The disposable nature of handheld devices makes them attractive launch points for viruses and worms

• Networked cell phone gaming may provide new avenues of entry for cell phone malware

The news articles linked below describe a cellular phone virus that surfaced in Spain during June of 2000. The virus, named Timofonica, replicated by sending messages to randomly dialed mobile phones belonging to the European Global System for Mobile Communications network. The enabling technology was the phone network's messaging system. It allowed one device to "push" a message to another. When the receiving device "opened" the message, it became infected.

http://www.cnn.com/2000/TECH/computing/06/14/wireless.threat.idg/

http://www.oreillynet.com/pub/a/network/2000/06/09/magazine/cell_phone.html

In September of 2000, the first virus targeting the Palm handheld operating system was discovered. According to Sophos and Symantec, the virus completely destroys all applications and data files on a victim system. The virus is called Phage, is only 963 bytes long, and can be acquired by running an infected executable on the Palm. Once run, the virus seeks out other Palm applications and overwrites them with the viral code. The only way to recover from an infection is to reset the handheld back to its factory defaults, and re-install everything (including applications) from a

handheld devices may one day be used to launch new viruses into the public network.


Protecting Against Wireless Viruses

Anti-virus protection for wireless devices is starting to become available

• Trend Micro PC-cillin for Wireless

• McAfee VirusScan Wireless

• F-Secure AntiVirus for PalmOS, SymbianOS and PocketPC

• Symantec AntiVirus for PalmOS

Anti-virus protection for handhelds is now being offered by the major anti-virus vendors. Some information from Trend Micro's and McAfee's websites describing their products is reproduced below. Experts expect antivirus software for cell phones to be made available eventually. Quoting Gartner's John Pescatore (see article linked below): "The antivirus vendors are dying to sell antivirus software for every cell phone."

http://www.ecfonet.com/articles/al_a_pretty_skimpy_epidemic.html

Trend Micro http://www.antivirus.com/free_tools/wireless/

PC-cillin® for Wireless Version 2.0 for Palm OS now provides automatic real-time launch scanning to prevent viruses that enter the device from every possible entry point - beaming, synching, email and Internet downloading. Real-time launch scanning activates whenever applications on the device are launched and prevents viruses from activating on the device.

McAfee http://www.mcafeeb2b.com/products/virusscan-wireless/default.asp

Not only does VirusScan Wireless offer coverage for all the major handheld device platforms, it also gives you protection when you need it the most - when you synchronize. Your network is in the most danger when users synchronize their PDAs with their PCs. That's when VirusScan Wireless kicks in, scanning all files for all types of viruses and eliminating the chance of infection.

For PalmOS-based devices, such as Palm Pilots and Handspring Visors, VirusScan Wireless offers another level of protection - on-device scanning. With on-device scanning, VirusScan Wireless can protect your PDA from infection even when you transfer files via infrared link or access the Internet wirelessly. VirusScan Wireless is the only solution that offers both on-device and on-sync protection for Palm devices.

F-Secure http://www.f-secure.com/wireless/

Symantec http://www.symantec.com/sav/

Date posted: 17/01/2014, 07:20
