Security Implementation for Wireless Network *Subhash Kumar, *Arun Kumar Rathode, *Rajesh Singh

Transcription

1 Security Implementation for Wireless Network *Subhash Kumar, *Arun Kumar Rathode, *Rajesh Singh *M.Tech. Scholar, Bhagwant University, Ajmer, Rajasthan, India ABSTRACT This paper addresses the internal and the external security challenges in organizations that implements wireless networks. Distributed security is designed to provide a more secure data communication among faculty members, staff and students. A description of the technique used to protect and keep PC's up and running is illustrated with applications. Keywords: Access point, LAN. 1. INTRODUCTION The market for wireless communications has experienced incredible growth over recent years and wireless LANs have rapidly become a very important network architecture offering benefits of increased flexibility and mobility. Unlike a traditional wired LAN, users can access servers with much greater freedom. Mobility in IP architecture as well as mobility between wireless LANs and wireless WANs enhances these benefits even further. Such benefits of mobility and access come with significant security and performance requirements. The importance of maintaining secure and reliable connections between 'the communicating parties is often underestimated or even ignored. Security risks in wireless networks are equal to the sum of the risk of operating a wired network plus the new risks introduced as a result of the portability of wireless devices [I]. To reduce these risks, organizations need to adopt security measures and practices, which lower such risks to a manageable level. WLANs do not replace wired solutions but complement them. It provides network connectivity in difficult wiring areas and allows mobile users to work with traditional wired applications with high throughput for both indoor and outdoor environments. Although WLANs came into the market almost a decade ago, standardized WLANs have been available since the late 1990s when IEEE was born. There are two types or modes of WLANs exist, the technology that provides connectivity to the infrastructure network and the technology that provides the 104 P a g e connectivity of one device to another or an ad hoc network. IEEE based WLANs work in both modes.ieee Ib works in the 2.4 GHz band, like g, while the IEEE la solution works in the 5 GHz frequency band. These spectrums are license free. 2. SECURITY ARCHITECTURES IN WIRELESS LANs Wireless LANs provide greater flexibility and portability than do traditional wired LANs. Unlike a wired LAN, a wireless LAN connects computers and other components to the network via a wireless Access Point (AP). IEEE is an international standard which provides transmission speeds ranging from 1 Mbps to 54 Mbps in either the 2.4GHz or 5 GHz frequency bands. In addition it incorporates the IEEE 802. ix authentication protocol (an enhancement for default WEP authentication) which employs port-based network access control. It is used for communication between wireless clients and an AP, while RADIUS operates between an AP and an authentication server. IEEE was proposed to address WEP vulnerabilities by providing access control and key distribution to any (wired or wireless) Ethernet port. The link layer security provisions in the IEEE standards are all vulnerable to attacks. Therefore in practice, implementations need to deploy additional higher-level security mechanisms such as access control, end-to-end encryption, password protection, authentication, virtual private networks, firewalls, etc and assume WEP as a very basic layer of security only. 3. ISSUES AND SECURITY ATTACKS In this section, issues and security attacks that wireless networks security protocols are vulnerable to will be mentioned and some explanation will be provided: Modification: is considered to be an active attack in which the intruder modifies the content of the

2 original message and sent it instead of the actual message. Fabrication: is considered to be an active attack in which the intruder generate a non-original message and sent it to the receiver. Interception: is considered to be a passive attack in which the intruder listens and records the sent encrypted messages to be decrypted later on. Brute Force: is considered to be a passive attack in which the intruder will generate every possible Some security measures include: l. Use of Intrawalls: Firewalls that separate an organization from the Internet are blind to attacks launched by unwitting insiders and hostile insiders. These firewalls may provide some protection unless client to server VPNs are used. These VPNs effectively blind perimeter firewalls. The firewall functions may be moved deeper into the network. Intrawalls suffer from the following shortcomings. 2. Use of Network Edge Security: Network Edge Security is the second-generation firewall architecture which changes 1st generation firewall paradigms. Network Edge Security pushes network security policy enforcement to the edge of the network (in other words all the way to the host) to address the insider problem. The architecture is not host-based software such as personal firewall but it is a host operating system independent and hardware based implementation on NIC (network interface card), with its own processor and memory that cannot be accessed by the host [5]. Network Edge Security is implemented as a remotely managed policy-enforcing device that is independent (from a policy enforcement perspective) of the host operating system. The NIC should be configured to send a periodic heartbeat to the policy server to reduce the threat of undetected physical tampering. The policy server creates policy and pushes it to the NICs. The NICs provide packet filtering and other simple network security support functions. This approach needs hardware modifications to the NIC as well as software that must match networking standards. 3. Implementing a Distributed Personal Firewall: The solution that can be by some means effective and inexpensive is installing an internal firewall at every host in the administration and academic staff subnets, however the administration should be centralized. So a personal firewall policy server should be added to provide a centralized management of all the firewalls. The firewall policy server provides all of 105 P a g e the user interface, policy management, personal firewall policy enforcement, group management, and audit database functions. The firewall policy server creates policy and pushes it to the individual personal firewalls. The personal firewalls provide packet filtering and other simple network security support functions. This approach places the complex functions at the firewall policy server allowing the personal firewalls to be simple, fast, and inexpensive. The uses of these personal firewalls in an organizational environment produce tamperresistance architecture and protect a host from the network. This approach (Distributed Personal Firewall) with the use of the wireless Ii protocols was used in this paper to protect the staff and administration hosts and servers from being cracked by the students. The following are to be followed to ensure a proper implementation of the network security: a. Installation of antivirus software to protects computers from computer Viruses / Worms, commercial antivirus software are available and recommended. Most of universities have antivirus in place, however, some of them have a loose policy regarding upgrading of antivirus data files or they are not obeyed to policy. It should be mentioned very strictly in the policy that upgrading antivirus is a vital issue that needs to be firmly pursued. b. Assigning fixed IP address ranges to computer laboratories and student workstations in order to block traffic towards admin and faculty staff network which is very useful in the case of personal firewalls approach. These ranges of IP addresses of student's workstations are considered as non-trusted addresses in the firewall policy. c. Control the students' access to workstations. Universities suffering from students keep changing the computers' initial configuration. Also they try to install their own pirated programs, garnes, and illegal software. Moreover they may uninstall some required software, delete important files particularly system files, and installing sniffing programs for hacking and cheating purposes. To have a proper control over such a common students' behavior, every student should have his own private logging name and password and be prevented from installation of new software or deletion of an existing one. d. Physical security of computers and resources. In old networks physical security was not as much of a challenging task as it is today, because computers

3 were mostly mainframes locked away in server rooms with a handful of people who knew what to do with them. Nowadays there is a computer on almost every desk and devices and resources are spread throughout the environment, several wiring closets and server rooms, and remote and mobile users take computers and resources out of the facility. Properly protecting these computer systems and devices has become an overwhelming burden to many universities [6]. The proposed network was implement in one of the colleges that has an existing network infrastructure. The network is implemented using the proposed distributed personal firewall technique and lb protocol. The changes to the network were implemented as follows: Commercial Antivirus software was installed in each host in the network with weekly scheduled update of permutation in the key and try to decrypt the encrypted message with each generated permutation, and validate the output by means of cross comparison with words, file header or any other data. Maintainability: is the ability of the protocol or the mechanism to maintain the security of the network after one or some of the encryption / decryption algorithms were compromised for any reason. Time Factor: is a very important factor in which we measure how long will it take to brute force a protocol, currently this is done by calculating how many mutations are there in the encryption / decryption key. 3.1 Issues WEP shares the original 40-bit between each node in the network, which means that only one key is used to encrypt and decrypt all the traffic in the network. Reusing the shared key with a different IV values does this. It was proven that this technique has a number of vulnerabilities. WEP is not maintainable because WEP uses only one algorithm to encrypt and decrypt the message (RC4), which means if the RC4 can be mathematically broken then the hall mechanism is compromised. In general a computer network in any Organization has three main segments the administration segment, the faculty segment, and the students segments. These segments are connected together through a main network backbone. The major segments available in an Organization. As shown all LANs are connected through a workgroup switches to the main services available in the server room and to the Internet connection, which is secured by the perimeter firewall. In the client/server environment, two factors should be taken into consideration the security of servers as well as the security of clients. If the security of even one server is weak, it threatens all the other servers to which it is linked. Therefore, even though individual departments are responsible for the security of their server(s), their actions or lack of actions - it can affect other server on campus. On the other side the security of clients is also very important in that any worm or virus spread among clients' computers can affect the workability of all the computers in the college [3]. All aspects of the network and procedures should be examined, such as general security practices, network vulnerability, encryption strategy, access control (logical and physical), and virus protection. From the first look at the security practices in most universities, it was found that they are applying lenient IT policies and procedures. Staff and students do not have a clear written document about what to do and what should not be done (DO's and Don'ts). The physical security or access control is partially implemented. Logically every student and staff member has his login name and password, which would allow him to login to its dedicated server. Moreover the whole Organization network is designed and implemented with the absent of an internal firewall between the various buildings of the Organization, however externally available between the college network and other networks. Encryption strategy is also missing in order to secure important data e.g. Test files, students' grades, etc. A proxy server is normally available to stop browsing prohibited websites. Virus protection is also available on each server and PC in the college, however the weekly live update of virus data files is not strictly followed, as a result the college could be hammered by the latest harsh warms or viruses just launched and spread over the internet. Backup data may not be done regularly which could cause a disaster of loosing vital information exist continuously. Table I summarizes the findings of the internal assessment of a normal Organization. 106 P a g e

4 Security Process Virus Protection Firewall Security Policy Proxy Backup 107 P a g e Available Not Available Table 1 : Finding of internal security 4. PROPOSED NETWORK SECURITY One important aspect of computer security that usually most of the Organizations, colleges, and academic institutes do not take care of is the possibility to be hacked internally. Students will never give up; they keep trying to crack the security of the administration using any of the hacking software easily available and downloadable from the Internet, or by triggering any of the severe worms among the organization network. This would become very harmful specially if success to penetrate through the academic and/or administration staff files and folders and the consequences is also very hazardous, credibility of the organization or college will be on line. Perimeter firewalls were never designed to solve the insider problem, and intrawalls, which move security enforcement closer to the user and to the host level. This implies that we need more firewall ideally, one firewall for every host, however this seems unfeasible due firstly to the difficulties of managing a firewall on every host and secondly the cost and the budgeting complications. The solution here could be one of the following: 1. Use of lntrawalls: Firewalls that separate an organization from the Internet are blind to attacks launched by unwitting insiders and hostile insiders. These firewalls may provide some protection unless client to server VPNs are used. These VPNs effectively blind perimeter firewalls. The firewall functions may be moved deeper into the network. Intrawalls suffer from the following shortcomings. 2. Use of Network Edge Security: Network Edge Security is the second-generation firewall architecture which changes 1st generation firewall paradigms. Network Edge Security pushes network security policy enforcement to the edge of the network (in other words, all the way to the host) to address the insider problem. The architecture is not host-based software such as personal firewall but it is a host operating system independent and hardware based implementation on NIC (network interface card), with its own processor and memory that cannot be accessed by the host [5]. Network Edge Security is implemented as a remotely managed policy-enforcing device that is independent (from a policy enforcement perspective) of the host operating system. The NIC should be configured to send a periodic heartbeat to the policy server to reduce the threat of undetected physical tampering. The policy server creates policy and pushes it to the NICs. The NICs provide packet filtering and other simple network security support functions. This approach needs hardware modifications to the NIC as well as software that must match networking standards. 3. Implementing a distributed personal firewall: The solution that can be by some means effective and inexpensive is installing an internal firewall at every host in the administration and academic staff subnets, however the administration should be centralized. So a personal firewall policy server should be added to provide a centralized management of all the firewalls. The firewall policy server provides all of the user interface, policy management, personal firewall policy enforcement, group management, and audit database functions. The firewall policy server creates policy and pushes it to the individual personal firewalls. The personal firewalls provide packet filtering and other simple network security support functions. This approach places the complex functions at the firewall policy server allowing the personal firewalls to be simple, fast, and inexpensive. The uses of these personal firewalls in an organizational environment produce tamperresistance architecture and protect a host from the network. This approach (Distributed Personal Firewall) with the use of the wireless Ii protocols was used in this paper to protect the staff and administration hosts and servers from being cracked by the students. The following are to be followed to ensure a proper implementation of the network security: a. Installation of antivirus software to protects computers from computer Viruses / Worms, commercial antivirus software are available and recommended. Most of universities have antivirus in place, however, some of them have a loose policy

5 regarding upgrading of antivirus data files or they are not obeyed to policy. It should be mentioned very strictly in the policy that upgrading antivirus is a vital issue that needs to be firmly pursued. b. Assigning fixed IP address ranges to computer laboratories and student workstations in order to block traffic towards admin and faculty staff network which is very useful in the case of personal firewalls approach. These ranges of IP addresses of student's workstations are considered as non-trusted addresses in the firewall policy. c. Control the students' access to workstations. Universities suffering from students keep changing the computers' initial configuration. Also they try to install their own pirated programs, games, and illegal software. Moreover they may uninstall some required software; delete important files particularly system files, and installing sniffing programs for hacking and cheating purposes. To have a proper control over such a common students' behavior, every student should have his own private logging name and password and be prevented from installation of new software or deletion of an existing one. d. Physical security of computers and resources. In old networks physical security was not as much of a challenging task as it is today, because computers were mostly mainframes locked away in server rooms with a handful of people who knew what to do with them. Nowadays there is a computer on almost every desk and devices and resources are spread throughout the environment, several wiring closets and server rooms, and remote and mobile users take computers and resources out of the facility. Properly protecting these computer systems and devices has become an overwhelming burden to many universities [6]. 4.1 IMPLEMENTATION OF THE PROPOSED NETWORK The proposed network was implement in one of the colleges that has an existing network infrastructure. The network is implemented using the proposed distributed personal firewall technique and lb protocol. The changes to the network were implemented as follows: Commercial Antivirus software was installed in each host in the network with weekly scheduled update of the virus database IP address ranges were defined for each subnet and a software personal firewall was installed in each host in the staff and administration subnets. This firewall was defined to block the IP address range defined for the student's sub net. Each student is given a unique user ID and password with limited access to the network resources. Encryption software was used in every host. Whenever a staff saves a file in a certain directory, a symmetric encryption technique will arise automatically. Windows protection software (a commercial security software system) was installed in all workstations in the college. This software is designed to restore the original settings of the PC (set by the administrator) once it is restarted no matter the student did to any software component. The network was tested using different penetration software (that can be found in the market or internet) and proved to be robust in terms of its resistance to internal hacking and password cracking. The only thing is that we assumed that the protocol is installed to prevent many types of attacks that focus on breaking the encryption of the radio link. 5. CONCLUSION The implementation of the proposed network has shown very positive results in term of securing the universities network and preventing students from cracking the staff or administration servers. The implementation of the distributed firewalls acts as a double protection against internal breaching of the network security. It also blocked all the trials of the student to reach any of the staff or administration host. The definition of an IP address range for every subnet in the network was very effective in filtering the packets corning from other subnets. Also the encryption of the radio link works well in terms of securing the confidentiality of the network while taking advantage of mobility. 6. REFERENCES [1]Karygiannis, T., and Owens, L., (2002). Drof: Wireless NerworkSecurir)' , Bluetooth and Hond held Devices. USA. National Lnstitute of Standards and cchnalagy. 108 P a g e

6 [2]Hunt, R., Vargo, J., Wang, J., Impact of Security Architectures on Wireless Network Performance, 51h IEEE International Conference an Mobile and Wireless Communications Networks (MWCN 2003), Pages , Singapore October, 2003 [3]Lewis Z. Kock, "Outsourcing Security", ZDNet Interactive week, t. Markbam T. & Payne C. "Security at the network Edge: A Distributed Firewall Architecture", IEEE-CNF, [4]S. Harris, "ALL IN ONE CISSP Certification ", McGraw / Osborne, P a g e