WHITE PAPER. WEP Cloaking for Legacy Encryption Protection

Transcription

1 WHITE PAPER WEP Cloaking for Legacy TM Encryption Protection

2 Introduction Wired Equivalent Privacy (WEP) is the encryption protocol defined in the original IEEE standard for Wireless Local Area Networks (WLANs). Several known vulnerabilities and attack tools have compromised WEP, making it unsuitable for secure WLAN implementations without additional layers of security. Motorola s WEP Cloaking solution is designed to make WEP virtually invulnerable to known attacks and tools, making existing WEP deployments much stronger than they otherwise would be. Motorola s WEP Cloaking module leverages the Motorola Wireless Intrusion Prevention System (WIPS) using wireless monitoring sensors to protect handheld devices, in use at thousands of retailers world-wide, from passive and active attempts to crack WEP encryption keys. These wireless handheld devices, such as point of sale systems, barcode scanners and VoIP handsets commonly support only WEP encryption which can be easily broken with popular cracking tools. Motorola Wireless IPS in combination with the WEP Cloaking module provides enterprises peace of mind from security and compliance issues.

3 Motorola WEP Cloaking TM WEP Cloaking does not require any hardware or software modifications to the legacy WLAN infrastructure. It is designed to work seamlessly through the Motorola Wireless Intrusion Prevention System. The remote monitoring sensors analyze all the received packets locally, collect several statistics and events of interest, and use a bandwidth efficient secure TCP/IP communication link to aggregate information in a centralized server appliance. The Motorola Wireless IPS system provides: a centralized repository of all current and historical information management and troubleshooting policy definition wizards reporting and compliance modules WEP Cloaking is an add-on module to the Motorola Wireless IPS platform that uses the same WIPS sensors to constantly protect access points (AP s), laptops and handheld devices, by intelligently injecting chaff WEP frames designed to confuse WEP attack tools. By default, the sensor is a passive wireless monitoring device and does not transmit (provided AirLockdown is not active). Enabling the sensors for WEP cloaking will cause the sensors to actively transmit on the channels of the AP s it is protecting. WIPS sensors communicate with the server to coordinate cloaking operation. The server can be configured to instruct a group of sensors to cloak authorized devices in a given location. Sensors are designed to intelligently adjust their frequency scanning patterns to maximize cloaking effectiveness while performing regular Wireless IPS scanning on other channels. More than one sensor can cloak a single wireless device depending on spatial coverage. Once configured for cloaking, sensors intelligently analyze local traffic and insert carefully timed cloaking frames as shown in Figure 1. To attackers, who do not have the secret WEP key, these cloaking frames appear as legitimate WEP traffic between authorized devices. Authorized devices, configured with the production WEP key, automatically ignore the cloaking frames as their integrity test fails. Figure 1: WEP Cloaking with Motorola Sensors 3 WHITE PAPER: WEP Cloaking TM for Legacy Encryption Protection

4 An attacker sniffing traffic will not be able to distinguish between cloaking frames and legitimate frames, and therefore, cannot filter out the cloaked frames. When statistical WEP cracking tools are run on the captured data, they simply fail to decode the key. Figure 2 depicts a screenshot of aircrack-ng with WEP Cloaking enabled. Figure 2: Screen shot of WEP cracking failure with Aircrack-ng In the event of a wired network outage, if sensors lose connection with the centralized server, they will continue to cloak. In addition, WEP Cloaking is optimized to not disturb the wireless environment or impact Wireless LAN performance. The sensors use countermeasures, correlation through the server and mutual coordination over the air to maximize the effectiveness of cloaking with nominal wired and wireless bandwidth consumption. Sensor Deployment Motorola Wireless IPS uses remote sensors to collect data transmitted by a-, b-, and g compliant devices in the 2.4 GHz and/or 5 GHz spectrum. Every site is unique in terms of actual sensor coverage. This section merely describes sensor placement and respective coverage in a simplified way. Actual radio frequency (RF) signal propagation is a very complex issue due to environmental factors like the reflection and absorption properties of different building materials such as walls, furniture, elevator shafts, large moving objects, etc. Please refer to the WIPS User Guide for more detailed information on sensor deployment considerations such as: Building Structure - Many materials used in building construction may significantly impact the propagation of signals in the 2.4GHz or 5 GHz spectrum. Device Density and Location - You should consider the density and location of your wireless a, b, and g devices. Assets to be Protected - Wireless-capable devices that contain sensitive data must be protected. Power and Data cabling - Sensors are often placed in areas that take advantage of preexisting power and data cabling. 4 WHITE PAPER: WEP Cloaking TM for Legacy Encryption Protection

5 Application choice will significantly impact the sensor density and sensor placement. For example, rogue detection in a no wireless zone needs fewer sensors as even sporadic emanations from a wireless device, at the lowest data rate and longest range, can reveal the presence of a rogue. As the applications become more complex, they may require a representative sample of frames or meet certain minimum signal level thresholds, increasing the sensor density requirement. Using these factors in baseline decisions with regard to sensor placement, the following coverage area guidelines may be applied to establish an effective deployment: b/g (2.4GHz) WEP Cloaking & Location Tracking Connection Termination Policy Enforcement Rogue Detection Indoor/Office 15,000 17,000 20,000 30,000 Warehouse, Distribution, Manufacturing 19,000 22,000 30,000 45,000 Outdoor, Hangar 25,000 30,000 40,000 60, a(5 GHz) WEP Cloaking & Location Tracking Connection Termination Policy Enforcement Rogue Detection Indoor/Office 11,000 14,000 17,000 25,000 Warehouse, Distribution, Manufacturing 17,000 19,000 26,000 35,000 Outdoor, Hangar 19,000 24,000 30,000 45,000 Figure 3: Baseline sensor coverage numbers (in square feet) by application 5 WHITE PAPER: WEP Cloaking TM for Legacy Encryption Protection

6 WEP Cloaking will typically require a higher density of sensor deployment than most other applications. This puts WEP cloaking in the highest category sensor density deployments similar to Location Tracking. For effective WEP Cloaking, there are two other important considerations: 1. Spatial coverage - The sensors enabled with WEP Cloaking must at a minimum cover the same area as the authorized Access Points and Stations they are protecting. For this requirement, you should leverage any site surveys you conduct or have conducted for placement of Access Points as aids to sensor placement decisions. Another option is using a WLAN simulation tool such as LANPlanner. Figure 4 below shows a simulation of access point coverage based on the building s RF properties loaded into the system. For example, in a typical retail location most wireless point-of-sale devices will be in the front of the store near the check-out stations. Assuming the hacker would be outside of the building, sitting in the front parking lot, it would make sense to place at least 2 sensors in each of the corners in the front of the store. If there is public access from the back of the building, or the retail location is surrounded by parking areas, you may want to consider additional sensors in the back for complete protection. 2. Channel coverage - A single sensor should not be required to cloak more than 3 authorized access points at a time. For effective cloaking there must be sufficient chaff WEP frames to confuse the statistical WEP cracking tools. At the same time the sensors must perform regular Wireless IPS scanning on other channels. The sensors are designed to intelligently adjust their frequency scanning patterns. However, to maximize cloaking effectiveness and scan all other channels for possible intrusions, sensors should not be expected to cloak more than three authorized AP s, or more specifically 3 unique communication channels, at a time. Figure 4: WLAN AP coverage simulation with LANPlanner 6 WHITE PAPER: WEP Cloaking TM for Legacy Encryption Protection

7 Typically, it will take several sensors deployed at the perimeter of the building to adequately protect all wireless devices with WEP Cloaking. This also implies that, even in small stores, it may take more than one sensor for adequate WEP Cloaking protection; the higher the density of sensors you deploy, the better your legacy encryption devices will be protected. Any deployment should start with a site survey or RF simulation of the WLAN environment, followed by a mapping of sensor coverage to access point coverage of unique channels. WEP Cloaking Best Practices Although wireless security professionals have long recognized the need to use technologies stronger than WEP, organizations may require months or years before such a change can be fully implemented. There are millions of legacy WEP devices already deployed, such as wireless scanners, barcode readers, Wi-Fi phones, and embedded Wi-Fi clients. Many of these devices may not be firmware upgradeable to stronger encryption protocols. The Motorola WEP Cloaking solution extends the shelf-life of existing WLAN infrastructure deployments or protects companies that are in the process of upgrading to a stronger protocol during that transition. The only way for organizations to fortify their wireless networks is to use a layered approach to security. Following is a list of recommendations for securing a wireless network that must include WEP wireless devices: When choosing your WEP key, it is best to use a randomly chosen hexadecimal key. Analyze the power output of the APs to ensure that the AP is not transmitting any further than is necessary. Authorize only specific data rates: o Check the AP s allowed data rates to ensure that unnecessarily distant wireless associations, which would result in a low negotiated data rate, do not provide a wireless client access to the network through the AP. o If the AP is b/g and the stations which require WEP are b devices and not g, disable the AP from supporting data rates higher than 11 Mbps. Product Documentation Additional documentation for Motorola s Wireless IPS system can be found in: Online Help Resident in the Wireless IPS application Motorola User Guide Quick Start Guides These guides include WIPS installation and setup instructions for the WIPS Server, Sensors, and User access. Updated Quick Starts are shipped with your WIPS server software. Use Motorola WEP Cloaking to protect the wireless network using WEP Encryption. Enable policy-based termination on a Rogue Station and Replay Injection Attack alarms If the access points support PSPF (Public Secure Packet Forwarding) mode, also referred to as AP isolation, you must enable it. PSPF mode prevents wireless client to wireless client communication and will limit the effectiveness of typical replay attack. 7 WHITE PAPER: WEP Cloaking TM for Legacy Encryption Protection

8 motorola.com Part number WP-WEBCLOAK. Printed in USA 06/08. MOTOROLA and the Stylized M Logo and Symbol and the Symbol Logo are registered in the US Patent & Trademark Office. WEP Cloaking is a registered trademark of AirDefense. All other product or service names are the property of their respective owners. Motorola, Inc All rights reserved. For system, product or services availability and specific information within your country, please contact your local Motorola office or Business Partner. Specifications are subject to change without notice.