Wireless Network Security




Wireless Network Security By

Wireless Network Security Page 2 of 18

1. Executive Summary

The concept of wireless communication is not new. One inventor, Nikola Tesla, envisioned over 100 years ago a system of wireless communication that encompassed the world and transmitted voice, news and pictures to anyone with a receiver/transmitter. [1]

The lack of physical network wires makes wireless networking very appealing. The medium broadcasts through the ether or air. Cost of installation is therefore less than wired networks. Roaming allows a computer to journey to many physical locations without rejoining the network. The flexibility, cost and ease of use make for a good business case in any organization.

The largest problem with wireless networking is security. Wireless networks have been plagued with inherent reliability and security flaws. Efforts to rectify these problems continue. The recent Wi-Fi Protected Access (WPA/WPA2) specification alleviates key security issues.

In 2004, the Gartner Group predicted, "Through 2006, 70 percent of successful wireless local area network (WLAN) attacks will be because of the misconfiguration of WLAN access points (APs) and client software." [2]

Before Syntact tackled the project of installing a wireless network, we researched the risks and got familiar with the security features and protocols to ensure a safe, secure setup. With the use of certain security encryption and protocols, any organization can install and maintain a secure, industrial strength, wireless network.

While securing our wireless network, we discovered the following:

1. Do not rely on the default configuration of APs. Create a unique Service Set Identifier (SSID), turn off broadcasting of the SSID and use Media Access Control (MAC) filtering.
2. Purchase APs that use WPA or WPA2. If possible, use Remote Authentication Dial In User Service (RADIUS) for authentication. For small networks, use strong, pre-shared keys.
3. For extra security, configure a second layer of encryption, such as IPSec in conjunction with Public Key Infrastructure (PKI) certificates. If a hacker compromises the WPA encryption, the payload also requires deciphering. This scenario also works for older, less secure Wired Equivalent Privacy (WEP) APs.
4. Configure firewalls to use a trust layer approach. IPSec and a firewall control access from the wireless network to the private, most trusted network.

[1] For more information on Tesla's wireless communication vision, please visit the PBS website http://www.pbs.org/tesla/ll/ll_todre.html.
[2] Air Defense White Paper: Wireless LANs: Is My Enterprise at Risk? http://www.airdefense.com

2. Overview

Wireless networks have interested Syntact for quite some time. Syntact's head office is a renovated heritage building. The installation of a wired computer network required additional labor and cost to preserve the original look of the office space. Wireless networks eliminate the need to cut holes in walls and allow users to roam freely from office to office with laptop computers.

During the wireless network project, we researched, analyzed and designed a secure, reliable, wireless, production network. The remainder of this document describes the history of networks, and the findings of Syntact's wireless networking project.

3. Wired vs. Wireless Security

In the early days of computing, securing computer facilities meant installing physical barriers. Since data was housed and transferred on physical assets (wires, tapes, and various other media), intrusion threats were limited. Locked doors, vaults and cabinets secured the area and the information. Stealing information from this kind of facility required physical access to the computer or to the locked cabinet.

The invention of the computer network introduced new, security-related challenges:

1. Wired network conduits now transmitted sensitive information.
2. Securing these conduits is a difficult task.
3. The secure area is now much larger by extending to terminals or workstations.

3.1 Wired Network Conduits

A conduit is the physical layer of the network. Over the years, there have been many different conduits, ranging from coaxial cable to fiber optic wires.

3.1.1 Coaxial Networks

The coaxial network performs radio transmissions over a single conductor. Transmitters and receivers tap data into the cable conduit, allowing network devices to communicate. The coaxial conduit forms a sort of large antenna. This allows inventive hackers to gather network signals through use of sensitive antennas external to the network or through use of radio wave signal propagation on electrical wiring. The latter case requires that a hacker get a sensitive detector very close to the network or physically plug in to the electrical system.

A coaxial network hacker must possess an intimate knowledge of electronics. The equipment employed by the hacker exists specifically for this purpose, and the hacker may require very expensive electronic devices such as data loggers and oscilloscopes.

The probability of a hacker attempting to gather data from a home coaxial network is low. Why would the hacker want to capture bank account numbers from accounts that probably could not pay one tenth of what the equipment costs?

The probability increases for banks, government and military installations. The payoff for stolen information reaps greater returns in this context.

Coaxial network security requires data encryption and/or radio signal shielding. In some extreme situations, networks reside in secure radio-shielded rooms, blocking all signals, even on electrical wiring. The terms "TEMPEST room" and "TEMPEST-shielded computer" arose in the mid 1980s when the U.S. military demonstrated that these signals could give access to private information. The TEMPEST computer includes shielding that eliminates interception of radio waves.

3.1.2 Twisted Pair Networks

This type of network, deployed in a hub and spoke configuration, makes use of telephone-paired wiring. The signals generated from twisted pair networks are much weaker than coaxial networks, therefore increasing their security. In addition, switched twisted pair networks allow multiple computers to transmit and receive information simultaneously. The resulting data stream becomes very difficult for hackers to interpret.

3.1.3 Fibre Optic Networks

Fibre optic networks transmit data through light waves. Eavesdropping requires a physical connection to the network and thus is very difficult.

3.2 Wireless Network Conduits

Wireless networking has become very popular in recent years. Setup is easy and no requirements exist for additional wiring. Hardware costs are not prohibitive. Users roam freely within the network's coverage area.

The wireless network transmits and receives data via radio signals. The conduit is primarily the atmosphere, but radio signals can also travel along wires and steel structures. In the atmosphere, these radio signals can travel reasonably long distances and, depending on the type of antenna used, the area covered by the radio transmitter can deliver wide area coverage. To connect base stations and further extend the network, special directional antennas are used. Ease of setup, coupled with inexpensive network cards and base stations, makes it good business sense for companies to adopt this network strategy.

The inexpensive user-friendly hardware and software has also caused some interesting problems. Hackers can purchase a wireless network card inexpensively. They can then install it in a laptop, drive around the local area and detect wireless APs. In the past, individuals buying equipment with the same capability paid thousands of dollars.

Lower hardware costs benefit both software professionals and hackers. It becomes more challenging to keep a private network secure. In the past, hacking required skills in electronics and operating systems. Today, a hacker simply requires a laptop, wireless card, some Internet-accessible software tools and a car to discover new networks. In the past, hackers targeted banks, military installations and governments, but now home wireless networks provide valuable targets, a way to gain access to potentially many people's private information.

4. Network Trust

Securing a network requires the following: analysis of security risks, design of the trust layer architecture, development of security procedures and policies, and implementation of the physical security model. We will discuss trust layer architecture in this section.

4.1 Trust Layer Architecture

Network trust layers are the layers of security required for a network. This concept is not new. For many years, banks, military facilities, biohazard facilities and nuclear generating stations have employed the same security method. In the case of a bank, the bank vault is the most protected zone with strict access control. In the case of a computer network, the servers and workstations physically located within the office structure may form the most trusted zone. We trust nothing outside the perimeter of the zone.

4.1.1 One Zone Trust Layer

Using a bank as an example, the vault is the circle perimeter. Protection extends only to what is in the vault. A security mechanism, such as a door with lock and key, controls access to the vault. Only trusted people with security clearance can go inside.

In the virtual world of the network, the firewall acts as a door that inspects all arriving and departing network traffic and makes decisions, utilizing security policies that grant or deny access to the protected zone. Here, the zone perimeter is a virtual entity created by the firewall system. Nothing outside the firewall is trusted. Computers, data and network traffic inside the perimeter are trusted. Figure 1 shows a one zone trust layer:

Figure 1: One Zone Trust Layer

For many network security professionals, a single network layer is undesirable. If a breach in security occurs on a public web server, the compromised computer has access to resources on the private network.

4.1.2 Two Zone Trust Layer

The natural progression of this architecture is to define a second low trust zone that encircles the trusted bank vault zone. In a bank, this zone is the teller's area. The workers here are more trusted than the public, but not all tellers have security clearance to access the vault. Figure 2 shows this architecture:

Figure 2: A Two Zone Trust Layer

A second firewall appears in Figure 2. The physical boundary of the teller's area forms the outer perimeter, and security codes and security personnel control access to this area. This is a low trust zone. The most trusted zone is still the bank vault.

In a computer network, this low trust zone could contain servers that publish information to Internet users. Although the outermost firewall protects these resources, there is a greater probability that a breach of security could occur. The area of low trust is the demilitarized zone (DMZ). If a security breach occurs, an inner firewall still protects the trusted zone.

4.1.3 Three Zone Trust Layer

In the case of a bank, where the most secure area is the vault, teller stations are trusted but not as much as the vault. A third area creates a trust zone between the teller area and the vault, possibly a zone containing money-counting machines.

In the case of a computer network, this zone could contain a network connection to a business client. The client possesses excellent physical and network security. Limited access exists to the high trust network from the client network. Only certain computers, protocols and ports can access the client's network. This high trust zone requires that a different set of firewall access rules be set up on a third network interface. Figure 3 shows this.

Figure 3: Three Zone Trust Layer

4.2 Firewalls

As shown in the previous diagrams, firewalls perform inspection of all incoming and outgoing network traffic. We allow only trusted ports and protocols, such as http and https, in and out. Depending on how many trust layers exist, the incoming traffic directs to web servers located in a DMZ, forming a back-to-back firewall configuration. For a single trust zone, the incoming traffic directs straight to servers located on the private network.

4.3 Protocols

Trusting protocols at the application layer requires research. There is a vast amount of information on the subject available on the Internet. A good firewall will have application-level inspection capabilities for protocols like http and https exploits. An investment in one or more state inspection firewalls with application-level filtering is vital.

For wireless networks, there are security protocols with known security problems. Wired Equivalent Privacy (WEP) is such a protocol. One documented exploit captures a sample of encrypted data and runs a decipher program to crack the encryption.

The new WPA or Wi-Fi Protected Access has a much better encryption scenario and uses a Temporal Key Integrity Protocol (TKIP). The TKIP changes the public key on a user-defined interval, thus making deciphering very difficult. A 128-bit key could be any one of 3.4 * 10^38 keys. [3] Therefore, it takes 2^120 operations to crack WPA with 128-bit encryption if the brute force method is used. Using temporal keys limits the hacker's time to crack the key, rendering it virtually unbreakable.

Encrypted protocols such as IPSec are very trustworthy and secure when used with a public/private key certificate.

[3] Please see http://www.netaction.org/encrypt/appendixa.html for more information.

5. Trusting Wireless

We required several weeks of research to understand wireless and its security pitfalls. The following sections outline some of the information we discovered.

5.1 Prohibit SSID Broadcasting

Broadcasting the network identifier, called the Service Set Identifier or SSID, is one of the first signs of an insecure wireless network. By default, most APs have a factory-set SSID and openly broadcast it. Broadcasting the default SSID makes network discovery simple. If the network offers services to the public, such as wireless coffee shops, then this configuration is appropriate. However, if the network is private, the network administrator must assign it a unique SSID and turn SSID broadcasting off.

5.2 Avoid Wired Equivalent Privacy (WEP)

Fraught with well-known security problems, WEP alone is insufficient for business use. It requires a second layer of encryption such as IPSec or Virtual Private Network (VPN) technology to make it secure.

5.3 Use Wi-Fi Protected Access (WPA)

During the design phase of this network, we decided not to trust WPA encryption. WPA is very new and likely contains undiscovered vulnerabilities, though WPA provides very strong encryption with 128-bit keys. We required a second layer of encryption.

5.4 Selecting the Second Layer of Encryption

Several VPN technologies can perform the second layer of encryption. Proven protocols, such as Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP), received special attention. The strongest encryption protocol in use today is IPSec paired with a good Public Key Infrastructure (PKI) service. An internal certificate authority issues certificates for the organization. We selected IPSec and PKI certificates for our second layer of encryption.

5.5 Choose Pre-Shared Keys Wisely

Protocols, such as WPA and IPSec, use pre-shared keys or pass phrases for authentication. Using pre-shared keys requires a strong phrase containing at least eight alphanumeric characters, for example: 2the_sun_sh1nes@spain. A dictionary attack cracks encryption by randomly selecting properly spelled words. For this project, we decided to use a long, alphanumeric phrase similar to the Microsoft Product Id code, a key not vulnerable to a dictionary attack.

5.6 Select 802.1X Authentication Where Appropriate

For larger wireless networks, implementers should take advantage of 802.1X authentication. This authentication and authorization protocol utilizes RADIUS. For large wireless networks, this eases setup time and administration.

RADIUS is a security service for authenticating and authorizing external users. It requires a backend authentication server. The RADIUS server authenticates users and authorizes access to internal network resources. The most important feature of RADIUS is its distributed security model. [4] For this project, we decided not to use 802.1X because of the small quantity of wireless users.

[4] http://www.linktionary.com/r/radius.html
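An added example, not part of the original paper: a Python audit for the pre-shared key advice in section 5.5 that checks a candidate WPA passphrase and generates a 30-character alphanumeric key of the kind the project chose. The word list, the 80-bit threshold and the SSIDs are constructed assumptions; the PBKDF2 parameters are the ones WPA-Personal uses to turn a passphrase and SSID into its 256-bit key.

```python
import hashlib
import math
import secrets
import string

# Constructed stand-in for a real dictionary file (assumption for this example).
SAMPLE_WORDS = {"the", "sun", "shines", "spain", "password", "wireless", "office"}
# Common character substitutions, undone before the dictionary check.
LEET = str.maketrans("013457@$", "oieastas")
MIN_BITS = 80  # assumed policy threshold, not a figure from the paper


def derive_pmk(passphrase, ssid):
    """WPA-Personal key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def dictionary_hits(passphrase, words=SAMPLE_WORDS):
    """Words of 3+ letters found after lower-casing and undoing substitutions."""
    normalized = passphrase.lower().translate(LEET)
    return sorted(w for w in words if len(w) >= 3 and w in normalized)


def charset_bits(passphrase):
    """Upper bound on entropy: assumes every character was picked at random."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation + " ", 33)]
    pool = sum(size for chars, size in classes
               if any(c in chars for c in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0


def audit_psk(passphrase):
    """Return a list of findings; an empty list means no objection was found."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("length outside the 8-63 characters WPA accepts")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        findings.append("contains characters outside printable ASCII")
    hits = dictionary_hits(passphrase)
    if hits:
        findings.append("dictionary words: " + ", ".join(hits))
    if charset_bits(passphrase) < MIN_BITS:
        findings.append("below %d bits even if fully random" % MIN_BITS)
    return findings


def generate_psk(length=30):
    """Random alphanumeric key; 30 characters matches the paper's shared secret."""
    alphabet = string.ascii_letters + string.digits
    if length > 63 or length * math.log2(len(alphabet)) < MIN_BITS:
        raise ValueError("length cannot satisfy the policy")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not audit_psk(candidate):  # retry on an accidental dictionary hit
            return candidate


if __name__ == "__main__":
    for phrase in ("office12", "2the_sun_sh1nes@spain", generate_psk()):
        print(phrase, "->", audit_psk(phrase) or "no findings")
    key = generate_psk()
    # The SSID salts the derivation: same passphrase, different key per network.
    print(derive_pmk(key, "linksys").hex()[:16],
          derive_pmk(key, "syntact-hq-7f3a").hex()[:16])
```

The character-set estimate alone rates the sample phrase from section 5.5 well above the threshold, yet the dictionary check still flags it, which is the distinction the section draws when it opts for a random key.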

6. Implementation

Many security-related concepts require consideration when implementing a wireless network. We documented our requirements in a network architecture document, and addressed each requirement in terms of software, hardware and architecture. The following list outlines our requirements and solutions:

Wireless Network Access
Requirement: We require that a secure, wireless network be accessible within our head office.
Solution: We installed two APs to ensure complete office coverage.

Wireless Network Security
Requirement: We require that the latest and most secure protocols protect the wireless network.
Solution: We achieved this by using Wi-Fi Protected Access (WPA), a very large alphanumeric shared secret, Media Access Control (MAC) filtering, and IPSec tunneling. IPSec tunnels connect the workstations to the private network via certificate-based authentication in a node-to-network VPN.

Wireless Network Administration
Requirement: We require that the wireless network APs support remote administration.
Solution: We achieved this by creating firewall rules that allow http protocol traffic from the private network to the wireless APs only.

Figure 4 shows the wireless network configuration developed by this project.

Figure 4: The Final Wireless Network (diagram labels: Laptop, Internet, Moncton Network, Wireless 802.11g, Wireless Access Point, Comm. Tower, Wireless Stub, Future Office Networks, Firewall, VPN Stub, DMZ, Proxy, Client, Private Network, High Trust, Project, Shared, Administration, Workstation, Server, Printer)

We purchased two wireless APs and placed them at the front and back of the head office. Within the network, the two wireless APs reside on the third interface of the outer firewall. The firewall now allows traffic to the Internet and pass-through, IPSec-encrypted packets to flow to the inner firewall. The inner firewall will only accept IPSec traffic from nodes having certificates issued by the certificate authority server located within the high-trust shared network.

To gain access to the wireless network the wireless client must have the following information:

1. SSID name
2. 30-byte alphanumeric shared secret used by the WPA service running on the AP
3. Known MAC address

To gain access to the private network, the wireless workstation must have a certificate issued by the internal certificate authority.
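An added example, not part of the original paper: the two-firewall policy of section 6 written as a small Python model, so the intended reachability can be checked before rules are loaded on real devices. Zone and rule names are hypothetical, "IPSec traffic" is assumed to mean IKE on UDP port 500 plus ESP, and return traffic and the inner firewall's outbound policy are not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str               # zone: "internet", "wireless" or "private"
    dst: str
    proto: str             # "tcp", "udp" or "esp"
    dport: int = 0         # 0 for protocols without ports
    cert_ok: bool = False  # peer holds a certificate from the internal CA


def is_ipsec(f):
    # Assumption: IKE (UDP/500) and ESP; the paper only says "IPSec traffic".
    return f.proto == "esp" or (f.proto == "udp" and f.dport == 500)


# First matching rule allows the flow; anything unmatched is denied.
OUTER = [  # APs sit on the third interface of the outer firewall
    ("wireless-to-internet",
     lambda f: f.src == "wireless" and f.dst == "internet"),
    ("wireless-ipsec-passthrough",
     lambda f: f.src == "wireless" and f.dst == "private" and is_ipsec(f)),
    ("ap-admin-http",
     lambda f: f.src == "private" and f.dst == "wireless"
     and f.proto == "tcp" and f.dport == 80),
]
INNER = [  # accepts IPSec only from nodes with an internally issued certificate
    ("ipsec-with-internal-cert",
     lambda f: f.dst == "private" and is_ipsec(f) and f.cert_ok),
]


def decide(flow):
    """Return (action, deciding rule); a flow must pass every firewall on its path."""
    chain = [("outer", OUTER)]
    if flow.dst == "private":
        chain.append(("inner", INNER))
    decided = None
    for fw_name, rules in chain:
        match = next((name for name, pred in rules if pred(flow)), None)
        if match is None:
            return ("deny", fw_name + ":default-deny")
        decided = fw_name + ":" + match
    return ("allow", decided)


def exposure_without_cert(ports=(22, 80, 443, 445, 3389)):
    """Flows into the private network that a wireless node lacking a certificate can open."""
    probes = [Flow("wireless", "private", proto, port)
              for proto in ("tcp", "udp") for port in ports]
    probes += [Flow("wireless", "private", "esp"),
               Flow("wireless", "private", "udp", 500)]
    return [f for f in probes if decide(f)[0] == "allow"]


if __name__ == "__main__":
    samples = [  # constructed flows
        Flow("wireless", "internet", "tcp", 443),
        Flow("wireless", "private", "tcp", 445),
        Flow("wireless", "private", "udp", 500),
        Flow("wireless", "private", "esp", cert_ok=True),
        Flow("private", "wireless", "tcp", 80),
    ]
    for f in samples:
        print(f, "->", decide(f))
    print("exposed without certificate:", exposure_without_cert())
```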

7. Conclusion

The wireless project carried out by Syntact proved to be interesting and enlightening. Is it possible to implement a corporate, wireless network in a secure and reliable manner? The answer is yes.

The reliability of wireless networks depends on many things. First, a good wireless signal survey of the office area determines how many access points will be required and where they must reside. Second, the use and placement of other devices such as microwave ovens, cordless phones and energy saving light bulbs affect the wireless network. Guidelines located on the Internet suggest minimum distances that should separate wireless access points and potentially troublesome devices.

With today's wireless technology and excellent network architecture, a secure, reliable wireless network performs very well in a corporate environment. Wireless security is evolving quickly. In the near future, use of the Advanced Encryption Standard (AES) will make wireless networks secure enough for government and military use. These security improvements only increase the business case for corporate wireless networks.