Wi-Fi and security
Wireless Networking and Security, by Alain RASSEL, 23.11.04
Overview:
Simple configuration example
Obvious simple protection means: change administrator password; restrict administrator access to trusted interface
Network structures: single firewalled internet attached computer; what does a firewall do?
Internet attached NAT'ted network with wired router: DNS name, IP address and MAC address; more about MAC addresses and DHCP; NAT function; why NAT acts as a client firewall; how to dig holes into a NAT firewall
Internet attached NAT'ted network with wireless router
Wi-Fi: the problem zone
Simple access protection means: infrastructure mode; physical location; ESSID protection; disabling DHCP; non-standard IP address; MAC address filter
Why use these methods? Dissuasion; data securing with individual firewalls
WEP encryption is insecure
WPA is still secure
Conclusions
Simple setup: part 1 (diagram slide)
Simple setup: part 2 (diagram slide)
Simple setup: part 3 (diagram slide)
Obvious simple protection

Set/change the administrator password. The default passwords for standard equipment are the first ones crackers try.

Restrict administration authorization to computers on the trusted interface. Unless specially secured, this should not be the wireless interface. If no computer resides permanently on the trusted interface, repeat the simple setup connection procedure whenever administration is needed.
Single firewalled internet attached computer

All data exchanged are filtered by the computer's internal firewall.

(Diagram: public area with probable threats / Internet / single public IP address / firewall in the computer / user programs / computer to be protected)
What does a firewall do?

Computers on the Internet exchange DATA PACKETS between PORTS using PROTOCOLS.
A PORT is like a mailbox for sending or receiving a DATA PACKET.
A PROTOCOL is a data exchange procedure.
TCP (Transmission Control Protocol) is like a registered letter: you are sure the recipient receives the packet.
UDP (User Datagram Protocol) is like an unregistered letter: if you need to know the data arrived, the recipient must confirm it himself.

A specific program inside the computer listens on a port/protocol and sends its packets to its correspondent from a certain port. Example: the web server (e.g. APACHE) listens for requests on port 80 and sends its data back to the originating port from which the browser (e.g. Internet Explorer or Mozilla) sent the request.

A client FIREWALL simply blocks all incoming ports, so that our programs do not receive any packets from external computers. The only accepted packets are those sent in response to our own packets, i.e. we only consider answers from computers/programs we have spoken to first. As we are a client, not a server, no external machine can take the initiative to communicate with us.

This would keep programs like P2P file sharing and games from working, so some HOLES must be opened to allow external access to them.
Internet attached NAT'ted private network

Data exchanged pass through the router's Network Address Translation layer.

(Diagram: public area with probable threats / Internet / single public IP address / ROUTER with firewall, NAT layer and DHCP server / private IP addresses 10.z.y.x, 192.168.y.x or 172.16.1.x served by DHCP / user computers / private area: computers to be protected)
DNS name, IP address and MAC address

Computer (DNS) name, e.g. www.lgl.lu: translated by DNS (Domain Name System). Usually static name attribution, sometimes dynamic attribution by a DHCP server.

The IP (Internet Protocol) address (e.g. 158.64.72.230) contains all the information needed to make a computer reachable from anywhere on the internet. On ethernet or wireless it is translated to an interface address by ARP (Address Resolution Protocol). Initial IP address attribution is static or by a DHCP server.

The interface address, also called Media Access Control or MAC address (e.g. 67:8A:BC:DE:F0:12), is specific to the physical communication medium used (e.g. ethernet or wi-fi). In the case of a point-to-point link (e.g. a modem connection) it does not even exist.
More about MAC addresses and DHCP

Programs on different computers talk to each other using ports, protocols and IP addresses, but on the ethernet (and also the wi-fi) physical level, the interfaces talk to each other using MAC addresses.

Ethernet example: two computers on the same ethernet. Computer A with IP 10.0.0.1 and MAC 01:02:03:04:05:06 wants to talk to computer B with IP 10.0.0.2; it knows B is on the same ethernet but does not know B's MAC address. 10.0.0.1 sends an ARP (Address Resolution Protocol) ethernet broadcast over its interface: ARP who-is 10.0.0.2? 10.0.0.2 is listening to all ethernet broadcasts, recognizes its IP address and answers: I am 10.0.0.2, my MAC is 11:12:13:14:15:16.

How does a computer know its own IP address?
It has been statically configured. This is the easiest way, but if we give two computers the same IP address, both will answer the ARP request, and so both become unreachable.
A central DHCP (Dynamic Host Configuration Protocol) server keeps track of the addresses and hands out an IP address on request (ethernet broadcast). Our client computer then does not need to know what network it is in, and it is sure to receive an address that the other computers in the same net consider reachable.
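The ARP exchange above, as an added example that is not part of the presentation: it builds and parses Ethernet/ARP frames for the who-is/I-am dialogue and keeps an IP-to-MAC table that reports when a second MAC answers for an IP already seen, which is the symptom of the duplicate static address problem. All frames, addresses and the ArpWatch class are constructed for this illustration.

```python
import struct
from ipaddress import IPv4Address

ETH_ARP = 0x0806                      # EtherType of ARP
BROADCAST = "ff:ff:ff:ff:ff:ff"       # every interface on the segment listens to this


def mac_bytes(text):
    return bytes(int(part, 16) for part in text.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet+ARP frame; op 1 = who-is (request), op 2 = I-am (reply)."""
    dst = BROADCAST if op == 1 else target_mac          # requests are broadcast, replies unicast
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                      mac_bytes(target_mac), IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not a complete ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": str(IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(IPv4Address(tpa))}


class ArpWatch:
    """Hypothetical monitor: records which MAC speaks for each IP and flags a second claimant."""

    def __init__(self):
        self.bindings = {}

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        previous = self.bindings.setdefault(ip, mac)
        if previous != mac:
            return f"conflict: {ip} claimed by {mac}, previously {previous}"
        return None
```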
How NAT works

(Diagram: standard IP communication vs. masqueraded hosts)
Why NAT acts as a firewall

The client-type firewall keeps external computers from initiating connections. A NAT layer serves the same purpose, because NAT translation entries in the router are only generated on the initiative of the masqueraded computers, never on the initiative of external computers. The NAT layer hides the IP addresses behind the router: no external computer can initiate an exchange with a protected computer, as there is no port translation entry in the NAT table at that time.

Making holes into a NAT firewall is more complicated. It can be done by:
Static permanent port forwarding: always forward a certain port to a certain fixed host. This is generally called a DMZ (DeMilitarized Zone) host. Used for many P2P programs. Disadvantage: if the DMZ host can be cracked via that port (i.e. through the listening program), the attacker has an operations base in the (now in)secure zone.
Dynamic temporary port forwarding: port triggering (FTP = File Transfer Protocol, many games, etc.) or UPnP (Universal Plug-and-Play, used for many other games).
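A toy model of the client firewall and NAT behaviour described on the two slides above, added here and not taken from the presentation: translation entries appear only when a masqueraded host sends first, an inbound packet is delivered only if it is the answer from that correspondent or hits a static port-forwarding hole, and everything else is dropped. The NatRouter class and all addresses and ports are constructed for the illustration.

```python
class NatRouter:
    """Constructed NAT layer: one public address in front of private hosts."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.public_ports = {}   # (priv_ip, priv_port, proto) -> public port in use
        self.entries = {}        # (public_port, proto, remote_ip, remote_port) -> (priv_ip, priv_port)
        self.holes = {}          # (public_port, proto) -> (priv_ip, priv_port), static forwards

    def forward_port(self, public_port, proto, private_ip, private_port):
        """Static permanent hole (the DMZ host case): always hand this port to one fixed host."""
        self.holes[(public_port, proto)] = (private_ip, private_port)

    def outbound(self, src_ip, src_port, proto, dst_ip, dst_port):
        """A masqueraded host takes the initiative: create (or reuse) a translation entry.
        Returns the packet header as it leaves, with the router's public address as source."""
        key = (src_ip, src_port, proto)
        if key not in self.public_ports:
            self.public_ports[key] = self.next_port
            self.next_port += 1
        public_port = self.public_ports[key]
        # remember whom we spoke to, so only that correspondent's answers are let back in
        self.entries[(public_port, proto, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, public_port, proto, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, proto, dst_port):
        """A packet from the Internet: delivered only if an entry or a hole maps it inward.
        Returns (private_ip, private_port, proto, src_ip, src_port), or None when dropped."""
        target = self.entries.get((dst_port, proto, src_ip, src_port))
        if target is None:
            target = self.holes.get((dst_port, proto))
        if target is None:
            return None          # nobody inside asked for this: dropped, like a client firewall
        return target + (proto, src_ip, src_port)
```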
Internet attached NAT'ted network with wireless router

The wireless area adds complexity: an additional discrimination and protection layer is needed.

(Diagram: public area with probable threats / Internet / private area: computers to be protected / wireless area: mix of threats and computers to be protected; direct station-to-station traffic is only possible in AdHoc mode and forbidden in Infrastructure mode)
WI-FI: the problem zone

Without wi-fi, it is easy: the private computers can be trusted and must be protected from the external, internet computers. The private computers are physically secure: we checked them and connected them to the trusted zone.

With wi-fi, we cannot trust all computers within reach of our access point. On the one hand, we want to consider our own wireless computer secure, grant it full access to the safe zone and protect it from the internet; on the other hand, we want to deny a hostile computer within reach of our access point the same privileges. We cannot use the traditional firewall on the wi-fi interface of the access point, as the possible intruders are in the same zone as our client station.

Another problem is data confidentiality: all packets are transmitted over radio waves, and any station can eavesdrop on them.

So we must find a way to allow only our computer to talk to the access point, to keep the access point from relaying packets from unauthorized stations, and to make the data transmitted between the access point and our computer unusable for eavesdroppers.
Simple access control means

Infrastructure mode: to prevent uncontrolled direct communication (i.e. not going through the access point) between our wireless station and a rogue station within its radio reach, restrict our station to Infrastructure mode and disable AdHoc mode.

Physical location: place the access point in the center of the area to be covered; physical distance will make communication harder for rogue stations. However, do not feel completely protected because of this: any metal object larger than 12.5cm will reflect the radio waves, so their reach is not always limited by obvious line-of-sight obstacles! If a consumer parabolic dish can receive similar frequencies from a radio/TV satellite 36000km away, it is obvious that with a free line of sight such a dish can be used to listen in on wi-fi from many kilometers away!

ESSID protection: prevent the access point from broadcasting its ESSID, and manually set the ESSID to the same value on your station. The ESSID is a token meant to identify all participants in a wireless net. If the access point does not broadcast the ESSID, the station must know it to be accepted by the access point. However, do not feel completely protected because of this: an eavesdropper can intercept the value of the ESSID your station sends to the access point, and use it himself later!
More simple access controls

Obfuscate the IP addresses of your internal network, so as to prevent an intruder from knowing what IP address to use to be accepted: disable the DHCP server on the wireless interface and give a fixed IP address to your wireless station. Do not use as internal network the standard preset of your access point (typically 192.168.0.x or 192.168.1.x), but another subnet in the acceptable range. However, do not feel completely protected because of this: an eavesdropper will find out what IP address your station used, and can use the same one once your station stops transmitting!

Activate the MAC address filter on the wireless interface and restrict access to the MAC addresses of your own computer(s). However, do not feel completely protected because of this: by eavesdropping on the ARP broadcasts, an intruder can find out the authorized MAC address(es). As many wireless cards allow their MAC address to be reconfigured, an intruder with such a card will reconfigure it to present an authorized MAC address obtained in the step above!
Why use these methods?

If none of the previous methods is completely secure, why should they be used? Every single one of the previous measures makes it more difficult and tedious to penetrate the wireless network. Even if you cannot be completely secure, the odds that a casual attacker will be dissuaded from this target and driven to an easier prey are quite good. A determined attacker will not be deterred by these means, so they are no good for protecting important data (bank account details, etc.) from access or damage.

What can be done to keep data secure in a wireless network? Do not trust any computer on your wireless network: fit out every computer in the supposedly secure zone with an individual firewall, just as if it were connected to the internet. This will keep your data safe, but will not keep an intruder from using your internet access. The chances that an intruder who only wants to use your internet access will be driven away by the previous measures are however quite high.
What about WEP encryption?

In principle, if we can encrypt the communication between the access point and our station, the intruder has lost: none of the previous attacks will succeed, and we are safe. However, we need an unbreakable encryption scheme, because a broken encryption scheme provides no more protection than the hassle of using a penetration program, normally readily available on the internet. A strong encryption scheme needs more processing power to implement in the access point, so the hardware of the access point becomes more expensive.

Unfortunately the original scheme deployed in wireless devices is a weak one, called WEP (Wired Equivalent Privacy). In the beginning the methods used to break the scheme needed listening in on a station for several days, so one could at least be safe by changing the keys every day. Nowadays it takes programs such as AIRSNORT less than an hour to crack WEP even with a 128 bit key, so changing the keys every day is no real protection anymore. This puts WEP in the same efficiency category as the other simple dissuasion methods.
Are there no better encryption methods?

Yes, in particular WPA (Wi-Fi Protected Access). WPA however needs more processing power than WEP, so not every old access point is upgradeable and not every new one has it implemented. Not only must the access point support WPA, but the driver of the wireless station card must also be able to use it. If you have not yet bought your wireless equipment, make sure it fully supports WPA.

WPA comes in two flavours:
WPA-PSK (Pre-Shared Key), which depends on a secret key being shared securely between the access point and the station. If the key is chosen too simple, the encryption can be broken via a dictionary attack (programs are already available on the internet). It is of utmost importance to choose a non-obvious and long enough key (20 characters or more) for WPA-PSK to be secure.
WPA with a RADIUS server. This entails an infrastructure too complex for this presentation.

WPA has a small theoretical weakness that nobody has exploited yet. Because of this weakness an improved standard, WPA2, is currently being readied.

For completeness' sake, we mention a technique called 'end-to-end encryption via VPN' that can be used, along with an appropriate network structure, to integrate a wireless station securely into the safe net. This technique does not however prevent abuse of the internet connection.
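Why the length of the WPA-PSK key matters, as an added example that is not part of the presentation: WPA-PSK turns the passphrase and the ESSID into the 256-bit master key with PBKDF2-HMAC-SHA1 over 4096 rounds (the IEEE 802.11i derivation), so every dictionary guess costs that much work and the same passphrase gives a different key on every network name. The passphrase_problems check and the small COMMON_WORDS list are constructed for this example and only apply the slide's own rule (non-obvious, 20 characters or more).

```python
import hashlib


def derive_pmk(passphrase: str, essid: str) -> bytes:
    """Pairwise Master Key of WPA-PSK: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes (IEEE 802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


# Constructed stand-in for a cracker's word list; a real one is far larger.
COMMON_WORDS = {"password", "secret", "wireless", "internet", "admin"}


def passphrase_problems(passphrase: str, min_length: int = 20) -> list:
    """Apply the slide's rule for a WPA-PSK key: long enough and not an obvious word.
    Returns an empty list when the passphrase passes."""
    problems = []
    if len(passphrase) < min_length:
        problems.append(f"shorter than {min_length} characters")
    lowered = passphrase.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("built from a dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "correct-horse-batterY-staple-42"):
        verdict = passphrase_problems(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
    # the ESSID acts as salt: same passphrase, different network name, different key
    print(derive_pmk("password", "IEEE").hex())
    print(derive_pmk("password", "ieee").hex())
```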
Conclusions

Complete security can only be achieved through the use of WPA, with a strong password in the case of WPA-PSK.
Data security can be achieved by considering the private network insecure and putting an individual firewall on every computer.
Simple measures will probably dissuade a casual attacker from stealing bandwidth, while the data is secure behind the individual firewalls.
WEP can only be counted as a dissuasion measure against a casual attacker, not as secure protection.

And the META-CONCLUSIONS:
Every security feature is a trade-off between the amount of threat it averts and the hassle it is to implement!
Where security is the concern, paranoia is not a disease but a survival trait!