Wireless Networking Introduction Nov 13 2002 - 17:44 EST @ Articles -> Networking ::: Wireless sauroni writes: Wireless networking is one of the ways of connecting a computer to a network, but without cables. The machines connected to a Wireless Network transmit to each other using radio signals. This flexibility makes many things easy, such as mobility inside the room where you are using the machine and of course the lack of cable problems. Unfortunately all these benefits come at a price, security. This paper covers the potential flaws, methods, means and ways security is breached as well as how to protect your network from intruders. Security and Wireless Networking Introduction Wireless networks have spread fast and everywhere. Just walking around the city one is being exposed to millions of bytes of data worth of radio waves. Even here at this university until recently we were using wireless networking to connect the buildings. The advantages of wireless networking (WLANs) very often seem to be valued higher than the security risk it poses. Many people will sacrifice their data integrity for mobility. There are point-to-point and client/server wireless networks. The later usually have an Access Point, a controller that receives and re-transmits the data from the machine. There are four types of wireless networks: Bluetooth, IrDA, HomeRF (SWAP) and WECA (Wi-Fi). Bluetooth is used but not that widely. It is not yet available for transmitting high rates of data between computers. IrDA (Infrared Data Association) is the standard being used by devices that work using infrared waves. In order for these devices to operate there must be no physical obstacles between them. HomeRF and WECA are both based on the IEEE 802.11 specification, or wireless Ethernet. Facts and Risks With WLANs we open doors to unauthorized users. We give access to people from the outside. Identifying these people is harder than in wired networks. WLANs pose the following risks: · Exposure of confidential information (passwords, secret data). This information, unlike in wire networks where it is enclosed in wires, flows through the air. This makes it easy for it to be sniffed[1]. Once passwords are sniffed the network can be compromised further. · Loss of data reliability and integrity occurs. The data that is considered important to your work can be accessed, modified, stolen, damaged, deleted and maybe even used against you. WLANs offer many more options to people to access this kind of data. · Difficulties arise with dealing with the network, resources, detecting network problems, detecting intrusion. In wire networks we can detect if someone is sniffing our packets, in WLANs it’s harder. The Way of Hacking Most people as we said over-look the security issue of WLANs. Most think that the network is contained within the walls of their premises. Same as when dealing with wire security issues, WLANs can easily be compromised by both insider and outsider attackers[2] like an employee or a power-user[3]. If WLAN is enclosed within walls a simple RF (Radio Frequency) link to the outside can be installed so that everyone out there can access your network. Devices like this cost no more than $150. In order for users to access WLANs, they need to setup Wireless Network Interface Cards (WNIC) that are usually PCMCIA cards and an Access Point, or the gateway to the network. An Access Point consists of a WNIC and an Ethernet port, these two are tied together; the linkage between the two can be also done with software. The function of the link is to pass traffic from the WNIC to the Ethernet card. People believe that the signals from a WNIC don’t leave the building. But signals are still strong enough to pass through and travel in the air, with windows and doorways being the hotspots because they offer little obstacles. This could bring disaster to the company or university if an employee or student decided to connect from the outside and cause damage to the network. Many attackers can use camouflage techniques to hide Access Points they themselves have installed (since Access Points are very light and generally no bigger than an average book). This would be hiding them among books, roof tiles (to increase transmitting range) or hide it anywhere. Access points of such type are good only for transmitting within 1000 ft (304.8 Meters), for greater distances RF antennas must be used. This makes them more difficult to conceal but an experienced attacker will build their own antennae, one that will blend-in with the environment, like a picture frame or hocked on a piece of furniture. Attackers prefer to place antennas in places where there is a lot of traffic, such as a switch, so that access to more information is possible. An attacker from inside can also setup a wireless relay that would retransmit traffic to an outside destination. Some of these relays can go as far as 20 miles (32 Km). Another generally and often overlooked security threat would be cell phones. They are harder to detect since they are so common thus a laptop connected to one would serve as an Access Point for anyone outside the premises of the WLAN. But one of the most spread vulnerabilities of WLANs comes from administrators themselves. They often use DHCP[4] to assign IP addresses and this makes it possible for anyone to simply sit outside the building and get connected. Stopping Attackers As an administrator of a WLAN the first thing one must do is try to reduce as much as possible the amount of RF signals escaping the building. Hopefully if there were no signal an attacker would try and hit the gateways that are monitored better than the rest of the network. The location of the antennas and Access Points must be chosen carefully. Another step would be to modify the building to stop “bleeding” or leaks of RF signals. There are a number of proposed steps in this: · Grounding interior walls when using metallic covering · Installing thermally insulating glass (which attenuates RF and IR signals) · Usage of metallic Venetians instead of plastic · Place WLAN devices such as Network Closets[5] and sensitive areas away from exterior walls · Lining Network Closets with aluminum foil · Use of metallic doped paint for walls · Limiting the power of a signal by changing the attenuation of the transmitter Besides shielding us from attackers the other benefit of this shielding is that inside resources are protected from outside interference, either intentional or unintentional. Detecting Intrusions RF Perimeter Detection System offers protection from wireless attackers located outside the building or a certain perimeter. This can also be used to separate the network into a private and public domain, thus increasing the security of the network. All users coming from the public domain (or part) of the network would be treated as any other user from the Internet. Signal Leakage Detection System is consisted of receivers placed along the perimeter of the building. These receivers are directed toward the building and are used to detect any abnormal signaling coming from the building. This can help to monitor what comes out and goes into the WLAN. Passive Monitoring Stations are similar to Leakage Detection Systems but are usually within the building. These monitor any unknown Ethernet signals and for big networks there might be a need for a few of them to cover the whole network. These can be used to detect the following: unregistered MAC addresses cloned MAC addresses[6] or an increase in re-authentication frames. Often “sweeps” of the network are required to discover sources of unauthorized signals and devices. Many consumer solutions exist for this but these generally look for known types of device. If one wants to do a through sweep then we must look not only for RF signals but also for IR signals using night vision or thermal imaging devices. Ensuring Security from the Network Itself An attacker can sniff out the network traffic. Thus data between computers on a WLAN must be encrypted and protected. Establishing an encrypted tunnel between the machines can do this. One of the encryption standards used today is IPSecurity (IPSec); it has proven to be stabile and hard to break. Other options exist such as SSH or an encrypted protocol such as SSL (Secure Socket Layer). Authentication is another important aspect. The infrastructure of 802.1x networks offers the use of the Extensible Authentication Protocol (EAP) to authenticate wireless stations on the network. There is also the option of using an authentication server to do this job. Unfortunately some of the IEEE specifications have vulnerabilities. If we talk about the integrity of information the 802.11 specification uses a shared public key to encrypt the connection. The problem is that this key is used by everybody else on the network and the mechanism of encryption it uses is nothing more than a CRC (Circular Redundancy Check) mechanism which is actually an error checking method. The authentication method of this specification (802.11) is also vulnerable due to a flawed publicly shared key. How Do Attackers Do It? This is a post on USENET news groups regarding wireless network hacking when asked how is it done: “it's very simple, i drive around the town, with my card set to roam, and look for a dhcp network, with a short script i wrote, and it alearts me when it finds one. VERY simple, i originally got the card cause my school runs a wireless network, and it's nice to sit around campus, but it's also nice sitting at the park or starbucks and be able to surf with my linux box :-)” So to hack, hackers use some sort of a scanner. This scanner can be a simple Laptop with a Wireless Network Interface Card (WNIC). This kind of a laptop can be set to continually ask for an IP from the network and thus when it happens to be in the range of one (assuming that the network is using DHCP) it will receive an IP and as a result will be able to access the internet, sniff traffic on the network or even maybe (if the network is very insecure) use resources and data. A laptop can also be equipped with GPS[7] so that the hacker can mark the position where the signal is the strongest. Another option is to use directional antennae[8]. These antennas are used to receive network traffic from distances or receive traffic that is directed in one way. These antennas make it possible to hackers to do their job from the distance. If strong enough these can be used to access networks at very large distances. If the network we want to connect to doesn’t have DHCP then we can try and grab some of their packets and try and figure out what their IP range is. This would enable us to find a free IP and connect using it. One tool for discovering wireless networks is Kismet (for Linux). All you need with this is a WNIC. This tool will check the area in the vicinity for any wireless LANs. Why Is It Important One may ask why is it important for me to secure my WLAN if I don’t have any sensitive information on it? The answer is simple: You can get arrested. There are those people who will launch a virus, an attack on a server, credit card fraud or DDoS[9]. This happens today in normal LANs, computers are “hijacked” by attackers to do illegal things. WLANs offer a new perspective to this. They make it easier and more anonymous. The probability of capturing the people responsible for illegal things if they used WLANs is very small, especially if they are operating from distance. Consulted Sources BMX Num 24. (2001). Hacking into 802.11 wireless networks. Usenet: alt.hacking, October 15, 2002. Message-ID: 20010908010906.03970.00000032@mb-de.aol.com. De Savant. (2002). How ya tap into wireless internet connection with a laptop???. Usenet: alt.hacker, October 15, 2002. Message-ID: 3D3C06B9.6FE2C1B0@Malthacker.org. Johny Durango. (2002). How ya tap into wireless internet connection with a laptop??? Usenet: alt.hacker, October 15, 2002. Message-ID: 0sZ_8.628346$cQ3.101345@sccrnsc01. Hassick, B. Simple Wireless Exposures in Traditional Networks. (@Stake, Secure Business Quarterly) Retrieved October 15, 2002, from http://www.sbq.com/sbq/wireless/sbq_wireless_exposures.pdf Pollino D, and Miller, M. The Deployment of a Wireless Network in a Hostile Environment. (@Stake, Secure Business Quarterly) Retrieved October 15, 2002, from http://www.sbq.com/sbq/wireless/ sbq_wireless_hostile_environment.pdf -------------------------------------------------------------------------------- [1] Sniffing – the process of retrieving the data packets from a network and thus acquiring the data, be it passwords, chat sessions, file transfers or system requests. Simply, sniffing permits people to capture packets from your network [2] An Attacker – a person who is intentionally trying to break into your system. To not be confused with Hacker, or people who break into systems for sheer pleasure of learning. Attackers (or crackers, lamers, script kiddies) are not worthy of being called Hackers [3] Power User – a name for users who have more rights on the computer than usual/average/normal users. Power Users can install software and make limited system changes [4] DHCP – Assigns IP addresses to new computers on the network automatically [5] Network Closets – a big box that contains hubs, switches, routers and has tons of cables coming out of it, a very important piece of network equipment [6] Cloned or Spoofed is along the same lines, it is faking an address, either a MAC or IP address [7] GPS – Global Positioning System, used to give accurate location on the globe [8] An antennae that looks like a cylinder and receives/sends signals in one direction [9] DdoS – Denial of service attack, an attack launched against a server with the intention of bringing its services down read comments (1) / write comment views: 387   printer-friendly version