... threats
- eavesdropping
  – recording radio traffic
  – recording IP traffic / traffic on the MAC level (e.g. tcpdump)
- denial of service
  – IP DoS attacks
  – radio DoS attacks
  – interference from other devices on the unlicensed 2.4 GHz band (e.g. Bluetooth, microwave ovens, other links)
- integrity / replay
  – MAC address forging, IP hijacking
  – replayed registration attacks against the WLAN access point
  – IP replay / integrity / man-in-the-middle attacks (e.g. forging email, capturing keys)
... solutions
- WEP (Wired Equivalent Privacy) encryption
  – unique and common shared secrets
  – changing the shared secret often; key exchange secured by a vendor-specific solution
- IPSEC / VPN: encrypting traffic on the IP level, authenticating the user to the network and the network to the user
- MAC address access filtering in the WLAN access point (AP)
- Vendor-specific solutions like Lucent's "closed network" setting
- Legislation concerning deliberate interference with telecommunications
... problems
- There are several known weaknesses in the structure of WEP encryption
- A WEP shared secret is useless once it is common knowledge
- WEP key exchange is not yet a defined standard; different vendors have implemented their own solutions, which usually are not interoperable
- MAC addresses can be faked very easily => additional authentication is required
- Radio DoS attacks may only be prevented by legislation; radio interference from other devices cannot be prevented, only avoided
- The only methods to authenticate the radio network to the user on the non-IP level are the network id (ESSID) and the possible shared secret
- Replay attacks may be prevented to some extent with WEP, but the network is as vulnerable as every other IP network
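As an added example, not part of the original slides, of the structural weakness behind the first bullet (and the core of the cited Borisov/Goldberg/Wagner paper): WEP keys RC4 with a 24-bit IV prepended to the shared secret, so any two frames sent under the same IV share a keystream, their ciphertexts XOR to the XOR of the plaintexts, and the small IV space guarantees such repeats quickly. This is why the slides treat WEP as insufficient on its own and put IPSEC/VPN above it. The secret, IV and frame payloads below are constructed, and the CRC-32 ICV is left out.

```python
import math

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling (KSA) followed by keystream XOR (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(secret: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body: 3-byte IV in the clear, then RC4(IV || secret)(payload).
    The CRC-32 ICV is omitted; it does not change the point."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    return iv + rc4(iv + secret, payload)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_reuse_leak(frame_a: bytes, frame_b: bytes):
    """Two frames under the same IV share a keystream, so their ciphertexts
    XOR to P_a XOR P_b with no key needed. Returns None if the IVs differ."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor_bytes(frame_a[3:], frame_b[3:])

def iv_repeat_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: chance that some IV repeats among `frames` random IVs."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))

# Constructed demo values: not real keys, not captured traffic
SECRET = b"\x01\x02\x03\x04\x05"                  # 40-bit WEP shared secret
IV = b"\x00\x00\x07"
P_KNOWN = b"GET / HTTP/1.0\r\n"                   # predictable request line
P_SECRET = b"pw=constructed12"                    # same length as P_KNOWN
FRAME_KNOWN = wep_encrypt(SECRET, IV, P_KNOWN)
FRAME_SECRET = wep_encrypt(SECRET, IV, P_SECRET)  # same IV reused: the flaw
def recover_other_plaintext() -> bytes:
    """With P_KNOWN guessed, the same-IV frames give P_SECRET without the key."""
    return xor_bytes(keystream_reuse_leak(FRAME_KNOWN, FRAME_SECRET), P_KNOWN)
```

With random IVs, iv_repeat_probability(4096) is already about 0.39, so a busy access point repeats keystreams within seconds regardless of how strong the shared secret is.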
... network structure (diagram)
Elements: operator x core network, Internet, application servers and databases, security gw / firewall, authentication server (e.g. Radius), regional access zones, Point of Presence (PoP), router / wireless router. IPSEC/VPN secured tunnel through the regional access zone to the operator network.
... threats
- Denial of service due to radio interference or a malicious user
- Unauthorized or unaccounted access to the network and the Internet
- Eavesdropping on and recording other users' traffic
- Faked servers and networks, intercepting other users' traffic
- Network performance loss due to extensive traffic using private network addresses and bypassing the security gateway
... solutions
- Network management that can determine overloaded access points and, based on e.g. the GPS coordinates of the access points, also pinpoint the area where the disturbance is
- Some radio interference can be avoided by careful radio network planning and by using licensed frequencies
- VPN/IPSEC client and security gateway
- IPSEC-protected traffic between routers
- Filters, firewall / class-of-service rules and traffic shaping in (wireless) routers
- Selection of a secure management / dynamic routing protocol
- Filtering out potentially dangerous routing/management protocols in routers
... problems
- Most vendor products on the market today do not have the features needed to handle the threats or implement the solutions => need for customized/homemade network elements
- VPN/IPSEC implementations and their interoperability (key exchange and authentication)
- Faked servers and services can still cause trouble within one cell => need for network elements that can handle this kind of problem too, and also a need for user education
- Double tunneling if two VPNs are used: one to secure access over the radio path and another to connect to, for example, the company intranet
- What if some devices / users do not or cannot have an interoperable VPN client installed?
- How to create and combine public access with this scenario?
... network structure (diagram)
Elements: operator x core network, Internet, public access service provider's network, public access zones, company intranets, security gw / firewall, public access controller / firewall, User Database, WEP "personal key" server. IPSEC secured access to the company intranet with a company-certified client; non-encrypted web surfing access to the Internet.
... threats
- Denial of service due to radio interference or a malicious user
- Unauthorized and unaccounted access to the network and the Internet
- Eavesdropping on and recording other users' traffic
- Faked servers and networks, intercepting/diverting other users' traffic
- Lack of traceability if many-to-one NAT is used
- Possible access to the IP level without authentication => better possibilities to eavesdrop on traffic
... solutions
- Denial of service attack sources are easier to find, as the average public access zone may be only one cell; network management also helps
- Public Access Controller (PAC) and related vendor solutions
  – use WWW (https) secured authentication and MAC address based access filtering
  – use a VPN client for corporate access after the PAC has opened the hole to the Internet
  – limit access to the Internet to only a few ports (WWW, IMAP, etc.) => attacking hosts in the Internet does not seem feasible
  – use real IP addresses if possible
... problems
- WEP
  – cannot be used: shared keys cannot be used
  – how to do the WEP key exchange with multiple vendors' products?
- Authentication
  – WWW authentication may be the only feasible method
  – a MAC address by itself is not reliable, nor does every card have a smart card reader embedded => more authentication is needed
- Accounting
  – how to bill random users (paying with a credit card for access)?
  – combined GSM/WLAN billing is a pretty good idea; how to do it with every vendor's card?
- VPN
  – trouble with NAT interoperability
  – key distribution is hard
  – not every terminal has a client
  – users cannot be "forced" to use just one single vendor solution
... network structure (diagram)
Elements: operator x core network, Internet, security gw / firewall, corporate access zones, corporate visitor access zones, access servers net (e.g. DHCP, possible WEP "personal key" server), company intranet. IPSEC/VPN secured access to the company intranet; non-encrypted access to the Internet with the possibility to use one's own VPN client.
... threats
- Unauthorized and unaccounted access to the intranet
- Eavesdropping on and recording intranet / users' traffic
- Faked servers and networks, intercepting/diverting/modifying other users' traffic
- A denial of service attack is, in the author's opinion, not very likely. However, denial of service against network elements may cause losses depending on the company
... solutions
- IPSEC/VPN client
- Also WEP encryption (helps in authenticating the network to the user and the user to the network)
- Firewalls
- Company policies / standards (client, software/hardware configuration, security)
- Personnel security training
- Careful selection of software/hardware solutions to minimize interoperability problems
- Redundancy for high availability and load balancing
... problems
- The different requirements of different users and business units (R&D requires more flexibility but also more security; production may need nothing more than a standard solution, etc.)
- People and their attitudes towards security, company policies and standards. These must not feel like paper pushing for the sake of paper pushing.
- Questions like: can the service provider be trusted to terminate a company user's IPSEC tunnel and then create another one? How can the user terminal be protected outside the company network so that it won't serve as a host for trojan horses or reveal sensitive data about the network to non-employees?
- Creating the security policy and rules
More Information
- (In)Security of the WEP algorithm by Nikita Borisov, Ian Goldberg and David Wagner (http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html)
- Wireless LANs course at Tampere University of Technology (http://www.cs.tut.fi/kurssit/83800/) and the seminar presentation there
- About access zones and WLAN, check Nokia's Operator WLAN concept as well as Cisco's and Lucent's WLAN pages and solutions, and of course the author's seminar report
- About Wireless Network Services Oy (http://www.wnsonline.net/)
Possible exam questions
- Present one weakness of the WEP algorithm used in WLAN networks and an attack that works against it, along with the principles of both. Why is the weakness a weakness and how does the attack take advantage of it?
- In what ways can you counter the threat of eavesdropping on the radio path in WLAN networks?
- You have been tasked with designing a WLAN access zone giving company employees access to the company's internal network. What is the structure of the network you design and which solutions do you use to ensure security? Include the threats countered and the justifications for the solutions.
- Securing public access zones with IPSEC and other VPN techniques involves several problems. Present a few of them.
- Your task is to design a public WLAN access zone for use by an Internet service provider. Draw the network structure of the access zone with its devices and analyse which security threats you have been able to avoid, which not, and why.