Securing WLAN Technologies
Secure Configuration Advice on Wireless Network Setup
The Growth of Wireless LAN
In recent years there have been a number of substantial developments in the acceptance and functionality of wireless networks. Contemporary organisations are finding their workforce increasingly mobile: staff are often equipped with notebook computers and spend more of their productive time working away from the standard office desk or personal computer. Wireless networks support mobile workers by providing the required freedom in their network access, so that workers can reach networked resources from any point within range of a wireless access point. For IT managers, the combination of falling wireless hardware costs and the ease of implementation into diverse office environments means that wireless deployment is actively promoted, for it provides wired-network throughput together with mobile access and configuration flexibility.
A wireless LAN (WLAN) provides location-independent network access over radio waves rather than traditional cable infrastructures (e.g. 10BaseT, Token Ring, etc.). For most organisations, the WLAN is implemented as the final link between the wired network and the mobile (or inaccessible) wireless devices, thus providing access to all resources and services normally accessible through the wired network.
Previously, WLANs were largely implemented in environments (such as warehouses, manufacturing facilities and retail environments) where flexibility of network access took precedence over the cost of vendor-specific wireless implementations. Already, due to the falling price of components and the development of the IEEE 802.11 standards, there has been a large increase in the application of WLAN technology to the corporate enterprise and home environments. Future development areas are likely to include healthcare equipment and street-wide home Internet access (along the lines of cable and DSL).
Security often plays second-fiddle to ease-of-use and if security is not transparent to the application and easy to use, it will not be used. However, given the wireless medium, certain security considerations must be applied to protect both the transmitted data and connected hosts. This page aims to explain the current suite of security issues for the most popular WLAN standards and provide advice on the secure configuration of a wireless network.
Inherent Weaknesses in Wireless Networks
Wireless networks typically utilise radio frequency (RF) signals that are capable of passing through barriers such as cubicle partitions, glass and standard walls. Cement walls and metal tend to act as solid barriers; however, due to the reflective nature of the RF signal, it can be received (bounced) around corners when a barrier cannot be penetrated. The signal range, and corresponding power, is thus dependent on intermediary barriers and signal reflections. An interesting exercise is to measure signal strength throughout a building and locate “sweet spots” (where signal strength is greater than expected given the range from the wireless node). Conducting such an exercise outside the building can also be highly enlightening.
It is important to understand that many of the security risks and issues associated with WLANs also apply to the wired LAN. The real difference between a wired LAN and a wireless LAN is at the physical layer. All other network services and vulnerabilities remain; these include:
Often, organisations do not realise that wired LANs also have an unintended wireless component. Almost all types of LAN cabling radiate energy, particularly unshielded twisted pair, and this radiation can be significant and detectable. Thus, with sufficient motivation, the right radio equipment and an appropriate antenna, it is possible to intercept wired Ethernet data packets from a point external to most buildings.
However, the fact remains that WLANs are designed to broadcast network traffic, and devices are readily available to receive and decode this traffic. As such, the current wireless standards were designed to include various methods of encryption and authentication from conception. Unfortunately, many of these security features have suffered from design or implementation flaws. It is important to note that the greater the level of security, the more complex the implementation can be. If network and security managers wish to implement a strong security policy, they will need to possess a reasonable knowledge of the security mechanisms inherent to the technology.
Current Wireless Standards
There are of course numerous standards in the world of wireless networking, and it often appears that every vendor has its own. The WLAN market comprises many competing technologies, each with different operational characteristics. The most common WLAN standards include:
Of these WLAN standards, the most prevalent (and those commonly available at most High Street retailers) adhere to one of the following three standards:
Although each standard offers different technological advantages or disadvantages, all three mentioned above operate in the 2.4 GHz Industrial, Scientific & Medical (ISM) band. This band offers 83 MHz of spectrum for all wireless traffic and is currently shared with cordless phones, building-to-building transmissions, and microwave ovens.
An emerging fourth wireless standard, IEEE 802.11a, operates in the higher 5 GHz U-NII band and offers 300 MHz of spectrum. It is not currently certified in Europe, although negotiations between the IEEE and the European Telecommunications Standards Institute (ETSI) are currently underway.
Table 1: Wireless Standards by Frequency Band
It is important to note that both Wi-Fi (802.11b) and 802.11a are service sub-definitions of the overall IEEE 802.11 standard. IEEE 802.11 defines a standard for wireless communications and is not limited to RF communications, but also supports methods such as diffused infrared (IR). IR wireless LANs are inherently more secure and are immune to the electromagnetic radiation that can interfere with RF and cable-based systems. IR-based WLANs are often used in high-security applications because the signals are line-of-sight only and will not penetrate solid objects such as walls.
The key difference between the Bluetooth and Wi-Fi standards is the expected operational range. Bluetooth’s native 1 Mbps data rate is designed to connect devices that are in close proximity, such as notebook computers to printers and PDAs to mobile phones. This short-range network is often referred to as a Personal Area Network (PAN). Wi-Fi is designed to offer full LAN connectivity and support the full suite of networking protocols (i.e. TCP/IP).
Bluetooth was never designed for truly sensitive data transmission. It is not a true competitor of Wi-Fi; rather, Bluetooth was intended to form PANs, where security is desirable but not absolutely essential, as shown by Bluetooth’s goal of supporting cordless applications rather than general networking.
The Home RF and Wi-Fi technologies both provide very similar services to home users. In the highly competitive wireless market, only one of these standards is expected to survive in the long term. Given the wider support from the development community, the greater uptake in the business environment, higher transmission rates, and the greater choice of vendor-compatible products – the Wi-Fi standard is expected to win this battle.
Technology: Bluetooth
Developed by the Bluetooth Special Interest Group in May 1998, Bluetooth was designed to provide short-range, low-cost, low-power wireless communications. The key uses for this technology were seen to be data synchronisation between computers, hand-held devices, mobile phones and pagers. Bluetooth is ideally suited to devices that travel in and out of a home network, as opposed to remaining connected to a network for extended periods.
Version 1.0 of the Bluetooth specification was approved in the summer of 1999. The IEEE standards body is currently reviewing a faster successor to Bluetooth (IEEE 802.15.3), which will offer data transfer rates of 20 Mbps, while maintaining backward compatibility.
Key Features of Bluetooth:
Technology: Home RF
Developed by the Home RF Working Group, Home RF was designed as a lower-cost wireless network technology for use in the home.
Key Features of Home RF:
Technology: Wi-Fi
Wi-Fi is the friendlier name for devices adhering to the IEEE 802.11b High Rate wireless technology standard. It is hoped that IEEE 802.11b will become known as “Wi-Fi” just as IEEE 802.3 is currently known as “Ethernet”. Due to the current prevalence of the Wi-Fi standard and the large installed base of WLAN devices, this standard is discussed in greater detail in a following section.
Key Features of Wi-Fi:
The IEEE 802.11 Standard and Evolution of 802.11b
Proposed and ratified by the IEEE as 802.11 in 1997, the standard defines the specifications and services for wireless network communications such as:
It allows for two different (and incompatible) methods of encoding RF signals, FHSS and DSSS. FHSS (Frequency Hopping Spread Spectrum) spreads the communications across 75 sub-channels, each 1 MHz wide, continually hopping between them. DSSS (Direct Sequence Spread Spectrum) divides the band into 14 overlapping 22 MHz channels, which are utilised one at a time.
FHSS frequency-hopping cards were the first to arrive in the marketplace, as they were cheaper to produce and easier to implement than DSSS. However, as the technology matured and faster processors became available, it became cheaper to implement DSSS. DSSS was the preferred encoding scheme due to US government constraints on broadcasting in the ISM band.
In September 1999, the IEEE 802 committee extended the specification (802.11b), standardising on DSSS and utilising better encoding techniques. This in turn extended the data throughput from 1-2 Mbps to 5.5-11 Mbps, while retaining backwards compatibility with the older, slower DSSS standard.
Due to speed and security considerations, various alternatives and extensions to 802.11b are currently under review or have been ratified by the IEEE.
The 802.11 standard defines three basic topologies to be supported by the MAC layer implementation:
The 802.11 standard further defines the following two modes:
The Ad-hoc (sometimes referred to as IBSS topology) mode is analogous to a standard peer-to-peer office network in which no dedicated system is required to assume the role of a server. In WLAN terms, a number of wireless nodes or computers communicate directly with one another in a mesh or partial-mesh topology (i.e. free-for-all). Typical instances of such an ad-hoc implementation would not connect to a larger network and cover only a limited area. If a client in an ad-hoc network wishes to communicate outside of the peer-to-peer cell, a member MUST operate as a gateway and perform routing.
Bluetooth devices can also form an ad-hoc network. In these networks, one Bluetooth device will act as a master and the others as slaves. The master defines the frequency-hopping behaviour of the network, and it is possible to connect up to 10 of these networks together.
Utilising the Infrastructure mode of 802.11 devices requires the installation of at least one wireless Access Point (AP, also often referred to as a base station) connected to the wired network infrastructure, and a set of wireless nodes or computers. This most basic configuration is referred to as a BSS topology in the 802.11 standard. Communication between wireless nodes, wireless computers and the wired network is via the AP. Unlike Ad-hoc peer-to-peer communications, wireless computers conduct all communications through the AP.
Before being able to communicate data, wireless clients and APs must establish a relationship, or an association. Only after an association is established can the two wireless stations exchange data.
All APs transmit a beacon management frame at fixed intervals. To associate with an access point and join a BSS, a client listens for beacon messages to identify the access points within range. The client’s selection of which BSS to join is carried out in a vendor-independent manner. A client may also send a probe request management frame to find an access point associated with the desired SSID (service set identifier).
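As an added example (not code from the original paper), the following Python constructs a minimal beacon frame and parses from it the fields a WLAN monitor would extract: the BSSID, the SSID element, the DS parameter set (current channel), the supported rates and the capability bits, including the Privacy bit that an AP sets when it requires WEP. The frame layout follows the 802.11 management-frame format; the BSSID, SSID and the short list of placeholder default SSIDs are constructed for illustration.

```python
import struct

# 802.11 tagged-parameter element IDs used by beacons
IE_SSID = 0
IE_SUPPORTED_RATES = 1
IE_DS_PARAMETER_SET = 3      # carries the channel the AP is operating on

# Capability-information bits in the beacon's fixed parameters
CAP_ESS = 0x0001             # infrastructure (BSS/ESS) network
CAP_IBSS = 0x0002            # ad-hoc (IBSS) network
CAP_PRIVACY = 0x0010         # WEP required for data frames (802.11b era)

MAC_HEADER_LEN = 24          # frame control, duration, three addresses, sequence control
FIXED_PARAMS_LEN = 12        # timestamp (8), beacon interval (2), capability (2)

# Placeholder default SSIDs, constructed for illustration only
PLACEHOLDER_DEFAULT_SSIDS = {"default", "wireless"}


def build_beacon(bssid, ssid, channel, wep, rates_500kbps=(2, 4, 11, 22)):
    """Construct a minimal beacon frame (constructed test data, not a real capture)."""
    header = (b"\x80\x00"          # frame control: type=management, subtype=beacon
              + b"\x00\x00"        # duration
              + b"\xff" * 6        # addr1: broadcast destination
              + bssid              # addr2: transmitter
              + bssid              # addr3: BSSID
              + b"\x00\x00")       # sequence control
    capability = CAP_ESS | (CAP_PRIVACY if wep else 0)
    fixed = struct.pack("<QHH", 0, 100, capability)   # timestamp, interval in TUs, capability
    ies = (bytes([IE_SSID, len(ssid)]) + ssid
           + bytes([IE_SUPPORTED_RATES, len(rates_500kbps)]) + bytes(rates_500kbps)
           + bytes([IE_DS_PARAMETER_SET, 1, channel]))
    return header + fixed + ies


def parse_beacon(frame):
    """Extract the fields a WLAN monitor needs from a beacon frame."""
    if len(frame) < MAC_HEADER_LEN + FIXED_PARAMS_LEN:
        raise ValueError("frame too short to be a beacon")
    fc = frame[0]
    if (fc & 0x0C) != 0x00 or (fc >> 4) != 0x08:
        raise ValueError("not a beacon (management subtype 8) frame")
    bssid = frame[16:22]
    _timestamp, interval, capability = struct.unpack_from("<QHH", frame, MAC_HEADER_LEN)
    info = {
        "bssid": ":".join(f"{b:02x}" for b in bssid),
        "beacon_interval_tu": interval,
        "infrastructure": bool(capability & CAP_ESS),
        "ad_hoc": bool(capability & CAP_IBSS),
        "wep": bool(capability & CAP_PRIVACY),
        "ssid": None,
        "channel": None,
        "rates_mbps": [],
    }
    pos = MAC_HEADER_LEN + FIXED_PARAMS_LEN
    while pos + 2 <= len(frame):                       # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            raise ValueError("truncated information element")
        if tag == IE_SSID:
            info["ssid"] = value.decode("utf-8", "replace")      # empty string: SSID not broadcast
        elif tag == IE_SUPPORTED_RATES:
            info["rates_mbps"] = [(r & 0x7F) / 2 for r in value]  # units of 500 kbps; top bit = basic rate
        elif tag == IE_DS_PARAMETER_SET and length == 1:
            info["channel"] = value[0]
        pos += 2 + length
    return info


def review_beacon(info):
    """Apply the paper's configuration advice to a parsed beacon; returns a list of findings."""
    findings = []
    if not info["wep"]:
        findings.append("Privacy bit clear: data frames are sent in the clear")
    else:
        findings.append("WEP only: known to be flawed, rely on a VPN layer for confidentiality")
    if info["ssid"] in PLACEHOLDER_DEFAULT_SSIDS:
        findings.append("SSID matches a vendor default")
    if info["ad_hoc"]:
        findings.append("ad-hoc (IBSS) network: no access point mediating access")
    return findings


if __name__ == "__main__":
    frame = build_beacon(b"\x00\x11\x22\x33\x44\x55", b"corp-wlan", 6, wep=True)
    print(parse_beacon(frame))
    print(review_beacon(parse_beacon(frame)))
```

The parser rejects anything that is not a management frame of subtype 8 and refuses truncated information elements rather than guessing, which matters when frames are collected from a noisy medium.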
It is possible to combine multiple wireless access points into a single sub-network; this is referred to as an ESS topology. It is thus possible to expand the wireless network with multiple APs utilising the same channel, or to utilise different channels to boost aggregate throughput.
An Access Point acts as a bridge between the wired and wireless networks. The device consists of a radio, a wired network interface and bridging software. It thus acts as the base station for the wireless network, aggregating access for multiple wireless stations onto the wired network.
Although the Wi-Fi standard defines how a wireless computer communicates with an AP, it does not define how roaming should be conducted and supported within an ESS topology network, in particular when a roaming user crosses a router boundary between subnets. Roaming between APs is largely reliant on vendor-specific implementations and management. Organisations should carefully evaluate vendors’ support for roaming and the ease of operation.
In theory it is possible to implement DHCP across the network and force users to release and renew their IP address as they migrate from one subnet to another. However, this is not seen as a practical solution for non-technical staff or where continuous communications are required while roaming.
For environments where DHCP is not in use, Cisco offers a solution referred to as local-area mobility (LAM). Cisco’s LAM enables computers with static addresses to move from one subnet to another while maintaining transparent connectivity, without software changes on the roaming host.
Compatibility between Wireless Networks
There has been a lot of talk about interoperation, backwards compatibility and interference between the various WLAN technologies.
The most prevalent WLAN technology, Wi-Fi, has several potential speed increases and security modifications in store from the IEEE 802.11 Task Group g. This yet-to-be-ratified standard (IEEE 802.11g) is proposed to be backward compatible with Wi-Fi. It is likely that, in the very near future, wireless products adhering to this standard will replace current Wi-Fi equipment and will be produced by the same companies currently producing Wi-Fi chipsets.
Although sharing the 802.11 nomenclature, Wi-Fi (802.11b) and the faster 802.11a standard are incompatible. Companies with an existing Wi-Fi network cannot simply deploy a new 802.11a network on the Wi-Fi access points and expect to suddenly jump from 11 Mbps to 54 Mbps. The physics and operational characteristics simply do not work that way, and an 802.11a AP will only cover approximately a fourth of the area covered by a Wi-Fi AP. Thus, to cover a similarly sized area, all other factors being equal, four 802.11a APs are required for every Wi-Fi AP. This is not to say that the two cannot be deployed together. In the near future, it is likely that WLAN access points will support both standards within a single device. Thus Wi-Fi’s range and sustainable 11 Mbps data rate could be complemented with 802.11a’s concentrated 54 Mbps.
Within the crowded 2.4 GHz ISM band, interference between devices can cause concern. Of primary concern has been the interference between Wi-Fi and Bluetooth. However, multiple companies have researched this interference issue and have concluded that, when separated by 2 metres or more, there is no significant interference. With separation distances of less than 2 metres, the two technologies can interfere with each other, and this can be severe when co-located within a single device (i.e. a combination PCMCIA card). Several solutions have already been proposed, ranging from modifications and extensions to the existing standards, through to recommended best practices and technological advances.
Security within the Standards
By default, Wi-Fi utilises open system authentication, and authenticates anyone who requests authentication. Wireless nodes perform a mutual authentication using this method when joining a network. In many cases the management authentication frames are sent in the clear even when WEP is enabled.
Until very recently, the law used to be that a manufacturer could only export up to 56-bit encryption, and the Wi-Fi standard specified only up to 40-bit encryption for export reasons. It is important to note that, with the 40-bit encryption option, a 24-bit initialisation vector is appended and all encryption is conducted with a 64-bit key length. While not officially part of the Wi-Fi standard, many vendors now implement 128-bit key lengths for encrypting data. This 128-bit key consists of the 24-bit initialisation vector and a 104-bit pseudo-random key.
Although the IEEE 802.11 standards body is currently working to improve the security of the standard, it is too late for deployed networks and those networks about to be deployed. Nevertheless, Wi-Fi vendors have provided numerous mechanisms to help secure both communications and the operating environment:
Table 2: 802.11b security measures
Bluetooth technology provides three security attributes (authorisation, authentication and encryption), and three modes of security:
As there are numerous services that a Bluetooth device may have, a sizable database of services the device has authorisation to use is required. The user can choose to “auto” trust devices or “manually” trust devices.
Table 3: Bluetooth security measures
Signals and Data Throughput
Although each of the technologies and standards specifies maximum data rates for wireless communications, it is important to realise that these rates differ greatly from what an organisation can expect to achieve using real data in a live environment. Just as wired Ethernet is touted as 10 or 100 Mbps, the actual maximum throughput is roughly 85% of these values due to overheads inherent to the technology. For instance, with Ethernet, once the network traffic load reaches beyond 60% the probability of network collisions is very high; beyond this level, collisions and retransmissions of data can cause the network to stall.
When securing the wireless network by utilising either the native encryption mechanisms or third-party products, actual data throughput can drop even further. Organisations should carefully review not only the strength of the encryption mechanism, but also its overhead on throughput. For instance, Wi-Fi’s highest data rate is 11 Mbps – this corresponds to approximately 7 Mbps actual throughput. By utilising WEP, it is not unusual for this rate to drop to 6 Mbps.
Table 4: Transmission speed comparisons
Another important consideration is range. Due to the physics of wireless wave propagation, signal strength is inversely proportional to the range between devices. Thus, in real terms, range corresponds to maximum data rates. The maximum rate for Wi-Fi (11 Mbps) can only be achieved within a certain range of the transmitter. Moving further away from the transmitter causes the data rate to “step down” to 5.5 Mbps, 2 Mbps, 1 Mbps and finally no signal. This range is dependent on the transmitter design and the type of receiving antenna.
IEEE 802.11a provides a higher data transfer rate than Wi-Fi (36-54 Mbps versus 11 Mbps) when close to the WLAN access point (within 10-15 metres), making it more attractive for dense user environments that also require high throughput, but the data rate is closer to 9-12 Mbps at ranges over 30 metres.
A typical maximum range (at the lowest data rate of 1 Mbps) for standard Wi-Fi devices is 500 metres. However, utilising improved or specially designed receiving antennas, ranges in excess of 14 km have been achieved. The ranges achieved with standard external PCMCIA Wi-Fi cards are generally poor due to the antenna being in the worst possible orientation: sideways, and very close to the laptop (the radiation pattern is thus almost straight up and down). To address this, and offer greater ranges, many laptop vendors now build the Wi-Fi antennas into and around the screen.
WLAN Security Solutions
The omnidirectional broadcasting of WLAN traffic is a primary security concern. Although various mechanisms for securing the data have been included within each of the established wireless standards, the nature of the medium ensures that an anonymous attacker or interloper can easily monitor or collect traffic. Given the current range of flaws within these security mechanisms, it is inevitable that the data content will be decoded or decrypted by those who have the time and tools to do so. Unfortunately, the tools required to sniff, decrypt and gain access to most wireless networks are freely available through numerous sites on the Internet.
While many of the security systems built into the various wireless standards have been proven to be flawed or open to abuse, there are numerous options that an organisation may undertake to help deploy these technologies in a secure manner. These options range from common-sense practices, through physical implementation, to proven third-party products. Those within an organisation responsible for security management and system integrity should review the following suggestions to aid their deployment of WLAN technologies.
Almost all WLAN products come preconfigured with a suite of default settings, services and passwords. These defaults are well known, and various lists exist on the Internet for ready inclusion into tools designed expressly for compromising the security of your WLAN.
Always review the literature that comes with the WLAN components and be wary of all default settings. In particular, take note of the default security permissions for Bluetooth devices, and the default SSID and WEP keys for Wi-Fi. For APs, review the services utilised for remote management of the device (i.e. web admin and SNMP), decide whether these services can be made secure (through appropriate passwords and access controls or limitations), and whether such mechanisms are compatible or consistent with your corporation’s existing security management procedures.
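To make the default-settings advice above concrete, here is an added Python example (not from the paper) that audits an access point’s configuration, represented as a simple dictionary, for the points this section raises: a vendor default SSID, a default management password or SNMP community string, management services reachable from the wireless side, and a missing or malformed WEP key. The key check applies the arithmetic from Security within the Standards: a 5-byte (40-bit) or 13-byte (104-bit) secret plus the 24-bit initialisation vector gives the 64- or 128-bit key length. The default-value sets are short placeholders constructed for illustration rather than a real vendor default list, and the configuration keys are an assumed representation, not any product’s format.

```python
import re

# Placeholder default values, constructed for illustration; the real vendor default
# lists the paper refers to are not reproduced here.
PLACEHOLDER_DEFAULT_SSIDS = {"default", "wireless", "wlan"}
PLACEHOLDER_DEFAULT_PASSWORDS = {"", "admin", "password"}
WELL_KNOWN_SNMP_COMMUNITIES = {"public", "private"}   # the classic read/write defaults

IV_BITS = 24                      # WEP initialisation vector length
HEX_DIGITS = re.compile(r"^[0-9A-Fa-f]+$")


def wep_key_bits(key):
    """Effective WEP key length in bits, IV included: 64 (40-bit secret) or 128
    (104-bit secret). Accepts 5/13 ASCII characters or 10/26 hex digits, the two
    forms most APs take. Returns None for a malformed key."""
    if key[:2].lower() == "0x":
        key = key[2:]
    if len(key) in (10, 26) and HEX_DIGITS.match(key):
        secret_bits = len(key) * 4
    elif len(key) in (5, 13):
        secret_bits = len(key) * 8
    else:
        return None
    return secret_bits + IV_BITS


def audit_ap_config(cfg):
    """Check an access-point configuration (an assumed dict representation, not a
    product format) against the default-settings advice. Returns a list of findings."""
    findings = []
    if cfg.get("ssid", "").lower() in PLACEHOLDER_DEFAULT_SSIDS:
        findings.append("SSID is a vendor default: choose an organisation-specific name")
    if not cfg.get("wep_enabled", False):
        findings.append("WEP disabled: traffic is broadcast in the clear unless a VPN is used")
    else:
        bits = wep_key_bits(cfg.get("wep_key", ""))
        if bits is None:
            findings.append("WEP key malformed: expected 5/13 ASCII characters or 10/26 hex digits")
        elif bits == 64:
            findings.append("40-bit WEP key (64-bit with IV): use the 104-bit key where supported")
    if cfg.get("admin_password", "") in PLACEHOLDER_DEFAULT_PASSWORDS:
        findings.append("management password is blank or a vendor default")
    if cfg.get("snmp_enabled", False) and cfg.get("snmp_community", "") in WELL_KNOWN_SNMP_COMMUNITIES:
        findings.append("SNMP enabled with a well-known community string")
    if cfg.get("mgmt_from_wlan", False):
        findings.append("management (web/SNMP) reachable from the wireless side: "
                        "restrict it to the wired management segment")
    return findings


# Constructed examples: an AP as shipped, and the same AP after review.
AS_SHIPPED = {
    "ssid": "default", "wep_enabled": False, "admin_password": "",
    "snmp_enabled": True, "snmp_community": "public", "mgmt_from_wlan": True,
}
REVIEWED = {
    "ssid": "acme-floor3", "wep_enabled": True,
    "wep_key": "0123456789abcdef0123456789",          # 26 hex digits = 104-bit secret
    "admin_password": "an-actual-passphrase", "snmp_enabled": False, "mgmt_from_wlan": False,
}

if __name__ == "__main__":
    for name, cfg in (("as shipped", AS_SHIPPED), ("reviewed", REVIEWED)):
        print(name, audit_ap_config(cfg))
```

A clean result from the audit does not make WEP safe; as the paper says under Treat as Untrusted, the WLAN segment should still sit in its own firewall zone with a VPN carrying the traffic.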
The Value of the Data
Consider the value of the data that could be transmitted over the WLAN. The data will be broadcast and may be collected by an anonymous observer. Depending on the security settings and encryption levels used for the WLAN traffic, the difficulty in decoding or decrypting the data may range from trivial through to almost impossible. Beware though, if an observer is able to collect a sizable amount of data and is willing to invest the time and effort, almost all encrypted data can be decrypted.
Organizations should review the value of the data being broadcast and ascertain how important it is that an outsider is unable to render it readable. For some organizations the value of the data may be best measured in time – consider a competitive tender document that may have a life of a couple of months, sensitive financial data that may have a life of several years, or private banking details that must be kept secret for decades. For other organizations the value of the data may be measured in reputation.
Even when the best commercial encryption algorithms are used, advances in computer processing power make it unlikely that such confidential data will remain secret several years from now, should an observer choose to decrypt the data.
Treat as Untrusted
Do not inherently trust connections from the WLAN. Wireless APs should be handled similarly to Internet and dial-in (e.g. RAS) connections. Best practice dictates that all APs should be located within separate firewall zones (i.e. a DMZ), with access controls or filtering rules similar to those configured for Internet access into the organization. This is not to say that the APs should be located outside the corporate firewall on the same network as the Internet, but on a separate untrusted segment controlled with appropriate rules and policies.
Just as external users may access an organization’s LAN through the Internet or RAS services using technologies such as RADIUS, Kerberos, Secure Sockets Layer (SSL) encryption and virtual private networks (VPNs), an organization should extend these authentication and encryption techniques through to the WLAN and carefully examine all access procedures.
The most widely used mechanism for securing VPN traffic is the Internet Protocol Security (IPSec) specification, as defined by the IEEE. IPSec can use keyed hash algorithms (MD5, SHA, HMAC) for authenticating packets, DES, 3DES and other bulk algorithms for encrypting data, and digital certificates for validating public keys.
By employing this solution, WEP is no longer required (as all encryption is handled by the VPN channel) and should be disabled. The VPN server(s) provide the necessary authentication and full encryption over the WLAN. Utilising digital certificates at each wireless node helps ensure strong authentication.
As a more general policy, all organizations should be using secure communication methods all the time to transfer data, even internally. Consider utilizing SSL encryption for internal applications and Intranet components.
Deploying multiple access points on the same frequency can increase the fault tolerance and adds range to a wireless segment, but won't increase your overall bandwidth. When one access point in a segment fails, the wireless clients seamlessly roam to the other access points without interrupting service, provided the appropriate roaming technologies have been configured. Not all vendor WLAN products may support seamless network roaming – choose carefully.
Be Capable of Monitoring the WLAN
Invest in appropriate network technologies to readily identify wireless APs or PC Cards that may be misbehaving and causing a degradation of service. It is important to note that even a single PC Card can saturate a wireless segment. Whether an organization has just one user or 50 on a segment, all users contend for the same amount of bandwidth. After all, a Wi-Fi network utilizes CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance) and, like shared Ethernet, has a finite capacity and a certain amount of overhead associated with it. This is especially important given the threat from attackers who may purposefully seek to disrupt the WLAN services. Such an attack may cost an attacker less than £400 (i.e. a Palm computer and Wi-Fi PCMCIA card) and could be performed anywhere within range of the WLAN.
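As an added example of the kind of monitoring check this paragraph calls for (not code from the paper), the following Python reads per-station byte counters as an access point might export them over a polling interval and compares each station’s share against the usable capacity figures given under Signals and Data Throughput (about 7 Mbps for an 11 Mbps segment, 6 Mbps with WEP) and the 60% load level beyond which collisions become likely. The record format, MAC addresses and counter values are constructed sample data, not any vendor’s output.

```python
import re

# Usable throughput figures quoted in the paper for an 11 Mbps Wi-Fi segment
USABLE_MBPS_OPEN = 7.0        # approximate actual throughput without WEP
USABLE_MBPS_WEP = 6.0         # typical figure once WEP is enabled
COLLISION_LOAD = 0.60         # shared-medium load beyond which collisions become very likely

# One record per associated station over a polling interval.
# Constructed sample data in a constructed format (not any vendor's output).
SAMPLE_STATION_COUNTERS = """\
00:02:2d:aa:bb:01 tx_bytes=1200000 rx_bytes=300000
00:02:2d:aa:bb:02 tx_bytes=60000 rx_bytes=45000
00:02:2d:aa:bb:03 tx_bytes=3900000 rx_bytes=400000
"""
SAMPLE_INTERVAL_S = 10

RECORD = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+tx_bytes=(?P<tx>\d+)\s+rx_bytes=(?P<rx>\d+)$"
)


def parse_station_counters(text):
    """Return {mac: total bytes over the interval}; rejects lines it does not understand."""
    counters = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD.match(line)
        if not m:
            raise ValueError(f"unrecognised station record: {line!r}")
        counters[m["mac"]] = int(m["tx"]) + int(m["rx"])
    return counters


def segment_load(counters, interval_s, usable_mbps=USABLE_MBPS_OPEN):
    """Per-station share of the usable capacity over the interval, and the total load."""
    capacity_bytes = usable_mbps * 1e6 * interval_s / 8
    shares = {mac: total / capacity_bytes for mac, total in counters.items()}
    return shares, sum(shares.values())


def find_problems(counters, interval_s, usable_mbps=USABLE_MBPS_OPEN, station_threshold=0.40):
    """Flag any single station monopolising the segment, and an overall load that
    will produce collisions and retransmissions."""
    shares, total = segment_load(counters, interval_s, usable_mbps)
    problems = []
    for mac, share in sorted(shares.items(), key=lambda kv: kv[1], reverse=True):
        if share >= station_threshold:
            problems.append(f"station {mac} used {share:.0%} of usable capacity")
    if total >= COLLISION_LOAD:
        problems.append(f"segment load {total:.0%} exceeds {COLLISION_LOAD:.0%}: "
                        "expect collisions and retransmissions")
    return problems


if __name__ == "__main__":
    counters = parse_station_counters(SAMPLE_STATION_COUNTERS)
    for problem in find_problems(counters, SAMPLE_INTERVAL_S):
        print(problem)
```

Passing `usable_mbps=USABLE_MBPS_WEP` to `find_problems` shows why the thresholds should track the segment’s actual configuration: the same byte counts represent a larger share of a WEP-protected segment.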
Be Capable of Detecting and Responding to Intruders
It is important not only to be able to monitor the WLAN, but also to record and identify attacks. Modern Intrusion Detection Systems (IDS) are capable of identifying and responding to many of the most popular and dangerous attacks in an automated manner. Where possible, network IDS sensors should be placed on the WLAN DMZ segment and on the organization’s wired LAN. Key hosts, particularly authentication servers on the wired LAN used to authorize access from the WLAN, should utilize host-based IDS sensors.
Having protected the organization’s LAN and key authentication servers, ensure that the client WLAN devices (e.g. laptops, printers and access points) on the “dirty” side of the DMZ are also properly secured. As these devices are now likely to be primary targets of an attacker, ensure that each device has been hardened to appropriate security standards, has current anti-virus detection agents, and utilizes updated personal IDS monitors.
Ensure that both the WLAN end users and administrative staff understand the security limitations of the technology. It is vital that users be aware of the vulnerabilities of the data they may access or share over the WLAN to other users, and understand the secure access methods available to them. For administrative staff, it is equally important they understand the security configuration of the environment and have the skills to readily maintain and monitor the integrity of the WLAN.
All staff with access to WLAN components of an organisation’s infrastructure must understand and use good password policies. Almost all security mechanisms used by any organisation can be compromised or thwarted by poor passwords.
Be Aware of Country Specific Laws
Regulation of radio frequency bands is often country specific, and various laws exist controlling their usage. Additionally, many countries have specific laws relating to the monitoring of radio frequency data and the protection of personal data that may be observed and recorded.
Consider the following two wireless standards, 802.11b and 802.11a. 802.11b operates in the 2.4 GHz ISM band and defines a total of 14 frequency channels. Channels 1 through 11 are approved for use within the U.S., whereas most of Europe can use channels 1 through 13, with the notable exception of France, where only channels 10 through 13 are available. 802.11a operates in the 5 GHz U-NII band and, although approved for use in the U.S., is not currently approved for European use.
Both suppliers and implementers of all WLAN technologies must carefully review the legal implications of installing and using such wireless technologies. Use of devices operating outside the approved radio frequency bands may interfere with 3rd-party devices, and is likely to lead to legal prosecution in most countries. Additionally, local laws relating to maximum encryption key length, radio broadcast power and range, reception and observation of unintended radio frequency data (e.g. the WLAN from across the road), and data protection regulations must also be carefully reviewed.
Understand the Operational Characteristics of the Technology
Focusing on 802.11b, an important concept to note regarding channel assignments is that the channel actually represents the centre frequency that the transceiver within the radio and access point uses (e.g., 2.412 GHz for channel 1 and 2.417 GHz for channel 2). There is only 5 MHz separation between the centre frequencies, and an 802.11b signal occupies approximately 30 MHz of the frequency spectrum. The signal falls within about 15 MHz of each side of the centre frequency.
As a result, an 802.11b signal overlaps with several adjacent channel frequencies. This leaves only three channels (channels 1, 6, and 11 for the U.S.) that can be used without causing interference between access points. For WLANs with only one access point, it is possible to set the access point to any one of the channels; often, the default setting shipped by the vendor will be adequate. If there are two or three access points, assign any combination of channels 1, 6, and 11. Doing so will keep the signals far enough apart in the RF spectrum to avoid problems.
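The channel arithmetic in this section and the country restrictions given under Be Aware of Country Specific Laws can be checked mechanically. The following Python is an added example (not from the paper): it computes the centre frequency of each channel, tests a proposed channel plan for overlap and for channels not permitted in the chosen country, and derives a set of mutually non-overlapping permitted channels, chosen lowest first. The channel width defaults to the 22 MHz DSSS channel stated earlier, which yields the 1, 6 and 11 plan; the wider 30 MHz footprint mentioned above changes the result, and the width is therefore a parameter. The regulatory sets are only those quoted in the text, with “EU” standing for “most of Europe”, and must be verified against current local regulations; the 2484 MHz centre frequency for channel 14 is a property of the standard not taken from this page.

```python
# Channel sets as quoted in the paper (country specific; verify against current local rules).
# "EU" here stands for "most of Europe"; France is listed separately.
PERMITTED_CHANNELS = {
    "US": range(1, 12),    # channels 1-11
    "EU": range(1, 14),    # channels 1-13
    "FR": range(10, 14),   # channels 10-13
}

DSSS_CHANNEL_WIDTH_MHZ = 22   # DSSS channel width given in the paper's description of 802.11


def centre_frequency_mhz(channel):
    """Centre frequency of an 802.11b channel: 2412 MHz for channel 1, then 5 MHz steps.
    Channel 14 is the exception at 2484 MHz (a property of the standard, not taken from the paper)."""
    if not 1 <= channel <= 14:
        raise ValueError("802.11b defines channels 1 to 14")
    return 2484 if channel == 14 else 2407 + 5 * channel


def channels_overlap(a, b, width_mhz=DSSS_CHANNEL_WIDTH_MHZ):
    """Two channels overlap when their centres are closer than one channel width."""
    return abs(centre_frequency_mhz(a) - centre_frequency_mhz(b)) < width_mhz


def validate_channel_plan(channels, country, width_mhz=DSSS_CHANNEL_WIDTH_MHZ):
    """Report channels not permitted in the country and pairs of APs whose channels overlap."""
    if country not in PERMITTED_CHANNELS:
        raise ValueError(f"no channel set recorded for {country!r}")
    problems = []
    for ch in channels:
        if ch not in PERMITTED_CHANNELS[country]:
            problems.append(f"channel {ch} is not permitted in {country}")
    for i, a in enumerate(channels):
        for b in channels[i + 1:]:
            if channels_overlap(a, b, width_mhz):
                problems.append(f"channels {a} and {b} overlap "
                                f"({centre_frequency_mhz(a)} MHz vs {centre_frequency_mhz(b)} MHz)")
    return problems


def non_overlapping_channels(country, width_mhz=DSSS_CHANNEL_WIDTH_MHZ):
    """Permitted channels that can be used together without overlap, chosen lowest first."""
    chosen = []
    for ch in PERMITTED_CHANNELS[country]:
        if all(not channels_overlap(ch, used, width_mhz) for used in chosen):
            chosen.append(ch)
    return chosen


if __name__ == "__main__":
    for country in PERMITTED_CHANNELS:
        print(country, non_overlapping_channels(country))
    print(validate_channel_plan([1, 6, 11], "FR"))
```

Running it for France shows the practical consequence of the restriction quoted above: with only channels 10 to 13 available, no two access points in range of each other can be given non-overlapping channels.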
Table 4: 802.11b channel median frequencies (* indicates non-overlapping channels)