Wireless 802.11b is riddled with insecurities. In addition to various improprieties within WEP (see attached), the 802.11b access association scheme is inherently insecure. The
University of Maryland Study found that "while the current access points provide several security mechanisms, [their] work combined with the work of others show that ALL of these mechanisms are completely ineffective."
The mechanisms they are referring to are:
- WEP (Wired Equivalent Protocol)
- Open Systems Authentication
- Shared Key Authentication
- Access Control Lists (MAC Address Lists)
- Closed Network Access Control (LUCENT's Proprietary Access Control)
The important thing to note here is that EVERY one of these mechanisms can be worked around.
- WEP has known vulnerabilities allowing someone to decrypt information in real time after capturing about a day's worth of traffic.
- Open Systems Authentication: the study has "shown that the authentication management frames are sent in the clear even when WEP is enabled."
- Shared Key Authentication has been shown to be weak because it is straightforward to capture the Initialization Vector, since it is sent in the clear as part of a WEP frame.
- Standard Access Control Lists are easily circumvented by an attacker sniffing the network for a valid MAC address and then reprogramming their network card to that value to gain access to the network.
- The proprietary Closed Network Access Control list that LUCENT (and others) tout as "a system that will not send the network identification (SSID) as a broadcast, thereby mandating that someone KNOW the SSID before they can associate to the network," is inherently flawed since:
"Several management messages contain the network name, or SSID, and these messages are broadcast in the clear by access points and clients. The actual message containing the SSID depends on the vendor of the access point. The end result, however, is that an attacker can easily sniff the network name, determining the shared secret and gaining access to the "protected" network. This flaw exists even with WEP enabled because the management messages are broadcast in the clear."
When setting up a wireless 802.11b network, you MUST consider it to be publicly accessible. Anyone who is motivated can gain access to your physical network. They need not be within 300 meters; with a Yagi antenna or some other directional device they could gain access from miles away. If you set up a wireless network despite these vulnerabilities, please follow these suggestions:
- The most effective strategy would be to put your wireless access points into an IPsec-enabled DMZ and have your wireless users tunnel into your network using a VPN. If your corporation doesn't already have a VPN infrastructure in place, it's going to cost you some money to implement. Even if you do have a VPN in place, and all of your clients already have the VPN software, there's going to be extra effort associated with setting up a VLAN for your DMZ. But this solution adds a layer of encryption and authentication that could make a wireless network suitable for sensitive data.
- Consider using an additional level of authentication, such as RADIUS, before you permit an association with your access points. While it's not part of the 802.11b standard, a number of companies are optionally including some provision for RADIUS authentication. Orinoco access points, for example, can enforce RADIUS authentication of MAC addresses against an external RADIUS server. Intermec access points include a built-in RADIUS server for up to 128 MAC addresses. (EAP, the Extensible Authentication Protocol, is used to allow wireless clients to authenticate to RADIUS servers using a single sign-on.)
- At an absolute minimum, even with its vulnerabilities, you should enable WEP. Whether you implement 64-bit or 128-bit doesn't really matter too much, as it's not the encryption scheme that determines how long it takes to crack but the number of possible Initialization Vectors. WEP is only a low barrier to entry, but it will keep out many of the casual hackers because there are so many other wireless networks that are wide open and easier targets.
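The claim that key length barely matters can be put in numbers. The following is an added worked example, not part of the original memo: both standard WEP configurations prepend the same 24-bit IV to the RC4 key (40 + 24 bits marketed as 64-bit, 104 + 24 bits marketed as 128-bit), so the IV space, and therefore the point at which keystream reuse becomes likely, is identical for both. The link rate of 11 Mb/s and the 1500-byte frame size are assumed values chosen to describe a saturated 802.11b link; a less busy network takes proportionally longer to cycle through its IVs. The birthday-bound formula is the standard one for random IV selection.

```python
import math

IV_BITS = 24                 # WEP IV is 24 bits regardless of key length
IV_SPACE = 1 << IV_BITS      # 16,777,216 distinct IVs

# Marketed WEP key length -> (secret key bits, IV bits). The two standard
# configurations; the IV size is the property being compared.
WEP_VARIANTS = {64: (40, IV_BITS), 128: (104, IV_BITS)}

def frames_per_second(link_mbps: float = 11.0, frame_bytes: int = 1500) -> float:
    """Upper bound on frames/s if the link carried nothing but full-size frames.
    The 11 Mb/s rate and 1500-byte frames are assumed values for a busy 802.11b link."""
    return link_mbps * 1e6 / (frame_bytes * 8)

def hours_to_exhaust_iv_space(fps: float, iv_bits: int = IV_BITS) -> float:
    """Time until a sender stepping through IVs sequentially has used every one."""
    return (1 << iv_bits) / fps / 3600

def iv_collision_probability(n_frames: int, iv_bits: int = IV_BITS) -> float:
    """Birthday bound: probability that at least two of n randomly chosen IVs
    coincide, i.e. that two frames were encrypted with the same RC4 keystream."""
    space = 1 << iv_bits
    return 1 - math.exp(-n_frames * (n_frames - 1) / (2 * space))

def frames_until_collision(p: float = 0.5, iv_bits: int = IV_BITS) -> int:
    """Smallest number of frames at which the collision probability reaches p."""
    space = 1 << iv_bits
    target = 2 * space * math.log(1 / (1 - p))          # solve n(n-1) >= target
    n = math.ceil((1 + math.sqrt(1 + 4 * target)) / 2)
    # Guard against floating-point rounding around the boundary.
    while n > 1 and iv_collision_probability(n - 1, iv_bits) >= p:
        n -= 1
    while iv_collision_probability(n, iv_bits) < p:
        n += 1
    return n

def compare_key_sizes(fps: float) -> dict:
    """Side-by-side view of the two WEP variants: the secret key differs, the
    IV space and the IV-exhaustion timeline do not."""
    return {
        bits: {
            "key_bits": key_bits,
            "iv_bits": iv_bits,
            "iv_space": 1 << iv_bits,
            "hours_to_exhaust": round(hours_to_exhaust_iv_space(fps, iv_bits), 2),
            "frames_to_50pct_reuse": frames_until_collision(0.5, iv_bits),
        }
        for bits, (key_bits, iv_bits) in WEP_VARIANTS.items()
    }

if __name__ == "__main__":
    fps = frames_per_second()
    print(f"assumed saturated link: {fps:.0f} frames/s")
    for bits, row in compare_key_sizes(fps).items():
        print(f"{bits}-bit WEP: {row}")
    print(f"P(IV reuse) after 5000 frames: {iv_collision_probability(5000):.3f}")
```

The table it prints makes the memo's point: the 128-bit variant has a larger secret key but exactly the same 16,777,216 IVs, the same few hours to exhaust them on a busy link, and the same few thousand frames before keystream reuse is more likely than not.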
REFERENCES
University of Maryland Study: http://www.cs.umd.edu/~waa/wireless.pdf
Fluhrer, Mantin and Shamir Study: http://www.eyetap.org/~rguerra/toronto2001/rc4_ksaproc.pdf
AT&T Labs and Rice University Study: http://www.cs.rice.edu/~astubble/wep/wep_attack.html