
802.11 Insecurities


Page 1: 802.11 Insecurities

Wireless News

'BlueBag' PC sniffs out Bluetooth flaws

• In just under 23 hours of travel, BlueBag was able to spot more than 1,400 devices with which it could have connected

• If you happened to fly through Milan's Malpensa Airport last March, your mobile phone may have been scanned by the BlueBag.

Page 2: 802.11 Insecurities

Wireless News

Next generation wireless is new, nifty, but not yet standard

• The good news is that there's a new generation of wireless networking products on the horizon, products that feature about four times as much coverage and more than 10 times faster access than traditional WiFi networks.

• The bad news is that this new-and-improved wireless standard doesn't actually exist yet, even though there's no shortage of retailers who are more than willing to sell it to you right now.

Page 3: 802.11 Insecurities

Wireless News

A team of researchers from Research Triangle Institute successfully tested a paint-on antenna for high-altitude airships on June 21, in the Nevada desert.

Page 4: 802.11 Insecurities

Misbehaving with WiFi

Chapter Eight

Wireless LAN Security and Vulnerabilities

Page 5: 802.11 Insecurities

Topics

Snake oil access control
MAC layer lacks per frame authentication
The spoofing problems which result
802.1X issues related to spoofing
WEP (dead horse, I’ll discuss it briefly)
Attacks against these schemes
Recommendations
Wireless tools you can mess with
WEP Crack Demo

Page 6: 802.11 Insecurities

Terminology

SSID – Service Set ID
• A text string used to identify sets of APs

Spoofing
• Illegitimate generation of network traffic
  Fake packets altogether
  Insert traffic into a stream

WEP – Wired Equivalent Privacy
• Broken 802.11 encryption scheme
• Should be “What on Earth does this Protect?”

Page 7: 802.11 Insecurities

Terminology (continued)

Access point
• Device serving as wireless-to-wired bridge

Association request
• Wireless stations ‘associate’ with an AP
• Follows rudimentary authentication procedure

Per Frame Authentication
• Every frame carries authenticity information
• Should be used with initial auth. exchange

Page 8: 802.11 Insecurities

Terminology (continued)

Snake oil is a Traditional Chinese medicine used for joint pain. However, the most common usage is as a derogatory term for medicines to imply that they are fake, fraudulent, and usually ineffective. The expression is also applied metaphorically to any product with exaggerated marketing but questionable or unverifiable quality.

(borrowed from Wikipedia)

Page 9: 802.11 Insecurities

Ted’s Hacker

[Image: TED’S HACKER]

Page 10: 802.11 Insecurities

Auth. in the 802.11 MAC Layer

Two types
• Open System
  No authentication
  Gratuitous access
• Shared Key
  Uses WEP – broken scheme
  Key distribution and usage issues

No per frame auth.
• Frame spoofing is easy
• If an authentication scheme is to be effective, it needs to be per frame

No AP auth. – allows impersonation of APs

MAC layer does leave room for other auth. schemes
• None presently implemented
• New schemes which conform to standard still can’t be per frame
• Per frame authentication

Page 11: 802.11 Insecurities

Other Forms of Access Control

SSID hiding (complete snake oil)
• SSID often beaconed by APs
• APs can be configured to stop beaconing

MAC address filtering (snake oil)
• DHCP servers
• AP ACLs

802.1X (spoofing issues)
• Takes place following MAC layer auth. and assoc. to AP
• Controls access only to world beyond AP via EAP
• Does allow for more robust authentication (Kerberos, others)
• Doesn’t solve per packet auth. problem
• No clients for all OS’s which all use the same auth. scheme

Page 12: 802.11 Insecurities

WEP, the “Sweet & Low” of 802.11

Passive listening
• Numerous documented attacks
• Attacks widely implemented
• Key can be recovered at worst in a few hours of passive listening

Only encrypts data frames
• Management, control frames sent in the clear
• We can still spoof these frame types without a key

Key management issues
• If key changes all devices must change it at the very same time, so short key periods won’t help much
• Employee leaves with key in hand
• Basically Broken

Page 13: 802.11 Insecurities

Sniffing the SSID - easy

[Diagram] Regular User Station (being innocent) → AP w/ SSID ‘Paris’: Assoc. Request (…, SSID ‘Paris’, …)
Mischievous Station running NetStumbler or similar: Sniff, sniff, sniff…

Page 14: 802.11 Insecurities

Beating MAC Address Filters - easy

Sniff legitimate MAC Addresses
Wait for a station to leave
Set your MAC to a legitimate address
• linux# ifconfig wlan0 hw ether 00:00:de:ad:be:ef
• openbsd# wicontrol wi0 -m b5:db:5d:b5:db:5d

You can now authenticate and associate

MAC filtered by DHCP server?
• Sniff addresses and set your IP statically

Page 15: 802.11 Insecurities

Cracking WEP – easy, time consuming

[Diagram] Regular User Station (being innocent) ↔ Access Point: WEP encrypted Data Frames (A1%h8#/?e$! ...)
Mischievous Station running AirSnort or similar: Sniff, sniff… CRACK!

Page 16: 802.11 Insecurities

Back to the Spoofing

Spoofing allows lots of naughty behavior
• Station disassociation DoS
  Disrupt wireless station’s access
• Access point saturation DoS
  MAC level limits the number of associated stations to ~2000
  Implementation limits set lower to prevent congestion
  Prevent new stations from authenticating to an AP
• Hijacking of legitimately authenticated sessions
• Man in the middle attacks
  Old ARP cache poisoning, DNS spoofing affect 802.11 too
  Impersonate AP to a client, tamper with traffic, pass it along

Page 17: 802.11 Insecurities

Tools for Spoofing Frames – challenging, getting easier

Libradiate makes it easy
• No longer supported

AirSnarf
• mimics a legitimate access point

DoS Tools (disassoc, AP saturate, etc)

THC-RUT
• combines detection, spoofing, masking, and cracking into the same tool

Hotspotter
• deauthenticate frame sent to a MS Windows XP user’s computer that would cause the victim’s wireless connection to be switched to a non-preferred connection, AKA a rogue AP.

Page 18: 802.11 Insecurities

Disassociating a Wireless Station – easy after implementation!

[Diagram] Regular User Station (being innocent) ↔ Access Point: General Wireless Traffic (MGMT, CTRL, DATA)
Mischievous Station running dis2 → Access Point: Disassociate Frame (SANTA’S MAC, AP BSSID, DISASSOC, …)
Sniff, sniff… DISASSOC!
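The forged Disassociate frame in the diagram above works because 802.11 management frames carry no per-frame authentication, the point the earlier spoofing slides make. The detector below is an added example, not code from the slides or from dis2: it parses constructed 802.11 management frames and alerts when a burst of disassociation/deauthentication frames for one transmitter/BSSID pair arrives inside a short window, which is the signal a defender can observe even though no single frame can be proven forged. All MAC addresses, timestamps, and the window/threshold values are constructed assumptions.

```python
"""Disassociation/deauthentication flood detector.

Added educational example, not code from the slides or from dis2. 802.11
management frames carry no per-frame authentication, so a Disassociate or
Deauthenticate frame naming a victim station and the AP's BSSID can be forged
by anyone in radio range. A monitor-mode capture cannot prove a single frame is
forged, but a burst of them for one (transmitter, BSSID) pair inside a short
window is a strong signal and is what a wireless IDS alerts on. The frames
below are constructed in-line so the detector runs offline.
"""
from collections import defaultdict, deque
from typing import List, Optional, Tuple

MGMT_TYPE = 0
DISASSOC, DEAUTH, BEACON = 0xA, 0xC, 0x8  # management-frame subtypes


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_mgmt_frame(subtype: int, addr1: str, addr2: str, addr3: str,
                     reason: Optional[int] = None) -> bytes:
    """Construct a minimal 802.11 management frame (used only to build sample input).

    Layout: Frame Control(2) | Duration(2) | Addr1 | Addr2 | Addr3 | Seq(2) | body.
    Frame Control byte 0 = subtype<<4 | type<<2 | version; type 0 is management.
    Disassoc/deauth bodies carry a 2-byte little-endian reason code.
    """
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    body = reason.to_bytes(2, "little") if reason is not None else b""
    return fc + b"\x00\x00" + _mac(addr1) + _mac(addr2) + _mac(addr3) + b"\x00\x00" + body


def parse_mgmt_frame(frame: bytes) -> Optional[Tuple[int, str, str, str, Optional[int]]]:
    """Return (subtype, addr1, addr2, addr3, reason) for a management frame, else None."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != MGMT_TYPE:
        return None
    subtype = (fc0 >> 4) & 0xF
    a1, a2, a3 = (frame[i:i + 6].hex(":") for i in (4, 10, 16))
    reason = int.from_bytes(frame[24:26], "little") if len(frame) >= 26 else None
    return subtype, a1, a2, a3, reason


def detect_disassoc_floods(capture: List[Tuple[float, bytes]], window: float = 1.0,
                           threshold: int = 5) -> List[Tuple[float, str, str, int]]:
    """Alert once per (transmitter, BSSID) when >= threshold deauth/disassoc frames
    from that pair fall within `window` seconds. Returns (time, transmitter, bssid, count)."""
    recent = defaultdict(deque)   # (transmitter, bssid) -> timestamps inside the window
    alerted = set()
    alerts = []
    for ts, raw in sorted(capture, key=lambda f: f[0]):
        parsed = parse_mgmt_frame(raw)
        if parsed is None or parsed[0] not in (DISASSOC, DEAUTH):
            continue
        _, _, transmitter, bssid, _ = parsed
        key = (transmitter, bssid)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((ts, transmitter, bssid, len(q)))
    return alerts


def sample_capture() -> List[Tuple[float, bytes]]:
    """Constructed capture: AP beacons, one legitimate deauth from the AP, and a
    forged burst of Disassociate frames claiming to come from the victim (addr2)
    toward the AP, i.e. the (SANTA'S MAC, AP BSSID, DISASSOC) frame of the diagram."""
    ap, victim, other = "02:ac:ce:55:00:01", "02:00:00:00:00:01", "02:00:00:00:00:02"
    frames = [(10.0 + 0.1 * i, build_mgmt_frame(BEACON, "ff:ff:ff:ff:ff:ff", ap, ap))
              for i in range(10)]
    frames.append((10.25, build_mgmt_frame(DEAUTH, other, ap, ap, reason=3)))
    frames += [(10.3 + 0.05 * i, build_mgmt_frame(DISASSOC, ap, victim, ap, reason=8))
               for i in range(8)]
    return frames


if __name__ == "__main__":
    for ts, src, bssid, n in detect_disassoc_floods(sample_capture()):
        print(f"{ts:.2f}s  {n} disassoc/deauth frames from {src} toward BSSID {bssid} within 1s")
```

On a real capture the frames would come from a monitor-mode interface rather than `sample_capture()`; the threshold and window are tuning knobs, since an AP legitimately deauthenticates idle stations at a far lower rate than a flood produces.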

Page 19: 802.11 Insecurities

Session Hijacking / MITM (Man-In-The-Middle)

The wireless advantage: easy access to medium!

Hijacking a wireless session
• Known network/transport layer attacks – easy w/ implementations
• MAC level hijacking
• Simple combination of disassociation and MAC spoofing
• Can beat 802.1X, if hijacking after EAP Success received by station

MITM
• SSH, SSL – easy w/ sshmitm, webmitm (dsniff package)
  ARP Poisoning, DNS redirect still work (may need retooling for 802.11 MAC)
  Same issues that go along with these attacks on wired medium exist here
• AP impersonate MITM – doable, challenging
• Could be detectable

Page 20: 802.11 Insecurities

Main Points

Wireless medium is inherently insecure
The 802.11 MAC poorly compensates
MAC layer needs stronger authentication
Per packet auth. could solve many issues
802.1X exchange comes too late
Spoofing attacks will become public

Page 21: 802.11 Insecurities

Recommendations

The first rule is…
• Secure your network protocols
• SECURE NETWORK PROTOCOLS
• SECURE NETWORK PROTOCOLS

wireless only makes attacks easier
Snake oil can provide hurdles for the casual
Treat wireless the way you treat remote traffic
High security environments: no wireless allowed

Page 22: 802.11 Insecurities

Wireless Tools for your Tinkering

Windows
• Netstumbler – find APs and their SSIDs
• Airopeek – wireless frame sniffer

Linux
• Airsnort (and other WEP tools)
• Airtraf (Netstumbler-like)
• Kismet (Netstumbler-like, WEP capture, other stuff)

Page 23: 802.11 Insecurities

WEP Cracking Demo

Cracking WEP in 10 Minutes
http://www.hackingdefined.com/movies/see-sec-wepcrack.zip

This is a demo from a distro called Woppix which later became BackTrack

Page 24: 802.11 Insecurities

Wireless Security

“The nice thing about standards is that there are so many to choose from.”

- Andrew S. Tanenbaum

Page 25: 802.11 Insecurities

Wireless Security – Obviously Many Don’t Bother

Page 26: 802.11 Insecurities

Wireless Security Problems

Common Techniques to Compromise Wireless Data Networks:
• Rogue Access Point Insertion
• Traffic Sniffing
• Traffic Data Insertion
• ARP-Snooping (via “Dsniff”) – trick wired network to pass data over wireless

Page 27: 802.11 Insecurities

Approximate Wireless Ranges

Page 28: 802.11 Insecurities

802.11b/g Wireless Radio Channels (USA)

Note: Using only channels 1, 6, and 11 incurs the least amount of adjacent radio channel interference.

Page 29: 802.11 Insecurities

Security Overview – Authentication

Determines:
• If you are who you say you are
• If (and what) access rights are granted

Examples are:
• “Smart Card” - SecurID® Server/Cards
• S/Key – One time password
• Digital Certificates

Page 30: 802.11 Insecurities

Examples of “Smart Cards”

http://www.rsasecurity.com

Page 31: 802.11 Insecurities

Wireless Security Overview – Data Encryption

• WEP – Wired Equivalent Privacy (No Authentication)
• WPA – WiFi Protected Access

Note: Due to computational overhead, almost all data encryption techniques impose an Access Point performance / throughput penalty.

Average Throughput Reduction Example – (Relative to No Encryption w/Linksys WRT54GS):
WPA-PSK w/AES (29.005 Mbps) = ~14.8% slower
WPA-PSK w/TKIP (28.464 Mbps) = ~16.4% slower
WEP-128 (22.265 Mbps) = ~34.6% slower

http://www.tomsnetworking.com/Reviews/images/scrnshots/linksys_wrt54gs_security.png

Page 32: 802.11 Insecurities

WEP (Wired Equivalent Privacy)

RC4 (Rivest Cipher 4 / Ron’s Code 4) Encryption Algorithm <http://www.cebrasoft.co.uk/encryption/rc4.htm>

Shared (but static) secret 64 or 128-bit key to encrypt and decrypt the data
• 24-bit ‘initialization vector’ (semi-random) leaving only 40 or 104 bits as the ‘real key’

WEP Key Cracking Software
• WEPCrack / AirSnort / Aircrack (as well as others)
• Cracking Time: 64-bit key = 2 seconds; 128-bit key = ~3-10 minutes

www.netcraftsmen.net/welcher/papers/wlansec01.html and www.tomsnetworking.com/Sections-article111-page4.php
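The 24-bit IV prepended to a static key, described on this slide, is the structural reason the earlier "Sweet & Low" slide calls WEP basically broken: RC4 is a stream cipher, so any IV repeat reuses a keystream. The block below is an added example, not code from the slides or from AirSnort, WEPCrack or Aircrack. It implements RC4 and WEP's IV || RC4(IV || key, data || ICV) framing, shows that two frames sent under the same IV leak the XOR of their plaintexts to anyone holding only the ciphertexts, and computes how many frames a 24-bit IV space can carry before a repeat is expected. The key and payloads are constructed sample values.

```python
"""WEP keystream reuse, worked through in code.

Added educational example, not code from the slides. WEP seeds RC4 with the
24-bit IV prepended to the static secret (40 or 104 bits) and sends the IV in
the clear. RC4 is a stream cipher, so any two frames that reuse an IV are
XORed with the same keystream; XORing their ciphertexts cancels the keystream
and leaks the XOR of the two plaintexts with no key at all. With only 2^24 IVs
a busy network repeats one within a few thousand frames. Keys and payloads
below are constructed sample values.
"""
import math
import os
import zlib
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling (KSA), then the PRGA keystream XORed over data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP data body: IV || RC4(IV || secret, plaintext || CRC-32 ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    if len(secret) not in (5, 13):
        raise ValueError("WEP secret is 40 or 104 bits")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + secret, plaintext + icv)


def wep_decrypt(secret: bytes, body: bytes) -> bytes:
    """Strip the IV, run RC4 again, verify the ICV and return the plaintext."""
    iv, ciphertext = body[:3], body[3:]
    padded = rc4(iv + secret, ciphertext)
    plaintext, icv = padded[:-4], padded[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR over the shorter of the two lengths."""
    return bytes(x ^ y for x, y in zip(a, b))


def plaintext_xor_leak(body1: bytes, body2: bytes) -> Optional[bytes]:
    """If two bodies share an IV, return P1 XOR P2 over the shorter plaintext.
    Needs no key: C1 ^ C2 = (P1 ^ K) ^ (P2 ^ K) = P1 ^ P2."""
    if body1[:3] != body2[:3]:
        return None
    n = min(len(body1), len(body2)) - 3 - 4   # drop the IV and the shorter frame's ICV
    return xor_bytes(body1[3:3 + n], body2[3:3 + n])


def expected_frames_until_iv_reuse(iv_bits: int = 24) -> float:
    """Birthday bound for random IVs: about sqrt(pi/2 * 2^n) frames before a repeat."""
    return math.sqrt(math.pi / 2 * (1 << iv_bits))


if __name__ == "__main__":
    secret = bytes.fromhex("0badc0ffee")          # constructed 40-bit key
    iv = os.urandom(3)
    p1 = b"GET /index.html HTTP/1.0"              # constructed payloads
    p2 = b"user=alice&password=xyz"
    c1, c2 = wep_encrypt(secret, iv, p1), wep_encrypt(secret, iv, p2)
    print("decrypts correctly:", wep_decrypt(secret, c1) == p1)
    print("P1^P2 recovered without key:", plaintext_xor_leak(c1, c2) == xor_bytes(p1, p2))
    print("frames until an IV repeat is expected: ~%d" % expected_frames_until_iv_reuse())
```

The birthday figure is for randomly chosen IVs; the slide's "semi-random" is generous, since many cards of the era counted IVs sequentially from zero on reset, which made repeats more frequent still. The CRC-32 ICV is computed here only so the framing is complete; it is a linear checksum, not a MAC, which is why WPA replaced it with a keyed integrity check.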

Page 33: 802.11 Insecurities

WEP Attack Approaches

Traffic (Packet) Collection Techniques
• High Traffic Access Points (APs)
  Simple/passive traffic sniffing / capture
• Low Traffic Access Points
  Have client ‘deauth’ to disassociate from the AP
  • (Forces traffic when the client re-associates to the AP)
  Replay captured ‘arp’ requests to the AP
  Sniff / capture resulting packets for analysis

Page 34: 802.11 Insecurities

WPA and WPA2 (WiFi Protected Access)

Created by the Wi-Fi Alliance industry group due to excessive delays in 802.11i approval

WPA and WPA2 designed to be backward compatible with WEP

Closely mirrors the official IEEE 802.11i standards but with EAP (Extensible Authentication Protocol)

Contains both authentication and encryption components

Page 35: 802.11 Insecurities

Wireless Authentication

802.11i
• EAP – Extensible Authentication Protocol
  Currently ~40 different EAP authentication methods
  PEAP (Protected EAP) = EAP + RADIUS Server
  RADIUS = Remote Authentication Dial-In User Service

Kerberos
• Provided as Part of Win2K+ and UNIX Server Platforms

IPSec (IP Security) / VPNs
• End-to-End Encryption

Page 36: 802.11 Insecurities

RADIUS Authentication

Remote User
• Desktop / Client

NAS Client (Network Access Server)
• Access desired to this Client/Server

AAA (RADIUS) Server
• Authentication, Authorization, and Accounting

http://www.wi-fiplanet.com/img/tutorial-radius-fig1.gif

Page 37: 802.11 Insecurities

Kerberos (a.k.a. “Fluffy”) – End-to-End Authentication

Kerberos is a widely used authentication server in an open environment.

Kerberos tickets have a limited life – generally configured to be 8 hours.

[Diagram] Kerberos: the Authentication Server (AS) and the Ticket-granting Server (TGS) hold the user secret keys.
Client → AS: Request a ticket for TGS
AS → Client: Ticket for TGS
Client → TGS: Request a ticket for Service
TGS → Client: Ticket for Service
Client → Service: Request Service

http://www.cs.dartmouth.edu/~minami/Presentations/security.ppt

The name Kerberos comes from Greek mythology; it is the three-headed dog that guarded the entrance to Hades.

http://www.faqs.org/faqs/kerberos-faq/general/section-4.html

Page 38: 802.11 Insecurities

WPA / WPA2 Encryption

WPA
• Mandates TKIP (Temporal Key Integrity Protocol)
  Scheduled Shared Key Change (i.e., every 10,000 data packets)
• Optionally specifies AES (Advanced Encryption Standard) capability

WPA will essentially fall back to WEP-level security if even a single device on a network cannot use WPA

WPA2
• Mandates both TKIP and AES capability

WPA / WPA2 networks will drop any altered packet or shut down for 30 seconds whenever a message alteration attack is detected.

Page 39: 802.11 Insecurities

WPA / WPA2 (Cont’d)

                       Authentication Method                         Encryption Method
WPA  SOHO / Personal   Pre-Shared Key                                Temporal Key Integrity Protocol
WPA  Enterprise        802.1X / Extensible Authentication Protocol   Temporal Key Integrity Protocol
WPA2 SOHO / Personal   Pre-Shared Key                                Advanced Encryption Standard
WPA2 Enterprise        802.1X / Extensible Authentication Protocol   Advanced Encryption Standard

Page 40: 802.11 Insecurities

WPA / WPA2 (Cont’d)

Personal Pre-shared Key
• User-entered 8 – 63 ASCII character passphrase produces a 256-bit Pre-Shared Key
• To minimize/prevent key cracking, use a minimum of 21 characters for the passphrase
• Key Generation: passphrase, SSID, and the SSID length are hashed 4096 times to generate a value of 256 bits

WPA Key Cracking Software
• coWPAtty / WPA Cracker (as well as others)
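The 4096-round hashing of passphrase, SSID and SSID length described on this slide is PBKDF2-HMAC-SHA1 with the SSID as salt and a 256-bit output, the passphrase-to-PSK mapping IEEE 802.11i defines. The block below is an added example, not code from the slides or from coWPAtty: it derives the PSK, checks it against the published 802.11i test vector, enforces the 8 to 63 printable-ASCII rule and the slide's 21-character minimum, and shows that the same passphrase under a different SSID yields a different key, which is why precomputed tables only work per SSID. The `psk_from_config` helper and its handling of a raw 64-hex-digit key are added here to illustrate the two forms a supplicant configuration accepts.

```python
"""WPA/WPA2-Personal passphrase-to-PSK mapping.

Added example, not code from the slides. The slide's "hashed 4096 times with
the SSID" is PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations and a
256-bit output (the mapping IEEE 802.11i defines). Two defender-relevant
consequences fall out of the code: the SSID salts the derivation, so a
precomputed table is only good for one SSID, and every candidate passphrase
costs 4096 HMAC-SHA1 rounds, so passphrase length and unpredictability, not
the hash, decide how long guessing takes. The 21-character minimum and the
8-63 printable-ASCII rule are enforced as checks.
"""
import hashlib


def validate_passphrase(passphrase: str) -> None:
    """802.11i rule: 8 to 63 printable ASCII characters (0x20..0x7E)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 0x20 <= ord(c) <= 0x7E for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def psk_from_config(value: str, ssid: str) -> bytes:
    """A config may hold either a passphrase or the raw 64-hex-digit PSK (hypothetical
    helper); the raw form skips PBKDF2 entirely, so it is neither salted nor stretched."""
    if len(value) == 64 and all(c in "0123456789abcdefABCDEF" for c in value):
        return bytes.fromhex(value)
    return wpa_psk(value, ssid)


def meets_recommended_length(passphrase: str, minimum: int = 21) -> bool:
    """The slide's recommendation: at least 21 characters to resist guessing."""
    return len(passphrase) >= minimum


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(wpa_psk("password", "IEEE").hex())
    # f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
    print("same passphrase, other SSID differs:",
          wpa_psk("password", "IEEE") != wpa_psk("password", "IEEE2"))
    print("'password' meets 21-char guidance:", meets_recommended_length("password"))
```

Because the derivation is deterministic per SSID, a common default SSID plus a short passphrase is the worst case; the length check is the cheap control a defender can enforce at provisioning time.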

Page 41: 802.11 Insecurities

WPA Authentication (Before Extended EAP – May 2005)

Personal Mode = Pre-Shared Key

Enterprise Mode = EAP-TLS
• (Transport Layer Security)

Page 42: 802.11 Insecurities

WPA / WPA2 Authentication (Since Extended EAP – May 2005)

Now Five WPA / WPA2 Enterprise Standards

1. EAP-TLS
   a. Original EAP Protocol
   b. Among most secure but seldom implemented as it needs a client-side certificate, i.e., smartcard (SecurID Key Fob http://www.securid.com/)

Page 43: 802.11 Insecurities

WPA / WPA2 Authentication (Since Extended EAP – May 2005)

2. EAP-TTLS/MSCHAPv2 (Tunneled Transport Layer Security)
   a. Better than #1, as username and password not in clear text

3. PEAPv0/EAP-MSCHAPv2
   a. Commonly referred to as “PEAP”
   b. Most Widely Supported EAP Standard

Page 44: 802.11 Insecurities

WPA / WPA2 Authentication (Since Extended EAP – May 2005)

4. PEAPv1/EAP-GTC
   a. Created by Cisco as alternative to #3. Cisco’s LEAP or EAP-FAST standard not frequently used as it can be cracked.
   b. This standard is rarely used

5. EAP-SIM
   a. Used by GSM mobile telecom industry with SIM card authentication

Page 45: 802.11 Insecurities

Other Security Techniques

The following techniques may provide marginal additional security, but may also make network administration tasks more difficult:

The six dumbest ways to secure a wireless LAN
• MAC Address Filtering
• Disabling SSID Broadcasts
• Disabling Access Point’s DHCP server (so new client addresses are not automatically issued)
• Cisco LEAP / EAP-FAST
• Use 802.11a / Bluetooth
• Antenna type, placement, direction, and transmitted power levels - Effective Isotropic Radiated Power (EIRP)

http://www.netstumbler.com/2002/11/13/antenna_to_boost_wireless_security/

Page 46: 802.11 Insecurities

Security Configuration Recommendations

Enterprise
1. WPA2 – RADIUS / Kerberos
2. WPA2 – Pre-shared Key
3. (Continue With SOHO / Personal Options)

SOHO / Personal
1. WPA with AES
2. WPA with TKIP
3. WEP with 128-bit key
4. WEP with 64-bit key
5. No Encryption

Page 47: 802.11 Insecurities

Security Configuration

When configuring a wireless router / access point, always use a ‘wired’ connection!
• (Don’t cut ‘the branch you’re standing on’!)

When changing a configuration option, always make the change on the router / access point first, then make the compatible change on your local wireless network card / configuration!

Page 48: 802.11 Insecurities

Security Configuration Options

Page 49: 802.11 Insecurities

Security Configuration Options

Page 50: 802.11 Insecurities

Security Configuration Options

Page 51: 802.11 Insecurities

Security Configuration Options

Page 52: 802.11 Insecurities

Security Configuration Options

Page 53: 802.11 Insecurities

Security Configuration Options

Page 54: 802.11 Insecurities

Security Configuration Options

Page 55: 802.11 Insecurities

Security Configuration Options

Page 56: 802.11 Insecurities

Security Configuration Options

Page 57: 802.11 Insecurities

Other Firmware Options

Cisco/Linksys WRT54G/GS wireless router / access point utilizes some Open Source (Linux) code.

Cisco released the firmware source code in July, 2003 – Additional branches of firmware are now available.

Page 58: 802.11 Insecurities

Sources Of Other Firmware

Sveasoft
• http://www.sveasoft.com/

DD-WRT (I use this)
• http://www.dd-wrt.org

Earthlink
Sputnik
LinksysInfo
WRT54G.net

Page 59: 802.11 Insecurities

Other Firmware Options Support / Provide:

VPN Services
VoIP Services
Configure as a repeater / bridge
A Managed ‘Hot Spot’ with RADIUS Support
Manage bandwidth per protocol
Control traffic shaping
Support IPv6
Boost antenna power
Remotely access router logs
Use router as a low power PC running Linux Applications
Bad firmware flash recovery:
• WRT54G Revival Guide
  http://www.wi-fiplanet.com/tutorials/article.php/3562391

Page 60: 802.11 Insecurities

Miscellaneous Links

WEP Cracking Article
• http://www.securityfocus.com/infocus/1814

SecureDVD
• http://securedvd.org/screenshots.html