WIRELESS LAN SECURITY AND LABORATORY DESIGNS

Yasir Zahur, T. Andrew Yang

University of Houston – Clear Lake

17th CCSC Southeastern Conference (CCSCSE 2003)
Georgia Perimeter College - Dunwoody, GA


Agenda

• Introduction
• Standards & Specifications
• Vulnerabilities
• Alternate Security Solutions
• Laboratory Setup


Where Does WLAN Fit?


Source: http://www.jiwire.com/?cid=95&kw=802.11&se=google (Nov. 6, 2003)

Traveler's Quick Finder: browse by location

• Free Hotspots: 510 hotspots
• Hotels: 5,910 hotspots
• Airports: 432 hotspots
• Cafes: 5,344 hotspots


Growth of WLAN


Infrastructure Mode of WLAN


Typical WLAN Architecture


IEEE 802.11 Standards

| Standard | Description | Current Status |
|---|---|---|
| IEEE 802.11 | Standard for WLAN operations at data rates up to 2 Mbps in the 2.4-GHz ISM band | Approved in July 1997 |
| IEEE 802.11a | Standard for WLAN operations at data rates up to 54 Mbps in the 5-GHz UNII band | Approved in Sept 1999. End-user products began shipping in early 2002 |
| IEEE 802.11b | Standard for WLAN operations at data rates up to 11 Mbps in the 2.4-GHz ISM band | Sept 1999. End-user products began shipping in early 2000 |
| IEEE 802.11g | High-rate extension to 802.11b allowing for data rates up to 54 Mbps in the 2.4-GHz ISM band | Draft standard adopted Nov 2001. Full ratification expected late 2002 or early 2003 |
| IEEE 802.11e | Enhance the 802.11 MAC to improve and manage Quality of Service, provide classes of service, and enhanced security and authentication mechanisms. These enhancements should provide the quality required for services such as IP telephony and video streaming | Still in development, i.e., in the task group (TG) stage |
| IEEE 802.11f | Develop recommended practices for an Inter-Access Point Protocol (IAPP) which provides the necessary capabilities to achieve multi-vendor AP interoperability across a DS supporting IEEE P802.11 Wireless LAN Links | Still in development, i.e., in the task group (TG) stage |
| IEEE 802.11i | Enhance the 802.11 Medium Access Control (MAC) to enhance security and authentication mechanisms | Still in development, i.e., in the task group (TG) stage |


Interferences (802.11b)

[Figure labels: 2.4 GHz cordless phone; access point; some other wireless network; microwave oven]


IEEE 802.11b Specifications (a brief overview)

• Transmission of approximately 11 Mbps of data
• Half Duplex protocol
• Use of CSMA/CA (collision avoidance) instead of CSMA/CD (collision detection)
• Total of 14 frequency channels. FCC allows channels 1 through 11 within the U.S. in the 2.4 GHz ISM band
• Only channels 1, 6 and 11 can be used without causing interference between access points
• Wired Equivalent Privacy (WEP) based on Symmetric RC4 Encryption algorithm
• Use of Service Set Identifier (SSID) as network identifier


General WLAN Vulnerabilities

• Eavesdropping
• Invasion and Resource Stealing
• Traffic Redirection
• Denial Of Service Attack
• Rogue Access Point
• No per packet authentication
• No central authentication, authorization, and accounting (AAA) support


802.11b Vulnerabilities

• MAC address based authentication
• One-Way authentication
• SSID
• Static WEP Keys
• WEP key vulnerabilities
   o Manual Key Management
   o Key Size
   o Initialization Vector
   o Decryption Dictionaries


WEP Encryption


IEEE 802.1x

• IEEE 802.1x is a port-based authentication protocol.
• It forms the basis for the IEEE 802.11i standard.
• There are three types of entities in a typical 802.1x network: a supplicant, an authenticator, and an authentication server.
• In the unauthorized state, the port allows only DHCP and EAP (Extensible Authentication Protocol) traffic to pass through.
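
The unauthorized-port rule on this slide, modeled as an added example that is not part of the original slides: an authenticator port that passes only EAPOL and DHCP frames until an EAP-Success is relayed to the supplicant. The class and function names and the sample frames are constructed for illustration; admitting DHCP before authorization follows the slide's statement.

```python
import struct

ETH_IPV4, ETH_EAPOL = 0x0800, 0x888E   # EtherTypes; 0x888E carries EAP over LAN
EAP_SUCCESS, EAP_FAILURE = 3, 4        # EAP Code field values (RFC 3748)

def ethertype(frame):
    return struct.unpack("!H", frame[12:14])[0] if len(frame) >= 14 else None

def is_dhcp(frame):
    """IPv4/UDP between ports 67 and 68; truncated or malformed frames fail."""
    if ethertype(frame) != ETH_IPV4 or len(frame) < 34:
        return False
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 17 or len(frame) < 18 + ihl:
        return False
    return set(struct.unpack("!HH", frame[14 + ihl:18 + ihl])) == {67, 68}

class AuthenticatorPort:                              # hypothetical model
    def __init__(self):
        self.authorized = False

    def relay_to_supplicant(self, frame):
        """Track the EAP result the authenticator forwards to the supplicant."""
        # EAPOL header: version, type (0 = EAP-Packet), 2-byte length; then EAP code
        if ethertype(frame) == ETH_EAPOL and len(frame) >= 19 and frame[15] == 0:
            if frame[18] in (EAP_SUCCESS, EAP_FAILURE):
                self.authorized = frame[18] == EAP_SUCCESS

    def admit(self, frame):
        """Decide whether a frame from the supplicant may cross the port."""
        return self.authorized or ethertype(frame) == ETH_EAPOL or is_dhcp(frame)

# Constructed sample frames (locally administered MACs, zeroed checksums).
def eth(etype, payload):
    return b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", etype) + payload

def udp(sport, dport):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, bytes(4), bytes(4))
    return eth(ETH_IPV4, ip + struct.pack("!HHHH", sport, dport, 8, 0))

EAPOL_START = eth(ETH_EAPOL, bytes([1, 1, 0, 0]))
EAP_SUCCESS_FRAME = eth(ETH_EAPOL, bytes([1, 0, 0, 4, EAP_SUCCESS, 7, 0, 4]))
DHCP_DISCOVER, WEB_REQUEST = udp(68, 67), udp(40000, 80)

def demo():
    port = AuthenticatorPort()
    before = [port.admit(f) for f in (EAPOL_START, DHCP_DISCOVER, WEB_REQUEST)]
    port.relay_to_supplicant(EAP_SUCCESS_FRAME)
    return before, port.admit(WEB_REQUEST)
```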


EAPOL Exchange


IEEE 802.1x – Pros / Cons

• Dynamic Session Key Management
• Open Standards Based
• Centralized User Administration
• User Based Identification
• Absence Of Mutual Authentication
• Lack of clear communication between 802.11 and 802.11i state machines and message authenticity


Absence Of Mutual Authentication

• Supplicant always trusts the Authenticator but not vice versa
• This opens the door for “MAN IN THE MIDDLE ATTACK”


Session Hijack Attack

[Figure labels: 802.11i State Machine; 802.11 State Machine]


Session Hijack Attack (…cont)


Alternate Solutions

• Virtual Private Networks (VPN)
   o User Authentication
   o Encryption
• Cisco LEAP
   o Mutual Authentication
   o Per Session based Keys
• Secure Socket Layer (SSL)
   o Encryption
   o Digital Certificates


WEP Attack


Man In The Middle & Session Hijack Attacks


Cisco LEAP Setup

[Figure labels: LEAP Enabled Access Point; LEAP Enabled Client; AAA Server]


VPN Setup

[Figure labels: Pass Through Access Point; VPN Client; VPN Server]


SSL Setup

[Figure labels: Pass Through Access Point; SSL Client; SSL Server]


A Specialized Computer Security Lab

NSF CCLI A&I grant: 2003-2005

Two Focuses:

a) DCSL: Distributed Computer Security Lab
   o Between UHCL and UHD
   o Possibly extended to other small or medium-sized colleges
   o Customizable testbed for various security-related experiments/projects

b) Module-based Computer Security Courseware Design
   o On-going
   o Looking for collaborators, courseware developers, users, …


Computer Security Courseware

b) Module-based Computer Security Courseware Design
   o Units: Modules, submodules, artifacts, …
