- Minimize/eliminate operational losses
- Minimize investment
- Maximize positive returns (where ROI applies)
- Accelerate the timing of returns

Your goal is to implement cost-effective security, in which the expected cost of a control is less than the expected loss. Such controls generate a positive ROSI; that is, you can expect to save money over time. Ideally, you want to deploy the most cost-effective controls — those that maximize ROSI. Your challenge is to measure ROSI for given security controls. You should try to base measurements on empirical data and mathematical analysis, rather than opinions. You should evaluate all proposals, techniques, products, and services in terms of ROSI. You should establish best practices based on ROSI. Unfortunately, most companies currently base security decisions on expert opinion and conventional wisdom, not on empirical data and mathematical analysis.

Perform a risk assessment to understand the value of the assets in your organization that need protection. Understanding the value of organizational assets and the level of protection required is likely to enable more cost-effective wireless solutions that provide an appropriate level of security. You don't want to spend money to protect data that has no value. We doubt that you will find any case in which the data has no value, but you don't want to spend more on security measures than the value of the data. Several companies sell risk management software, including Methodware Enterprise Risk Assessor (www.methodware.com) and Risk Services & Technology RiskTrak (www.risktrak.com).
184 Part III: Using Your Network Securely 15_575252 ch10.qxd 9/2/04 4:03 PM Page 184

Chapter 11
Maintaining Network Security

In This Chapter
- Reviewing security mechanisms
- Understanding authentication
- Filtering SSIDs, MAC addresses, and protocols
- Encrypting frames
- Looking at WEP problems
- Upgrading to WPA
- Using AES
- Using EAP

In this chapter, we look at several built-in security features of 802.11 for network security. Risks in wireless networks are equal to the sum of the risk of operating a wired network (as in operating a network in general) plus the new risks introduced by weaknesses in wireless protocols.

In Chapter 2, we discuss the need to specify security requirements. This includes determining the security stance of the organization. You need to perform a security assessment prior to implementation to determine the specific threats and vulnerabilities that wireless networks will introduce in your environment. In performing your assessment, you should consider your existing security policies, known threats and vulnerabilities, legislation and regulations, safety, reliability, system performance, the life-cycle costs of security measures, and technical requirements. After you complete your risk assessment, you can begin planning and implementing the measures that you will put in place to safeguard your systems and lower your security risks to an acceptable level. Your organization should periodically reassess the policies and measures that it puts in place because technologies and malicious threats are ever-changing. As with wired networks, you must make your management aware of security issues.

Understanding Security Mechanisms

The IEEE 802.11 specification identified several features to provide a secure operating environment. Your challenge is to decide how many of these security features you need.
In this chapter, we provide an overview of the inherent network security features to better illustrate the limitations. When reviewing the security requirements, we use the following requirements:

- Authentication: One entity proves to the other their identity.
- Access control: An entity can be allowed or denied access to the network.
- Replay prevention: An entity can determine a previously sent message.
- Message integrity: An entity can verify that no one has changed the content of a message in transit.
- Message privacy: Sensitive information is encrypted when transmitted between two wireless entities to prevent interception and disclosure or prevent a third party from tracking communications between two other entities.
- Non-repudiation: An entity can verify the origin or the receipt of a specific message.
- Accountability: An entity can trace the actions of an entity uniquely to that entity.
- Key protection: The system can protect the confidentiality of a key used by an entity.

As we go through this chapter, you will note that the 802.11 standard did not specifically address these security services. The 802.11 standard attempts to address privacy and integrity but falls well short and does not offer the other security services. As with many newer technologies (and some older ones), you may not find the available security features as comprehensive or robust as you would like. Although the security features have the weaknesses described in this chapter, they can provide a degree of protection against unauthorized disclosure, unauthorized network access, and other active probing attacks. We strongly recommend that you use the built-in security features as part of an overall defense-in-depth strategy. Unfortunately, vendors frequently disable the built-in security features by default. You must enable, use, and routinely test the built-in security features, such as authentication and encryption, that exist in wireless technologies.
Three States of Authentication

A necessary security service is authentication. It is as basic a service as you can get. In the standard 802.11, we don't authenticate users. If you want, you can make sure someone knows the shared key. Before we finish this chapter, we will show you why you don't want to use the shared key to authenticate. While authenticating, a wireless client goes through three states:

- Unauthenticated and unassociated: The client selects a basic service set by sending a probe request to an access point with a matching SSID.
- Authenticated and unassociated: The client and the access point perform authentication by exchanging several management frames. After authentication, the client moves into this state.
- Authenticated and associated: The client must send an association request frame, and the access point must respond with an association response frame. A client can authenticate to many access points, but will associate only with the access point with the strongest signal.

In the second state, we just casually mention that the client authenticates to the access point. It's not quite that simple.

Authentication

The IEEE 802.11 specification defines two ways to "validate" wireless users attempting to gain access to a wired network: open system authentication and shared-key authentication. Shared-key authentication is based on cryptography, and the other is not. The open system authentication technique is not truly authentication; the access point accepts the mobile station without verifying the identity of the station. With open system authentication, the AP authenticates a client when the client simply responds with a MAC address during the two-message exchange. The open system authentication process is as follows:

1. Client makes a request to associate to an access point.
2. AP authenticates client and sends a positive response, and client is associated.
Shared-key authentication is a cryptographic technique for authentication. It is a simple "challenge-response" scheme based on whether a client has knowledge of a shared secret. In this scheme, the access point generates a random 128-bit challenge and sends it to the wireless client. The client, using a cryptographic key that is shared with the access point, encrypts the challenge, or nonce (as it is called in security vernacular), and returns the result to the AP. The AP decrypts the result computed by the client and allows access only when the decrypted value is the same as the random challenge transmitted. The algorithm used in the cryptographic computation and for the generation of the 128-bit challenge text is the same RC4 stream cipher used for Wired Equivalent Privacy (WEP).

This authentication method is a rudimentary cryptographic technique that does not provide mutual authentication. That is, the client does not authenticate the AP, and therefore there is no assurance that a client is communicating with a legitimate AP and wireless network. It is also worth noting that simple unilateral challenge-response schemes have long been known to be weak. They suffer from numerous attacks, including the infamous "man-in-the-middle" attack. The shared-key authentication process follows:

1. Client requests association.
2. AP sends random cleartext (128-bit challenge).
3. Client encrypts challenge.
4. AP verifies the challenge.
5. The access point authenticates the client and sends a positive response and then associates the client.

Table 11-1 lists the pros and cons of the two types of authentication. The IEEE 802.11 specification does not require shared-key authentication.

Table 11-1 Open System versus Shared-Key Authentication

    Open System                                   Shared-Key
    A station is allowed to join a network        A station is allowed to join the network
    without any identity verification.            when it proves it shares the WEP key.
    1-stage challenge/response (not required).    2-stage challenge/response (required).
    Non-cryptographic.                            Cryptographic using RC4.

Logically, you may guess that shared-key authentication is more secure than open system authentication. But this is not the case. Because of the way the shared-key authentication is done, it is less secure. Let's look at why.

An attacker gathers management messages from the authentication process. One message contains the random challenge in cleartext. The next message contains the encrypted challenge using the shared key. The encryption process is simple. The algorithm does an exclusive OR on the plaintext to derive ciphertext as follows:

    P XOR R = C

From here, the rest is just simple math:

    If P XOR R = C then C XOR R = P
    If P XOR R = C then C XOR P = R

Now, the attacker knows everything from passive network monitoring: algorithm number, sequence number, status code, element ID, length, and challenge text. The attacker requests authentication. The access point responds with a cleartext challenge. The attacker uses the challenge with the value R above to compute a valid authentication response frame by XORing the two values together and computes a valid CRC value. Finally, the attacker responds with a valid authentication response message and associates with the AP to join the network. Because of the flaw, the attacker did not need to know the shared key!

Protecting Privacy

The 802.11 standard supports privacy (confidentiality) through the use of cryptographic techniques for the wireless interface. The WEP cryptographic technique for confidentiality also uses the RC4 symmetric-key, stream cipher algorithm to generate a pseudo-random data sequence. This key stream is simply added modulo 2 (exclusive ORed) to the data to be transmitted.
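The XOR identity behind the shared-key weakness described above is easy to see in code. The following is an added example, not code from the book: it models the challenge-response exchange with a toy keystream (SHA-256 based, standing in for RC4) and shows that one passively observed exchange is enough to answer a fresh challenge, while a keyed-MAC challenge-response gives an observer nothing reusable. The IV handling, the keystream function and all names are assumptions of this example; like the 802.11 scheme, neither variant gives the client any authentication of the AP.

```python
"""Unilateral XOR challenge-response leaks its keystream; a keyed MAC does not.

Added example, not the book's code. toy_keystream() stands in for RC4 and the
(iv, response) framing is an assumption of this model.
"""
import hashlib
import hmac
import os

CHALLENGE_LEN = 16  # the text's 128-bit challenge


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Exclusive OR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def toy_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in stream cipher: expand key||iv into `length` keystream bytes.
    Any stream cipher looks the same to this demo: C = P XOR R."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


# --- Scheme 1: shared-key authentication as the text describes it ---

def xor_client_response(key: bytes, challenge: bytes) -> tuple[bytes, bytes]:
    """Legitimate client: choose an IV, encrypt the challenge, send (iv, response)."""
    iv = os.urandom(3)
    return iv, xor_bytes(challenge, toy_keystream(key, iv, len(challenge)))


def xor_ap_verify(key: bytes, challenge: bytes, iv: bytes, response: bytes) -> bool:
    """AP decrypts the response and compares it with the challenge it sent."""
    return xor_bytes(response, toy_keystream(key, iv, len(challenge))) == challenge


def keystream_from_observation(challenge: bytes, response: bytes) -> bytes:
    """C XOR P = R: the observer recovers the keystream bytes without the key."""
    return xor_bytes(response, challenge)


def xor_scheme_leaks_keystream() -> bool:
    """Observe one legitimate exchange, then answer a new challenge keylessly."""
    key = os.urandom(13)  # 104-bit shared key; never used by the observer
    c1 = os.urandom(CHALLENGE_LEN)
    iv, r1 = xor_client_response(key, c1)
    observed_r = keystream_from_observation(c1, r1)
    c2 = os.urandom(CHALLENGE_LEN)           # the AP's next challenge
    answer = xor_bytes(c2, observed_r)       # same IV, same keystream
    return xor_ap_verify(key, c2, iv, answer)  # True: accepted


# --- Scheme 2: keyed-MAC challenge-response (no keystream to recover) ---

def mac_client_response(key: bytes, challenge: bytes) -> bytes:
    return hmac.new(key, challenge, hashlib.sha256).digest()


def mac_ap_verify(key: bytes, challenge: bytes, response: bytes) -> bool:
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def mac_scheme_rejects_replay() -> bool:
    """An observed (challenge, response) pair says nothing about a fresh challenge."""
    key = os.urandom(13)
    c1 = os.urandom(CHALLENGE_LEN)
    r1 = mac_client_response(key, c1)
    c2 = os.urandom(CHALLENGE_LEN)
    legitimate_ok = mac_ap_verify(key, c1, r1)
    replay_rejected = not mac_ap_verify(key, c2, r1)
    return legitimate_ok and replay_rejected


if __name__ == "__main__":
    print("XOR scheme accepts keyless answer:", xor_scheme_leaks_keystream())
    print("HMAC scheme rejects replayed answer:", mac_scheme_rejects_replay())
```

The keystream leak is a property of encrypting a known plaintext with a stream cipher, not of RC4 in particular, which is why the fix is a different construction (a keyed function of the challenge) rather than a longer key.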
Through the WEP technique, you can protect data from disclosure during transmission over the wireless link. WEP is applied to all data above the 802.11 WLAN layers to protect datagrams such as Internet Protocol (IP) and Internet Packet Exchange (IPX), or application protocols such as HyperText Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP).

As defined in the 802.11 standard, WEP supports only a 40-bit cryptographic key size for the shared key. However, numerous vendors offer nonstandard extensions of WEP that support key lengths from 40 bits to 104 bits. At least one vendor supports a key size of 128 bits (that is, 152 bits). The 104-bit WEP key, for instance, with a 24-bit initialization vector (IV) becomes a 128-bit RC4 key. In general, all other things being equal, increasing the key size increases the security of a cryptographic technique. However, it is always possible for flawed implementations or flawed designs to prevent long keys from increasing security. Research has shown that key sizes of greater than 80 bits, for robust designs and implementations, make brute-force cryptanalysis (code breaking) an impossible task. For 80-bit keys, the number of possible keys — a key space of more than 10^26 — exceeds contemporary computing power. In practice, most WLAN deployments rely on 40-bit keys. Moreover, recent attacks have shown that the WEP approach for privacy is, unfortunately, vulnerable to certain attacks regardless of key size. The attacks mentioned above are described later in the following sections.

Protecting Message Integrity

The IEEE 802.11 specification also outlines a way for providing data integrity for messages transmitted between wireless clients and access points. This security service was designed to reject any messages that an active adversary "in the middle" had changed.
This technique uses a simple Cyclic Redundancy Check (CRC) approach. The access point and client compute a CRC-32 or frame check sequence called an integrity check value (ICV) for each frame prior to transmission. Referring to Figure 11-1 (later in the chapter), you can see that WEP then encrypts the integrity-sealed packet using the RC4 key stream to provide the ciphertext message. The receiver decrypts the frame and recomputes the CRC on the message. The CRC computed at the receiving end is compared with the one computed with the original message. When the CRCs are not equal, there is an error, and the receiver discards the frame. Great idea, but again poorly implemented. It is possible to flip bits and still end up passing the CRC check. The CRC is not a cryptographically secure mechanism such as a secure hash, message digest, or message authentication code (MAC).

CRC-32 and other linear block codes are inadequate for providing cryptographic integrity. Message modification is possible. Linear codes are inadequate for protecting against intentional data integrity attacks. You need real cryptographic protection to prevent deliberate attacks. Use of non-cryptographic protocols often facilitates attacks against the cryptography. In our case, it does. One reason is that we use our 64- or 128-bit key for integrity and privacy, a cryptography no-no.

Filtering the Chaff

As mentioned previously, we want to build our security in-depth. We never rely on one control because it may fail. You can build defense-in-depth by using some of the filtering capabilities offered on your access point. They are not the strongest and you should not rely on only these filters, but they may act as a departure point for your network security.

SSID filtering

The simplest filter you have is SSID filtering.
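Before going on with the filters, here is an added example (not code from the book) of the CRC-32 integrity problem described above under Protecting Message Integrity. It builds a WEP-style frame, message followed by a CRC-32 ICV and XORed with a keystream, checks that CRC-32 is affine (crc(a XOR b) = crc(a) XOR crc(b) XOR crc(0...0)), and shows that a receiver checking only the CRC accepts a frame whose plaintext was altered through the ciphertext, while a receiver checking an HMAC tag rejects it. The keystream is random bytes standing in for RC4 output, and the frame layout, field names and sample payload are assumptions of this example.

```python
"""CRC-32 is linear, so an encrypted CRC-sealed frame can be altered undetected;
an HMAC-sealed frame cannot. Added example, not the book's code."""
import hashlib
import hmac
import os
import zlib

ICV_LEN = 4   # CRC-32 integrity check value
TAG_LEN = 32  # HMAC-SHA256 tag in the hardened variant


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "big")


def crc_is_affine(a: bytes, b: bytes) -> bool:
    """crc(a XOR b) == crc(a) XOR crc(b) XOR crc(zeros) for equal-length inputs.
    This linearity is what makes a CRC useless against deliberate changes."""
    zero = bytes(len(a))
    return zlib.crc32(xor_bytes(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zero)


# --- WEP-style sealing: (message || CRC-32 ICV) XOR keystream ---

def seal_crc(keystream: bytes, msg: bytes) -> bytes:
    return xor_bytes(msg + crc32(msg), keystream)


def open_crc(keystream: bytes, frame: bytes):
    """Receiver: decrypt, recompute the CRC, drop the frame on mismatch."""
    plain = xor_bytes(frame, keystream)
    msg, icv = plain[:-ICV_LEN], plain[-ICV_LEN:]
    return msg if crc32(msg) == icv else None


def apply_delta_through_ciphertext(frame: bytes, delta: bytes) -> bytes:
    """Flip plaintext bits via the ciphertext; by linearity the matching ICV
    change is crc(delta) XOR crc(zeros), independent of the unknown message."""
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))).to_bytes(4, "big")
    return xor_bytes(frame, delta + icv_delta)


# --- Hardened sealing: (message || HMAC-SHA256 tag) XOR keystream ---

def seal_mac(keystream: bytes, key: bytes, msg: bytes) -> bytes:
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return xor_bytes(msg + tag, keystream)


def open_mac(keystream: bytes, key: bytes, frame: bytes):
    plain = xor_bytes(frame, keystream)
    msg, tag = plain[:-TAG_LEN], plain[-TAG_LEN:]
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return msg if hmac.compare_digest(expected, tag) else None


def demo() -> tuple:
    """Return (what the CRC receiver accepted, what the HMAC receiver accepted)."""
    msg = b"transfer 100 to carol"          # constructed sample payload
    delta = bytearray(len(msg))
    delta[9] = ord("1") ^ ord("9")           # flips the '1' of "100" to '9'
    delta = bytes(delta)

    ks_crc = os.urandom(len(msg) + ICV_LEN)  # stand-in for the RC4 keystream
    tampered = apply_delta_through_ciphertext(seal_crc(ks_crc, msg), delta)
    crc_result = open_crc(ks_crc, tampered)  # accepted: b"transfer 900 to carol"

    key = os.urandom(32)
    ks_mac = os.urandom(len(msg) + TAG_LEN)
    tampered_mac = xor_bytes(seal_mac(ks_mac, key, msg), delta + bytes(TAG_LEN))
    mac_result = open_mac(ks_mac, key, tampered_mac)  # None: rejected
    return crc_result, mac_result


if __name__ == "__main__":
    print(demo())
```

The point to take away for design reviews: an integrity check must be keyed and non-linear; encrypting a linear checksum does not turn it into one, which is the reason later 802.11 protection replaced the ICV with a keyed message integrity code.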
You can eliminate casual attempts to join your network by turning off SSID broadcast and requiring your client to know the SSID of the network. Let's be sure we understand that an SSID is not a passcode of any kind but an identifier for your network. Now, you can use Kismet, Wellenreiter, and other tools to monitor packets until you figure out the SSID, so this might discourage an individual looking for the "low hanging fruit," but not a determined attacker.

MAC filtering

MAC (or physical or hardware) address filtering provides basic control over the stations that you want connecting to your access point. A MAC (media access control) address is a hardware or physical address uniquely identifying each computer or attached device on a network. It is a 48-bit number set by the manufacturer. The 48 bits break down into a 24-bit organizationally unique identifier (OUI), assigned by the IEEE, and a 24-bit unique card identifier. You can find a list of OUIs at http://standards.ieee.org/regauth/oui/index.shtml. The address is a unique 6-part hexadecimal with each part numbered from 00 to FF. You can write the address unhyphenated (for example, 123456789ABC) or with one hyphen (for example, 123456-789ABC), but correctly you should write it hyphenated by octets (for example, 12:34:56:78:9A:BC). The numbering scheme gives a theoretical 281,474,976,710,656 addresses — more than 56,000 MAC addresses for each person on the planet! However, the flat addressing scheme limits the available addresses to 2^24 for each vendor. Because we don't have 2^24 vendors, some addresses are wasted. When sending a frame, you send the frame to the hardware address ultimately. You use software addresses (for example, IP addresses) to route packets to the destination subnet or segment.
You can use the MAC address to restrict access based on MAC access control lists (ACLs) that are stored and distributed across many APs, although some other access points have only the ability to filter trusted MAC addresses. Regardless, the MAC filter grants or denies access to a computer using a list of permissions designated by MAC address.

The Ethernet MAC filter, however, does not represent a strong defense mechanism by itself. Because your client transmits its MAC address in the clear, someone can easily capture the MAC address. Malicious users can spoof a MAC address by changing the actual MAC address on their computer to a MAC address that has access to the wireless network. You can add a NetworkAddress to the Registry with regedit. (Don't forget to back up your registry before making changes to any registry entry.) Alternatively, you can use the Set MAC Address software (www.klcconsulting.net) shown in Chapter 17. If you are using UNIX/Linux, use the ifconfig tool or a short C program calling the ioctl() function with the SIOCSIFHWADDR flag. You can also find a program called macchanger to help out. For the Mac OS X platform, use xnu (www.securemac.com/macosxxnu.php) or etherspoof (http://slagheap.net/etherspoof). Because someone can use a tool like SMAC to change her MAC address to any value, this may negate the value of MAC filtering. It may have some value against casual eavesdropping, but it is not effective against determined adversaries. However, you should weigh the administrative burden of enabling the MAC ACL (assuming they are using MAC ACLs) against the true security provided. In a medium-to-large network, you may find the burden of establishing and maintaining MAC ACLs or filters exceeds the value of the security countermeasure. In addition, most products support only a limited number of MAC addresses in the MAC ACL or filter.
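As an added example (not code from the book) of the MAC address notations and the MAC ACL discussed above: the following parses the three written forms from the text (unhyphenated, one hyphen, colon-separated octets), splits out the OUI, and runs a small ACL over a constructed association log. It also flags addresses with the IEEE 802 locally-administered bit set (bit 1 of the first octet), which is the bit a software-assigned address normally carries; treat that as a review heuristic, not proof of spoofing. The ACL class, the log format and the sample addresses are assumptions of this example.

```python
"""MAC address parsing, OUI extraction and a MAC ACL with a review heuristic.
Added example, not the book's code; log format and ACL layout are constructed."""
import re

TOTAL_ADDRESSES = 2 ** 48      # the text's 281,474,976,710,656
ADDRESSES_PER_OUI = 2 ** 24    # 24-bit card identifier per vendor OUI

_PLAIN = re.compile(r"[0-9A-Fa-f]{12}")                        # 123456789ABC
_HALVES = re.compile(r"[0-9A-Fa-f]{6}-[0-9A-Fa-f]{6}")          # 123456-789ABC
_OCTETS = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")  # 12:34:56:78:9A:BC


def parse_mac(text: str) -> bytes:
    """Accept the three notations from the text; return the 6 raw octets."""
    t = text.strip()
    if _PLAIN.fullmatch(t):
        hexdigits = t
    elif _HALVES.fullmatch(t) or _OCTETS.fullmatch(t):
        hexdigits = re.sub(r"[:-]", "", t)
    else:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(hexdigits)


def format_mac(mac: bytes) -> str:
    """Canonical form from the text: colon-separated octets, upper-case hex."""
    return ":".join(f"{b:02X}" for b in mac)


def oui(mac: bytes) -> str:
    """First 24 bits: the IEEE-assigned organizationally unique identifier."""
    return format_mac(mac[:3])


def is_locally_administered(mac: bytes) -> bool:
    """Bit 1 of the first octet: address assigned by software, not burned in."""
    return bool(mac[0] & 0x02)


def is_multicast(mac: bytes) -> bool:
    """Bit 0 of the first octet: group address, never a station's own address."""
    return bool(mac[0] & 0x01)


class MacAcl:
    """Allow-list of station addresses, compared on raw octets so notation
    differences (case, separators) cannot bypass the filter."""

    def __init__(self, allowed):
        self.allowed = {parse_mac(m) for m in allowed}

    def check(self, mac_text: str) -> tuple:
        """Return (permitted, warnings)."""
        mac = parse_mac(mac_text)
        if is_multicast(mac):
            return False, ["multicast/broadcast address cannot be a station"]
        if mac not in self.allowed:
            return False, [f"{format_mac(mac)} not in ACL (OUI {oui(mac)})"]
        warnings = []
        if is_locally_administered(mac):
            warnings.append(f"{format_mac(mac)} has the locally-administered bit set; verify the station")
        return True, warnings


def audit_association_log(acl: MacAcl, lines) -> list:
    """Each line: '<time> assoc-request <mac>' (constructed log format)."""
    findings = []
    for line in lines:
        stamp, _, mac_text = line.split()
        permitted, warnings = acl.check(mac_text)
        status = "PERMIT" if permitted else "DENY"
        note = ("  " + "; ".join(warnings)) if warnings else ""
        findings.append(f"{stamp} {status} {format_mac(parse_mac(mac_text))}{note}")
    return findings


# Constructed sample data: an ACL with two trusted stations and four requests.
SAMPLE_ACL = MacAcl(["00:1A:2B:3C:4D:5E", "021A2B3C4D5E"])
SAMPLE_LOG = [
    "10:01:02 assoc-request 00:1A:2B:3C:4D:5E",   # trusted, burned-in address
    "10:01:07 assoc-request 001a2b-3c4d5f",       # unknown, same OUI
    "10:01:09 assoc-request 02:1A:2B:3C:4D:5E",   # trusted but software-assigned
    "10:01:11 assoc-request FF:FF:FF:FF:FF:FF",   # broadcast, never a station
]


def audit_sample() -> list:
    return audit_association_log(SAMPLE_ACL, SAMPLE_LOG)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Comparing on raw octets rather than on the written string matters in practice: an ACL that stores "12:34:56:78:9A:BC" and a client that presents "123456789abc" are the same station, and a filter that compares strings would reject or, worse, fail open on the mismatch depending on the product.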
You may find the size of the access control list insufficient for medium-to-large networks. You also may find this feature difficult to implement in a dynamic environment: Configuring your access points for each and every trusted client can be quite tedious. Table 11-2 shows the pros and cons of MAC filtering.

Table 11-2 MAC Filtering

    Pros                                     Cons
    Predefined users accepted                Administrative overhead
    Filtered MACs do not get access          Cost of implementation
    Provides a good first level of defense   Administrative nightmare

You may find that enabling this security feature is more effort than the actual security benefit that it provides. For small networks where you have fewer than ten workstations, MAC filtering might prove practicable. Some security professionals believe that you don't need both MAC filtering and shared-secret authentication since they basically accomplish the same thing.

Protocol filtering

Although not specified in the 802.11 standard, some vendors have provided protocol filtering. Like MAC filtering, this is another way to minimize risk. You can specify inbound and outbound allowable protocols. You must take care when setting up protocol filtering, or you may find you have blocked clients or let everyone in. You can use protocol filtering to prevent anyone from trying to use the Simple Network Management Protocol (SNMP) to reconfigure your AP. Similarly, you can filter Internet Control Message Protocol (ICMP) messages and potentially prevent some denial-of-service (DoS) attacks. The benefits are great and the disadvantages are small: potentially locking out authorized clients. You're best to use protocol filtering to block unwanted traffic. Some vendors also offer port forwarding. Port forwarding associates traffic destined for a specific port to a device on the internal network that you cannot necessarily access from the outside.
This is another useful security feature that you should use to your advantage.

Using Encryption

The three basic security services defined by the IEEE 802.11 standard are as follows:

- Authentication: A primary goal of WEP was to provide a security service to verify the identity of communicating client stations. This provides access control to the network by denying access to client stations that cannot authenticate properly. This service addresses the question, "Are only authorized persons allowed to gain access to my network?"
- Integrity: Another goal of WEP was a security service developed to ensure that messages are not modified in transit between the wireless clients and the access point in an active attack. This service addresses the question, "Is the data coming into or exiting the network trustworthy — has it been tampered with?"

[...]

[...] consider using these inside a wireless network. Many wireless access points have built-in support for remote access using virtual private networking. A remote user can direct a request to connect to the access point using the appropriate VPN port. If you are on a hotel's wireless network and provide the proper address, port, and associated VPN methodology, and then [...]

Chapter 12: Secure Wireless Access with Virtual [...]

[...] really a physical topology when dealing with wireless networks, is there? You are right. But security is still important, isn't it? In fact, a VLAN is a great idea for your wireless network because it segregates the traffic and parses your users into groups, reducing the risk of accidental or intentional data interception. One use for such a configuration in your wireless environment is to segregate user [...] 40-/128-bit static-WEP co-existing with other wireless devices using stronger 802.1x with dynamic WEP. Placing the less secure devices on a dedicated network segment reduces your overall risk. You need specialized equipment that supports VLAN technology in order to implement wireless VLANs. There are many vendor products, including Cisco's Aironet 1200 and Symbol's WS 5000 Wireless Switch. To implement this functionality, [...]

[...] wireless eavesdropping or active wireless attacks, we strongly recommend its use. However, it must be recognized that a datalink level wireless protocol protects only the wireless subnetwork. Where traffic traverses other network segments — either local or wide area networks, including wired segments, the Internet, or your backbone — you also may require higher-level, FIPS-validated, end-to-end cryptographic [...]

[...] authentication. The standard does not specify the authentication mechanism. Typically, EAP runs over the link layer without requiring IP. It was originally used for Point-to-Point (PPP) remote access but is now being used by wireless network applications. Windows XP and many hardware vendors are building 802.1x security standards into their access points. For Windows [...]

[...] protect access to your network, helping ensure that only authorized users get connected. In this chapter, you discover ways to protect your data as it crosses someone else's wireless network. This way, using those hotel and airport wireless networks is safer, and you ensure that prying eyes are unable to see those cute pictures of your new niece. Using a virtual private network (VPN) involves some work and [...]

[...] risks of wireless networks. The possibility of eavesdropping is one of the risks. If you value the information on your network, it needs protecting. A VPN does that for you. This chapter shows you numerous types of VPNs and allows for all levels of budget and skill. Hey, we know not everyone is rich and can afford those large commercial implementations. Using a wireless [...]

[...] in the loo! What a picture that evokes. Ugh. Don't use your wireless connection in the loo; there are some places that should remain sacrosanct from such goings on. All this additional freedom is good, but you don't want just anyone to peer at your innermost thoughts as your work travels across the wireless network, or especially across a public wireless network. It is a good thing to have unfettered access [...]

[...] Internet. So now you have three networks involved: your cable company, the Internet, and your organization. All of these can view the packets of data as they travel back and forth across these networks. The one method used to reduce that potential viewing is to use yet another network, your virtual private network. This network runs on top of the others. So now you are using four networks to get the work done [...]

[...] integrity. It is now time to tackle the issue of confidentiality. The popular press has done a lot to discourage organizations and individuals from using wireless networks. If you have been paying attention, then you are aware of all the negative articles about wireless security, especially encryption. Part of the problem is that people (including the press pundits) don't understand the basis for WEP. As implied [...]