6 - 1 Encryption and Exploits - SANS ©2001 1 Wireless Networking Security Security Essentials The SANS Institute Hello, in this module we are going to discuss wireless networking. Specifically, we'll take a look at how wireless technology works, how it is commonly deployed, and the security issues associated with using it. Because wireless communications can penetrate opaque objects such as buildings, the risk of someone accessing a private network increases markedly. With wireless, an attacker does not need to gain access to physical cables or jacks, but only needs to have an antenna and be within range of the transmissions. We will focus a great deal of this discussion on wireless LANs (WLANs). For the most part we think of these like regular LANs with workstations, servers, and laptops but without the wires. However, it is important to remember that wireless devices include cell phones, pagers, PDAs, etc. These less powerful devices are very widely deployed and are increasingly being used to connect to the Internet. Further, their computational capabilities are becoming ever more sophisticated, making the devices vulnerable to traditional Internet threats such as viruses and worms. We will explore several aspects of wireless security in this part of the course, but before jumping in it is interesting to note that industry analysts are projecting extreme growth in the worldwide wireless market over the next few years. Some even speculate that the number of wireless devices accessing the Internet will soon surpass that of wired PCs (expected to happen around 2003). The link below points to a report by IDC that provides some interesting background on the wireless industry, and discusses future challenges many of which revolve around wireless security. http://www.tivoli.com/products/documents/whitepapers/wireless_security.pdf 6 - 2 Wireless Networking - SANS ©2001 2 Popular Wireless Devices •PDAs • Cellular phones •Palmtops •Laptops •Pagers The popularity of wireless devices is staggering, and the trend shows no sign of slowing. The worldwide mobile data market is expected to be worth $80 billion by 2010. The wireless LAN market alone is expected to grow to over US $2 billion by 2002. Further, forecasters expect more than 1 billion wireless phones to be in use worldwide by 2003. http://www.india-today.com/ctoday/19991201/buzz3.html Any device that can interact with the Internet must be prepared to handle the hostility of the Internet environment. Any Internet-connected node can be attacked. Further, the mounting sophistication of wireless devices, combined with wide deployment, makes them attractive targets. As an example of the increasing computational complexity of cell phones, consider this recent article (link below) that likens the capabilities of today's cell phones to arcade games from the 1970s. Even more interesting is the fact that there is an entire market evolving around networked cell phone gaming! In some cases networked gameplay includes having cell phones accept executable code from the air. Such a "feature" could provide a whole new avenue of entry for malicious code. http://news.bbc.co.uk/hi/english/in_depth/sci_tech/2000/dot_life/newsid_1709000/1709107.stm Finally, the fact that wireless transmissions are, well wireless, makes them vulnerable to yet another class of threats. Attackers wishing to eavesdrop or disrupt wireless services can do so with a RF receiver or transmitter, and do not need to gain physical access to any wires. Worse, over the course of this discussion we will see that many of the wireless technologies in use today were not designed with strong security in mind. Anyone using or considering WLAN technology should be aware of the technology weaknesses, threats to wireless networks, and the available defenses. 6 - 3 Wireless Networking - SANS ©2001 3 Why Wireless? • Wireless solves problems that wired solutions cannot address • Users can access the network from anywhere • Users can be mobile while staying connected • Usable in environments where wires are problematic - Historic buildings with construction restrictions - Factories, assembly lines, warehouse floors, hospital rooms, stock trading floors - Temporary networks, such as for exhibitions So what's so great about wireless? Why does everyone want wireless LANs? The Gartner Group, Inc. has released a study forecasting that more than half of the Fortune 1,000 companies will have deployed wireless LANs within the next two years. Why? The reason is that wireless LANs provide freedom the freedom to move around, and freedom from the hassles and expenses of running wires. It is sometimes more cost effective for an organization to deploy a wireless network than to run wires through the walls of their office buildings. Further, the convenience of having employees bring their laptops to meetings and then take them back to their desks (without any service interruptions) is not to be underestimated. Home WLAN users enjoy working on the computer from the living room couch or a lounge chair in the yard rather than being confined to the home's "computer room". Wireless networks also enable connectivity in places where it just wasn't possible before. Historic buildings often have restrictions against punching holes in walls and ceilings. Factories and assembly lines would typically be dangerous places to run wires, but wireless provides a solution. Wireless allows doctors to access patient record databases while making their rounds. Warehouse workers can carry wireless order-taking devices as they move around the warehouse checking inventories. And of course, wireless networks can be set up and torn down quickly, making them ideal for short term engagements like exhibitions and business meetings. Clearly there are many cases when wireless technologies provide big advantages. 6 - 4 Wireless Networking - SANS ©2001 4 Wireless Vertical Markets • Healthcare •Retail •Academia •Factories • Financial This slide provides some more information about how wireless technologies are being used in various industries. Hospitals • to allow doctors and nurses to communicate with network systems to gain access to patient medical records, treatment information, and prescription information while wandering through the hospital • to use with roving lab equipment to have it send statistics into the network patient database Retail and Food Service •To allow inventory information to be scanned in and update the inventory database remotely •To allow restaurant orders to be transmitted back to the kitchen right away Academia •To support roaming students around campus without having to put in a wired infrastructure to provide them with access to internal campus systems and the Internet. Factories • To provide wireless connectivity in environments that won’t support regular wired connections • Stock control • Customer pickups • Trace inventory to the responsible parties • Warehouse workers use wireless LANs to exchange information with central databases and increase their productivity Financial • To allow traders to update exchange information right away through wireless instead of using paper and pen or hand signals • COMEX, Commodity Exchange, which deals in futures and options for gold, silver, platinum, palladium, copper, and European equities uses wireless lans. The exchange uses hand-held devices where using a touch screen information can be updated right away to the price reporting system. In the past price reporters would use hand signals to alert a supervisor who would call the price change to a data entry clerk who would then enter the information into a computer. • AMEX has traders that can get current price quotes and execute trades via their hand-held devices. In the past traders used order slips 6 - 5 Wireless Networking - SANS ©2001 5 Wireless LAN Network Architectures • Ad-hoc/Peer-to-Peer • Single Access Point (AP) • Multiple Access Points (APs) Now lets talk about how wireless LANs are architected and deployed. Typically, WLANs are configured in one of three ways: Ad-Hoc (sometimes called peer-to-peer), Single Access Point (sometimes called one-to-local access), and Multiple Access Points (sometimes called one-to-many access). We will consider each of these architectures in the next few slides. In the terminology of IEEE's 802.11 protocol standard, network architectures that do not use an access point are called "ad hoc", and architectures that include access points are called "infrastructure". 6 - 6 Wireless Networking - SANS ©2001 6 Ad-hoc/Peer-to-Peer Architecture In an ad-hoc network, wireless stations communicate directly with each other. A good description is given in the ExtremeTech article "Wireless LAN Deployment and Security Basics" referenced and quoted below: http://www.extremetech.com/article/0,3396,s%253D1034%2526a%253D13521,00.asp "In the ad-hoc network, computers are brought together to form a network "on the fly". There is no structure to the network, there are no fixed points, and usually every node is able to communicate with every other node. An example of a situation where an ad hoc network would be useful is a meeting where everyone brings laptops in order to work together and share common documents. Although it seems that order would be difficult to maintain in this type of network, algorithms such as the "spokesman election algorithm (SEA)" have been designed to "elect" one machine as the base station (master) of the network with the others being the slaves. Another algorithm in ad-hoc network architectures uses a broadcast and flooding mechanism to all other nodes to establish who's who. In an ad hoc wireless network, participating clients associate with each other through the use of a common network identifier. Once associated, they can share files and other resources exactly as they would in a wired peer-to-peer network. The limitations of wireless peer-to-peer networking are the same as wired peer-to-peer networking administrative hassles and poor scalability. Though convenient to set up, they are difficult to manage when you have more than just a few nodes. The recommended practice is that ad hoc networks only be used for the smallest of networks where convenience is paramount and security is not an issue. No doubt people can imagine that large peer- to-peer networks could be very useful in temporary situations, such as large business meetings. In fact, at the Fall 2001 Intel Developer Forum in San Jose, there was a technology demonstration of an ad hoc, self-configuring wireless network that involved about 500 people in the audience all attaching to the same network within about 10 seconds." 6 - 7 Wireless Networking - SANS ©2001 7 Single Access Point Architecture In the configuration shown above, one or more wireless clients use an an "access point" (AP) to connect to a wired network, and ultimately to the Internet. Typically, the AP works by forming an "association" with the wireless clients and then acting as a bridge between the clients and the wired network. The AP is also responsible for performing network synchronization tasks that allow the client to interact as if it were directly connected to the wired network. An example of such a task is the forwarding of broadcasts to the wireless LAN. Further, the AP is responsible for authenticating wireless clients and deciding whether a particular client should be allowed to access the network. Typically, authentication is performed based on a "password" (more on this later) and possibly on the client's MAC address. The process of association can be described as a handshaking mechanism between the AP and a wireless device that ensures that the device is only connected to one AP at a time. The area surrounding the access point is referred to as a "Basic Service Set", or BSS. Because the wireless signal strength decreases as distance from the access point increases, client stations that are far from the AP will experience degraded network performance. Worse, clients that are close to the AP can sometimes monopolize the available bandwidth, leaving far away clients starved for network resources. In order to increase the range and coverage of the wireless network, it is necessary needs to deploy additional access points. The multiple access point configuration is referred to as an Extended Service Set (ESS), and is described next. 6 - 8 Wireless Networking - SANS ©2001 8 Multiple Access Point Architecture This slide shows several wireless clients connecting to the network via multiple access points. This "one-to-many" setup allows users to roam around provided they remain within range of at least one AP. The access points communicate amongst themselves and "hand off" the user's information as needed. The idea is to keep the client connected to the "closest" AP regardless of how the client moves. In this context, "closest" means the AP that is able to exchange the strongest communications signal with the client. The client device makes the decision automatically on-the-fly based on the strength of the beacon signals it receives from each nearby access point. The strongest signal wins. 6 - 9 Wireless Networking - SANS ©2001 9 Infrared Wireless Networks • 2 Mbps • Cannot penetrate opaque objects • Uses directed or diffused technology - directed (requires line of sight) - diffused (limited to short distances such as a single room) In wireless networks, information is transferred using electromagnetic waves, most commonly via radio and infrared signals. Of the two, radio-based wireless networks are more commonly deployed, as infrared signal propagation requires either a direct line of sight or a short transmission distance. In this slide we consider the different types of Infrared wireless technology called "directed" and "diffused". The online report entitled "Wireless Networks" (link below) provides a good description of the two mechanisms and is reproduced below. http://www.jtap.ac.uk/reports/htm/jtap-014-1.html "Directed infrared requires a clear line of sight to make a connection. The most fmailiar direct information communication device is the TV remote control. A connection is made by transmitting data using two different intensities of infrared light to represent the ones and zeros. The infrared light is transmitted in a 20 degree cone giving some flexibility in orientation of the equipment, but not much. Some disadvantages exist with direct connections, one of which is range, usually restricted to less than 3 meters. Also because it needs a clear line of sight, the equipment must be pointing towards the general area of the receiver or the connection is lost. However, advantages include low cost and a high reliable data rate. Diffuse infrared technology operates by flooding an area with infrared light, in much the same way as a conventional light bulb illuminates a room. The infrared signal bounces off the walls and ceiling so that a receiver can pick up the signal regardless of orientation. Diffuse infrared technology is a compromise between direct infrared and radio technology. It combines the advantages of high data rates from infrared and the freedom of movement from radio. However, it also inherits some disadvantages. For example, although it transmits at 4Mbits/s twice that of current radio systems, this must be shared among all users, unlike direct infrared. And although a user can roam around freely, which is an advantage over direct infrared, the user is still confined to individual rooms unlike when using radio signals, which can pass through walls." 6 - 10 Wireless Networking - SANS ©2001 10 Radio Frequency (RF) Wireless Networks • Most popular WLAN technology • Covers longer ranges • Penetrates walls • Most use 2.4 GHz frequency range • Includes narrowband and spread spectrum technology • Previous versions ran at max of 2 Mbps • Most current versions run at 11 Mbps • New standards allow use at 54 Mbps As noted on the previous page, radio signals have the advantage of being able to penetrate walls. This means that the network architect has much more flexibility in deciding how the network should be configured. Radio signal technology is what makes WLANs practical for large scale deloyment. The report referenced on the previous page (link below) provides some interesting background on radio technologies which will serve us well in this discussion. The relevant information is reproduced below: http://www.jtap.ac.uk/reports/htm/jtap-014-1.html "Radio network technology exists in two forms: narrowband technology and spread spectrum technology. Narrowband systems transmit and receive data on a specific radio frequency; the bands are kept as close together as possible and strong filters are used to filter out other signals to make efficient use of the bandwidth. In order to prevent different signals from interfering with each other, a regulatory body was set up to licence the frequencies and monitor their use. These licences are very expensive and in the past have prevented manufacturers from using narrowband technology, an example of a narrowband network would be a commercial radio station. In the early 1990s, the regulatory bodies around the world set aside a band at 2.4GHz (the Instrumental, Scientific and Medical band) for use by new technologies. This band could be used without a license making it more accessible for private networks, and consequently manufacturers soon started to produce products which used the new band. However, one condition of using the ISM band was that signals must share the airwaves with one another, and as narrowband methods did not allow this, spread spectrum technology was used instead. Spread spectrum technology spreads the signal out over the whole band preventing concentration of the signal in anyone place, which allows large numbers of users to share the same bandwidth. There are two different methods involved in spread spectrum technology, Direct Sequence and Frequency Hopping, with both having advantages and disadvantages associated with them." Spread spectrum technologies are discussed next. [...]... 5 Security Issues 1 Eavesdropping 2 Theft or loss of wireless devices 3 Denial of Service (DOS) 4 Wireless viruses 5 Masquerading Wireless Networking - SANS ©2001 12 At this point let us turn our attention to a few security issues that arise in all types of wireless networks, regardless of the protocol (e.g WAP, Bluetooth, 802.11) employed It turns out that wireless networks face most of the same security. .. - 35 Wireless Attacks • Wireless technology is getting much cheaper • Base stations for less than $200, with wireless cards under $100 - IEEE 802.11b standard very popular - Employees setting up their own access points so they can roam around the halls - Very dangerous! • War driving - With a laptop and wireless card, an attacker can drive down the street and join many wireless LANs! Wireless Networking. .. Internet server • WTLS: Wireless Transport Layer Security • Used in versions prior to WAP 2.0 • Requires the WAP gateway to decrypt WTLS transmissions and then re-encrypt as TLS/SSL • Sensitive data is exposed as it traverses the gateway Wireless Networking - SANS ©2001 25 Before WAP 2.0 became available in late 2001, WAP users had to rely on the WTLS (Wireless Transport Layer Security) protocol to provide... http://www.zdnet.com/zdnn/stories/news/0,4586,2597657-2,00.html 6 - 19 Protecting Against Wireless Viruses Anti-virus protection for wireless devices is starting to become available • Trend Micro PC-cillin for Wireless • McAfee VirusScan Wireless • F-Secure AntiVirus for PalmOS, SymbianOS and PocketPC • Symantec AntiVirus for PalmOS Wireless Networking - SANS ©2001 20 Anti-virus protection for handhelds is now being... 22 Wireless Protocols • WAP • Bluetooth • 802.11 Wireless Networking - SANS ©2001 23 Now let us move on to a discussion of a few popular wireless protocols We will provide an overview of how each protocol works and then describe a few attacks that can be levied against the specific protocol implementation We will begin by discussing WAP and Bluetooth, which are two protocols often used by handheld wireless. .. Use Restrictions Wireless Networking - SANS ©2001 16 In order to protect against this threat, we must operate under the assumption that every wireless device has the potential to fall into the hands of a malicious person Our objective is to create a security system that requires that the device be used by the right person before it will reveal its secrets In terms of protecting the documents, authentication... simultaneous connections can be established and maintained Wireless Networking - SANS ©2001 27 We begin our discussion of the Bluetooth protocol with a description given in a recent report: "Bluetooth's primary strength is that it can be used to allow almost any wireless device to talk to any other wireless device For example, Bluetooth can work as a lower speed wireless network at a speed that most users will... used as the link key • The link key is used to generate the encryption key Wireless Networking - SANS ©2001 28 For all of its wonderful flexibility, the Bluetooth protocol has some security issues According to the Bluetooth primer previously referenced, analysts have compared the Bluetooth security situation to posting a social security number to a chat room Researchers from Lucent's Bell Labs discovered... Visors, VirusScan Wireless offers another level of protection - on-device scanning With on-device scanning, VirusScan Wireless can protect your PDA from infection even when you transfer files via infrared link or access the Internet wirelessly VirusScan Wireless is the only solution that offers both on-device and on-sync protection for Palm devices F-Secure http://www.f-secure.com /wireless/ Symantec... cellular phones and other wireless terminals •To create a global wireless protocol specification that will work across differing wireless network technologies •To enable the creation of content and applications that scale across a very wide range of bearer networks and device types WAP 2.0 provides support for standard Internet protocols suchs as IP, TCP, and HTTP, optimized for the wireless telecommunications . SANS ©2001 1 Wireless Networking Security Security Essentials The SANS Institute Hello, in this module we are going to discuss wireless networking. Specifically,. http://www.tivoli.com/products/documents/whitepapers /wireless_ security. pdf 6 - 2 Wireless Networking - SANS ©2001 2 Popular Wireless Devices •PDAs • Cellular phones •Palmtops •Laptops •Pagers The