› Uses
› Benefits
› Standards
› Functionality
› Security Issues
› Solutions and Implementations
Uses

› Key drivers are mobility and accessibility


› Easily change work locations in the office
› Internet access at airports, cafes, conferences, etc.
Benefits

› Increased productivity
  – Improved collaboration
  – No need to reconnect to the network
  – Ability to work in more areas
› Reduced costs
  – No need to wire hard-to-reach areas

Standards

› IEEE 802.11
› IEEE 802.11b
› IEEE 802.11a
› IEEE 802.11e
› HiperLAN/2
› Interoperability

IEEE 802.11

› Published in June 1997


› 2.4GHz operating frequency
› 1 to 2 Mbps throughput
› Can choose between frequency hopping or direct sequence spread spectrum modulation

IEEE 802.11b

› Published in late 1999 as a supplement to 802.11
› Still operates in 2.4GHz band
› Data rates can be as high as 11 Mbps
› Only direct sequence modulation is specified
› Most widely deployed today

IEEE 802.11a

› Also published in late 1999 as a supplement to 802.11


› Operates in 5GHz band (less RF interference than 2.4GHz range)
› Uses Orthogonal Frequency Division Multiplexing (OFDM)
› Supports data rates up to 54 Mbps
› Currently no products available, expected in fourth quarter

IEEE 802.11e

› Currently under development


› Working to improve security issues
› Extensions to MAC layer, longer keys, and key management systems
› Adds 128-bit AES encryption

HiperLAN/2

› Development led by the European Telecommunications Standards Institute (ETSI)
› Operates in the 5 GHz range, uses OFDM technology, and supports data rates over 50Mbps like 802.11a

Interoperability

› 802.11a and 802.11b work on different frequencies, so little chance for interoperability
› Can coexist in one network
› HiperLAN/2 is not interoperable with 802.11a or 802.11b

Functionality

› Basic Configuration
› WLAN Communication
› WLAN Packet Structure

WLAN Communication

› CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance) instead of Collision Detection
› WLAN adapter cannot send and receive traffic at the same time on the same channel
› Hidden Node Problem
› Four-Way Handshake
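Added illustration (not part of the original slides): a slot-based toy model of the hidden node problem and of the RTS/CTS four-way handshake (RTS, CTS, DATA, ACK). Stations A and C can each hear the access point B but not each other, and both want to send a DATA frame to B. The topology, slot lengths and transmit times are constructed for the example; the model ignores backoff, propagation delay and retries, and processes transmit intents in time order.

```python
DATA_SLOTS = 10  # length of a DATA frame in slots (constructed)
CTRL_SLOTS = 1   # RTS, CTS and ACK each take one slot (constructed)


class Station:
    def __init__(self, name, hears):
        self.name = name
        self.hears = set(hears)  # stations whose transmissions this one can sense
        self.heard = []          # (start, end) slot intervals of sensed transmissions
        self.nav = []            # (heard_at, busy_until): virtual carrier reservations

    def medium_free(self, now):
        physical_idle = not any(s <= now < e for s, e in self.heard)
        virtual_idle = not any(h <= now < until for h, until in self.nav)
        return physical_idle and virtual_idle


def hidden_node_topology():
    # A and C both hear the access point B, but cannot hear each other.
    return {
        "A": Station("A", {"B"}),
        "B": Station("B", {"A", "C"}),
        "C": Station("C", {"B"}),
    }


def simulate(use_rts_cts, intents=(("A", 0), ("C", 2))):
    """Run the transmit intents (station, slot at which it wants to send DATA
    to B) and report whether two DATA frames overlapped at B, plus a log.
    The toy model does not suppress B's ACK after a collision; it only
    detects the overlap."""
    stations = hidden_node_topology()
    log, data_windows = [], []

    def send(sender, kind, start, length):
        end = start + length
        log.append(f"t={start}: {sender} sends {kind}")
        for st in stations.values():
            if sender in st.hears:
                st.heard.append((start, end))
                if kind == "CTS":
                    # The duration field in CTS reserves the medium for the DATA
                    # frame and its ACK, so stations that could not hear the RTS
                    # (or its sender) still back off.
                    st.nav.append((start, end + DATA_SLOTS + CTRL_SLOTS))
        if kind == "DATA":
            data_windows.append((start, end))
        return end

    for name, wanted in intents:
        st, now = stations[name], wanted
        while not st.medium_free(now):   # physical + virtual carrier sense
            now += 1
        if now != wanted:
            log.append(f"t={wanted}: {name} defers until t={now}")
        start = now
        if use_rts_cts:
            end_rts = send(name, "RTS", now, CTRL_SLOTS)
            start = send("B", "CTS", end_rts, CTRL_SLOTS)
        end_data = send(name, "DATA", start, DATA_SLOTS)
        send("B", "ACK", end_data, CTRL_SLOTS)

    collision = any(
        a_start < b_end and b_start < a_end
        for i, (a_start, a_end) in enumerate(data_windows)
        for b_start, b_end in data_windows[i + 1:]
    )
    return {"collision": collision, "log": log}


if __name__ == "__main__":
    for mode in (False, True):
        result = simulate(mode)
        print(f"RTS/CTS {'on' if mode else 'off'}: collision={result['collision']}")
        print("\n".join("  " + line for line in result["log"]))
```

Without RTS/CTS, C senses an idle medium while A's frame is still in flight and the two frames overlap at B. With RTS/CTS, C hears B's CTS, sets its NAV for the reserved duration and defers until the exchange is over, at the cost of two extra control frames per data frame.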
WLAN Packet Structure

OSI layer      | 802.11 packet structure
Application    |
Presentation   |
Session        |
Transport      |
Network        |
Data Link      | 802.11 MAC header
Physical       | 802.11 PLCP header (802.11b)

Graphic Source: Network Computing Magazine August 7, 2000

[Three further diagrams not recoverable from the page extraction; Graphic Source: Network Computing Magazine August 7, 2000]

Security Issues

› Sniffing and War Driving
› Rogue Networks
› Policy Management
› MAC Address
› SSID
› WEP

Sniffing and War Driving

› Default installation allows any wireless NIC to access the network
› Drive around (or walk) and gain access to wireless networks
› Provides direct access behind the firewall
› Heard reports of an 8 mile range using a 24dB gain parabolic dish antenna.

Rogue Networks

› Network users often set up rogue wireless LANs to simplify their lives
› Rarely implement security measures
› Network is vulnerable to War Driving and sniffing and you may not even know it

Policy Management

› Access is binary
› Full network access or no network access
› Need means of identifying and enforcing access policies

MAC Address

› Can control access by allowing only defined MAC addresses to connect to the network
› This address can be spoofed
› Must compile, maintain, and distribute a list of valid MAC addresses to each access point
› Not a valid solution for public applications

SSID

› SSID is the network name for a wireless network
› WLAN products' common defaults: "101" for 3COM and "tsunami" for Cisco
› Can be required to specifically request the access point by name (lets SSID act as a password)
› The more people that know the SSID, the higher the likelihood it will be misused.
› Changing the SSID requires communicating the change to all users of the network
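Added example (not from the original slides) covering the rogue-network and SSID points above: a small audit that parses constructed site-survey output, compares each BSSID against an authorised access point inventory, and flags unknown APs, APs still advertising the vendor default SSIDs named on the slide ("101", "tsunami"), and APs with no encryption. The scan line format, the inventory and every BSSID are constructed for the example; the parser is the part to adapt to whatever a real survey tool emits.

```python
import re

# Vendor default SSIDs named on the slide: "101" (3COM) and "tsunami" (Cisco).
DEFAULT_SSIDS = {"101", "tsunami"}

# Constructed inventory of authorised access points: BSSID -> SSID it should advertise.
AUTHORISED_APS = {
    "00:40:96:aa:bb:01": "corpnet",
    "00:40:96:aa:bb:02": "corpnet",
}

# Constructed site-survey output. The line format is invented for this example.
SAMPLE_SCAN = """\
ssid=corpnet bssid=00:40:96:AA:BB:01 channel=1 encryption=wep
ssid=corpnet bssid=00:40:96:AA:BB:02 channel=6 encryption=wep
ssid=tsunami bssid=00:40:96:CC:DD:EE channel=11 encryption=none
# a comment line the parser should ignore
ssid=101 bssid=00:50:DA:12:34:56 channel=6 encryption=none
ssid=guest bssid=00:40:96:AA:BB:02 channel=6 encryption=wep
"""

SCAN_LINE = re.compile(
    r"ssid=(?P<ssid>\S+)\s+bssid=(?P<bssid>[0-9A-Fa-f:]{17})\s+"
    r"channel=(?P<channel>\d+)\s+encryption=(?P<enc>\w+)"
)


def parse_scan(text):
    """Turn survey output into a list of AP records with normalised BSSIDs."""
    records = []
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if not m:
            continue  # blank lines, comments, anything that is not an AP record
        records.append({
            "ssid": m["ssid"],
            "bssid": m["bssid"].lower(),   # MACs compare case-insensitively
            "channel": int(m["channel"]),
            "encryption": m["enc"].lower(),
        })
    return records


def audit_scan(text, inventory=AUTHORISED_APS, default_ssids=DEFAULT_SSIDS):
    """Return one (bssid, kind, detail) finding per problem seen in the scan."""
    findings = []
    for ap in parse_scan(text):
        expected_ssid = inventory.get(ap["bssid"])
        if expected_ssid is None:
            # An AP nobody registered: the rogue network case from the slide.
            findings.append((ap["bssid"], "rogue",
                             f"BSSID not in inventory (SSID {ap['ssid']!r})"))
        elif expected_ssid != ap["ssid"]:
            # Known hardware, unexpected name: misconfiguration or reuse of a BSSID.
            findings.append((ap["bssid"], "ssid-mismatch",
                             f"authorised AP advertising {ap['ssid']!r}, expected {expected_ssid!r}"))
        if ap["ssid"] in default_ssids:
            findings.append((ap["bssid"], "default-ssid",
                             f"vendor default SSID {ap['ssid']!r} still in use"))
        if ap["encryption"] == "none":
            findings.append((ap["bssid"], "no-encryption",
                             "no link-layer encryption enabled"))
    return findings


def rogue_bssids(findings):
    """BSSIDs that are not in the inventory at all."""
    return {bssid for bssid, kind, _ in findings if kind == "rogue"}


if __name__ == "__main__":
    for bssid, kind, detail in audit_scan(SAMPLE_SCAN):
        print(f"{bssid}  {kind:<14} {detail}")
```

Run against a periodic survey, the "rogue" findings are the ones that answer the slide's "you may not even know it" point; the "ssid-mismatch" check catches an authorised BSSID that has been reconfigured, which an inventory keyed on SSID alone would miss.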
 
WEP

› Designed to be computationally efficient, self-synchronizing, and exportable
› Vulnerable to attack
  – Passive attacks to decrypt traffic based on statistical analysis
  – Active attacks to inject new traffic from unauthorized mobile stations, based on known plaintext
  – Dictionary-building attack that, after analysis of a day's worth of traffic, allows real-time automated decryption of all traffic
› All users of a given access point share the same encryption key
› Data headers remain unencrypted so anyone can see the source and destination of the data stream
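Added worked calculation (not from the original slides) quantifying one root of the passive attacks listed above: WEP's 24-bit per-packet IV. With random IVs the birthday bound gives a repeat after a few thousand packets; with a sequential IV counter every value is used after 2^24 packets, after which RC4 keystreams under the shared key repeat. The packet rates in the table are constructed inputs.

```python
import math

IV_BITS = 24  # WEP prepends a 24-bit IV to the shared key to form the RC4 key


def iv_collision_probability(n_packets, iv_bits=IV_BITS):
    """Probability that at least two of n_packets packets share an IV when IVs
    are chosen uniformly at random (the birthday bound). Exact product for
    modest n, closed-form approximation beyond that to keep it fast."""
    space = 2 ** iv_bits
    if n_packets > space:
        return 1.0  # pigeonhole: more packets than IV values
    if n_packets <= 50_000:
        log_no_collision = sum(math.log1p(-i / space) for i in range(n_packets))
        return 1.0 - math.exp(log_no_collision)
    return 1.0 - math.exp(-n_packets * (n_packets - 1) / (2 * space))


def expected_packets_to_first_collision(iv_bits=IV_BITS):
    """Approximate expected number of random-IV packets before the first reuse."""
    return math.sqrt(math.pi * 2 ** iv_bits / 2)


def seconds_to_iv_exhaustion(packets_per_second, iv_bits=IV_BITS):
    """Time until a card that increments its IV sequentially has used every
    value; after that every keystream for the (shared, unchanged) key repeats."""
    return 2 ** iv_bits / packets_per_second


def risk_table(rates=(100, 1000, 5000)):
    """Rows of (packets/s, hours until the IV counter wraps,
    P(random-IV reuse within one day))."""
    rows = []
    for pps in rates:
        hours = seconds_to_iv_exhaustion(pps) / 3600
        p_day = iv_collision_probability(pps * 86_400)
        rows.append((pps, round(hours, 2), round(p_day, 3)))
    return rows


if __name__ == "__main__":
    print(f"expected packets to first random-IV reuse: "
          f"{expected_packets_to_first_collision():.0f}")
    for pps, hours, p_day in risk_table():
        print(f"{pps:>5} pkt/s: counter wraps in {hours:.2f} h, "
              f"P(reuse in 24 h) = {p_day}")
```

At 1000 packets/s the IV counter wraps in about 4.7 hours. Rotating WEP keys every 30-60 days, as suggested for small environments later in these slides, limits how long a recovered key stays useful but does nothing about keystream reuse within a single day, which is what the day's-worth-of-traffic dictionary attack above relies on.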

Solutions and Implementations

› Varies due to organization size and security concerns
› Current technology not ideal for large-scale deployment and management
› Will discuss a few tricks that can help the process and a few technologies under development to ease enterprise deployments

› Great for small (5-10 users) environments
› Use WEP (some vendors provide 128-bit proprietary solution)
› Only allow specific MAC addresses to access the network
› Rotate SSID and WEP keys every 30-60 days
› No need to purchase additional hardware or software.

SLAN

› Intent to protect link between wireless client and (assumed) more secure wired network
› Similar to a VPN and provides server authentication, client authentication, data privacy, and integrity using per-session and per-user short-life keys
› Simpler and more cost efficient than a VPN
› Cross-platform support and interoperability, not highly scalable, though
› Supports Linux and Windows
› Open Source (slan.sourceforge.net)

1. Client/Server Version Handshake


2. Diffie-Hellman Key Exchange
3. Server Authentication (public key fingerprint)
4. Client Authentication (optional) with PAM on Linux
5. IP Configuration – IP address pool and adjust routing table
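Added example (not SLAN's own code; the project's wire format is not described on these slides): a Python sketch of steps 1 to 3 of the sequence above. Version negotiation picks the highest version both sides support, an ephemeral Diffie-Hellman exchange produces the session secret, and the client authenticates the server by comparing a SHA-256 fingerprint of the server's long-term public key against a pinned value, with a key-confirmation MAC proving the server actually holds that key. The toy DH group (p = 2^127 - 1, g = 5), the SHA-256/HMAC key derivation and the message layout are assumptions made for this example; client authentication with PAM (step 4) and IP configuration (step 5) are not modelled.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this example (not SLAN's real
# parameters): 2**127 - 1 is a Mersenne prime, far too small for real use.
P = 2**127 - 1
G = 5
KEY_BYTES = 16  # big-endian width used to serialise group elements below


def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2          # 2 <= priv <= P - 2
    return priv, pow(G, priv, P)


def fingerprint(public_key):
    """Step 3: the server's identity is a hash of its long-term public key,
    which the client pins (distributed out of band or trust-on-first-use)."""
    return hashlib.sha256(public_key.to_bytes(KEY_BYTES, "big")).hexdigest()


def derive_session_key(version, ephemeral_shared, static_shared):
    """Short-life per-session key bound to the negotiated version, the
    ephemeral DH result and a DH result with the server's identity key."""
    material = b"|".join([
        version.encode(),
        ephemeral_shared.to_bytes(KEY_BYTES, "big"),
        static_shared.to_bytes(KEY_BYTES, "big"),
    ])
    return hashlib.sha256(material).digest()


class SlanLikeServer:
    versions = ("1.0", "1.1")

    def __init__(self):
        self.identity_priv, self.identity_pub = dh_keypair()
        self.last_session_key = None

    def respond(self, client_versions, client_eph_pub):
        # Step 1: version handshake, highest version both sides support.
        common = sorted(set(self.versions) & set(client_versions))
        if not common:
            raise ValueError("no common protocol version")
        version = common[-1]
        # Step 2: ephemeral Diffie-Hellman.
        eph_priv, eph_pub = dh_keypair()
        ephemeral_shared = pow(client_eph_pub, eph_priv, P)
        # Only the holder of the identity private key can compute this value;
        # that is what turns the fingerprint comparison into authentication of
        # the server rather than of a name it merely claims.
        static_shared = pow(client_eph_pub, self.identity_priv, P)
        key = derive_session_key(version, ephemeral_shared, static_shared)
        self.last_session_key = key
        finished = hmac.new(key, b"server finished", hashlib.sha256).digest()
        return {"version": version, "eph_pub": eph_pub,
                "identity_pub": self.identity_pub, "finished": finished}


def client_connect(server, pinned_fingerprint, client_versions=("1.0", "1.1")):
    """Client side of steps 1-3; returns (version, session_key) or raises."""
    eph_priv, eph_pub = dh_keypair()
    reply = server.respond(client_versions, eph_pub)
    if not hmac.compare_digest(fingerprint(reply["identity_pub"]), pinned_fingerprint):
        raise ValueError("server fingerprint mismatch: refusing to continue")
    ephemeral_shared = pow(reply["eph_pub"], eph_priv, P)
    static_shared = pow(reply["identity_pub"], eph_priv, P)
    key = derive_session_key(reply["version"], ephemeral_shared, static_shared)
    expected = hmac.new(key, b"server finished", hashlib.sha256).digest()
    if not hmac.compare_digest(expected, reply["finished"]):
        raise ValueError("key confirmation failed: server could not derive the session key")
    return reply["version"], key


if __name__ == "__main__":
    server = SlanLikeServer()
    version, key = client_connect(server, fingerprint(server.identity_pub))
    print(f"negotiated {version}, session key {key.hex()[:16]}...")
```

The fingerprint check is the step that matters on a wireless link: without it a client would happily complete the DH exchange with whatever access point answered first, which is exactly the rogue-network exposure described earlier in these slides.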
SLAN data path (diagram):

  Client Application (ie Web Browser) [User Space Process]
        |  Plaintext Traffic
        v
  SLAN Driver
        |  Encrypted Traffic
        v
  Physical Driver
        |  Encrypted Traffic
        v
  SLAN Server

› 11-100 users
› Can use MAC addresses, WEP and rotate keys if you want.
› Some vendors have limited MAC storage ability
› SLAN also an option
› Another solution is to tunnel traffic through a VPN

VPN

› Provides a scalable authentication and encryption solution
› Does require end user configuration and a strong knowledge of VPN technology
› Users must re-authenticate if roaming between VPN servers

› 100+ users
› Reconfiguring WEP keys not feasible
› Multiple access points and subnets
› Possible solutions include VLANs, VPNs, custom solutions, and 802.1x

VLANs

› Combine wireless networks on one VLAN segment, even geographically separated networks.
› Use 802.1Q VLAN tagging to create a wireless subnet and a VPN gateway for authentication and encryption

Custom Solution

› Georgia Institute of Technology
› Allows students with laptops to log on to the campus network
› Uses VLANs, IPTables, and a Web browser
› No end user configuration required
  – User accesses a web site and enters a userid and password
  – Gateway runs specialized code authenticating the user with Kerberos and packet filtering with IPTables, adding the user's IP address to the allowed list to provide network access

802.1x

› General-purpose port based network access control mechanism for 802 technologies
› Based on AAA infrastructure (RADIUS)
› Also uses Extensible Authentication Protocol (EAP, RFC 2284)
› Can provide dynamic encryption key exchange, eliminating some of the issues with WEP
› Roaming is transparent to the end user

› Could be implemented as early as 2002.
› Cisco Aironet 350 supports the draft standard.
› Microsoft includes support in Windows XP

› NetMotion Wireless authenticates against a Windows domain and uses better encryption (3DES) than WEP. Also offers the ability to remotely disable a wireless network card's connection.
› Fortress Wireless Link Layer Security (WLLS). Improves WEP and works with 802.1x.
› Enterasys provides proprietary RADIUS solution similar to 802.1x
   

› Cannot forget client security
› Distributed Personal Firewalls
› Strong end user security policies and configurations
› Laptop Theft Controls
   

› Wireless LANs very useful and convenient, but current security state not ideal for sensitive environments.
› Cahners In-Stat group predicts the market for wireless LANs will be $2.2 billion in 2004, up from $771 million in 2000.
› Growing use and popularity require increased focus on security