|
|
|
Insights into wireless protocols and standards: Creating a Secure Network for Your Business

Wireless Local Area Network (802.11b) Security White Paper

Chris Griffin

With preliminary information from:

Abstract

Wireless networks have
become increasingly popular due to their mobility and ease of installation. The proliferation of such networks benefits
industry by allowing employees increased flexibility in their work, thereby
increasing overall efficiency and output.
During the course of implementation of these systems, the question of
security often arises. Such concerns
have recently come to the forefront of research in the wireless networking
environment as more businesses realize the benefits of these systems. The following document provides a summary of
noted security issues involved in wireless networking, and endeavors to offer
practical solutions to combat the problems that arise when such networks are
utilized in a business environment.

Background
It is common in enterprises
today to see wireless networks in use.
From warehouses to commercial dairy farms, these systems keep people
connected, thus increasing workplace efficiency.
Recent articles have demonstrated some security flaws in the most common
form of wireless network, the 802.11b wireless local area network (WLAN). Such networks have recently
become popular due to their operation on unlicensed frequencies and the
adoption of a common standard. Mass
production of 802.11b hardware has lowered the price of necessary equipment and
further led to the popularity of this communications medium. Though there are security concerns, by
employing a mixture of radio frequency (RF) control, 802.1X authentication with
per-session packet encryption, and an upper-layer encryption such as a VPN, a wireless network can be
secured to an enterprise standard.

Securing your RF
Wireless networks consist of both an access point
and a client, each with a receiver and a transmitter. The amount of energy that is required to
propagate the signal throughout the coverage area can have a direct impact on
the security of the system--if an attacker cannot “see” the signal he has
nothing to attack. Competent RF
engineering in a WLAN installation is absolutely essential to lowering the
probability of an attack. When security
is a concern WLANs should not be allowed to propagate into insecure or
unnecessary locations just as sensitive wired connections should not be placed
in public areas. Proper antenna
selection and placement in addition to post installation site surveys are
necessary to ensure a low incidence of unintended propagation leakage. These procedures do not make a network
completely invulnerable: an attacker with a high-gain directional antenna and a sensitive
receiver can still recover a signal well outside the intended coverage area. But just as with wired systems, the level of skill and
equipment necessary to mount an attack increases substantially, which makes an attack less likely.
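A worked link budget makes the point above concrete. The following is an added example written for this page, not code or figures from the paper: it applies the free-space (Friis) path-loss formula to compare how far a legitimate client and an eavesdropper can decode the same access point. The channel frequency, transmit power, antenna gains and receiver sensitivities are assumptions chosen to resemble 2002-era 802.11b equipment, and because free space ignores walls and floors the absolute distances are optimistic; the ratios are what matter.

```python
import math

FREQ_MHZ = 2437.0   # 802.11b channel 6 (assumed)


def fspl_db(distance_m: float, freq_mhz: float = FREQ_MHZ) -> float:
    """Free-space path loss (Friis): 20log10(d) + 20log10(f) - 27.55 with d in metres, f in MHz."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55


def received_dbm(tx_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                 distance_m: float, freq_mhz: float = FREQ_MHZ) -> float:
    """Signal at the receiver: transmit power plus both antenna gains minus path loss."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - fspl_db(distance_m, freq_mhz)


def max_range_m(tx_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                rx_sensitivity_dbm: float, freq_mhz: float = FREQ_MHZ) -> float:
    """Largest free-space distance at which the receiver still sees its minimum
    usable signal (the inverse of fspl_db for the available link budget)."""
    budget_db = tx_dbm + tx_gain_dbi + rx_gain_dbi - rx_sensitivity_dbm
    return 10 ** ((budget_db + 27.55 - 20 * math.log10(freq_mhz)) / 20)


def coverage_vs_attacker(ap_tx_dbm: float, ap_gain_dbi: float = 2.0) -> dict:
    """Compare a legitimate client and an eavesdropper listening to the same AP.
    Assumed figures: client card with a 0 dBi antenna and -84 dBm sensitivity at
    11 Mbps; attacker with a 24 dBi parabolic grid and a -90 dBm receiver.
    Each wall or floor would cost a further 10-20 dB, shrinking both ranges but
    leaving the ratio unchanged."""
    client = max_range_m(ap_tx_dbm, ap_gain_dbi, 0.0, -84.0)
    attacker = max_range_m(ap_tx_dbm, ap_gain_dbi, 24.0, -90.0)
    return {"client_m": client, "attacker_m": attacker, "ratio": attacker / client}


if __name__ == "__main__":
    for power in (20.0, 14.0, 8.0):       # 100 mW, 25 mW, 6 mW
        r = coverage_vs_attacker(power)
        print(f"AP {power:4.0f} dBm: client {r['client_m']:7.0f} m, "
              f"attacker {r['attacker_m']:7.0f} m, ratio {r['ratio']:.1f}x")
```

Every 6 dB removed from the access point's transmit power halves the free-space range for everyone, but the attacker's 24 dBi antenna and 6 dB more sensitive receiver buy roughly a 32x range advantage over a laptop card whatever the power setting, which is why RF control raises the cost of an attack rather than ruling it out.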
As an added benefit, proper network design results in general noise
reduction on other access points sharing the same channel allowing for less
power output and thereby further securing neighboring access points.

Text from The Unofficial 802.11 Security
Web Page and The Security White Paper for the AP 350 from Cisco will
provide the background information in security software, hardware, and
standards necessary for the proper implementation of a wireless business
network. The following information from The
Unofficial 802.11 Security Web Page describes some security vulnerabilities
of the 802.11b protocol:

IEEE 802.1X and 802.11
The task of defining the
interaction between IEEE [Institute of Electrical and Electronic Engineers]
802.1X and 802.11 has been given to IEEE 802.11 Task Group I (Security), which
is in the process of completing its recommendations. Given the popularity of
IEEE 802.1X and 802.11, many pre-standard implementations of IEEE 802.11 TG I
[Task Group I] are now on the market. Some of these pre-standard
implementations have known vulnerabilities. These include vulnerabilities in
802.11, problems addressed in 802.11 TG I (but not yet implemented), and
problems in the 802.1X implementations themselves. Here's a summary of what to look out for:

Known security vulnerabilities in 802.11

The IEEE 802.1X standard [as currently deployed]
focuses largely on use within wired networks. Utilizing IEEE 802.1X to secure
802.11 is the job taken on by IEEE 802.11 Task Group I. As a result, the IEEE 802.1X specification
does not directly address known weaknesses in 802.11, including:

a. Use of 802.11 without encryption. Unencrypted
802.11 sessions are subject to snooping and hijacking, regardless of how the
session is authenticated. As a result, customers desiring confidentiality and
session hijacking protection should operate 802.11 networks with encryption
enabled.

b. Weaknesses in WEP [Wired Equivalent Privacy].
The weaknesses of the WEP encryption scheme are well documented, and cannot be
remedied merely by the application of enhanced authentication and key
management schemes such as IEEE 802.1X. For example, WEP lacks support
for per-packet integrity protection and offers only weak encryption. This
enables a wide variety of attacks, including insertion of packets into the data
stream. As a result, customers with deployed 802.11 networks using WEP should
consider transitioning to alternative ciphers under development by IEEE 802.11
Task Group I.
Figure 1 Network Configuration with Firewall Only

c. Lack of authentication for 802.11 management
messages. 802.11 management messages include the beacon, probe
request/response, association request/response, reassociation request/response,
disassociation, and deauthentication. Since 802.11 does not [authenticate]
these management messages, denial of service attacks are possible. IEEE
802.11 Security Task Group I is currently examining proposals for
authentication for the reassociation, disassociation and deauthentication
messages based on the key negotiated by IEEE 802.1X. Weak authentication of the
other management messages is also being considered, based on the default key.
Customers should utilize these enhancements to 802.11 security when available. (The Unofficial 802.11 Security Web Page,
“IEEE 802.1X and 802.11”)

Without added security measures, 802.11b has
little built-in protection. MAC (Media
Access Control)- and IP (Internet Protocol)-based limiting are subject to
spoofing. Placing a firewall in the way
will also deter some intruders, but this puts a big security burden on the
firewall [fig. 1]. The data network is
subject to WEP sniffing and network intrusion by anyone more skilled than the
casual intruder [fig. 2]. Enterprise
solutions will require additional security implementation; the basic
security built in to the 802.11b standard deters only the casual intruder and is
sufficient only for home users and small office networks whose traffic is of little value to an attacker. The Unofficial 802.11 Security Web Page describes some security fixes to the
protocol as recommended by TG I:

Figure 2 Network Configuration with WEP Only

d. Mandatory mutual authentication. For use
with IEEE 802.11, the IEEE 802.11 [TG
I] specification requires that supplicants and authenticators not send data
traffic until mutual authentication is complete. Some pre-standard
implementations do not support this. 802.11 Task Group I also mandates use of
EAP methods providing mutual authentication, such as EAP SRP [Extensible
Authentication Protocol Secure Remote Password] or EAP TLS [Extensible
Authentication Protocol Transport Layer Security]. Most existing
implementations do support this today, including Windows XP, which ships with
support for EAP TLS.

e. Use of ciphers providing per-packet
authentication as well as encryption. The IEEE 802.11 [TG I] specification
defines two new [cipher suites], TKIP [Temporal Key Integrity Protocol] and AES
[Advanced Encryption Standard], both of which include support for per-packet
integrity protection and confidentiality. TKIP should be available
in the near future, can typically be deployed as an upgrade to existing access
points, and includes support for a (weak) message integrity check. However, it
is largely based on WEP, and as a result, is only a short term solution.
Customers should be planning on migrating to AES-based ciphers in the long
term, with keys provided by IEEE 802.1X.
(The Unofficial 802.11 Security Web Page, “Issues in the current
IEEE 802.11 TG I draft not yet implemented”)
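The WEP weaknesses that item b above names (no per-packet integrity protection, weak encryption) and that the WEP paragraph of the Low Security Risk section below describes in terms of weak keys can be reproduced in a few lines. The following is an added example written for this page, not code from the paper, from the Unofficial 802.11 Security Web Page, or from any vendor: it implements WEP's RC4 plus CRC-32 construction as specified in 802.11-1999, shows an attacker flipping chosen bits in a captured frame and repairing the ICV without knowing the key (the "insertion of packets" item b refers to), and classifies the FMS weak IVs that WEP-cracking programs collect. The 40-bit key, the message, the IV values and the assumption of a little-endian IV counter are constructed for the example.

```python
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (in clear) || (plaintext || ICV) XOR RC4(IV || key).
    key is the 40- or 104-bit shared secret; iv is the 24-bit per-packet value."""
    assert len(iv) == 3
    keystream = rc4_keystream(iv + key, len(plaintext) + 4)
    return iv + xor(plaintext + icv(plaintext), keystream)


def wep_decrypt(key: bytes, frame: bytes):
    """Receiver side: return the plaintext if the ICV verifies, else None."""
    iv, body = frame[:3], frame[3:]
    decrypted = xor(body, rc4_keystream(iv + key, len(body)))
    plaintext, received_icv = decrypted[:-4], decrypted[-4:]
    return plaintext if icv(plaintext) == received_icv else None


def flip_bits_without_key(frame: bytes, delta: bytes) -> bytes:
    """Attacker: XOR a chosen delta into the ciphertext and repair the ICV with no
    knowledge of the key. Works because CRC-32 is affine over GF(2):
        crc(P ^ D) == crc(P) ^ crc(D) ^ crc(zeros of len(P))
    so the ICV correction depends on D alone."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    assert len(delta) == n
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))) & 0xFFFFFFFF
    return iv + xor(body, delta + struct.pack("<I", icv_delta))


def is_fms_weak_iv(iv: bytes, key_byte_index: int = 0) -> bool:
    """The 'weak' IV class of Fluhrer, Mantin and Shamir (2001): IVs of the form
    (A + 3, 0xFF, X) leak information about secret key byte A through RC4's first
    output byte."""
    return iv[0] == key_byte_index + 3 and iv[1] == 0xFF


def count_weak_ivs(start: int, count: int, key_byte_index: int = 0) -> int:
    """Weak IVs among `count` packets from a card that uses a little-endian counter
    as its IV (an assumption; cards differ in how they choose IVs)."""
    return sum(
        is_fms_weak_iv(v.to_bytes(3, "little"), key_byte_index)
        for v in range(start, start + count)
    )


def demo():
    """Constructed sample: a 40-bit key and an application message. The attacker turns
    '100' into '900' inside the captured frame and the receiver accepts the result."""
    key = bytes.fromhex("0123456789")         # 40-bit WEP key (constructed)
    message = b"PAY 100 TO ALICE"
    frame = wep_encrypt(key, b"\x03\xff\x7a", message)   # this IV happens to be FMS-weak
    delta = bytearray(len(message))
    delta[4] = ord("1") ^ ord("9")            # the bits that turn '1' into '9'
    forged = flip_bits_without_key(frame, bytes(delta))
    return wep_decrypt(key, frame), wep_decrypt(key, forged), is_fms_weak_iv(frame[:3])
```

The forgery needs no key material at all, only a guess at the plaintext layout, which is why TKIP's message integrity check and the AES-based suite were added; and the weak-IV count shows that for a card that simply counts IVs, one packet in 65,536 leaks information about each key byte, so the number of packets on the air, not the key length, sets how long a key survives.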

Figure 3 Mutual Authentication Process

Although only EAP (Extensible Authentication
Protocol) is currently widely available for implementation [fig. 3], these two
provisions take care of most of the security issues with 802.11b. Since AES and TKIP are not widely available
today, a further layer of security must be implemented. The most discussed option is EAP TLS, which carries Transport
Layer Security (TLS), the successor to Secure Sockets
Layer (SSL), inside EAP; a supplicant for it is built in to Microsoft's
Windows XP operating system. TLS is composed of two layers: the TLS Record Protocol and
the TLS Handshake Protocol. The TLS Record Protocol provides connection
security with a symmetric cipher such as the Data Encryption Standard (DES), although
it can also be used without encryption. The TLS Handshake
Protocol allows the server and client to authenticate each other with certificates and to
negotiate an encryption algorithm
and cryptographic keys before any data is exchanged. In EAP TLS only the handshake is run over the
wireless link; the session keys derived from it are handed to the link layer (WEP or TKIP), so they are
never sent in the clear. One drawback is that it requires administrators to
deploy a certificate authority (CA) and issue a certificate to each client and authentication server that takes part in the
TLS exchange, thus adding to the overall system complexity. It might also require users to obtain a different
certificate for each terminal they use. The AES-based cipher suite will eventually be the standard that all
wireless devices follow, but it is still under development in TG I. As is documented in An Initial Security
Analysis of the IEEE 802.1X Standard by Arunesh Mishra and William A.
Arbaugh, some manufacturers are already shipping products equipped with
such pre-standard protocols. The
problems to which these protocols are susceptible include:

f. Dictionary attacks on EAP methods. 802.11
frames, including 802.1X messages, are easily sniffed. For this reason, IEEE
802.11 Task Group I [recommends] EAP methods [resistant] to dictionary attack.
It's worth heeding this advice, since dictionary attacks enable an attacker to
recover the user password, which often can provide access to more than just the
802.11 network. Therefore these attacks are more serious than the previously
documented WEP attacks and customers using 802.1X should strongly consider
adopting dictionary [attack-resistant] authentication methods such as EAP TLS,
SRP [Secure Remote Password], TTLS [Tunneled Transport Layer Security] and PEAP
[Protected Extensible Authentication Protocol].

g. Attacks on the default key. Some early IEEE
802.1X implementations cannot use the per-session keys derived in IEEE 802.1X
to encrypt the data. Instead, these implementations only encrypt data using the
multicast/broadcast keys known in the 802.11 lingo as "default keys".
Such implementations are vulnerable to many of the WEP attacks, particularly if
the default keys are not automatically changed in a frequent and unpredictable
way. Since Access Points typically do not have much randomness with which to
change default keys securely, administrators may wish to automate this
themselves using scripts or SNMPv3 [Simple Network Management Protocol]. Of
course, for this to be secure, the Access Points need to support updating of
the default key as well as secure management mechanisms such as SNMPv3 or SSH
[Secure Shell].

h. Denial of service attacks based on sending of
EAPOL[Extensible Authentication Protocol Over LAN]-Logoff frames. Since the
EAPOL logoff frame is not authenticated an attacker can potentially spoof this
frame, logging the user off the Access Point. Access Point vendors whose
implementations are susceptible to these attacks should fix their
implementations. Since the purpose of the EAPOL-Logoff frame is to signal
disconnection, and this is already taken care of by the 802.11 Disassociation
message (which can be authenticated) it is not clear that EAPOL-Logoff frame is
really necessary with 802.11. As a result, [access point manufacturers] should
consider filtering these messages, and the IEEE 802.11 [TG I] specification
should [clarify] this issue going forward.

i. Denial of service attacks based on sending of EAPOL-Start
frames. An attacker can
attempt to bring down an Access Point by flooding it with EAPOL-Start frames [fig. 4]. Access Point vendors whose
implementations are susceptible to these attacks should fix their
implementations. The key to avoiding problems is not to allocate significant
resources on receipt of an EAPOL-Start frame.

j. Denial of service attacks based on cycling
through the EAP Identifier space. An attacker could attempt to bring down
an Access Point by consuming the EAP Identifier space (0-255). Access Point
vendors whose implementations are susceptible to these attacks should fix their
implementations. Since the EAP Identifier is only required to be unique within
a single Port or 802.11 Association, there is no need for an Access Point to
lock out further connections once the Identifier space has been exhausted. This
issue should be clarified in the revision to the IEEE 802.1X specification.

k. Denial of service attacks based on sending of
premature EAP Success packets. The IEEE 802.1X specification enables a
client to avoid bringing up its interface where the required mutual
authentication has not been completed. This enables a well implemented
Supplicant to avoid being fooled by a rogue Authenticator sending premature EAP
Success packets. Supplicant implementations that are vulnerable to this attack
should fix their implementations. This issue should be clarified within the
revisions to the EAP and IEEE 802.1X specifications.

l. Denial of service attacks based on spoofing EAP
Failure packets. The EAP specification requires clients to be able to rely
on alternative indications of authentication success or failure. This enables a
well implemented Supplicant to avoid being fooled by an attacker spoofing EAP
Failure packets. For example, a Supplicant that receives an EAP-Failure from an
Authenticator outside of an 802.1X exchange can ignore the packet. If the
Authenticator wishes to remove the Supplicant, this will later be followed by a
Disassociation frame, which can be authenticated. Supplicant implementations
that are vulnerable to this attack should fix their implementations. This issue
should be clarified within a revision to the EAP and IEEE 802.11 [TG I]
specifications.

m. Denial of service attacks based on modification
of EAP packets. Integrity protection and encryption of packets is supported
within individual EAP methods. For example, the EAP TLS protocol provides
integrity protection and encryption for authentication and key management
exchanges, including indications of Failure (TLS Alert) and Success (Finished
message). In addition, more recent proposals protect the entire EAP exchange by
encapsulating it within TLS. These proposals are known as Protected EAP (PEAP)
and Tunnelled TLS (TTLS). Customers wishing to [mitigate] packet modification
attacks should migrate to use of the EAP TLS, PEAP or TTLS protocols. (qtd.
in The Unofficial 802.11 Security Web Page, “Known issues with
pre-standard IEEE 802.11 [TG I] implementations”)
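The EAPOL/EAP exchange that items h through l above refer to, and that the Medium Security Risk section below walks through step by step, can be simulated end to end. This is an added example written for this page, not code from the paper, from Cisco, or from any supplicant or access point product: a toy HMAC challenge/response stands in for a real EAP method, the message names, the station table size and the sample credential are invented, and the point is the control-flow advice in those items: keep the controlled port closed until the server accepts, allocate nothing on EAPOL-Start (item i), filter the unauthenticated EAPOL-Logoff (item h), and ignore a premature Success or a stray Failure (items k and l).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Msg:
    src: str          # sender MAC; "AP" for frames from the access point
    kind: str         # EAPOL-Start, EAPOL-Logoff, Identity, Challenge, Response, Success, Failure, Data
    body: bytes = b""


USER_DB = {"alice": b"correct horse battery staple"}   # constructed sample credential


class AuthServer:
    """RADIUS stand-in running a toy mutual challenge/response (HMAC-SHA256 over a
    nonce in each direction). It stands in for a real EAP method such as EAP TLS."""

    def __init__(self):
        self.pending = {}

    def challenge(self, identity: str) -> bytes:
        self.pending[identity] = os.urandom(16)
        return self.pending[identity]

    def verify(self, identity: str, response: bytes):
        """Access-Accept: return the server's own proof. Access-Reject: return None."""
        nonce, secret = self.pending.pop(identity, None), USER_DB.get(identity)
        if nonce is None or secret is None:
            return None
        expected = hmac.new(secret, nonce + b"client", hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        return hmac.new(secret, nonce + b"server", hashlib.sha256).digest()


class Supplicant:
    """Client. Items k and l: a Success or Failure that arrives before our own method
    has run is ignored, and a Success only counts if it carries the server's proof."""

    def __init__(self, mac: str, identity: str, secret: bytes):
        self.mac, self.identity, self.secret = mac, identity, secret
        self.nonce, self.authorized = None, False

    def handle(self, m: Msg):
        if m.kind == "Identity":
            return Msg(self.mac, "Identity", self.identity.encode())
        if m.kind == "Challenge":
            self.nonce = m.body
            return Msg(self.mac, "Response", hmac.new(self.secret, m.body + b"client", hashlib.sha256).digest())
        if m.kind == "Success" and self.nonce is not None:
            proof = hmac.new(self.secret, self.nonce + b"server", hashlib.sha256).digest()
            self.authorized = hmac.compare_digest(proof, m.body)
        return None


class Authenticator:
    """Access point with an 802.1X controlled port per station: only EAPOL passes while
    the port is unauthorized, data is dropped. Item i: EAPOL-Start allocates nothing for
    a known station and the station table is bounded. Item h: EAPOL-Logoff cannot be
    authenticated, so it is filtered; a disassociation would be the real signal."""
    MAX_STATIONS = 64   # invented bound for the example

    def __init__(self, server: AuthServer):
        self.server, self.port, self.identity, self.delivered = server, {}, {}, []

    def receive(self, m: Msg):
        if m.src not in self.port:
            if len(self.port) >= self.MAX_STATIONS:
                return None                          # table full: drop, never crash
            self.port[m.src] = "unauthorized"
        if m.kind == "EAPOL-Start":
            self.port[m.src] = "unauthorized"        # restart in place, no new allocation
            return Msg("AP", "Identity")
        if m.kind == "Identity":
            self.identity[m.src] = m.body.decode()
            return Msg("AP", "Challenge", self.server.challenge(self.identity[m.src]))
        if m.kind == "Response":
            proof = self.server.verify(self.identity.get(m.src, ""), m.body)
            if proof is None:
                return Msg("AP", "Failure")
            self.port[m.src] = "authorized"          # Access-Accept opens the controlled port
            return Msg("AP", "Success", proof)
        if m.kind == "Data" and self.port[m.src] == "authorized":
            self.delivered.append(m.body)
        return None                                  # EAPOL-Logoff, or data on a closed port


def run_exchange(ap: Authenticator, sup: Supplicant):
    """Drive one station from EAPOL-Start to completion; return (port state, client view)."""
    m = Msg(sup.mac, "EAPOL-Start")
    while m is not None:
        reply = ap.receive(m)
        m = sup.handle(reply) if reply is not None else None
    return ap.port.get(sup.mac), sup.authorized


def demo():
    ap = Authenticator(AuthServer())
    alice = Supplicant("00:11:22:33:44:55", "alice", USER_DB["alice"])
    r = {}
    ap.receive(Msg(alice.mac, "Data", b"too early"))          # port closed: dropped
    r["alice"] = run_exchange(ap, alice)
    ap.receive(Msg(alice.mac, "Data", b"payroll.csv"))
    ap.receive(Msg(alice.mac, "EAPOL-Logoff"))                # spoofed logoff (item h): ignored
    r["delivered"], r["after_logoff"] = list(ap.delivered), ap.port[alice.mac]
    bob = Supplicant("00:11:22:33:44:66", "alice", b"wrong password")
    bob.handle(Msg("AP", "Success", b"\x00" * 32))           # rogue AP, premature Success (item k)
    r["premature_success"] = bob.authorized
    r["bob"] = run_exchange(ap, bob)                          # wrong secret: Failure
    for i in range(10_000):                                   # EAPOL-Start flood (item i, fig. 4)
        ap.receive(Msg(f"02:00:00:00:{i >> 8:02x}:{i & 0xFF:02x}", "EAPOL-Start"))
    r["stations_tracked"] = len(ap.port)
    return r
```

In the simulated flood the authenticator's state stays capped at the table bound and every legitimate station's port state survives the spoofed logoff, which is the behaviour the items above ask vendors to implement; a real implementation would additionally age entries out of the table and rate-limit per source.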
Figure 4 802.11b client spoofing EAPOL-Start frames

While the world is waiting for complete
support of the 802.1X protocol, temporary solutions abound. Many of the vulnerabilities in EAP can be
closed by wrapping EAP in an encrypting protocol, the most common of which is TLS
because of Microsoft's support for it.
EAP plus such a protocol can secure most 802.11b networks to an
enterprise-acceptable level. Above
and beyond 802.11b packet-level security, IP-based encryption is the most
widespread and readily available security solution.
Many enterprise organizations already have a VPN (Virtual Private
Network) or SSH server which can be used to further protect the confidentiality and
integrity of the data. Placing a VPN or SSH gateway behind
each access point and having it report back to a central server provides
security in both the wired and wireless realm.
Mindful of the new and
upcoming standards as well as the security problems with the existing
standards, Cisco is securing its Access Points using a combination of a
proprietary EAP called LEAP (Lightweight Extensible Authentication Protocol)
and the TKIP provisions being drafted by 802.11 TG I.
The following is an excerpt from a Cisco product bulletin regarding the
security enhancements to the Cisco AP-350 access point:

· Mutual authentication—The Cisco
Aironet Wireless security solution offers customers a mutual authentication
scheme instead of one-way authentication. Standards-based mutual authentication
implementations that are easily deployable are still evolving. Therefore, Cisco
created EAP—Cisco Wireless (LEAP) to ensure mutual authentication between a
wireless client and a back end RADIUS [Remote Authentication Dial-In User
Service] server (Access Control Server 2000 V2.6). Communication between the
access point and the RADIUS server is via a secure channel. This eliminates
"man-in-the-middle attacks" by rogue access points and RADIUS
servers. Even though [this bulletin] does not address this area of concern,
Cisco recommends that customers factor this class of vulnerability into their
wireless security requirements.

· Secure key derivation—The
original shared secret secure key derivation is used to construct responses to
the mutual challenges. It undergoes irreversible one-way hashes that make
password-replay attacks impossible. The hash values sent over the wire are
useful for one-time use only at the start of the authentication process, never
after.

· Dynamic WEP keys—In addition, by offering a
hassle-free, dynamic per-user, per-session WEP key, Cisco has made it easy for
administrators to move away from static WEP keys, thus increasing the security.
Cisco believes that one of the biggest security exposures in WLANs is primarily
due to static WEP and the tremendous administrative burden it imposes. With the
Cisco Aironet solution, session keys are unique to the users and are not shared
among them. Also, with LEAP authentication, the broadcast WEP key is encrypted
using the session key before being delivered to the end client. By having a
session key unique to the user, and by tying it to the network logon, the
solution also eliminates vulnerabilities due to stolen or lost client cards or
devices.

· Re-authentication policies—Customers
can also set policies for re-authentication at the back-end RADIUS server
ACS2000. This will force users to re-authenticate more often and get new
session keys. Because the vulnerability window can be configured to be very
small, we can minimize attacks where traffic is injected during the session.

· Initialization Vector changes—The Cisco
Aironet wireless security solution also changes the initialization vector (IV)
on a per-packet basis so that hackers can find no predetermined sequence to
exploit. This capability, coupled with the reduction in possible attack
windows, greatly mitigates exposure to hacker attacks due to frequent key
rotation. In particular, this makes it difficult to create table-based attacks
based on the knowledge of the IVs seen on the wireless network. (Cisco Product Bulletin, “Cisco enhancements to
802.11b WEP to increase security”)

While this is of course a
proprietary solution and likely not compatible with other vendor products, it
does provide a complete enterprise solution.
The underlying provisions (mutual authentication, per-session keys, per-packet IVs and
re-keying) are those being drafted by 802.11 TG I, but the final standard may or may not
follow Cisco's implementation methods. Note also that LEAP derives its challenge responses
from the user's password (the "original shared secret" above), so it is a password-based EAP
method and the dictionary-attack warning in item f applies to it: an attacker who sniffs a
challenge/response pair can test candidate passwords offline. Strong passwords are therefore
essential with LEAP.
Like Cisco, most equipment vendors have their own answers to the 802.11b
security puzzle, each with its own caveats that must be investigated. Checking with your equipment vendor is
recommended.

VPNs and security
Any
IP-based encryption protocol offers the same protection for the confidentiality and integrity of
your data on a wireless LAN as it would on a wired one, because it assumes nothing about the link beneath it. This is the best solution to the 802.11b
encryption problem, aside from a large hardware investment, that is currently
available. Once a client's traffic is inside the tunnel, the attacks that remain are denial of service
at the 802.11b layer, directed at the access point or the client, and attacks on the client itself, which
sits on an untrusted segment until its tunnel is up; the wireless segment should therefore be separated
from the wired network by a firewall that passes only VPN traffic. A VPN
addresses the WEP security problems, but, as is documented in The Unofficial 802.11 Security Web Page, “almost all IPsec tunnel mode
products shipping today are proprietary, interoperability is poor and many of
the proprietary extensions have security flaws”
(The Unofficial
802.11 Security Web Page, “VPN standards and security analyses”). The
following reference has been collected from The Unofficial 802.11 Security Web Page:

Security analysis of PPTP [Point to Point Tunneling Protocol] v2 (The Unofficial 802.11 Security Web Page, “VPN standards and security analyses”)

Conclusion
Wireless security is an
issue regardless of the size or type of your business. In order to evaluate
your security needs, you need first to identify the kind of data you will be
sending, the exposure of the network to the public, and the level of security
currently employed in the network infrastructure. The level of necessary security is
proportional to the sensitivity of the data being transferred--lower levels of
sensitivity do not require high levels of security. Effective wireless network engineering will
take into account the sensitivity of the information on the network as well as
the potential for attack to implement a practical, affordable solution.

Low Security Risk
Wireless networks falling
under this category are characterized by low sensitivity of transmitted data,
low level of public exposure, and/or networks at little risk for attack. These networks generally include personal
networks, inventory systems, and temporary networks. The data on these networks generally is not
an attractive target for potential attack due to the fact that little will be
gained from entering or attacking such systems.
Most networks in this category should be satisfied with the most basic
level of security inherent to 802.11b wireless networking. Simple security implementations are included
in the network standard and are sufficient deterrents for the casual
attacker—all that should be necessary to protect a network of this type. A brief summation of low level security
options follows:

Turn off SSID (Service Set Identifier) broadcast

The SSID is the name
of the WLAN, broadcast in beacon frames to everything within range of the network.
The SSID enables users or clients to easily locate the network from any
location within the coverage area. All
access points will broadcast the SSID in their beacons unless this feature is disabled. While the operation of SSID is beneficial
because it allows wireless devices to locate and utilize the network services,
this creates an obvious security problem.
A person interested in locating a network of which he is not a part can
find the network due to the publicly broadcast SSID, associate, and utilize the
services with only the standard 802.11b client software. Disabling the SSID broadcast limits the ability of
random users to find the network by eliminating the beacon announcement, simply
requiring that the network administrator supply clients with the necessary
network information. Note that this hides the network only from casual clients: the SSID is still sent in
the clear in probe responses and in every association request, so anyone running a sniffer learns it
as soon as a legitimate client connects.

MAC Address Limiting

The MAC address is a unique
address that identifies each node on a WLAN and allows the access point to
differentiate between the data being sent from client to client. It recognizes the client, gives permission
for the client to log on to the network, and makes sure data is sent to the
appropriate user. You can limit which MAC
addresses you will allow on the network from the access point. This prevents people from associating with
the access point if the administrator has not recorded the MAC address in the
table of allowed MAC addresses. This is,
of course, administrative-intensive, and so is not practical for situations in
which the clients are extremely dynamic. It is also only a deterrent: MAC addresses are sent in the clear
in every frame, and most client cards allow the address to be changed in software, so an attacker can
sniff an allowed address and adopt it.

IP Address Limiting

An IP address is an address
on a network which identifies a particular client. This address can be constant if you are
running a static network, or it can change in the case of a DHCP server which
gives IP addresses to clients on the network.
Unauthorized users may gain access to the network by associating with an
access point and guessing an IP address from those within the class C grouping. This is easily accomplished by simply
accessing publicly available information and trying each address in turn. There are scripts that will perform this task
at a high rate of speed. IP address
blocking is similar to MAC address blocking in that it only allows certain IPs
to access the network. For static
networks, this can be accomplished by assigning a specific and unchanging IP
address to each client. This can be
combined with MAC address blocking to require a specific IP address to be
attached to a specific MAC address, such that the combination must be
recognized in order for the client to gain access to the network. If you require a DHCP server in your network,
IP blocking will not be appropriate as it will prevent the proper function of
the DHCP server, unless the server is configured with a fixed reservation for each allowed MAC address
so that every client always receives the same address.

WEP (Wired Equivalent Privacy)

WEP is a security mechanism which is part of
the 802.11 standard. It was designed to
provide 802.11 networks with the same level of security as that found on wired
networks. It has been at the center of the 802.11 security debate since it was
found to be insecure in and of itself due to a flaw in the way it uses the RC4 cipher.
WEP forms each packet's RC4 key by prepending a 24-bit initialization vector (IV), sent in the clear,
to the shared secret key, and a fraction of those IVs produce "weak" per-packet keys whose first
keystream byte leaks information about the secret key. A WEP-cracking program that collects enough
packets carrying weak IVs can recover the key, and because the integrity check value is a plain CRC-32
an attacker can also alter the contents of a captured frame without knowing the key. The work
required grows only linearly with key length, so 128-bit WEP is not much harder to crack than
40-bit WEP; it will, however, not be cracked by anyone who is not intent on doing so.
On a small network on which there is very little data (<10 Megabytes)
going over the network per day there is little chance WEP will be cracked,
because few packets means few weak IVs for an attacker to collect.
Combined with weekly or even monthly key changes there is little chance
a WEP key will be cracked even over a long period of time. WEP does have another, unrelated drawback in
that it adds a little extra data to each packet (the IV and the ICV). This extra data is overhead that
reduces the throughput available to clients. This
issue simply requires that the administrator find an appropriate balance
between encryption and acceptable throughput levels.

Medium Security Risk
Wireless networks falling
under this category are characterized by medium sensitivity of transmitted
data, low to medium level of public exposure, and/or networks at some risk for
attack. These networks generally include
billing and accounting networks with low traffic, company networks with
occasional trade secrets, and permanent networks in public places with little
data exchange. The data on these
networks is somewhat sensitive and therefore an attractive target for potential
attack. Most networks in this category
should be satisfied with the grade of security offered by the new 802.1x
provisions. A brief summation of medium
level security options follows:

EAP (Extensible Authentication Protocol)

EAP works by
authenticating users to a back-end RADIUS (Remote Authentication Dial-In User
Service) server. After the client
requests access to an access point, the access point places the client's port in an
unauthorized state in which the only traffic it will pass is EAP over LAN (EAPOL), beginning with the
client's EAPOL-Start message.
The access point returns an EAP Request/Identity message. The
client returns an EAP Response/Identity, which is then forwarded by the access point to the
RADIUS server. The RADIUS server runs the chosen EAP method (a challenge/response or a TLS
handshake) to authenticate the user and then returns an Access-Accept or an
Access-Reject message back to the access point. If an Access-Accept is received, the
access point changes the port state to authorized and normal traffic can
then begin; until then every data frame from the client is discarded. EAP by itself is only a framework and does little to
stop the determined attacker, but when EAP carries a strong method
such as TLS the combination becomes a very powerful deterrent.

TLS (Transport Layer Security)

TLS is a security protocol
that, when combined with EAP, yields a very secure mutual (client and server)
authentication with encrypted key exchange.
Certificates must be installed in each client's certificate store or provided
on smart cards. The clients must have a
supplicant that supports both EAP and TLS.
To provide an added level of safety the time for re-authentication or
session time-out length should be kept low.
This changes the encryption keys regularly and at short intervals,
limiting how much traffic an attacker can collect under any one key. Every currently available
802.1X implementation for 802.11 is pre-standard and vendor-specific in how it derives and distributes
keys, so you must take into account the caveats of
each one.

High Security Risk
Wireless networks falling
under this category are characterized by high sensitivity of transmitted data,
high level of public exposure, and/or networks at great risk for attack. These networks include accounting networks
with medium to high traffic levels, company networks with top trade secrets,
and permanent networks in public places with high levels of data exchange. The data on these networks is very sensitive
and therefore an attractive target for potential attack. Most networks in this category should be
implementing security measures from the 802.1x standard and added security at
the TCP/IP layer:

VPN (Virtual Private Network)

Virtual Private Networks are
private data networks that are implemented in some way other than the
traditional manner of leasing dedicated telephone lines. VPNs require some
additional software and usually additional hardware such as a VPN gateway. A VPN encrypts data and usually
authenticates users with a rotating or generated credential rather than a static password. This
allows networks to be connected by “tunneling” through the public networks,
encapsulating the data in an encryption scheme that is as strong as you want it
to be. This is at the TCP/IP layer, so it
will not stop denial of service attacks directly at the 802.11 layer; those require the authenticated
management frames that 802.11 TG I is drafting (item c above). This solution protects the
confidentiality and integrity of the data in transit. Each VPN system is different and
every one must be evaluated on its own merits.
Your encryption level must be balanced with the amount of overhead that
the network can stand.

Figure 5 Complete End-to-End Security

In conclusion, it is recommended from a
network standpoint to implement the third (high security) level on your network. By beginning with proper RF engineering,
utilizing an 802.11b packet-level security and authentication scheme (EAP+TLS)
and implementing top-level VPN security, you can secure your enterprise-class
network until the 802.11 TG I security standard is fully supported [fig. 5].

Glossary of Terms
802.11b - Applies to wireless LANs and provides up to 11 Mbps transmission (falling back to 5.5, 2 and 1 Mbps) in the 2.4 GHz band using direct sequence spread spectrum (DSSS). The original 802.11 standard provided 1 or 2 Mbps using either frequency hopping spread spectrum (FHSS) or DSSS.

802.1x - Also written 802.1X. The IEEE standard for port-based network access control, adopted as the basis for wireless LAN security by the Institute of Electrical and Electronics Engineers (IEEE). An access point that supports 802.1X and its authentication protocol, Extensible Authentication Protocol (EAP), acts as the interface between a wireless client and an authentication server, such as a Remote Authentication Dial-In User Service (RADIUS) server, to which the access point communicates over the wired network.

Access Point - A wireless LAN data transceiver that uses radio waves to connect a wired network with wireless stations.

AES - Advanced Encryption Standard, a symmetric 128-bit block data encryption technique developed by Belgian cryptographers Joan Daemen and Vincent Rijmen. The National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce selected the algorithm, called Rijndael (pronounced Rhine Dahl or Rain Doll), in October 2000 out of a group of five finalists, including one called MARS from a large research team at IBM, to replace the DES encryption the U.S. government used.

Associated - A station is configured properly to allow it to wirelessly communicate with an access point.

Bandwidth - Specifies the amount of the frequency spectrum that is usable for data transfer. It identifies the maximum data rate that a signal can attain on the medium without encountering significant power loss.

Cipher Suite - A group of encryption algorithms (ciphers).

DHCP - Dynamic Host Configuration Protocol. A protocol available with many operating systems that automatically issues IP addresses within a specified range to devices on the network. The device retains the assigned address for a specific administrator-defined period.

DES - Data Encryption Standard. An encryption algorithm derived from IBM's Lucifer cipher and published as a U.S. federal standard in 1977. The replacement for DES will be AES.

DoS - Denial of Service. An attack in which the targeted piece of equipment shuts down or stops functioning, the purpose of which is to deny service.

EAP - Extensible Authentication Protocol. EAP is the protocol for the optional IEEE 802.1X wireless LAN security feature. An access point that supports 802.1X and EAP acts as the interface between a wireless client and an authentication server, such as a Remote Authentication Dial-In User Service (RADIUS) server, to which the access point communicates over the wired network.

EAPOL - Extensible Authentication Protocol Over
LAN. EAP over a LAN. See EAP, LAN. EAP SRP- EAP running in conjunction with SRP.
See EAP, SRP. EAP TLS- EAP running in conjunction with TLS.
See EAP, TLS. Ethernet- The most widely used wired local area network.
Ethernet uses carrier sense multiple access (CSMA) to allow computers to share
a network and operates at 10, 100, or 1000 megabits per second (Mbps),
depending on the physical layer used. Firmware Software that is programmed on a memory chip and
kept in a computer's semi-permanent memory. IEEE- Institute of Electrical and Electronic Engineers.
A professional society that serves electrical engineers through its
publications, conferences, and standards development activities. The body
responsible for the Ethernet 802.3 and wireless LAN 802.11 specifications. IETF- Internet Engineering Task Force. A group of
individuals in network related careers concerned with the continual development
and proper operation of the Internet. IP Address The Internet Protocol
(IP) address of a station. Unique
address of a machine on the World Wide Web. LAN- Local Area Network LEAP- Lightweight Extensible Authentication Protocol, or EAP-Cisco Wireless, is the 802.1X
authentication type that is available for use with operating systems that do
not have built-in EAP support. Support for LEAP is provided in the client
adapter's firmware and the Cisco software that supports it, rather than in the
operating system. With LEAP, a username and password are used by the client
adapter to perform mutual authentication with the RADIUS server through an
access point. MAC Address - The Media Access Control
(MAC) address is a unique serial number assigned to a networking device by the
manufacturer. Message integrity check- A comparison of received packet contents to sent
packet contents so as to determine whether or not the packet has undergone any
changes. Packet - A basic message unit for communication across a network. A packet
usually includes routing information, data, and sometimes error detection
information. PEAP- Protected Extensible Authentication Protocol. A
mutual authentication protocol with session key generation used in a
roaming environment. Radio Channel- The frequency at which a radio operates. RADIUS- Remote Authentication for Dial-In
User Services. An
authentication and accounting system which matches user name and password with
a back-end database. This authorizes
access to the network. Receiver Sensitivity - A measurement of the weakest signal a receiver can
receive and still correctly translate it into data. RF- Radio Frequency. A generic term for
radio-based technology. SNMPv3- Simple Network Management Protocol
version 3. A network
management protocol for the monitoring of all network devices and their
functions. SSH- Secure Shell.
Provides for strong authentication over insecure channels and can be
used to execute commands on remote machines or move files from machine to
machine. SSL- Secure Socket Layer. An
encryption standard commonly used with web clients. SRP- Secure Remote Password. A secure password based authentication and key
exchange protocol that solves the problem of authenticating clients securely. TG I- Task Group I. The group responsible for the development and
updates of the 802.1X standard for 802.11b security. TKIP- Temporal Key Integrity Protocol. A security algorithm developed with the help
of some encryption experts that exposed WEP’s vulnerabilities. See WEP. TLS- Transport Layer Security. See WTLS. TTLS- Tunneling Transport Layer Security. Allows older protocols that may still be in
existence to be used when authenticating clients. The protocol also allows for cryptographic
keying between the client and access point.
It protects against eavesdropping, man-in-the-middle and other attacks
against the cryptography. VPN- Virtual Private Network. A VPN offers private line security over public data
pathways by utilizing high encryption levels.
WEP - Wired Equivalent Privacy. An
optional security mechanism defined within the 802.11 standard designed to make
the link integrity of wireless devices equal to that of a cable. WLAN-Acronym for Wireless Local Area
Network. Also referred to as LAWN. A type of local
area network that uses high-frequency radio waves rather than wires to communicate
between nodes.
WTLS-Short for Wireless Transport
Layer Security. WTLS is the security layer of the WAP, providing
privacy, data integrity and authentication
for WAP services. WTLS, designed specifically for the wireless environment, is
needed because the client and the server must be
authenticated in order for wireless transactions to remain secure and because
the connection needs to be encrypted.
For example, a user making a transaction with a bank over a wireless device
needs to know that the connection is secure and private and not subject to a
security breach during transfer (sometimes referred to as a man-in-the-middle
attack). WTLS is needed because mobile networks do not provide complete
end-to-end security. WTLS is based on the widely used TLS v1.0
security layer used in Internet. Because of the nature of wireless transmissions,
modifications were made to the TLS v1.0 in order to accommodate for wireless'
low bandwidth,
datagram
connection, limited processing power and memory capacity, and cryptography
exporting restrictions Works Cited“The Unofficial 802.11 Security Web
Page”. comp. Aboba. Home page.
Accessed 18 April 2002. <http://www.drizzle.com/~aboba/IEEE/>. Product Bulletin.
“Cisco Aironet Security Solution
Provides Dynamic WEP to Address Researchers' Concerns”. Posted: Thursday 1 November 2001. Accessed 18 April 2002. http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/1281_pp.htm. Source Links
www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/a350w_ov.htm www.networkcomputing.com/1301/1301colmoskowitz.html www.microsoft.com/windowsxp/pro/techinfo/administration/wirelesssecurity/improvedsolutions.asp www.nwfusion.com/reviews/2001/1217rev.html www.certicom.com/about/pr/02/020207_funk.html www.eweek.com/article/0,3658,s=720&a=22272,00.asp |
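The glossary defines a message integrity check as a comparison of received and sent packet contents, and notes that TKIP was developed by people who exposed WEP's weaknesses. The distinction that matters to a defender is between an unkeyed checksum, which any party can recompute and which therefore only catches transmission errors, and a keyed integrity check that only the two endpoints can produce. The following added example (not code from the white paper, nor from any 802.11 implementation) contrasts the two: a CRC-32 integrity value, the kind of unkeyed check WEP's frame format carries, next to an HMAC-SHA256 message integrity check under a shared key. Sample payloads and the key are constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

const (
	icvLen = 4           // CRC-32 integrity check value, unkeyed
	micLen = sha256.Size // HMAC-SHA256 message integrity check, keyed
)

// AppendICV attaches an unkeyed CRC-32 over the payload. This detects
// accidental corruption in transit, but anyone can recompute it.
func AppendICV(payload []byte) []byte {
	frame := make([]byte, len(payload)+icvLen)
	copy(frame, payload)
	binary.LittleEndian.PutUint32(frame[len(payload):], crc32.ChecksumIEEE(payload))
	return frame
}

// VerifyICV reports whether the trailing CRC matches the payload.
func VerifyICV(frame []byte) bool {
	if len(frame) < icvLen {
		return false
	}
	payload, tag := frame[:len(frame)-icvLen], frame[len(frame)-icvLen:]
	return crc32.ChecksumIEEE(payload) == binary.LittleEndian.Uint32(tag)
}

// AppendMIC attaches a keyed message integrity check that only holders of
// the shared key can produce.
func AppendMIC(key, payload []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(payload)
	return mac.Sum(append([]byte(nil), payload...)) // payload || tag
}

// VerifyMIC recomputes the MIC under the key and compares in constant time.
func VerifyMIC(key, frame []byte) bool {
	if len(frame) < micLen {
		return false
	}
	payload, tag := frame[:len(frame)-micLen], frame[len(frame)-micLen:]
	mac := hmac.New(sha256.New, key)
	mac.Write(payload)
	return hmac.Equal(mac.Sum(nil), tag)
}

// SubstitutionOutcome models a frame whose payload was replaced in transit
// by a party that does not hold the key. Against the unkeyed check the
// substitute carries a freshly computed CRC; against the keyed check it can
// only reuse the original tag. It reports whether each verifier accepts it.
func SubstitutionOutcome(key, original, replacement []byte) (icvAccepts, micAccepts bool) {
	icvAccepts = VerifyICV(AppendICV(replacement))

	signed := AppendMIC(key, original)
	oldTag := signed[len(signed)-micLen:]
	substituted := append(append([]byte(nil), replacement...), oldTag...)
	micAccepts = VerifyMIC(key, substituted)
	return icvAccepts, micAccepts
}

func main() {
	// Constructed sample values for the demonstration only.
	key := []byte("constructed MIC key shared by client and AP")
	original := []byte("SET valve=OPEN")
	replacement := []byte("SET valve=SHUT")

	fmt.Println("ICV verifies on untouched frame:", VerifyICV(AppendICV(original)))
	fmt.Println("MIC verifies on untouched frame:", VerifyMIC(key, AppendMIC(key, original)))
	icv, mic := SubstitutionOutcome(key, original, replacement)
	fmt.Println("substituted payload passes unkeyed ICV:", icv) // true
	fmt.Println("substituted payload passes keyed MIC:  ", mic) // false
}
```

The unkeyed value is still worth carrying for error detection, but it says nothing about who produced the frame; only the keyed check ties the contents to a party holding the key, which is the property an authentication scheme such as the EAP+TLS layer recommended above is meant to provide.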