Wi-Fi and security Wireless Networking and Security by Alain RASSEL

22  Download (0)

Full text

(1)

23.11.04 1

Wireless Networking and Security

Wireless Networking and Security

by Alain RASSEL

(2)

Overview:

Overview:

Simple configuration example

Obvious simple protection means

Change Administrator Password

Restrict administrator access to trusted interface

Network Structures

Single firewalled internet attached computer

What does a firewall do?

Internet attached NAT'ted network with wired router

DNS name, IP address and MAC address

More about MAC addresses and DHCP

NAT function

Why NAT acts as a client firewall

(3)

Overview continued.

Overview continued.

Internet attached NAT'ted network with wireless router

Wi-Fi: the problem zone

Simple access protection means

Infrastructure mode

Physical location

ESSID protection

Disabling DHCP

Non-standard IP address

MAC address filter

Why use these methods?

Dissuasion

Data securing with individual firewalls

WEP encryption is insecure

WPA is still secure

(4)

Simple setup: part 1

(5)

Simple setup: part 2

(6)

Simple setup: part 3

(7)

Obvious simple protection

Obvious simple protection

Set/Change Administrator Password

The default passwords for standard equipment are the first ones to be

tried out by crackers.

Restrict administration authorization to computers on trusted interface

This should not, unless specially secured, be the wireless interface.

If no computer resides permanently on trusted interface, repeat simple

(8)

Single firewalled internet

Single firewalled internet

attached computer

attached computer

All data exchanged are filtered by the computer internal firewall

User Programs

Computer to be protected

Firewall in the computer

Internet

Single public IP address

Public Area : probable threats

(9)

What does a firewall do?

What does a firewall do?

Computers on the Internet exchange DATA PACKETS between PORTS using

PROTOCOLS.

A PORT is like a mailbox for sending or receiving a DATA PACKET.

A PROTOCOL is a data exchange procedure.

TCP (Transport Control Protocol) is like a registered letter: you are

sure the recipient receives the packet

UDP (User Datagram Protocol) is like an unregistered letter: the

recipient must confirm he received the data

A specific program inside the computer listens to a port/protocol and

sends his packets to his correspondent from a certain port.

Example: the web server (e.g. APACHE) listens for requests on port

80, and sends his data back to the originating port from which the browser (e.g. Internet Explorer or Mozilla) originated the request.

A client FIREWALL simply blocks all incoming ports, so that our programs do

not receive any packets from external computers.

The only accepted packets are the ones that are sent in response to our

packets, i.e. we only consider answers from computers/programs that we have spoken to first.

As we are a client, not a server, no external machine can take the initiative

to communicate with us.

This would keep programs like P2P file sharing and games from working,

(10)

Internet attached NAT'ted

Internet attached NAT'ted

private network

private network

Data exchanged pass the router with Network Address Translation layer

firewall

Internet

Single public IP address

DHCP server

User computer

User computer

User computer

User computer

User computer

User computer

Private IP addresses

DHCP served

NAT layer

Private area: Computers to be protected

Public Area : probable threats

10.z.y.x 192.168.y.x 172.16.1.x

(11)

DNS name, IP address and

DNS name, IP address and

MAC address

MAC address

Computer (DNS) Name: e.g. www.lgl.lu .

Translation by DNS (Domain Name System). Usually static name attribution, sometimes dynamic attribution by DHCP server.

The IP (Internet Protocol) address (e.g. 158.64.72.230) contains all information

to make a computer reachable from anywhere in the internet.

Translation in case of ethernet or wireless by ARP (Address Resolution Protocol). Initial IP address attribution static or by DHCP server.

The Interface address, also called Media Access Control or MAC address (e.g.

67:8A:BC:DE:F0:12) is specific to the physical communication media used ( e.g. ethernet or wi-fi). In the case of a point-to-point link (e.g. modem

(12)

More about MAC adresses and

More about MAC adresses and

DHCP

DHCP

Programs on different computers talk to each other using ports, protocols and

IP adresses, but on the ethernet (and also the wi-fi) physical level, the interfaces talk to each other using MAC addresses.

Ethernet example: two computers on the same ethernet:

Computer A with IP 10.0.0.1 and MAC 01:02:03:04:05:06 wants to talk to

computer B with IP 10.0.0.2 from which he knows that he is on the same ethernet, but whose MAC address he does not know.

10.0.0.1 sends an ARP (Address Resolution Protocol) ethernet

broadcast over his interface : ARP-who-is 10.0.0.2?

10.0.0.2 is listening to all ethernet broadcasts, he recognizes his IP

address and answers: I am 10.0.0.2 have MAC 11:12:13:14:15:16

How does a computer know his own IP address?

It has been statically configured. Easiest way, but if we give two

computers the same IP address, both will answer the ARP request,and so will become unreacheable.

A central DHCP (Dynamic Host Configuration Protocol) server keeps

book and hands out the IP address on request (ethernet broadcast). Our client computer then does not need to know what network he is in, and he is sure to receive an address the other computers in the same net consider reachable.

(13)

How NAT works

How NAT works

Standard IP communication

(14)

Why NAT acts as firewall

Why NAT acts as firewall

The client-type firewall keeps external computers from initiating connections.

A NAT layer fills the same purpose, because:

NAT translation entries in the router are only generated on the initiative of

the masqueraded computers, not on the initiative of external computers.

The NAT layer hides the IP addresses behind the router: no external

computer can initiate an exchange with a protected computer, as there is no port translation entry in the NAT table at that time.

Making holes into a NAT firewall is more complicated, it can be done by:

Static permanent port forwarding:

always forward a certain port to a certain fixed host. This is generally

called a DMZ (DeMilitarized Zone) host. Used for many P2P programs.

Disadvantage: if the DMZ host can be cracked via that port (i.e. the

listening program), the attacker has an operations base in the (now in)secure zone.

Dynamic temporary port forwarding:

Port Triggering (FTP=File Transfer Protocol, many games,etc.)

(15)

Internet attached NAT'ted

Internet attached NAT'ted

network with wireless router

network with wireless router

Wireless area adds complexity

Internet

ok

ok

Public Area : probable threats

Private area:

Computers to be protected

ok

threat

Wireless area:

Mix of threat and

computers to be protected

additional discrimination

and protection layer needed

ok

Only possible in AdHoc mode Forbidden in Infrastructure mode

(16)

WI-FI : the problem zone

WI-FI : the problem zone

Without wi-fi, it is easy: the private computers can be trusted and must be

protected from the external, internet computers. The private computers are physically secure, we checked them and connected them to the trusted zone.

With wi-fi, we cannot trust all computers within reach of our access point. So,

on one hand, we want to consider our own wireless computer secure, grant it full access to the safe zone and protect it from the internet, but on the other hand, we want to deny a hostile computer in reach of our access point the same privileges.

We cannot use the traditional firewall on the wi-fi interface of the access point,

as the possible intruders are in the same zone as our client station.

Another problem is data confidentiality:all packets are transmitted over radio

waves, any station can eavesdrop on them.

So we must find a way to allow only our computer to talk to the access point,

to keep the access point from relaying packets from unauthorized stations, and to make the data transmitted between the access point and our computer unuseable for eavesdroppers.

(17)

Simple access control means

Simple access control means

In order to prevent uncontrolled direct (i.e. not going through the access point)

communication between our wireless station and a rogue station within its radio reach, restrict our station to Infrastructure mode and disable AdHoc mode.

Place the access point in the center of the area to be covered: physical

distance will make communication harder for rogue stations.

However do not feel completely protected because of this:

any metal object larger than 12.5cm will reflect the radio waves, so

their reach is not always limited by obvious line of sight obstacles!

If a consumer parabolic dish can receive similar frequencies from a

Radio-TV satellite 36000km away, it is obvious that on a free line of sight such a dish can be used to listen in on wi-fi from many

kilometers away!

Prevent the access point from broadcating its ESSID, and manually set the

ESSID to the same value on your station.

The ESSID is a token meant to identify all participants in a wireless net. If

the access point does not broadcast the ESSID, the station must know it to be accepted by the access point.

However do not feel completely protected because of this:

An eavesdropper can intercept the value of the ESSID your station

(18)

More simple access controls

More simple access controls

Obfuscate the IP addresses of your internal network, so as to prevent the

intruder from knowing what IP address to use to be accepted.

Disable the DHCP server on the wireless interface and give a fixed IP

address to your wireless station.

Do not use as internal network the standard preset of your access point

(typically 192.168.0.x or 192.168.1.x) but another subnet in the acceptable range.

However, do not feel completely protected because of this:

An eavesdropper will find out what IP address your station used, and

can use the same one once your station stops transmitting!

Activate the MAC address filter on the wireless interface and restrict access to

the MAC adresses of your computer(s)

However, do not feel completely protected because of this:

By eavesdropping on the ARP broadcasts, an intruder can find out

the authorized MAC address(es).

As many wireless cards allow the reconfiguring of their MAC address,

if the intruder has such a card, he will reconfigure it to broadcast an authorized MAC address he obtained in the step above!

(19)

Why use these methods?

Why use these methods?

If none of the previous methods is completely secure, why should they be

used?

Every single of one of the previous measures makes it more difficult and

tedious to penetrate the wireless network.

Even if you cannot be completely secure, the odds that a casual attacker

will de dissuaded from this target and driven to an easier prey are quite good.

A determined attacker will not be deterred by these means, so they are no

good to protect important data from access or damage (bank account details, etc.)

What can be done to keep data secure in a wireless network?

Do not trust any computer on your wireless network, fit out every

computer in the supposedly secure zone with an individual firewall, just as if it were connected to the internet.

This will keep your data safe, but not keep an intruder from using your

internet access. The chances that an intruder who only wants to use your internet access will be driven away by the previous measures are however quite high.

(20)

What about WEP encryption?

What about WEP encryption?

In principle, if we can encrypt the communication between the access point

and our station, the intruder has lost: none of the previous attacks will succeed, and we are safe.

However, we need an unbreakable encryption scheme, because a broken

encryption scheme provides no more protection than the hassle to use a penetration program, normally readily available on the internet.

A strong encryption scheme means more processing power is needed to

implement it in the access point, so the hardware of the access point becomes more expensive.

Unfortunately the original scheme deployed in wireless devices is a weak

scheme, called WEP (Wired Equivalent Privacy).

In the beginning the methods used to break the scheme needed listening

in on a station for several days, so one could at least be safe by changing the keys every day.

Nowadays it takes programs such as AIRSNORT less than an hour to

crack WEP even with a 128 bit key, so changing the keys every day is no real protection anymore.

This puts WEP in the same efficiency category as the other simple dissuasion

(21)

Are there no better encryption

Are there no better encryption

methods?

methods?

Yes, in particular WPA (stands for WI-FI Protected Access).

WPA needs however more processing power than WEP, so not every old

access point is upgradeable and not every new one has it implemented.

Not only the access point must support WPA, but the driver of the

wireless station card must also be able to use it.

If you have not yet bought your wireless equipment, make sure it fully

supports WPA.

WPA comes in two flavours:

WPA-PSK (Pre-Shared Key) which depends on a secure secret key

being shared between the access point and the station. If the key is chosen too simple, the encryption can be broken via a dictionary attack (program already available on the internet). It is of utmost importance to choose a non-obvious, long enough (20 characters or more) for WPA-PSK to be secure.

WPA with RADIUS server. This entails an infrastructure too complex

for this presentation.

WPA has a small theoretical weakness that nobody has exploited yet. Because

of this weakness an improved standard, WPA2 is currently being readied.

For completeness' sake, we mention a technique called 'end-to-end encryption

via VPN ' that can be used, along with an appropriate network structure, to integrate a wireless station securely into the safe net. This technique does not however prevent abuse of the internet connection.

(22)

Conclusions

Conclusions

Complete security can only be achieved through the use of WPA, with a strong

password in the case of WPA-PSK.

Data security can be achieved by considering the private network insecure

and putting an individual firewall on every computer.

Simple measures will probably dissuade a casual attacker from stealing

bandwidth while the data is secure behind the individual firewalls.

WEP can only be counted as a dissuasion measure against a casual attacker,

not as a secure protection.

And the META-CONCLUSIONS:

Every security feature is a trade-off between the amount of threat it

averts and the hassle it is to implement!

Where security is the concern, paranoïa is not a disease, but a survival

trait!

Figure

Updating...

References

Related subjects :