THE WIRELESS PARADIGM - Texas Tech University

THE WIRELESS PARADIGM
ISQS 6342
Spring 2003
R.K. Miller
INTRODUCTION
The concept of a wireless LAN (or of wireless home networking, which is a wireless
LAN on a small scale) is to use omnidirectional radio-frequency carrier signals to
carry digital data between desktop and laptop computers, and between those devices
and an Internet gateway. A home network or corporate LAN cabled with Ethernet
operates in the same way as the wireless version, except that the wireless version
loses the “wire.” The market for home, Small Office/Home Office (SOHO) and
large-scale corporate users has just begun to take off. Though the technology and the
unlicensed bandwidth have been available since 1985, only since 1999 has equipment
come down in price enough to make this option attractive to corporate and individual
consumers. Add to this the very recent advances in encrypting frames transmitted over
the air and in controlling access to “access points,” and the security shortcomings
of wireless are approaching those of wired configurations, provided those newer
measures are actually deployed. A WLAN left at its factory defaults is far weaker
than a wired LAN, because anyone within radio range is effectively on the “wire.”
STANDARDS
Spectrum – In 1985 the FCC opened unlicensed spread-spectrum operation in three
bands originally set aside for Industrial, Scientific and Medical equipment (“ISM”).
The ISM label applies to all three bands together, not one word per band:
902 -- 928 MHz
2.4 -- 2.4835 GHz
5.725 -- 5.850 GHz
The 5.15 -- 5.35 GHz range used by 802.11a is not ISM spectrum; it belongs to the
Unlicensed National Information Infrastructure (U-NII) bands the FCC opened in 1997
(see 802.11a below). Unlicensed (Part 15) devices in all of these bands must accept
interference from licensed and ISM users and may not cause harmful interference to them.
802.11 / 802.11b – The original 1997 IEEE 802.11 standard defined the physical layer
(Layer 1) and the MAC for the first generation of wireless LANs in the 2.4 GHz band,
at 1 or 2 Mbps, using either frequency hopping spread spectrum (“FHSS”) or direct
sequence spread spectrum (“DSSS”) modulation. The 1999 802.11b amendment kept DSSS
and raised the data rate to 11 Mbps; it is now widely available.
Problems with 802.11b
• It has gotten a bad “security” rap because most users have failed to
enable WEP and other security measures (and, as discussed under Security
Issues, WEP has design flaws even when it is enabled).
• Although the 2.4 GHz band is open to all, an unlicensed WLAN device has no
protection from interference: ISM equipment, above all microwave ovens, has
the right-of-way, and a Part 15 device must simply accept whatever
interference it causes. A WLAN NIC operates at about 100 mW versus a
microwave oven’s 600-1000 W, so even small leakage can swamp a channel.
• Maximum data transfer rates are presently 11 Mbps with direct sequencing
(with an aggregate of up to 33 Mbps by using all three non-overlapping
22-MHz-wide channels at once). With major corporate networks wanting
100 Mbps pipes (and higher, especially with video applications), this is a
serious limitation.
ENTER 802.11a
(are we going backwards??)
802.11a -- uses 300 MHz of U-NII spectrum divided into three 100 MHz sections: 5.15 – 5.25
GHz, 5.25 – 5.35 GHz and 5.725 – 5.825 GHz, each with a different maximum transmit
power. Orthogonal Frequency-Division Multiplexing (OFDM), whose subcarriers overlap
without guard bands because they are mutually orthogonal, is used. 802.11a’s faster speed
(54 Mbps) and better data reliability through forward error correction (convolutional
coding, not present in 802.11b) are presently somewhat outweighed by high equipment costs,
putting it out of the range of most consumers, e.g. Circuit City has a Linksys Access Point
(without router) priced at $299. Note that 802.11a brings no security improvement of its
own: it uses the same WEP encryption and the same Open/Shared Key authentication as
802.11b. Both 802.11a and 802.11b use the same MAC protocol: carrier sense multiple
access with collision avoidance (“CSMA/CA”).
The Corporate Potential – For corporate WLANs the 5.25-5.35 GHz range (U-NII 2)
and the 5.725-5.825 GHz range (U-NII 3) offer the most attraction. Devices in these bands
may transmit at up to 250 mW and 1 W respectively (vs. 50 mW for U-NII 1), and are
permitted indoors/outdoors and outdoors respectively. The former can easily handle
intra-building WLANs, while the latter is favored for point-to-point and
point-to-multipoint installations. Guess who uses this type of installation, powered by
Cisco devices?
Cisco Security
What about the Europeans?
Are the standards the same?
HiperLAN/1 and HiperLAN/2 -- Developed by the European Telecommunications Standards
Institute (“ETSI”), these are the European counterparts of the IEEE standards. Both
operate in the 5 GHz band; HiperLAN/2 uses essentially the same OFDM physical layer as
802.11a (54 Mbps), but its MAC is centrally scheduled time division multiple access
(“TDMA”), also seen in European GSM cellular technology, instead of CSMA/CA. HiperLAN is
not likely to be used in the U.S. The more immediate problem is regulatory: European
rules for the 5 GHz band require dynamic frequency selection (DFS) and transmit power
control (TPC), which HiperLAN/2 provides and 802.11a lacks, so 802.11a equipment is not
yet certifiable in those markets (802.11b at 2.4 GHz is usable in Europe under ETSI
rules). IEEE is addressing the 5 GHz gap in the 802.11h amendment, and IEEE and ETSI are
trying to work out the remaining incongruities.
Other Standards and Technologies
802.11g – Myth or fact? Pre-standard equipment is already shipping ahead of final
ratification. It operates in the 2.4 GHz band and is basically an enhanced version of
802.11b: a new physical layer extension brings the OFDM modulation of 802.11a down to
2.4 GHz for data rates up to 54 Mbps, while remaining backward compatible with 802.11b
clients. This technology will be beneficial for improved access to fixed network LAN and
inter-network infrastructure (including access to other wireless LANs) via a network of
access points, as well as for creating higher performance ad hoc networks. It does not
address security issues; those are handled by 802.1X for authentication and by the
separate 802.11i amendment, still in progress, for encryption and integrity.
Other Standards (cont.)
Bluetooth -- The much heralded, easy and cheap solution for linking PCs, PDAs,
laptops and other electronic devices in home, office and public environments just has
not gotten off the ground. The Bluetooth device is a small 1/3 inch square chip which can
be integrated into all these devices and should allow hook-ups within about a 30 foot
(10 meter) range. Present cost per device is $30, expected to drop to $4. Few PC and other
electronic device manufacturers have incorporated Bluetooth into their products. Because
its data link protocol is inefficient and it uses FHSS, usable data throughput is well
under 1 Mbps (roughly 720 Kbps), also in the crowded 2.4 GHz band. It began as an industry
specification from the Bluetooth SIG rather than an IEEE standard; IEEE has since adopted
it as 802.15.1.
Infrared -- Not really part of the traditional wireless technology, though an infrared
physical layer is part of the original 802.11 standard, infrared is limited by
line-of-sight restraints and operates effectively only within a small range unless relay
reflectors are used. It is not really a viable competitor in the home market, but is
better suited to building-to-building links. It is also relatively expensive.
Ultra Wideband – More about this later. This may be the real sleeper in the whole
wireless scenario as it promises data transfer speeds of up to
1 Gbps over a two kilometer range.
EQUIPMENT
Wireless Cards/Adapters – These devices allow each electronic unit (PC, laptop, PDA,
etc.) to talk directly to another so-equipped device (ad hoc topology) or to an access
point. Their price varies with the data transmission technology.
Access Points (called Network Access Points, NAP, on these slides) – An access point
bridges the wireless clients associated with it onto a wired segment (a cable or ADSL
modem, a server, or the corporate LAN) and relays frames between those wireless clients;
in infrastructure mode all client traffic passes through it, which is also why the access
point is the natural place to enforce authentication and encryption.
Routers – A router forwards traffic between IP networks and typically adds NAT, DHCP and
a basic firewall in front of the modem, just as a regular wired router does.
NAP/Router Combo – Combines an access point with a router, but usually costs more.
Linksys
Security Issues
The Human Factor – first and foremost, as with wired networks, the ultimate
weak link has two legs, two arms and not much upstairs. The Wardrive coalition,
which did a study of WLANs by literally driving around and connecting to them,
found that 72% of the access points/networks they reached did not even have
“Wired Equivalent Privacy” (WEP) enabled.
Authentication – is the client who is trying to gain access to the network via the
access point a bona fide user? 802.11b and 802.11a are very weak here: the standard
defines only two authentication methods, Open System (no authentication at all,
sometimes called “NULL” authentication) and Shared Key, a WEP-based
challenge-response described below.
Security Issues (cont.)
Shared Key Authentication is a rudimentary cryptographic technique for
authentication. It is a simple “challenge-response” scheme based on whether a client
has knowledge of a shared secret. A random challenge is generated by the access
point and sent to the wireless client. The client, using the shared WEP key, encrypts
the challenge and returns the result to the AP. The AP decrypts the result computed
by the client and allows access only if the decrypted value is the same as the random
challenge transmitted. It does not provide mutual authentication, and therefore
there is no assurance that a client is communicating with a legitimate AP and
wireless network. Such unilateral challenge-response schemes have long been
known to be weak and suffer from numerous attacks, including the infamous
“man-in-the-middle” attack. Worse, because both the cleartext challenge and its
WEP-encrypted response travel over the air, an eavesdropper can XOR the two to
recover the RC4 keystream for that IV and then answer any later challenge without
ever learning the key.
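The keystream-recovery weakness described above, as an added example that is not part of the original slides or of any vendor's code. It simulates the 802.11 Shared Key handshake with RC4 and a 40-bit key, then replays a recovered keystream to pass a fresh challenge. The key bytes and IV are constructed for the demo; the 128-byte challenge length is the one 802.11 specifies.

```python
"""WEP Shared Key Authentication and keystream recovery (added example).

Simulates AP challenge -> client WEP-encrypts it -> AP checks, then shows
that an eavesdropper who captured one handshake can pass the next one
without the key. Key and IV are constructed sample values.
"""
import os
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream (KSA + PRGA); WEP seeds it with IV || secret key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP Integrity Check Value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (in the clear) || RC4(IV || key) XOR (plaintext || ICV)."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return (plaintext, icv_ok). WEP keeps no IV state, so any IV is accepted."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + key, len(body)))
    data, tag = plain[:-4], plain[-4:]
    return data, icv(data) == tag


class AccessPoint:
    """Shared Key authenticator: random 128-byte challenge, expects it back under WEP."""

    def __init__(self, key: bytes):
        self._key = key

    def challenge(self) -> bytes:
        return os.urandom(128)

    def verify(self, challenge: bytes, response: bytes) -> bool:
        data, ok = wep_decrypt(self._key, response)
        return ok and data == challenge


def client_response(key: bytes, iv: bytes, challenge: bytes) -> bytes:
    """Legitimate station: WEP-encrypt the challenge text it just received."""
    return wep_encrypt(key, iv, challenge)


def recover_keystream(challenge: bytes, response: bytes):
    """Eavesdropper: challenge (clear) and response are both on the air, so
    keystream for that IV = (challenge || ICV(challenge)) XOR encrypted body."""
    iv, body = response[:3], response[3:]
    return iv, xor(challenge + icv(challenge), body)


def forge_response(iv: bytes, keystream: bytes, challenge: bytes) -> bytes:
    """Answer a new challenge by reusing the recovered keystream; no key needed."""
    body = challenge + icv(challenge)
    return iv + xor(body, keystream)


def demo(key: bytes = bytes.fromhex("0123456789"), iv: bytes = b"\x01\x02\x03"):
    """Returns (legit_accepted, forged_accepted, recovered_keystream_is_exact)."""
    ap = AccessPoint(key)
    c1 = ap.challenge()
    r1 = client_response(key, iv, c1)          # this exchange is sniffed
    legit_ok = ap.verify(c1, r1)
    iv_seen, ks = recover_keystream(c1, r1)
    c2 = ap.challenge()                        # attacker's own attempt, later
    forged_ok = ap.verify(c2, forge_response(iv_seen, ks, c2))
    return legit_ok, forged_ok, ks == rc4(iv + key, 132)


if __name__ == "__main__":
    print(demo())   # expected: (True, True, True)
```

The forgery works because the AP never tracks which IVs have been used, so the attacker simply reuses the IV from the captured handshake; the same 132 bytes of keystream also decrypt the first 132 bytes of any data frame sent under that IV.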
Security Issues (cont.)
802.1X Authentication – The IEEE port-based access control standard for wired and
wireless networks; on a WLAN it can deliver dynamic per-user, per-session WEP keys,
removing the administrative burden and security issues surrounding static WEP keys. It
provides a common framework that carries the Extensible Authentication Protocol (EAP);
the actual strength depends on the EAP method chosen. With a method such as EAP-TLS the
credentials used for authentication, such as a log-on password, are never transmitted in
the clear over the wireless medium, and the client verifies the server as well. Adding
an “Access Control List” (“ACL”) of authorized MAC addresses costs little but also
adds little: MAC addresses are sent in the clear in every frame and are trivially
spoofed, so the ACL stops casual association, not a determined attacker.
Confidentiality/Frame Encryption – “For Your Eyes Only.” The 802.11b standard
supports privacy (confidentiality) through WEP, which encrypts each frame with the RC4
stream cipher. WEP uses a 40-bit or 104-bit secret key; vendors advertise these as
64-bit and 128-bit because the 24-bit initialization vector (“IV”) prepended to the key
is counted, but the IV is sent in the clear in every frame and adds no secrecy.
Brute-forcing a 104-bit key is infeasible, but key length is not WEP’s problem: the
Fluhrer-Mantin-Shamir attack on RC4’s key scheduling recovers the key from on the order
of a million captured frames regardless of its size, and the 24-bit IV space guarantees
keystream reuse on a busy network. The graph on the following slide illustrates the WEP
frame encryption process. Layering IPsec (or another VPN) over the WLAN and rotating
keys regularly through a key management service such as Kerberos brings this aspect of
WLAN security up to its wired cousin’s standards without waiting for a WEP replacement.
Security Issues (cont.)
Integrity – 802.11b protects each frame with an Integrity Check Value that is a plain
Cyclic Redundancy Check (CRC-32), computed over the plaintext and encrypted along
with it at the MAC level, as shown in the previous diagram. If the CRC at the
receiver does not match, the packet is discarded as an integrity violation
(perhaps a message spoofer). But this combination of a non-cryptographic checksum
with a stream cipher is dangerous: CRC-32 is linear, so an attacker who flips bits
in the ciphertext can compute the matching change to the encrypted CRC without
knowing the key, and the AP accepts the altered frame. It also enables a reaction
(“oracle”) attack: an attacker can decrypt a captured packet by systematically
modifying the packet and its CRC, replaying it to the AP, and noting whether the
packet is acknowledged.
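The bit-flipping step that underlies both attacks above, as an added example (not from the slides or from any vendor's code). It relies only on CRC-32 being linear over XOR, so the RC4 keystream is modelled as a random secret pad held by the simulated receiver; the attacker never touches it. The frame payload is constructed sample data, and the choice to rewrite a destination address is the classic use of the trick.

```python
"""Bit-flipping a WEP frame without the key (added example).

For equal-length inputs, crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros), so an
attacker who knows which plaintext bytes sit at an offset can XOR a mask
into the ciphertext and patch the encrypted ICV to match. The keystream is
a random secret pad standing in for RC4(IV || key); the attack never needs it.
"""
import os
import zlib


def crc32_le(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class WepReceiver:
    """Holds the secret keystream. protect() is what the sender did;
    receive() is the AP's ICV check on an incoming frame body."""

    def __init__(self, payload_len: int):
        self._pad = os.urandom(payload_len + 4)   # stands in for RC4(IV || key)

    def protect(self, plaintext: bytes) -> bytes:
        return xor(plaintext + crc32_le(plaintext), self._pad)

    def receive(self, ciphertext: bytes):
        plain = xor(ciphertext, self._pad)
        data, tag = plain[:-4], plain[-4:]
        return (data, True) if crc32_le(data) == tag else (None, False)


def icv_delta(mask: bytes) -> bytes:
    """Change to the ICV caused by XORing `mask` into a payload of that length."""
    return xor(crc32_le(mask), crc32_le(bytes(len(mask))))


def flip(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker: replace `old` with `new` at `offset` and fix the ICV, key unknown."""
    mask = bytearray(len(ciphertext) - 4)
    mask[offset:offset + len(old)] = xor(old, new)
    mask = bytes(mask)
    return xor(ciphertext, mask + icv_delta(mask))


def naive_flip(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Same edit without the ICV fix-up: the receiver discards the frame."""
    mask = bytearray(len(ciphertext) - 4)
    mask[offset:offset + len(old)] = xor(old, new)
    return xor(ciphertext, bytes(mask) + bytes(4))


def demo():
    """Returns the receiver's verdict on the original, patched and naive frames."""
    original = b"dst=10.0.0.5 data=hello"   # constructed sample payload
    rx = WepReceiver(len(original))
    ct = rx.protect(original)
    off = original.index(b"10.0.0.5")
    return (rx.receive(ct),
            rx.receive(flip(ct, off, b"10.0.0.5", b"10.0.0.9")),
            rx.receive(naive_flip(ct, off, b"10.0.0.5", b"10.0.0.9")))


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The patched frame decrypts to the attacker's chosen address with a valid ICV, which is the whole point: a keyed MAC (the MIC that TKIP adds, mentioned below) would have made `icv_delta` impossible to compute without the key.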
802.1X & Proprietary Security Systems – The problems with 802.11b’s confidentiality
and integrity protocols are also addressed through 802.1X key delivery and by proprietary
systems such as Cisco’s Aironet line, e.g. using pre-standard Temporal Key Integrity
Protocol (TKIP), support for a keyed Message Integrity Check (MIC), per-packet key
hashing, and broadcast key rotation.
The following table, taken from Cisco’s product literature, shows the relative
weaknesses of the 802.11 standard out of the box and the means by which these
shortcomings are overcome. Bottom line, with these measures in place, security should
be no more of a concern with WLANs than it is with their wired brethren.
Table 1: WLAN Attack Mitigation Chart (Cisco)

Attack                  Static WEP   Cisco LEAP and WEP   EAP-TLS      Cisco Wireless Security Suite*
----------------------  -----------  -------------------  -----------  ------------------------------
Man-In-The-Middle       Vulnerable   Vulnerable           Vulnerable   Mitigated
Authentication Forging  Vulnerable   Mitigated            Mitigated    Mitigated
Fluhrer (FMS Paper)     Vulnerable   Vulnerable           Vulnerable   Mitigated
Rogue Access Points     Vulnerable   Mitigated            Mitigated    Mitigated
Dictionary Attacks (1)  Vulnerable   Mitigated (2)        Mitigated    Mitigated (2)

* Cisco LEAP, TKIP, Broadcast Key Rotation, MAC Authorization, and Per-packet Keying
(1) A dictionary attack is a brute-force method of compromising network security. During a
dictionary attack, a network intruder uses a list of known passwords in various combinations
to try to access the network via a known user's account. The intruder exploits weak user
passwords or words that are found in the dictionary during this attack.
(2) Requires strong passwords.
Ultra Wideband
Pulse-Type Radio Transmission – employs billions of radio-frequency pulses per
second, each lasting no more than a nanosecond, spread across several gigahertz of
spectrum rather than riding a single carrier. The wide swath and very low power
(< .05 mW) cause UWB transmissions to appear as background noise to anyone without a
receiver synchronized to the pulse train.
Uses Unlicensed Spectrum – per discussions with the FCC and the preliminary
approval (First Report and Order) given 2/14/02, commercial UWB users are limited to
portions of the spectrum (3.1-10.6 GHz for communications devices) at power levels
intended not to interfere with DOD, GPS or aviation radar/communication frequencies.
UWB emissions therefore overlay existing licensed bands, including the small guard
bands that lie between them, rather than occupying dedicated ISM spectrum.
High Data Carrying Capacity – at least one developer, PulseLink of San Diego,
CA, is predicting data rates of up to 1 Gbps in the 802.11a spectrum over a range
of up to 2 kilometers.
Wireless ISP’s
Kick the Copper and Fiber Optic Habit – if you are in a remote location, or
don’t want to fool around with DSL or cable modems, or can’t afford to lease a
T1 line, there are other options:
• Satellite, e.g. DirecTV or EchoStar.
• Wireless ISPs, e.g. airBand Communications of Dallas or
our own Door right here in Lubbock.
REFERENCES
Cisco, “SAFE: Wireless LAN Security in Depth” and “Cisco Aironet Wireless LAN
Security Overview,” http://www.cisco.com/go/safe
Tom Karygiannis and Les Owens, “Wireless Network Security: 802.11, Bluetooth™ and
Handheld Devices,” Recommendations of the National Institute of Standards and
Technology, NIST Special Publication 800-48.
Wireless Ethernet Compatibility Alliance (WECA), “WEP Security Statement,”
September 7, 2001.
O'Reilly Network, “Wireless LAN Security: A Short History,”
http://www.oreillynet.com/pub/a/wireless/2002/04/19/security.html
ZDNet News, “Networks suffer from wireless insecurity,” http://www.zdnet.com/
IEEE, “Overview and Guide to the IEEE 802 LMSC,” December 2002.