Sunday, November 1, 2009

Wireless Security

Overview of Wireless Technologies

As mentioned above wireless technologies, in the simplest sense, enable one or more devices to communicate without physical connections—without requiring network or peripheral cabling. Wireless technologies use radio frequency transmissions as the means for transmitting data, whereas wired technologies use cables. Wireless technologies range from complex systems, such as Wireless Local Area Networks (WLAN) and mobile phones including the new generation of 3G mobile phones, to simple devices such as wireless headphones, microphones, and other devices that do not process or store information. They also include Infrared (IR) devices such as remote controls, some cordless computer keyboards and mice, and wireless hi-fi stereo headsets, all of which require a direct line of sight between the transmitter and the receiver to close the link.

Wireless networks serve as the transport mechanism between devices and among devices and the traditional wired networks (enterprise networks and the Internet). Wireless networks are many and diverse but are frequently categorized into five groups based on their coverage range: Wireless Wide Area Networks (WWAN); Wireless Metropolitan Area Network (WMAN); Wireless Local Area Network (WLANs), Mobile Broadband Wireless Access (MBWA), and Wireless Personal Area Networks (WPAN). WWAN includes wide coverage area technologies such as 2G cellular, Cellular Digital Packet Data (CDPD), Global System for Mobile Communications (GSM), General Packet Radio Service (GPRS) and Mobitex. WMAN and MBWA represents wireless internet connection at broadband speeds within city or suburbs, it includes 802.16 and emerging standards such as 802.20. WLAN, representing wireless local area networks, includes 802.11, HiperLAN, and several others. WPAN, represents wireless personal area network technologies such as Bluetooth and IR.


Wireless Technologies and Standards

There are a number of standards used in wireless technologies. Some of the key ones include:

  • The IEEE 802.11 standards provide specifications for high-speed networks that support most of today’s applications. The IEEE 802.11 specifications are wireless standards that specify an "over-the-air" interface between a wireless client and a base station or access point, as well as among wireless clients. These 802.11 standards can be compared to the IEEE 802.3 standard for Ethernet for wired LANs. The IEEE 802.11 specifications address both the Physical (PHY) and Media Access Control (MAC) layers and are tailored to resolve compatibility issues between manufacturers of Wireless LAN equipment.

  • IEEE802.15 provides standards for low complexity and low-power consumption connectivity.
  • IEEE 802.16 standard, the “Air Interface for Fixed Broadband Wireless Access Systems” is also known as the IEEE WirelessMAN air interface. This technology is designed to provide wireless last-mile broadband access in the Metropolitan Area Network (MAN), delivering performance comparable to traditional cable, DSL, or T1 offerings.
  • Bluetooth (Wireless Personal Area Network) is an alternative wireless network technology that has followed a different development path than the 802.11 family. Bluetooth supports a very short range (approximately 10 metres) and relatively low bandwidth (1 Mbps). In practice, Bluetooth networks PDAs or cell phones with PCs but does not offer much value for general-purpose WLAN networking. The Bluetooth standard was developed by a computer and communications industry consortium, specifying how mobile phones, computers, and PDAs interconnect with each other, with home and business phones, and with computers using short-range wireless connections.
  • IEEE 802.1X offers an effective framework for authenticating and controlling user traffic to a protected network, as well as dynamically varying encryption keys. 802.1X ties a protocol called EAP (Extensible Authentication Protocol) to both the wired and wireless LAN media and supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, and public key authentication.


This list of standards is in no way comprehensive. This paper does not go into the detail of each of the standards within the IEEE 802.11 family but in general terms stipulates the concerns/risks/vulnerabilities within this group of standards and some ways to manage them. There are several standards within IEEE 802.11 ranging from IEEE 802.11a to IEEE 802.11R. There are also emerging standards including IEEE 802.11j, 802.11k, 802.11m and 802.20.

It is also important to note that this paper does not focus on other WLAN standards besides IEEE 802.11 such as the European Telecommunications Standards Institute’s (ETSI) HiperLan and the HomeRF standard for the home user and small businesses.

Security Features of IEEE 802.11

The IEEE 802.11 WLAN – or WiFi specification has identified several services to provide a secure operating environment. The security services are provided largely by the Wired Equivalent Privacy (WEP) protocol to protect link level data during wireless transmission between clients and access points. WEP does not provide end-to-end security, but only for the wireless portion of the connection. However, there are a number of problems with the WEP protocol and its vulnerabilities significantly limit its ability to safeguard data. Commonly available tools such as AirSnort, WEPCrack and dweputils have the ability to crack WEP keys by analysing traffic from totally passive data captures. An improvement on WEP is the Wi-Fi Protected Access (WPA) which was introduced in 2003. WPA avoids most of WEP's vulnerabilities and WPA-PSK is the current minimum standard and WPA2 (Advanced Encryption Standard (AES) with RADIUSauthentication), is industry best practice.



Network Security Controls


The list of security attacks is very long, and the news media carry frequent accounts of serious security incidents. From these, you may be ready to conclude that network security is hopeless. Fortunately, that is not the case. Previous chapters have presented several strategies for addressing security concerns, such as encryption for confidentiality and integrity, reference monitors for access control, and overlapping controls for defense in depth. These strategies are also useful in protecting networks.

Encryption

Encryption is probably the most important and versatile tool for a network security expert. We have seen in earlier chapters that encryption is powerful for providing privacy, authenticity, integrity, and limited access to data. Because networks often involve even greater risks, they often secure data with encryption, perhaps in combination with other controls.

In network applications, encryption can be applied either between two hosts (called link encryption) or between two applications (called end-to-end encryption). We consider each below. With either form of encryption, key distribution is always a problem. Encryption keys must be delivered to the sender and receiver in a secure manner. In this section, we also investigate techniques for safe key distribution in networks. Finally, we study a cryptographic facility for a network computing environment.

Virtual Private Networks

Link encryption can be used to give a network's users the sense that they are on a private network, even when it is part of a public network. For this reason, the approach is called a virtual private network (or VPN).

Typically, physical security and administrative security are strong enough to protect transmission inside the perimeter of a network. Thus, the greatest exposure for a user is between the user's workstation or client and the perimeter of the host network or server.

SSH Encryption

SSH (secure shell) is a pair of protocols (versions 1 and 2), originally defined for Unix but also available under Windows 2000, that provides an authenticated and encrypted path to the shell or operating system command interpreter. Both SSH versions replace Unix utilities such as Telnet, rlogin, and rsh for remote access. SSH protects against spoofing attacks and modification of data in communication.

The SSH protocol involves negotiation between local and remote sites for encryption algorithm (for example, DES, IDEA, AES) and authentication (including public key and Kerberos).

SSL Encryption

The SSL (Secure Sockets Layer) protocol was originally designed by Netscape to protect communication between a web browser and server. It is also known now as TLS, for transport layer security. SSL interfaces between applications (such as browsers) and the TCP/IP protocols to provide server authentication, optional client authentication, and an encrypted communications channel between client and server. Client and server negotiate a mutually supported suite of encryption for session encryption and hashing; possibilities include triple DES and SHA1, or RC4 with a 128-bit key and MD5.

To use SSL, the client requests an SSL session. The server responds with its public key certificate so that the client can determine the authenticity of the server. The client returns part of a symmetric session key encrypted under the server's public key. Both the server and client compute the session key, and then they switch to encrypted communication, using the shared session key.

The protocol is simple but effective, and it is the most widely used secure communication protocol on the Internet.

IPSec

As noted previously, the address space for the Internet is running out. As domain names and equipment proliferate, the original, 30-year old, 32-bit address structure of the Internet is filling up. A new structure, called IPv6 (version 6 of the IP protocol suite), solves the addressing problem. This restructuring also offered an excellent opportunity for the Internet Engineering Task Force (IETF) to address serious security requirements.

As a part of the IPv6 suite, the IETF adopted IPSec, or the IP Security Protocol Suite. Designed to address fundamental shortcomings such as being subject to spoofing, eavesdropping, and session hijacking, the IPSec protocol defines a standard means for handling encrypted data. IPSec is implemented at the IP layer, so it affects all layers above it, in particular TCP and UDP. Therefore, IPSec requires no change to the existing large number of TCP and UDP protocols.

Signed Code

As we have seen, someone can place malicious active code on a web site to be downloaded by unsuspecting users. Running with the privilege of whoever downloads it, such active code can do serious damage, from deleting files to sending e-mail messages to fetching Trojan horses to performing subtle and hard-to-detect mischief. Today's trend is to allow applications and updates to be downloaded from central sites, so the risk of downloading something malicious is growing.

Encrypted E-Mail

An electronic mail message is much like the back of a post card. The mail carrier (and everyone in the postal system through whose hands the card passes) can read not just the address but also everything in the message field. To protect the privacy of the message and routing information, we can use encryption to protect the confidentiality of the message and perhaps its integrity.

Cryptographic Checksum

Malicious modification must be handled in a way that prevents the attacker from modifying the error detection mechanism as well as the data bits themselves. One way to do this is to use a technique that shrinks and transforms the data, according to the value of the data bits.

A cryptographic checksum (sometimes called a message digest) is a cryptographic function that produces a checksum. The cryptography prevents the attacker from changing the data block (the plaintext) and also changing the checksum value (the ciphertext) to match.

Kerberos

Kerberos is a system that supports authentication in distributed systems. Originally designed to work with secret key encryption, Kerberos, in its latest version, uses public key technology to support key exchange. The Kerberos system was designed at Massachusetts Institute of Technology. [STE88, KOH93]

Kerberos is used for authentication between intelligent processes, such as client-to-server tasks, or a user's workstation to other hosts. Kerberos is based on the idea that a central server provides authenticated tokens, called tickets, to requesting applications. A ticket is an unforgeable, nonreplayable, authenticated object. That is, it is an encrypted data structure naming a user and a service that user is allowed to obtain. It also contains a time value and some control information

Firewalls

A firewall is designed to do the screening that is less appropriate for a router to do. A router's primary function is addressing, whereas a firewall's primary function is filtering. Firewalls can also do auditing. Even more important, firewalls can examine an entire packet's contents, including the data portion, whereas a router is concerned only with source and destination MAC and IP addresses. Because they are an extremely important network security control

Honeypots

How do you catch a mouse? You set a trap with bait (food the mouse finds attractive) and catch the mouse after it is lured into the trap. You can catch a computer attacker the same way.

You put up a honeypot for several reasons:

· to watch what attackers do, in order to learn about new attacks (so that you can strengthen your defenses against these new attacks)

· to lure an attacker to a place in which you may be able to learn enough to identify and stop the attacker

· to provide an attractive but diversionary playground, hoping that the attacker will leave your real system alone

A honeypot has no special features. It is just a computer system or a network segment, loaded with servers and devices and data. It may be protected with a firewall, although you want the attackers to have some access. There may be some monitoring capability, done carefully so that the monitoring is not evident to the attacker.

Network Security Threats

Viruses and Worms

The term virus has long been used generically to describe any computer threat, but in actuality it refers specifically to malware that inserts malicious code into existing documents or programs, and then spreads itself by various means.

Trojan Horses

A Trojan horse is a malware attack that disguises itself as something innocent, such as a computer game, or a YouTube search results page. A recent example of a devastating Trojan horse used an email with a link that supposedly connected the reader to a video of the Saddam Hussein hanging, but instead just infected them with malware. Once installed on a computer, the 'Saddam' Trojan horse then downloaded and installed a keylogger onto the infected computer. This keylogger was used to record every keystroke by a computer’s user, thus stealing financial account information and passwords.

Spam

Depending on the source cited, spam makes up 70 to 84 percent of daily emails sent throughout the world. All that spam results in billions of dollars in lost productivity and creates an ever increasing need for IT resources to filter out this irritating and potentially malicious menace.

Phishing

Anyone who has ever used PayPal or does their banking online has probably received dozens of emails with titles such as, "URGENT: Update Account Status". These emails are all attempts by a spammer to "phish" your account information. Phishing refers to spam emails designed to trick recipients into clicking on a link to an insecure website. Typically, phishing attempts are executed to steal account information for e-commerce sites such as eBay, payments processors such as PayPal, or regular financial institutions' websites. A phishing email supplies you with a link to click on, which will take you to a page where you can re-enter all your account details, including credit card number(s) and/or passwords. Of course, these sites aren't the actual bank's site, even though they look like it.

Packet Sniffers

Packet sniffers capture data streams over a network, thus allowing for the capture of sensitive data like usernames, passwords and credit card numbers. The result, unsurprisingly, is the loss of data, trade secrets, or online account balances. For network managers specifically, even bigger losses can come from lawsuits due to noncompliance of data protection regulations.

Maliciously-Coded Web sites

Maliciously-coded Web sites can take many different forms, from installing Trojan horses to redirecting you to an unrequested site. But one of the most threatening forms of maliciously-coded websites, those that are designed to steal passwords, are on the rise [4]. A very common form of these Web sites takes advantage of human's charitable instincts by setting up traps in what appear to be sites that allow you to make donations to victims of natural disasters such as Hurricane Katrina. Hackers set up a fake sign-in page, and then encourage unsuspecting victims to enter their credit card number and other personal information.

In addition to stealing personal information, maliciously-coded websites are also often designed for the following purposes:

  • installation of keyloggers
  • adware/ spyware/ reading cookies
  • drive-by downloads
  • XSS - cross--site scripting to utilize web browser flaws for other intentions.

Password Attacks

A 'Password Attack' is a general term that describes a variety of techniques used to steal passwords to accounts.

  • Brute-force. One of the most labor intensive and unsophisticated methods hackers use to steal passwords is to try to guess a password by repeatedly entering in new combinations of words and phrases compiled from a dictionary. This 'dictionary attack' can also be used to try to guess usernames as well, so developing difficult to guess usernames and passwords is increasingly vital to network security.
  • Packet sniffers. As discussed above, Packet Sniffers glean data electronically from a compromised network.
  • IP-spoofing. Similar to 'Honeypots', this attack involves the interception of data packets by a computer successfully pretending to be a trusted server/ resource.

  • Trojans. Trojans are actually invasive, as discussed above, and of these methods, are the most likely to be successful, especially if they install keyloggers.

Shared Computers

In the IT community, it is often said that shared computers are like public bathrooms, they may appear clean, but are usually chock full of viruses. Thankfully, the danger of shared computers is one network threat that you can largely render harmless by limiting the activities that you and your employees perform.