Wireless Local Area Networks have gained an important and unique reputation across the computer network market. Still, security and the threat concerns associated with them have prevented some network managers and administrators from installing wireless LANs, in spite of the various benefits that they offer. They know that coming up with security measures to make the wireless LAN more secure would be a great benefit and a source of profit for them.
In this chapter, we present the security issues related to IEEE 802.11. Then, we discuss the different security mechanisms existing in the market. In addition, security threats and weaknesses associated with the wireless LAN are explored, and numerous countermeasures to combat them are proposed.
Goals of Wireless LAN Security
The main goal of wireless LAN security is to protect and maintain user privacy, and to make sure that an attacker will not be able to access the network without authorization and attack it. The following goals should be considered for effective wireless LAN security:
Identify and verify the identity of the sender and receiver of a message.
Maintain the reliability of data as it is processed, stored or transmitted over a wireless LAN.
Maintain the confidentiality of data as it is processed, stored or transmitted over a wireless LAN.
Maintain the capability to process data, as well as the availability of data stored on a wireless LAN, and transmit the information in a timely manner.
IEEE 802.11 Standards
This section states the security mechanisms available in the IEEE 802.11 standard and their weaknesses. The key management problems of the WEP protocol and its vulnerabilities are identified, and the improvements made to solve the security flaws are also stated.
IEEE 802.11 Security Issues
Unlike a wired network, a wireless LAN does not have a physical (wired) connection; it sends data over the air between user devices and the base station using radio waves. That means any wireless LAN station near an access point's service area can receive data transmitted to or from the access point. Therefore, if not encrypted, the data or packets transmitted can be viewed by attackers within the area. The transmission medium is one of the most targeted network technologies for attackers (hackers) in the wireless LAN. Nevertheless, the traditional 802.11 wireless LAN offers some security means to protect the network. These include the use of static Wired Equivalent Privacy (WEP) keys and the use of open or shared-key authentication. Their combination provides a level of access control and privacy, but each of them can be compromised. The following sections explain the issues and security challenges faced by IEEE 802.11.
Key management relies on a static WEP key that can be either 40 bits or 128 bits in size. With this method, the static key has to be the same on every device connected to the wireless LAN. The negative aspect is that, if the static WEP key has been cracked by an attacker (hacker), there is no way of knowing it.
Are you sure that the logged-in user is really that user? It is common practice for people to use other people's accounts to authenticate themselves to the server. In most wireless LANs, companies or other businesses often create one account, "Wireless User Access," and this account can be used by many different devices. The problem is that an attacker (hacker) with a wireless device could easily log in to this general account and gain access to the network.
To prevent an attacker from authenticating to your wireless LAN, you can set your router to allow only connections from authorized wireless network cards. Each card has a Media Access Control (MAC) address that uniquely identifies it. You can configure your router to authenticate only those network cards that are pre-authorized to log on to your network. This protects you from other users who try to gain access to your system by roaming around your building looking for a good signal to log on to your wireless LAN.
IEEE 802.11 supports two kinds of user authentication methods: the shared-key authentication method and the open authentication method.
Shared-key authentication method: with this method, the access point sends a challenge text packet to the user station, and the user has to know the text, encrypt it with the correct WEP key and send it back to the access point. If the user does not know the key or has a wrong key, he will not be able to authenticate to the system. This method is not really secure because an attacker (hacker) can easily observe both the text challenge and the WEP key and use them to access the wireless LAN.
Open authentication method: this is the default authentication method. It does not require any authentication at all, and any user can access the wireless LAN at any time. With the open authentication method, the WEP protocol prevents the user from receiving and sending data through the access point unless he has the correct WEP key.
Wired Equivalent Privacy (WEP) is the first security mechanism proposed by the manufacturers. WEP is included as part of the 802.11 standard for encrypting wireless LAN traffic. It can be used at 40-bit or 128-bit strength, depending on the wireless LAN administrator. WEP requires all connecting devices to share the same key.
WEP uses the symmetric stream cipher RC4 to encrypt all network traffic, with the same key for the encryption and decryption processes. Figure 3.1 demonstrates the operation of the WEP encryption method.
Figure 3.1: WEP Encryption
In Figure 3.1, the Wired Equivalent Privacy protocol applies two processes to the plaintext data. The first process encrypts the plaintext and the other protects it against unauthorized modification. A 40-bit secret key is combined with a 24-bit Initialization Vector (IV), resulting in a 64-bit total key size that is fed into the Pseudorandom Number Generator (PRNG). The PRNG (RC4) generates a pseudorandom key sequence based on the input key. The resulting sequence is used to encrypt the data with a bitwise XOR.
Figure 3.2 shows the decryption approach of the Wired Equivalent Privacy protocol. To decrypt an incoming message, it uses the Initialization Vector (IV) of that message to generate the key sequence needed for decryption.
Figure 3.2: WEP Decryption
In Figure 3.2, combining the proper key sequence with the ciphertext produces the original plaintext and the Integrity Check Value (ICV). The decryption is verified by running the ICV algorithm on the recovered plaintext and comparing the output ICV with the ICV transmitted with the message. If the output ICV differs from the transmitted ICV, the message is treated as an error and an error warning is sent to MAC management and to the sending station. A sender whose messages fail to decrypt will not be able to authenticate and access the network.
WEP Security Problems
The WEP protocol offers some security for IEEE 802.11. It reduces the effectiveness of attacks by hackers, but it is defenseless against various cryptanalytic attacks that expose the shared key used to encrypt and authenticate data.
Various design flaws have made the WEP protocol vulnerable. Some of these flaws are:
Short encryption keys.
Lack of key management processes.
Generation of small Initialization Vectors (IVs).
There are numerous programs and tools on the wireless market that make penetrating a wireless network easy for hackers. One of the most popular, from WildPackets, is AiroPeek, a program that can break the WEP key and provide the hacker with plaintext decodes. Another popular program, AirSnort, is based on the Fluhrer, Mantin and Shamir (FMS) attack and can also help a hacker penetrate wireless networks.
Given these flaws, it is clear that the security of the WEP protocol is ineffective. Therefore, new solutions and improvements to this protocol are presented in this research.
Higher-level security mechanisms should be installed, because the security procedures provided in the IEEE 802.11 standards are all weak against attacks. These mechanisms are:
Virtual private networks.
To improve the security and authentication mechanisms, the IEEE 802.11 committee formed a task group called 802.11i. Its work was, first, to improve Wired Equivalent Privacy (WEP) with the Temporal Key Integrity Protocol (TKIP); second, to replace the 802.11 standard with 802.1x authentication and keying; and last, to deploy the Enhanced Security Network (ESN) solution.
WEP Improvement with TKIP
The IEEE 802.11i working group offered a new security standard called the Temporal Key Integrity Protocol (TKIP), also named WEP2. The new standard is a replacement for the old WEP, which had many problems. WEP2 fixes the short encryption keys and the small Initialization Vector (IV), and it also uses RC4. It generates longer keys to solve WEP's short-key problem. To address undetected attacks, it uses a technique called Message Integrity Code (MIC). However, it is not accepted by some applications. But it can be used to replace the WEP protocol.
Replacement of the IEEE 802.11 Standard with the IEEE 802.1x
Developing a framework is one of the options to improve WLAN security; it provides dynamic key distribution and authentication. 802.1x is an authentication standard for 802-based LANs using port-based network access control. There are three fundamentals of the IEEE 802.1x approach:
Mutual authentication between the user and the authentication server (Remote Access Dial-In User Service [RADIUS]).
Encryption keys dynamically derived after authentication.
Centralized policy control.
ESN Solutions Proposed
The ESN solution focuses on stronger encryption for data over wireless networks by using a non-proprietary 128-bit encryption solution that supports the Advanced Encryption Standard (AES) algorithm. HMAC4-SHA1-128 can be used as the hashing function to support message authentication with AES.
Wireless Security Threats and Attacks
The security solutions reduce the chances or opportunities for an attacker to penetrate the wireless LAN, but most of them are still vulnerable to attacks. The attacks that allow unauthorized users to gain access to the system are divided into active and passive attacks. Figure 3.3 shows several types of attacks and security threats that an attacker can use against a wireless LAN.
Figure 3.3: Security Threats and Attacks
An active attack is one in which the attacker or hacker gains access to a network and makes changes to the resources or to the messages being transmitted over it. It is possible to detect this kind of attack, but in some cases it may not be preventable. There are four different types of active attacks, defined below:
• Masquerading: The hacker (attacker) uses a sniffer to capture the user name and password of an authorized user in order to gain access to the network or to obtain certain unauthorized privileges. He or she can also place his or her own access point in the network and trick unwitting users into revealing passwords.
• Replay: The attacker listens to and monitors the traffic between two parties (a passive attack) and retransmits the message as one of the valid users.
• Message Alteration: The attacker changes the contents of a valid message by removing from, adding to, or altering it.
• Denial-of-service: The attacker prevents the normal use, operation and management of a network by injecting a large amount of traffic into it. The technical term for this is jamming or flooding the frequency of the network. Legitimate traffic gets jammed because illegitimate traffic overwhelms the frequencies, and legitimate traffic cannot get through.
A passive attack is one in which an attacker or hacker gains access to a network but does not make any changes to its resources. There are two types of passive attacks: eavesdropping and traffic analysis. They are described below.
• Eavesdropping: In this type of attack, the attacker uses various tools to listen to or monitor transmissions for message content.
• Traffic Analysis: The hacker monitors the traffic of a network and obtains a lot of information about it. Once the attacker has this information, he or she can analyze it statistically and find a way to access the network. He or she can also build an attack dictionary from the statistics obtained during the monitoring session.
Various security algorithms have been invented, and some of them provide good security features against these attacks, especially the Advanced Encryption Standard (AES) algorithm, which would take an attacker an infinite number of years to decrypt using current computing capability. In fact, several countermeasures need to be applied to protect the wireless LAN against possible attacks.
Several countermeasures can be used to address or combat specific attacks and threats related to wireless LANs. Certain countermeasures involve changing the SSID, using MAC authentication, and using the WEP authentication protocol built into most access points. This section discusses different basic security measures to prevent casual attacks.
0.1 Updating Default Passwords
Normally, access points and wireless devices come with a default password or without any password. It is then the responsibility of the network administrator to change the default password or set a new password to protect the network against certain threats or attacks.
0.2 Changing Default SSID
The access point should not use the default SSID provided by the manufacturer, because most of them have been published on the Internet and are well known to attackers. The default SSID therefore needs to be changed at the first use and configuration of the access point to avoid easy access by unauthorized users. Even though an equipped attacker can capture the SSID over the wireless interface, it should be changed simply to prevent unequipped users or attackers from accessing the resources of the network.
0.3 Enable MAC Authentication
A MAC address is a hardware address that uniquely identifies each computer or attached device on a network. Networks use the MAC address to regulate communications between different computer network interface cards (NICs). IEEE 802.11 WLANs use Media Access Control (MAC) address filtering to increase the security of the network. When it is enabled as a security measure, users are authorized by their unique device MAC address. In that case, users who want to use the network have to take their wireless card to the network administrator so that it can be registered; they will then have access to the network.
This technique improves security but still has some defects, because an attacker can easily determine a MAC address authorized by a wireless network via eavesdropping and, using some software, program his or her wireless card with the desired MAC address to gain access to the network. The MAC authentication method is not completely secure, but it is better to enable it than to use no security means at all.
0.4 WEP Authentication and Encryption
Wireless equipment and access points are not shipped with the WEP security protocol activated. By default, WEP encryption is disabled. It is the responsibility of the network administrator to activate the WEP protocol and to use the shared authentication method instead of open system as basic protection of the wireless LAN. As mentioned before, the WEP protocol supports two encryption key sizes: 40 or 128 bits. It is important to use the strongest encryption method (128 bits) available as long as it does not affect the network.
0.5 Default Channel Alteration
To avoid Denial of Service (DoS) attacks and radio interference between two access points in close proximity, the default channel setting must be changed so that they operate in different frequency bands. Once that is done, the chances of interference problems are reduced.
0.6 DHCP Server Use
In certain wireless LANs, a user is connected to the network automatically through a Dynamic Host Control Protocol (DHCP) server. The DHCP server automatically assigns IP addresses to the users associated with an access point. Using a DHCP server gives users the advantages of roaming or establishing ad-hoc networks. The threat with the DHCP server is that a malicious user or attacker could easily gain unauthorized access to the network using a portable computer with a wireless network interface card. Since the DHCP server will not necessarily know which wireless devices have access, it will automatically assign the laptop a valid IP address. The attacker then has access to the network.
Several solutions can be used to fix the problems of unsecured DHCP. First, they can be solved by assigning a static IP address to each user of the WLAN instead of using a DHCP server. However, this method is practical only for small networks, and it negates certain advantages of the network such as roaming and the establishment of ad-hoc networks. Another possible solution is to place the DHCP server inside a wired network's firewall that grants access to a wireless network located outside that firewall. The last solution is to use access points with integrated firewalls. In fact, a network administrator should evaluate the need for a DHCP server by taking into consideration the size of the network.
Additional Security Extensions
So far, several security mechanisms and methods have been presented, but they are all vulnerable to attacks. Therefore, additional means and extensions of security are needed. This section presents the strongest security mechanisms for wireless LANs.
IPSec has a practical application in securing wireless LANs by overlaying IPSec on top of the clear-text IEEE 802.11 wireless traffic. When IPSec is used in a WLAN, each PC connected to the network has an IPSec client, and it is required to send any traffic to the wired network, where a backbone wired network exists.
IPSec supports two major architectures and corresponding packet types:
Encapsulating Security Payload (ESP) header, which provides privacy, authenticity and integrity.
Authentication Header (AH), which provides integrity and authentication only for packets.
IPSec can operate in two different modes: transport mode, which secures an existing IP packet, and tunnel mode, which puts an existing IP packet inside a new IP packet that is sent to a tunnel end point in the IPSec format, typically between a pair of firewalls or security gateways over an untrusted network. Figure 3.4 shows the operational tunnel mode of IPSec.
Figure 3.4: IPSec Operational Tunnel Modes
0.2 Robust Security Network Protocol
The Robust Security Network (RSN), also known as the 802.1x standard, is another security mechanism used to restrict unauthorized users' access to the wireless network by centralizing authentication of WLAN users, and it mitigates some of the weaknesses of WEP. It is essentially a standard for sending authentication messages (keys) between an 802.11 access point and a centralized authentication server. The protocol used in the RSN method is called the Extensible Authentication Protocol (EAP).
0.2.1 Extensible Authentication Protocol
The Extensible Authentication Protocol (EAP) was created as an extension to the Point-to-Point Protocol (PPP) that allows for the development of arbitrary network access authentication methods and provides centralized authentication and dynamic key distribution. When EAP is used as the security mechanism in a WLAN environment, a user cannot gain access to the network through an access point until he or she performs a network logon. After connection, the user performs mutual authentication with the network by exchanging EAP messages with the access point or the RADIUS server of the WLAN. The EAP supplicant is used on the user device to obtain the user credentials, such as user ID and password, or a digital certificate. In the EAP authentication process, neither the session key nor the user passwords are transmitted in clear text over the wireless link.
EAP provides three significant benefits for 802.11 security:
• The first benefit is the mutual authentication scheme, as described previously. This scheme completely eliminates the type of attack known as "man-in-the-middle (MITM) attacks".
• The second is the centralized management and distribution of encryption keys. Even if the WEP implementation of RC4 had no security flaws, there would still be the administrative difficulty of distributing static keys to all the access points and users in the network. Each time a wireless device was lost, the network would need to be rekeyed to prevent the lost system from gaining unauthorized access.
• The third benefit is the ability of the EAP security mechanism to define centralized policy control.
Several different types of EAP are available today for user authentication over either wired or wireless networks. Currently available EAP types include EAP-TLS, EAP-TTLS, PEAP and EAP-MD5.
0.2.1.1 EAP-TLS (Transport Layer Security)
This is one of the most common implementations in use. It is highly secure because it requires asymmetric public and private keys on both the user and the server side for the authentication phase to proceed. Deploying EAP-TLS within an organization takes many steps and is not a simple task.
0.2.1.2 EAP-TTLS (Tunneled Transport Layer Security)
This version of EAP, developed by Funk Software, requires a certificate only for the authentication of the server, which makes it easier to deploy and almost as secure as EAP-TLS.
EAP-MD5 is the least secure version, and it does not support dynamic WEP key rotation. It is susceptible to dictionary attacks because it uses a user name and password for authentication. Figure 3.6 illustrates the authentication process steps for EAP-MD5.
Figure 3.6: EAP-MD5 Authentication Procedure
0.2.1.4 PEAP (Protected EAP)
PEAP is a similar and more secure version of EAP co-developed by Cisco and Microsoft. It was designed to solve the problem that the entire EAP conversation might be sent as clear text, so that an attacker with access to the medium could inject packets into the conversation or capture the EAP messages from a successful authentication for offline analysis. PEAP solves this problem by first creating a secure channel that is both encrypted and integrity-protected with TLS.
0.2.2 Wi-Fi Protected Access
WPA is also a security mechanism; it combines 802.1x authentication with Temporal Key Integrity Protocol (TKIP) encryption to make wireless LANs more secure against attacks. TKIP includes a key mixing function, a message integrity check feature and a re-keying mechanism that rotates keys faster than they can be cracked by hackers. Many security experts and researchers believe that the combination of TKIP and 802.1x mechanisms should provide adequate security for most WLAN users.
This chapter has presented an overview of the security mechanisms that can be used to protect a wireless LAN. WEP and the other basic security means used to protect the WLAN were shown to be insecure. The threats and security issues that can affect the WLAN were also given. These threats were divided into active and passive threats. In response to the WLAN security problems, several countermeasures that need to be taken to protect the wireless network were presented. At the end of this chapter, other security mechanisms such as EAP, PEAP and WPA (Wi-Fi Protected Access) were also presented.