Upload
christopher-harrison
View
213
Download
0
Embed Size (px)
Citation preview
Wireless Security IssuesWireless Security Issues
Implementing a wireless LAN Implementing a wireless LAN without compromising your without compromising your
networknetworkMarshall Breeding
Director for Innovative Technologies and ResearchVanderbilt University
http://staffweb.library.vanderbilt.edu/breedinghttp://www.librarytechnology.org
Security concernsSecurity concerns
Eavesdropping a major concernEavesdropping a major concern Unprotected wireless access points are an Unprotected wireless access points are an
easy of entry for mobile hackerseasy of entry for mobile hackers Many rogue Wireless LANS were put up in Many rogue Wireless LANS were put up in
corporate networks without IT support or corporate networks without IT support or adequate securityadequate security
War Driving / War ChalkingWar Driving / War Chalking Some war driving / freeloading happens in Some war driving / freeloading happens in
residential settingsresidential settings
Positioning your wireless Positioning your wireless networknetwork
Libraries should already have a Libraries should already have a network security architecture that network security architecture that separates public access computing separates public access computing from the business networkfrom the business network
Adding a wireless LAN is easy when Adding a wireless LAN is easy when the library already has a solid the library already has a solid security environment in placesecurity environment in place
Encryption necessary to Encryption necessary to ensure securityensure security
Sensitive data must be encrypted when Sensitive data must be encrypted when transmitted across any untrusted networktransmitted across any untrusted network
Most Encryption algorithms uses a secure Most Encryption algorithms uses a secure key to encode the data and decode it after key to encode the data and decode it after transmissiontransmission
The longer the key, the more difficult it is The longer the key, the more difficult it is to use brute force to decrypt the messageto use brute force to decrypt the message
WEP uses 40, 64, or 128 (WEP2) bit keysWEP uses 40, 64, or 128 (WEP2) bit keys
Wired Equivalency PrivacyWired Equivalency Privacy
Optional Encryption scheme part of the Optional Encryption scheme part of the 802.11b specification802.11b specification
RC4 encryptionRC4 encryption Single key encrypts all trafficSingle key encrypts all traffic No system for key managementNo system for key management Hackers can easily recover the key Hackers can easily recover the key WEP often not enabledWEP often not enabled WEP can be defeated by sophisticated WEP can be defeated by sophisticated
hackershackers Provides a barrier to most potential intrudersProvides a barrier to most potential intruders
Wireless Hacking toolsWireless Hacking tools
At least two open source tools are At least two open source tools are available for recovering 802.11 WEP available for recovering 802.11 WEP keys:keys:
WEPCrackWEPCrackhttp://wepcrack.sourceforge.net/http://wepcrack.sourceforge.net/
AirSnortAirSnorthttp://airsnort.shmoo.com/http://airsnort.shmoo.com/
802.11i802.11i
Security Standard for the 802.11 arenaSecurity Standard for the 802.11 arena Includes WPA and RSN (Robust Security Includes WPA and RSN (Robust Security
Network)Network) Relies on 802.1x Relies on 802.1x specification for port-specification for port-
based user and device authenticationbased user and device authentication Ratified June 2004Ratified June 2004 Marketed as WPA2Marketed as WPA2
WPAWPA
Wi-Fi Protected AccessWi-Fi Protected Access Enhanced security over WEPEnhanced security over WEP TKIPTKIP Available now Available now Backwardly compatible with WEP – Backwardly compatible with WEP –
requires only a firmware upgrade.requires only a firmware upgrade.
Temporal Key Integrity Temporal Key Integrity Protocol (TKIP)Protocol (TKIP)
128 bit encryption keys128 bit encryption keys Each packet encrypted with a different key based Each packet encrypted with a different key based
on a 48-bit serial number, incremented with each on a 48-bit serial number, incremented with each use.use.
Avoids replay attacksAvoids replay attacks Relies on a base key with is generated when a Relies on a base key with is generated when a
device associates with the base stationdevice associates with the base station Ideally unique base keys transmitted during Ideally unique base keys transmitted during
802.1x authentication802.1x authentication Pre-shared keys used otherwisePre-shared keys used otherwise
WPA2WPA2
WPA + AES = WPA2WPA + AES = WPA2 Advanced Encryption Standard instead of Advanced Encryption Standard instead of
TKIPTKIP Stronger encryption algorithm Stronger encryption algorithm Not guaranteed to be backwardly Not guaranteed to be backwardly
compatible with existing WEP equipmentcompatible with existing WEP equipment Personal version uses pre-shared keyPersonal version uses pre-shared key Enterprise version uses 802.1X Enterprise version uses 802.1X
authentication through RADIUS server.authentication through RADIUS server.
WPA/802.1x DiagramWPA/802.1x Diagram
See:See: http://www.infoworld.com/infoworld/http://www.infoworld.com/infoworld/
img/20FEwifi_in-x.gifimg/20FEwifi_in-x.gif
Wi-Fi Security ServicesWi-Fi Security Services
SecureMyWiFi (SecureMyWiFi (http://www.witopia.net/http://www.witopia.net/))
RADIUS authentication and security RADIUS authentication and security key distribution servicekey distribution service
Operates with AP’s that support WPA-Operates with AP’s that support WPA-Enterprise or WPA2-Enterprise Enterprise or WPA2-Enterprise
$29 annual fee$29 annual fee
Virtual Private Networks Virtual Private Networks (VPN)(VPN)
A technology that offers strong securityA technology that offers strong security Common approach for remote users that Common approach for remote users that
rely on accessing organizational resources rely on accessing organizational resources through the Internetthrough the Internet
Applicable to wireless users on premises Applicable to wireless users on premises Enhances security / adds inconvenience. Enhances security / adds inconvenience.
WEP SecurityWEP Security
VPN SecurityVPN Security
ConclusionsConclusions
Solutions are available that provide Solutions are available that provide solid security for wireless networkssolid security for wireless networks
Trade-off between convenience and Trade-off between convenience and security.security.
Open wireless networks can be Open wireless networks can be operated without jeopardizing the operated without jeopardizing the library’s business networklibrary’s business network