Report On Wireless Security: Risk and Controls
By:
Laksh Maggoo (316)
Prashant Singh (327)
Harshit Aggarwal (302)
Gaurav Kalya (311)
Wireless (in) Security: Risks and Controls
Background and History
Wireless Communication:
Wireless operations permit services, such as long range communications, that are impossible or
impractical to implement with the use of wires. The term is commonly used in the telecommunications
industry to refer to telecommunications systems (e.g. radio transmitters and receivers, remote controls,
computer networks, network terminals, etc.) which use some form of energy (e.g. radio frequency (RF),
infrared light, laser light, visible light, acoustic energy, etc.) to transfer information without the use of
wires. Information is transferred in this manner over both short and long distances.
The term "wireless" has become a generic and all-encompassing word used to describe communications
in which electromagnetic waves or RF (rather than some form of wire) carry a signal over part or the
entire communication path.
Wireless networking (i.e. the various types of unlicensed 2.4 GHz WiFi devices) is used to meet many
needs. Perhaps the most common use is to connect laptop users who travel from location to location.
Another common use is for mobile networks that connect via satellite. A wireless transmission method
is a logical choice to network a LAN segment that must frequently change locations. The following
situations justify the use of wireless technology:
Wireless Network
A wireless network is a network set up by using radio signal frequencies to communicate among computers
and other network devices. It is sometimes also referred to as a WiFi network or WLAN. This type of
network is popular nowadays because it is easy to set up and involves no cabling. We can connect computers
anywhere without the need for wires.
Types of wireless connections
Wireless PAN
Wireless Personal Area Networks (WPANs) interconnect devices within a relatively small area, generally
within reach of a person. For example, Bluetooth provides a WPAN for interconnecting a headset to a
laptop. Wi-Fi PANs are also getting popular as vendors have started integrating Wi-Fi in a variety of
consumer electronic devices. Intel My WiFi and Windows 7 virtual Wi-Fi capabilities have made Wi-Fi
PANs simpler and easier to set up and configure.
Wireless LAN
A Wireless Local Area Network (WLAN) links two or more devices using a wireless distribution method
(typically spread-spectrum or OFDM radio), and usually provides a connection through an access point
to the wider internet. This gives users the mobility to move around within a local coverage area and still
be connected to the network.
Wi-Fi: Wi-Fi is increasingly used as a synonym for 802.11 WLANs, although it is technically a
certification of interoperability between 802.11 devices.
Fixed Wireless Data: This implements point to point links between computers or networks at two
locations, often using dedicated microwave or laser beams over line of sight paths. It is often used
in cities to connect networks in two or more buildings without physically wiring the buildings
together.
Wireless MAN
Wireless Metropolitan area networks are a type of wireless network that connects several Wireless
LANs.
WiMAX is the term used to refer to wireless MANs and is covered in IEEE 802.16d/802.16e.
Wireless WAN
Wireless Wide Area Networks are wireless networks that typically cover large outdoor areas. These
networks can be used to connect branch offices of a business or as a public internet access system. They
are usually deployed on the 2.4 GHz band. A typical system contains base station gateways, access
points and wireless bridging relays. Other configurations are mesh systems where each access point also
acts as a relay. When combined with renewable energy systems such as photovoltaic solar panels or
wind systems, they can be stand-alone systems.
The two main components are the wireless router or access point and the wireless clients.
Wireless Operating Mode
The IEEE 802.11 standards specify two operating modes: infrastructure mode and ad hoc mode.
Infrastructure mode is used to connect computers with wireless network adapters, also known as
wireless clients, to an existing wired network with the help of a wireless router or access point. The 2
examples which I specified above operate in this mode.
Ad hoc mode is used to connect wireless clients directly together, without the need for a wireless router
or access point. An ad hoc network consists of up to 9 wireless clients, which send their data directly to
each other.
Threats and Risks
The Current State of WLAN Security
Even after a decade of availability and promising commercial successes, security remains the number
one concern for enterprise WLAN deployments. According to Joanie Wexler’s 2007 WLAN
State-of-the-Market report, just over half (53%) of the global respondents identified security issues as their primary
concern. The good news is that this is a significant decrease from the 2006 study where over 70% of
respondents were concerned about WLAN security. Is the anxiety over WLAN security fact or fiction,
perception or reality? And what recent developments account for the growing comfort with WLAN
security?
Much of the trepidation over WLAN security was due to the nature of WiFi. The 802.11 standard – also
known as Wireless Ethernet – is based on the principle of a shared medium. While most managers have
felt comfortable enough with the fact that they can physically secure their wired networking medium,
their LAN, they were less comfortable when the network medium is the open air. There was a general
perception that WLANs are inherently insecure, and early implementations reinforced this notion
through well-publicized vulnerabilities and attacks. This perception has been a major problem that has
kept some network managers from implementing wireless LANs altogether.
In spite of network managers’ reservations, the demand for enterprise wireless connectivity is
continually growing as early adopters demonstrate increased productivity and responsiveness, and
managers take notice of the significant TCO savings. As a result, IT organizations are coming under
increasing pressure to ensure that the wireless network is secure. Fortunately, this can be achieved
today with a minimal investment of time and effort.
There are a number of considerations that must be taken into account when deploying a secure wireless
network, but the recent evolution of the technology has done a great deal to simplify this task.
The 802.11i specification introduced by the IEEE has specifically addressed the problems found in the
industry’s earlier security initiatives. Furthermore, WLAN infrastructure vendors have designed product
portfolios with enterprise-grade security as one of the core tenets in order to distinguish themselves
from consumer-grade offerings. Siemens is one such vendor, and its HiPath Wireless Portfolio delivers a
robust, standards-based security solution that can assure managers that they can finally take advantage
of all the benefits enterprise WLAN has to offer without exposure to security risks.
Wireless security is the prevention of unauthorized access or damage to computers using wireless networks.
Wireless networks are very common, both for organizations and individuals. Many laptop computers
have wireless cards pre-installed. The ability to enter a network while mobile has great benefits.
However, wireless networking has many security issues. Hackers have found wireless networks relatively
easy to break into, and even use wireless technology to crack into wired networks. As a
result, it's very important that enterprises define effective wireless security policies that guard against
unauthorized access to important resources. Wireless Intrusion Prevention Systems are commonly used
to enforce wireless security policies.
The risks to users of wireless technology have increased as the service has become more popular. There
were relatively few dangers when wireless technology was first introduced. Crackers had not yet had
time to latch on to the new technology and wireless was not commonly found in the workplace.
However, there are a great number of security risks associated with the current wireless protocols and
encryption methods, and in the carelessness and ignorance that exists at the user and corporate IT level.
Cracking methods have become much more sophisticated and innovative with wireless. Cracking has
also become much easier and more accessible with easy-to-use Windows or Linux-based tools being
made available on the web at no charge.
The access point has a dedicated IP address for remote management via SNMP (Simple Network
Management Protocol). The wireless clients themselves – usually laptops or desktops and handhelds –
may also use SNMP agents to allow remote management. As a result, each of these devices contains a
sensor to ensure that each unit is properly configured, and that these configurations have not been
improperly altered. The network itself is regularly monitored to identify access points in operation, and
verify that they are authorized and properly configured. While this paper focuses on the risk issues from
a corporate network perspective, these same issues apply to home networks, telecommuters using
wireless, and “public use” networks such as those being set up by Microsoft to allow wireless Internet
access at select Starbucks locations. Remote users are now able to access internal corporate resources
from multiple types of foreign networks. Even organizations without internal wireless networks must
take wireless into account as part of their overall security practices.
Known Risks
Although attacks against 802.11b and other wireless technologies will undoubtedly increase in number
and sophistication over time, most current 802.11b risks fall into seven basic categories:
Insertion attacks
Interception and unauthorized monitoring of wireless traffic
Jamming
Client-to-Client attacks
Brute force attacks against access point passwords
Encryption attacks
Misconfigurations
Insertion attacks are based on deploying unauthorized devices or creating new wireless networks
without going through the security process and review.
Unauthorized Clients – An attacker tries to connect a wireless client, typically a laptop or PDA,
to an access point without authorization. Access points can be configured to require a password
for client access. If there is no password, an intruder can connect to the internal network simply
by enabling a wireless client to communicate with the access point. Note, however, that some
access points use the same password for all client access, requiring all users to adopt a new
password every time the password needs to be changed.
Unauthorized or Renegade Access Points – An organization may not be aware that internal
employees have deployed wireless capabilities on their network. This lack of awareness could
lead to the previously described attack, with unauthorized clients gaining access to corporate
resources through a rogue access point. Organizations need to implement policy to ensure
secure configuration of access points, plus an ongoing process in which the network is scanned
for the presence of unauthorized devices.
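One way to run the scan for unauthorized devices described above, as an added example that is not part of the original report: each observed access point is compared with an approved inventory. The inventory, addresses, SSIDs, signal threshold and finding labels are all constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Beacon(NamedTuple):
    bssid: str       # MAC address of the transmitting AP radio
    ssid: str
    channel: int
    signal_dbm: int  # received strength; closer to 0 is stronger

# Approved inventory (constructed): BSSID -> (SSID, channel) as deployed.
AUTHORIZED = {
    "02:00:00:00:01:01": ("CorpNet", 1),
    "02:00:00:00:01:02": ("CorpNet", 6),
}

def classify(b, inventory=AUTHORIZED, onsite_dbm=-65):
    """Label one observed AP against the approved inventory."""
    known = inventory.get(b.bssid.lower())
    if known is not None:
        # Our hardware: check that its settings still match what was approved.
        return "authorized" if known == (b.ssid, b.channel) else "config-drift"
    if b.ssid in {ssid for ssid, _ in inventory.values()}:
        return "impersonation"  # corporate SSID from a radio we do not own
    # Unknown SSID: a strong signal suggests the device is on the premises.
    return "rogue-suspect" if b.signal_dbm >= onsite_dbm else "neighbor"

def audit(beacons):
    """Return {finding: [bssid, ...]} for every AP that is not authorized."""
    strongest = {}
    for b in beacons:  # the same AP is seen many times; keep the best reading
        key = b.bssid.lower()
        if key not in strongest or b.signal_dbm > strongest[key].signal_dbm:
            strongest[key] = b
    findings = defaultdict(list)
    for key in sorted(strongest):
        label = classify(strongest[key])
        if label != "authorized":
            findings[label].append(key)
    return dict(findings)

# Constructed scan results, as a site survey tool might export them.
SCAN = [
    Beacon("02:00:00:00:01:01", "CorpNet", 1, -48),
    Beacon("02:00:00:00:01:02", "CorpNet", 11, -52),   # channel changed
    Beacon("02:00:00:00:09:01", "CorpNet", 6, -60),    # not in inventory
    Beacon("02:00:00:00:09:02", "linksys", 6, -70),
    Beacon("02:00:00:00:09:02", "linksys", 6, -50),    # same AP, nearer reading
    Beacon("02:00:00:00:09:03", "CoffeeShop", 1, -85),
]

if __name__ == "__main__":
    for finding, bssids in audit(SCAN).items():
        print(f"{finding}: {', '.join(bssids)}")
```

The "neighbor" label keeps APs from adjacent premises out of the findings that need follow-up; the signal threshold has to be tuned per site.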
IP Spoofing
By modifying the source IP address contained in the packet header, a hacker can intercept traffic coming
from a legitimately authenticated user and make it appear that the user is actually using the hacker’s
computer. As a result, all data and messages coming from a server would go back to the hacker.
Hijacking
Using software that is secretly installed on the PC of a corporate user, a hacker can gain control of the
computer to gain access to resources the user is able to see, or to cause damage to servers and other
computers.
2. Logical Placement of AP
Placing the wireless access point in the internal network inside the firewall increases the risk of a hacker
accessing the internal network if he/she manages to bypass the other security controls.
3. SSID Broadcasting
An SSID (“Service Set Identifier”) is used to uniquely identify a wireless network.
It may be set to broadcast, which carries a greater security risk because anyone can receive the SSID.
6. Authentication
Typically, access points allow any wireless-enabled device within range to associate with the access
point. Several techniques exist to mitigate this risk.
MAC addresses are unique identifiers of computer hardware such as wireless network cards. Some types of
access points can restrict access to a defined list of MAC addresses. MAC address filtering
authenticates the network card. However, a MAC address can be forged.
Additional methods include 802.1x authentication, typically involving user name/password based
authentication using a RADIUS server. This additionally authenticates the user.
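Because a MAC address can be forged, a filter list alone cannot tell two radios apart. The added example below (not from the original report, and going beyond its text) shows how a monitoring sensor can notice two transmitters sharing one address from the 12-bit 802.11 sequence numbers; the thresholds and captured values are constructed.

```python
from collections import defaultdict

SEQ_MODULUS = 4096  # the 802.11 sequence number is a 12-bit counter

def seq_gap(prev, cur):
    """Forward distance from prev to cur, allowing for counter wrap-around."""
    return (cur - prev) % SEQ_MODULUS

def suspected_spoofing(frames, max_gap=32, min_anomalies=3):
    """Return the sorted source MACs whose sequence numbers look interleaved.

    frames: iterable of (source_mac, sequence_number) in capture order.
    One transmitter counts upward in small steps (a gap of 0 is a retry, a few
    missed frames give a small gap). Two transmitters sharing one address each
    keep their own counter, so the observed stream jumps back and forth.
    """
    last_seen = {}
    anomalies = defaultdict(int)
    for mac, seq in frames:
        mac = mac.lower()
        if mac in last_seen and seq_gap(last_seen[mac], seq) > max_gap:
            anomalies[mac] += 1
        last_seen[mac] = seq
    # A single jump can be a restart or a long capture gap; require several.
    return sorted(m for m, n in anomalies.items() if n >= min_anomalies)

# Constructed capture. Assumes non-QoS frames: QoS data frames keep a separate
# counter per traffic identifier and would need one stream per (MAC, TID).
CAPTURE = (
    # Client A: one radio, including a retry (repeat) and a wrap past 4095.
    [("02:00:00:00:0a:01", s) for s in (4090, 4091, 4091, 4093, 4095, 0, 2)]
    # Client B: the listed radio (100..) interleaved with a second radio (2500..).
    + [("02:00:00:00:0b:01", s) for s in (100, 2500, 101, 2501, 102, 2502)]
    # Client C: one large jump only, e.g. after a restart; below the threshold.
    + [("02:00:00:00:0c:01", s) for s in (700, 701, 5, 6, 7)]
)

if __name__ == "__main__":
    print(suspected_spoofing(CAPTURE))
```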
7. “War driving”
War drivers can frequently be identified by wireless gear, antennae, etc. mounted atop vehicles.
8. Default Settings
Default settings for access points straight out of the box may not have security options set up.
Not changing these default settings makes it easier for hackers to access the wireless network, e.g.
the default IP address, password and SSID (Service Set Identification – the network name of your Wireless
LAN) that come with the access point could be found on the Internet by googling.