Part 3 - Cisco Networking Academy

advertisement
An Introduction to Wireless Networking (Part 3) - Security, Tips & Tricks
ITNW 2313 – Networking Hardware
Prof. Michael P. Harris, CCNA, CCAI
Types of Security
In Part 1 of this series I mentioned WEP, SSID and MAC Address filtering as three
methods of wireless networking security. Here we will get to know a little more about
these and what other methods of security are available.
WEP (Wired Equivalent Privacy)
Developed in the late 1990s, WEP is a basic protocol that is sometimes overlooked by
wireless administrators because of its numerous vulnerabilities. The original
implementations of WEP used 64-bit encryption (40-bit + 24-bit Initialization Vector).
By means of a Brute Force attack, 64-bit WEP can be broken in a matter of minutes,
whereas the stronger 128-bit version will take hours. It’s not the best line of defense
against unauthorized intruders but better than nothing and mainly used by the
average home user. One of the drawbacks of WEP is that since it uses a shared key, if
someone leaves the company then the key will have to be changed on the access
point and all client machines.
WEP2 (Wired Equivalent Privacy version 2)
In 2004, the IEEE proposed an updated version of WEP; WEP2 to address its
predecessor’s shortcomings. Like WEP it relies on the RC4 algorithm but instead uses a
128-bit initialization vector making it stronger than the original version of WEP, but
may still be susceptible to the same kind of attacks.
WPA (Wi-Fi Protected Access)
WPA provides encryption via the Temporary Key Integrity Protocol (TKIP) using the
RC4 algorithm. It is based on the 802.1X protocol and addresses the weaknesses of
WEP by providing enhancements such as Per-Packet key construction and distribution,
a message integrity code feature and a stronger IV (Initialization Vector). The
downside of WPA is that unless your current hardware supports WPA by means of a
firmware upgrade, you will most likely have to purchase new hardware to enjoy the
benefits of this security method. The length of a WPA key is between 8 and 63
characters – the longer it is the more secure it is.
WPA2 (Wi-Fi Protected Access version 2)
Based on the 802.11i standard, WPA2 was released in 2004 and uses a stronger
method of encryption – AES (Advanced Encryption Standard). AES supports key sizes of
128 bits, 192 bits, and 256 bits. It is backward compatible with WPA and uses a fresh
set of keys for every session, so essentially every packet that sent over the air is
encrypted with a unique key. As did WPA, WPA2 offers two versions – Personal and
Enterprise. Personal mode requires only an access point and uses a pre-shared key for
authentication and Enterprise mode requires a RADIUS authentication server and uses
EAP.
MAC Address Filtering
I covered this is Part 1 and talked about it briefly in the Troubleshooting Wireless
Networks Article, but it’s worth another mention for the benefit of those who haven’t
read my previous literature on the subject and also to refresh one’s memory. MAC
Address Filtering is a means of controlling which network adapters have access to the
access point. A list of MAC Addresses is entered into the access point and anyone
whose MAC address on the wireless network adapter does not match an entry in the
list will not be permitted entry. This is a pretty good means of security when also
used with a packet encryption method. However, keep in mind that MAC addresses
can be spoofed. This type of security is usually used as a means of authentication, in
conjunction with something like WEP for encryption. Below is a basic image
demonstrating the MAC Address Filtering process:
A laptop, with MAC Address 00-0F-CA-AE-C6-A5 wants to access the wireless network
via the access point. The access point compares this Address to its list and permits or
denies access accordingly.
SSID (Service Set Identifier)
An SSID, or Network Name, is a “secret” name given to a wireless network. I put
secret in inverted commas because it can be sniffed pretty easily. By default, the SSID
is a part of every packet that travels over the WLAN. Unless you know the SSID of a
wireless network you cannot join it. Every network node must be configured with the
same SSID of the access point that it wishes to connect, which becomes a bit of a
headache for the network administrator.
VPN (Virtual Private Network) Link
Perhaps the most reliable form of security would be to setup a VPN connection over
the wireless network. VPNs have for long been a trusted method of accessing the
corporate network over the internet by forming a secure tunnel from the client to the
server. Setting up a VPN may affect performance due to the amount of data
encryption involved but your mind will be at rest knowing your data is secure. The
VPN option is preferred by many enterprise administrators because VPNs offer the
best commercially available encryption. VPN software uses advanced encryption
mechanisms (AES for example), which makes decrypting the traffic a very hard, if not
impossible, task.
For a clearer understanding of the VPN link method, see the image below.
There are various levels of VPN technology, some of which are expensive and include
both hardware and software. Microsoft does however provide us with a basic VPN
technology – commonly used in small to medium enterprise networks - Windows 2000
Advanced Server and Windows Server 2003. These are more than capable of handling
your wireless VPN requirements.
802.1X
With 802.1X the authentication stage is done via a RADIUS server (IAS on Windows
Server 2003) where the user credentials are checked against the server. When a user
first attempts to connect to the network they are asked to enter their username and
password. These are checked with the RADIUS server and access is granted
accordingly. Every user has a unique key that is changed regularly to allow for better
security. Hackers can crack codes but it does take time, and with a new code being
generated automatically every few minutes, by the time the hacker cracks the code it
would have expired. 802.1X is essentially a simplified standard for passing EAP
(Extensible Authentication Protocol) over a wireless (or wired) network.
Below is an image showing the 802.1X process.
The wireless client (laptop) is known as the Supplicant. The Access Point is known as
the Authenticator and the RADIUS server is known as the Authentication server.
General Tips and Tricks








When purchasing a wireless NIC card, try and get one that can take an external
antenna. This will allow you to change it for a stronger one if ever required.
When you are out and about with your Wi-Fi enabled laptop, disable Microsoft
File and Printer sharing (which enables other computers to access resources on
your computer) so as not to leave your computer vulnerable to hackers.
If you are concerned about the interference from other Wireless Access Points
or wireless devices in the area, set the AP and wireless clients to use a nonoverlapping channel such as 1, 6 or 11.
Change the configuration interface password of the access point before you
enable it. This is more common sense than a tip but most people overlook this
part of setting up a wireless network.
Only buy an access point that has upgradeable firmware. This will allow you to
take advantage of security enhancements or interface updates.
On the same note as above, keep the access point firmware up to date.
Upgrade your firmware whenever a new one is available. It will probably
consist of a new or improved feature.
When you are not using Wi-Fi on your Wi-Fi enabled laptop, turn it off. As well
as protecting yourself from hackers you will be saving battery power.
From time to time, scan the area for rogue access points. If an employee went
out and bought a cheap AP and NIC card, and plugged it into the corporate
network behind the firewall then all your hard work securing the network will
go out the window. This is commonly seen on university campuses where
students purchase hardware and setup a rogue access point in their dorm
rooms.
News and Statistics
Even though the approval of 802.11n isn’t expected until the end of 2006, hardware
manufacturers such as Belkin have already started to offer Pre-N routers and wireless
network adapters. These offer improved network speed and range which would
benefit users who wish to transfer larger files and stream audio/video. With Pre-N, an
Access Point and Wireless NIC Card 10 feet away from each other have an average
throughput of about 40mbps.
Hardware vendors, such as Linksys and D-Link have also announced the use of MIMO
(Multiple- In-Multiple-Out) in their products. MIMO allows the signal to be bounced off
several antennas and paths so that data delivery is guaranteed. Basically, many
unique data streams are passed in the same frequency channel. It is a technology that
allows for the boosting of wireless bandwidth and range, effectively providing better
performance for wireless multimedia and entertainment systems.
In Part 2 (May 2004), I mentioned that there were about 30,000 hotspots worldwide
and that that number should grow to over 210,000 in the next five years. The latest
forecast indicates that by 2006 the number of worldwide hotspots is predicted to rise
to over 110,000.
The Wi-Fi market is booming with over 95% of all laptops shipped in 2005 being Wi-Fi
enabled.
In the last quarter of last year, Wi-Fi hardware revenues grew by 17% over the
previous year.
Guest access looks set to be a key requirement for enterprises. The ability to send
and receive mail and access information on the enterprise servers while attending a
meeting at another company is a major plus for mobile workers.
Wireless data revenues are set to grow to 130 billion US Dollars within the next few
years.
50% of hotels in the tourism industry deploy WI-FI themselves, without using a service
provider. They usually bill it to the room or offer it free as an amenity to guests.
In a recent Poll, forty per cent of people said they would buy a cell phone with Wi-Fi
and only twelve per cent said they would want to get TV on their cell phone. The
possibility of using voWLAN (Voice Over Wireless Local Area Network) is appealing to
many business users. This would allow someone to use GSM while out and about and
switch to voWLAN as soon as they step back into the office.
Download