
Post on 01-Apr-2015


Wireless LAN Management

w.lilakiatsakun

Topics

Wireless LAN fundamentals: link characteristics; bands and spectrum; IEEE 802.11 architecture and channel allocation

Wireless LAN solutions: ad hoc / infrastructure; load balancing; Extended Service Set (roaming); wireless repeater / bridge

Wireless LAN security

Wireless Link Characteristics

Differences from a wired link:

Decreased signal strength: the radio signal attenuates as it propagates through matter (path loss).

Interference from other sources: the standardized wireless network frequencies (e.g., 2.4 GHz) are shared by other devices (e.g., cordless phones); electrical devices such as motors interfere as well.

Multipath propagation: the radio signal reflects off objects and the ground, arriving at the destination at slightly different times.

Transmission over a wireless link therefore suffers loss and errors more often than transmission over a wired link.

Wireless network characteristics

[Figure: three stations A, B and C in a line; B is within range of both A and C, but A and C are out of range of each other.]

Hidden terminal problem: B and A hear each other, and B and C hear each other, but A and C cannot hear each other. This means A and C are unaware that they interfere with each other at B.

[Figure: A's signal strength and C's signal strength plotted against distance; each is still strong at B but has faded below detection by the time it reaches the other station.]

Signal fading: B and A hear each other, and B and C hear each other, but A and C cannot hear each other, so A and C end up interfering at B.

Unlicensed Spectrum

ISM stands for Industrial, Scientific and Medical. ISM band allocations differ from country to country:

Band       FCC freq. (US)     ETSI freq. (EU)    Main use
ISM-900    902-928 MHz        890-906 MHz        Food processing
ISM-2.4    2.4-2.4835 GHz     2.4-2.5 GHz        Microwave ovens
ISM-5.8    5.725-5.850 GHz    5.725-5.875 GHz    Medical scanners

ISM Band

Only the ISM-2.4 band is available in every country. It is shared by microwave ovens, medical equipment and communication systems such as wireless LAN and Bluetooth, so it is too crowded.

Communication systems use spread spectrum techniques to cope with the interference.

IEEE 802.11 Wireless LAN: 802.11b

2.4 GHz unlicensed radio spectrum. Uses CCK (Complementary Code Keying) to improve the data rate. Backward compatible with DSSS systems; not compatible with FHSS systems. The maximum of 11 Mbps is the theoretical capacity (raw data rate); the real maximum data rate is only about 6 Mbps, and only at short range with no interference.

IEEE 802.11 Wireless LAN: 802.11a and 802.11g

802.11a: 5 GHz range, OFDM, up to 54 Mbps (about 31 Mbps real throughput).

802.11g: 2.4 GHz range, CCK-OFDM, backward compatible with IEEE 802.11b, up to 54 Mbps (about 31 Mbps real throughput; a mixed cell that also serves 802.11b clients runs slower, because 802.11g stations must protect their OFDM transmissions from the 802.11b stations).

All use CSMA/CA for multiple access.

Wireless LAN standards

802.11 LAN architecture

A wireless host communicates with a base station; in 802.11 the base station is the access point (AP).

Basic Service Set (BSS), also called a "cell": in infrastructure mode it contains the wireless hosts and the access point (AP) acting as base station; in ad hoc mode it contains hosts only.

[Figure: two BSSs, BSS 1 and BSS 2, each with its own AP, joined by a hub, switch or router to the Internet.]

IEEE 802.11: multiple access

Goal: avoid collisions, i.e. two or more nodes transmitting at the same time.

802.11 uses CSMA: sense before transmitting, and do not collide with an ongoing transmission by another node.

802.11 has no collision detection. It is difficult to receive (and so to sense a collision) while transmitting, because the received signal is weak compared with the node's own transmission (fading), and not all collisions can be sensed anyway: hidden terminals, fading.

So the goal is to avoid collisions rather than detect them: CSMA/CA (Collision Avoidance).

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender:

1. If the channel is sensed idle for DIFS, transmit the entire frame (no collision detection).

2. If the channel is sensed busy, start a random backoff timer; the timer counts down only while the channel is idle; transmit when the timer expires. If no ACK arrives, increase the random backoff interval and repeat step 2.

802.11 receiver: if the frame is received OK, return an ACK after SIFS.

[Figure: timeline between sender and receiver: the sender waits DIFS and sends DATA; the receiver waits SIFS and returns ACK.]
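The sender rule above, as an added example rather than code from the original slides. It models the random backoff with the binary exponential contention window that 802.11 actually uses; the constants are the IEEE 802.11b DSSS values (slot 20 us, SIFS 10 us, CWmin 31, CWmax 1023), DIFS is derived as SIFS + 2 slots, and the station names and frame counts in the simulation are made up for the example.

```python
# Added example (not from the original slides): the CSMA/CA sender rule as runnable
# code. Constants are the IEEE 802.11b DSSS values; station names are made up.
import random

SLOT_US = 20
SIFS_US = 10
DIFS_US = SIFS_US + 2 * SLOT_US   # 50 us for 802.11b
CW_MIN = 31
CW_MAX = 1023


def contention_window(retries: int) -> int:
    """Contention window (in slots) after `retries` unacknowledged attempts.

    Each missing ACK doubles CW+1, so CW goes 31, 63, 127, ... and is capped at CWmax.
    """
    return min(CW_MAX, (CW_MIN + 1) * (2 ** retries) - 1)


def draw_backoff(retries: int, rng: random.Random) -> int:
    """Random backoff, uniform in [0, CW] slots; it only counts down while the channel is idle."""
    return rng.randint(0, contention_window(retries))


def resolve_round(backoffs: dict) -> tuple:
    """Given each contending station's remaining backoff, decide who transmits next.

    The station whose counter expires first wins. If two counters expire in the same
    slot both stations transmit; with no collision detection neither notices until
    the ACK fails to arrive, so both are reported as collided.
    """
    lowest = min(backoffs.values())
    first = sorted(s for s, b in backoffs.items() if b == lowest)
    if len(first) == 1:
        return first[0], []
    return None, first


def simulate(stations, frames_each: int, seed: int = 1) -> dict:
    """Saturated stations contend until each has sent `frames_each` frames."""
    rng = random.Random(seed)
    retries = {s: 0 for s in stations}
    remaining = {s: frames_each for s in stations}
    backoff = {s: draw_backoff(0, rng) for s in stations}
    stats = {"sent": 0, "collisions": 0, "max_cw": CW_MIN}
    while any(remaining.values()):
        active = {s: b for s, b in backoff.items() if remaining[s] > 0}
        winner, collided = resolve_round(active)
        elapsed = min(active.values())
        if winner is not None:                      # frame delivered, ACK comes back after SIFS
            stats["sent"] += 1
            remaining[winner] -= 1
            retries[winner] = 0
            backoff[winner] = draw_backoff(0, rng)
        else:                                       # no ACK: back off harder and retry (step 2)
            stats["collisions"] += 1
            for s in collided:
                retries[s] += 1
                stats["max_cw"] = max(stats["max_cw"], contention_window(retries[s]))
                backoff[s] = draw_backoff(retries[s], rng)
        for s in active:                            # everyone else keeps counting down
            if s != winner and s not in collided:
                backoff[s] -= elapsed
    return stats


if __name__ == "__main__":
    print([contention_window(r) for r in range(7)])   # [31, 63, 127, 255, 511, 1023, 1023]
    print(simulate(["A", "B", "C"], frames_each=200))
```

The simulation is slot-granular and ignores frame length, so it shows only the contention behaviour: collisions are rare with two or three stations because a tie requires both counters to expire in the same slot, and every collision widens the loser's window.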

Avoiding collisions (more)

Idea: allow the sender to "reserve" the channel rather than accessing it at random with data frames, so that long data frames do not collide.

The sender first transmits a small request-to-send (RTS) packet to the BS using CSMA; RTSs may still collide with each other (but they are short). The BS broadcasts a clear-to-send (CTS) in response to the RTS, and the CTS is heard by all nodes. The sender then transmits its data frame while the other stations defer their transmissions.

Data frame collisions are avoided completely using small reservation packets.

Collision Avoidance: RTS-CTS exchange

[Figure: timeline with stations A and B and the AP. A and B both send RTS and the reservations collide; A retries RTS(A), the AP answers CTS(A), which B also hears; A sends DATA(A), the AP returns ACK(A), and B defers until the reservation ends.]

Channel partitioning in wireless LAN

With the DSSS modulation technique, the bandwidth used by one channel is 22 MHz.

In the 2.4 GHz band only about 83 MHz is available.

So a spacing of 5 channel numbers (25 MHz) is needed between non-overlapping channels to avoid interference between them.

This must be considered in frequency reuse and capacity planning.

Channel Allocation

Relationship between Data rate and signal strength

802.11: Channels, association

802.11b: the 2.4 GHz-2.485 GHz spectrum is divided into 11 channels (in the US) at different frequencies. The AP administrator chooses the frequency for the AP; interference is possible because the channel can be the same as the one chosen by a neighboring AP.

A host must associate with an AP: it scans channels, listening for beacon frames containing the AP's name (SSID) and MAC address, selects an AP to associate with, and may perform authentication.

Interference in wireless LAN

Microwave oven: 2450 MHz (about 1000 watts), affecting roughly channels 7-10.

Bluetooth devices (0.01 W), cordless phones, toys, etc.

Use NetStumbler to show the signal-to-noise ratio on wireless LAN channels.

NetStumbler

Wireless Solutions

Ad hoc; infrastructure; load balancing; connecting a wireless LAN without an access point; Extended Service Set; extending range with a wireless repeater; wireless bridge.

Ad hoc configuration: set the mode to ad hoc / peer to peer, and set the network name (SSID) and channel to use.

Infrastructure

Load balancing: with 5-channel spacing, a maximum of 3 access points can be assigned to one overlapping area, on channels 1, 6 and 11.
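The channel arithmetic behind "5-channel spacing" and "channels 1, 6 and 11", as an added example that is not part of the original slides. It assumes the IEEE 802.11 2.4 GHz channel plan (centre = 2407 + 5 x n MHz for channels 1 to 13, 2484 MHz for channel 14) and the 22 MHz DSSS channel width stated above; it also answers which channels a 2450 MHz microwave oven lands on.

```python
# Added example (not from the original slides): 2.4 GHz channel overlap check.
# Assumes the IEEE 802.11 channel plan (2407 + 5*n MHz, channel 14 at 2484 MHz)
# and a 22 MHz DSSS/CCK channel width.

DSSS_WIDTH_MHZ = 22


def centre_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz 802.11 channel in MHz."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"no such 2.4 GHz channel: {channel}")


def band_mhz(channel: int, width: int = DSSS_WIDTH_MHZ) -> tuple:
    """(low, high) edges of the channel's occupied band in MHz."""
    c = centre_mhz(channel)
    return (c - width / 2, c + width / 2)


def overlaps(a: int, b: int, width: int = DSSS_WIDTH_MHZ) -> bool:
    """True if the two channels' occupied bands share any spectrum."""
    return abs(centre_mhz(a) - centre_mhz(b)) < width


def non_overlapping(channels, width: int = DSSS_WIDTH_MHZ) -> list:
    """Greedy pick, lowest channel first, of mutually non-overlapping channels.

    All channels have the same width, so taking the lowest free channel and
    skipping everything it overlaps yields a maximum-size set.
    """
    chosen = []
    for ch in sorted(channels):
        if all(not overlaps(ch, c, width) for c in chosen):
            chosen.append(ch)
    return chosen


def channels_hit_by(freq_mhz: float, channels=range(1, 14), width: int = DSSS_WIDTH_MHZ) -> list:
    """Channels whose occupied band contains a narrowband interferer at freq_mhz."""
    hit = []
    for ch in channels:
        lo, hi = band_mhz(ch, width)
        if lo <= freq_mhz <= hi:
            hit.append(ch)
    return hit


if __name__ == "__main__":
    print("US channels 1-11:", non_overlapping(range(1, 12)))    # [1, 6, 11]
    print("ETSI channels 1-13:", non_overlapping(range(1, 14)))  # still [1, 6, 11]
    print("channels hit by a 2450 MHz oven:", channels_hit_by(2450))  # [7, 8, 9, 10]
```

Channel 13 does not buy a fourth non-overlapping channel: its centre is only 10 MHz above channel 11, well inside the 22 MHz width.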

Connecting a wireless LAN without an access point: use a host acting as the gateway.

Extended Service Set: several APs sharing one SSID, supporting mobility (roaming).

Extending range with a wireless repeater.

Wireless bridge (point-to-point link).

Wireless LAN security management (1/2)

Common attacks and vulnerabilities: weaknesses in WEP, key management and user behavior; sniffing, interception and eavesdropping; spoofing and unauthorized access; network hijacking and modification; denial of service and flooding attacks.

Wireless LAN security management (2/2)

Security countermeasures: revisiting policy; analyzing the threat; implementing WEP; filtering MAC addresses; using closed systems and networks; securing users.

The weakness in WEP, key management and user behavior

Several papers have been published showing vulnerabilities in WEP, and tools exist that recover the encryption key: AirSnort (http://airsnort.shmoo.com) and WEPCrack (http://sourceforge.net/projects/wepcrack/).

IEEE 802.11 states that the secret key used by WEP is to be controlled by an external key management service. Normally, key management is done by the user (defining up to 4 different secret keys). RADIUS (Remote Authentication Dial-In User Service) is not used by small businesses or home users.

The weakness in WEP, key management and user behavior (continued)

Users often operate devices on the default configuration: SSID broadcast turned on, and the default password used as the secret key (3Com products: "comcomcom"; Lucent products: the last five digits of the network ID).

Sniffing, interception and eavesdropping

Sniffing is the electronic form of eavesdropping on the communications that computers have across a network.

A wireless network is a broadcast (shared) link: every communication across the wireless network is viewable to anyone listening to the network, without even needing to be associated with it.

Sniffing tools: all of these packages put the network card into promiscuous mode so that every packet passing the interface is captured and displayed. (On 802.11, capturing frames from a network you are not associated with requires the card's monitor mode, which the wireless capture tools use in place of promiscuous mode.)

Ethereal    www.ethereal.com/ (now Wireshark)

OmniPeek    http://www.wildpackets.com/products/omnipeek

Tcpdump     www.tcpdump.org/

Ngrep       http://ngrep.sourceforge.net/

Spoofing and unauthorized access

Spoofing: an attacker tricks your network equipment into thinking that the connection is from one of the allowed machines.

Several ways to accomplish this: redefine the MAC address to a valid (allowed) MAC address, via a simple registry edit on Windows, a simple command from a root shell on Unix, or SMAC (a software package for Windows).

Network hijacking and modification

A malicious user sends messages to routing devices and APs stating that their MAC address is associated with a known IP address. From then on, all traffic that goes through that router (or switch) destined for the hijacked IP address is handed off to the hijacker's machine. This is ARP spoofing, or ARP poisoning.

Network hijacking and modification (continued)

If the attacker spoofs the default gateway, all machines trying to reach the network will connect to the attacker, who can collect passwords and other useful information.

A rogue AP can be used the same way, to receive authentication requests and the information that follows them.

Denial of Service and flooding attacks

One of the original DoS attacks is the ping flood: a large number of hosts or devices send ICMP echo requests to a specified target.

Another possible attack is a massive number of invalid or valid authentication requests; users attempting to authenticate would have difficulty acquiring a valid session.

If a hacker can spoof the default gateway, they can prevent any machine on the wireless network from reaching the wired network.
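Detection logic for the two attacks just described (gateway ARP poisoning and an authentication-request flood), run over a constructed capture. This is an added example, not from the original slides. The input format is assumed: one text line per frame, either "<seconds> ARP <ip> is-at <mac>" for an ARP reply or "<seconds> AUTH <source-mac> <bssid>" for an 802.11 authentication request; all addresses and timings are made up for the example.

```python
# Added example (not from the original slides): spotting ARP poisoning of the
# gateway and an 802.11 authentication flood in a constructed frame log.
from collections import defaultdict


def parse(lines):
    """Turn the assumed one-line-per-frame format into (time, kind, a, b) tuples."""
    events = []
    for line in lines:
        parts = line.split()
        t = float(parts[0])
        if parts[1] == "ARP" and parts[3] == "is-at":
            events.append((t, "arp", parts[2], parts[4]))      # ip, mac
        elif parts[1] == "AUTH":
            events.append((t, "auth", parts[2], parts[3]))     # src mac, bssid
    return events


def arp_conflicts(events, watch_ips=None) -> dict:
    """IPs claimed by more than one MAC, in the order the MACs were first seen.

    A second MAC appearing for the gateway is the signature of the hijack above;
    pass watch_ips={"192.168.1.1"} to alert only on the addresses you care about.
    """
    seen = defaultdict(list)
    for _, kind, ip, mac in events:
        if kind == "arp" and mac not in seen[ip]:
            seen[ip].append(mac)
    return {ip: macs for ip, macs in seen.items()
            if len(macs) > 1 and (watch_ips is None or ip in watch_ips)}


def auth_flood(events, window_s: float = 1.0, threshold: int = 20) -> dict:
    """Sources that sent >= threshold authentication requests inside any window_s span.

    Returns the peak count per offending source (sliding window, two pointers).
    """
    times = defaultdict(list)
    for t, kind, src, _ in events:
        if kind == "auth":
            times[src].append(t)
    flagged = {}
    for src, ts in times.items():
        ts.sort()
        lo, peak = 0, 0
        for hi in range(len(ts)):
            while ts[hi] - ts[lo] > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


# Constructed capture: a legitimate gateway announcement, one real client, a
# poisoned gateway entry 3.2 s in, and 50 auth requests in half a second.
SAMPLE_LOG = [
    "0.000 ARP 192.168.1.1 is-at 00:aa:bb:cc:dd:01",
    "0.400 AUTH 00:11:22:33:44:55 00:aa:bb:cc:dd:01",
    "3.200 ARP 192.168.1.1 is-at de:ad:be:ef:00:01",
    "3.300 ARP 192.168.1.20 is-at 00:11:22:33:44:55",
    "9.000 AUTH 00:11:22:33:44:55 00:aa:bb:cc:dd:01",
] + [f"{5 + i * 0.01:.3f} AUTH de:ad:be:ef:00:02 00:aa:bb:cc:dd:01" for i in range(50)]

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("gateway/IP conflicts:", arp_conflicts(ev, watch_ips={"192.168.1.1"}))
    print("auth floods:", auth_flood(ev))
```

In practice the ARP check runs best on a wired span port or the AP itself, since an attacker who has poisoned the gateway entry is also positioned to drop the wireless side's view of the real reply.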

Revisiting policy

Adjust the corporate security policy to accommodate wireless networks and the users who depend on them.

Because a wireless environment has no visible connection, good authentication is required. Because RF traffic is easy to capture, good policy should not broadcast the SSID, should implement WEP, and should not use default names or passwords when operating AP devices.

Analyzing the threat (1/2)

Identify the assets and the methods of accessing them from an authorized perspective.

Identify the likelihood that someone other than an authorized user can access the assets.

Identify potential damages: defacement, modification, theft, destruction of data.

Analyzing the threat (2/2)

Identify the cost to replace, fix, or track the loss.

Identify security countermeasures.

Identify the cost of implementing the countermeasures: hardware, software, personnel; procedures and limitations on access across the corporate structure.

Compare the cost of securing the resources against the cost of the damage.

Implementing WEP

To protect data from sniffing during a session, 128-bit encryption should be considered the minimum; most APs support both 40-bit and 128-bit encryption.

WEP advantages: all messages are encrypted, so privacy is maintained; easy to implement; WEP keys are user definable and unlimited.

Implementing WEP (continued)

WEP disadvantages: the RC4 stream cipher, as WEP uses it, can be broken (the key-recovery attacks exploit the 24-bit IV and weak RC4 keys, so the 128-bit variant falls to the same tools as the 40-bit one); once the key is changed, everyone has to be told; WEP does not provide adequate WLAN security and only deters the curious hacker who lacks the means or desire to really attack your network; WEP has to be implemented on every client as well as every AP to be effective.
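The two structural WEP weaknesses the slides refer to (in "The weakness in WEP" and in the disadvantages list above), shown on the actual construction rather than described: RC4 keyed with IV || secret key, and a CRC-32 integrity check value (ICV). This is an added example, not part of the original slides or of any of the tools named. The 40-bit key, IVs and payloads are made up; RC4 is implemented inline so the block runs offline, and one public RC4 test vector is checked in the test.

```python
# Added example (not from the original slides): two reasons WEP fails, on a
# working reimplementation of WEP's RC4 + CRC-32 framing. Key and payloads are
# constructed for illustration only.
import math
import zlib

IV_BITS = 24


def rc4(key: bytes, n: int) -> bytes:
    """First n keystream bytes of RC4 for `key` (KSA then PRGA, no drop)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(secret40: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (in clear) || RC4_{IV||key}(plaintext || ICV)."""
    assert len(iv) == 3 and len(secret40) == 5
    keystream = rc4(iv + secret40, len(plaintext) + 4)
    return iv + xor(plaintext + icv(plaintext), keystream)


def wep_decrypt(secret40: bytes, frame: bytes) -> tuple:
    """Return (plaintext, icv_ok) for a frame produced by wep_encrypt."""
    iv, body = frame[:3], frame[3:]
    dec = xor(body, rc4(iv + secret40, len(body)))
    plaintext, tag = dec[:-4], dec[-4:]
    return plaintext, tag == icv(plaintext)


# Weakness 1: a 24-bit IV repeats quickly, and two frames under the same IV share
# one keystream, so c1 XOR c2 = p1 XOR p2 and any known plaintext exposes the other.
def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> bytes:
    assert frame1[:3] == frame2[:3], "only frames sharing an IV share a keystream"
    return xor(frame1[3:], frame2[3:])


def p_iv_repeat(frames: int, iv_bits: int = IV_BITS) -> float:
    """Probability of at least one repeated IV among `frames` random IVs (birthday bound)."""
    space = 2 ** iv_bits
    log_none = sum(math.log1p(-k / space) for k in range(frames))
    return 1.0 - math.exp(log_none)


# Weakness 2: CRC-32 is linear, so bits of the plaintext can be flipped through the
# ciphertext and the encrypted ICV corrected to match, all without the key.
def flip_without_key(frame: bytes, delta: bytes) -> bytes:
    """XOR `delta` into the encrypted plaintext and patch the encrypted ICV."""
    body = bytearray(frame[3:])
    n = len(body) - 4
    assert len(delta) == n
    for k in range(n):
        body[k] ^= delta[k]
    # crc(p ^ d) = crc(p) ^ crc(d) ^ crc(zeros of the same length)
    patch = zlib.crc32(delta) ^ zlib.crc32(bytes(n))
    for k, b in enumerate(patch.to_bytes(4, "little")):
        body[n + k] ^= b
    return frame[:3] + bytes(body)


if __name__ == "__main__":
    key = b"\x31\x32\x33\x34\x35"            # constructed 40-bit "secret" key
    iv = b"\x00\x00\x01"
    p1, p2 = b"GET /index.html HTTP/1.0", b"POST /login user=admin&p"
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    print(xor(keystream_reuse_leak(f1, f2)[:len(p1)], p1))   # p2, recovered without the key
    print(f"P(IV repeat after 5000 frames) = {p_iv_repeat(5000):.2f}")
    delta = xor(b"GET ", b"PUT ") + bytes(len(p1) - 4)
    print(wep_decrypt(key, flip_without_key(f1, delta)))   # (b'PUT /index.html ...', True)
```

Neither attack cares whether the secret key is 40 or 104 bits: the first only needs the IV to repeat, and the second only needs the ICV to be linear.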

Filtering MAC addresses

To reduce the number of possible attacks. More practical on small networks. It can be performed at the switch attached to the AP or on the AP itself.

MAC filtering advantages: predefined users are accepted; filtered MAC addresses do not get access.

MAC filtering disadvantages: administrative overhead with a large number of users; MAC addresses can be reprogrammed (and every 802.11 frame carries its addresses in the clear, so an allowed address can be read off the air and then spoofed).

Using closed systems and networks

Turn off SSID broadcasting and use a proper password (WEP key). Select "closed wireless system".

Advantages: the AP does not answer unrecognized network requests (probe requests that do not name its SSID); prevents NetStumbler-style snooping; easy to implement.

Disadvantages: administration is required for new users and changes. Note also that the SSID is still sent in the clear in directed probe requests, probe responses and association requests, so a passive sniffer learns it as soon as a legitimate client joins.
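What a scanning station (see "802.11: Channels, association" above) actually sees from a closed system, as an added example that is not part of the original slides: a parser for 802.11 management frames and a constructed capture of a hidden-SSID AP and one client joining it. The frames follow the IEEE 802.11 management frame format (24-byte header, fixed fields, tagged information elements); the MAC addresses, the SSID "corp-wlan" and the capture itself are made up for the example.

```python
# Added example (not from the original slides): parsing beacons, probes and an
# association request to show what hiding the SSID does and does not hide.
# All addresses, the SSID and the frames are constructed for this example.
import struct

SUBTYPE_ASSOC_REQ = 0x0
SUBTYPE_PROBE_REQ = 0x4
SUBTYPE_PROBE_RESP = 0x5
SUBTYPE_BEACON = 0x8
# Bytes of fixed fields that precede the tagged parameters, per subtype.
FIXED_LEN = {SUBTYPE_BEACON: 12, SUBTYPE_PROBE_RESP: 12, SUBTYPE_PROBE_REQ: 0, SUBTYPE_ASSOC_REQ: 4}
IE_SSID, IE_RATES, IE_DS_PARAM = 0, 1, 3
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt(subtype: int, da: str, sa: str, bssid: str, ies, seq: int = 0) -> bytes:
    """Management frame: frame control, duration, addr1..3, sequence control, body."""
    fc = subtype << 4                   # protocol version 0, type 0 (management)
    hdr = struct.pack("<HH", fc, 0) + mac(da) + mac(sa) + mac(bssid) + struct.pack("<H", seq << 4)
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        body = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, beacon interval, capability (ESS, privacy)
    elif subtype == SUBTYPE_ASSOC_REQ:
        body = struct.pack("<HH", 0x0411, 10)        # capability, listen interval
    else:
        body = b""
    for tag, value in ies:
        body += bytes([tag, len(value)]) + value
    return hdr + body


def parse_mgmt(frame: bytes) -> dict:
    """Extract subtype, source, BSSID, SSID and channel from a management frame."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0:
        raise ValueError("not a management frame")
    sa, bssid = frame[10:16], frame[16:22]
    off = 24 + FIXED_LEN.get(subtype, 0)
    ies = {}
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        ies[tag] = frame[off + 2: off + 2 + length]
        off += 2 + length
    ssid = ies.get(IE_SSID)
    return {
        "subtype": subtype,
        "sa": fmt_mac(sa),
        "bssid": fmt_mac(bssid),
        "ssid": ssid.decode("utf-8", "replace") if ssid else "",
        "hidden": ssid is not None and len(ssid) == 0,   # zero-length SSID = closed system
        "channel": ies[IE_DS_PARAM][0] if IE_DS_PARAM in ies else None,
    }


def recover_ssids(frames) -> dict:
    """Map each BSSID to the SSID that any frame on the air revealed for it.

    The closed system's beacon carries an empty SSID, but the directed probe
    response and the association request name the network in the clear.
    """
    found = {}
    for frame in frames:
        info = parse_mgmt(frame)
        if info["ssid"] and info["bssid"] != BROADCAST:
            found[info["bssid"]] = info["ssid"]
    return found


AP, CLIENT, SSID = "aa:bb:cc:dd:ee:01", "00:11:22:33:44:55", b"corp-wlan"
RATES = bytes([0x82, 0x84, 0x8b, 0x96])   # 1, 2, 5.5, 11 Mbps basic rates
BEACON = build_mgmt(SUBTYPE_BEACON, BROADCAST, AP, AP, [(IE_SSID, b""), (IE_RATES, RATES), (IE_DS_PARAM, bytes([6]))])
PROBE_REQ = build_mgmt(SUBTYPE_PROBE_REQ, BROADCAST, CLIENT, BROADCAST, [(IE_SSID, SSID), (IE_RATES, RATES)])
PROBE_RESP = build_mgmt(SUBTYPE_PROBE_RESP, CLIENT, AP, AP, [(IE_SSID, SSID), (IE_RATES, RATES), (IE_DS_PARAM, bytes([6]))])
ASSOC_REQ = build_mgmt(SUBTYPE_ASSOC_REQ, AP, CLIENT, AP, [(IE_SSID, SSID), (IE_RATES, RATES)])
CAPTURE = [BEACON, PROBE_REQ, PROBE_RESP, ASSOC_REQ]

if __name__ == "__main__":
    for f in CAPTURE:
        print(parse_mgmt(f))
    print(recover_ssids(CAPTURE))   # {'aa:bb:cc:dd:ee:01': 'corp-wlan'}
```

Run on the beacon alone, recover_ssids returns nothing, which is all a closed system achieves; the moment a legitimate client probes for and joins the network, the name is on the air for any monitor-mode capture to read.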

Securing users

Educate users about the threats, where they are at risk, and how a proper password is set.

Provide policies that enable them to secure themselves: change passwords at regular intervals; enforce a minimum password length.

Create policies that secure users behind the scenes: filtering traffic.

Securing users (continued)

Some of the rules that should be in place with respect to wireless 802.11: no rogue access points; inventory all wireless cards and their corresponding MAC addresses; no antennas without administrative consent; strong passwords on wireless network devices.

Other methods

VPN; WEP + RADIUS; WPA (Wi-Fi Protected Access), based on IEEE 802.11i; WPA + RADIUS; 802.1X + RADIUS with EAP-MD5, LEAP (Cisco), EAP-TLS or EAP-TTLS; MAC filtering + WEP + RADIUS.

Mahanakorn solution

Web recommendationhttp://www.thaicert.nectec.or.th/paper/wireless/IEEE80211_4.php