The current 802.11 wireless networks are capable of using WEP encryption of the data being transmitted. This technology uses either 40/64-bit or 104/128-bit private encryption keys (see Appendix B for a description of WEP encryption). The existing systems may be capable of no WEP encryption, 40/64-bit encryption only (“Silver” devices) or 104/128-bit encryption (“Gold” devices).
The “Gold” devices typically are capable of using either 40/64-bit encryption or the 104/128-bit encryption. The original expectation was that these encryption techniques would provide the privacy that was desired in a “corporate” environment. Unfortunately, many scientists and hackers have proven this to be an error in judgment.
The current knowledge base tells us that the WEP encryption technique can be broken in somewhere between 20 seconds and 45 days using available software and a reasonable Intel-type processor [5][6][7]. The fact that these techniques exist and that they are completely passive (i.e., the attacker never has to transmit anything to the wireless network) makes them extremely dangerous to the wireless user.
At the same time, with an active attack, it is estimated that a Gold encrypted system can be broken in hours. This type of attack requires that the attacker present an association request to the AP; the AP’s response to the presented packet is used to deduce the encryption key that the AP is expecting. Because this type of attack is active in nature, it can be detected, but detection requires that frame data be collected and that a monitoring policy be in place.
What Can Be Done
Until the implementation of 802.11i, there are several steps that can be undertaken to lessen the risk of a security breach. We will discuss each of these steps in greater detail. We will not address installation issues such as site surveys, cell layout and roaming configuration. There are checklists in Appendix C that address these recommendations both when evaluating wireless LAN (WLAN) vendors and when configuring that equipment.
The first step is to “close” the APs. Each AP is configured as a member of a WLAN, which is identified by its SSID. This SSID is used to determine whether a client may connect to an AP. In the case of an “open” AP, the AP responds to an SSID query packet with the SSID of the WLAN that it is configured to use. This allows any client to learn the WLAN SSID and provides a first step toward hacking into the network.
Most APs can be configured to be “closed”. In this case, the AP will not respond to requests for its WLAN SSID. This keeps the attacker from being able to determine the WLAN SSID directly. However, the WLAN SSID can still be determined from passive monitoring of the traffic for a connection request that is completed successfully.

The second step is to use MAC Filtering. The basis for this step is the identification of those MACs that are allowed to use the AP. This step provides a simple method for keeping unwanted clients from using the AP. The only method to overcome this step is what is called “spoofing”. In this approach, the MAC address of the hacker’s client device is changed to match that of one of the authorized MACs in the system. This MAC address can be determined from passive monitoring. However, this method requires a special client device whose MAC can be modified easily; these devices are not the typical off-the-shelf devices. This step is not used as often as it could be, due to the amount of labor required to change the MAC Filtering List on each AP when client devices are added to or deleted from the system.
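As an added example (not part of the original paper), the following Python script ties together the two steps above and the earlier point that an active attack can only be spotted if data collection and a monitoring policy exist. It reads a small log of 802.11 management-frame events, checks association requests against a per-AP MAC filter list, flags a source that floods the AP with association requests, and flags an authorized MAC that associates with two different APs within a short window, which is one indicator that its address is being spoofed (a client that is genuinely roaming triggers it too). The log format, the MAC addresses, the BSSIDs and the thresholds are all constructed for this example and are not taken from any real network or vendor.

```python
"""Added example, not from the original paper: a small monitor over
802.11 management-frame events. It assumes a one-event-per-line log
export in the constructed format
    <timestamp-seconds> <frame-type> src=<mac> bssid=<mac>
Every MAC address, timestamp and threshold below is constructed."""
from collections import defaultdict, deque

# Constructed sample log: client ...44:55 associates normally, client
# ...44:66 (not on the filter list) hammers the AP with association
# requests, and ...44:55 later shows up on a second AP.
SAMPLE_LOG = """\
1000.00 assoc_req  src=00:11:22:33:44:55 bssid=AA:BB:CC:00:00:01
1000.10 assoc_resp src=AA:BB:CC:00:00:01 bssid=AA:BB:CC:00:00:01
1005.00 assoc_req  src=00:11:22:33:44:66 bssid=AA:BB:CC:00:00:01
1005.02 assoc_req  src=00:11:22:33:44:66 bssid=AA:BB:CC:00:00:01
1005.04 assoc_req  src=00:11:22:33:44:66 bssid=AA:BB:CC:00:00:01
1005.06 assoc_req  src=00:11:22:33:44:66 bssid=AA:BB:CC:00:00:01
1005.08 assoc_req  src=00:11:22:33:44:66 bssid=AA:BB:CC:00:00:01
1020.00 assoc_req  src=00:11:22:33:44:55 bssid=AA:BB:CC:00:00:02
"""

# Constructed MAC filter list (the "authorized MACs" of the paper).
ALLOWED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:77"}


def normalize_mac(mac):
    """Canonical lower-case colon form so list entries and log entries compare."""
    return mac.strip().lower().replace("-", ":")


def parse_line(line):
    """Return an event dict, or None for a blank or malformed line."""
    parts = line.split()
    if (len(parts) != 4 or not parts[2].startswith("src=")
            or not parts[3].startswith("bssid=")):
        return None
    return {
        "ts": float(parts[0]),
        "type": parts[1],
        "src": normalize_mac(parts[2][4:]),
        "bssid": normalize_mac(parts[3][6:]),
    }


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def is_allowed(mac, allowed=ALLOWED_MACS):
    """The MAC filter decision an AP would make for a connecting client."""
    return normalize_mac(mac) in {normalize_mac(m) for m in allowed}


def find_filter_violations(events, allowed=ALLOWED_MACS):
    """Association requests from MACs that are not on the filter list."""
    return [(ev["ts"], ev["src"]) for ev in events
            if ev["type"] == "assoc_req" and not is_allowed(ev["src"], allowed)]


def find_assoc_floods(events, threshold=5, window=1.0):
    """Sources sending >= threshold association requests inside `window` seconds.
    Returns {src: peak count}; a burst like this is the visible footprint of
    the active attack the paper says can only be spotted with monitoring."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in events:
        if ev["type"] != "assoc_req":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["src"]] = max(flagged.get(ev["src"], 0), len(q))
    return flagged


def find_multi_ap_associations(events, window=60.0):
    """A MAC associating with two different BSSIDs within `window` seconds.
    Heuristic spoofing indicator only: a genuinely roaming client also
    triggers it, so treat hits as leads to investigate, not verdicts."""
    seen = defaultdict(list)
    flagged = defaultdict(set)
    for ev in events:
        if ev["type"] != "assoc_req":
            continue
        for ts, bssid in seen[ev["src"]]:
            if bssid != ev["bssid"] and ev["ts"] - ts <= window:
                flagged[ev["src"]].update({bssid, ev["bssid"]})
        seen[ev["src"]].append((ev["ts"], ev["bssid"]))
    return dict(flagged)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("filter violations:", find_filter_violations(events))
    print("assoc floods:", find_assoc_floods(events))
    print("multi-AP associations:", find_multi_ap_associations(events))
```

On the constructed log the script reports five filter violations from the unlisted client, one association flood from that same client, and one authorized MAC seen on two BSSIDs within the window. The thresholds are deliberately conservative starting points; in practice they should be tuned against a baseline of the site’s normal association rate and roaming behaviour so that the spoofing heuristic does not drown in roaming noise.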
The third step is to change the WEP keys on a regular basis. This minimizes the amount of time that a hacker can access the system if they are able to gain access. The problem with this step is that the configuration of each AP and client must be changed whenever the key is changed. Although this can cause significant effort and frustration on the part of both the support personnel and the users, it will provide additional protection.
The fourth step is to use IP-based security precautions. These require the introduction of additional software on both the client and the server. This can take the form of VPNs or RADIUS/Kerberos authentication on both ends of the connection. This step does not keep the hacker from accessing the network; it merely controls access to the data stored on your system.

The fifth and final step is the use of proprietary solutions. A number of the wireless vendors have proprietary APs and clients that include additional security features. This approach can minimize the ability of the hacker to gain access to your WLAN. The downside is that you are committed to the use of hardware from only the single vendor, since the solutions will not be interoperable with the hardware from other vendors.