Security issues in wireless networks, described in a number of articles, have provoked distrust in wireless technologies. How justified is this distrust?

Why are wireless networks considered more vulnerable than cable networks? In wired networks, data can only be intercepted if an attacker gains physical access to the transmission medium. In wireless networks, the signal travels over the airwaves, so anyone within range of the network can intercept the signal.

The attacker does not even have to be on the company’s premises; it is enough to get into the radio signal propagation zone.

Threats to wireless networks

When preparing to secure your wireless networks, you first need to understand what might threaten them.

Passive attack

Intercepting wireless network signals is similar to listening to radio transmissions. All you need is a laptop (or PDA) and a wireless protocol analyzer. There is a widespread misconception that unauthorized connections to a wireless network from outside the office can be prevented by limiting the output signal power. This is not true, since an attacker with a high-sensitivity wireless card and a directional antenna can easily overcome this measure.

Even after reducing the likelihood of an unauthorized connection to the network, the possibility of “listening” to traffic should not be ignored; therefore, to operate securely on wireless networks, the transmitted information must be encrypted.

Active attack

It is dangerous to connect an unsecured wireless network to a cable network. An unsecured access point connected to the local network presents a wide open door for intruders. For businesses, this risks allowing competitors to gain access to confidential documents. Unsecured wireless networks allow hackers to bypass the firewalls and security settings that protect the network from Internet attacks. On home networks, attackers can obtain free Internet access at their neighbors’ expense.

Access points connected to the network without authorization must be detected and identified. Such points are usually set up by the enterprise’s own employees. (For example, a sales manager buys a wireless access point and uses it to stay connected all the time.) Such a point could also be deliberately connected to the network by an attacker in order to reach the company’s network from outside the office.

It should be remembered that both computers connected to a wireless network and those that merely have a wireless card with default settings are at risk (default settings usually do not block penetration through the wireless interface). For example, while a user waiting for his flight browses Internet resources through the airport’s Wi-Fi network, a hacker sitting nearby is studying the information stored on the mobile employee’s computer. Users working via wireless networks in cafes, exhibition centers, hotel lobbies, etc. may be subject to similar attacks.

Search for available wireless networks

To actively search for vulnerable wireless networks (war driving), one usually uses a car and a set of wireless equipment: a small antenna, a wireless network card, a laptop and, possibly, a GPS receiver. Using widely available scanner programs such as Netstumbler, you can easily find the coverage areas of wireless networks.

War driving enthusiasts have many ways to share information. One of them (war chalking) involves drawing symbols on diagrams and maps indicating detected wireless networks. These symbols convey the strength of the radio signal, the presence of one or another type of network protection, and whether Internet access is available. Fans of this “sport” exchange information through Internet sites, posting, in particular, detailed maps with the locations of detected networks. By the way, it is worth checking whether your address is there.

Denial of service

Free access to the Internet or a corporate network is not always the attacker’s goal. Sometimes the goal is to disable a wireless network.

A denial of service attack can be carried out in several ways. If a hacker manages to connect to the wireless network, his actions can have a number of serious consequences, such as sending forged responses to Address Resolution Protocol (ARP) requests to alter the ARP tables of network devices and disrupt routing, or introducing an unauthorized Dynamic Host Configuration Protocol (DHCP) server that issues unusable addresses and network masks. If the hacker learns the details of the wireless network settings, he can reconnect users to his own access point (see figure), cutting them off from the network resources that were reachable through the “legitimate” access point.

Introducing an unauthorized access point.

An attacker can also jam the frequencies used by wireless networks with a signal generator (one can be built from microwave oven parts). As a result, the entire wireless network or part of it will fail.

Security Considerations in IEEE 802.11 Standards

The original 802.11 standard provides for the security of wireless networks using the Wired Equivalent Privacy (WEP) standard. Wireless networks that use WEP require a static WEP key to be configured on the access points and all stations. This key can be used for both authentication and data encryption. If it is compromised (for example, if a laptop is lost), the key must be changed on all devices, which is sometimes very difficult. When WEP keys are used for authentication, a wireless station sends an authentication request to the access point and receives a clear-text challenge in response. The client must encrypt it with its own WEP key and return it to the access point, which decrypts the message with its own WEP key. If the decrypted message matches the original, the client knows the WEP key; the authentication is considered successful and a corresponding notification is sent to the client.

After successfully completing authentication and association, the wireless device can use the WEP key to encrypt traffic between the device and the access point.

The 802.11 standard defines other access control mechanisms. The access point can use hardware address filtering (Media Access Control, MAC), granting or denying access based on the client’s MAC address. This makes connecting unauthorized devices harder but does not prevent it.

How secure is WEP?

One of the rules of cryptography is that, given a plaintext and its encrypted version, you can determine the encryption used. This is especially true of weak encryption algorithms and symmetric keys such as those used in WEP.

This protocol uses the RC4 algorithm for encryption. Its weakness is that if you encrypt a known plaintext, XORing the output with that plaintext yields the key stream that was used to encrypt the data. According to the 802.11 standard, the key stream is generated from the WEP key and a 24-bit initialization vector. A new vector is used for each packet and is sent in clear text along with the packet, so that the receiving station can combine it with the WEP key to decrypt the packet.

Once you have one key stream, you can decrypt any packet encrypted with the same vector. Since the vector changes for each packet, decryption requires waiting for the next packet that uses the same vector. To decrypt WEP in general, a complete set of vectors and key streams must be assembled. WEP cracking tools work this way.

Plaintext and its encrypted form can be obtained during the client authentication process. By intercepting traffic over a period of time, the amount of initial data required for an attack can be collected. To accumulate the data needed for analysis, hackers use many other methods as well, including man-in-the-middle attacks.

When deciding on the frame format for wireless networks, IEEE proposed its own format called Subnetwork Access Protocol (SNAP).

The two bytes following the MAC header in an 802.11 SNAP frame are always “AA AA”. WEP encrypts all bytes following the MAC header, so the plaintext of the first two encrypted bytes is always known (“AA AA”). This gives an attacker matching fragments of the encrypted and clear message.

Utilities for cracking WEP are distributed free of charge on the Internet. The best known are AirSnort and WEPCrack. To crack a WEP key with them, it is enough to collect from 100 thousand to 1 million packets. The newer utilities Aircrack and Weplab implement a more efficient algorithm that requires significantly fewer packets. For this reason, WEP is unreliable.
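To make the two weaknesses above concrete (the shared-key challenge exchange described in the 802.11 section and the known SNAP bytes), here is an added example in Python; it is not code from the article or from any tool it names, and it models WEP with a plain RC4 implementation over a constructed key, IV, challenge and frame.

```python
# Added example (not from the article or any tool it names): a toy model of
# WEP built on a plain RC4 implementation. It shows two things the text
# describes: the shared-key authentication handshake hands an eavesdropper a
# (plaintext challenge, ciphertext) pair and thus a key stream for one IV,
# and the constant SNAP bytes "AA AA" give known plaintext in every frame.
# The key, IV, challenge and frame contents below are all constructed.
from __future__ import annotations


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then `length` bytes of key stream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, body: bytes) -> bytes:
    """WEP seeds RC4 with IV || shared key and sends the IV in the clear.
    Returns IV || ciphertext (the CRC-32 ICV is left out of this model)."""
    assert len(iv) == 3, "802.11 WEP uses a 24-bit IV"
    return iv + xor(body, rc4(iv + wep_key, len(body)))


SNAP_HEADER = b"\xaa\xaa"  # first two body bytes of an 802.11 SNAP frame


def keystream_from_known_plaintext(frame: bytes, known: bytes) -> tuple[bytes, bytes]:
    """Eavesdropper's step: ciphertext XOR known plaintext = key stream for
    this IV, for as many bytes as plaintext is known."""
    iv, ciphertext = frame[:3], frame[3:]
    return iv, xor(ciphertext, known)


def shared_key_auth_leak(wep_key: bytes, iv: bytes, challenge: bytes) -> tuple[bytes, bytes]:
    """Models the 802.11 shared-key handshake: the access point sends
    `challenge` in clear text and the station returns it WEP-encrypted.
    Anyone listening learns len(challenge) key-stream bytes for `iv`."""
    response = wep_encrypt(wep_key, iv, challenge)
    return keystream_from_known_plaintext(response, challenge)


def decrypt_if_iv_reused(frame: bytes, leaked: tuple[bytes, bytes]) -> bytes | None:
    """Decrypt a later frame with a recovered key stream, but only when the
    frame reuses the same IV; for any other IV the stream does not apply."""
    iv, keystream = leaked
    if frame[:3] != iv:
        return None
    return xor(frame[3:], keystream)


def demo() -> tuple[bytes | None, bool]:
    wep_key = bytes.fromhex("0123456789")   # constructed 40-bit WEP key
    iv = b"\x01\x02\x03"                     # constructed IV
    challenge = bytes(range(128))            # constructed 128-byte challenge
    leaked = shared_key_auth_leak(wep_key, iv, challenge)

    # A later data frame reuses the IV (the 24-bit IV space wraps quickly).
    secret = SNAP_HEADER + b"\x03\x00\x00\x08\x00" + b"GET /payroll.csv"
    frame = wep_encrypt(wep_key, iv, secret)
    recovered = decrypt_if_iv_reused(frame, leaked)

    # Even without the handshake, the SNAP bytes alone give two key-stream
    # bytes from every frame; they agree with the handshake-derived stream.
    _, two_bytes = keystream_from_known_plaintext(frame, SNAP_HEADER)
    return recovered, two_bytes == leaked[1][:2]


if __name__ == "__main__":
    plaintext, consistent = demo()
    print(plaintext, consistent)
```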

Wireless technologies are becoming safer

Today, many companies use convenient and secure wireless networks. The 802.11i standard took security to a whole new level. The IEEE 802.11i Working Group, tasked with creating a new wireless security standard, was formed after the vulnerabilities of the WEP protocol were studied. Development took some time, so most equipment manufacturers, without waiting for the new standard, began to offer their own methods (see. ). The new standard appeared in 2004; however, equipment suppliers, by inertia, continue to use the old solutions.

802.11i specifies the use of the Advanced Encryption Standard (AES) instead of WEP. AES is based on the Rijndael algorithm, which most cryptanalysts recognize as strong. It is a significant improvement over its weak predecessor RC4, used in WEP: it uses keys of 128, 192 and 256 bits instead of the 64 bits used in the original 802.11 standard. The new 802.11i standard also defines the use of TKIP, CCMP and 802.1x/EAP.

EAP-MD5 verifies the user’s identity by checking a password. Whether to encrypt traffic is left to the network administrator. The weakness of EAP-MD5 is that it does not require encryption, so it allows a man-in-the-middle attack.

The Lightweight EAP (LEAP) protocol, created by Cisco, provides not only data encryption but also key rotation. LEAP does not require the client to hold keys in advance, because they are sent securely after the user has been authenticated. It lets users connect to the network easily with an account name and password.

Early LEAP implementations provided only one-way user authentication. Cisco later added mutual authentication. However, LEAP was found to be vulnerable to dictionary attacks. Joshua Wright of the SANS Institute developed the ASLEAP utility, which carries out such an attack, after which Cisco recommended strong passwords of at least eight characters, including special characters, uppercase and lowercase letters, and digits. LEAP is secure only to the extent that the password resists guessing.

A stronger EAP implementation, EAP-TLS, which uses digital certificates pre-installed on the client and server, was developed by Microsoft. This method provides mutual authentication, does not rely solely on the user’s password, and supports rotation and dynamic distribution of keys. The disadvantage of EAP-TLS is that it requires installing a certificate on each client, which can be time-consuming and expensive. It is also impractical in a network where employees change frequently.

Wireless network manufacturers promote solutions that simplify connecting authorized users to wireless networks. This is entirely feasible if you enable LEAP and distribute usernames and passwords. But if a digital certificate must be installed or a long WEP key entered, the process can become tedious.

Microsoft, Cisco and RSA jointly developed a new protocol, PEAP, which combines the simplicity of LEAP with the security of EAP-TLS. PEAP uses a certificate installed on the server and password authentication for clients. A similar solution, EAP-TTLS, was released by Funk Software.

Different manufacturers support different EAP types, and some support several at once. The EAP process is similar for all types.

Typical EAP Operations

What is WPA

After wireless networks were declared insecure, manufacturers began implementing their own security solutions. This left companies with a choice: use a single-vendor solution or wait for the 802.11i standard to be released. The standard’s adoption date was unknown, so the Wi-Fi Alliance was formed in 1999. Its goal was to make wireless network products interoperable.

The Wi-Fi Alliance approved the Wi-Fi Protected Access (WPA) protocol as a temporary solution until the 802.11i standard was released. WPA uses the TKIP and 802.1x/EAP standards. Any Wi-Fi equipment certified as WPA compliant must interoperate with other certified equipment. Vendors may use their own security mechanisms but must always include support for the Wi-Fi standards.

After the initial announcement of the 802.11i parameters, the Wi-Fi Alliance created the WPA2 standard. Any WPA2-certified equipment is fully compatible with 802.11i. If your enterprise wireless network does not yet support 802.11i, you should migrate to it as soon as possible to ensure adequate security.

What is MAC Address Filtering?

If WEP is not secure, can hardware (Media Access Control, MAC) address filtering protect the wireless network? Alas, MAC address filters are designed only to prevent unauthorized connections; they are powerless against traffic interception.

MAC address filtering has no noticeable effect on the security of wireless networks. It requires only one additional action from the attacker: finding out an allowed MAC address. (By the way, most network card drivers allow you to change it.)

How easy is it to find out an allowed MAC address? It is enough to monitor wireless traffic for a while with a protocol analyzer to collect working MAC addresses. They can be intercepted even when traffic is encrypted, because the packet header containing the address is sent in the clear.

TKIP protocol

The Temporal Key Integrity Protocol (TKIP) was designed to overcome the shortcomings of the WEP protocol. The TKIP standard improves WEP security through key rotation, longer initialization vectors, and data integrity checks.

WEP cracking programs exploit the weakness of static keys: after intercepting the required number of packets, they can easily decrypt the traffic. Regularly changing the keys defeats this type of attack. TKIP changes keys dynamically every 10 thousand packets. Later implementations of the protocol allow the key rotation interval to be changed and even let the encryption key change for every data packet (Per-Packet Keying, PPK).

The encryption key used in TKIP is more secure than WEP keys. It consists of a 128-bit dynamic key to which the station’s MAC address and a 48-bit initialization vector (twice the length of the original 802.11 vector) are added. This method, known as “key mixing”, ensures that no two stations use the same key.

The protocol also has a built-in method for ensuring data integrity (Message Integrity Check, MIC, also called Michael).

SECURITY ISSUES IN WIRELESS NETWORKS.
METHODS AND WAYS FOR PROTECTING WI-FI NETWORKS.
REALITIES AND PROSPECTS.

Andrushka Igor, Design Engineer, Department of Applied Systems Development, Center for Applied System Research on the Development of the Information Society, State Enterprise "Registru"

Introduction

Over the past few years, wireless networks have become widespread throughout the world. Whereas earlier they were used mainly in offices and hot spots, now they are widely used both at home and for deploying mobile offices (on business trips): wireless access points and wireless routers at home, and pocket wireless routers for mobile users. However, when deciding to switch to a wireless network, do not forget that at the current stage of their development they have one weak point: the security of wireless networks.

General description of the problem

Wireless network security has two aspects: protection from unauthorized access and encryption of transmitted information. Let us note right away that neither can be solved today with a 100% guarantee, but it is possible and necessary to protect yourself from all kinds of “amateurs”. After all, wireless equipment and software contain certain security measures by default; all that remains is to use and configure them correctly. But before evaluating these measures, we present several facts confirming the seriousness of the problem.
A survey of chief managers of IT companies conducted by Defcom paints an interesting picture. About 90% of respondents are confident in the future of wireless networks but are postponing adoption indefinitely because of the weak security of such networks at the present stage. In their opinion, parity in security between wired and wireless networks will come only in 3-5 years. And more than 60% say that insufficient security seriously hampers the development of this area: there is no trust, and accordingly many do not risk abandoning time-tested wired solutions.
So, let us move directly to the methods and means of ensuring the security of wireless connections.
Every wireless network has at least two key components: a base station and an access point. Wireless networks can operate in two modes: ad-hoc (peer-to-peer) and infrastructure. In the first case, network cards communicate directly with each other; in the second, they communicate through access points that serve as Ethernet bridges.
The client and the access point must establish a connection before transmitting data. It is not difficult to guess that there can be only three states between the point and the client:

- “authentication failed and the point is not identified”;
- “authentication passed, but the point is not identified”;
- “authentication accepted and point connected.”

It is clear that data exchange can take place only in the third state. Before establishing a connection, the parties exchange control packets: the “access point” transmits identification signals at a fixed interval; the “client”, having received such a packet, begins authentication by sending an identification frame; after authorization, the “client” sends a join packet, and the “point” replies with a join confirmation packet that admits the wireless “client” to the network.

Protection Mechanisms

The fundamental standard for building this type of network is the 802.11 standard. This wireless network standard provides several mechanisms to ensure network security. Among them, the most used are the following:
- Wired Equivalent Privacy, or WEP, developed by the authors of the 802.11 standard. The main function of WEP is to encrypt data during radio transmission and prevent unauthorized access to the wireless network. By default, WEP is disabled, but it is easy to enable, after which it encrypts every outgoing packet. WEP uses the RC4 algorithm for encryption.
- WEP 2, introduced in 2001 after many holes were discovered in the first version, has an improved encryption mechanism and support for Kerberos V.
- Open System Authentication, the default authentication system used in the 802.11 protocol. Actually, there is no system as such: anyone who requests is authenticated. In the case of OSA even WEP does not help, because experiments have shown that the authentication packet is sent unencrypted.
- Access Control List, not described in the protocol but used by many as an addition to the standard methods. The basis of this method is the client’s Ethernet MAC address, unique for each card. The access point limits access to the network according to its list of MAC addresses: if a client is in the list, access is allowed; if not, it is denied.
- Closed Network Access Control, which is not much more complicated: either the administrator allows any user to join the network, or only those who know its name and SSID can enter. The network name in this case serves as a secret key.

Types of attacks on Wi-Fi networks

- Access Point Spoofing & MAC Sniffing: an access list is quite usable in conjunction with correct identification of the users in that list. In the case of MAC addresses, the Access Control List is very easy to overcome, because such an address is very easy to change (wireless network cards allow the MAC address to be changed programmatically) and even easier to intercept, since even with WEP it is transmitted in clear text. Thus it is easy to penetrate a network protected by an Access Control List and use all its advantages and resources.
If the intruder has his own access point on hand, there is another option: installing an access point next to the existing network. If the hacker’s signal is stronger than the original, the client connects to the hacker rather than to the network, handing over not only its MAC address but also the password and other data.
- WEP Attacks: the plaintext data is run through an integrity check that produces a checksum (integrity check value, ICV); the 802.11 protocol uses CRC-32 for this. The ICV is appended to the end of the data. A 24-bit initialization vector (IV) is generated and “joined” to the secret key. The resulting value seeds a pseudorandom number generator, which produces a key sequence. The data is XORed with this key sequence. The initialization vector is added to the end and the whole thing is broadcast.
- Plaintext attack: in this attack, the attacker knows the original message and has a copy of the encrypted response. The missing link is the key. To obtain it, the attacker sends a small piece of data to the “target” and receives the response. Having received it, the hacker finds the 24-bit initialization vector used to generate the key; finding the key is then just a brute-force task.
Another option is a plain XOR. If the hacker has the sent plaintext and its encrypted version, he simply XORs the two and obtains the key stream, which, together with the vector, makes it possible to “inject” packets into the network without authenticating to the access point.
- Reuse cipher: the attacker extracts the key sequence from a packet. Since the WEP encryption algorithm allocates quite a bit of space per vector, an attacker can intercept key streams for different IVs and build up a collection of them. The hacker can then decrypt messages with the same XOR: when encrypted data flows over the network under a previously collected key stream, it can be decrypted.
- Fluhrer-Mantin-Shamir attack: a hacker can exploit the vulnerabilities using specialized software and obtain both a 24-bit WEP key and a 128-bit WEP 2 key.
- Low-Hanging Fruit: this type of attack is designed to extract unprotected resources from unprotected networks. Most wireless networks are completely unsecured: they require no authorization and do not even use WEP, so a person with a wireless network card and a scanner can easily connect to an access point and use all the resources it provides. Hence the name: low-hanging fruit that is easy to pick.
How to protect networks? The main ways include the following:
1. MAC address filtering: the administrator compiles a list of the MAC addresses of client network cards. With several APs, the client’s MAC address must be present on all of them so that the client can roam between them smoothly. However, this method is very easy to defeat, so it is not recommended on its own.
2. SSID (network ID): use of a network identifier. When a client tries to connect to the AP, a seven-digit alphanumeric code is sent to it; by using the SSID tag, you can be sure that only clients who know it can connect to the network.
3. Firewall: network access must go through IPSec, Secure Shell or a VPN, and the firewall must be configured to work specifically with these connections.
4. Access point: the access point must be configured to filter MAC addresses; in addition, the device itself must be physically isolated from others. It is also recommended to configure the point only via telnet, disabling configuration via browser or SNMP.

Attack of a client device on Wi-Fi networks

Although methods of protecting wireless networks exist, administrators of such networks must still take preventive measures. It should be noted right away that hacking such networks “head-on” is practically impossible, unless one counts a denial of service (DoS) attack at the first and second layers of the OSI model as hacking. However, there are still some types of attacks that wireless networks can be susceptible to. The most dangerous of these “bypass attacks” are attacks against unassociated client hosts.
The general idea is this:
1. An unassociated client device is located, or the network is flooded with disassociation or deauthentication frames to produce one.
2. An access point is emulated specifically to attract this host.
3. An IP address is issued via DHCP, along with the addresses of a fake gateway and DNS server.
4. The device is attacked.
5. If necessary, and if remote access to the device was obtained, the host is “released” back to its “native” network, with a “Trojan” launched on it first.
Starting next year, all manufactured laptops and notebooks will have built-in Wi-Fi support. Even now, many client devices already have built-in wireless support that is enabled and constantly searching for networks to associate with, often without the owner’s knowledge. Most system administrators ignore this fact. IT security professionals often look exclusively for unauthorized access points and ad-hoc networks, without paying enough attention to Probe Request frames from “lost” clients.
At first glance, “catching” such clients does not seem particularly difficult. But a person engaged in this kind of activity needs certain information. We will try to explain what that information is.
First, he needs to know by what algorithm client devices automatically search for networks to connect to. Will they associate with any detected 802.11 network with a strong enough signal? What if there are several such networks? What will the choice be based on? What about networks with a “private” ESSID and networks secured with WEP or WPA? The answers depend on the client host’s operating system, its wireless hardware, its drivers and the user’s settings. Let us consider one of the most widely used operating systems of the Windows family today.
To establish a wireless connection, Windows XP and Windows Server 2003 use the Wireless Self-Configuration Algorithm (WSA). This algorithm operates with two lists of 802.11 networks: the list of available networks (ALN) and the list of preferred networks (LPN). The ALN lists the networks that responded to broadcast Probe Request frames during the last active scan. The LPN lists networks to which a full connection was established in the past; the networks most recently associated with appear first. The network description in both lists contains its ESSID, channel and encryption method: “plain text”, WEP or WPA. The WSA uses these lists as follows:
1. The client device composes the ALN by sending broadcast Probe Request frames with an empty ESSID field, one on each of the 802.11 channels in use, and processing the responses in parallel.
2. If networks listed in the LPN are detected, association is attempted with them in the order of their position in that list; that is, the client device associates with the topmost LPN network that is present in the ALN.
3. If no such networks are detected, or association with them failed because of differences in 802.11 standards or authentication problems, the WSA “goes to the second round”, sending Probe Request frames specifically to search for the networks listed in the LPN. In practice this means the frames are sent on the channels of the LPN networks and contain their ESSIDs. The sending of these frames is completely independent of the ALN’s contents. The point of the WSA’s “second round” is to find networks with a “closed” ESSID.
4. If no suitable infrastructure network is found, the next stage is to look for ad-hoc networks by comparing the ad-hoc networks of the ALN and the LPN.
5. If the LPN contains at least one ad-hoc network that is not found in the ALN, the WSA puts the client device into ad-hoc mode and assigns the wireless interface an IP address from the 169.254.0.0/16 range (RFC 3330). The host thus becomes the first node of a potential new ad-hoc network, and the algorithm ends.
6. If there are no ad-hoc networks in the LPN, the WSA checks the “Connect To Nonpreferred Networks” flag. If the flag is set, the client device tries to associate with each ALN network in list order. By default this flag is zero.
7. If the flag is not enabled by the user, the wireless card is “parked” as a client with a pseudo-random 32-character ESSID. It stays in this state for 60 seconds, after which the network search restarts.
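An added example (not from the article) that simulates the seven steps above in Python and audits a constructed preferred list for the entries the text goes on to call weak; the Network type, the sample list and the split between broadcast and directed probe responders are this example's assumptions.

```python
# Added example (not from the article): a simulation of the seven-step
# Windows XP Wireless Self-Configuration Algorithm as described above, plus
# a defender's audit of a preferred-network list (LPN). The Network type,
# the list contents and the way probe responders are represented are this
# example's own assumptions, not Windows internals.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    essid: str
    channel: int
    security: str        # "open", "WEP" or "WPA"
    adhoc: bool = False


def _matches(pref: Network, seen: Network) -> bool:
    """Association succeeds only when ESSID, mode and encryption agree;
    a mismatch models the 'authentication problems' of step 3."""
    return (pref.essid == seen.essid and pref.adhoc == seen.adhoc
            and pref.security == seen.security)


def wsa_select(lpn: list[Network], broadcast_responders: list[Network],
               directed_responders: list[Network],
               connect_nonpreferred: bool = False) -> tuple[str, Network | None]:
    """Returns (outcome, network):
      ("infrastructure", n)  associated via step 2 (ALN) or step 3 (directed probes)
      ("adhoc-join", n)      joined an ad-hoc LPN network found in the ALN (step 4)
      ("adhoc-create", n)    became first node of an absent ad-hoc LPN network (step 5)
      ("nonpreferred", n)    associated with any ALN network (step 6)
      ("parked", None)       card parked with a pseudo-random ESSID (step 7)
    """
    aln = list(broadcast_responders)                      # step 1
    infra = [p for p in lpn if not p.adhoc]
    for pref in infra:                                    # step 2
        for seen in aln:
            if _matches(pref, seen):
                return "infrastructure", seen
    for pref in infra:                                    # step 3, ALN ignored
        for seen in directed_responders:
            if _matches(pref, seen):
                return "infrastructure", seen
    adhoc_prefs = [p for p in lpn if p.adhoc]
    for pref in adhoc_prefs:                              # step 4
        for seen in aln:
            if _matches(pref, seen):
                return "adhoc-join", seen
    if adhoc_prefs:                                       # step 5
        return "adhoc-create", adhoc_prefs[0]
    if connect_nonpreferred and aln:                      # step 6
        return "nonpreferred", aln[0]
    return "parked", None                                 # step 7


def audit_lpn(lpn: list[Network]) -> dict[str, list[str]]:
    """Defender's check: which LPN entries an impostor could satisfy.
    An open infrastructure entry can be impersonated with nothing but its
    ESSID; any ad-hoc entry makes the host create an ad-hoc node by itself."""
    return {
        "open_infrastructure": [n.essid for n in lpn if not n.adhoc and n.security == "open"],
        "adhoc": [n.essid for n in lpn if n.adhoc],
    }


def demo() -> dict:
    # Constructed preferred list of a corporate laptop taken on a trip.
    lpn = [
        Network("corp-wlan", 6, "WPA"),
        Network("airport-free", 11, "open"),
        Network("demo-adhoc", 1, "WEP", adhoc=True),
    ]
    nobody: list[Network] = []     # nothing answers broadcast probes away from the office
    # An impostor that only copies the first (WPA) ESSID fails step 3; the
    # host then falls through to step 5 and builds an ad-hoc node by itself.
    impostor_wpa_name = [Network("corp-wlan", 6, "open")]
    # An impostor that copies the open hotspot entry is accepted at step 3.
    impostor_hotspot = [Network("airport-free", 11, "open")]
    return {
        "risky_entries": audit_lpn(lpn),
        "impostor_copies_wpa_essid": wsa_select(lpn, nobody, impostor_wpa_name),
        "impostor_copies_open_essid": wsa_select(lpn, nobody, impostor_hotspot),
        "hardened_list": wsa_select([Network("corp-wlan", 6, "WPA")], nobody, impostor_wpa_name),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The hardened list (only protected infrastructure entries) ends in the parked state, which the text discusses next as a separate weakness.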
Hackers’ attacks are basically aimed at the WSA algorithm itself. Let us look at the obvious weaknesses of this algorithm. First, during the “second round” of the WSA (point 3), the client device effectively reveals the contents of the LPN. Imagine such a host out of reach of its “native” network: for example, an employee takes a corporate laptop home or on a business trip (and uses it at the airport, on the plane, in the hotel, and so on). For an attacker who discovers such a laptop, it is not difficult to determine the first network in the LPN from the ESSID in the Probe Request frames the device sends, and to set exactly that ESSID on his access point. The same applies to the search for ad-hoc LPN networks. If the first LPN network is protected and requires a WEP or WPA key to connect, the attacker goes further down the list looking for an open network, including ad-hoc WLANs. The probability of finding one is quite high: for example, most Wi-Fi hotspots protect wireless data at higher levels of the OSI model, usually the seventh. Connecting to such a network leaves a description of an “unprotected” (at layer 2) network in the LPN, which an attacker can easily use.
This leads to the second weakness. If no such ad-hoc network is nearby (an extremely likely scenario, given that ad-hoc connections are usually made for short periods and often with a new ESSID each time), the Windows client settles permanently into ad-hoc mode, waiting for other clients (point 5). An attacker can easily become such a client, take one of the RFC 3330 addresses, and then use broadcast pings or ARP requests to discover the victim’s IP address and carry out further attacks. Moreover, such a connection requires no interaction from the user; it is fully automatic.
Finally, if the LPN contains neither unprotected nor ad-hoc networks and the “Connect to Non-Preferred Networks” flag is off, the algorithm ends by putting the client card into “standby mode”, sending Probe Request frames with a long pseudo-random ESSID (point 7). The problem is that these “mysterious” ESSID values are perfectly “working”. That is, it is enough to set up an access point with such an ESSID nearby and the “client” will happily “peck” at it, obtain an IP address via DHCP and become subject to further attacks. It should be said that this problem has already been eliminated in Longhorn, but a full transition to that operating system is still far off. And now the most important thing: since a network with a long pseudo-random ESSID is not in the LPN, connecting to it not only requires no interaction from the attacked user, but is not even shown as existing by the Windows XP wireless connection indicator. That indicator will report that the device is not associated with any Wi-Fi network, and only the Windows network connections control panel will show the presence of a connection and the assigned IP address. It should be mentioned that the latest driver versions for 802.11a/b/g cards with the Atheros chipset, although they send Probe Request frames with pseudo-random ESSIDs, do not support automatic connection to access points configured with such ESSID values.
What can an attacker do if, as just mentioned, automatic association using pseudo-random ESSIDs is impossible and the LPN contains no networks unprotected at layer 2? If the networks the attacked device connected to are protected with a non-dictionary WPA-PSK or with WPA-802.1x using EAP-TLS, then at the moment there is no prospect of a successful hack. If at least one such network was protected with WPA-802.1x using EAP-TTLS or EAP-PEAP, then attacks on these protocols are possible according to the algorithms described by the Shmoo Group in “The Radical Realm of Radius, 802.1x, and You”.
Speaking of outdated security mechanisms for 802.11 networks, it is impossible not to mention the well-worn WEP. Attacks against it can also be used against individual client devices whose networks are “protected” with WEP. If all ad-hoc networks in the LPN have WEP in their settings, then the arbitrary ad-hoc configuration with an RFC 3330 address described in point 5 above will also use WEP. The problem is that such an ad-hoc node will not “keep silent”: just recall the NetBIOS HELLO packets sent every 2 seconds. Accordingly, this traffic can be used to crack the WEP key by various methods, from simple dictionary brute force with WepAttack to accelerated cracking by packet injection with Christopher Devine’s aireplay (a modified fake authentication attack or interactive packet reinjection, which can force a lone ad-hoc client to send an encrypted ARP packet for subsequent ARP reinjection).
An even more interesting example is clients with a pseudo-random ESSID (point 7) and WEP, which “appear” when all the networks listed in the LPN are secured. The very fact that WEP is still used even though this list contains WPA-protected networks is already a vulnerability. Moreover, since the settings of such a network are not defined anywhere and “self-configure” without user intervention, an attacking access point can impose on such clients the insecure 802.11 shared-key authentication method using a distributed WEP key. By imposing this method, the cracker can send a challenge string with known text to the client device and receive it back, XORed with part of the RC4 stream. Thus, by XORing what was received with the original text, the attacker learns 144 bytes of the RC4 stream for a given initialization vector (IV). This attack has many possible uses. In particular:
- you can send more and more challenge requests until the RC4 cipher stream is opened for all initialization vectors of the 24-bit WEP IV space
- you can attack the received response by brute force in the dictionary using WepAttack and similar utilities
- you can use the known 144 bytes of flow to reinject packets to the client device using Anton Rager's WepWedgie. A successful reinjection will force the attacked host to send an encrypted ARP packet, which is easy to intercept and use with aireplay.
In any of the above cases, a single client device requiring a WEP-protected connection can hardly be called invulnerable.

Conclusion

The security of wireless networks should be given special attention. After all, a wireless network has a long range, so an attacker can intercept information or attack the network from a safe distance. Fortunately, there are now many different means of protection and, if they are configured correctly, you can be confident that the required level of security will be provided.
In conclusion, I would like to note that the author of the article does not encourage readers to "actively take action" and attack the wireless resources of various companies. The purpose of this article was different, namely, to help the system administrators of IT companies secure company resources as reliably as possible against any type of unauthorized access and intrusion.


Wireless network security analysis.

At the moment, most firms and enterprises are paying more and more attention to the use of Wi-Fi networks. This is due to the convenience, mobility and relative cheapness of connecting individual offices and the ability to move them within the range of the equipment. Wi-Fi networks use complex mathematical algorithms for authentication, data encryption and integrity control of transmitted data, which allows one to be relatively confident about data safety when using this technology.

However, this security is relative if you do not pay due attention to setting up your wireless network. There is already a list of "standard" capabilities that a hacker gains when the administrator is negligent in setting up a wireless network:

Access to local network resources;

Eavesdropping on and stealing traffic (meaning Internet traffic directly);

Distortion of information passing through the network;

Introducing a fake access point;

A little theory.

1997 – the first IEEE 802.11 standard was published. Network access protection options:

1. A simple SSID (Service Set Identifier) password was used to access the local network. This option does not provide the required level of protection, especially at the current level of technology.

2. Using WEP (Wired Equivalent Privacy), that is, encrypting data streams with digital keys. The keys themselves are just ordinary passwords 5 to 13 ASCII characters long, which corresponds to 40- or 104-bit encryption at the static level.

2001 - introduction of the new IEEE 802.1X standard. This standard uses dynamic 128-bit encryption keys, that is, keys that change periodically over time. The basic idea is that a network user works in sessions, at the end of each of which they are sent a new key; the session length depends on the OS (in Windows XP, by default, one session lasts 30 minutes).

Currently there are 802.11 standards:

802.11 - The original base standard. Supports data transmission over the radio channel at speeds of 1 and 2 Mbit/s.

802.11a - High-speed WLAN standard. Supports data transmission at speeds up to 54 Mbit/s over a radio channel in the range of about 5 GHz.

802.11b - The most common standard. Supports data transmission at speeds up to 11 Mbit/s over a radio channel in the range of about 2.4 GHz.

802.11e - Quality of service requirements for all IEEE WLAN radio interfaces.

802.11f - A standard that describes the order of communication between peer access points.

802.11g - Establishes an additional modulation technique for the 2.4 GHz frequency. Designed to provide data transmission rates of up to 54 Mbit/s over a radio channel in the range of about 2.4 GHz.

802.11h - A standard that describes the management of the 5 GHz spectrum for use in Europe and Asia.

802.11i (WPA2) - A standard that corrects existing security problems in the areas of authentication and encryption protocols. Affects 802.1X, TKIP and AES protocols.

At the moment, 4 standards are widely used: 802.11, 802.11a, 802.11b, 802.11g.

2003 - The WPA (Wi-Fi Protected Access) standard was introduced, which combines the benefits of the dynamic key renewal of IEEE 802.1X with TKIP (Temporal Key Integrity Protocol) encryption, the Extensible Authentication Protocol (EAP) and MIC (Message Integrity Check) message integrity verification.

In addition, many independent security standards from various developers are being developed in parallel. The leaders are such giants as Intel and Cisco.

2004 - WPA2, or 802.11i, appears - the most secure standard at this time.

Technologies for protecting Wi-Fi networks.

WEP

This technology was developed specifically to encrypt the flow of data transmitted within a local network. The data is encrypted with a key of 40 to 104 bits. But this is not the whole key, only its static component. To enhance security, the so-called initialization vector IV (Initialization Vector) is used, which is designed to randomize an additional part of the key and thereby provides different variations of the cipher for different data packets. This vector is 24 bits long. Thus, as a result, we obtain an overall encryption with a key length from 64 (40+24) to 128 (104+24) bits, which allows both constant and randomly selected characters to be used during encryption. But on the other hand, 24 bits are only ~16 million combinations (2^24); that is, after the key generation cycle is exhausted, a new cycle begins. Hacking is done quite simply:

1) Finding a repeat (minimum time, for a key 40 bits long - from 10 minutes).

2) Hacking the rest of the part (essentially seconds)

3) You can infiltrate someone else's network.

At the same time, there are quite common utilities for cracking the key, such as WEPcrack.
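An added example (not from the page) that models the WEP construction just described, a 24-bit IV prepended to a static secret and fed to RC4, and shows two things a defender cares about: why an IV repeat matters (two frames under the same IV share the RC4 stream, so their XOR equals the XOR of their plaintexts) and how to spot repeats in captured traffic. The secret, IVs and frames are constructed; RC4 and the CRC-32 ICV follow the WEP definition.

```python
"""WEP keystream reuse and IV-reuse monitoring (added example, not from the page).

Assumptions: a toy 40-bit secret and constructed packets; captured frames are
given as (iv, ciphertext_body) tuples, as a monitor would see them.
"""
import math
import zlib
from collections import defaultdict


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), the stream cipher WEP is built on."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: RC4(IV || secret) applied to plaintext || CRC-32 ICV.
    The 24-bit IV is the only part of the per-packet key that changes."""
    assert len(iv) == 3 and len(secret) in (5, 13)
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    data = plaintext + icv
    keystream = rc4_keystream(iv + secret, len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def plaintext_xor_from_reuse(c1: bytes, c2: bytes) -> bytes:
    """Two bodies encrypted under the same IV use the same RC4 stream, so
    c1 XOR c2 == p1 XOR p2: the keystream cancels out. This is the property
    behind 'finding a repeat' being the first step of a WEP break."""
    return xor_bytes(c1, c2)


def expected_packets_to_first_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: with randomly chosen IVs the first repeat is expected
    after about sqrt(pi * N / 2) packets, N = 2**iv_bits (about 5100 for WEP)."""
    return math.sqrt(math.pi * (2 ** iv_bits) / 2)


def find_iv_reuse(frames):
    """Monitoring check: given (iv, body) frames captured from one BSS, return
    {iv: [frame indices]} for every IV that was seen more than once."""
    seen = defaultdict(list)
    for idx, (iv, _body) in enumerate(frames):
        seen[iv].append(idx)
    return {iv: idxs for iv, idxs in seen.items() if len(idxs) > 1}


# Constructed sample traffic: a 40-bit secret and three frames, two of which
# share the IV 0x010203 (a driver reuses IVs once its counter wraps around).
SECRET = b"\x11\x22\x33\x44\x55"
P1 = b"GET /index.html HTTP/1.0"
P2 = b"POST /login.cgi HTTP/1.0"
FRAMES = [
    (b"\x01\x02\x03", wep_encrypt(SECRET, b"\x01\x02\x03", P1)),
    (b"\x01\x02\x04", wep_encrypt(SECRET, b"\x01\x02\x04", P1)),
    (b"\x01\x02\x03", wep_encrypt(SECRET, b"\x01\x02\x03", P2)),
]

if __name__ == "__main__":
    print("IVs reused:", find_iv_reuse(FRAMES))
    print("expected packets to first IV repeat: %.0f" % expected_packets_to_first_repeat())
```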

802.1X

IEEE 802.1X is the foundational standard for wireless networks. It is currently supported by Windows XP and Windows Server 2003.

802.1X and 802.11 are compatible standards. 802.1X uses the same algorithm as WEP, namely RC4, but with some differences (greater "mobility", i.e. it is possible to connect even a PDA device to the network) and corrections (of WEP hacking, etc.).

802.1X is based on the Extensible Authentication Protocol (EAP), Transport Layer Security (TLS), and RADIUS (Remote Authentication Dial-In User Service).

After the user has passed the authentication stage, they are sent a secret key in encrypted form for a certain short time, the duration of the currently valid session. Upon completion of this session, a new key is generated and again sent to the user. The TLS transport layer security protocol provides mutual authentication and integrity of data transmission. All keys are 128-bit.

Separately, it is necessary to mention the security of RADIUS: it is based on the UDP protocol (and is therefore relatively fast); authorization occurs in the context of the authentication process (i.e., there is no authorization as such); the RADIUS server implementation is focused on single-process client servicing (although multi-process servicing is possible; the question is still open); it supports a fairly limited number of authentication types (cleartext and CHAP); and it has an average degree of security. In RADIUS, only cleartext passwords are encrypted, while the rest of the packet remains "open" (and from a security point of view, even the username is a very important parameter).

But CHAP is a separate matter. The idea is that a cleartext password in any form is never transmitted over the network. Namely: when authenticating a user, the client sends the user machine a certain Challenge (an arbitrary random sequence of characters); the user enters a password, and the user machine performs certain cryptographic operations on this Challenge using the entered password (usually ordinary hashing with the MD5 algorithm, RFC 1321). The result is the Response. This Response is sent back to the client, and the client sends everything together (Challenge and Response) to the 3A server (Authentication, Authorization, Accounting) for authentication. That server (which also has the user's password on its side) performs the same operations on the Challenge and compares its Response with the one received from the client: if they match, the user is authenticated; if not, access is refused. Thus, only the user and the 3A server know the cleartext password, and the cleartext password does not "travel" over the network and cannot be intercepted.
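The CHAP exchange just described, together with the RADIUS User-Password hiding that the text contrasts it with, as an added example (not the page's or any RADIUS implementation's code). It follows RFC 1994 for the CHAP response and RFC 2865 section 5.2 for User-Password; the shared secret, authenticator, usernames and passwords are constructed values.

```python
"""CHAP (RFC 1994) and RADIUS User-Password hiding (RFC 2865, section 5.2).
Added example; the function names and the sample secrets are constructed."""
import hashlib
import hmac

# RADIUS attribute type codes used below
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60


def chap_response(identifier: int, password: str, challenge: bytes) -> bytes:
    """CHAP Response Value = MD5(Identifier || secret || Challenge Value),
    computed on the user's machine; the password itself never leaves it."""
    return hashlib.md5(bytes([identifier & 0xFF]) + password.encode() + challenge).digest()


def chap_verify(identifier: int, stored_password: str, challenge: bytes,
                response: bytes) -> bool:
    """What the 3A server does: recompute from its own copy of the password and
    compare (constant-time, so timing does not reveal where the bytes differ)."""
    expected = chap_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def radius_hide_password(shared_secret: bytes, authenticator: bytes,
                         password: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to a multiple of 16, then
    c1 = p1 XOR MD5(S || RequestAuthenticator), c_i = p_i XOR MD5(S || c_{i-1})."""
    assert len(authenticator) == 16 and 1 <= len(password) <= 128
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(shared_secret + prev).digest()
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        hidden += chunk
        prev = chunk
    return hidden


def radius_unhide_password(shared_secret: bytes, authenticator: bytes,
                           hidden: bytes) -> bytes:
    """Inverse, as done by the RADIUS server; trailing NUL padding is stripped
    (a RADIUS password cannot itself contain NUL bytes)."""
    padded, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(shared_secret + prev).digest()
        chunk = hidden[i:i + 16]
        padded += bytes(c ^ b for c, b in zip(chunk, pad))
        prev = chunk
    return padded.rstrip(b"\x00")


def avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type (1) | Length (1, including this 2-byte header) | Value."""
    assert len(value) <= 253
    return bytes([attr_type, len(value) + 2]) + value


def access_request_attributes_pap(shared_secret, authenticator, username, password):
    """Attributes of an Access-Request carrying a PAP password: only User-Password
    is hidden, User-Name travels in the clear, exactly as the text above warns."""
    return (avp(USER_NAME, username.encode())
            + avp(USER_PASSWORD,
                  radius_hide_password(shared_secret, authenticator, password.encode())))


def access_request_attributes_chap(identifier, username, password, challenge):
    """With CHAP the client relays CHAP-Password (ident || response) and the
    CHAP-Challenge; nothing password-derived except the MD5 response travels."""
    return (avp(USER_NAME, username.encode())
            + avp(CHAP_PASSWORD, bytes([identifier]) + chap_response(identifier, password, challenge))
            + avp(CHAP_CHALLENGE, challenge))
```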

WPA

WPA (Wi-Fi Protected Access) is a temporary standard (technology for secure access to wireless networks), which is transitional to IEEE 802.11i. Essentially, WPA combines:

802.1X is the foundational standard for wireless networks;

EAP - Extensible Authentication Protocol;

TKIP - Temporal Key Integrity Protocol;

MIC is a technology for checking message integrity (Message Integrity Check).

The main modules are TKIP and MIC. The TKIP standard uses automatically selected 128-bit keys that are generated in an unpredictable manner and have approximately 500 billion variations. A complex hierarchical key selection algorithm and their dynamic replacement every 10 KB (10 thousand transmitted packets) make the system maximally secure. Message Integrity Check technology also protects against external penetration and alteration of information. A fairly complex mathematical algorithm allows data sent at one point to be compared with data received at another. If changes are noticed and the comparison does not match, such data is considered false and discarded.

True, TKIP is currently not the best encryption implementation, because of the newer Advanced Encryption Standard (AES), previously used in VPNs.

VPN

VPN (Virtual Private Network) technology has been proposed by Intel to ensure secure connection between client systems and servers over public Internet channels. VPN is probably one of the most reliable in terms of encryption and authentication reliability.

There are several encryption technologies used in VPNs, the most popular of which are described by the PPTP, L2TP and IPSec protocols with DES, Triple DES, AES and MD5 encryption algorithms. IP Security (IPSec) is used approximately 65-70% of the time. With its help, almost maximum security of the communication line is ensured.

VPN technology was not designed specifically for Wi-Fi - it can be used for any type of network, but protecting wireless networks with its help is the most correct solution.

A fairly large amount of software (Windows NT/2000/XP, Sun Solaris, Linux) and hardware has already been released for VPN. To implement VPN protection within a network, you need to install a special VPN gateway (software or hardware), in which tunnels are created, one for each user. For wireless networks, for example, the gateway should be installed directly in front of the access point. Network users in turn need to install special client programs, which also work outside the wireless network, and decryption is carried out beyond its boundaries. Although all this is quite cumbersome, it is very reliable. But like everything, it has its drawbacks, in this case two of them:

The need for fairly extensive administration;

A 30-40% decrease in channel bandwidth.

Other than that, a VPN is a pretty clear choice. Especially since lately VPN equipment has been developing precisely in the direction of improved security and mobility. The Cisco VPN 5000 series, a complete IPsec VPN solution, serves as a prime example. Moreover, this line currently includes the only client-based VPN solution today that supports Windows 95/98/NT/2000, MacOS, Linux and Solaris. Besides, a free license for use of the brand and distribution of the IPsec VPN client software comes with all VPN 5000 products, which is also important.

Key points about protecting an organization's Wi-Fi networks.

In light of all of the above, you can be sure that the currently available protection mechanisms and technologies allow you to ensure the security of a network using Wi-Fi. Naturally, this holds only if administrators do not rely on basic settings alone, but take care of fine tuning. Of course, it cannot be said that in this way your network will turn into an impregnable bastion, but by allocating sufficiently significant funds for equipment, time for configuration and, of course, for constant monitoring, you can ensure security with a probability of approximately 95%.

Key points when organizing and configuring Wi-Fi networks that should not be neglected:

- Selecting and installing an access point:

> before purchasing, carefully read the documentation and currently available information about holes in the software implementation for this class of equipment (the well-known example is a hole in the IOS of Cisco routers that allows an attacker to gain access to the configuration). It might make sense to limit yourself to buying a cheaper option and updating the OS of the network device;

> explore supported protocols and encryption technologies;

> whenever possible, purchase devices that use WPA2 and 802.11i, as they use new technology for security - Advanced Encryption Standard (AES). At the moment, these can be dual-band access points (AP) to IEEE 802.11a/b/g networks Cisco Aironet 1130AG and 1230AG. These devices support the IEEE 802.11i security standard, Wi-Fi Protected Access 2 (WPA2) intrusion protection technology using Advanced Encryption Standard (AES) and guarantee capacity to meet the highest demands of wireless LAN users. New APs take advantage of dual-band IEEE 802.11a/b/g technologies and remain fully compatible with earlier versions of devices running IEEE 802.11b;

> pre-prepare client machines to work together with the purchased equipment. Some encryption technologies may not be supported by the OS or drivers at this time. This will help avoid wasting time when deploying the network;

> do not install an access point outside the firewall;

> Locate antennas inside the building walls and limit radio power to reduce the likelihood of connections from outside.

> use directional antennas, do not use the default radio channel.

- Access point setup:

> if the access point allows you to deny access to its settings over the wireless connection, use this opportunity. Do not give a hacker who has infiltrated your network the chance to control key nodes via radio. Disable management protocols over the radio interface, such as SNMP, the web administration interface and telnet;

> be sure(!) to use a complex password to access the access point settings;

> if the access point allows you to control client access by MAC addresses, be sure to use this;

> if the equipment allows you to prohibit broadcasting of the SSID, be sure to do this. But at the same time, a hacker always has the opportunity to obtain the SSID when connecting as a legitimate client;

> the security policy should prohibit wireless clients from making ad-hoc connections (such networks allow two or more stations to connect directly to each other, bypassing the access points that route their traffic). Hackers can use several types of attacks against systems using ad-hoc connections. The primary problem with ad-hoc networks is lack of identification. These networks can allow a hacker to conduct man in the middle attacks, denial of service (DoS), and/or compromise systems.

- Selecting a setting depending on the technology:

> if possible, deny access for clients with SSID;

> if there is no other option, be sure to enable at least WEP, but not lower than 128-bit.

> if, when installing network device drivers, you are offered a choice of three encryption technologies: WEP, WEP/WPA and WPA, then select WPA;

> if the device settings offer the choice: “Shared Key” (it is possible to intercept the WEP key, which is the same for all clients) and “Open System” (it is possible to integrate into the network if the SSID is known) - select “Shared Key”. In this case (if you use WEP authentication), it is most advisable to enable filtering by MAC address;

> if your network is not large, you can choose Pre-Shared Key (PSK).

> use 802.1X if it is possible. When setting up a RADIUS server, it is advisable to select the CHAP authentication type;

> the maximum level of security at the moment is provided by the use of VPN - use this technology.

- Passwords and keys:

> when using an SSID, adhere to the same requirements as password protection - the SSID must be unique (do not forget that the SSID is not encrypted and can be easily intercepted!);

> always use the longest possible keys. Do not use keys smaller than 128 bits;

> don't forget about password protection: use a password generator, change passwords after a certain period of time, keep passwords secret;

> in the settings there is usually a choice of four predefined keys: use them all, changing them according to a certain algorithm. If possible, do not tie the schedule to the days of the week (there are always people in any organization who work on weekends, and what prevents an intrusion into the network on those days?).

> try to use long, dynamically changing keys. If you use static keys and passwords, change your passwords after a certain period of time.

> instruct users to keep passwords and keys confidential. It is especially important if some people use laptops that they keep at home to log in.

- Network settings:

> use NetBEUI to organize shared resources. If this does not contradict the concept of your network, do not use the TCP/IP protocol on wireless networks to share folders and printers.

> do not allow guest access to shared resources;

> try not to use DHCP on your wireless network - use static IP addresses;

> limit the number of protocols within the WLAN to only those necessary.

- General:

> use firewalls on all wireless network clients, or at least enable the Windows XP firewall;

> regularly monitor vulnerabilities, updates, firmware and drivers of your devices;

> use security scanners periodically to identify hidden problems;

> Determine the tools to perform wireless scanning and how often to perform these scans. Wireless scanning can help locate rogue access points.

> if your organization’s finances allow it, purchase intrusion detection systems (IDS, Intrusion Detection System), such as:

CiscoWorks Wireless LAN Solution Engine (WLSE), which includes several new features - self-healing, advanced tamper detection, automated site inspection, warm standby, client tracking with real-time reporting.
CiscoWorks WLSE is a centralized system-level solution for managing the entire wireless infrastructure based on Cisco Aironet products. The advanced radio and device management capabilities supported by CiscoWorks WLSE simplify ongoing wireless network operations, enable seamless deployment, enhance security, and ensure maximum availability while reducing deployment and operational costs.

The Hitachi AirLocation system uses an IEEE802.11b network and is capable of operating both indoors and outdoors. The accuracy of determining the coordinates of an object, according to the developers, is 1-3 m, which is somewhat more accurate than the similar characteristic of GPS systems. The system consists of a coordinate determination server, a control server, a set of several base stations, a set of WLAN equipment and specialized software. The minimum price of the kit is about $46.3 thousand. The system determines the location of the required device and the distance between it and each access point by calculating the terminal’s response time to signals sent by points connected to the network with a distance between nodes of 100-200 m. For a sufficiently precise location of the terminal, therefore, only three access points are sufficient.

Yes, the prices for such equipment are quite high, but any serious company can decide to spend this amount in order to be confident in the security of their wireless network.

Purpose: Bluetooth is a wireless technology that provides wireless transmission of both digital data and audio signals over short distances between mobile personal computers, mobile phones and other devices in real time.

Principles of construction and operation of Bluetooth: Bluetooth technology is based on combining devices into piconets, which are wireless data networks that are small both in number of elements (usually the network is built from two elements, a master and a slave) and in the distance between them. The IEEE 802.15.1 standard is based on the Bluetooth v1.x specifications. Bluetooth is an inexpensive radio interface with low power consumption (about 1 mW). At first, the range of Bluetooth was within a radius of 10 m; later it increased to 100 m. Bluetooth operates in the so-called lower 2.45 GHz ISM (industrial, scientific, medical) band, which is intended for the operation of industrial, scientific and medical devices.

The Bluetooth standard provides time division duplexing (TDD). The master device transmits packets in odd time slots, and the slave device transmits packets in even time slots (see Time Division Duplex Transmission). Packets, depending on their length, can occupy up to five time slots. In this case, the channel frequency does not change until the end of the packet transmission (see the handout Transmitting packets of different lengths).

Packet structure (see handout): a standard packet consists of an access code, a header and an information field. The access code identifies packets belonging to the same piconet and is also used for synchronization and inquiry procedures. It includes a preamble (4 bits), a sync word (64 bits) and a trailer (4 bits of checksum).

The header contains information to control the communication and consists of six fields:

Address (3 bits) - address of the active element;

Type (4 bits) - data type code;

Flow (1 bit) - data flow control, indicates the device’s readiness to receive;

ARQ (1 bit) - confirmation of correct reception;

SEQN (1 bit) - used to determine the sequence of packets;

HEC (8 bits) - checksum.

The final part of the general packet format is the payload. There are two types of fields in this part: the voice field (synchronous) and the data field (asynchronous). ACL packets have only a data field, and SCO packets have only a voice field. An exception is the Data Voice (DV) packet, which has both fields. The data field consists of three segments: the payload header, the payload body and possibly a CRC (Cyclic Redundancy Check) code.

Payload header (8 bits). Only data fields have a payload header. It defines the logical channel, flow control on logical channels, and also carries a payload length indicator.

Payload body (0-2721 bits). The payload body contains the user information. The length of this segment is specified in the length field of the payload header.

CRC (16 bits). A 16-bit cyclic redundancy code (CRC) is calculated from the transmitted information and then appended to it. There are 4 types of control packets: NULL, POLL, FHS, ID. They are the same for both ACL and SCO.

ID packets are 68 bits long and are used for paging and inquiry. They consist only of the access code field.

NULL packets (126 bits) consist only of the access code and header fields, acting as confirmations of connection establishment or data receipt.

The POLL type (126 bits) is similar to the previous one, except that POLL packets oblige the recipient to respond.

FHS packets (366 bits) contain information about the address, the class of the device and the clock of its transmitter.
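A decoder for the packet header and ACL payload header described above, added here as an example (not from the page or from any Bluetooth stack). It assumes LSB-first bit order and a three-fold repetition code for the header's 1/3-rate FEC; the HEC is modelled as a CRC-8 with the Bluetooth generator polynomial seeded with the master's UAP (0x5B, a constructed value) without reproducing real silicon's exact register bit ordering, and the sample headers are constructed.

```python
"""Bluetooth baseband header / payload-header decoder (added example).
Bits are lists of 0/1 in on-air (LSB-first) order. Field widths follow the
text: header = LT_ADDR 3 | TYPE 4 | FLOW 1 | ARQN 1 | SEQN 1 | HEC 8 = 18 bits,
sent as 54 bits under 1/3-rate FEC (each bit three times). The HEC is modelled
as a CRC-8 over the 10 field bits with the Bluetooth generator polynomial
x^8+x^7+x^5+x^2+x+1, seeded with the master's UAP (assumption: the real
shift-register bit ordering is not reproduced, only the structure)."""
from typing import Dict, List, Tuple

HEC_POLY = 0xA7  # x^7 + x^5 + x^2 + x + 1 (the x^8 term is implicit)
PACKET_TYPES = {0: "NULL", 1: "POLL", 2: "FHS", 3: "DM1", 4: "DH1",
                5: "HV1", 6: "HV2", 7: "HV3", 8: "DV"}


def int_to_bits(value: int, width: int) -> List[int]:
    return [(value >> i) & 1 for i in range(width)]


def bits_to_int(bits: List[int]) -> int:
    return sum(b << i for i, b in enumerate(bits))


def fec13_encode(bits: List[int]) -> List[int]:
    """1/3-rate FEC: plain three-fold repetition of every bit."""
    return [b for b in bits for _ in range(3)]


def fec13_decode(coded: List[int]) -> Tuple[List[int], int]:
    """Majority vote per triplet; returns (bits, number of bits the vote overrode)."""
    assert len(coded) % 3 == 0
    decoded, overridden = [], 0
    for i in range(0, len(coded), 3):
        triple = coded[i:i + 3]
        bit = 1 if sum(triple) >= 2 else 0
        overridden += sum(1 for t in triple if t != bit)
        decoded.append(bit)
    return decoded, overridden


def hec8(field_bits: List[int], uap: int) -> int:
    """CRC-8 (generator 0x1A7) over the 10 header fields, register seeded with UAP."""
    reg = uap & 0xFF
    for bit in field_bits:
        feedback = ((reg >> 7) & 1) ^ bit
        reg = (reg << 1) & 0xFF
        if feedback:
            reg ^= HEC_POLY
    return reg


def build_header(lt_addr: int, ptype: int, flow: int, arqn: int, seqn: int, uap: int) -> List[int]:
    """Assemble the 18-bit header and apply the FEC (used to construct sample input)."""
    fields = int_to_bits(lt_addr, 3) + int_to_bits(ptype, 4) + [flow, arqn, seqn]
    return fec13_encode(fields + int_to_bits(hec8(fields, uap), 8))


def parse_header(on_air: List[int], uap: int) -> Dict:
    """Decode 54 on-air bits: FEC majority vote, field split, then HEC check.
    One corrupted bit per triplet is repaired by the vote; two in one triplet
    pass the vote with the wrong value and are caught by the HEC instead."""
    assert len(on_air) == 54
    bits, overridden = fec13_decode(on_air)
    fields, hec = bits[:10], bits_to_int(bits[10:])
    ptype = bits_to_int(fields[3:7])
    return {
        "lt_addr": bits_to_int(fields[0:3]),
        "type": ptype, "type_name": PACKET_TYPES.get(ptype, "unknown"),
        "flow": fields[7], "arqn": fields[8], "seqn": fields[9],
        "hec": hec, "hec_ok": hec == hec8(fields, uap),
        "fec_corrected_bits": overridden,
    }


def parse_payload_header(bits: List[int]) -> Dict:
    """Single-slot ACL payload header: L_CH (2) | FLOW (1) | LENGTH (5, in bytes).
    27 bytes is the largest single-slot (DH1) body, so anything above is malformed."""
    assert len(bits) == 8
    length = bits_to_int(bits[3:8])
    return {"l_ch": bits_to_int(bits[0:2]), "flow": bits[2],
            "length": length, "length_ok": length <= 27}


def flip(bits: List[int], *positions: int) -> List[int]:
    """Corrupt the given on-air bit positions (to simulate channel errors)."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


# Constructed sample: master UAP 0x5B, a DH1 packet for LT_ADDR 2 with ARQN and SEQN set.
UAP = 0x5B
HEADER = build_header(2, 4, 0, 1, 1, UAP)
ONE_ERROR = flip(HEADER, 12)       # one bad bit in the triplet carrying TYPE bit 1
TWO_ERRORS = flip(HEADER, 12, 13)  # two bad bits in that triplet: the vote is wrong
PAYLOAD_HEADER = int_to_bits(2, 2) + [1] + int_to_bits(27, 5)  # L_CH=2, FLOW=1, 27 bytes

if __name__ == "__main__":
    for name, hdr in (("clean", HEADER), ("1 error", ONE_ERROR), ("2 errors", TWO_ERRORS)):
        print(name, parse_header(hdr, UAP))
    print(parse_payload_header(PAYLOAD_HEADER))
```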

Security issues in Bluetooth networks: There are also 3 more Bluetooth-specific problems that have become very common lately: Bluejacking, Bluebugging and CarWhisperer. Bluejacking involves sending out a kind of "business card" that offers to add a new device to the list of allowed ones. If the user does this without hesitation, the attackers gain access to the desired device. Bluebugging is an even more dangerous problem, based on finding security vulnerabilities in the technology. If successful, the contents of the device can be accessed without the owner's knowledge. CarWhisperer involves using the car's standard audio system, which recently is often equipped with Bluetooth, to eavesdrop on conversations inside the cabin.

Institute of Financial and Economic Security

ABSTRACT

Wireless Security

Completed: student of group U05-201, Mikhailov M.A.

Checked: Associate Professor of the Department, Burtsev V.L.

Moscow, 2010

Introduction

WEP security standard

WPA security standard

WPA2 security standard

Conclusion

Introduction

The history of wireless information transmission technologies began at the end of the 19th century with the transmission of the first radio signal and the appearance in the 1920s of the first radio receivers with amplitude modulation. In the 1930s, frequency modulation radio and television appeared. In the 1970s, the first wireless telephone systems appeared as a natural result of the need for mobile voice transmission. At first these were analogue networks, and in the early 1980s the GSM standard was developed, which marked the beginning of the transition to digital standards, as providing better spectrum distribution, better signal quality and better security. Since the 1990s, the position of wireless networks has been strengthening. Wireless technologies are firmly entrenched in our lives. Developing at tremendous speed, they create new devices and services.

An abundance of new wireless technologies such as CDMA (Code Division Multiple Access), GSM (Global System for Mobile Communications), TDMA (Time Division Multiple Access), 802.11, WAP (Wireless Application Protocol), 3G (third generation), GPRS (General Packet Radio Service, a packet data service), Bluetooth (named after Harald Bluetooth, a Viking leader who lived in the 10th century), EDGE (Enhanced Data Rates for GSM Evolution, increased transmission speeds for GSM), i-mode, etc. indicates that a revolution is beginning in this area.

The development of wireless local networks (WLAN) and Bluetooth (medium- and short-range networks) is also very promising. Wireless networks are deployed at airports, universities, hotels, restaurants, and businesses. The history of the development of wireless network standards began in 1990, when the 802.11 committee was formed by the global organization IEEE (Institute of Electrical and Electronics Engineers). The World Wide Web and the idea of working on the Internet using wireless devices gave a significant impetus to the development of wireless technologies. At the end of the 1990s, users were offered the WAP service, which at first did not arouse much interest among the population. These were basic information services: news, weather, all kinds of schedules, etc. Likewise, both Bluetooth and WLAN were in very low demand at the beginning, mainly due to the high cost of these means of communication. However, as prices fell, public interest grew. By the middle of the first decade of the 21st century, the number of users of wireless Internet services reached tens of millions. With the advent of the wireless Internet, communications security issues came to the fore. The main problems when using wireless networks are interception of messages by intelligence services, commercial enterprises and individuals, interception of credit card numbers, theft of paid connection time, and interference with the work of communication centers.

Like any computer network, Wi-Fi is a source of increased risk of unauthorized access. In addition, it is much easier to penetrate a wireless network than a regular one - you do not need to connect to wires, you just need to be in the signal reception area.

Wireless networks differ from cable networks only at the first two layers of the seven-layer OSI model, the physical (PHY) layer and partly the data link (MAC) layer. Higher layers are implemented as in wired networks, and real network security is ensured precisely at those layers. Therefore, the difference in security between the two kinds of network comes down to the difference in the security of the physical and MAC layers.

Although today the protection of Wi-Fi networks uses complex algorithmic mathematical models of authentication, data encryption and control of the integrity of their transmission, nevertheless, the probability of access to information by unauthorized persons is very significant. And if the network configuration is not given due attention, an attacker can:

· gain access to the resources and disks of Wi-Fi network users, and through it to LAN resources;

· eavesdrop on traffic and extract confidential information from it;

· distort information passing through the network;

· introduce fake access points;

· send spam and perform other illegal actions on behalf of your network.

But before you start protecting your wireless network, you need to understand the basic principles of its organization. Typically, wireless networks consist of access nodes and clients with wireless adapters. Access nodes and wireless adapters are equipped with transceivers to exchange data with each other. Each AP and wireless adapter is assigned a 48-bit MAC address, which is functionally equivalent to an Ethernet address. Access nodes connect wireless and wired networks, allowing wireless clients to access wired networks. Communication between wireless clients in ad hoc networks is possible without an AP, but this method is rarely used in institutions. Each wireless network is identified by an administrator-assigned SSID (Service Set Identifier). Wireless clients can communicate with the AP if they recognize the access node's SSID. If there are several access nodes in a wireless network with the same SSID (and the same authentication and encryption parameters), then it is possible to switch mobile wireless clients between them.

The most common wireless standards are 802.11 and its advanced variants. The 802.11 specification defines the characteristics of a network operating at speeds up to 2 Mbit/s; the improved versions provide higher speeds. The first, 802.11b, is the most widely used, but is quickly being replaced by the 802.11g standard. 802.11b wireless networks operate in the 2.4 GHz band and provide data transfer rates of up to 11 Mbps. An improved version, 802.11a, was ratified earlier than 802.11b but came to market later. Devices of this standard operate in the 5.8 GHz band with typical speeds of 54 Mbps, although some vendors offer higher speeds of up to 108 Mbps in turbo mode. The third, improved version, 802.11g, operates in the 2.4 GHz band like 802.11b, with a standard speed of 54 Mbit/s and a higher speed (up to 108 Mbit/s) in turbo mode. Most 802.11g wireless networks can serve 802.11b clients thanks to the backward compatibility of the 802.11g standard, but practical compatibility depends on the specific vendor implementation. Most modern wireless equipment supports two or more variants of 802.11. A new wireless standard, 802.16, called WiMAX, is being designed with the specific goal of providing wireless access to businesses and homes through base stations similar to those of cellular networks. This technology is not discussed in this article.

The actual range of an AP depends on many factors, including the 802.11 variant and operating frequency of the equipment, the manufacturer, transmit power, the antenna, external and internal walls, and the network topology. However, a wireless adapter with a highly directional, high-gain antenna can communicate with an AP and its wireless network over a considerable distance, up to about one and a half kilometers depending on conditions.

Due to the public nature of the radio spectrum, wireless networks raise security concerns that do not exist in wired networks. For example, to eavesdrop on communications on a wired network, you must have physical access to a network component such as the device's LAN connection, a switch, router, firewall or host computer. A wireless network only requires a receiver, such as an ordinary frequency scanner. Because of the openness of wireless networks, the standard's developers prepared the Wired Equivalent Privacy (WEP) specification, but made its use optional. WEP uses a shared key that is known to the wireless clients and the access nodes with which they communicate. The key can be used for both authentication and encryption. WEP uses the RC4 encryption algorithm. A 64-bit key consists of 40 user-defined bits and a 24-bit initialization vector. In an attempt to improve the security of wireless networks, some equipment manufacturers have developed extended variants with 128-bit or longer WEP keys, consisting of a 104-bit or longer user portion plus the initialization vector. WEP is used with 802.11a, 802.11b and 802.11g compatible equipment. However, despite the increased key length, WEP's flaws (in particular its weak authentication mechanisms and encryption keys that can be recovered by cryptanalysis) are well documented, and WEP is not considered a reliable algorithm today.
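The paragraph above states that WEP prepends a 24-bit initialization vector to the RC4 key and that its keys can be recovered by cryptanalysis. The block below is an added example, not code from the original article, that shows the most basic reason the 24-bit IV is a problem: it models a WEP frame as iv || RC4(iv || key, payload || CRC-32), then demonstrates that two frames sent under the same IV and key share an RC4 keystream, so XORing their ciphertexts cancels the keystream and exposes the XOR of the two plaintexts, and it computes from the birthday bound how few frames it takes before an IV repeats. The key, IV and payloads are constructed values; the RC4 test in the usage note uses the public "Key"/"Plaintext" test vector.

```python
import math
import zlib
from typing import Optional, Tuple

# Added example (not from the original article). A WEP-style RC4 frame
# encryptor used to illustrate two documented WEP weaknesses: the 24-bit IV
# space is so small that IVs repeat quickly, and a repeated IV under the same
# key repeats the RC4 keystream, so c1 XOR c2 == p1 XOR p2 for those frames.

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 possible IVs per shared key


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Build a WEP-style frame body: iv || RC4(iv || key, payload || CRC-32 ICV).

    wep_key is the user part of the key: 5 bytes (40-bit WEP) or 13 bytes
    (104-bit WEP). iv is the 3-byte (24-bit) initialization vector sent in clear.
    """
    if len(wep_key) not in (5, 13) or len(iv) != 3:
        raise ValueError("need a 40- or 104-bit user key and a 24-bit IV")
    icv = zlib.crc32(payload).to_bytes(4, "little")   # WEP's integrity check value
    body = payload + icv
    return iv + xor_bytes(body, rc4_keystream(iv + wep_key, len(body)))


def wep_decrypt(wep_key: bytes, frame: bytes) -> Tuple[bytes, bool]:
    """Strip the IV, undo RC4 and verify the ICV. Returns (payload, icv_ok)."""
    iv, ct = frame[:3], frame[3:]
    body = xor_bytes(ct, rc4_keystream(iv + wep_key, len(ct)))
    payload, icv = body[:-4], body[-4:]
    return payload, zlib.crc32(payload).to_bytes(4, "little") == icv


def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> Optional[bytes]:
    """For two frames with the same IV (and key), return c1 XOR c2 over their common
    length. Because the RC4 keystream is identical, this equals p1 XOR p2 (including
    the ICV bytes). Returns None when the IVs differ."""
    if frame1[:3] != frame2[:3]:
        return None
    n = min(len(frame1), len(frame2))
    return xor_bytes(frame1[3:n], frame2[3:n])


def iv_collision_probability(frames: int) -> float:
    """Birthday-bound probability that at least two of `frames` random IVs coincide."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * IV_SPACE))


def frames_until_collision(p: float = 0.5) -> int:
    """Smallest number of frames at which the IV-collision probability reaches p."""
    n = math.ceil((1 + math.sqrt(1 + 8 * IV_SPACE * math.log(1 / (1 - p)))) / 2)
    while n > 1 and iv_collision_probability(n - 1) >= p:
        n -= 1
    while iv_collision_probability(n) < p:
        n += 1
    return n


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")        # constructed 40-bit user key
    iv = bytes.fromhex("000001")             # constructed IV, reused on purpose
    p1 = b"temperature=21.5"                 # constructed sample payloads
    p2 = b"temperature=19.0"
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    print("round trip ok:", wep_decrypt(key, f1) == (p1, True))
    leak = keystream_reuse_leak(f1, f2)
    print("c1^c2 == p1^p2:", leak[:len(p1)] == xor_bytes(p1, p2))
    print("frames for a 50% chance of IV reuse:", frames_until_collision(0.5))
```

With random IVs, `frames_until_collision(0.5)` is under 5,000 frames, which a busy access point sends in seconds; with a sequential IV counter the first repeat comes after at most 2^24 frames. Either way the shared key's keystream gets reused long before a key rotation would realistically happen, which is why the text's verdict that WEP is unreliable holds even for the 104-bit key variants: the user portion of the key is longer, but the IV is still 24 bits.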

In response to the shortcomings of WEP, the Wi-Fi Alliance decided to develop the Wi-Fi Protected Access (WPA) standard. WPA improves on WEP by adding TKIP (Temporal Key Integrity Protocol) and a strong authentication mechanism based on 802.1x and EAP (Extensible Authentication Protocol). WPA was intended to become a working standard that could be submitted to the IEEE for approval as an extension to the 802.11 standards. The extension, 802.11i, was ratified in 2004, and WPA was updated to WPA2 to be compatible with the Advanced Encryption Standard (AES) instead of WEP and TKIP. WPA2 is backward compatible and can be used in conjunction with WPA. WPA was intended for enterprise networks with a RADIUS (Remote Authentication Dial-In User Service) authentication infrastructure, but a variant of WPA called WPA Pre-Shared Key (WPA-PSK) has received support from some manufacturers and is being prepared for use in small enterprises. Like WEP, WPA-PSK works with a shared key, but WPA-PSK is more reliable than WEP.
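The paragraph above contrasts WPA with a RADIUS back end against WPA-PSK, where every station shares one key. The block below is an added example, not code from the original article, showing what that shared key actually is under IEEE 802.11i: the passphrase is stretched with PBKDF2-HMAC-SHA1 (4096 iterations, the SSID as salt) into a 256-bit Pairwise Master Key, which is why the PMK is only as strong as the passphrase and why it changes with the SSID. It also emits a network block in the format produced by the real `wpa_passphrase` utility, which stores the precomputed PMK as 64 hex digits. The passphrase/SSID pair "password"/"IEEE" is the test vector published in 802.11i; the station addresses are constructed.

```python
import hashlib
from typing import Dict, List

# Added example (not from the original article). WPA-PSK key derivation as
# specified in IEEE 802.11i: PMK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096, 32 bytes).

PBKDF2_ITERATIONS = 4096
PMK_LEN = 32            # 256-bit Pairwise Master Key


def valid_wpa_passphrase(passphrase: str) -> bool:
    """802.11i passphrases are 8 to 63 printable ASCII characters (0x20 to 0x7E)."""
    return 8 <= len(passphrase) <= 63 and all(0x20 <= ord(c) <= 0x7E for c in passphrase)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Stretch the shared passphrase into the PMK; the SSID is the salt."""
    if not valid_wpa_passphrase(passphrase):
        raise ValueError("passphrase must be 8..63 printable ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 0 < len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes,
                               PBKDF2_ITERATIONS, PMK_LEN)


def station_pmks(passphrase: str, ssid: str, station_macs: List[str]) -> Dict[str, bytes]:
    """With PSK every station derives the same PMK from the same passphrase: there is
    no per-user credential to revoke, unlike 802.1X/EAP with a RADIUS server.
    Returns a mapping of station MAC -> PMK for the stations given (constructed)."""
    pmk = derive_pmk(passphrase, ssid)
    return {mac: pmk for mac in station_macs}


def wpa_supplicant_network_block(ssid: str, passphrase: str) -> str:
    """Render a wpa_supplicant.conf network block with the precomputed PMK, in the
    same layout wpa_passphrase prints (the passphrase line is a comment)."""
    pmk_hex = derive_pmk(passphrase, ssid).hex()
    return (
        "network={\n"
        f"\tssid=\"{ssid}\"\n"
        f"\t#psk=\"{passphrase}\"\n"
        f"\tpsk={pmk_hex}\n"
        "}\n"
    )


if __name__ == "__main__":
    # 802.11i test vector: "password" / "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    # Same passphrase on a different SSID gives an unrelated PMK (SSID is the salt).
    print(derive_pmk("password", "IEEE") != derive_pmk("password", "IEEE-guest"))
    # Constructed station addresses; all end up holding the identical key.
    pmks = station_pmks("password", "IEEE", ["00:11:22:33:44:55", "66:77:88:99:aa:bb"])
    print(len(set(pmks.values())) == 1)
    print(wpa_supplicant_network_block("IEEE", "password"))
```

Two practical consequences follow from the derivation. First, 4096 PBKDF2 iterations slow down guessing but do not change the fact that the PMK is a deterministic function of the passphrase and SSID, so the passphrase needs real entropy, and a common SSID invites precomputation against it. Second, storing the 64-hex-digit `psk=` value instead of the passphrase does not reduce its sensitivity: that hex string is the PMK itself and must be protected exactly like the passphrase.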