TechnicalInfoBannerA
TechnicalInfoBannerB
TechnicalInfoBannerC

Whitepapers

  Securing WLAN Technologies
Secure Configuration Advice on Wireless Network Setup

The Growth of Wireless LAN

In recent years, there have been a number of substantial developments in the acceptance and functionality of wireless networks. Contemporary organisations are finding their workforce increasingly more mobile, often equipped with notebook computers and spend more of their productive time working away from the standard office-desk or personal-computer environment. Wireless networks support mobile workers by providing the required freedom in their network access. Workers can thus access networked resources from any point within range of a wireless access point. For IT managers, the combination of lowering wireless hardware costs and the ease of implementation in to diverse office environments means that wireless deployment is actively promoted, for it provides the combination of wired network throughput with mobile access and configuration flexibility.

A wireless LAN (WLAN) provides location-independent network access over radio waves rather than traditional cable infrastructures (e.g. 10BaseT, Token Ring, etc.). For most organisations, the WLAN is implemented as the final link between the wired network and the mobile (or inaccessible) wireless devices, thus providing access to all resources and services normally accessible through the wired network.

Previously, WLAN’s were largely implemented in environments (such as warehouses, manufacturing facilities and retail environments) where flexibility of network access took precedence over costly vendor specific wireless implementations. Already, due to the lowering price of components and development of the IEEE 802.11 standards, there has been a large increase in the application of WLAN technology to the corporate enterprise and home environment. Future development areas are likely to include Healthcare equipment and street-wide home Internet access (along the lines of Cable and DSL).

Security often plays second-fiddle to ease-of-use and if security is not transparent to the application and easy to use, it will not be used. However, given the wireless medium, certain security considerations must be applied to protect both the transmitted data and connected hosts. This page aims to explain the current suite of security issues for the most popular WLAN standards and provide advice on the secure configuration of a wireless network.

Inherent Weaknesses in Wireless Networks

Wireless networks typically utilise radio frequency (RF) signals that are capable of passing through barriers such as cubicle partitions, glass and standard walls. Cement walls and metal tend to act as solid barriers, however due to the reflective nature of the RF signal, they can be received (bounced) around corners when a barrier cannot be penetrated. The signal range, and corresponding power, is thus dependant on intermediary barriers and signal reflections. An interesting exercise is to measure signal strength throughout a building and locating “sweet-spots” (where signal strength is greater than expected given the range from the wireless node). Conducting such an exercise outside of the building can also be highly enlightening.

It is important to understand that many of the security risks and issues associated with WLAN’s also apply to the wired LAN. The real difference between a wired LAN and a wireless LAN is at the physical layer. All other network services and vulnerabilities remain; these include:

  • Threats to the physical security of the network
  • Attacks from within by “authorised” users
  • Unauthorized access and eavesdropping

Often, organisations do not realise that wired LANs also have an unintended wireless component. Almost all types of LAN cabling radiate energy, particularly unshielded twisted pair; this radiation can be significant and detectable. Thus, with sufficient motivation and the right radio equipment, it is possible to intercept wired Ethernet data packets from a point external to most buildings, provided they were equipped with an appropriate antenna.

However, the fact remains that WLAN’s are designed to broadcast network traffic, and devices are readily available to receive and decode this traffic. As such, the current wireless standards were designed to include various methods of encryption and authentication from conception. Unfortunately, many of these security features have suffered from design or implementation flaws. It is important to note that the greater the level of security, the more complex the implementation can be. If network and security managers wish to implement a strong security policy, they will need to possess a reasonable knowledge of the security mechanisms inherent to the technology.

Current Wireless Standards

There are of course numerous standards in the world of wireless networking and it often appears that every vendor has their own. The WLAN market is comprised of many competing technologies, each with different operational characteristics. The most common WLAN standards include:

  • HomeRF and HomeRF 2.0 (Wide-band Frequency Hopping (WBFH))
  • IEEE 802.11 FH/DS
  • Wi-Fi (IEEE 802.11b)
  • IEEE 802.11gOFDM & 802.11gPBCC (Wi-Fi speed extension proposal)
  • MMAC (HiSWANa)
  • HiperLAN/2
  • IEEE 802.11a
  • Bluetooth

Of these WLAN standards, the most prevalent (and are commonly available at most High Street retailers) will adhere to one of following three standards:

  • Bluetooth
  • Home RF
  • Wi-Fi (Institute of Electrical and Electronics Engineers (IEEE) 802.11b)

Although each standard offers different technological advantages or disadvantages, all three mentioned above operate in the 2.4 GHz Industrial, Scientific & Medical (ISM) band. This band offers 83 MHz of spectrum for all wireless traffic and is currently shared with cordless phones, building-to-building transmissions, and microwave ovens.

An emerging fourth wireless standard is the IEEE 802.11a, operating at the higher 5 GHz U-NII band and offering 300 MHz of spectrum, is not currently certified in Europe although negotiations between IEEE and the European Telecommunications Standards Institute (ETSI) is currently underway.

Band WLAN Systems Other Communication SystemsNon-Communication Systems
2.4 GHz
2.4000-2.4835 US 2.4000-2.4835 EU
2.471-2.497 Japan 2.4465-2.4835 France
2.445-2.475 Spain
HomeRF
HomeRF 2.0 (WBFH)
Wi-Fi (802.11b)
Bluetooth
Proprietary cordless phones
802.11 FHSS (1997)
802.11 DSSS (1997)
Proprietary vertical applications
WLL (shared Internet access)
Microwave ovens
Microwave lighting
Marine weather radar
5 GHz
5.150-5.390
802.11a (US)
HiperLAN1 (Europe)
HiperLAN2 (Europe)
HiSWAN (Japan)
Mobile satellite systems (MSS)
Earth exploration satellite systems (ESSS)
Short range wireless systems
Radio Location
Electronic News Gathering
Proprietary vertical applications
WLL (shared Internet access)
Radar systems

 

 

 


Microwave ovens (future – upper band)

5.470-5.725HiperLAN1 (Europe)
HiperLAN2 (Europe)
5.725-5.875802.11a (US)

Table 1: Wireless Standards by Frequency Band

It is important to note that both Wi-Fi (802.11b) and 802.11a are service sub definitions of the overall IEEE 802.11 standard. The IEEE 802.11 defines a standard on wireless communications and is not limited to RF communications, but also supports methods such as diffused infrared (IR). IR wireless LANs are inherently more secure and are immune from electromagnetic radiation that can interfere with RF and cable based systems. IR based WLAN’s are often used in high-security applications because the signals are line-of-sight only and will not penetrate solid objects like walls.

The key difference between the Bluetooth and Wi-Fi standards is the expected operational range. Bluetooth’s native 1 Mbps data rate is designed to connect devices that are in close proximity, such as notebook computers to printers and PDA’s to mobile phones. This short-range network is often referred to as a Personal Area Network (PAN). Wi-Fi is designed to offer full LAN connectivity and support the full suite of networking protocols (i.e. TCP/IP).

Bluetooth was never originally designed for truly sensitive data transmission. It is not a true competitor of Wi-Fi, but rather Bluetooth was intended to form PANs, where security is desirable but not absolutely essential, as shown by Bluetooth's goal to facilitate for cordless applications instead of being used for networking purposes.

The Home RF and Wi-Fi technologies both provide very similar services to home users. In the highly competitive wireless market, only one of these standards is expected to survive longterm. Given the wider support from the development community, the greater uptake in the business environment, higher transmission rates, and the greater choice of vendor compatible products – the Wi-Fi standard is expected to win this battle.

Technology: Bluetooth

Developed by the Bluetooth Special Interest Group in May 1998, it was designed to provide short-range, low-cost, low-power wireless communications. The key uses for this technology were seen to be data synchronization between computers, hand-held devices, mobile phones and pagers. Bluetooth is ideally suited to devices that travel in and out of a home network, as opposed to remaining connected to a network for extended periods.

Version 1.0 of the Bluetooth specification was approved in the summer of 1999. The IEEE standards body is currently reviewing a faster successor to Bluetooth (IEEE 802.15.3), which will offer data transfer rates of 20 Mbps, while maintaining backward compatibility.

Key Features of Bluetooth:

  • Supports data rates of 1 Mbps to distances of up to 10 meters (Up to 20 Mbps if IEEE 802.15.3 is ratified).
  • Can support either one asynchronous data channel and up to three simultaneous synchronous speech channels, or one channel that transfers asynchronous data and synchronous speech simultaneously.
  • Supports up to eight wireless devices.
  • Frequency hopping to be implemented with Gaussian Frequency Shift Keying (GFSK).
  • Uses the Link Manager Protocol (LMP) to configure, authenticate and handle the connections between Bluetooth devices.
  • Supported by over 1,300 telecommunications, computing, and networking companies globally.

Technology: Home RF

Developed by the Home RF Working Group, it was designed as a lower-cost wireless network technology for use in the home.

Key Features of Home RF:

  • Supports data rates of up to 2 Mbps at distances of up to 130 meters. An FCC ruling last August let the group finish spec 2.0 which brought its speed from 2 Mbps up to 10 Mbps distances of up to 15 meters.
  • Supports up to three simultaneous voice channels.
  • Supports up to 128 network devices.
  • Security features include Blowfish encryption (up to 56 bit).
  • Supported by several large home computer/network manufacturers.

Technology: Wi-Fi

Wi-Fi is the friendlier name for devices adhering to the IEEE 802.11b High Rate wireless technology standard. It is hoped that IEEE 802.11b will become known as “Wi-Fi” just as IEEE 802.3 is currently known as “Ethernet”. Due to the current prevalence of the Wi-Fi standard and the large installed base of WLAN devices, this standard will be discussed in greater detail in a following section.

Key Features of Wi-Fi:

  • Supports data rates of up to 11 Mbps at distances of up to 150 meters. Although some vendors claim to have successfully operated their products to ranges of excess of 500 meters. This range is using an omnidirectional antenna. Using a 21 dB Yagi directional antenna, other people have built links as long as 14 kilometres. Interestingly, this sort of standards “hacking” does not appear to break any laws because the Effective Radiated Power of the Yagi is still under the maximum set by many country authorities.
  • Supports up to 128 network devices.
  • Security features include authentication and encryption.
  • Supports voice over IP (VoIP) data and voice networking capabilities.
  • Has widespread industry support.

The IEEE 802.11 Standard and Evolution of 802.11b

Proposed and ratified by the IEEE as 802.11 in 1997, the standard defines the specifications and services for wireless network communications such as:

  • Asynchronous and time-critical delivery service support
  • Service continuity in extended areas via a distributed system (e.g. Ethernet)
  • Network management services
  • Registration and authentication services
  • Support for standard applications and protocols (e.g. TCP/IP)

It allows for two different (and incompatible) methods of encoding RF signals, FHSS and DSSS. FHSS (Frequency Hopping Spread Spectrum) spreads the communications across 75 sub channels, each consisting of 1 MHz, and continually skipping between them. DSSS (Direct Sequence Spread Spectrum) divides the band into 14 overlapping 22 MHz channels which are utilised one at a time.

FHSS frequency-hopping cards were the first to arrive to the marketplace, as they were cheaper to produce and easier to implement than DSSS. However, as the technology matured and faster processors became available, it became cheaper to implement DSSS. DSSS was the preferred encoding scheme due to US government constraints on broadcasting in the ISM band.

In September 1999, the IEEE 802 committee extended the specification (802.11b) and decided to standardise on DSSS and utilised better encoding techniques. This in turn extended the data throughput from 1-2 Mbps to 5.5-11 Mbps, while allowing backwards compatibility with the older, slower, DSSS standard.

Due to speed and security considerations, various alternatives and extensions to 802.11b are currently under review or have been ratified by the IEEE.

WLAN Topologies

The 802.11 standard defines three basic topologies to be supported by the MAC layer implementation:

  • Independent Basic Service Set (IBSS)
  • Basic Service Set (BSS)
  • Extended Service Set (ESS)

The 802.11 standard further defines the following two modes:

  • Ad hoc
  • Infrastructure

Mode: Ad-Hoc

The Ad-hoc (sometimes referred to as IBSS topology) mode is analogous to a standard peer-to-peer office network in which no dedicated system is required to assume the role of a server. In WLAN terms, a number of wireless nodes or computers will communicate directly with one another in a mesh or partial-mesh topology (i.e. free-for-all). Typical instances of such an ad-hoc implementation would not connect to a larger network and cover only a limited area. If a client in an ah-hoc network wishes to communicate outside of the peer-to-peer cell, a member MUST operate as a gateway and perform routing.

Bluetooth devices can also form an ad-hoc network. In these networks, one Bluetooth device will act as a master and the others as slaves. The master defines the frequency-hopping behaviour of the network, and it is possible to connect up to 10 of these networks together.

Mode: Infrastructure

Utilising the Infrastructure mode of 802.11 devices requires the installation of at least one wireless Access Point (AP, but also often referred to as a base station) connected to the wired network infrastructure, and a set of wireless nodes or computers. This most basic configuration is referred to as a BSS topology in the 802.11 standard. Communication between wireless nodes, wireless computers and the wired network will be via the AP. Wireless computers conduct all communications through the AP, unlike the Ad hoc peer-to-peer communications.

Before being able to communicate data, wireless clients and AP’s must establish a relationship, or an association. Only after an association is established can the two wireless stations exchange data.

All AP’s transmit a beacon management frame at fixed intervals. To associate with an access point and join a BSS, a client listens for beacon messages to identify the access points within range. The client selection of which BSS to join is carried out in a vendor independent manner. A client may also send a probe request management frame to find an access point associated with the desired SSID (service set identifier).

It is possible to combine multiple wireless access points into a single sub network; this is referred to as an ESS topology. It is thus possible to expand the wireless network with multiple AP’s utilising the same channel or utilise different channels to boost aggregate throughput.

An Access Point acts as a bridge between the wired and wireless networks. The device consists of a radio, a wired network interface and bridging software. It thus acts as the base station for the wireless network, aggregating access for multiple wireless stations onto the wired network.

Roaming Techniques

Although the Wi-Fi standard defines how a wireless computer communicates with an AP, it does not define how roaming should be conducted and supported within an ESS topology network, in particular when a roaming user crosses a router boundary between subnets. Roaming between AP’s is largely reliant on vendor-specific implementations and management. Organisations should carefully evaluate vendors support for roaming and evaluate the ease of operation.

In theory it is possible to implement DHCP across the network and force users to release and renew their IP address as migrate from one subnet to another. However, this is not seen as a practical solution for non-technical staff or where continuous communications are required while roaming.

For environments where DCHP is not in use, Cisco offers a solution referred to as local-area mobility (LAM). Cisco’s LAM enables computers with static addresses to move from one subnet to another while maintaining transparent connectivity without software changes on the roaming host.

Compatibility between Wireless Networks

There has been a lot of talk about interoperation, backwards compatibility and interference between the various WLAN technologies.

The most prevalent WLAN technology, Wi-Fi, has several potential speed increases and security modifications in store from the IEEE 802.11 Task Force g. This yet to be ratified standard (IEEE 802.11g) is proposed to be backwardly compatible with Wi-Fi. It is likely that, in the very near future, wireless products adhering to this standard will replace current Wi-Fi equipment and will be produced by the same companies currently producing Wi-Fi chipsets.

Although sharing the 802.11 nomenclature, Wi-Fi (802.11b) and the faster 802.11a standard are incompatible. Companies with an existing Wi-Fi network cannot simply deploy a new 802.11a network on the Wi-Fi access points and expect to suddenly jump from 11 Mbps to 54 Mbps. The physics and operational characteristics simply do not work that way, and an 802.11a AP will only cover approximately a fourth of the area covered by a Wi-Fi AP. Thus, to cover a similarly sized area and all factors being equal, four 802.11a AP’s are required for every Wi-Fi AP. This is not to say that the two cannot be deployed together. In the near future, it is likely that WLAN access points will support both standards within a single device. Thus Wi-Fi’s range and sustainable 11 Mbps data rate could be complemented with 802.11a’s concentrated 54 Mbps.

Within the crowded 2.4 GHz ISM band, interference between devices can cause concern. Of primary concern has been the interference between Wi-Fi and Bluetooth. However, multiple companies have researched this interference issue and have concluded that, when separated by 2 metres or more, there is no significant interference. With separation distances less than 2 metres, the two technologies can interfere with each other and this can be severe when collocated within a single device (i.e. a combination PCMCIA card). Several solutions have already been proposed; ranging from modifications and extensions to the existing standards, through to recommended best practices and technological advances.

Security within the Standards

Wi-Fi

By default, Wi-Fi utilises open system authentication, and authenticates anyone who requests authentication. Wireless nodes perform a mutual authentication using this method when joining a network. In many cases the management authentication frames are sent in the clear even when WEP is enabled.

Until very recently, the law used to be that a manufacturer could only export up to 56-bit encryption. The Wi-Fi standard specified up to only 40-bit for export reasons. It is important to note that, with the 40-bit encryption option, a 24-bit initialisation vector is appended and all encryption is conducted with a 64-bit key length. While not officially part of the Wi-Fi standard, many vendors now implement 128-bit key lengths for encrypting data. This 128-bit key consists of the 24-bit initialisation vector and a 104-bit pseudo-random key.

Although the IEEE 802.11 standards body is currently working to improve the security of the standard, it is too late for deployed networks and those networks about to be deployed. Nether the less, Wi-Fi vendors have provided numerous mechanisms to help secure both communications and the operating environment:

Security Feature Details
Wi-Fi WEPThe Wired Equivalent Privacy (WEP) protocol is used to protect wireless communication from eavesdropping and prevent unauthorised access to the WLAN. WEP relies on a secret key that is shared between an AP and wireless node (e.g. notebook computer). The secret key is used to encrypt packets before they are transmitted, and an integrity check is used to ensure that packets are not modified in transit.

WEP utilises the established RC4 stream cipher to encrypt data. The stream cipher operates by expanding a short key into an infinite pseudo-random key stream. Although stream ciphers are commonly vulnerable to several attack methods, WEP was designed to overcome these failings. In particular, WEP uses an Integrity Check (IC) field within the data packet to ensure that it has not been modified in transit, and an Initialisation Vector (IV) is used to augment the shared secret key and produce a different RC4 key for each packet; thus avoiding encrypting two cipher texts with the same key. However, both of these security measures have been found to be implemented incorrectly:

  • The integrity check (which forms part of the encrypted payload of the packet) is implemented as a linear 32-bit checksum. Thus, it is possible to alter individual bits within the encrypted message and correctly adjust the checksum so that the resulting message appears valid. If an attacker has partial knowledge of the contents of the packet, it is possible to intercept and perform selective modification on it. The attacker could thus modify interactions with a file server. If the attacker is able to guess the headers of the data packet, it may be possible to alter the destination IP address and port. By resending this modified packet from a rogue wireless node, the AP will decrypt the packet and forward it on unencrypted to the modified destination. If the destination is Internet based, the attacker could remotely retrieve the plain test data.
  • The initialisation vector in WEP is a 24-bit field, and is sent in the clear text part of the message. Utilising such a small space of initialisation vectors guarantees the reuse of the same key string at a busy access point. This allows an attacker to collect two cipher texts that are encrypted with the same key stream and perform statistical attacks to recover the plain text. Once it is possible to recover the entire plain text for one of the messages, the plain text for all other messages with the same IV follows directly. The 802.11 standard specifies that changing the IV with each packet is optional; some wireless card vendors increment the IV by 1 each packet while others leave this value blank.
  • The result of these flaws in the Wi-Fi implementation of RC4 is that the encryption of data can be broken within 15 minutes. And, more importantly, the time to break the encryption scales linearly with the key length - thus a 128-bit key could be broken within 30 minutes.
Wi-Fi Shared Key AuthenticationShared key authentication uses a standard challenge and response along with a shared secret key to provide authentication. The challenge-response sequence utilises WEP to encrypt the data. Thus this authentication sequence is subject to the weaknesses of WEP.
Wi-Fi Closed Network AccessIn a closed network, only clients with knowledge of the network name, or SSID, can join. Essentially, the network name acts as a shared secret. However, the SSID is often transmitted in clear text within the management frames (even if WEP is enabled). Thus simple sniffing will rapidly enumerate the SSID
Wi-Fi Access Control Lists (ACL)Access to the wireless network can be controlled by limiting access to nodes defined in a central (or shared) list based upon the Ethernet MAC address. There are two problems with this method of control:
  • Loss of flexibility – The Network Administrator needs to maintain an up to date list of valid MAC addresses for every wireless node. Roaming or multi-site users would require changes to the ACL to access the network.
  • MAC Impersonation – Many wireless cards currently available allow the MAC address to be manually changed. MAC addresses are easily sniffed by an attacker as they must appear in the clear even if WEP is enabled.
Wi-Fi Key ManagementWi-Fi defines two methods for using WEP keys:
  • 4 Key Window – A wireless node or AP can decrypt packets enciphered with any of the four defined keys. However, transmission is limited to one of the four manually entered keys (a default key).
  • MAC Unique Key – Each MAC address may have a separate key. The standard recognises that the key mappings table should hold at least 10 entries.

As with the standard WEP failings, enforcing a reasonable key period remains a problem, as the keys need to be changed manually. Only a few major Wi-Fi vendors have implemented any form of key management or key agreement in their wireless products.

Future Development of the StandardThe IEEE is currently working on a new standard to address many of these security issues with 802.1x, for port-based authentication on wireless networks. This standard is likely to include:
  • An Extended Encapsulation Protocol (EEP) that allows various authentication protocols.
  • Enable WEP keys to be dynamically generated and sent out. Including multicast support for large organisations.
  • Centralised AP authentication, thus making roaming transparent.
  • Users will receive a logon dialog when roaming between VPN servers on a network, or when resuming from standby mode, if an AP requires alternate identification.

Table 2: 802.11b security measures

Bluetooth

Bluetooth technology provides three security attributes (authorisation, authentication and encryption), and three modes of security:

  • Security Mode 1 (non secure) – A device does not initiate any security procedure such as encryption or authentication.
  • Security Mode 2 (service-level enforcement security) – A device does not initiate security procedures before channel establishment at the service level.
  • Security Mode 3 (link-level enforced security) – A device allows only authenticated connections. The difference between Security Mode 2 and Security Mode 3 is that in Security Mode 3 the Bluetooth device initiates security procedures before the channel is established.

As there are numerous services that a Bluetooth device may have, a sizable database of services the device has authorisation to use is required. The user can choose to “auto” trust devices or “manually” trust devices.

Security FeatureDetails
Key Management The link key (a 128-bit random number) handles all security transactions between two or more parties. It is used in the authentication process and as a parameter when deriving the encryption key. The lifetime of a link key depends on whether it is a semi-permanent or a temporary key. A semi-permanent key can be used after the current session is over to authenticate Bluetooth units that share it. A temporary key lasts only until the current session is terminated and it cannot be reused. Temporary keys are commonly used in point-to-multipoint connections, where the same information is transmitted to several recipients.

There are several different types of keys defined in Bluetooth. Link keys can be combination keys, unit keys, master keys or initialization keys, depending on the type of application. In addition to link keys, there is the encryption key.

The length of the Personal Identification Number (PIN) code used in Bluetooth devices can vary between 1 and 16 octets. The regular 4-digit code is sufficient for some applications, but higher security applications may need longer codes. The PIN code of the device can be fixed, so that it needs to be entered only to the device wishing to connect. Another possibility is that the PIN code must be entered to the both devices during the initialization.

  • The major problem is likely to be a partial user one. The atypical 4-digit PIN code, is used in combination with other variables to generate the Link Key and Encryption Key. In fact it is the only truly secret key generation variable, the only one (a random number) is transmitted over the air. When using 4 digit PIN codes there are only 10,000 different possibilities. As the process of supplying PIN codes to devices often has to be repeated each time, it is common to set the value to "0000".

 

Encryption The Bluetooth encryption system encrypts the payloads of the packets. This is done with a stream cipher E0, which is re-synchronized for every payload. The E0 stream cipher consists of the payload key generator, the key stream generator and the encryption/decryption part.

Depending on whether a device uses a semi-permanent link key or a master key, there are several encryption modes available. If a unit key or a combination key is used, broadcast traffic is not encrypted. Individually addressed traffic can be either encrypted or not. If a master key is used, there are three possible modes.

  • Encryption mode 1 - nothing is encrypted.
  • Encryption mode 2 - broadcast traffic is not encrypted, but the individually addressed traffic is encrypted with the master key.
  • Encryption mode 3 - all traffic is encrypted with the master key.

 

Authentication The Bluetooth authentication scheme uses a challenge-response strategy, where a 2-move protocol is used to check whether the other party knows the secret key. The protocol uses symmetric keys, so a successful authentication is based on the fact that both participants share the same key. As a side product, the Authenticated Ciphering Offset (ACO) is computed and stored in both devices and is used for cipher key generation later on.

If the authentication fails, there is a period of time that must pass until a new attempt at authentication can be made. The period of time doubles for each subsequent failed attempt from the same address, until the maximum waiting time is reached. The waiting time decreases exponentially to a minimum when no failed authentication attempts are made during a time period.

  • Another problem arises with the use of the Link key. Authentication and encryption are based on the assumption that the link key is the participants' shared secret. All other information used in the procedures is generally public. However this can lead to fundamental problems:

    Assume that devices 1 and
    2 use 1's unit key as their link key.
    Later on, or at the same time, device
    3 may communicate with device 1 and use 1's unit key as the link key.
    2 uses 1's Link key to decrypt the communication between 1 & 3
    Device 2, having obtained 1's unit key earlier, can use the unit key with a faked Bluetooth Device Address to calculate the encryption key and therefore listen to the traffic. It can also authenticate itself to device 1 as device 3 and to device 3 as device 1.
     
  • The Bluetooth Device Address is unique to each and every Bluetooth device. However due to its uniqueness it introduces another problem. Once this ID is associated with a person, individuals can be traced and their activities easily logged, thus privacy is violated.

 

Table 3: Bluetooth security measures

Signals and Data Throughput

Although each of the technologies and standards specify maximum data rates for wireless communications, it is important to realise that these rates differ greatly from what an organisation can expect to achieve using real data in a live environment. Just as wired Ethernet is touted as 10 or 100 Mbps, the actual throughput maximum is roughly 85% of these values due to overheads inherent to the technology. For instance, with Ethernet, once the network traffic load reaches beyond 60%, the probability of network collisions is very high – at levels beyond, this collisions and retransmissions of data can cause the network to stall.

When securing the wireless network by utilising either the native encryption mechanisms or third-party products, actual data throughput can drop even further. Organisations should carefully review not only the strength of the encryption mechanism, but also the overhead to throughput. For instance, Wi-Fi’s highest data rate is 11 Mbps – this corresponds to approximately 7 Mbps actual throughput. Buy utilising WEP, it is not untypical for this rate to drop to 6 Mbps.

Technology Data RateActual ThroughputShared Among UsersEstimated Time to Download a 100 MB file (actual throughput)
56.6 Kbps Modem56.6 Kbps56.6 KbpsNo 4 hours
Dual channel ISDN128 Kbps128 Kbps No 1 hour 45 minutes
10/100 Ethernet 100 Mbps 85 MbpsYes 10 seconds
2Mb Leased Line2 Mbps2 MbpsYes 6 minutes 40 seconds
Wi-Fi11 Mbps5-7 MbpsYes 2 minutes 13 seconds
802.11gOFDM24 Mbps10-11 MbpsYes 1 minute 16 seconds
802.11gPBCC22 Mbps10-11 MbpsYes 1 minute 16 seconds
802.11a54 Mbps31 MbpsYes 26 seconds

Table 4: Transmission speed comparisons

Another important consideration is range. Due to the physics of wireless wave propagation, signal strength is inversely proportional to the range between devices. Thus, in real terms, range corresponds to maximum data rates. The maximum rate for Wi-Fi (11 Mbps) can only be achieved within a certain range of the transmitter. Moving further away from the transmitter causes the data rate to “step down” to 5.5 Mbps, 2 Mbps, 1 Mbps and finally no-signal. This range is dependant on the transmitter design and type of receiving antenna.

IEEE 802.11a provides a higher data transfer rate than Wi-Fi (36-54 Mbps versus 11 Mbps) when close to the WLAN access point (within 10-15 metres), making it more attractive for dense user environments that also require high throughput, but the data rate is closer to 9-12 Mbps at ranges over 30 metres.

A typical maximum range (at the lowest data rate of 1 Mbps) for standard Wi-Fi devices is 500 metres. However, utilising improved or specially designed receiving antennas, ranges in excess of 14 km have been achieved. The ranges achieved with standard external PCMCIA Wi-Fi cards are generally poor due to the antenna being in the worst possible orientation: sideways, and very close to the laptop (the radiation pattern is thus almost straight up and down). To address this, and offer greater ranges, many laptop vendors now build the Wi-Fi antennas into and around the screen.

WLAN Security Solutions

The omni directional broadcasting of WLAN traffic is of a primary security concern. Although various mechanisms for securing the data have been included within each of the established wireless standards, the nature of the media ensures that an anonymous attacker or interloper can easily monitor or collect traffic. Given the current range of security flaws within these security mechanisms, it is inevitable that the data content will be decoded or decrypted by those who have the time and tools to do so. Unfortunately, the tools required to sniff, decrypt and gain access to most wireless networks are freely available through numerous sites on the Internet.

While many of the security systems built into the various wireless standards have been proven to be flawed or open to abuse, there are numerous options that an organization may undertake to help deploy these technologies in a secure manner. These options may range from common-sense practices, to physical implementation, through to proven third-party products. Those members of a Corporation for the management of security and system integrity should review the following suggestions to aid their deployment of WLAN technologies

Default Settings

Almost all WLAN products come preconfigured with a suite of default settings, services and passwords. These defaults are well known and various lists exist on the Internet for ready inclusion in to tools designed expressly for compromising the security of your WLAN.

Always review the literature that comes with the WLAN components and be wary of all default settings. In particular, take note of the default security permissions for Bluetooth devices, and the default SSID and WEP keys for Wi-Fi. For AP’s, review the services utilized for remote management of the device (i.e. web admin and SNMP), decide whether these services can be made secure (through appropriate passwords and access controls or limitations), and whether such mechanisms are compatible or consistent with your corporations existing security management procedures.

The Value of the Data

Consider the value of the data that could be transmitted over the WLAN. The data will be broadcast and may be collected by an anonymous observer. Depending on the security settings and encryption levels used for the WLAN traffic, the difficulty in decoding or decrypting the data may range from trivial through to almost impossible. Beware though, if an observer is able to collect a sizable amount of data and is willing to invest the time and effort, almost all encrypted data can be decrypted.

Organizations should review the value of the data being broadcast and ascertain how important it is that an outsider should not be able to render it readable. For some organizations the value of the data may be best measured in time – consider competitive tender document that may have a life of a couple of months, a sensitive financial data that may have a life of several years, or private banking details that must be kept secret for decades. For some organizations the value of the data may be measured in reputation.

Even using the best commercial encryption algorithms, given the advances in computer processing power, it is unlikely that such confidential data will remain secret in several years should an observer choose to decrypt the data.

Treat as Untrusted

Do not inherently trust connections from the WLAN. Wireless AP’s should be handled similarly to Internet and Dial-in (e.g. RAS) connections. Best practices dictate that all AP’s should be located with separate firewall zones (i.e. DMZ) and similar access controls or filtering rules should be configured as for Internet access into the organization. This is not to say that the AP’s should be located outside the corporate firewall on the same network as the Internet, but on a separate untrusted segment controlled with appropriate rules and policies.

Just as external users may access an organizations LAN through the Internet or RAS services using technologies such as Radius, Kerberos, Secure Sockets Layer (SSL) encryption and virtual private networks (VPN’s) - an organization should extend these authentication and encryption techniques through to the WLAN and carefully examine all access procedures.

The most widely used mechanism for securing VPN traffic is the Internet Protocol Security (IPSec) specification, as defined by the IEEE. IPSec can use keyed hash algorithms (MD5, SHA, HMAC) for authenticating packets, DES, 3DES and other bulk algorithms for encrypting data, and digital certificates for validating public keys.

By employing this solution, WEP is no longer required (as all encryption is handled by the VPN channel) and should be disabled. The VPN server(s) provide the necessary authentication and full encryption over the WLAN. Utilising digital certificates at each wireless node helps ensure strong authentication.

As a more general policy, all organizations should be using secure communication methods all the time to transfer data, even internally. Consider utilizing SSL encryption for internal applications and Intranet components.

Fault Tolerance

Deploying multiple access points on the same frequency can increase the fault tolerance and adds range to a wireless segment, but won't increase your overall bandwidth. When one access point in a segment fails, the wireless clients seamlessly roam to the other access points without interrupting service, provided the appropriate roaming technologies have been configured. Not all vendor WLAN products may support seamless network roaming – choose carefully.

Be Capable of Monitoring the WLAN

Invest in appropriate network technologies to readily identify wireless AP’s or PC Card’s that may be misbehaving and cause a degradation of service. It is important to note that even a single PC Card can saturate a wireless segment. Whether an organization has just one user or 50 on a segment, each user will contend for the same amount of bandwidth. After all, a Wi-Fi network utilizes CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance), and like shared Ethernet, have a finite capacity and a certain amount of overhead associated with it. This is especially important given the threat from attackers who may purposefully seek to disrupt the WLAN services. Such an attack may cost less than £400 to an attacker (i.e. Palm computer and Wi-Fi PCMCIA card) and could be performed anywhere within range of the WLAN.

Be Capable of Detecting and Responding to Intruders

It is important not only to be able to monitor the WLAN, but also record and identify attacks. Modern Intrusion Detection Systems (IDS) are capable of identifying and responding to many of the most popular and dangerous attacks in an automated manner. Where possible, network IDS sensors should be placed on the WLAN DMZ segment, and the organizations wired LAN. Key hosts, particularly authentication servers on the wired LAN used to authorize access from the WLAN should utilize host based IDS sensors.

Having protected the organizations LAN and key authentication servers, ensure that the client WLAN devices (e.g. laptops, printers and access points) on the “dirty” side of the DMZ are also properly secured. As these devices are now likely to be primary targets of an attacker - ensure that each device has been hardened to appropriate security standards, have current anti-virus detection agents, and utilize updated personal IDS monitors.

Security Education

Ensure that both the WLAN end users and administrative staff understand the security limitations of the technology. It is vital that users be aware of the vulnerabilities of the data they may access or share over the WLAN to other users, and understand the secure access methods available to them. For administrative staff, it is equally important they understand the security configuration of the environment and have the skills to readily maintain and monitor the integrity of the WLAN.

All staff with access to WLAN components of an organisations infrastructure must understand and use good password policies. Almost all security mechanisms used by any organisation can be compromised or thwarted by poor passwords.

Be Aware of Country Specific Laws

Regulation of radio frequency bands is often country specific, and various laws exist controlling their usage. Additionally, many countries have specific laws relating to the monitoring of radio frequency data and the protection of personal data that may be observed and recorded.

Consider the following two wireless standards, 802.11b and 802.11a. 802.11b operates in the 2.4 GHz ISM band and defines a total of 14 frequency channels. Channels 1 through 11 are approved for use within the U.S.; whereas most of Europe can use channels 1 through 13, with the notable exception of France, where only channels 10 through 13 are available. 802.11a operates in the 5 GHz U-NII and, although approved for use in the U.S., is not currently approved for European.

Both suppliers and implementers of all WLAN technologies must carefully review the legal implications of installing and using such wireless technologies. Use of devices operating outside the approved radio frequency bands may interfere with 3rd-party devices, and is likely to lead to legal prosecution in most countries. Additionally, local laws relating to maximum encryption key length, radio broadcast power and range, reception and observation of unintended radio frequency data (e.g. the WLAN from across the road), and data protection regulations must also be carefully reviewed.

Understand the Operational Characteristics of the Technology

Focusing on 802.11b, an important concept to note regarding channel assignments is that the channel actually represents the centre frequency that the transceiver within the radio and access point uses (e.g., 2.412 GHz for channel 1 and 2.417 GHz for channel 2). There is only 5 MHz separation between the centre frequencies, and an 802.11b signal occupies approximately 30 MHz of the frequency spectrum. The signal falls within about 15 MHz of each side of the centre frequency.

As a result, an 802.11b signal overlaps with several adjacent channel frequencies. This leaves only three channels (channels 1, 6, and 11 for the U.S.) that can be used without causing interference between access points. For WLAN’s with only one access point, it is possible to set the access point to any one of the channels. Often, the default setting shipped by the vendor will be adequate. If there are two or three access points, assign any combination of channels 1, 6, and 11. Doing so will keep the signals far enough apart in the RF spectrum to avoid problems.

Channel Number Frequency (GHz) – Channels are 22MHz wide
1*2.412 (US FCC, Europe ETSI, Japan)
22.417 (US FCC, Europe ETSI, Japan)
32.422 (US FCC, Europe ETSI, Japan)
42.427 (US FCC, Europe ETSI, Japan)
52.432 (US FCC, Europe ETSI, Japan)
6*2.437 (US FCC, Europe ETSI, Japan)
72.442 (US FCC, Europe ETSI, Japan)
82.447 (US FCC, Europe ETSI, Japan)
92.452 (US FCC, Europe ETSI, Japan)
102.457 (US FCC, Europe ETSI, Japan, France)
11*2.462 (US FCC, Europe ETSI, Japan, France)
122.467 (Europe ETSI, Japan, France)
132.472 (Europe ETSI, Japan, France)
142.484 (Japan)

 Table 4: 802.11b channel median frequencies (* indicates non-overlapping channels)

     
    Copyright 2001-2007 © Gunter Ollmann