Wireless Security Primer 101

The first article in a two part series that serves as an introduction to wireless communication, as well as a description of wireless networks, protocols and security standards. Part 2 of this series will analyze the different ways in which a wireless network may be attacked. (If you would like to receive an email when Part 2 of this article is released, subscribe to the WindowSecurity.com Real-Time Article Updates from our Newsletter Subscriptions page).

Wireless Security Primer 101

“For a complete guide to security, check out ‘Security+ Study Guide and DVD Training System’ from Amazon.com“

Rob Shimonski would like to thank Martin Grasdal (contibuting author on the Security+ book) for original content creation. Martin has by far created one of the most outstanding and complete chapters on Wireless fundamentals and security in the Security+ book that you will find anywhere.

Overview of Wireless Communication in a Wireless Network

Wireless networks, like their wired counterparts, rely on the manipulation of electrical charge to enable communication between devices.  Changes or oscillations in signal strength from 0 to some maximum value (amplitude) and the rate of those oscillations (frequency) are used singularly or in combination with each other to encode and decode information. 

When two devices understand the method(s) used to encode and decode information contained in the changes to the electrical properties of the communications medium, they can communicate with each other.  A network adaptor is able to decode the changes in the electric current it senses on the wire and convert them to meaningful information (bits) that it can subsequently send to higher levels for processing.  Likewise, a network adaptor can encode information (bits) by manipulating the properties of the electric current for transmission on the communications medium (the cable, in the case of wired networks).

The obvious and primary difference between wired and wireless networks is that wireless networks use a special type of electric current, commonly known as Radio Frequency (RF), which is created by applying alternating current (AC) to an antenna to produce an electromagnetic field (EM).  The resulting RF field is used by devices for broadcast and reception.  In the case of wireless networks, the medium for communications is the EM field, the region of space that is influenced by the electromagnetic radiation (unlike audio waves, radio waves do not require a medium such as air or water to propagate).  As with wired networks, amplitude decreases with distance, resulting in the degradation of signal strength and the ability to communicate.   However, the EM field is also dispersed according to the properties of the transmitting antenna, and not tightly bounded as is the case with communication on a wire.  The area over which the radio waves propagate from an electromagnetic source is known as the Fresnel Zone.

Like the waves created by throwing a rock into a pool of water, radio waves are affected by the presence of obstructions and may be reflected, refracted, diffracted, or scattered, depending on the properties of the obstruction and its interaction with the radio waves.  Reflected radio waves can be a source of interference on wireless networks.  The interference created by bounced radio waves is called multipath interference. 

When radio waves are reflected, additional wave fronts are created. These different wave fronts may arrive at the receiver at different times and be in phase or out of phase with the main signal.  When the peak of a wave is added to another wave (in phase), the wave is amplified. When the peak of a wave meets a trough (out of phase), the wave is effectively cancelled.  Multipath interference can be the source of hard-to-troubleshoot problems.  In planning for a wireless network, administrators should consider the presence of common sources of multipath interference.  These include metal doors, metal roofs, water, metal vertical blinds, and any other source that is highly reflective to radio waves. Antennas may help to compensate for the effects of multipath interference, but these have to be carefully chosen. In fact, many wireless access points have two antennas for precisely this purpose. But, a single omni-directional antenna may be of no use at all for this kind of interference.

Another source of signal loss is the presence of obstacles.  While radio waves can travel through physical objects, they will be degraded according to the properties of the object they travel through.  A window, for example, is fairly transparent to radio waves, but may reduce the effective range of a wireless network by 50 – 70%, depending on the presence and nature of coatings on the glass.  A solid core wall can reduce the effective range of a wireless network by up to 90% or greater.

EM fields are also prone to interference and signal degradation by the presence of other EM fields. In particular, 802.11 wireless networks are prone to interference produced by cordless phones, microwave ovens, and a wide range of devices that use the same unlicensed Industrial, Scientific and Medical (ISM) or Unlicensed National Information Infrastructure (UNII) bands.  To mitigate the effects of interference from these devices and other sources of electromagnetic interference, RF-based wireless networks employ Spread Spectrum technologies. Spread spectrum provides a way to “share” bandwidth with other devices that may be operating in the same frequency range. Rather than operating on a single, dedicated frequency such as is the case with radio and television broadcasts, wireless networks use a “spectrum” of frequencies for communication. 

First conceived of by Hedy Lamarr and George Antheil (a Hollywood actress and composer respectively) in 1940 as a method to secure military communications from jamming and eavesdropping during WWII, spread spectrum defines methods for wireless devices to use a number of narrowband frequencies over a range of frequencies simultaneously for communication.  The narrowband frequencies used between devices change according to a random-appearing but defined pattern, allowing the use of individual frequencies to contain parts of the transmission. Someone listening to a transmission using spread spectrum would hear only noise, unless their device understood in advance what frequencies were used for the transmission and could synchronize with them.

Two methods to synchronize wireless devices are frequency hopping spread spectrum (FHSS) and direct sequence spread spectrum (DSSS).  As the name implies, FHSS works by quickly moving from one frequency to another according to a pseudo-random pattern. The frequency range used by the frequency hop is relatively large (83.5 MHz), providing excellent protection from interference. The amount of time spent on any given frequency is known as dwell time; the amount of time it takes to move from one frequency to another is known as hop time.  FHSS devices will begin their transmission on one frequency and move to other frequencies according to the pre-defined pseudo-random sequence and then repeat the sequence after reaching the final frequency in the pattern. Hop time is usually very short (200 – 300 ms) and not significant relative to the dwell time (100 – 200 ms). However, Bluetooth devices use very short dwell times, and the hop times in this case can be significant, resulting in lower throughput.  In general, the longer the dwell time, the greater the throughput and the more susceptible the transmission may be to narrowband interference.

The frequency hopping sequence creates the channel, allowing multiple channels to coexist in the same frequency range without interfering with one another. As many as 79 FCC-compliant FHSS devices using the 2.4 GHz ISM band may be co-located with each other.  However, the expense of implementing such a large number of systems limits the practical number of co-located devices to well below this number.  Wireless networks that use FHSS include HomeRF and Bluetooth, which both operate in the unlicensed 2.4GHz ISM band.  FHSS is less subject to EM interference than DSSS, but usually operates at lower rates of data transmission (usually 1.6Mbps, but can be as high as 10 Mbps) than networks that use DSSS.

DSSS works somewhat differently.  With DSSS, the data is divided and simultaneously transmitted on as many frequencies as possible within a particular frequency band (the channel). DSSS adds redundant bits of data known as chips to the data to represent binary 0s or 1s. The ratio of chips to data is known as the spreading ratio:  the higher the ratio, the more immune to interference the signal is because if part of the transmission is corrupted, the data can still be recovered from the remaining part of the chipping code. This method provides greater rates of transmission than FHSS, which uses a limited number of frequencies, but fewer channels in a given frequency range. And, it also protects against data loss through the redundant, simultaneous transmission of data.  However, because DSSS floods the channel it is using, it is also more vulnerable to interference from EM devices operating in the same range.  In the 2.4 – 2.4835 GHz frequency range employed by 802.11b, DSSS transmissions can be broadcast in any one of 14 22 MHz-wide channels.  The number of center-channel frequencies used by 802.11 DSSS devices depends on the country.  For example, North America allows 11 channels operating in the 2.4 – 2.4835 GHz range, Europe 13, and Japan 1.  Because each channel is 22 MHz wide, channels may overlap with each other.  With the 11 available channels available in North America, only a maximum of 3 channels (1, 6, and 11) may be used concurrently without the use of overlapping frequencies.

When comparing FHSS and DSSS technologies, it should be noted that FHSS networks are not inherently more secure than DSSS networks, contrary to popular belief.  Even if the relatively few manufacturers of FHSS devices were not to publish the hopping sequence used by their devices, a sophisticated hacker armed with a spectrum analyzer and a computer could easily determine this information and eavesdrop on the communications.

Wireless networks operate at the Physical and Data Link Layers of the OSI model.  The PHY layer is concerned with the physical connections between devices, such as the medium and how bits (0s and 1s) are encoded and decoded. Both FHSS and DSSS, for example, are implemented at the PHY layer.  The Data Link Layer is divided into two sub layers, the Media Access Control (MAC) and Logical Link Control (LLC) layers. The MAC layer is responsible for such things as the framing of data, error control, synchronization, and collision detection and avoidance. The Ethernet 802.3 standard, which defines the Carrier Sense Multiple Access with Collision Detection (CSMA/CD) method for protecting against data loss as result of data collisions on the cable, is defined at this layer. 

Wireless Local Area Networks

Wireless Local Area Networks (WLANs) are covered by the IEEE 802.11 standards.  The purpose of these standards is to provide a wireless equivalent to IEEE 802.3 Ethernet-based networks.  The IEEE 802.3 standard defines a method for dealing with collisions (CSMA/CD), speeds of operation (10 Mbps, 100 Mbps, and faster), and cabling types (Category 5 twisted pair and fiber).  The standard ensures the interoperability of various devices, despite different speeds and cabling types. 

As with the 802.3 standard, the 802.11 standard defines methods for dealing with collision and speeds of operation. However, because of the differences in the media (air as opposed to wires), the devices being used, the potential mobility of users connected to the network, and the possible wireless network topologies, the 802.11 standards differ significantly from the 802.3 standard.  As we mentioned earlier in this chapter, 802.11 networks use Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) as a method to deal with potential collisions, as opposed to CSMA/CD used by Ethernet networks, because not all stations on a wireless network may be able to hear collisions that can occur on the network. 

In addition to providing a solution to the problems created by collisions that occur on a wireless network, the 802.11 standard must deal with other issues specific to the nature of wireless devices and wireless communications in general.  For example, wireless devices need to be able to locate other wireless devices, such as access points, and be able to communicate with them.  Wireless users are mobile and therefore should be able to move seamlessly from one wireless zone to another.  Many wireless-enabled devices, such as laptops, use battery power and should be able to conserve power when they are not actively communicating with the network.  Wireless communication over the air needs to be secure to mitigate both passive and active attacks.

WAP

The Wireless Application Protocol (WAP) is an open specification designed to enable mobile wireless users to easily access and interact with information and services instantly.    WAP is designed for handheld digital wireless devices such as mobile phones, pagers, two-way radios, smartphones and other communicators.  It works over most wireless networks and can be built on many operating systems including PalmOS, Windows CE, JavaOS, and others.  The WAP operational model is built on the World Wide Web (WWW) programming model with a few enhancements.  This model is shown in Figure 1.

WAP 2.0 Architecture Programming Model

WAP browsers in the wireless client are analogous to the standard WWW browsers on computers.  WAP URIs are the same as those defined for traditional networks and are also used to identify local resources in the WAP enabled client.  The WAP specification added two significant enhancements to the above programming model : push and telephony support (Wireless Telephony Application – WTA).  WAP also provides for the use of proxy servers as well as supporting servers providing such functions as PKI support, user profile support, and provisioning support.

WTLS

The Wireless Transport Layer Security (WTLS) is an attempt by the WAP Forum to introduce a measure of security into the Wireless Access Protocol (WAP).  The WTLS protocol is based on the Transport Layer Security protocol (TLS) that is itself a derivative of the Secure Sockets Layer protocol (SSL).  However several changes were made to the protocols in order to adapt them to work within WAP.  These changes include:

• Support for both datagram as well as connection-oriented protocols

• Support for long round-trip times.

• Low-bandwidth, limited memory and processor capabilities.

WTLS is designed to provide privacy as well as reliability for both the client and the server over an insecure network.  It is specific to applications that utilize WAP.  These applications tend to be limited by memory, processor capabilities, and low bandwidth environments.

IEEE 802.11

The original 802.11 standard was developed in 1989 and defines the operation of wireless networks operating in the 2.4 GHz range using either DSSS or FHSS at the Physical layer of the OSI model. The standard also defines the use of Infrared for wireless communication.  The intent of the standard is to provide a wireless equivalent for standards, such as 802.3, that are used for wired networks.  DSSS devices that follow the 802.11 standard communicate at speeds of 1 and 2 Mbps and generally have a range of around 300 feet. Because of the need for higher rates of data transmission and the need to provide more functionality at the MAC layer, other standards were developed by the 802.11 Task Groups (or in some cases the 802.11 standards were developed from technologies that preceded them).

The IEEE 802.11 standard provides for all the necessary definitions and constructs for wireless networks.  Everything from the physical transmission specifications to the authentication negotiation is provided.  Wireless traffic, like its wired counterpart, consists of frames transmitted from one station to another.  The primary feature which sets wireless networks apart from wired networks is that one end of the communication pair is either another wireless client or a wireless access point.

IEEE 802.11b

The most common standard in use today for wireless networks, the 802.11b standard defines DSSS networks that use the 2.4GHz ISM band and communicate at speeds of 1, 2, 5.5 and 11 Mbps.  The 802.11b standard defines the operation of only DSSS devices and is backward compatible with 802.11 DSSS devices.  The standard is also concerned only with the PHY and MAC layers: Layer 3 and higher protocols are considered payload.  There is only one frame type used by 802.11b networks, and it is significantly different from Ethernet frames.  The 802.11b frame type has a maximum length of 2346 bytes, although it is often fragmented at 1518 bytes as it traverses an access point to communicate with Ethernet networks.  The frame type provides for 3 general categories of frames: management frames, control frames, and data.  In general, the frame type provides methods for wireless devices to discover, associate (or disassociate), and authenticate with one another; to shift data rates as signals become stronger or weaker; to conserve power by going into sleep mode; to handle collisions and fragmentation; and to enable encryption through WEP.  With regard to WEP, we should note that the standard defines the use of only 64-bit (also sometimes referred to as 40-bit to add to the confusion) encryption, which may cause issues of interoperability between devices from different vendors that use 128-bit or higher encryption.

Ad-Hoc and Infrastructure Network Configuration

The 802.11 standard provides for two modes for wireless clients to communicate: ad-hoc and infrastructure.  The ad-hoc mode is geared for a network of stations within communication range of each other.  Ad-hoc networks are created spontaneously between the network participants.  In infrastructure mode, access points (APs) provide for a more permanent structure for the network.  An infrastructure consists of one or more access points as well as a distribution system (i.e. wired network) behind the access points which tie the wireless network with the wired network.  Figures 2 and 3 show both an ad-hoc network as well as an infrastructure network respectively.

Ad-Hoc Network Configurations

 

Infrastructure Network Configurations

To distinguish different wireless networks the 802.11 standard defines the SSID (Service Set Identifier).  The SSID can be considered the identity element which “glues” various components of a wireless LAN together.  Traffic from wireless clients which use one SSID can be distinguished from other wireless traffic using a different SSID.  Using the SSID an access point can determine which traffic is meant for it and which is meant for other wireless networks.

802.11 traffic can be subdivided into three parts: control frames, management frames and data frames.  Control frames include such information as Request to Send (RTS), Clear to Send (CTS), and Acknowledgment (ACK) messages.  Management frames include beacon frames, probe request/response, authentication frames, and association frames.  Data frames are, as the name implies, 802.11 traffic that carries data.  That data is typically considered network traffic such as IP encapsulated frames.

WEP

The IEEE 802.11 standard covers the communication between WLAN components. RF poses challenges to privacy in that it travels through and around physical objects. Because of the nature of the 802.11 wireless LANs the IEEE working group implemented a mechanism to protect the privacy of the individual transmissions.  The intent was to mirror the privacy found on the wired LAN and the mechanism became known as Wired Equivalent Privacy or WEP. Because WEP utilizes a cryptographic security countermeasure for the fulfillment of its stated goal of privacy, it has the added benefit of becoming an authentication mechanism. This benefit is realized through a shared key authentication that allows the encryption and decryption of the wireless transmissions. Up to four keys can be defined on an AP or a client, and they can be rotated to add complexity for a higher security standard in the WLAN policy.

WEP was never intended to be the absolute authority in security.  The IEEE 802.11 standard states that WEP provides for protection from “casual eavesdropping”.  Instead, the driving force behind WEP was privacy. In cases that require high degrees of security, other mechanisms should be utilized, such as authentication, access control, password protection, and virtual private networks.

Despite its flaws, WEP still offers some level of security, provided that all its features are used properly. This means great care in key management, avoiding default options, and ensuring adequate encryption is enabled at every opportunity.

Proposed improvements in the standard should overcome many of the limitations of the original security options, and should make WEP more appealing as a security solution. Additionally, as WLAN technology gains popularity, and users clamor for functionality, both the standards committees as well as the hardware vendors will offer improvements. It is critically important to keep abreast of vendor-related software fixes and changes that improve the overall security posture a wireless LAN.

Most APs advertise that they support WEP in at least 40-bit encryption, but often the 128-bit option is also supported. For corporate networks, 128-bit encryption-capable devices should be considered as a minimum. With data security enabled in a closed network, the settings on the client for the SSID and the encryption keys have to match the AP when attempting to associate with the network, or it will fail. The next few paragraphs discuss WEP in its relation to the functionality of the 802.11 standard, including a standard definition of WEP, the privacy created, and the authentication.

WEP provides some security and privacy in transmissions to prevent curious or casual browsers from viewing the contents of the transmissions held between the AP and the clients. In order to gain access, the degree of sophistication of the intruder has to improve, and specific intent to gain access is required. Some of the other benefits of implementing WEP:

• All messages are encrypted using a CRC-32 checksum to provide some degree of integrity.

• Privacy is maintained via the RC4 encryption.  Without possession of the secret key the message cannot be easily decrypted.

• WEP is extremely easy to implement.  All that is required is to set the encryption key on the APs and on each client.

• WEP provides a very basic level of security for WLAN applications.

• WEP keys are user definable and unlimited (within limits).  They can, and should, be changed often.

Rob Shimonski would like to thank Martin Grasdal (contibuting author on the Security+ book) for original content creation. Martin has by far created one of the most outstanding and complete chapters on Wireless fundamentals and security in the Security+ book that you will find anywhere.

This article was written in two parts and is only complete when reading the following Part 2. (If you would like to receive an email when Part 2 of this article is released, subscribe to the WindowSecurity.com Real-Time Article Updates from our Newsletter subscriptions page).

Robert J. Shimonski (Truesecure TICSA, Cisco CCDP, CCNP, Nortel NNCSS, Microsoft MCSE, MCP+I, Novell Master CNE, CIP, CIBS, IWA CWP, DCSE, Prosoft MCIW, SANS GSEC, GCIH, CompTIA Server+, Network+, Inet+, A+, e-Biz+, Symantec SPS and NAI Sniffer SCP) is a Lead Network and Security Engineer for a leading manufacturer company. Robert’s specialties include network infrastructure design with the Cisco and Nortel product line, network security design and management with CiscoSecure and PIX firewalls, network management and troubleshooting with CiscoWorks, CiscoSecure, Sniffer-based technologies, and HPOV. Robert is the author of many security-related articles and published books, including the new Sniffer Network Optimization and Troubleshooting Handbook and the upcoming Security+ Study Guide and DVD Training System both from Syngress Media, Inc. You can contact Robert at [email protected]