Security concerns continue to circle around WLAN systems. In Part 1 of this three-part set, we'll examine the security challenges faced by systems operating over a wireless medium.

By Praphul Chandra, Telogy Networks
CommsDesign Jul 16, 2002

Rate this article WORSE | BETTER 1 2 3 4 5

Security concerns continue to take center stage in the wireless local-area networking (WLAN) sector. With adoption of wireless LAN (WLAN) systems continuing to increase, the threat of people sniffing in on these networks grows. And with the world in an uproar, corporations, IT managers, and even end users are demanding better security functionality in 802.11-compliant systems.

Despite efforts by the IEEE 802.11 committee, major enhancements still have not occurred in the WLAN sector. In fact, the wireless medium is so open to attacks that today's WLAN networks can be accessed by using a laptop and an empty can of pringles chips (or a coffee can). This is not so surprising once you think about it. The pringles can acts as an antenna (amazingly it provides a gain of up to 15 dB) providing a "tap" (a wireless network scanner/sniffer) into the medium. Once the laptop gets access to the packets flowing through the network, it is an open world from there on.

In order to stop rogue attacks, such as the Pringles example above, WLAN designers must act today and build higher levels of security into their system architectures. This three-part tutorial is designed to help out.

In Part 1 of this article, we'll look at the security challenges created by the wireless medium and the impacts these security challenges have on end users and corpations. Part 2 will add to this discussion by looking at the particular security challenges that 802.11-complaint WLAN systems face. Part 3 will round out the series by delivering a look at several design solutions engineers can employ in order to enhance security in WLAN architectures.

Why all the Fuss
So, why is wireless security such a big issue? The answer is inherent in the question. The wireless nature of the network causes some inherent headaches that wireline designers never have to face. These include:

1. No Physical Boundaries
Accessing data on a network requires physical access to the network. Wired networks have the advantage that this physical access can be controlled by walls and access to buildings which house the network etc.On the other hand, data sent over the wireless medium cannot be constrained by walls or other physical boundaries.

2. Broadcast Medium
The wireless medium is inherently a broadcast medium. This feature combined with the lack of a physical boundary means that a wireless device transmitting data is in fact, broadcasting data in its vicinity. Therefore, any node within range of the WLAN system has full access to the data.

3. Bandwidth Constraints
Bandwidth is one of the most (if not the most) important considerations in wireless networks due to the limited spectrum available for communication. Every message sent over the medium increases the cost of the call. This is the reason why designers aim to minimize signaling messages used in wireless networks. This limitation extends itself to security. Security implementations in wireless networks should also keep to a minimum the amount of control data they exchange.

4. Device Theft
Wireless devices are designed to be small, lightweight, and portable. These are all desirable features to support mobility. However, these features make WLAN systems more susceptible to losses and theft. This means that a security implementation that assumes the person using the device is the authorized user is not completely secure. This case is equivalent to a person losing his credit card.

5. Battery Life
Reducing the size and weight of the devices takes a toll on the battery life available for the device. Since there is only a limited amount of battery life available in portable devices, security implementations cannot expect to have extensive computation on the end-point. This reduces the computational complexity of the algorithms executing at the customer end-point.

6. Limited Storage
Due to their limited size and weight, wireless access devices also have a limited amount of storage available to them. This means that only a limited amount of security-related data can be stored in the mobile devices. Therefore, security implementations must take into account that it may be infeasible to store or cache public-key certificates of other network entities to authorize them.

Wireless Network Threats
Wireless networks may be subject to different kind of attacks. These attacks are usually divided into two broad categories — passive and active. Passive attacks refer to attacks where an intruder gets access to the information that is being exchanged between communicating end-points. However, the intruder's intention is just that — getting access to the information. The more dangerous attacks are those wherein an intruder intends to alter/destroy the communication between the communicating parties. These are known as the active attacks since they require active participation on the intruder's behalf.

There are a host of specific attacks that designers need to contend with. These include eavesdropping, intrusion, hijacking, and denial of service. Let's look at each, starting with eavesdropping.

Since wireless is intrinsically a broadcast medium eavesdropping on information becomes much easier than in the wired world. Anyone equipped with a suitable transceiver in the range of transmission can eavesdrop on the wireless traffic. Eavesdropping is a passive attack. Note that the "range" of transmission can be extended by using multiple antennas at the receiver (eavesdropping) end. However this constitutes intrusion.

Since, in the wireless world, the transmitted information cannot be physically constrained by any practical means, wireless networks are highly susceptible to intrusions by attackers. Intrusion is a passive attack too.

The difference between eavesdropping and intrusion is subtle. The former refers to listening in (i.e. receiving) to data which happens to be in the environment whereas intrusion refers to a conscious part on the intruder's behalf to access data. Intrusion is midway between passive and active attacks.

The power at which a signal is transmitted at any given frequency is not policed by any single entity. Communication channels coexist in the same geographical area by co-operating and following some standards. However, there is no regulatory authority to enforce the power-level policy. This means that a rogue node can capture the channel at any time for long periods of time without letting a well-behaved authorized user to communicate on the channel. On the other hand, a rogue node may also pose as a base station and seduce mobiles to connect to it and collect data (passwords, secret keys logon names etc.) and information from these nodes. This is an example of an active attack.

Denial-of-service attacks are an extension of the active hijacking attacks. In denial-of-service attacks, a rogue node intends to disable all communication on the channel by capturing the channel or posing as a base station to collect node-specific information.

Denial-of-service attacks are destructive in nature and are meant to cause disruption of services. The attack may be launched in the wireless world by jamming the channel frequency. This means transmitting at a very high power at the channel frequency and occupying the whole channel spectrum. This implies that no other node (including the base station) can transmit on the channel.

Practical Considerations
Cryptography is but one part of security. A network is as secure as its network administrator wants it to be. If a network administrator deploys a wireless network and does not enable the security feature, all the hard work of cryptography goes down the drain.

One might wonder, why a network administrator would do such a thing? The answer lies in the real-world problems.

1. Default Settings
Most WLANs are developed around the 802.11 specification. The software developed for these systems comes with security turned off by default. Usually, a network administrator is told to get the network up and running yesterday. Under such deadlines, once the network is up and running, most network administrators prefer not to meddle with the set-up in any way unless it is absolutely necessary.

Since WLAN protocols come with security disabled by default, most organizations do not take the trouble of trying to switch on security once the system is up. Even if the software would have come with security enabled by default, network administrators would probably turn it off initially to get things working "for a start".

Since security adds another layer of complexity to the system, it makes sense to get bare bones wireless network working first. However, once the bare bones network starts working fine, network administrators should put in additional time and effort to enable security before opening up the network to the Internet. Unless corporate policies explicitly allocate time and resources for security, they cannot expect their wireless networks to be secure.

2. Default Passwords
Even in cases where the security option is turned on, many network administrators continue to use the default pre-configured password that is supplied by the vendor. Since the default password is pretty easily accessible, networks using default passwords have a big security loophole.

Network administrators should therefore ensure that passwords are unique and changed periodically. To some extent, equipment vendors can also help in this direction by enforcing that that the default password be changed the first time the security option is turned on.

3. Physical Location
There are other practical steps that network administrators can take to protect their networks. For example, the physical placement of the access point (AP) is an important consideration. Instinctively, APs are placed in a corner of the room to save space and for aesthetic reasons. Since APs are usually omni-directional broadcast devices, placing them in a corner means that the cell created by this AP has more than half the area outside the room. In other words, anyone outside the room within the cell area has as much access to the data as a person inside the room. This is definitely an invitation for intrusion.

4. Unsuspecting Victims
Let us go back to one of the basic questions: Why do we need security? To protect against intruders and rogue nodes.

So, who are these rogue nodes/intruders and why do they want to intrude into networks? Thanks to Hollywood, most people would picture network intruders/hackers as very specialized technical people sitting in dark rooms clicking away at their computers to steal millions of dollars from banks. Even though this is a valid security concern, this image overshadows some of the very real security concerns facing networks today.

Clearly, more people are banking from home. Therefore, if a hacker sniffs into a WLAN network, they do have the chance to steal bank account numbers and more.

However, an even bigger problem, especially for broadband service providers, is bandwidth stealing. A host of end users are combining a router with a WLAN system in order to distribute broadband connections among multiple users. But, since these routers use network address translation (NAT) features, a hacker can tap into the existing wireless network and access the internet or offering WLAN services without the end user of service provider knowing. This could lead to a big revenue hit for today's cash-strapped broadband operators.

This is but one example of how loopholes in wireless security can be exploited. There are numerous cases where corporations do not realize that lack of security is costing them or may cost them dearly.

On to Part 2
That wraps up our initial discussion on wireless security. Part 2 will explore the problems with the wireless encryption protocol (WEP). Note: To view Part 2, Click Here . To view Part 3, Click Here.

References

1. Applied Cryptography — Bruce Schneier.
2. Wireless Security — Randall Nicholas & Panos Lekkas.
3. Unsafe at any key size; An analysis of the WEP encapsulation — Jesse R. Walker (Intel)
4. (In)Security of the WEP algorithm — Nikita Borisov, Ian Goldberg, David Wagner (University of California, Berkeley).
5. Cisco's White Paper on IPSec.
6. Pesky Home Networks Trouble Cable Behemoths -- Steven M. Cherry (IEEE Spectrum, April 2002)
7. An Initial Security Analysis of the IEEE 802.11X standard — Arunesh Mishra, William A.Arbaugh (University of Maryland, College Park)
8. Making Unbreakable Code -- Justin Mullins (IEEE Spectrum, May 2002)