WIRELESS NETWORK SECURITY (WIFI) - PART II

FIRST STEPS TO SECURE A WIRELESS NETWORK

ADAPTED INFRASTRUCTURE

The first thing to do when installing a wireless network is to position the access points intelligently according to the zone you wish to cover. It is not rare, however, for the area actually covered to be much larger than desired; in that case the transmit power of the access point can be reduced to match its range to the intended coverage zone.

AVOID DEFAULT VALUES
When an access point is installed for the first time, it is automatically configured with default values, including the administrative password. A great number of administrators believe that once the network is functional there is no need to modify the access point's configuration. However, the default settings offer minimal security, so it is imperative to connect to the administrative interface (generally a Web interface on a specific port of the access point) and define a new administrative password.

In addition, connecting to an access point requires knowing the network's identifier (SSID). It is therefore highly recommended to change the network name and to stop the access point from broadcasting it. Changing the identifier is all the more significant because the default name can give hackers information on the brand or model of the access point in use.

MAC address filtering
Each network adapter has a physical address (called a MAC address). This address is written as 12 hexadecimal digits grouped in pairs and separated by hyphens or colons. An access point generally makes it possible, from its internal configuration interface, to manage a list of access rights (called an ACL) based on the MAC addresses of the equipment authorized to connect to the wireless network.
This restrictive precaution limits network access to a set number of machines. On the other hand, it does not resolve the confidentiality problem of the exchanges themselves.

WEP-WIRED EQUIVALENT PRIVACY
To cure the comparable confidentiality problems of wireless networks, the 802.11 standard integrated a simple data encryption mechanism called WEP (Wired Equivalent Privacy).
WEP is a security protocol for wireless local area networks (WLAN) defined in the 802.11 standard. It uses the RC4 stream cipher, with the keystream generated from a 64- or 128-bit key, and begins with the definition of a secret key of 40 or 128 bits. WEP seeks to establish protection similar to that offered by a wired network's physical security measures by encrypting the data transmitted over the WLAN. Data encryption protects the vulnerable wireless link between clients and access points; once this measure has been taken, the other typical LAN security mechanisms such as password protection, end-to-end encryption, virtual private networks (VPNs) and authentication can be put in place to ensure privacy.
The session key is shared between all the stations and is static, i.e. to deploy a large number of WiFi stations it is necessary to configure them all with the same session key. Thus knowledge of the key is sufficient to decipher the communications.
The password you enter takes up either 40 or 104 bits, and in both cases a 24-bit random number (the initialization vector, IV) is added, giving 64-bit and 128-bit keys in total. You may see 40/64 and 104/128 used interchangeably depending on context: the larger numbers refer to the total key and the smaller numbers to the actual password.
With a 40-bit key, a brute-force attack (i.e. testing every possible combination) can very quickly lead the hacker to the session key. Moreover, a flaw found by Fluhrer, Mantin and Shamir in the way the random number sequence is generated makes it possible to recover the session key by collecting 100 MB to 1 GB of intentionally generated traffic.
WEP is not enough to guarantee data confidentiality. Nevertheless, it is highly advised to implement at least 128-bit WEP protection in order to ensure a minimum level of confidentiality and to avoid 90% of intrusion risks.
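As an added illustration, not code from the original article, the key layout described above in working form: the 40- or 104-bit secret has the 24-bit IV prepended to form the RC4 key, a CRC-32 integrity check value (ICV) is appended to the payload, and the IV travels in clear. The secret, IV and frames are constructed sample values; the last function shows why the static shared key and the 24-bit IV matter, since two frames sent under the same IV share one keystream.

```python
import struct
import zlib

def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 as WEP uses it: key scheduling (KSA), then n keystream bytes (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(secret: bytes, iv: bytes, payload: bytes) -> bytes:
    """secret: the 40-bit (5-byte) or 104-bit (13-byte) password from the text.
    iv: the 24-bit value sent in clear. RC4 key = IV || secret, i.e. 64 or 128 bits."""
    assert len(secret) in (5, 13) and len(iv) == 3
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)  # CRC-32 integrity check value
    data = payload + icv
    return iv + xor_bytes(data, rc4_keystream(iv + secret, len(data)))

def wep_decrypt(secret: bytes, frame: bytes):
    """Returns the payload, or None when the ICV does not verify (wrong key or corrupted frame)."""
    iv, body = frame[:3], frame[3:]
    data = xor_bytes(body, rc4_keystream(iv + secret, len(body)))
    payload, icv = data[:-4], data[-4:]
    if struct.unpack("<I", icv)[0] != (zlib.crc32(payload) & 0xFFFFFFFF):
        return None
    return payload

def iv_reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Why a static key plus a 24-bit IV matters: two equal-length frames sent under the
    same IV use the same keystream, so XORing the ciphertexts cancels it and exposes the
    XOR of the two plaintexts without any knowledge of the secret."""
    assert frame_a[:3] == frame_b[:3] and len(frame_a) == len(frame_b)
    return xor_bytes(frame_a[3:-4], frame_b[3:-4])
```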

IMPROVING AUTHENTICATION
To manage authentication, authorization and accounting effectively, it is possible to resort to a RADIUS server (Remote Authentication Dial-In User Service). The RADIUS protocol (defined by RFC 2865 and RFC 2866) is a client/server system allowing proper management of user accounts and their associated access rights.

VPN INSTALLATION
For all communications requiring a high level of security, it is preferable to use strong encryption by setting up a virtual private network (VPN).

Next articles:
May 2007 : WPA and WPA2 802.11i security
June 2007 : EAP - 802.1X security
July 2007 : VPN virtual private network