sábado, 20 de marzo de 2010

Wireless LAN security


One issue with corporate wireless networks in general, and WLANs in particular, involves the need for security. Many early access points could not discern whether or not a particular user had authorization to access the network. Although this problem reflects issues that have long troubled many types of wired networks (it has been possible in the past for individuals to plug computers into randomly available Ethernet jacks and get access to a local network), this did not usually pose a significant problem, since many organizations had reasonably good physical security. However, the fact that radio signals bleed outside of buildings and across property lines makes physical security largely irrelevant to Piggybackers. Such corporate issues are covered in wireless security.
Anyone within the geographical network range of an open, unencrypted wireless network can 'sniff' or record the traffic, gain unauthorized access to internal network resources as well as to the internet, and then possibly sending spam or doing other illegal actions using the wireless network's IP address, all of which are rare for home routers but may be significant concerns for office networks.
If router security is not activated or if the owner deactivates it for convenience, it creates a free hotspot. Since most 21st century laptop PCs have wireless networking built in (cf. Intel 'Centrino' technology), they don't need a third-party adapter such as a PCMCIA Card or USB dongle. Built in wireless networking might be enabled by default, without the owner realizing it, thus broadcasting the laptop's accessibility to any computer nearby.
Modern operating systems such as Mac OS, or Microsoft Windows make it fairly easy to set up a PC as a wireless LAN 'base station' using Internet Connection Sharing, thus allowing all the PCs in the home to access the Internet via the 'base' PC. However, lack of knowledge about the security issues in setting up such systems often means that someone nearby may also use the connection. Such "piggybacking" is usually achieved without the wireless network operators knowledge; it may even be without the knowledge of the intruding user if their computer automatically selects a nearby unsecured wireless network to use as an access point.

Security options

There are three principal ways to secure a wireless network.
  • For closed networks (like home users and organizations) the most common way is to configure access restrictions in the access points. Those restrictions may include encryption and checks on MAC address. Another option is to disable ESSID broadcasting, making the access point difficult for outsiders to detect. Wireless Intrusion Prevention Systems can be used to provide wireless LAN security in this network model.
  • For commercial providers, hotspots, and large organizations, the preferred solution is often to have an open and unencrypted, but completely isolated wireless network. The users will at first have no access to the Internet nor to any local network resources. Commercial providers usually forward all web traffic to a captive portal which provides for payment and/or authorization. Another solution is to require the users to connect securely to a privileged network using VPN.
  • Wireless networks are less secure than wired ones; in many offices intruders can easily visit and hook up their own computer to the wired network without problems, gaining access to the network, and it's also often possible for remote intruders to gain access to the network through backdoors like Back Orifice. One general solution may be end-to-end encryption, with independent authentication on all resources that shouldn't be available to the public.

Access Control at the Access Point level

One of the simplest techniques is to only allow access from known, approved MAC addresses. However, this approach gives no security against sniffing, and client devices can easily spoof MAC addresses, leading to the need for more advanced security measures.
Another very simple technique is to have a secret ESSID (id/name of the wireless network), though anyone who studies the method will be able to sniff the ESSID.
Today all (or almost all) access points incorporate Wired Equivalent Privacy (WEP) encryption and most wireless routers are sold with WEP turned on. However, security analysts have criticized WEP's inadequacies, and the U.S. FBI has demonstrated the ability to break WEP protection in only three minutes using tools available to the general public (see aircrack).
The Wi-Fi Protected Access (WPA and WPA2) security protocols were later created to address these problems. If a weak password, such as a dictionary word or short character string is used, WPA and WPA2 can be cracked. Using a long enough random password (e.g. 14 random letters) or passphrase (e.g. 5 randomly chosen words) makes pre-shared key WPA virtually uncrackable. The second generation of the WPA security protocol (WPA2) is based on the final IEEE 802.11i amendment to the 802.11 standard and is eligible for FIPS 140-2 compliance. With all those encryption schemes, any client in the network that knows the keys can read all the traffic.

[edit] Restricted access networks

Solutions include a newer system for authentication, IEEE 802.1x, that promises to enhance security on both wired and wireless networks. Wireless access points that incorporate technologies like these often also have routers built in, thus becoming wireless gateways.

 

End-to-End encryption

One can argue that both layer 2 and layer 3 encryption methods are not good enough for protecting valuable data like passwords and personal emails. Those technologies add encryption only to parts of the communication path, still allowing people to spy on the traffic if they have gained access to the wired network somehow. The solution may be encryption and authorization in the application layer, using technologies like SSL, SSH, GnuPG, PGP and similar.
The disadvantage with the end to end method is, it may fail to cover all traffic. With encryption on the router level or VPN, a single switch encrypts all traffic, even UDP and DNS lookups. With end-to-end encryption on the other hand, each service to be secured must have its encryption "turned on," and often every connection must also be "turned on" separately. For sending emails, every recipient must support the encryption method, and must exchange keys correctly. For Web, not all web sites offer https, and even if they do, the browser sends out IP addresses in clear text.
The most prized resource is often access to Internet. An office LAN owner seeking to restrict such access will face the non trivial enforcement task of having each user authenticate himself for the router.

Open Access Points

Today, there is almost full wireless network coverage in many urban areas - the infrastructure for the wireless community network (which some consider to be the future of the internet) is already in place. One could roam around and always be connected to Internet if the nodes were open to the public, but due to security concerns, most nodes are encrypted and the users don't know how to disable encryption. Many people consider it proper etiquette to leave access points open to the public, allowing free access to Internet. Others think the default encryption provides substantial protection at small inconvenience, against dangers of open access that they fear may be substantial even on a home DSL router.
The density of access points can even be a problem - there are a limited number of channels available, and they partly overlap. Each channel can handle multiple networks, but places with many private wireless networks (for example, apartment complexes), the limited number of Wi-Fi radio channels might cause slowness and other problems.
According to the advocates of Open Access Points, it shouldn't involve any significant risks to open up wireless networks for the public:
  • The wireless network is after all confined to a small geographical area. A computer connected to the Internet and having improper configurations or other security problems can be exploited by anyone from anywhere in the world, while only clients in a small geographical range can exploit an open wireless access point. Thus the exposure is low with an open wireless access point, and the risks with having an open wireless network are small. However, one should be aware that an open wireless router will give access to the local network, often including access to file shares and printers.
  • The only way to keep communication truly secure is to use end-to-end encryption. For example, when accessing an internet bank, one would almost always use strong encryption from the web browser and all the way to the bank - thus it shouldn't be risky to do banking over an unencrypted wireless network. The argument is that anyone can sniff the traffic applies to wired networks too, where system administrators and possible crackers have access to the links and can read the traffic. Also, anyone knowing the keys for an encrypted wireless network can gain access to the data being transferred over the network.
  • If services like file shares, access to printers etc. are available on the local net, it is advisable to have authentication (i.e. by password) for accessing it (one should never assume that the private network is not accessible from the outside). Correctly set up, it should be safe to allow access to the local network to outsiders.
  • With the most popular encryption algorithms today, a sniffer will usually be able to compute the network key in a few minutes.
  • It is very common to pay a fixed monthly fee for the Internet connection, and not for the traffic - thus extra traffic will not hurt.
  • Where Internet connections are plentiful and cheap, freeloaders will seldom be a prominent nuisance.
On the other hand, in some countries including Germany [1], persons providing an open access point may be made (partially) liable for any illegal activity conduced via this access point.


Adrian E. Colmenares C.
Sistemas de Comunicaciones Opticos
Fuente:http://en.wikipedia.org/wiki/Wireless_LAN_security



No hay comentarios:

Publicar un comentario