Thursday, October 22, 2009

LEC 7:: WIRELESS SECURITY


Wireless LANs
IEEE ratified 802.11 in 1997.
-Also known as Wi-Fi.
Wireless LAN at 1 Mbps & 2 Mbps.
WECA (Wireless Ethernet Compatibility Alliance) promoted interoperability.
-Now Wi-Fi Alliance
802.11 focuses on Layer 1 & Layer 2 of OSI model.
-Physical layer
-Data link layer

A wireless local area network (WLAN) links two or more devices using some wireless distribution method (typically spread-spectrum or OFDM radio), and usually provides a connection through an access point to the wider internet. This gives users the mobility to move around within a local coverage area and still be connected to the network.

Wireless LANs have become popular in the home due to ease of installation and the increasing popularity of laptop computers. Public businesses such as coffee shops and malls have begun to offer wireless access to their customers, sometimes for free.

Types of wireless LAN

::Peer to peer::
An ad-hoc network is a network where stations communicate only peer to peer (P2P). There is no base and no one gives permission to talk. This is accomplished using the Independent Basic Service Set (IBSS).

A peer-to-peer (P2P) network allows wireless devices to directly communicate with each other. Wireless devices within range of each other can discover and communicate directly without involving central access points. This method is typically used by two computers so that they can connect to each other to form a network.

If a signal strength meter is used in this situation, it may not read the strength accurately and can be misleading, because it registers the strength of the strongest signal, which may be the closest computer.

IEEE 802.11 defines the physical layer (PHY) and MAC (Media Access Control) layers based on CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance). The 802.11 specification includes provisions designed to minimize collisions, because two mobile units may both be in range of a common access point, but out of range of each other.

802.11 has two basic modes of operation. Ad hoc mode enables peer-to-peer transmission between mobile units. In infrastructure mode, mobile units communicate through an access point that serves as a bridge to a wired network infrastructure; this is the more common wireless LAN application and the one being covered. Since wireless communication uses a more open medium than wired LANs, the 802.11 designers also included shared-key encryption mechanisms to secure wireless computer networks: Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA, WPA2).

::Bridge::

A bridge can be used to connect networks, typically of different types. A wireless Ethernet bridge allows the connection of devices on a wired Ethernet network to a wireless network. The bridge acts as the connection point to the Wireless LAN.

::Wireless distribution system::

A Wireless Distribution System is a system that enables the wireless interconnection of access points in an IEEE 802.11 network. It allows a wireless network to be expanded using multiple access points without the need for a wired backbone to link them, as is traditionally required. The notable advantage of WDS over other solutions is that it preserves the MAC addresses of client packets across links between access points.

An access point can be either a main, relay or remote base station. A main base station is typically connected to the wired Ethernet. A relay base station relays data between remote base stations, wireless clients or other relay stations to either a main or another relay base station. A remote base station accepts connections from wireless clients and passes them to relay or main stations. Connections between "clients" are made using MAC addresses rather than by specifying IP assignments.

All base stations in a Wireless Distribution System must be configured to use the same radio channel, and share WEP keys or WPA keys if they are used. They can be configured to different service set identifiers. WDS also requires that every base station be configured to forward to others in the system.

WDS may also be referred to as repeater mode because it appears to bridge and accept wireless clients at the same time (unlike traditional bridging). It should be noted, however, that throughput in this method is halved for all clients connected wirelessly.

When it is difficult to connect all of the access points in a network by wires, it is also possible to put up access points as repeaters.

WPA and WEP

WPA and WEP are technologies that "encrypt" the traffic on your network. That is, they scramble it so that an attacker can't make any sense of it. To unscramble it at the other end, all systems using it must know a "key" or password.

Note that WPA is now in a second generation, referred to as WPA2. Unless otherwise specified, this document uses "WPA" to refer to both.

WPA and WEP provide both access control and privacy. Privacy comes from the encryption. Access control comes from the fact that someone must know the password to use your network.

For this reason, for small networks, using WPA is enough to meet the requirements of the Wireless policy. However, you will still want to make sure that any services that use a password or other private information use SSL or some other type of end-to-end encryption.

WEP is significantly less secure than WPA, but can be used until your equipment can be upgraded to support WPA. While WEP is widely regarded as insecure, it is still a lot better than nothing.

WPA has two modes, personal and enterprise. For small installations you'll want to use personal mode. It just requires a password. Enterprise mode is for larger installations that have a RADIUS server that will support WPA.

The primary problem with WPA in personal mode is that it has a single password, which you must tell to all users. That becomes impractical for larger installations.

WPA in enterprise mode requires each user to log in with their own username and password. That simplifies management in large installations, because you don't have to distribute a common password to all your users. However, it is a bit more complex to implement:

* Each user's system must have special software to let the user log in to the network. This software is referred to as an "802.1x supplicant".
* The access point must support WPA enterprise mode. The access point is configured to talk to a RADIUS server, which is a central server that actually checks the password.
* You must have a RADIUS server that supports WPA enterprise mode. While the RADIUS server may have its own list of usernames and passwords, it would be more common for it to talk to an LDAP or Active Directory server, so that users log in to the network with the same password that they use for other services.

For this reason, most large implementations at Rutgers do not use enterprise mode. Instead they use separate gateway boxes for access control, and depend upon end-to-end encryption for privacy. One can argue that this is not as secure as WPA enterprise mode, but it avoids the support implications of requiring users to log in to the network with an 802.1x supplicant.

Choosing a good password

It is critical to use a good password. There are attacks against WPA that will break your security if your password uses words or any other well-known sequences. WPA allows passwords as long as 63 characters. We strongly recommend using a long random password, or at the very least a long phrase (at least 20 characters, but preferably longer). The phrase should not be taken from any web site or published work. Most software saves the password, so you only need to type it once on each system.

Even better than a long phrase is a truly random password. For example, consider using http://rulink.rutgers.edu/random.php3. This generates a random 32-character hex string. You can combine two of them (and leave off one character) to get a 63-character password.
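
The same 63-character random hex password can be generated locally from the operating system's random source instead of a web page. The sketch below is an added example, not part of the original notes: it builds the password, checks it against the WPA personal-mode limits, and derives the 256-bit pre-shared key the way the 802.11i standard specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations). The function names and the SSID "ExampleNet" are assumptions made for the illustration.

```python
import hashlib
import math
import secrets

WPA_MIN_LEN, WPA_MAX_LEN = 8, 63   # WPA personal passphrase length limits
HEX_ALPHABET = "0123456789abcdef"


def random_hex_passphrase(length: int = WPA_MAX_LEN) -> str:
    """Return `length` hex characters drawn from the OS CSPRNG."""
    if not WPA_MIN_LEN <= length <= WPA_MAX_LEN:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    # token_hex(n) returns 2*n characters; over-generate and trim, which is
    # the same as joining two 32-character strings and dropping one character.
    return secrets.token_hex((length + 1) // 2)[:length]


def is_valid_wpa_passphrase(passphrase: str) -> bool:
    """Check the length limits and the printable-ASCII requirement."""
    return (WPA_MIN_LEN <= len(passphrase) <= WPA_MAX_LEN
            and all(32 <= ord(ch) <= 126 for ch in passphrase))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a string whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit pre-shared key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not is_valid_wpa_passphrase(passphrase):
        raise ValueError("not a valid WPA passphrase")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    passphrase = random_hex_passphrase()
    bits = entropy_bits(len(passphrase), len(HEX_ALPHABET))
    print("passphrase:", passphrase)
    print("entropy   : %.0f bits" % bits)
    # "ExampleNet" is a constructed SSID used only for this demonstration.
    print("PSK       :", derive_psk(passphrase, "ExampleNet").hex())
```

Because the key depends only on the password and the SSID, its strength is bounded by how hard the password is to guess; 63 random hex characters carry 252 bits, close to the full 256-bit key size.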
