Security Definition and Analysis

Informally, data security is defined in terms of three attributes, all of which must be maintained to ensure security. My definition is not meant to be formal. In this section, I'm trying to take a fundamental approach to security by showing how wireless LAN security fails and how some of the failures can be solved by applying solutions the industry has already developed.

Integrity

Broadly speaking, integrity is compromised when data is modified by unauthorized users. ("Has somebody improperly changed the data?")

Secrecy

Of the three items, secrecy is perhaps the easiest to understand. We all have secrets and can easily understand the effect of a leak. ("Has the data been improperly disclosed?")

Availability

Data is only as good as your ability to use it. Denial-of-service attacks are the most common threat to availability. ("Can I read my data when I want to?")

Wireless LAN technology has taken a fair number of knocks for its failures in all three areas. Most of the notable stories have focused on the secrecy aspect, both in terms of the fundamental flaws in early encryption protocols that allowed relatively easy eavesdropping and the lack of strong user authentication. However, other flaws are present. Injecting traffic into wireless LANs has been difficult to prevent before recent protocol developments, and the lack of frame authentication has made service denial too easy.

Network and computer security is often an issue of risk management, and wireless security is no exception. There are many ways to bolster the security of your wireless network, and many products can help meet your needs. Before building anything, start with a roadmap of what you want to do. What network security issues are the most important for your network? Based on the risks that your hot-button issues pose, how much can be spent to mitigate them? This chapter provides a brief sketch of the issues you may wish to consider. More complete treatments can be found in some key government publications, including the National Institute of Standards and Technology's Special Publication series on computer security. Special Publication 800-48 discusses many of the issues related to wireless LANs, although it does not have a great deal of detail on 802.1X.[*] NIST is also responsible for producing Federal Information Processing Standards (FIPS); some FIPS publications address the challenges of building a secure network environment.

[*] NIST SP 800-48 can be found at http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf.

Wireless LAN Security Problems

A steady stream of security research and analysis followed the publication of the initial 802.11 standard. Security was not designed into the initial specification, which left networks open to unauthorized users and failed to protect data in flight over the network. By design, wireless LANs are flexible. Flexibility is often a boon; in the case of technology that can be deployed without proper security considerations, flexibility may also be a curse.

Your credentials, please: authentication

Authorizing users depends on identifying them. To make the distinction between people who should have access to data and those who should not, cryptography can be used to provide authentication. Only after the network has identified a user can it establish the cryptographic keys used for confidentiality protocols. One of the failings of early protocols is that they authenticated the hardware people used, rather than the users themselves. While there is often a tie between user and machine, it is not as consistent and predictable as it might seem at first glance.

Several approaches have been developed to improve on the initial 802.11 authentication types. One of the most common was to build a transparent proxy that would trap web requests and redirect them to a custom portal page for authentication purposes. Web authentication can successfully improve authentication by using encrypted pages, but it does not provide stronger encryption because it cannot be used to derive keys for link-layer security protocols.

Secrecy over the air: encryption

Keeping data traveling across a wireless link secret is the first challenge that wireless networks of any type must meet. Without physical boundaries, data will be present quite literally "in the air," readily available to anybody with the appropriate receiver equipment. In the case of 802.11 wireless LANs, the appropriate receiver is your favorite 802.11 network interface, perhaps bolstered by a high-gain external antenna.

Keeping data out of the hands of the "wrong" people requires cryptographic controls. Cryptography must be used to protect all data from attackers who passively listen for frames and analyze their contents. Like a broad-spectrum antibiotic, cryptography can serve the goal of confidentiality by protecting data from everybody who should not have it. Data confidentiality is typically maintained by an encryption protocol that provides only authorized users with the keys to access the data, and ensures the data is not tampered with in flight.

Secrecy and integrity of the whole network: rogue access points

If you mention the phrase "wireless security" to most network engineers, you will get a response that is heavily focused on securing the radio link by providing appropriate cryptographic operations to secure the link. Secrecy is also a matter of keeping unauthorized users off the network, whether it is the wired network or the wireless network.

Wireless networks have the potential to be a side door into the network that is not protected by appropriate security mechanisms. If access points are connected incorrectly to a secure internal network, they may afford a route into the network that bypasses the perimeter security that is in place. Many network managers also worry about unauthorized (or "rogue") access points that may be connected to the network without permission. Rogue devices are often consumer electronics, with all the security and reliability implied by that statement.

In the end, rogue devices are not a particularly interesting security problem. Every new wave in networking has brought risk, but ultimately, that risk has been addressed. Rogue devices are no different. The linchpin of a rogue-device strategy is to locate them and limit the damage they can do.

Locating unauthorized devices can be accomplished in several ways. The oldest and crudest location method is to use Netstumbler on a laptop and walk around looking for APs. When unauthorized devices are detected, the laptop carrier can take smaller steps in an attempt to pin down the physical location. Netstumbler is a simplistic tool, and most 802.11 interfaces can offer only a rough indication of signal strength. Wireless protocol analyzers offer a step up from simply walking around. Many analyzers offer additional features to help track down unauthorized access points, such as directional antennas to aid in the search, or specialized "find" modes that report the running signal strength in real time. Even without directional antennas, a search mode that reports rapid change in signal strength can be quite effective in homing in on a device; I have been able to track down an AP in a few minutes using an AirMagnet analyzer.

Walking around to locate devices is problematic, especially since users eventually learn to recognize the AP hunters and turn off unauthorized devices. Rather than using a labor-intensive search process, network engineers are turning increasingly to network-based solutions. By placing radio probes strategically throughout an area, administrators can watch for devices as they are powered on. Multiple listeners can be used to locate a device from the listeners' known positions and the signal strength each of them receives. Probe-based tools can be a special mode in a distributed analyzer, a specialized wireless IDS, or a feature in a centralized AP management system. Some network-based systems even offer the ability to respond to unauthorized devices by jamming or otherwise acting to deny service, but these abilities probably need to be refined before they can see widespread deployment.
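As an added illustration of the probe-based approach (example code, not from the book or any product it names), the following compares the BSSIDs heard by several fixed probes against an authorized list and estimates where each unauthorized AP is, using a log-distance path-loss model to turn RSSI into a rough distance and weighting each probe's position accordingly. The probe positions, RSSI readings, MAC addresses and path-loss parameters are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed data: three fixed probes at known (x, y) positions in metres.
PROBES = {"p1": (0.0, 0.0), "p2": (30.0, 0.0), "p3": (0.0, 30.0)}

# Constructed list of the BSSIDs the administrator actually deployed.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

# Constructed observations: (probe, BSSID heard, RSSI in dBm).
OBSERVATIONS = [
    ("p1", "00:11:22:33:44:55", -45),
    ("p2", "00:11:22:33:44:55", -70),
    ("p3", "00:11:22:33:44:55", -72),
    ("p1", "de:ad:be:ef:00:01", -60),   # hypothetical unauthorized AP
    ("p2", "de:ad:be:ef:00:01", -50),
    ("p3", "de:ad:be:ef:00:01", -75),
]


def rssi_to_distance(rssi, rssi_at_1m=-40.0, path_loss_exp=3.0):
    """Log-distance path-loss model: rssi = rssi_at_1m - 10*n*log10(d).
    The reference level and exponent are assumed values; real deployments
    calibrate them per building."""
    return 10 ** ((rssi_at_1m - rssi) / (10 * path_loss_exp))


def estimate_position(readings):
    """Weighted centroid of the probes that heard the device: probes with a
    smaller estimated distance pull the estimate harder (weight 1/d^2)."""
    x = y = total = 0.0
    for probe, rssi in readings:
        px, py = PROBES[probe]
        w = 1.0 / rssi_to_distance(rssi) ** 2
        x, y, total = x + w * px, y + w * py, total + w
    return (x / total, y / total)


def find_rogues(observations, authorized):
    """Return {bssid: (x, y)} for every BSSID not in the authorized list."""
    by_bssid = defaultdict(list)
    for probe, bssid, rssi in observations:
        by_bssid[bssid].append((probe, rssi))
    return {b: estimate_position(r) for b, r in by_bssid.items()
            if b not in authorized}


if __name__ == "__main__":
    for bssid, (x, y) in find_rogues(OBSERVATIONS, AUTHORIZED_BSSIDS).items():
        print(f"unauthorized AP {bssid} estimated near ({x:.1f} m, {y:.1f} m)")
```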

Network integrity: traffic injection

As with wired Ethernet, frame spoofing is simple on 802.11. If no encryption protocols are used, a malicious user can simply assign a MAC address to an 802.11 interface and spoof away. Unlike Ethernet, however, 802.11 uses a physical medium that diffuses easily through space. Rather than attaching to the physical medium, 802.11 devices are immersed in it. Ensuring that frames in the air belong to the network and are legitimately authorized traffic is a difficult proposition that requires a whole suite of cryptographic protocols. In addition to improved encryption, WPA offers encryption protocols that authenticate each frame to prevent forgery and injection attacks.

As with many other problems, the risk of traffic injection may depend on several factors. Many enterprise networks are probably at higher risk for eavesdropping than for traffic injection. Spoofing frames may be a major risk for service providers, however, because spoofed traffic does not generate revenue.

Network availability: denial of service

There are two major types of denial of service against 802.11 networks. At the radio layer, noise can severely disrupt communications. Any source of radio noise in the 802.11 frequency bands has the potential to interrupt communications. Attackers may use noise that is known to completely disrupt communications to prevent any data from flowing. Short of building a Faraday cage for an entire building, the best that can be done is to track down the noise source and shut it off. In most cases, noise sources are not operated maliciously, and it suffices to track them down. Some handheld devices can report noise levels, which can help to find noise sources.

Even with TKIP and CCMP, only frames that carry user data payloads will have proof of the transmitter address. Management and control frames are not authenticated, and can easily be spoofed. Denial-of-service attacks are trivial because an attacker need only learn the MAC address of an AP to begin sending Disassociation or Deauthentication messages. At some point, it is probable that important control messages will also be authenticated by the 802.11 protocol. Until that point, network administrators can either deploy a tool that will attempt to detect forged control frames, or live with the risk.
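The detection tool mentioned above can be as simple as rate analysis: a legitimate AP sends Deauthentication and Disassociation frames only occasionally, so a burst of them from one transmitter address is the signature of a forging tool. The following is an added example (not from the book) that runs such a sliding-window check over a constructed capture; the AP and client addresses, timestamps and thresholds are assumptions.

```python
from collections import defaultdict, deque

AP_MAC = "00:11:22:33:44:55"       # assumed address of the legitimate AP

# Constructed capture records: (timestamp s, subtype, transmitter, receiver, reason code).
# Reason codes follow 802.11 (3 = station leaving, 7 = class 3 frame from
# non-associated station, 8 = station leaving BSS); they are reported, not used to decide.
SAMPLE_FRAMES = [
    (0.00, "beacon",   AP_MAC, "ff:ff:ff:ff:ff:ff", None),
    (0.10, "deauth",   AP_MAC, "aa:bb:cc:dd:ee:01", 7),   # burst carrying the
    (0.15, "deauth",   AP_MAC, "aa:bb:cc:dd:ee:02", 7),   # AP's address as source
    (0.20, "deauth",   AP_MAC, "aa:bb:cc:dd:ee:03", 7),
    (0.25, "deauth",   AP_MAC, "aa:bb:cc:dd:ee:01", 7),
    (0.30, "deauth",   AP_MAC, "aa:bb:cc:dd:ee:02", 7),
    (0.35, "deauth",   AP_MAC, "aa:bb:cc:dd:ee:03", 7),
    (0.40, "disassoc", AP_MAC, "ff:ff:ff:ff:ff:ff", 8),
    (5.00, "deauth",   "00:11:22:33:44:66", "aa:bb:cc:dd:ee:09", 3),  # lone, benign
]

DISCONNECT_SUBTYPES = {"deauth", "disassoc"}


def detect_disconnect_floods(frames, window=1.0, threshold=5):
    """Alert once per transmitter that sends more than `threshold`
    Deauthentication/Disassociation frames inside any `window` seconds.
    `frames` must be sorted by timestamp, as a live capture is."""
    recent = defaultdict(deque)      # transmitter -> timestamps still in window
    targets = defaultdict(set)       # transmitter -> receivers it disconnected
    alerts, alerted = [], set()
    for ts, subtype, tx, rx, reason in frames:
        if subtype not in DISCONNECT_SUBTYPES:
            continue
        q = recent[tx]
        q.append(ts)
        targets[tx].add(rx)
        while q and ts - q[0] > window:   # drop frames older than the window
            q.popleft()
        if len(q) > threshold and tx not in alerted:
            alerted.add(tx)
            alerts.append({"transmitter": tx, "count": len(q),
                           "first": q[0], "last": ts,
                           "targets": sorted(targets[tx]), "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in detect_disconnect_floods(SAMPLE_FRAMES):
        print(f"possible forged disconnect flood from {a['transmitter']}: "
              f"{a['count']} frames in {a['last'] - a['first']:.2f}s")
```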

Network integrity and availability: rogue clients

Wireless security protocols are designed to authenticate and authorize users, but users often use different machines. Many users like to bring personal machines to the office and connect them to their employer's network. Personal machines usually do not have the full complement of protective software and configuration that employer-owned machines do. At home, personal machines may be connected directly to the unfiltered fury of the Internet and infected with all manner of viruses and worms. When a virus-laden machine is connected to the network, it can easily act as a vector to bypass strong perimeter security.

The "viral vector" often comes up when discussing wireless LAN security, even though it is a generic security problem. Any machine brought into the office and connected to the network can bring malware, whether it is connected to a copper network or a radio network. Two major threads are emerging to deal with viral vectors. One is to push virus scanning out to the edge of the network by incorporating virus scanners and similar tools into network switches. In the long term, this strategy may work; in the short term, I do not understand how the dissimilar requirements of virus scanning and malware detection (high CPU load, large memory requirements) can be reconciled with existing switch hardware, which is typically designed around a set of specialized packet-forwarding chips with only a limited general-purpose processor.

The second thread is now beginning to emerge. Many networks based on Microsoft technology are, practically speaking, required to use Microsoft's machine authentication. To ensure that a user is working with an authorized machine that has appropriate security protections, authentication servers need to tie the user authentication to the machine authentication. Some 802.1X authenticators offer the ability to tie the two authentications together, although doing so is not cryptographically sound because the two authentications are not strongly bound. RADIUS server vendors are beginning to implement similar methods of correlating the two authentications. It seems likely that if the authentication bonding approach is successful, new authentication protocols (or protocol options) will be devised to add proven cryptographic security to the bond.

Network integrity: traffic separation

Networks are usually built to serve multiple groups of users. The groups are often separate and should not share data. User group separation may be enforced on the backbone by VLANs, packet filters, and firewalls. Retaining user group separation on the wireless link requires giving different cryptographic keys to different groups. This concept was discussed in the previous chapter's virtual AP architecture.

Traffic separation works best when it can be enforced at the edge of the network. It is relatively rare for a service provider to be able to dictate software configuration to customers. Very few, if any, service providers could specify a particular vendor's VPN client for use on a public network. However, it is much easier to mandate the use of built-in 802.1X software to enforce privilege separation.

Traffic separation may not have a role in enterprise 802.11 networks, especially when they are new and relatively small. However, the definition of "service provider" can be quite expansive with a flexible network. Many colleges are interested in using 802.11 to save cabling cost in new construction or renovations, as well as to enable a third party to sell Internet access to increase revenue. Many cities are working towards the same goal, especially at sites that already provide Internet access, such as libraries. Public users will be placed on an Internet-only network that is already made available to patrons, while a separate network may be used by city employees. It may be desirable to further separate municipal employees by department, especially if some of them handle protected data, such as election returns or public health information. Flexibility may also assist cities in accomplishing their social goals if existing venues such as libraries can be easily used by employees.
