Wireless LAN Operational Security Requirements

Operational security of the wireless LANs deals with the security primitives that provide a flawless operation of a wireless LAN. Operational security must be implemented to avoid any threats that can affect the day−to−day operation of a wireless LAN.

Most such threats are possible due to poorly configured wireless LAN setup, the inherent radio frequency−based transmission medium, the technologies and the protocols used to transmit the data, or insufficient user authentication.

We'll look at the general security requirements that are necessary to ensure the operational security of a wireless LAN. We also examine the need for securing wireless access points (APs), the radio frequency (RF) methods that are used to transmit data over the airwaves, link−level security that allows wireless equipment to operate in a wireless LAN, and wireless LAN authentication. We also talk about the most common known attacks on wireless LANs.

Wireless Access Point (AP) Security

Most wireless LANs operate in infrastructure mode where a wireless access point (AP) coordinates communication among its users by acting as a hub and transmitting data received from one user to another.

For example, let's assume a wireless LAN that consists of two users (Alice and Bob) with computers equipped with wireless LAN adapters (along with necessary software and drivers) and an access point.

In this example, when user Alice sends a message to user Bob, Alice's wireless LAN adapter transmits the data to the AP, which in turn looks at the data packet that is intended for Bob, and transmits the data to Bob.

The use of APs to route all the traffic among its users makes a wireless LAN less reliable, as all the users on a given wireless LAN share the same AP. This may result in a single point of failure, where anything happens to the AP.

For example, if an AP gets too busy or it is hacked, it affects the performance of the entire network. In addition to the single−point−of−failure APs, most APs that are available today can be managed using a wireless connection.

This management feature, though extremely useful, allows an adversary to attempt to break into the security of an AP and possibly take over its operation. The number and types of attacks on wireless APs has been growing steadily, and will continue to do so as they become more popular and widespread in deployment.

These attacks are easy to launch and some can be difficult to detect on your network via traditional means. The most commonly known attack on an AP is conducted by a wireless LAN adapter that constantly sends messages to an AP, making it so busy that it cannot reply to the messages sent by real users of a network.

This attack is known as a denial−of−service (DoS) or flood attack, as the AP is flooded with bad requests from the rogue wireless LAN adapter making the AP too busy to service genuine requests from authorized users.

Besides flooding attacks, there are other attacks—for example, AP administration attacks, in which an AP is highjacked by an adversary who then controls all traffic through the AP.

In scenarios where an AP connects a wireless LAN to a wired LAN, more advanced attacks can be launched that target the wireless LAN as well as the wired LAN to which the wireless LAN is connected.

Therefore, it is important to use APs that include measures to defeat the known attacks. For example, a secured wireless LAN must contain APs that have built−in authentication mechanisms for authenticating both the network users and the users who are allowed to manage the AP features.

Carefully designed APs also contain primitives for securing against DoS. More advanced APs come with a built−in router and a firewall to prevent unauthorized traffic to enter the wireless LAN.

Radio Frequency (RF) Method

The data in a wireless LAN travels over the airwaves by using radio frequency as the carrier. Using radio frequency as the carrier means the transmitting LAN device.

For example, a wireless LAN adapter—superimposes the data on a predefined radio frequency and then transmits it over the air. The receiving LAN device separates the data from the carrier wave, converts it into digital signal, and interprets accordingly.

The security of the data transmitted over the air can be affected in many ways, some of which include: jamming the radio frequency, which makes a wireless LAN inoperable, and eavesdropping on the authentication of the data, which reveals the user information.

A typical wireless LAN has a range of up to 300 meters per AP. Under most circumstances and depending on the placement of the AP, just like cordless phones, the waves carrying the signals can easily penetrate through the walls.

It is, therefore, important that the APs be placed at or near the center of a wireless LAN site to reduce the distance that the airwaves can travel. The method used to transmit the data over the airwaves is also of prime importance when considering the security of a wireless LAN.

There are many different methods used today to transmit the data in a wireless LAN. The most common are direct−sequence spread spectrum (DSSS) and frequency−hopping spread spectrum (FHSS).

FHSS is considered more secure and resilient to attacks compared to DSSS. In FHSS, the channel at which data is transmitted keeps switching, whereas in DSSS the data is transmitted at a fixed channel.

When choosing a wireless technology, it is important to choose a technology that provides the best RF security primitives. The most current available wireless LAN equipment—for example, 802.11−standard devices—utilizes the DSSS method.

Link−Level or Network Adapter Authentication

Many wireless LANs authenticate users based on link−level authentication, in which a network adapter in a wireless LAN communicates with an AP or with another adapter that identifies itself using its media access control (MAC) address.

MAC addresses are 48 bits long, expressed as 12−hexadecimal digits (0 to 9, plus A to F, capitalized). These 12−hex digits consist of the first 6 digits (which should match the vendor of the Ethernet interface within the station) and the last 6 digits, which specify the interface serial number for that interface vendor.

These addresses are usually written hyphenated by octets (for example, 12−34−56−78−9A−BC). By industry standards, MAC addresses are burnt into and printed on the network adapters used to communicate in a wireless.

If configured properly, most wireless LAN APs are designed so that they can authenticate a user based on the MAC identifiers that are preprogrammed in the AP by the administrator.

That means that APs let in only those network adapters, and hence users, that identify themselves with known MAC addresses. The MAC−based authentication is considered complex and cumbersome because it requires every AP in a network to have the MAC address of every adapter that might use the AP services.

MAC−based authentication is also considered weak because of the availability of LAN adapters that can be reprogrammed to use a different MAC address.

In such a case, a hacker acquires a wireless LAN adapter that is programmable and reprograms the adapter to use a MAC address that is known by a network he or she wants to attack. The hacker then conducts an attack by bringing his or her computer equipped with a rouge LAN adapter within the radio range of the AP.

The LAN adapter with the forged MAC address leads the AP into believing that it is a previously authorized network adapter and successfully gains access to the LAN. MAC−based authentication should be used only as a supplementary authentication method.

If MAC−based authentication is used, the network becomes vulnerable to such rogue wireless LAN adapters, which may impersonate an authorized wireless LAN adapter to gain access to the network.

Network Authentication

If a communication link is successfully established between two wireless LAN devices (for example, an AP and an adapter), the next step by a user is to establish a network session by authenticating himself or herself to the network (AP or an authentication server that an AP uses).

Unfortunately, most currently available wireless LAN technologies do not include a robust mechanism for network authentication.

Most network technologies—for example, 802.11−standard devices—only allow a service set identifier (SSID)−based authentication, in which each AP is assigned a unique identifier consisting of letters and numbers and broadcasts this identifier to show its presence.

All wireless LAN devices use this identifier to communicate with the AP. The SSID−based authentication is extremely weak and only provides AP identification. The SSIDs are easily programmable on most APs.

An attack on APs, known as rogue AP attack, is the most popular attack that involves an adversary planting an AP in a wireless LAN with the SSID set to the one that is used by the network users.

If the network relies only on the SSID of an AP for its authentication, the rogue AP successfully gains access to all the incoming traffic from wireless LAN adapters that is addressed to the intended AP.