
IEEE 802.11 SECURITY
What is security?
A primary purpose of security is to keep intruders out. For most of history, this meant building strong walls
and establishing small, well-guarded doors to provide secure access for a select group of people. This
strategy works better for wired LANs than for WLANs. The rise of mobile commerce and wireless networks
makes the old model unsuitable. Security solutions must be seamlessly integrated, more transparent,
flexible, and manageable.
Security usually refers to ensuring that users can perform only the tasks that they are authorized to do and
can obtain only the information that they are authorized to have. Security must ensure that users cannot
cause damage to the data, applications, or operating environment of a system. The word security involves
protection against malicious attacks. Security also involves controlling the effects of errors and equipment
failures. Anything that can protect against a wireless attack will probably prevent other types of trouble as
well. The balance between allowing authorized access and preventing unauthorized access is illustrated in
Figure 1.

[Figure 1: the balance between allowing authorized access and preventing unauthorized access]

WLAN vulnerabilities

WLANs are vulnerable to specialized attacks. Many of these attacks exploit technology weaknesses, since
802.11 WLAN security is relatively new. There are also many configuration weaknesses, since some
companies do not use the security features of WLANs on all their equipment, and many devices are shipped
with default administrator passwords. Finally, there are policy weaknesses. When a company does not
have a clear policy on wireless usage, employees may set up their own APs. An AP set up by an employee
is known as a rogue AP, and it is rarely secure.

There are people eager, willing, and qualified to take advantage of WLAN vulnerabilities. They are
constantly trying to discover and exploit new vulnerabilities. Numerous papers have been written on the
topic of 802.11 security. The major vulnerabilities are summarized below:

- Weak device-only authentication: client devices are authenticated, but users are not.
- Weak data encryption: Wired Equivalent Privacy (WEP) has been proven ineffective as a means to
encrypt data.
- No message integrity: the Integrity Check Value (ICV) has been proven ineffective as a means of
ensuring message integrity.

802.11 security vulnerabilities can be a barrier to enterprise WLAN deployment. To address these
vulnerabilities, Cisco has developed the Cisco Wireless Security Suite to provide robust enhancements to
WEP encryption and centralized, user-based authentication.

In this section, numerous activities demonstrate the multiple methods utilized in configuring Cisco wireless
security.

WLAN threats
There are four primary classes of threats to wireless security:

1. Unstructured threats
2. Structured threats
3. External threats
4. Internal threats

Unstructured threats consist of inexperienced individuals using easily available hacking tools such as shell
scripts and password crackers. Structured threats come from hackers who are more highly motivated and
technically competent. These people know wireless system vulnerabilities, and they can understand and
develop exploit code, scripts, and programs. External threats are individuals or organizations working from
outside of the company. They do not have authorized access to the wireless network. They work their way
into a network mainly from outside the building, such as parking lots, adjacent buildings, or common areas.
These are the types of threats that people spend the most time and money protecting against. Internal threats
occur when someone has authorized access to the network, with either an account on a server or physical
access to the wire. According to the FBI, internal access and misuse account for 60 to 80 percent of reported
incidents.

Wireless access can be a great threat to network security. Most WLANs have few or no restrictions. Once
associated to an access point, an attacker can freely roam an unsecured internal network.

ATTACKS

Wireless attack methods can be broken up into three categories:

1. Reconnaissance
2. Access attack
3. Denial of Service (DoS)

Reconnaissance
Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities. It is
also known as information gathering and it usually precedes an actual access or DoS attack.

Reconnaissance is similar to a thief scouting a neighborhood for unsecure homes. In many cases, the
intruders go as far as testing the door handle to discover vulnerable areas, which they can exploit at a later
time. Performing reconnaissance involves the use of common commands or utilities to learn as much as
possible about the victim site.

Wireless snooping and packet sniffing are common terms for eavesdropping. The information gathered by
eavesdropping can be used for future access or DoS attacks to the network. Using encryption and avoiding
protocols that are easily eavesdropped can combat eavesdropping. Commercial wireless protocol
analyzers like AiroPeek, AirMagnet, or Sniffer Wireless can be used to eavesdrop on WLANs. Free protocol
analyzers like Ethereal or tcpdump fully support wireless eavesdropping under Linux. Wireless
eavesdropping can be used to view network traffic and discover the SSIDs in use, validate MAC addresses,
or determine if encryption is being used.

Wireless reconnaissance is often called wardriving. Utilities used to scan for wireless networks can be
active or passive. Passive tools, like Kismet, transmit no information while they are detecting wireless
networks. Active utilities, like NetStumbler, transmit requests for additional information about a wireless
network, once it is discovered. The Windows XP operating system is wireless-aware. Windows XP performs
active scanning. It will try to automatically connect to a discovered WLAN. Some people using WLAN tools
are interested in collecting information about the use of wireless security. Others are interested in finding
WLANs that offer free Internet access or an easy backdoor into a corporate network.

Access

System access, in this context, is the ability of an unauthorized intruder to gain access to a device for
which the intruder does not have an account or password. Entering or accessing systems to which one
does not have authorized access usually involves running a hack script or tool that exploits a known
vulnerability of the system or application being attacked. Access is an all-encompassing term that refers
to unauthorized data manipulation, system access, or privilege escalation. Some examples of access
include the following:

- Exploitation of weak or non-existent passwords
- Exploitation of services such as HTTP, FTP, SNMP, CDP, and Telnet

The easiest hack is called Social Engineering. It involves no computer skills at all. If an intruder can trick a
member of an organization into giving out valuable information such as locations of files and servers or
passwords, then the process of hacking is made much easier.

Rogue AP Attack
Most clients will associate to the access point with the strongest signal. If an unauthorized AP, which is
generally a rogue AP, has a strong signal, clients will associate to the rogue AP. The rogue AP will have
access to the network traffic of all associated clients. Therefore, the rogue AP can be used to perform
man-in-the-middle attacks against encrypted traffic like SSL or SSH. The rogue AP can also use ARP and
IP spoofing to trick clients into sending passwords and sensitive information. The rogue AP can also
request non-Wired Equivalent Privacy (WEP) protected sessions with clients during association.

Wired Equivalent Privacy (WEP) Attacks

Attacks against WEP include bit flipping, replay attacks, and weak IV collection. Many WEP attacks
have not been released from the laboratory, but they are well documented. One utility, called AirSnort,
captures weak Initialization Vectors (IVs) to determine the WEP key being used.

Denial of service

DoS is when an attacker disables or corrupts wireless networks, systems, or services with the intent of
denying the service to authorized users. DoS attacks take many forms. In most cases, performing the
attack simply involves running a hack, script, or tool. The attacker does not need prior access to the
target, because all that is usually required is a way to reach it. For these reasons, and because of their
great damaging potential, DoS attacks are the most feared, since they are the most difficult to prevent.

An attacker may also cause radio interference that produces so many transmission errors that throughput
drops to an unacceptable level or the network stops operating altogether. Other DoS attacks include
flooding the access point with authentication requests, sending deauthentication frames to legitimate
users, and sending RTS/CTS frames to silence the network.

Many DoS attacks against 802.11 wireless networks have been theorized. One utility, called Wlan Jack,
sends fake disassociation packets, which disconnect 802.11 clients from the access point. As long as the
attack utility runs, clients are unable to use the WLAN. In fact, any device operating at 2.4 GHz or 5 GHz
can be used as a DoS tool.
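As an added example (not part of the original text), the following Python shows the detection side of the disassociation flood just described: it reads constructed management-frame log lines in a format assumed for a wireless IDS sensor and raises an alert when one transmitter address sends an unusual burst of disassociation or deauthentication frames. The log format, the threshold of ten frames and the five-second window are assumptions, not values from the text.

```python
"""Added example (not part of the original text): detect a disassociation or
deauthentication flood, as described above, from a monitoring log.

Assumptions: a wireless IDS sensor writes one management frame per line in the
constructed format below (epoch seconds, frame subtype, source, destination);
the threshold and window are illustrative tuning values, not from the text."""
import re
from collections import defaultdict, deque

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) mgmt (?P<subtype>\w+) "
    r"src=(?P<src>[0-9a-f:]{17}) dst=(?P<dst>[0-9a-f:]{17})$"
)
DISCONNECT_SUBTYPES = {"deauth", "disassoc"}   # the two subtypes that tear down a client
BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse_line(line: str):
    """Return a dict for a well-formed sensor line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": float(m["ts"]), "subtype": m["subtype"], "src": m["src"], "dst": m["dst"]}


def detect_disconnect_floods(lines, threshold=10, window=5.0):
    """Sliding-window count of deauth/disassoc frames per transmitter address.
    An AP sends these occasionally (idle timeouts, capacity management); a burst
    of `threshold` or more within `window` seconds is reported once per address.
    Because the flood tool forges the AP's own address, `src` names the AP being
    impersonated, which is what a defender needs to know to go looking."""
    recent = defaultdict(deque)          # src -> timestamps of its recent disconnect frames
    alerted = set()
    alerts = []
    for line in lines:
        frame = parse_line(line)
        if frame is None or frame["subtype"] not in DISCONNECT_SUBTYPES:
            continue
        q = recent[frame["src"]]
        q.append(frame["ts"])
        while q and frame["ts"] - q[0] > window:   # drop frames older than the window
            q.popleft()
        if len(q) >= threshold and frame["src"] not in alerted:
            alerted.add(frame["src"])
            alerts.append({
                "src": frame["src"], "count": len(q),
                "first_ts": q[0], "last_ts": frame["ts"],
                "broadcast": frame["dst"] == BROADCAST,   # one frame to all clients at once
            })
    return alerts


# Constructed sensor log: a beacon, two legitimate idle-timeout deauths a minute
# apart, then fifteen broadcast disassociation frames in 1.4 seconds.
SAMPLE_LOG = [
    "1000.0 mgmt beacon src=00:11:22:33:44:01 dst=ff:ff:ff:ff:ff:ff",
    "1001.2 mgmt deauth src=00:11:22:33:44:01 dst=00:aa:bb:cc:dd:01",
    "1040.7 mgmt deauth src=00:11:22:33:44:01 dst=00:aa:bb:cc:dd:02",
] + [
    f"{1100 + i * 0.1:.1f} mgmt disassoc src=00:11:22:33:44:01 dst=ff:ff:ff:ff:ff:ff"
    for i in range(15)
]

if __name__ == "__main__":
    for alert in detect_disconnect_floods(SAMPLE_LOG):
        print("ALERT disconnect flood:", alert)
```

The two isolated deauthentication frames in the sample never accumulate inside the window, so only the burst is reported. Since the forged frames carry the access point's own address, the alert identifies the impersonated AP rather than the transmitter; locating the transmitter is a radio-level task.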

The WLAN security wheel

Most wireless security incidents occur because system administrators do not implement available
countermeasures. Therefore, the issue is not just one of confirming that a technical vulnerability exists and
finding a countermeasure that works. It is also critical to verify that the countermeasure is in place and
working properly.

This is where the WLAN Security Wheel, which is a continuous security process, is effective. The WLAN
Security Wheel not only promotes applying security measures to the network, but most importantly, it
promotes retesting and reapplying updated security measures on a continuous basis.

To begin the Security Wheel process, first develop a WLAN security policy that enables the application of
security measures. A security policy must accomplish the following tasks:

- Identify the wireless security objectives of the organization.
- Document the resources to be protected.
- Identify the network infrastructure with current maps and inventories.

Wireless security policies are worth the time and effort to develop because they provide many benefits. The
development of a good security policy accomplishes the following:

- Provides a process to audit existing wireless security
- Provides a general framework for implementing security
- Defines behavior that is allowed and that is not allowed
- Helps determine which tools and procedures are needed for the organization
- Helps communicate consensus among a group of key decision makers and defines responsibilities
of users and administrators
- Defines a process for handling wireless breaches
- Creates a basis for legal action, if necessary

An effective wireless security policy works to ensure that the network assets of the organization are
protected from sabotage and from inappropriate access, which includes both intentional and accidental
access. All wireless security features should be configured in compliance with the security policy of the
organization. If a security policy is not present, or if the policy is out of date, the policy should be created or
updated before deciding how to configure or deploy wireless devices.

[Figure: the WLAN Security Wheel, with the stages Monitor, Test, and Improve]

First generation wireless security

Security was not a big concern for early WLANs. The equipment was proprietary, expensive, and hard to
find. Many WLANs used the Service Set Identifier (SSID) as a basic form of security. Some WLANs
controlled access by entering the media access control (MAC) address of each client into the wireless
access points. Neither option was secure, since wireless sniffing could reveal both valid MAC addresses
and the SSID.

The SSID is a 1 to 32-character American Standard Code for Information Interchange (ASCII) string that
can be entered on the clients and access points. Most access points have options like "SSID broadcast"
and "Allow any SSID". These features are usually enabled by default and make it easy to set up a wireless
network. The "Allow any SSID" option permits the access point to allow access to a client with a blank SSID.
The "SSID broadcast" sends beacon packets that advertise the SSID. Disabling these two options does not
secure the network, since a wireless sniffer can easily capture a valid SSID from normal WLAN traffic.
SSIDs should not be considered a security feature.
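The SSID element and the encryption indication described above are carried in beacon frames, which is how a wireless sniffer learns the SSID and whether encryption is in use, and also how an administrator can audit the air for the rogue APs discussed in the Rogue AP Attack section. The following Python is an added example, not code from the original text or from any vendor: it parses the beacon frame body (the fixed fields followed by information elements), reports whether each AP broadcasts its SSID and sets the Privacy capability bit, and compares each BSSID with an authorized inventory. The sample frames and the inventory are constructed; the (BSSID, frame body) input format is an assumption about what a monitoring tool would export.

```python
"""Added example (not from the original text): parse 802.11 beacon frame bodies
and audit what they advertise, from a WLAN administrator's viewpoint.

Assumptions (labelled as such): frames arrive as (BSSID, frame body) pairs as a
monitoring tool might export them; the authorized-AP inventory is a set of
BSSIDs kept by the administrator. All sample frames below are constructed."""
import struct

SSID_IE = 0             # element ID of the SSID information element
MAX_SSID_LEN = 32       # an SSID is 0 to 32 octets long
CAP_PRIVACY = 0x0010    # Capability Information "Privacy" bit: encryption required


def parse_beacon_body(body: bytes):
    """Beacon body: timestamp (8) + beacon interval (2) + capability (2), little-endian,
    followed by ID/length/value information elements. Returns (interval, capability, ies)."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than the fixed fields")
    _timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
    ies = {}
    offset = 12
    while offset < len(body):
        if offset + 2 > len(body):
            raise ValueError("truncated element header")
        ie_id, ie_len = body[offset], body[offset + 1]
        value = body[offset + 2: offset + 2 + ie_len]
        if len(value) != ie_len:
            raise ValueError("truncated element body")
        ies.setdefault(ie_id, value)       # keep the first copy of a repeated element
        offset += 2 + ie_len
    return interval, capability, ies


def build_beacon_body(ssid: bytes, interval=100, capability=0x0001) -> bytes:
    """Constructed beacon body for the samples below (timestamp 0, ESS bit set)."""
    return struct.pack("<QHH", 0, interval, capability) + bytes([SSID_IE, len(ssid)]) + ssid


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return lower-case colon form."""
    hexdigits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def audit_beacons(frames, authorized_bssids):
    """One finding per beacon: whether the SSID is broadcast, whether the Privacy
    bit (encryption) is set, and whether the BSSID is in the inventory."""
    authorized = {normalize_mac(m) for m in authorized_bssids}
    findings = []
    for bssid, body in frames:
        _interval, capability, ies = parse_beacon_body(body)
        ssid = ies.get(SSID_IE)
        if ssid is None or len(ssid) > MAX_SSID_LEN:
            raise ValueError(f"{bssid}: missing or oversized SSID element")
        # A zero-length or all-NUL SSID is how an AP with "SSID broadcast" disabled beacons.
        hidden = len(ssid) == 0 or set(ssid) == {0}
        mac = normalize_mac(bssid)
        findings.append({
            "bssid": mac,
            "ssid": None if hidden else ssid.decode("ascii", errors="replace"),
            "ssid_broadcast": not hidden,
            "encryption": bool(capability & CAP_PRIVACY),
            "rogue": mac not in authorized,
        })
    return findings


# Constructed sample: two corporate APs (one with SSID broadcast disabled) and an
# unknown AP beaconing an open network with a default-looking SSID.
SAMPLE_FRAMES = [
    ("00:11:22:33:44:01", build_beacon_body(b"CorpWLAN", capability=0x0011)),   # ESS + Privacy
    ("00:11:22:33:44:02", build_beacon_body(b"", capability=0x0011)),           # hidden SSID
    ("0a:0b:0c:0d:0e:0f", build_beacon_body(b"linksys")),                       # open, not in inventory
]
AUTHORIZED_BSSIDS = {"00-11-22-33-44-01", "0011.2233.4402"}   # inventory in mixed notations

if __name__ == "__main__":
    for finding in audit_beacons(SAMPLE_FRAMES, AUTHORIZED_BSSIDS):
        print(finding)
```

The hidden-SSID AP is still fully visible to the parser, which is the point the text makes about disabling "SSID broadcast": it changes what the beacon carries, not whether the AP is discoverable. The `rogue` flag is the useful output for an administrator, and it depends entirely on the inventory being accurate.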

MAC based authentication is not specified in the 802.11 specifications. However, many vendors have
implemented MAC based authentication. Most vendors simply require each access point to have a list of
valid MAC addresses. Some vendors also allow the access point to query a list of MAC addresses on a
centralized server.

Controlling wireless network access by using MAC addresses is tedious. Accurate inventory must be kept
and users must quickly report lost or stolen equipment. MAC addresses are not a real security mechanism,
since all MAC addresses are unencrypted when transmitted. An attacker would only need to capture a valid
MAC address to be able to access the network. In certain cases, MAC address authentication can
supplement security features, but this should never be the primary method of providing wireless security.
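As an added example (not from the original text or any vendor's implementation), the Python below implements the allow-list check the text describes, normalizing the several MAC notations that tend to coexist in an inventory, and adds the check a practitioner would pair with it: a flag when one allowed address is active at two access points within a short window, which is what a copied address produces. The event format and the two-second window are assumptions.

```python
"""Added example (not from the original text or any vendor's implementation):
the MAC-address allow-list check described above, plus an audit to pair with it.

Assumptions: the allow-list lives on the AP (or a central server it queries);
the event stream is a constructed list of (time, ap, client MAC, event) tuples,
event being "assoc" or "data", as a WLAN controller log might export."""


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return lower-case colon form."""
    hexdigits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


class MacAllowList:
    """The list of valid MAC addresses an AP keeps. Entries are stored normalized,
    so the same station written in two notations is recognized as a duplicate
    rather than silently becoming two inventory records."""

    def __init__(self, entries):
        self.entries = {}
        self.duplicates = []          # raw entries that repeat an earlier station
        for raw in entries:
            mac = normalize_mac(raw)
            if mac in self.entries:
                self.duplicates.append(raw)
            else:
                self.entries[mac] = raw

    def permits(self, mac: str) -> bool:
        return normalize_mac(mac) in self.entries


def process_events(events, allow_list, overlap_window=2.0):
    """Replay (ts, ap, mac, event) tuples.
    decisions: one (ts, ap, mac, "allow"|"deny") per association request, i.e.
    the AP's allow-list decision.
    alerts: an allowed address whose data frames are seen at two different APs
    within overlap_window seconds. One radio cannot be in two cells at once, so
    this is the trace a copied address leaves; a fast-roaming client can produce
    it too, which is why the window is a tuning value."""
    last_seen = {}                    # mac -> (ts, ap) of its latest data frame
    decisions, alerts = [], []
    for ts, ap, raw_mac, event in events:
        mac = normalize_mac(raw_mac)
        if event == "assoc":
            verdict = "allow" if allow_list.permits(mac) else "deny"
            decisions.append((ts, ap, mac, verdict))
        elif event == "data" and allow_list.permits(mac):
            prev = last_seen.get(mac)
            if prev is not None and prev[1] != ap and ts - prev[0] <= overlap_window:
                alerts.append({"ts": ts, "mac": mac, "aps": sorted((prev[1], ap))})
            last_seen[mac] = (ts, ap)
    return decisions, alerts


# Constructed allow-list: the second station appears twice in different notations.
ALLOW_LIST = MacAllowList(["00:aa:bb:cc:dd:01", "00-AA-BB-CC-DD-02", "00aa.bbcc.dd02"])

# Constructed event stream: a listed station on ap1, an unlisted one refused by
# ap2, then the listed address active at ap2 and ap1 only 0.2 seconds apart.
EVENTS = [
    (10.0, "ap1", "00:aa:bb:cc:dd:01", "assoc"),
    (10.5, "ap1", "00:aa:bb:cc:dd:01", "data"),
    (11.0, "ap2", "00:aa:bb:cc:dd:03", "assoc"),
    (20.0, "ap2", "00:AA:BB:CC:DD:01", "assoc"),
    (20.2, "ap2", "00:aa:bb:cc:dd:01", "data"),
    (20.4, "ap1", "00:aa:bb:cc:dd:01", "data"),
]

if __name__ == "__main__":
    decisions, alerts = process_events(EVENTS, ALLOW_LIST)
    print("duplicate inventory entries:", ALLOW_LIST.duplicates)
    for d in decisions:
        print("assoc", d)
    for a in alerts:
        print("ALERT address active in two cells:", a)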
