Securing wireless networks

11 Jun 2009
by John Adams
When you move away from cabling and start supporting electronic security systems with wireless networks, it’s important to ensure you maintain high levels of performance and network security.

Before we get into this one, it’s worth recapping the sorts of wireless networks integrators and security managers are going to find themselves involved with. The most common RF designations include:

* 802.11: Applies to wireless LANs and provides 1 or 2 Mbps transmission in the 2.4 GHz band using either frequency hopping spread spectrum (FHSS) or direct sequence spread spectrum (DSSS).
* 802.11a: An extension to 802.11 that applies to wireless LANs and provides up to 54 Mbps in the 5 GHz band. 802.11a uses an orthogonal frequency division multiplexing encoding scheme called COFDM, rather than FHSS or DSSS.
* 802.11b (also referred to as 802.11 High Rate or Wi-Fi): An extension to 802.11 that applies to wireless LANs and provides 11 Mbps transmission (with a fallback to 5.5, 2 and 1 Mbps) in the 2.4 GHz band. 802.11b uses only DSSS. 802.11b was a 1999 ratification to the original 802.11 standard, allowing wireless functionality comparable to Ethernet.
* 802.11g: Applies to wireless LANs and provides 54 Mbps in the 2.4 GHz band.

It’s worth noting that you’ll often read about 802.11b/g in relation to a product. Essentially the two are similar, with b offering 11 Mbps and g giving 54 Mbps while remaining backwards compatible with legacy Wi-Fi installations. Importantly, 802.11g systems also benefit from the COFDM encoding scheme, which makes their resistance to interference significantly better.


Security managers and installers should think about 802.11a LANs when they’re thinking about networking CCTV solutions. Of all the options, 802.11a networks give the best performance and the best resistance to interference. For performance-heavy applications, 802.11b won't be able to keep up unless you’re only supporting a camera or two, or it’s an access link you’re building.


It is very important to take into account that in most applications, especially in urban environments, there’s significant RF interference present in the 2.4 GHz band. Use of 2.4 GHz wireless phones and Bluetooth devices will fill the radio spectrum within your building, and it can significantly decrease the performance of 802.11b wireless LANs. Using 802.11a, which operates in the 5 GHz band, will avoid this interference.


Along with 802.11a take-up, multi-band solutions that are able to support 802.11a/b/g at the same time are also something to seriously consider. Multi-band is popular because its flexibility justifies the added cost of hardware and installation, but that extra cost can be as much as 30 per cent.


Lastly, wireless LANs are going to depend on encryption for secure comms. We all know what encryption does to a signal stream: it adds overhead and costs throughput. The need for encryption means that installers and security managers who think wireless is the way to go need to think performance, performance, performance.


Security issues


Now that we’ve brushed up on the fundamentals of wireless LANs, security people should have no doubt that commercial-grade wireless LANs are inherently insecure. This judgement covers both reliability and the ability to guarantee secure comms in shared air space. It’s this lack of security that underscores the 802.11a/b/g wireless LAN’s unsuitability for security communications of any sort.


It would be silly to suggest that Cat-5 LANs have vastly more security than wireless links, but there’s an important difference with air-based comms, and it relates to signal spill. Indoors, 802.11b is generally a point-to-multipoint set-up with a couple of omni-directional aerials.


You’d expect about 11 Mbps at 30 m and about 1 Mbps at 90 m, both in a field of 360 degrees. With the other technologies you get similar range (802.11g) or less range (802.11a), along with 54 Mbps of bandwidth.

If the site is larger or more challenging in terms of interference, systems people might boost performance with high-gain antennas. Using high-gain gear, point-to-point and outdoors, it’s possible to get 8 km out of plain old 802.11b systems. In some line-of-sight applications 802.11b can support links of 120 km.


The point of mentioning this is that your RF signal does not stop at the dividing walls of your office, nor at your perimeter fence. Cat-5 cables spill EMI in small amounts locally, but clever software tools can pin down attempts to passively tap copper cable. With RF LANs, all an eavesdropper needs is a wireless NIC, and there’s no way to confirm an unauthorized station is not listening to LAN traffic.



Over the past couple of years there have been attempts to secure wireless LANs, some more successful than others. Early on, the Wired Equivalent Privacy standard was developed. Despite the hopeful title, WEP was always flawed. How? Because the identifiers the wireless LAN stations were exchanging were available for any station to receive and retransmit.


The idea was that WEP would authenticate any wireless station (NIC) looking to climb aboard the LAN using RC4 encryption. Access points on wireless LANs and remote stations (wireless NICs in workstations, DVRs/video servers, or access control machines) would exchange a series of management frames that allowed them to identify each other.


The way it works is that every so often, access points fire out a beacon frame incorporating a BSS identifier. A NIC looks for these beacon frames and sends probe frames of its own, which are designed to find access points. When a probe finds an access point, the NIC requests a link and suggests a method of authentication.


Making matters tough for WEP is that Open System Authentication can’t really be described as authentication at all, because when a station requests connection to the BSS, it’s always given connection. Shared Key Authentication works like this. A wireless station, whether a local NIC or a hacker’s NIC in the next building, asks for association with the BSS. The access point comes up with a standard 128-bit challenge, and the remote NIC is then required to send the challenge back encrypted with a shared key that was loaded into both the NIC and the access point during setup.


Once all this is done, the access point uses a basic cyclic redundancy check (CRC), a checksum, to verify the integrity of the NIC’s response. The original challenge and the decrypted response are compared, and if they match up then bingo, you’re in. This simple authentication process works in either direction, depending on who is talking to whom.


As clever techs will have seen, the crushing disadvantage here is that anyone who receives the signals from this exchange picks up the plaintext, the ciphertext and the initialization vector used to turn that plaintext into ciphertext. With all three in hand it’s possible to calculate the RC4 keystream and then generate the ciphertext needed to trick the access point into giving a NIC access to the LAN.

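To show why the exchange just described amounts to no authentication at all, here is an added Python model (not the article's code and not a real 802.11 stack) of WEP Shared Key authentication: a listener who sees one challenge and its encrypted response recovers the RC4 keystream for that IV and can answer a later challenge without ever learning the key. The RC4 routine, the simplified frame layout and the key bytes are this example's own constructions.

```python
"""Toy model of WEP Shared Key authentication and the keystream leak it suffers.
Constructed for illustration; frame layout is simplified (IV || RC4(payload || ICV))."""
import os
import zlib

def rc4(key, n):  # n bytes of RC4 keystream from key (KSA, then PRGA)
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def icv(payload): return zlib.crc32(payload).to_bytes(4, "little")  # WEP ICV: plain CRC-32

def wep_encrypt(key, iv, payload):
    """WEP frame body: 24-bit IV sent in clear, then RC4(iv||key) over payload||ICV."""
    return iv + xor(payload + icv(payload), rc4(iv + key, len(payload) + 4))

def ap_verify(key, challenge, response):
    """Access point: decrypt with the IV from the frame, check challenge and ICV."""
    iv, body = response[:3], response[3:]
    plain = xor(body, rc4(iv + key, len(body)))
    return plain[:-4] == challenge and plain[-4:] == icv(challenge)

def keystream_from_exchange(challenge, response):
    """Passive listener: known plaintext (challenge||ICV) XOR ciphertext = keystream for this IV."""
    iv, body = response[:3], response[3:]
    return iv, xor(body, challenge + icv(challenge))

def response_without_key(iv, keystream, new_challenge):
    """Reuse the observed IV and keystream to answer a fresh challenge; no key involved."""
    return iv + xor(new_challenge + icv(new_challenge), keystream)

def demo():
    key, c1, c2 = b"\x01\x02\x03\x04\x05", os.urandom(128), os.urandom(128)  # constructed key, 128-octet challenges
    r1 = wep_encrypt(key, os.urandom(3), c1)   # legitimate station's answer, visible in the air
    iv, ks = keystream_from_exchange(c1, r1)   # listener needs no key for this step
    return ap_verify(key, c1, r1), ap_verify(key, c2, response_without_key(iv, ks, c2))
```

Both values returned by `demo()` are True: the genuine response and the key-less one are accepted alike, which is why the article's later advice is to avoid WEP altogether.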

802.11 wireless LANs can use the MAC standards to increase security levels. MAC, which stands for Media Access Control, relates to a sublayer of the OSI data link layer. Don’t be scared off by the jargon: this is simply the interface between a node’s logical link control and the physical layer of a network, copper or wireless.

Among other things, the MAC detects transmission errors and controls access to the physical transmission media. MAC addresses can also be used to control which remote NICs are able to use the LAN and which are unauthorized and must be denied. This sounds great, but it doesn’t really work, because MAC addresses get sent in plaintext and a half-competent hacker can trick an access point into providing enough information to defeat the filter.


Another attempt to secure WLANs was the implementation of SSIDs. Essentially, SSIDs are simply case-sensitive text strings of alphanumeric characters (letters or numbers) with a maximum length of 32 characters. The idea is that a particular SSID is associated with a LAN, and all stations on the LAN must use this SSID to communicate.

Network administrators can set SSIDs manually or automatically; for the automatic option the SSID is just left blank. The latter is not a great idea, and newer WLANs disable the auto-SSID feature to improve security levels. Why? You guessed it. SSIDs are sent in plaintext on 802.11b, and we all now know how easy it is for a slightly skilled hacker to exploit plaintext.


A better idea all round is a combination of local station authentication and user-level authentication. What this means is that the user logs into the wireless network using a password or a biometric that an access point can check against a RADIUS server. Hitching station network access to a biometric is a nice idea, especially if you’re lucky enough to have a strong network access authentication technology in place.


Is secure RF possible?


If you’re thinking there’s no reason to ever use basic wireless networking technology to support physical security transmissions, you’re mostly right. But if you need to use a wireless link and you have no choice but to go with an 802.11 technology, then there are a number of things you can do to ensure the maximum possible network security.


First up, you need to change the access point’s default administrator password and, secondly, switch off SSID broadcasting. The system will also benefit from MAC filtering and from some form of wireless encryption. Yes, encryption will fatten up your signal stream and reduce performance, but it will be worth it. Don’t go for WEP; think WPA.


Unveiled a few years ago, WPA is a security standard developed by the Institute of Electrical and Electronics Engineers (IEEE) and based on the 802.11i wireless security standard. WPA was intended to replace Wired Equivalent Privacy (WEP).


However, we wouldn’t recommend version 1 of the WPA wireless encryption standard either. When it was released, papers written by security experts condemned the then-new WPA security standard as a worse security option than WEP, which is no compliment.


In his paper "Weakness in Passphrase Choice in WPA Interface," Robert Moskowitz, who was a senior technical director at ICSA Labs, described problems with the WPA standard, including that it allowed attackers to "sniff" critical information from wireless traffic and to discover the value of a wireless network's security key.


Instead you should look at WPA2 (Wi-Fi Protected Access 2), which was released in mid-2004 and is reputed to be a major improvement on all that came before. WPA2 incorporates the Advanced Encryption Standard (AES), which supports 128-bit, 192-bit and 256-bit keys. AES is based on the Rijndael (pronounced rain-dahl) algorithm, created by Belgian cryptographers Joan Daemen and Vincent Rijmen. It’s solid stuff.


"WPA2 is ideally suited for enterprises in both the public and private sectors," says Frank Hanzlik, Wi-Fi Alliance managing director. "Products that are certified for WPA2 give IT managers the assurance that the technology meets interoperability standards and in turn helps them manage support and deployment costs."


All components of WPA2 are included in the 802.11i standard, which was developed by the IEEE. Importantly, a Wi-Fi Alliance spokesperson recently said WPA2 would be "the core from which other security measures emanate" in the future. That’s nice confidence for integrators and security managers looking to future-proof their wireless security networks.


Along with encryption, make sure any wireless network carrying security traffic is supported by a user access control policy. Probably the best way to do this is to build a wireless DMZ and keep it isolated from the copper LAN using a firewall. The system is configured so that only traffic that passes through the firewall is allowed access to the system.

Traversing the firewall requires that users are authenticated by a remote access server and/or a VPN. Going for a simpler option, you can just set the system up so the wireless access point is disconnected when the system is not being used. It sounds basic, but it’s a very nice and low-cost idea. This solution means that if a remote manager or gatehouse only wants occasional access to a wireless-connected location, an attacker has to guess when that location might be accessed in order to undertake a sniffing operation.


Another good option is the use of highly directional antennas. They might be more expensive, but they’ll ensure your signals do not spill into areas you don’t want them to go. You can also use an 802.11a LAN and devices instead of b/g. You’ll get shorter range, but because the majority of systems are longer-range b/g, most attacks are perpetrated on that frequency, not on 5 GHz. Another strong security feature of 5 GHz signals is that they’re highly attenuated by walls and buildings. Where security is concerned, this is a very nice quality indeed, even if the short range drives installation teams nuts.
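As an added illustration of the checklist above (not from the article, which names no particular product), the following Python audits a hostapd-style access point configuration: hostapd and its option names are this example's assumption, and the weak and hardened configs are constructed samples. It flags a broadcast SSID, missing MAC filtering, WEP or shared-key authentication, anything other than WPA2 with AES-CCMP, and the absence of per-user RADIUS/EAP authentication; the default admin password lives outside this file and is not checked.

```python
"""Checklist audit of a hostapd-style AP config (hostapd and its option names
are this example's assumption; both configs below are constructed samples)."""

WEAK = """\
ssid=gatehouse-cctv
ignore_broadcast_ssid=0
auth_algs=3
wep_key0=0102030405
macaddr_acl=0
"""

HARDENED = """\
ssid=gatehouse-cctv
ignore_broadcast_ssid=1
auth_algs=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept.mac
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
# RADIUS server for per-user authentication (constructed address)
auth_server_addr=10.0.0.5
"""

def parse(text):  # key=value lines; blank lines and '#' comments are ignored
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return the checklist items the config fails, in checklist order."""
    findings = []
    if conf.get("ignore_broadcast_ssid", "0") == "0":           # hostapd default: broadcast
        findings.append("SSID is broadcast in beacons")
    if conf.get("macaddr_acl", "0") == "0":                     # hostapd default: accept all
        findings.append("no MAC filtering")
    if any(k.startswith("wep_key") for k in conf) or conf.get("auth_algs", "3") != "1":
        findings.append("WEP keys or shared-key authentication allowed")
    wpa = int(conf.get("wpa", "0"))                             # 1=WPA, 2=WPA2, 3=both
    if wpa != 2:
        findings.append("WPA2-only (wpa=2) is not set")
    elif "CCMP" not in conf.get("rsn_pairwise", "") or "TKIP" in conf.get("rsn_pairwise", ""):
        findings.append("WPA2 cipher is not AES-CCMP only")
    if "EAP" not in conf.get("wpa_key_mgmt", ""):
        findings.append("no per-user (RADIUS/EAP) authentication")
    return findings
```

`audit(parse(WEAK))` reports all five items; `audit(parse(HARDENED))` reports none.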
