Wireless LAN Setup and Security Loopholes

Most existing small deployments mapped by war drivers do not enable the security features on products, and many access points have had only minimal changes made to the default settings. Unfortunately, no good solution exists to this concern. Software tools like NetStumbler allow network administrators to wander their building looking for unauthorized access points, though it takes considerable effort to walk the building looking for new access points. Moreover, monitoring tools will also pick up other access points in the area, which may be a concern if two or more organizations are sharing the same building or a floor. Access points from one organization may cover part of another organization's floor space.

DoS (Denial of Service) Attacks

Wireless networks based on 802.11b have a bit rate of 11 Mbps, and networks based on the newer 802.11a/g technology have bit rates of up to 54 Mbps. This capacity is shared between all the users associated with an access point. Due to MAC layer overhead, the actual effective throughput tops out at roughly half of the nominal bit rate. It is not hard to imagine how local area applications might overwhelm such limited capacity, or how an attacker might launch a denial of service attack on the limited resources. Radio capacity can be overwhelmed in several ways. It can be swamped by traffic coming in from the wired network at a rate greater than the radio channel can handle. If an attacker were to launch a ping flood attack, it could easily overwhelm the capacity of an access point. Depending on the deployment scenario, it might even be possible to overwhelm several access points by using a broadcast address as the destination of the ping flood. Figure 8 shows a ping flood attack and the network utilization graph for a victim wireless node. Attackers could also inject traffic into the radio network without being attached to a wireless access point. The 802.11 MAC is designed to allow multiple networks to share the same space and radio channel.
Attackers wishing to take out the wireless network could send their own traffic on the same radio channel, and the target network would accommodate the new traffic as best as it could. DoS attacks could thus be easily applied to wireless networks, where legitimate traffic cannot reach clients or the access point because illegitimate traffic overwhelms the frequencies. Some other DoS attacks are TCP SYN flooding, Smurf attack, and fraggle attack. Distributed DoS attacks can do greater damage to network resources. Some performance complaints could be addressed by deploying a traffic shaper at the point at which a wireless LAN connects to the network backbone. While this will not defend against denial of service attacks, it may help prevent heavy users from monopolizing the radio resources in an area.

Figure 8. Network utilization (y-axis) vs. time (x-axis) graph that shows the target equipment status during and after the ping flood attack; note that the graph drops after the attack.

MAC Spoofing

In MAC spoofing, the attacker changes the manufacturer-assigned MAC address of a wireless adapter to the MAC address he wants to spoof, say by using tools like the Mac Makeup software (Mac Makeup, 2005). Attackers can use spoofed frames to redirect traffic and corrupt ARP tables. At a much simpler level, attackers can observe the MAC addresses of stations in use on the network, and adopt those addresses for malicious transmissions. To prevent this class of attacks, user authentication mechanisms are being developed for 802.11 networks. By requiring mutual authentication by potential users, unauthorized users can be kept from accessing the network. Mac Makeup software can be used to do the MAC spoofing as shown in Figure 9. The MAC spoofing attack can be shown as in the outlined three steps in Figure 10. Attackers can use spoofed frames in active attacks as well. In addition to hijacking sessions, attackers can exploit the lack of authentication of access points.

Figure 9. Mac Makeup software.
One can enter the MAC address to spoof and press the Change button to change the original MAC address. Later, by pressing the Remove button, the original MAC address can be restored.

Figure 10. MAC spoofing attack. Steps 1 to 3 are followed by the attacker.

Access points are identified by their broadcasts of Beacon frames. Any station that claims to be an access point and broadcasts the right service set identifier will appear to be part of an authorized network. Attackers can, however, easily pretend to be an access point because nothing in 802.11 requires an access point to prove that it really is an access point. At that point, the attacker could potentially steal credentials and use them to gain access to the network through a man-in-the-middle (MITM) attack. Fortunately, protocols that support mutual authentication are possible with 802.1x. Using methods based on transport layer security (TLS), access points will need to prove their identity before clients provide authentication credentials, and credentials are protected by strong cryptography for transmission over the air.

Disassociation and Session Hijacking Attack

By configuring a wireless station to work as an access point, attackers can launch more effective DoS attacks. They can then flood the airwaves with continuous disassociate commands that compel all stations within range to disconnect from the wireless LAN. In another variation, the attacker's malicious access point broadcasts periodic disassociate commands that cause a situation where stations are continually disassociated from the network, reconnected, and disassociated again. Session hijacking is said to occur when an attacker causes the user to lose his connection, and the attacker assumes his identity and privileges for a period. An attacker temporarily disables the user's system, say by a DoS attack or a buffer overflow exploit. The attacker then takes the identity of the user. The attacker now has all the access that the user has.
When he is done, he stops the DoS attacks and lets the legitimate user resume. The user may not detect the interruption if the disruption lasts no more than a couple of seconds or a few minutes. Such hijacking can be achieved by using a forged disassociation DoS attack, as explained above.

Traffic Analysis and Eavesdropping

Unlike in wired networks, a major problem with wireless networks is the ease of signal interception. Signals are broadcast through the air, where any receiver can intercept them. Traffic can be passively observed without any protection. The main risk is that 802.11 does not provide a way to secure data in transit against eavesdropping. Frame headers are always unencrypted and are visible to anyone with a wireless network analyzer. Security against eavesdropping was supposed to be provided by WEP (as discussed earlier). WEP protects only the initial association with the network and user data frames. Management and control frames are not encrypted or authenticated by WEP, leaving an attacker wide latitude to disrupt transmissions with spoofed frames. If the wireless LAN is being used for sensitive data, WEP may very well be insufficient. It is therefore recommended to employ strong cryptographic solutions like SSH, SSL and IPSec. These were designed to transmit data securely over public channels, have proven resistant to attack over many years, and will almost certainly provide a higher level of security. However, even when data is encrypted, an attacker can gain insight about the meaning of the data by observing some properties such as message sizes, communicating parties, and the sequence of encrypted back-and-forth conversation. This technique is called traffic analysis and can be effective (Frank, Sandeep, Golden, & Loren, 2005).

ARP Poisoning

In order to perform ARP poisoning, two desktop computers and one laptop can be used as shown in Figure 11. The two desktop computers (Computer A and Computer B) can act as the victims while the laptop (Computer C) can act as the attacker.
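For the Computer A / Computer B / attacker C set-up just described, here is an added defender-side illustration (example code written for this edit, not code from the chapter, Ethereal or Cain and Abel): a small monitor that replays constructed ARP records for the scenario and flags the poisoned replies the attack relies on. The addresses and the record layout are assumptions.

```python
from collections import defaultdict

# Constructed ARP records for the Figure 11 scenario, not captured traffic:
# A = 192.168.1.10 at aa:..:01, B = 192.168.1.20 at bb:..:02, attacker C at cc:..:03.
# Record layout (assumed): (op, sender_ip, sender_mac, target_ip).
ARP_EVENTS = [
    ("request", "192.168.1.10", "aa:aa:aa:aa:aa:01", "192.168.1.20"),  # A asks who has B
    ("reply",   "192.168.1.20", "bb:bb:bb:bb:bb:02", "192.168.1.10"),  # B answers A
    ("reply",   "192.168.1.10", "cc:cc:cc:cc:cc:03", "192.168.1.20"),  # step 1: C tells B "A is at C"
    ("reply",   "192.168.1.20", "cc:cc:cc:cc:cc:03", "192.168.1.10"),  # step 2: C tells A "B is at C"
]

def detect_arp_poisoning(events):
    """Return (event index, reason) alerts.  Every reply is checked for:
      1. answering no outstanding request (the unsolicited "reply" of step 1);
      2. a sender IP already bound to a different MAC;
      3. a sender MAC that now claims more than one IP, which is what a
         man-in-the-middle impersonating both victims looks like.
    """
    alerts = []
    pending = set()                # (asker_ip, asked_ip) still awaiting a reply
    ip_to_mac = {}                 # first binding learned for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    for i, (op, s_ip, s_mac, t_ip) in enumerate(events):
        if op == "request":
            pending.add((s_ip, t_ip))
            ip_to_mac.setdefault(s_ip, s_mac)  # requests reveal real bindings too
            continue
        if (t_ip, s_ip) in pending:            # a reply answers (asker, asked)
            pending.discard((t_ip, s_ip))
        else:
            alerts.append((i, "unsolicited reply for " + s_ip))
        known = ip_to_mac.setdefault(s_ip, s_mac)
        if known != s_mac:
            alerts.append((i, "%s moved from %s to %s" % (s_ip, known, s_mac)))
        mac_to_ips[s_mac].add(s_ip)
        if len(mac_to_ips[s_mac]) > 1:
            alerts.append((i, "%s claims %s" % (s_mac, sorted(mac_to_ips[s_mac]))))
    return alerts

if __name__ == "__main__":
    for idx, reason in detect_arp_poisoning(ARP_EVENTS):
        print("event %d: %s" % (idx, reason))
```

Hosts that announce themselves with gratuitous ARP at boot also trip check 1, so in practice checks 2 and 3 carry more weight than a lone unsolicited reply.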
Figure 11. ARP poisoning. The attacker C monitors the communication between Computer A and B by getting in between them.

A can be the source while B can be the destination. C can be equipped with the Ethereal (2005) packet capturing software and the ARP poisoning software known as Cain and Abel (2005). In ARP poisoning, an attacker can exploit ARP cache poisoning to intercept network traffic between two devices in the WLAN. For instance, let us say the attacker wants to see all the traffic between computer A and B. The attacker begins by sending a malicious ARP "reply" (for which there was no previous request) to B, associating his computer's MAC address with A's IP address. Now B thinks that the attacker's computer is A. Next, the attacker sends a malicious ARP reply to A, associating his MAC address with B's IP address. Now A thinks that the hacker's computer is B. Finally, the hacker turns on an operating system feature called IP forwarding. This feature enables the hacker's machine to forward any network traffic it receives from Computer A to B. Instead of enabling IP forwarding, the attacker has the choice of drowning Computer B with any DoS attack, so that the communication actually happens between A and the attacker, whom A thinks to be Computer B (Mohammed & Issac, 2005).

Operating System Weakness

Another security problem lies in the operating system. For instance, NetBIOS and SMB services allow unauthenticated users to create NULL sessions, thus permitting attackers to gain access to information about the machines they exploit. These services are enabled by default on Windows systems. Windows 2000 and Windows XP use ports 135 through 139, and port 445. When improperly configured, the NetBIOS service can expose critical system files or give full file system access to any hostile party connected to the network.
Many computer owners and administrators use these services to make their file systems readable and writable, in an effort to improve the convenience of data access. When file sharing is enabled on Windows machines, they become vulnerable to both information theft and certain types of quick-moving viruses. The same NetBIOS mechanisms that permit Windows file sharing may also be used to enumerate sensitive system information from Windows NT systems. User and group information (usernames, last logon dates, password policy, etc.), system information, and certain registry keys may be accessed via a NULL session connection to the NetBIOS session service. This information is typically used to mount a password guessing or brute force password attack against a Windows NT target.

Flipping Bits

Research has proved that an attacker could flip certain bits (bit flipping) in the frame and change the integrity check value without the knowledge of the user. At the receiving end, no error on tampering would then be reported. Though this attack is difficult to carry out, it is possible to do it and has been proved. Encrypt the 802.11 frames within layer 3 (network layer) wrappers, so that any tampering cannot go undetected. An IPSec tunnel or TKIP (temporal key integrity protocol) can be used to thus strengthen the security.

WLAN SECURITY SAFEGUARDS

Wireless networks can never be security-risk free. Being risk free is an ideal concept that just does not exist. But we can try our best to minimize the possible attacks. Some security steps are listed here (Held, 2003; Hurton & Mugge, 2003; Issac et al., 2005).

1. To start with, WEP 104-bit encryption should be enabled, with possible rotation of keys. WPA, with TKIP/AES options, can be enabled. Upgrade the firmware on the AP to prevent the use of weak IV WEP keys. This strong encryption is the first line of defense. The WEP key shall be a very random alphanumeric combination. In order to overcome the weakness in the current 802.11b WLAN standard, IEEE Task Group i has come out with a draft version of the 802.11i standard. The 802.11i standard explains the usage of a 48-bit IV in temporal key integrity protocol (TKIP) that helps to minimize cryptographic attacks against the WEP key, brute force attack, and the weakness of static key. TKIP is a short-term solution to the WEP key (Walker, 2002). TKIP also helps to prevent undetected modification to the WEP key by providing an 8-byte message integrity code (MIC). Furthermore, counter mode cipher block chaining with message authentication codes (counter mode CBC-MAC or CCMP), which will be the long term security solution introduced by the 802.11i standard, uses the advanced encryption standard (AES), which encrypts data in 128-bit chunks using cipher block chaining (CBC) mode, and provides data integrity checks via medium access control (MAC) (Vocal Tech. Ltd., 2003). However, equipment bundled with the 802.11i standard has yet to step into the market.

2. Ensure that mutual authentication is done through the IEEE 802.1x protocol. Client and AP should both authenticate to each other. Implementing IEEE 802.1x port based authentication with a RADIUS server (with PEAP/MS-CHAPv2) can be a second level of defense.

3. Turn off the SSID broadcast by the AP and configure the AP not to respond to probe requests with SSID "any" by setting your own SSID. Knowledge of the SSID can be a stepping-stone to other attacks.

4. Change default WEP settings, if any. For example, the Linksys AP WAP-11 comes with default WEP key one: 10 11 12 13 14 15, default WEP key two: 20 21 22 23 24 25, default WEP key three: 30 31 32 33 34 35 and default WEP key four: 40 41 42 43 44 45.
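To put the 24-bit versus 48-bit IV point of item 1 in numbers, an added calculation (written for this edit, not from the chapter or any source it cites): how long a WEP IV counter lasts at the 802.11b and 802.11a/g bit rates given in the DoS section, how soon a randomly chosen IV repeats, and how TKIP's 48-bit IV changes that. The 1500-byte frame size and the one-half MAC efficiency are assumptions.

```python
import math

WEP_IV_BITS = 24    # WEP per-frame initialization vector
TKIP_IV_BITS = 48   # extended IV/sequence counter introduced with TKIP (802.11i)

def frames_per_second(bit_rate_mbps, frame_bytes=1500, mac_efficiency=0.5):
    """Frames a radio channel carries per second.  Effective throughput is
    taken as half the nominal rate, as the DoS section states; the 1500-byte
    frame size is an assumption."""
    return bit_rate_mbps * 1e6 * mac_efficiency / (frame_bytes * 8)

def seconds_until_counter_wraps(iv_bits, fps):
    """A sequential IV counter repeats, and with it the RC4 keystream for a
    static key, once every 2**iv_bits frames."""
    return 2 ** iv_bits / fps

def frames_until_random_collision(iv_bits, prob=0.5):
    """Birthday bound: frames after which an IV repeat is at least `prob`
    likely when a card picks IVs at random instead of counting."""
    return math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - prob)))

def iv_reuse_summary(bit_rate_mbps):
    """Time-to-reuse figures for one cell running at the given nominal rate."""
    fps = frames_per_second(bit_rate_mbps)
    year = 365 * 24 * 3600
    return {
        "frames_per_second": fps,
        "wep_counter_wrap_hours": seconds_until_counter_wraps(WEP_IV_BITS, fps) / 3600,
        "wep_random_collision_seconds": frames_until_random_collision(WEP_IV_BITS) / fps,
        "tkip_counter_wrap_years": seconds_until_counter_wraps(TKIP_IV_BITS, fps) / year,
    }

if __name__ == "__main__":
    for rate in (11, 54):   # 802.11b and 802.11a/g nominal bit rates
        print(rate, "Mbps:", iv_reuse_summary(rate))
```

With 2^24 IVs a busy 802.11b cell reuses keystream within hours and random IV selection collides within seconds, whereas the 48-bit TKIP counter pushes the wrap far past the useful life of any key, which is why item 1 treats the longer IV as the fix for the static-key weakness.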