
A Study of WLAN Security 1

A Study of Wireless Local Area Network Security

By: Adrian M. Mayers

CS 390 Local Area Networks

Professor Ron Price

March 12, 2004



A Study of Wireless Local Area Network Security

Local area networks (LANs) are the cornerstones of modern business

communications. The ability for workers to share resources and communicate with

each other seamlessly is truly a monumental leap forward in business operations.

Nevertheless, progress and innovation are not things that can be tamed or quelled.

They are constantly perpetuating themselves forward, but not without obstacles and

challenges. LAN technology is no different in this regard. The natural progression for

LAN technology to break its wire-based constraints has spawned a new form of

network technology called wireless local area networks (WLANs). The

implementation of WLANs has been limited due to challenges. The purpose of this

report is to review what types of security measures are available for WLANs in order

to determine if they are safe for home and business use. This will be accomplished

by analyzing the risks involved with using WLAN technology in a home or business

environment, identifying threats, observing the evolution of the 802.11 standard from

a security aspect, and cataloging security tips that can be applied to a WLAN in

order to mitigate security risks.

WLANs are based on the same fundamental principles of wired LAN

technology, but have ventured beyond by allowing devices and users to interoperate

without wire connections. WLANs use high frequency radio waves to transmit data

from one node to the next. This is accomplished by using access points that are

wired to an Ethernet LAN. Data travels at 2.4GHz from the access point to the node.

The high frequency radio waves can penetrate walls and floors up to 1000 feet from

the access point.

The standards that govern WLAN specifications are attributed to the

Institute of Electrical & Electronics Engineers better known as IEEE. The institute is a

non-profit organization with 360,000 members in 175 countries. “IEEE is a leading

authority in technical areas ranging from computer engineering, biomedical

technology and telecommunications, to electric power, aerospace and consumer

electronics, among others” (IEEE, 2004). The IEEE formed a workgroup dubbed

802.11 in 1972. The 802.11 standards are defined as “wireless standards that

specify an "over-the-air" interface between a wireless client and a base station or

access point, as well as among wireless clients. [The] specifications address both

the Physical (PHY) and Media Access Control (MAC) layers, and are tailored to

resolve compatibility issues between manufacturers of Wireless LAN equipment.”

(IEEE Wireless Standards Zone, 2004).

WLANs share other things with wired LANs besides fundamental

technology. They also share the unrelenting attacks from hackers and crackers.

They are well-trained individuals who reside in the dark shadows of the computer

technology world, and they thrive on infiltrating systems for fun, or for personal

financial gain. Their assortment of tricks includes, but is not limited to denial of

service (DoS) attacks, viruses, SPAM, and thefts of trade secrets. WLANs are just

the latest realm on which they can wreak havoc. “Because they use radio signals,

wireless networks are inherently vulnerable to hackers.” (Ellison, 2003). The radio

signals used in WLANs can permeate beyond the physical boundaries of a house or

an office, “"war drivers," who roam the streets with notebooks looking for "open" or

insecure networks” (Ellison, 2003) are simply mobile hackers looking for prey.

Unfortunately nowadays the tools required to hack are not hard to acquire. “All it

takes to breach an unsecured wireless network is a wireless-enabled notebook or

PDA, some free downloadable software and a bit of spare time. That's why any

wireless network, whether for Mom and Dad at home or an enterprise with

thousands of employees, needs to take wireless security seriously.” (Ellison, 2003).

No one is spared from the incessant attacks as Ellison points out. Blackwell

reiterates the point about WLAN vulnerabilities by saying that, “WLAN signals are

prone to being intercepted well outside the facility in which the network resides.”

(Blackwell, 2002). Once a hacker enters a WLAN it is similar to having a tapeworm in

your body. The hacker takes, and never gives anything positive in return. “With a

range of up to 300 feet or more, depending on the antenna, the transmissions can be

intercepted by anyone inside that radius with the proper equipment. And once

intruders attach to an unsecured access point, they have access to your network and

your Internet connection. They can potentially open or delete files or use your mail

servers to launch a spam or denial-of-service attack.” (Ellison, 2003).

IEEE took security into account when they were developing the

standards. It wouldn’t be fair to leave the consumer completely defenseless while

operating a WLAN. IEEE realized that the most vulnerable component in the WLAN

communication process was the data that was being transmitted by high frequency

radio waves. Their solution was to focus on an encryption scheme that would thwart

attackers from reading or altering transmitted data. “In 1997, the IEEE adopted the

encryption-based WEP (Wired Equivalent Privacy) standard as a means to ensure

wireless security”. (Ellison, 2003). WEP is defined as a standard that “allows the

administrator to define a set of respective "Keys" for each wireless network user

based on a "Key String" passed through the WEP encryption algorithm. Access is

denied by anyone who does not have an assigned key.” (Austin Wireless Net, 2002).

In turn the WLAN hardware manufacturers built these security measures into their

devices. The problem is that, “Virtually every wireless network product is shipped

with security features turned off, and most users never bother to turn them on.”

(Ellison, 2003). Consumers do not rectify the problem once they get the product

home or to the office; “many people never return to their settings once they've

installed their wireless LANs. They either forget or avoid turning on WEP”. (Ellison,

2003). Business firms are also guilty of not enabling the security settings on their

WLAN equipment, “of 500 firms recently polled by Jupiter Research, less than half

have implemented security solutions for their wireless networks”. (Ellison, 2003).

Security settings can only work if they are turned on. However, the WEP security

solution is not entirely effective. “Even if you've enabled WEP (Wired Equivalency

Protocol) encryption, the flaws in that standard are well-documented, and hackers

can pretty easily break into WEP-protected network. You need WPA (Wi-Fi

Protected Access), a far stronger protocol that fixes the weaknesses in WEP.”

(Ellison, 2003).

WPA was developed by the Wi-Fi Alliance: “A nonprofit trade

organization, the Wi-Fi Alliance has three purposes: To promote Wi-Fi worldwide by

encouraging manufacturers to use standardized 802.11 technologies in their wireless

networking products; to promote and market these technologies to consumers in the

home, SOHO and enterprise markets; and last but certainly not least, to test and

certify Wi-Fi product interoperability.” (Wi-Fi Alliance, 2004). Members of the Wi-Fi

Alliance decided to take security matters into their own hands and brought WPA to

the marketplace. WPA works as follows: “When WPA is enabled, a client card first tries

to associate with the access point (AP). The AP blocks access to the WLAN until the

user's credentials can be approved by the authentication server. After accepting a

user's credentials, the authentication server produces a unique 128-bit master

session key that TKIP distributes to the user and the AP. The user then joins the

WLAN, and WPA sets up a key management mechanism that automatically



generates a different key for each packet transmitted. The advantages of WPA over

WEP are considerable: industrial-strength authentication and encryption as well as

dynamic key allocation”. (Erlanger, 2003). Erlanger refers to TKIP (Temporal Key

Integrity Protocol), which can be defined as a protocol that, “can dynamically change

the encryption key used to send data across the network between authenticated

network nodes. It can even use a different key for every single packet of data sent.

The basic idea is simple: It's much harder to hit a moving target.” (Ellison, 2003). It is

clear that manufacturers would not be willing to invest capital into this technology if

they could not sell the end product to customers. With the well-publicized security

issues related to WLANs the Wi-Fi Alliance had no choice but to take action and

create a certification program called Wi-Fi Certification that would give consumers

peace of mind about purchasing WLAN hardware. Manufacturers agreed this was a

good move for the industry, and now, “all major manufacturers use WPA-compatible

chipsets, and all products submitted for Wi-Fi certification must also pass WPA

interoperability tests.” (Ellison, 2003). There is definite strength in numbers. With all

interested parties collaborating on possible solutions, WPA is a step in the right

direction towards securing WLANs. The ability to encrypt each packet is critical to

secure communications. The journey continues with the IEEE development of

802.11i security standard also known as WPA2.
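
An added example, not part of the original paper, showing why the per-packet keys described above matter. It relies on two facts the paper does not spell out: WEP and TKIP both use the RC4 stream cipher, and WEP builds each packet key from a 3-byte IV followed by the static shared key. The HMAC-based `per_packet_key` is a stand-in for TKIP's real key-mixing function, and all keys and packets are constructed.

```python
import hashlib
import hmac

def rc4(key, data):
    """RC4, the stream cipher used by both WEP and TKIP; encrypt == decrypt."""
    s, j = list(range(256)), 0
    for i in range(256):                          # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                             # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_style_encrypt(shared_key, iv, plaintext):
    """Static shared key: the RC4 key is the 3-byte IV followed by the shared key."""
    return rc4(iv + shared_key, plaintext)

def per_packet_key(session_key, packet_number):
    """Stand-in for TKIP key mixing (HMAC-SHA256 here, NOT the real TKIP function)."""
    counter = packet_number.to_bytes(6, "big")    # 48-bit packet counter
    return hmac.new(session_key, counter, hashlib.sha256).digest()[:16]

def per_packet_encrypt(session_key, packet_number, plaintext):
    return rc4(per_packet_key(session_key, packet_number), plaintext)

def leaks_plaintext_xor(c1, c2, p1, p2):
    """True when two ciphertexts were produced with the same keystream."""
    return xor(c1, c2) == xor(p1, p2)

# Constructed sample data.
P1, P2 = b"GET /payroll HTTP/1.0", b"user=alice&pin=4821.."
SHARED_KEY = bytes.fromhex("0102030405")          # 40-bit static key
SESSION_KEY = bytes(range(16))                    # 128-bit session key

def demo():
    iv = b"\x00\x00\x01"                          # the same IV seen on two packets
    static = leaks_plaintext_xor(wep_style_encrypt(SHARED_KEY, iv, P1),
                                 wep_style_encrypt(SHARED_KEY, iv, P2), P1, P2)
    mixed = leaks_plaintext_xor(per_packet_encrypt(SESSION_KEY, 1, P1),
                                per_packet_encrypt(SESSION_KEY, 2, P2), P1, P2)
    return static, mixed                          # (True, False)
```

With a static key and a repeated IV, the XOR of two ciphertexts equals the XOR of the two plaintexts, so an eavesdropper learns about the traffic without ever recovering the key; with a fresh key per packet that relationship disappears.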

802.11i was slated to be available in early 2004. This new security

standard has focused on the vulnerability of data packets being transmitted. WPA

laid a solid foundation for 802.11i to add an industrial strength encryption scheme

called Advanced Encryption Standard (AES). AES uses a longer encryption key for

data packets, which renders them virtually unhackable. AES will be the new

encryption standard used by organizations within the United States Federal



government for sensitive unclassified information. It will be referred to in the Federal

Information Processing Standard (FIPS) Publication as the recommended encryption

scheme. “This spec promises to improve the notoriously poor security for wireless

networks, with improvements coming in the area of authentication, encryption, and

message integrity.” (Salvator, 2003). AES will come at a price, as good things

sometimes do: “802.11i will probably require considerably more processing power.”

(Erlanger, 2003). 802.11i is yet another significant step towards secure WLAN

operations. “Wireless security based on this new standard will be essentially

bulletproof and will meet government standards for security.” (Ellison, 2003). Other

things can contribute to better security on a WLAN.

There are certain inherent security tips that should be followed when

operating a WLAN, “

• Change the default SSID (network name) on your router/AP. The default
SSIDs of commonly available hardware are well known to hackers. Your SSID
should not contain information that would give away your company name or
location.

• If your router/AP supports it, consider disabling the SSID broadcast. It will
prevent the casual war driver from detecting your network.

• Change the administrator's password on your router/AP. Hackers know the
default passwords for all of the major hardware brands and, with your
password, could reconfigure your router/AP, leaving you unable to access it.

• Turn on the highest level of security that your hardware supports. Even if you
have older equipment that supports only WEP, be sure to enable it, using the
128-bit setting. Despite its bad rap as an ineffective solution, it will still deter
most hackers.

• Check your hardware manufacturer's Web site for firmware and driver
upgrades. Most provide updates that include WPA support for recent
products.

• Consider implementing media-access control (MAC) filtering, which lets you
specify a list of MAC addresses for wireless network adapters allowed to
access the network; excluding all others. Skillful hackers can "spoof" a valid
MAC address to gain entry to your network, but it's one more barrier to entry
that will make them move on to easier prey.

• If your router/AP supports SNMP, change the community names to non-obvious
choices. This will prevent hackers from managing your device using
standard community names and SNMP management software. If you don't
use SNMP, disable this feature (if your router allows you to).

• Carefully consider the placement of each router/AP. If you don't need wireless
access outside your building, place your APs toward the center of your home
or office to minimize how much signal radiates outside.

• If you have a limited number of wireless clients, consider providing them with
static IP addresses, and then disable DHCP on your router. This will make it
more difficult for a hacker to learn about your network.

• In an enterprise, consider placing your wireless LAN in a separate VLAN, and
have your wireless clients tunnel into your network using VPN software. This
approach is an especially good idea if your hardware doesn't support WPA
and cannot be upgraded to support it. VPNs provide secure, industry-standard
IP Layer 3 encryption. Small to midsize office products, such as the Netgear
FVM318 or SonicWall SOHO TZW, let you isolate your wireless LAN from
your wired LAN and use VPN technology for secure connections between the
two network segments.

• When using public hot spots, be aware that they are very insecure. All the
network traffic between your notebook or PDA and a hot spot's AP will be
unencrypted, since virtually no hot spot provider enables security. If you
frequently use public hot-spot services, run firewall software like Zone Alarm
and be sure to disable Windows file and print sharing.

• If you have VPN software, consider using it. That way, all of your network
traffic at the hot spot will be encrypted from your notebook to your VPN
endpoint.

• Turn off file and print sharing on your computer. Most hot-spot access points
do not prevent client-to-client traffic, so the person sitting across from you in
the coffeehouse could be poking around in your shared directories on his
notebook.” (Ellison, 2003)
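
An added example, not part of the original paper or of Ellison's article: the router/AP items from the checklist above turned into an automated configuration check. The `key = value` export format, every setting name, the finding names and the lists of factory defaults are hypothetical and constructed for illustration.

```python
# Sample factory values, constructed for illustration; extend from vendor documentation.
DEFAULT_SSIDS = {"linksys", "netgear", "default", "wireless"}
DEFAULT_PASSWORDS = {"", "admin", "password", "1234"}
DEFAULT_COMMUNITIES = {"public", "private"}
RANK = {"none": 0, "wep64": 1, "wep128": 2, "wpa": 3}
# A key missing from the export is treated as its (assumed) out-of-the-box state.
FACTORY_STATE = {"ssid": "", "ssid_broadcast": "on", "admin_password": "",
                 "security": "none", "mac_filter": "off", "snmp": "off",
                 "snmp_community": "public", "dhcp": "on"}

def parse_settings(text):
    """Parse 'key = value' lines of the hypothetical export; '#' starts a comment."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings

def audit(settings, org_words=(), best_supported="wpa"):
    """Return the sorted names of checklist items this configuration fails."""
    s = {**FACTORY_STATE, **{k: v.lower() for k, v in settings.items()}}
    on = lambda key: s[key] in ("1", "yes", "on", "true")
    failed = {
        "default-ssid": s["ssid"] in DEFAULT_SSIDS,
        "ssid-identifies-owner": any(w.lower() in s["ssid"] for w in org_words),
        "ssid-broadcast": on("ssid_broadcast"),
        "default-admin-password": s["admin_password"] in DEFAULT_PASSWORDS,
        "security-below-best-supported": RANK.get(s["security"], 0) < RANK[best_supported],
        "no-mac-filter": not on("mac_filter"),
        "default-snmp-community": on("snmp") and s["snmp_community"] in DEFAULT_COMMUNITIES,
        "dhcp-enabled": on("dhcp"),
    }
    return sorted(name for name, is_failed in failed.items() if is_failed)
# Constructed sample exports: an access point as shipped, and the same unit after hardening.
AS_SHIPPED = """
ssid = linksys
ssid_broadcast = on
admin_password = admin
security = none
snmp = on
snmp_community = public
dhcp = on
"""
HARDENED = """
ssid = bluefinch-7
ssid_broadcast = off
admin_password = constructed-long-passphrase
security = wpa
mac_filter = on
snmp = off
dhcp = off
"""
```

Pass `best_supported="wep128"` for older hardware that cannot be upgraded to WPA, so the check reflects the tip to enable the highest level the equipment supports.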

Conclusions

With the new 802.11i security standard and security tips, a compelling

argument can be made for why WLANs should be used in the home and the office.

The concept of total mobility is not going away. The trend in the high technology

sector will continue towards access to information anywhere, anytime. Granted, the

initial 802.11 standard had serious security issues, but the development of WEP was

a start in the right direction. WPA also made a strong push in the right direction. The

industry made a conscious effort to strengthen the weakest link. “Both WPA and

802.11i show that the wireless LAN industry is finally getting serious about security.

Whether you use a WLAN at home or in an enterprise, you should definitely take

advantage of the improved protection WPA has to offer.” (Erlanger, 2003).

When 802.11i becomes available many more people may consider WLANs as a

viable alternative to traditional wired LANs. The strong selling feature with 802.11i is

the fact that it uses an encryption scheme that is adequate for the United States

Federal government. It is clear that the government would not endorse AES if it were

not sound and effective. Thus with all the schemes and protocols like WEP, WPA,

TKIP, SSID, and AES it would be a hard case to state that WLANs are still insecure.

If no major threats against 802.11i are identified then I feel that WLANs are a

feasible option for home and office use. Ellison summarizes it best by writing, “The

most important point to take away from any discussion of WLAN security is that there

is a need for it.” (Ellison, 2003) The need for security may never disappear, but there

will always be groups working diligently to develop countermeasures for hacking.

References

Austin Wireless Net (2003, October). Retrieved March 13, 2004 from the World Wide Web: http://www.austinwireless.net/cgi-bin/index.cgi/Glossary

Blackwell, G. (2002, January). Serious WLAN Security Threats: Part 1. Wi-Fi Planet Magazine, 2 paragraphs. Retrieved February 7, 2004 from the World Wide Web: http://www.wi-fiplanet.com/columns/article.php/949891

Ellison, C. (2003, June). Removing Security Roadblocks. PC Magazine, 4 paragraphs. Retrieved February 6, 2003 from the World Wide Web: http://www.pcmag.com/article2/0,4149,1244281,00.asp

Ellison, C. (2003, October). Keeping your Wireless Network Secure. Extreme Tech Magazine, 8 paragraphs. Retrieved February 7, 2004 from the World Wide Web: http://www.extremetech.com/article2/0,3973,1309268,00.asp

Erlanger, L. (2003, August). Real Security for Wireless LANs. Extreme Tech Magazine, 2 paragraphs. Retrieved February 14, 2004 from the World Wide Web: http://www.pcmag.com/article2/0,4149,1244262,00.asp

IEEE Wireless Standards Zone (2004, January). Retrieved February 6, 2004 from the Internet: http://standards.ieee.org/wireless/overview.html#802.11

Institute of Electrical and Electronics Engineers, Inc. (2004, January). Retrieved February 6, 2004 from the World Wide Web: http://www.ieee.org/portal/index.jsp?pageID=corp_level1&path=about&file=index.xml&xsl=generic.xsl

Salvator, D. (2003, September). Picking the Right Topology. Extreme Tech Magazine, 2 paragraphs. Retrieved February 14, 2003 from the World Wide Web: http://www.extremetech.com/article2/0,3973,1259139,00.asp

Wi-Fi Alliance (2004, January). Retrieved February 6, 2004 from the World Wide Web: http://www.wi-fi.org/OpenSection/FAQ.asp?TID=2#WECA
