July 2nd, 2004, 08:28 PM
Introduction to Securing a Wireless Network.
I tried to gear this towards someone that has absolutely zero computer knowledge, so bear with me… I have no idea what audience this would be most useful to (if any).
---How to Secure a Wireless Network
It’s amazing how many people assume that their network devices are totally secure right out of the box. In households especially, people hear that wireless routers work “just like firewalls” or “have a firewall built in”….but that’s not nearly enough security. Here's a great tutorial to explain the flip side of the coin.
First things first
I would still say that that a number one priority is to lock down each individual computer on any given network with the works (updated firewall and routine scans with updated AntiVirus, Anti-Trojan, and Anti-spyware/malware). Wireless networks are especially known for being vulnerable so just in case yours is penetrated – give ‘em a whole ‘nother layer to fight through.
SSID – Service Set Identifier
The SSID has been referred to as a password – which I believe to be somewhat inaccurate because the SSID’s primary purpose is to differentiate between WLANs (Wireless Local Area Networks). This is more like simply naming the networks than password protecting them. In fact, the SSID is sometimes called the “network name”. However! The SSID does have a part to play when it comes to the security of a wireless network. Without the SSID, no device (like the laptop in the hands of John Doe standing outside your building…) can connect to the network. The SSID is required to connect to any Access Point (AP). The problem is that this SSID is usually incredibly easy to get a hold of because simple devices (like netstumbler) can “sniff” or read the SSID from data packets in transit….the SSID is in plain text. Also, even if the network has been secured to the point where the SSID is not being transmitted or is encrypted, it is still easy to guess the SSID because all devices come with a default factory setting SSID and these factory default settings are known to people that wish to have access to your network… So what do you do with the SSID to make it work for you instead of against you? First – change it to anything other than the settings it came with. Next – keeping your network from broadcasting the SSID may be a good idea. The problem is that this will apparently cause the network to be less efficient and a dedicated attacker that has their sites set on your network will probably not be thwarted by this precaution. Last (and probably best) – use a reliable form of encryption to encrypt the SSID (for God’s sake don’t leave it in plain text), thus making it difficult to even interface with any AP on your wireless network. Also - anything that encrypts everything that is sent over the network should also encrypt the SSID. More on encryption in the next paragraph. Taking these simple steps will deter upwards of 90% of people trying to gain unauthorized access to your network because there are many networks out there that are easier to access and yours is not worth the trouble. ;D.
WEP- Wired Equivalent Privacy
Wireless networks are inherently less private than their wired counterparts, thus we have WEP. WEP is a security protocol designed specifically for wireless networks. It is designed to be a very effective deterrent against any attackers and it does so by encrypting all information that is sent from one place to another through the network. WEP is an excellent deterrent against the casual attacker and can keep a dedicated attacker busy for the better part of the day. (During this time, you have an opportunity to notice any vehicles with antenna sticking out of it like a porcupine sitting outside your building - or any people on the street with laptops that have been there for a long time). The problem with WEP is that it’s not the uncrackable protocol that it’s commonly advertised to be. Studies have proven that WEP in actuality is relatively easy to crack and any dedicated attack can break through the encryption. Also, the newer version with the so-called 128-bit encryption key does not quite live up to its claims (though the 128-bit is at least stronger than the 40-bit).
TKIP – Temporal Key Integrity Protocol
The problem with WEP is that since the same key was reused over and over again, an attacker had ample time to crack the encryption. TKIP is a temporary solution (like a patch) until something stronger and better is available.
(Source). The actual key used in this process is also changed automatically after every 10,000 packets sent. This makes the encryption substantially more difficult to crack and provides a smaller window of opportunity. This protocol is a direct upgrade to WEP and a WEP network with hardware that’s meant to only function with WEP will work with TKIP after some simple patches.
The TKIP process begins with a 128-bit "temporal key" shared among clients and access points. TKIP combines the temporal key with the client's MAC address and then adds a relatively large 16-octet initialization vector to produce the key that will encrypt the data. This procedure ensures that each station uses different key streams to encrypt the data.
WPA is the next step in security over WEP. WEP can be upgraded directly to Incorporate WPA with "firmware patches". TKIP is actually a part of WPA so refer back to that to see how it affects network encryption. WPA combines two protocols to provide dynamic key encryption (with TKIP) and mutual authentication (as opposed to one way) - something not found in WEP.
WPA also checks the integrity of all information sent over the network.
For authentication, WPA uses a combination of open system and 802.1x authentication. Initially, the wireless client authenticates with the access points, which authorizes the client to send frames to the access point. Next, WPA performs user-level authentication with 802.1x. WPA Interfaces to an authentication server, such as RADIUS or LDAP, in an enterprise environment. WPA is also capable of operating in what's known as "pre-shared key mode" if no external authentication server is available, such as in homes and small offices.
The biggest weakness with WPA is that it does nothing to defend against DoS attacks.
WPA implements the message integrity code (MIC), often referred to as "Michael," to guard against forgery attacks. WEP appends a 4-byte integrity check value (ICV) to the 802.11 payload. The receiver will calculate the ICV upon reception of the frame to determine whether it matches the one in the frame. If they match, then there is some assurance that there was no tampering. Although WEP encrypts the ICV, a hacker can change bits in the encrypted payload and update the encrypted ICV without being detected by the receiver. WPA solves this problem by calculating an 8-byte MIC that resides just before the ICV.
A firewall can be used as a seperate defense to work against DoS attacks.
An issue that WPA does not fix yet is potential denial of service (DoS) attacks. If someone, such as a hacker or disgruntled employee, sends at least two packets each second using an incorrect encryption key, then the access point will kill all user connections for one minute. This is a defense mechanism meant to thwart unauthorized access to the protected side of the network.
Much was quoted in this section b/c it was added spur-of-the moment. Still my fault for not putting it in originally...but here's the source. He worded stuff better than I would have anyway.
AES – Advanced Encryption Standard
The name explains a lot of what this is supposed to be. It was developed fairly recently by the government to replace “DES” which used only a 56-bit key…not secure at all by today’s standards. AES was proclaimed the standard for government encryption in May, 2002. AES is made to be flexible so it can be used for almost anything and will be useful for the business world. The problem is that it’s expensive...it’s especially costly to implement because all access points and NICs must be “upgraded” (probably replaced) just to be able to use it. It's also known to be a serious "resource hog". AES is designed to be an extremely efficient encryption system though. It’s designed to be able to handle more information faster – it can encrypt and decrypt quickly as well as change encryption keys without slowing the process. This baby uses true 128-bit encryption keys and is capable of using 192-bit or even 256-bit keys if needed – as of right now darned near impossible to crack (in theory). Then there's Moore's law... This is the new standard in encryption. The only foreseeable problem is that it is relatively new…and has yet to be tested against real world attacks. Of course it’s been tested with brute forcing tools of all kinds and some laboratory attempts at hacking it…but little is known about it’s real-world effectiveness. Anyway, if you can afford it, this is supposed to be the strongest data encryption system available for practical use.
This is an extremely effective protocol. It uses digital certificates to make authentication very effective and also dynamically assigns encryption keys to LAN devices to completely eliminate the problem with WEP reusing encryption keys. 802.11 Protocols
More on 802.11 (scroll halfway down page).
Make People Login
Set up the network so that everyone has to login with a valid username and password before they are allowed to do anything. This is probably the most ancient method of security on the web and continues to be effective. Everyone that is allowed access to the network will have their own username and password (preferably one that’s not easy to crack – no dictionary words, lowercase and capitol letters and a few numbers somewhere is not unreasonable. For an admin account – also throw in both regular symbols and special symbols). You can protect against brute force attacks by configuring any login prompt to lock a user out after 5 unsuccessful attempts in a row. The problem with this will be when somebody forgets their password they’ll have to come running to you and that’s one more thing to take care of.
Limit the Range of the Network
You’re just asking for an attack if someone can pick up your network signal from half a mile away, so try and confine the broadcast radius to just barely meet your needs. If someone has to sit up against the wall of your building just to get any kind of reading on your network, it becomes much less attractive and makes people trying to get into your network easier for anyone (you, security, or police) to spot.
Network Wide (outer) Firewall
A network’s firewall is capable of defending against attacks by limiting access (of anything) to only those ports and functions that are needed – eliminating vulnerabilities and thus making the network more secure. A good firewall should also be able to defend against those annoying DoS attacks. Another benefit is that any AP behind the firewall won’t announce itself to the world, making you even less likely to get hacked.
MAC – Media Access Control
MAC address uniquely identifies each piece of hardware that is connected to the network. It’s possible to disallow access to any piece of hardware with an unknown MAC address, thus making the network a little more secure. These are spoofable (tho not easily I’m told) but having this certainly can’t hurt.
DHCP (dynamic host configuration protocol) is what automatically assigns IP addresses to users that need one. A common “method of defense” is to configure your router to only allow certain IP addresses and use a static set of IP addresses (i.e. all nodes on the network already have a specifically assigned IP address), when all devices are on and all allowable IP addresses are being used, the router will not allow access to anything else. This is actually easy to get around (ie – a single inactive device frees up an IP for an attacker to use and all IP info is easily sniffed) but it’s an option. MAC is actually much more effective.
If anyone has links to other related and specifically more indepth tutorials on any specific subject I touched on, plz post them. I did not copy and paste this and the people I've been bugging for the past two days can vouch for me. You can probably tell anyway cuz I'm sure I said something in there somewhere that's kinda off... I did however get ideas for things in this tutorial from several other sources.
Same by SicyourIT
Here's a link to Wi-Fi terminology.
Please correct me if I'm wrong about anything and feel free to add stuff.