Wireless LAN Security


White Paper

Secure Solutions

Philippe Bouvier, Thales Security Systems

WIRELESS LAN SECURITY

1. INTRODUCTION
People today work as nomads and want to be always online, always connected. Technology that is in line with this desire also coincides with company needs. The purpose of this White Paper is to focus on one such technology, the wireless local area network (WLAN), and its security strengths and weaknesses. There are similarities between the explosive growth of the Internet and the rapid growth of WLAN. Like any new technology, WLAN has led to new needs and behaviours. Today WLAN is a de facto solution adopted by users around the world. However, just as security was not a top priority in the first decade of Internet use, so WLAN security has not been of utmost concern. Yet, as recent papers by security scientists make clear, some security criteria must be taken into account in order to prevent unauthorised exploitation of resources. WLAN allows a user with a laptop and a wireless card to access a network via radio communications media. Security is a concern in two main areas. First, the user needs to be sure he is connected to the appropriate network rather than a fake one, and he wants to assure the confidentiality of the data he transmits. Second, network administrators need to configure the WLAN for which they are responsible in a way that is meant to ensure that only authorised clients have access. However, such native security (included in WLAN technology) is not, in fact, secure enough. Thus the rise in popularity of WLAN has been accompanied by an equivalent increase in security concerns about the new technology. This paper first explains how it is possible for unauthorised users to breach security measures and gain access to a company network; it then recommends security techniques that may be added to the basic ones, and notes that an alternative is to wait for new standards to be approved and followed by vendors.
May 2003

It must be pointed out that, unfortunately, when it comes to security concerns, there is no absolute defence and the stronger the defence, the stronger the attacks will tend to be. Note: WLAN is based on a very fast-growing technology. This White Paper is published in the second quarter of 2003, and may be outdated by the third quarter of 2003.

2. 802.11 WIRELESS LAN TECHNOLOGY TODAY

2.1. NEW NEEDS AND NEW THREATS
A number of standards exist in the marketplace today, and others are in development. This situation generates confusion inasmuch as vendors make technology choices that are not well understood by clients. As the process of developing standards is not yet complete, and gaps still exist in terms of security measures, vendors interpret the standards and complement them with their own technology. Vendors are thus committed to supporting a wide range of standards. Within this jungle of standards and vendor solutions, it is hard for customers to select one product or another with a genuine understanding of the implications of their choice. A WLAN is an extension of a wired network or standard LAN. A basic hardware installation involves connecting access points to the wired network and equipping personal computers and laptops with WLAN cards. Because of the explosive growth of the Internet, along with the security risks involved when a corporate network is connected to the Internet, network administrators have installed firewalls to protect local networks and act as security gates. In radio communications, however, frontiers are not easy to define and to protect, as they are virtual.


Solutions that can minimise risks of intrusion on a WLAN are not bullet-proof, as we will see. Among the many reasons for a company to choose a WLAN solution are that it does not require a cable plant, it enhances mobility and it facilitates ad-hoc relationships. Within a company's offices, people move from their desks to meeting areas, conference rooms, etc. Staying connected to voice mail, mailbox or intranet while moving around the company buildings is next to impossible with a system where staff members would always have to keep a LAN wire with them and expect a plug to be active near the place they are going to (sometimes it is necessary to ask the network administrator to activate a wall plug). Also, in old buildings or rented ones, considerable investment and time are required to cable the premises for a network.

Compared to LAN, a WLAN can be installed quickly, and furthermore it is easily removed, so the investment stays in the hands of the company. A WLAN installation can be accomplished in days rather than weeks. Once the wireless access points are attached to wired high-speed networks, nomad users can connect to the corporate network, at broadband speeds, from a conference room, the cafeteria, or even a bench outside the building. For training courses or business meetings, ad-hoc wireless connections can be made, and removed afterwards.

As far as security is concerned, WLAN standards will define some specific solutions (with robust security), but they are not yet on the market. Consequently major security problems have arisen in early WLAN installations. Vendor marketing leads many organisations to believe that the security provided by wireless access points can cope with the risks and prevent unauthorised access and use. Some companies installing WLAN do not apply the basic security features, and thus are vulnerable to unauthorised use of their internal system.

As security test labs discover various types of vulnerability, they publish the information, so companies can become aware of the threats and risks they are exposed to. The basic areas of vulnerability are data encryption via a wired equivalent privacy (WEP) protocol; limitations and weaknesses in controlling access; and the broadcast nature of radio transmission. WLAN is just a new way of communicating with corporate networks. The security best practices learnt in the past should still be applied and a new security requirement should be added, given the absence of physical perimeter in radio broadcasting. Security officers must constantly be alert for intruders attempting to access the corporate network and applications. Any breach of the network weakens security and thus overall network performance. The possible consequences include lower productivity, loss of confidential data and damage to company reputation.

2.2. WIRELESS LAN STANDARDS


The Institute of Electrical and Electronic Engineers is a professional association that sets standards. The IEEE 802 Standards Committee is the leader in local area network (LAN) and metropolitan area network (MAN) standards. The committee is divided into working groups, each responsible for a specific area. The 802.11 Working Group deals with the WLAN standard. This standard, approved in 1997 as IEEE 802.11, defines three different physical layers, a media access control (MAC) function and a management function. The data rate supported is 1 and 2Mbps. Quality of service, roaming and basic security are included. The three physical layers are DSSS (direct sequence spread spectrum radio) in the 2.4GHz band, FHSS (frequency hopping spread spectrum radio) in the 2.4GHz band and IrDA (infrared data association). The need for a higher data rate (5.5 and 11Mbps in the 2.4GHz band and 54Mbps in the 5GHz band) has led the 802.11 Working Group to organise task groups. Those concerning 802.11a, 802.11b and 802.11g, for instance, focus on air interface standards, while the 802.11i Task Group concentrates on security issues. The appendix details the standards developed by these groups.

2.3. THE RADIO DOMAIN


Wireless 802.11b networks operate in the UHF band (ultra high frequency, 328.6MHz to 2.9GHz) and more specifically in the 2.4GHz band, which is divided into 14 channels. In US and Europe the allowed bandwidth is 2.4000 to 2.4835GHz.

Channel   Frequency (GHz)
1         2.412
2         2.417
3         2.422
4         2.427
5         2.432
6         2.437
7         2.442
8         2.447
9         2.452
10        2.457
11        2.462
12        2.467
13        2.472
14        2.484

The United States uses channels 1 to 11 and Europe 1 to 13.


IEEE 802.11b employs DSSS to achieve 11Mbps. As the channel bandwidth for a DSSS signal is about 20MHz, the 2.4GHz band accepts up to three non-overlapping channels: 1, 6 and 11. Three access points can thus cover the same geographical zone, offering up to 33Mbps.

Depending on the country, different spectrums are allowed at 2.4GHz, so not all the channels are possible. The same kind of problems exist with the 5GHz band but the use of this band is not allowed in all countries. The radio frequencies used are 2.4 GHz for 802.11b and 802.11g, and 5 GHz for 802.11a.

- 802.11a supports 6, 12 and 24Mbps using OFDM modulation (orthogonal frequency division multiplexing)
- 802.11b supports 1, 2, 5.5 and 11Mbps using CCK (complementary code keying)
- 802.11g, still in the draft stage, will extend 802.11b to speeds up to 54Mbps; it will be backward compatible with 802.11b but will use OFDM

Because of the higher modulation frequency used, 802.11a signals die out much faster than 802.11b. As a result, a wireless network interface card will capture a lower frequency wireless signal at a longer range than a higher frequency signal.

Figure 2.1: Wireless LAN connected to a wired ethernet LAN and roaming

During this process the client will go through three different states:

- Unassociated and unauthenticated
- Unassociated and authenticated
- Associated and authenticated

If either the association or the authentication is not performed successfully, the user cannot access the WLAN and consequently the LAN. A basic service set (BSS) is made of wireless stations that can communicate among themselves. Depending on the objectives to be served, a 802.11 wireless network can be configured in either of two modes. The IEEE standard defines the ad-hoc mode as independent basic service set (IBSS) and the infrastructure mode as BSS with APs.

2.4. WHAT IS WIRELESS NETWORKING?


A wireless local area network, as the name suggests, does not need wires for communication but instead uses radio technology to transmit and receive data. A typical WLAN has two main elements: the network interface card (NIC) and the access point (AP). The NIC is the interface between the operating system and the radio domain, through an antenna. The access point, a network device, forms a network bridge between the radio domain and the wired LAN through a standard Ethernet cable. It communicates with wireless clients by means of an antenna. One characteristic of wireless networks is that users can roam from one geographic area to another. Roaming is the ability to connect to multiple APs while maintaining the same authorised connexion. This is possible because a wireless client can be associated with more than one AP and still maintain its communications with the LAN servers (Figure 2.1). The connection of a wireless client with the LAN is simple. When a wireless client (a wireless NIC-equipped laptop) needs to connect to the LAN, it has to create a relationship with the AP: this is called the association process.

2.5. AD-HOC MODE


IBSS is designed so that each client can communicate directly with others within the network (Figure 2.2). This mode is very convenient because it is easy to set up: no network administrator is needed. No AP is necessary, nor connection to a wired network; each client has an IP address through which to communicate. This type of network is designed to be temporary. The communications are made on a peer-to-peer basis.

Figure 2.2: Ad-hoc network



2.6. INFRASTRUCTURE MODE


The infrastructure mode (a BSS with APs) is the most commonly used. Here the AP acts as the central node of the WLAN. Each user sends all communications to a central station. The AP is similar to an Ethernet bridge in a LAN. It relays communications from the WLAN to the LAN and vice versa. A set of two or more BSS forming a single sub-network is called an Extended Service Set (ESS). An ESS is a group of overlapping BSS connected together via a distribution system (DS) (in Figure 2.3 the DS is the LAN).

Figure 2.4 shows the main management and control frame types and layout.

2.7. NATIVE SECURITY MEASURES


To safeguard information travelling on WLANs, the 802.11 standard has defined basic methods for securing network accesses and radio communications.

2.7.1. SSID
The SSID is the first barrier against intrusion. Multiple SSIDs allow network administrators to define multiple BSS in the same geographic area. Each BSS has a unique SSID, which is stored in the APs. To connect to a BSS, the client must know its SSID (Figure 2.3). Note that some APs can disable the beacon default broadcast functionality (a beacon frame contains the SSID).

2.7.2. MAC address filtering


To further control access to a BSS, it is possible (but not necessary) to configure the APs with a list of allowed MAC addresses. This security measure is called MAC address filtering. Every wireless NIC has a unique MAC address based on an organisationally unique identifier (OUI) allocated to each hardware manufacturer. As this address is unique it is possible to use it in network access control. If a client's MAC address is not on the list, the AP will deny access.

Figure 2.3: Infrastructure network

To communicate with the AP, the client needs to be authenticated and associated. This is accomplished by an exchange of messages called management frames, in the following process:

- The AP transmits a beacon management frame at fixed intervals. The frame is received by all clients within range of the AP radio broadcast. A beacon management frame contains a network name, or service set identifier (SSID).
- Depending on the SSID, a client can choose which BSS to connect to (BSS1 or BSS2 in Figure 2.3).
- If no beacon frame is broadcast, the client can send a probe request management frame to find the BSS it wants to connect to, and the AP responds with a beacon frame.
- After the client has selected the AP, both parties perform a mutual authentication using management frames.
- If it succeeds, the client then needs to be associated, by sending an association management frame.

After the client is associated and authenticated, it needs an IP address to communicate with other clients. Many APs send their clients an IP address automatically (they act as a Dynamic Host Configuration Protocol (DHCP) server). Otherwise the network administrator needs to assign the client a valid IP address, which must be configured manually. After this, the client becomes a peer on the wireless network and can communicate with the LAN.

2.7.3. WEP
The WEP protocol, which is specified for encryption and authentication between clients and APs, is mainly used to increase the confidentiality of data during transmission between a client and an AP. There are two levels of WEP authentication: the open system and the shared or secret key. The default authentication protocol (the open system subtype) used in 802.11 is based on a null authentication process (i.e. it authenticates anyone who requests authentication). This allows any user to access the WLAN. An alternative authentication protocol (the shared key subtype) uses a shared key authentication process, which is based on a standard challenge-response along with a shared key. The shared key (also called secret key) is distributed by an external key management service.

In the authentication request management frame, the client indicates to the AP that it uses shared key authentication. The AP responds by sending the client a nonce (a challenge text). The client copies the nonce into a new management frame and encrypts it with WEP, using the shared key. The AP then decrypts the frame and verifies that the challenge text matches, in which case the authentication is successful (Figure 2.5). WEP is a symmetric algorithm (i.e. the same key is used for encryption and decryption). The standard only defines a 64-bit key (including initial vector or IV) but almost all vendors offer up to 128 bits (including IV).

Figure 2.5: Shared key authentication process

Authentication may be used between two clients in an IBSS. In a shared key system, only clients configured with a secret key can be authenticated by the APs. WEP provides an encrypted channel for communications between the AP and the client. The encryption algorithm used is Ron's Code 4 Pseudo Random Number Generator (RC4 PRNG), from RSA Data Security, Inc. The algorithm is based on a key (a sequence number) of 64 bits (defined by 802.11b) or 128 bits (defined by vendors). This key must be shared by the client and the AP.

Figure 2.6: WEP encryption mechanism

In WEP encryption, the shared key (40 or 104 bits long) is appended to an IV (which changes periodically and is 24 bits long). The RC4 PRNG generates a pseudo-random key for the stream. To prevent data modification, an integrity check algorithm called CRC-32 operates on the plain text and produces an integrity check value (ICV). The cipher text is obtained by an XOR operation between the key stream and the concatenation of the plain text and the ICV. The 802.11 data frame is the concatenation of the IV and the cyphered text. The receiver follows the same algorithm in reverse to retrieve the original plain text.

Figure 2.4: 802.11 frame layout

The main management frame types are:

- beacon frames: the AP broadcasts the frame regularly and frequently, announcing availability and capabilities of BSS
- probe request and response: the client sends a request for a WLAN, and the response is a beacon frame
- associate request and response: the client requests to be declared in the BSS
- disassociate (either the client or the AP)

The main control frame types are RTS (request to send), CTS (clear to send) and ACK (acknowledge).


WLAN bad practices:

- keeping the default AP configuration
- enabling broadcast of SSID
- keeping the vendor SSID
- disabling WEP
- using null authentication
- broadcasting to a public area
- using only APs to connect the WLAN to the intranet

3. KNOWN WEAKNESSES IN 802.11 WLAN


Many organisations have deployed wireless infrastructure based on the IEEE 802.11 standard, and in the process a number of weaknesses have come to light. The sections below describe the main weaknesses discovered so far.

Another potential problem is that, while employees may enjoy working on their laptops outside the building, this practice can permit unauthorised people to access the network from the streets nearby. In addition, natural repeaters (e.g. nearby antennas or windows containing iron) can extend the radio signal beyond the desired geographic area. Furthermore, unlike in a LAN, where the physical layer and the communication layer of a network are typically protected by a cable (for example a category 6 shielded twisted pair, Cat 6 STP), in a WLAN the latter layer is exposed.

3.3. SSIDS ARE EASY TO FIND


A wireless laptop equipped with software readily available over the Internet can allow a user to capture the SSID. Such software can also tell if WEP is being used. If WEP is not enabled, the intruder need only configure its WNIC with the captured SSID to be associated with the AP and to communicate with the servers in the LAN. Related types of vulnerability include the following:

- SSIDs are broadcast in clear by the APs and the clients via beacon frames.
- It is easy to add a new client to the WLAN when WEP is not enabled.
- APs are configured by default to broadcast the SSID. It is possible to configure the SSID without broadcasting, but this would only slow down an intruder, who can send a probe request to the AP and get the SSID anyway.
- SSIDs are stored in clear in staff members' wireless laptops. If a laptop is stolen or accessed by a would-be intruder, it is easy to locate and read the SSID.
- Some companies retain the default SSID used by the manufacturer. A database of default SSIDs can be easily found on the Internet.
- SSIDs must be manually configured on all clients.
- The beacon frame can be read in clear: there is no possible encryption of signals.
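Because the SSID and the WEP flag travel in clear in every beacon, an administrator can audit the organisation's own APs for the bad practices listed earlier without any key. The following is an added example, not code from the white paper: the sample beacons are constructed (no FCS), and the default-SSID list and function names are illustrative assumptions.

```python
import struct

# Illustrative sample only; use the defaults documented by your own vendors.
VENDOR_DEFAULT_SSIDS = {b"default", b"linksys", b"tsunami"}
PRIVACY_BIT = 0x0010   # capability bit set when the BSS requires WEP
CONSTRUCTED_BSSID = bytes.fromhex("020000000001")  # locally administered, made up


def build_beacon(ssid: bytes, privacy: bool) -> bytes:
    """Construct a minimal beacon frame (sample input, not a capture)."""
    header = (
        struct.pack("<HH", 0x0080, 0)      # frame control: management/beacon, duration
        + b"\xff" * 6                      # destination: broadcast
        + CONSTRUCTED_BSSID                # source address
        + CONSTRUCTED_BSSID                # BSSID
        + struct.pack("<H", 0)             # sequence control
    )
    capability = 0x0001 | (PRIVACY_BIT if privacy else 0)   # ESS + optional WEP
    fixed = struct.pack("<QHH", 0, 100, capability)         # timestamp, interval, caps
    elements = bytes([0, len(ssid)]) + ssid                 # element 0: SSID
    elements += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])       # element 1: 1/2/5.5/11 Mbps
    return header + fixed + elements


def parse_beacon(frame: bytes) -> dict:
    """Extract the fields any listener can read from a beacon."""
    if len(frame) < 36:
        raise ValueError("too short for a beacon frame")
    frame_type = (frame[0] >> 2) & 0x3
    subtype = (frame[0] >> 4) & 0xF
    if frame_type != 0 or subtype != 8:
        raise ValueError("not a beacon management frame")
    interval, capability = struct.unpack_from("<HH", frame, 32)
    ssid = b""
    pos = 36                               # tagged elements follow the fixed fields
    while pos + 2 <= len(frame):
        element_id, length = frame[pos], frame[pos + 1]
        if pos + 2 + length > len(frame):
            break                          # truncated element: stop parsing
        if element_id == 0:
            ssid = frame[pos + 2:pos + 2 + length]
            break
        pos += 2 + length
    return {
        "bssid": frame[16:22].hex(":"),
        "ssid": ssid,
        "beacon_interval": interval,       # in time units, about 100 ms by default
        "wep": bool(capability & PRIVACY_BIT),
    }


def audit_beacon(frame: bytes) -> list:
    """Return the bad practices from the paper's list that a beacon reveals."""
    info = parse_beacon(frame)
    findings = []
    if any(info["ssid"]):                  # empty or zero-filled SSID means not broadcast
        findings.append("SSID broadcast in clear")
    if info["ssid"].lower() in VENDOR_DEFAULT_SSIDS:
        findings.append("vendor default SSID kept")
    if not info["wep"]:
        findings.append("WEP disabled")
    return findings


if __name__ == "__main__":
    for sample in (build_beacon(b"linksys", False), build_beacon(b"", True)):
        print(parse_beacon(sample), audit_beacon(sample))
```

An empty result only means the beacon itself shows none of these three settings; as the text notes, a non-broadcast SSID is still disclosed in probe responses.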

3.1. SIGNAL INTERFERENCE


Multiple methods of interference could break up the radio signals and render the WLAN traffic null:

- a microwave transmitter broadcasting a (bad) signal on the same frequency as the WLAN
- a Bluetooth device located a few metres from an AP
- certain cordless phones operating in the 2.4GHz band
- a jammer targeting channels 5, 6 and 7 (which can cause the maximum of interference)

The 2.4GHz band is widely used and considered shared, unlike the 5GHz band.

3.2. WLANS ARE EASY TO IDENTIFY


Anyone with a wireless-equipped laptop can walk or drive through a town and wait to receive an 802.11 radio signal. When a signal is received, it means a WLAN is accessible and potentially vulnerable. Since the radio environment has no physical frontiers, the radio signal can go far beyond the walls of the office, particularly if the antenna is not well positioned or the radio power too strong.

3.4. WIRELESS MAC ADDRESSES ARE EASY TO FORGE

Figure 3.1: Outside radio propagation

Wireless MAC addresses can be changed at will and duplicated by any client. Wireless cards permit the changing of the WMAC address via easily available software. Moreover, WMAC addresses are easily sniffed out because they appear in clear in all 802.11 frames, even when WEP is enabled. As a result, a would-be intruder can easily determine the WMAC addresses used in the WLAN by eavesdropping, then change its internal WNIC MAC address to a valid address that is not filtered by the AP. WMAC address filtering requires the company to obtain the hardware addresses of all clients and to maintain this list on all its APs. But in a wide distribution of wireless laptops, it is difficult for a company to enter all clients' MAC addresses in all APs. Consequently this feature is limited to small WLANs.

3.5. LACK OF AUTHENTICATION FOR MANAGEMENT AND CONTROL FRAMES


No authentication is needed to send or receive management and control frames, nor is their content encrypted. As a result, information leakage is possible. Unencrypted WLAN sessions are subject to eavesdropping and hijacking, regardless of how the session is authenticated. The very objective of management frames (beacon, probe request/response, association request/response, reassociation request/response, disassociation, deauthentication), which is to control link characteristics and physical medium properties, increases the likelihood of an outsider getting control of APs or clients and carrying out such malicious actions as eavesdropping, spoofing, denial of service, flooding or client enumeration. Note that IEEE 802.1X pre-authentication enables authentication and key derivation prior to an exchange of management frames.

3.6. LACK OF MUTUAL AUTHENTICATION


Some implementations that predate the standards do not support mutual authentication. In such cases, there is no way for a client to know whether an AP can be trusted (or vice versa). Note that some methods using the extensible authentication protocol (EAP) allow for mutual authentication.

3.7. VULNERABILITIES WITH WEP


WEP was originally designed to combine access control, link privacy and message integrity for WLANs. Unfortunately, the result is much less secure than intended and many flaws have been exposed. WEP-RC4 weaknesses can be classified into two major categories: key size and weak initialisation vectors (IVs). In August 2001, Scott Fluhrer, Itsik Mantin and Adi Shamir demonstrated the weakness of the RC4-WEP cypher via a passive attack exploiting a defect in the key scheduling algorithm of RC4 to obtain the key stream (or network key). The WEP implementations use RC4 IV improperly in the following ways:

- Some PC cards reset IVs after each initialization, in which case the IV goes up by one.
- The space taken by the IV is too small for WLAN use (possible number combinations range from 0000 to 2^24).

As a consequence there is a high chance that an IV, and therefore the key stream, can be reused. This situation can lead to basic cryptanalytic attacks against the cipher and the decryption of data. In such cases, anyone with a wireless laptop could gain access to a WLAN within a few hours or even at times within a few minutes. The theoretical calculation is this: a wireless client that sends 1500 bytes at 11Mbps (the effective data rate is 6Mbps) will use all the IV keys in (2^24 * 1500 * 8)/(6 * 10^6) = 35554 seconds, or about 9 hours. The time will be less if the packets are shorter than 1500 bytes. With the birthday paradox assumption, there is a 50% chance of the key being reused after 4823 packets, 99% after 12430 packets (10 and 25 seconds, respectively, at 11Mbps). In practice, a key is usually reused in less than an hour (clients are not always sending data so the malicious user has to wait longer).

Another possibility is that an eavesdropper captures two cyphered 802.11 data frames encrypted with the same key stream, from which it is possible to obtain the XOR of the two plain texts. The calculation is:

C1 = P1 XOR RC4(shared key, IV)
C2 = P2 XOR RC4(shared key, IV)
C1 XOR C2 = P1 XOR P2

If the first plain text, P1, is known or predictable, P2 is too. When an intruder knows the data before it is sent (P), and captures the encrypted data (C), it is easy to XOR the two data sets to produce the key stream:

RC4(shared key, IV) = P XOR C

Other WEP vulnerabilities:

- Sometimes WEP keys are stored in clear in the AP, the NIC RAM, the Windows registry or a file.
- WEP keys must be manually entered for all clients, a difficult management task. The tendency, especially on larger networks, is to change keys as seldom as possible and avoid processing other key operations, such as revocation, distribution and rotation. Best practice, however, is to change keys regularly as an extra measure of security.
- WEP lacks support for per-packet integrity protection.
Because WEP has so many imperfections, many companies do not even turn it on! A shared secret key can be recovered with easily available utilities, thus exposing the network to unauthorised use. Though the current version of WEP is crackable, WEP should be used: it will thwart would-be hackers (passersby, script kiddies) to the point where they will look for easier targets.
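The WEP encapsulation of Figure 2.6 and the key stream reuse relations of section 3.7, as an added example that is not code from the white paper. The key, IVs and plain texts are constructed, the function names are assumptions, and the frame is simplified to IV plus cipher text as the paper describes it.

```python
import math
import struct
import zlib
from collections import Counter

IV_SPACE = 2 ** 24  # a 24-bit IV allows 2^24 distinct values


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4 PRNG: key scheduling over the seed, then `length` key stream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """CRC-32 integrity check value, little-endian as carried in the frame."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || ((plaintext || ICV) XOR RC4(IV || shared key))."""
    if len(iv) != 3 or len(shared_key) not in (5, 13):
        raise ValueError("WEP uses a 24-bit IV and a 40- or 104-bit shared key")
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + shared_key, len(body)))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Reverse of wep_encrypt; raises if the ICV does not match."""
    iv, ciphertext = frame[:3], frame[3:]
    body = xor(ciphertext, rc4_keystream(iv + shared_key, len(ciphertext)))
    if len(body) < 4 or icv(body[:-4]) != body[-4:]:
        raise ValueError("ICV mismatch")
    return body[:-4]


def iv_collision_probability(frames_sent: int) -> float:
    """Birthday approximation: chance of a repeated IV among random IVs."""
    return 1.0 - math.exp(-frames_sent * (frames_sent - 1) / (2 * IV_SPACE))


def reused_ivs(frames) -> list:
    """Defender check over a capture: IVs that protect more than one frame."""
    counts = Counter(frame[:3] for frame in frames)
    return sorted(iv for iv, n in counts.items() if n > 1)


def recover_without_key(known_p1: bytes, frame1: bytes, frame2: bytes) -> bytes:
    """Cost of IV reuse: frame2 is readable from a known P1, with no key."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("different IVs, so the key streams differ")
    keystream = xor(known_p1 + icv(known_p1), frame1[3:])  # RC4(key, IV) = P XOR C
    body2 = xor(frame2[3:], keystream)
    complete = len(body2) == len(frame2) - 3
    if complete and icv(body2[:-4]) == body2[-4:]:
        return body2[:-4]   # whole frame recovered and its ICV verifies
    return body2            # only the prefix covered by the known key stream


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")        # constructed 40-bit shared key
    iv = bytes.fromhex("00002a")             # constructed IV, used twice
    p1 = b"DHCP discover from client-17"     # constructed, known to an observer
    p2 = b"payroll batch 0042 approved"      # constructed, meant to stay private
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    f3 = wep_encrypt(key, bytes.fromhex("00002b"), p1)
    print("reused IVs:", [v.hex() for v in reused_ivs([f1, f2, f3])])
    print("recovered :", recover_without_key(p1, f1, f2))
    print("P(reuse) after 4823 frames:", round(iv_collision_probability(4823), 3))
```

Running `reused_ivs` over a capture of your own WLAN shows how quickly the condition in the relations above arises; the collision probabilities match the 4823 and 12430 packet figures quoted in the text.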


3.8. NO AUTOMATIC SECRET KEY MANAGEMENT


The shared keys are usually the same for all users and the APs. Best practice is for each user to have his own secret key, and have it changed regularly, but in the WLAN context this is difficult for a company. The administrators should follow a secured key management process:

- Create secret keys.
- Define their lifetime.
- Distribute them among wireless users (one key per person).
- Archive them.
- Monitor the activity of the owner of each key.
- Revoke any compromised key.

As there is no automatic key management process in WLAN, the problem grows in proportion with the number of users. It is difficult or impossible to store in each AP all activated secret keys.

new member. It is not possible for security officers to ensure that only authorised users are connected to an ad-hoc network. Any authorised user can transfer private corporate documents to unauthorised users without going through the corporate network. In addition, the authentication method used is based on weak security.

3.13. ROGUE WLANS


Rogue APs are those connected to a LAN without any permission from the network administrator. They are usually placed by employees looking for more freedom to move. Because WLAN is so convenient, some users in companies that lack wireless access may decide to install their own illicit APs. When, as is usual, the rogue AP is improperly secured, using default configurations, the entire corporate LAN is effectively opened to the public. Employees who set up rogue WLANs usually do so without understanding the overall security risks. Hence the importance of security awareness programmes for all employees. Rogue APs can also be installed by outsiders, would-be hackers/crackers seeking access to the internal network whenever it suits them.

3.9. ICV WEAKNESS


The integrity check value is useless for detecting alteration of frames.

3.10. AP WEAKNESSES
AP equipment is shipped with encryption disabled. Many characteristics of APs need to be taken into account, including:

- the way the IP stack is implemented (implicated in denial of service)
- the different sizes of state tables (in cases of flooding)
- various sanity checks on frames/packets (fringe frames/packets)
- the protocols supported (e.g. SNMP, telnet, HTTP, ICMP)
- undocumented back doors left for maintenance or management
- natural implementation vulnerabilities

4. WLAN HACKING TECHNIQUES


To get inside a LAN via its WLAN access is not a one-step procedure. The intruder will need several techniques to bypass all the security protection measures. The following sections show in more detail how the types of vulnerability described above can be exploited by an outsider in a WLAN environment. The attacks range from simple to very difficult, and some are impossible to detect. The better you know the attacks, the better you can defend your system against them.

3.11. ACCIDENTAL ASSOCIATIONS

In a more or less densely populated district, many WLANs can exist in the same geographic area. Accidental association may take place when an employee of one company associates his or her computer to another company's WLAN. This is more likely to happen when default AP installation has been carried out or when rogue, unsecured APs have been installed. Accidental association can even link two companies' networks together through an end-user station, bypassing all internal security and controls.

3.12. AD-HOC NETWORKS

In ad-hoc mode, each member of a network accepts a

4.1. SURVEILLANCE

The most basic method is surveillance. The objective is simply to locate evidence of wireless activity. No specific hardware is used; the potential attacker just observes the environment. Evidence of wireless network use includes antennas, APs and network cables on walls, ceilings, shelves, hallways, roofs or windows, etc., and nomad users with personal digital assistants (PDAs) or laptops activated. After carrying out such reconnaissance, the would-be intruder can identify a place in which to discreetly operate later with a laptop equipped for wireless attacks. Another surveillance method is to use a handheld computing device or PDA. As such devices have grown in popularity, more wireless network auditing and management applications have been developed for them. Someone looking to break into a network can do surveillance and sometimes more with these tiny but powerful computers, which are easy to hide.

4.2. PASSIVE LISTENING


Many passive attacks are based on eavesdropping. Sniffing tools are used to search for (sniff out) WLANs. This simple process can be carried out with any of several free tools that are downloadable from the Internet.

tioning system (GPS). War footing is the same method used while walking through streets. The hacker needs to be equipped with a wireless-enabled laptop or notebook. A variation is the parking lot attack, where the hacker sits in an organisation's parking lot and accesses hosts in the internal network. War chalking is a related technique: not an active attack but rather the marking of a special symbol on a sidewalk, building, etc., indicating the proximity of a WLAN.

4.2.1. Traffic analysis


It is very easy to listen to radio signals, and in WLAN 802.11, frames are easy to capture. The analysis is straightforward with tools available from the Internet. The information thus gained can help a hacker/cracker understand what the WLAN is for and how it is used and configured.

4.2.5. Unauthorised repeaters


Hackers can take advantage of natural radio repeaters (see section 3.2), or objects added to serve as repeaters, with the intention of extending the WLAN radio signal to a location where they can operate without being disturbed. With the same objective, an intruder can install a rogue WLAN on a company network to enable reception of LAN data from outside the building. The result is a wide-open entry point to the network. A rogue WLAN effectively extends an Ethernet connection to anyone inside or outside the building.

4.2.2. Getting SSIDs


Getting an SSID is easy, since under 802.11 a client can always receive an SSID. The only security measure that can be taken with an AP is not to broadcast the SSID regularly (by default, beacon frames are broadcast every 100 milliseconds). Even then, as noted earlier, a client can send a probe request to an AP and the response will be a beacon frame containing the SSID. Another technique is to use brute force to find the SSID with an SSID dictionary attack i.e. sending the AP many SSIDs until one turns out to be correct (in 802.11 FHSS, for example). It is also possible to get an SSID by force by sending a deauthenticate frame to the broadcast address, then listening and reading the SSID contained in the ensuing client probe request or AP probe response.

4.3. AP COUNTERFEITING
When a wireless client moves from one location to another, the WNIC keeps the connection with the AP that sends the highest signal. In some situations a counterfeit AP can attract a wireless client and download some of its wireless configuration. With open source software commonly available from the Internet, a hacker can transform a laptop into a fake AP, known as a soft AP. The laptop can then impersonate an authorised AP. Clients who mistake the soft AP for an authorised one may try to connect to it; and, as the fake AP is technically sophisticated, the client can be taken over.

4.2.3. WEP cracking


Tools available on the Internet can carry out WEP cracking in a few minutes when the key stream is only 64 bits long (40-bit shared key and 24-bit IV). Once the shared key is revealed the hacker can configure his or her NIC as needed. Another method, used in cryptanalysis techniques, is to trick the victim into sending an e-mail (or any known plain text), whereupon the AP creates the encrypted plain text.

4.4. MAN IN THE MIDDLE ATTACK


The concept of the man in the middle attack is not new to WLAN. In a wireless environment, the idea is to insert data within the communications between a victim and an AP. To do so, the attacker can either insert an attack machine between the victim and an AP in such a way that the communications go through it, or insert data frames into the data frame flow between the victim and an AP. To insert an attack machine, the attacker must first deauthenticate the victim by sending him or her deauthenticated frames using the APs MAC address as the
May 2003

4.2.4. War driving and war footing


In a war driving attack, the would-be intruder searches for WLANs while driving a car, in an effort to detect and map unsecured WLAN systems. This is possible in cities and towns around the world. This technique, popular since 2001, can be complemented with a global posi-

WIRELESS LAN SECURITY

source. The victims 802.11 card will then scan channels to search for new APs, and will associate with the AP simulated by the attack machine as a soft AP. Next the attackers machine associates with the real AP, and can now act as an invisible bridge.
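The deauthenticate-then-reassociate sequence described in 4.2.2 and 4.4 leaves a pattern a wireless sensor can look for. The following is an added example, not part of the white paper: it flags bursts of deauthentication frames that claim an AP's MAC address as source, and raises a second alert when the targeted client then associates to a different BSSID advertising the same SSID. The event format, thresholds and MAC addresses are assumptions constructed for the illustration.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
WINDOW_S = 10        # assumption: sliding window length in seconds
BURST_THRESHOLD = 5  # assumption: deauth frames per window that count as a burst
FOLLOW_UP_S = 30     # assumption: how long after a burst a BSSID change is suspicious


def detect(events):
    """Scan time-ordered sensor events and return (time, alert, detail) tuples.

    'deauth' events carry src (claimed transmitter, i.e. the BSSID) and dst
    (a client MAC or the broadcast address); 'assoc' events carry client,
    bssid and ssid. This event format is hypothetical.
    """
    alerts = []
    recent = defaultdict(deque)  # claimed source -> deauth timestamps in window
    burst = {}                   # claimed source -> (time of last burst frame, targets)
    last_assoc = {}              # client -> (bssid, ssid) of its last association

    for ev in events:
        t = ev["t"]
        if ev["type"] == "deauth":
            src = ev["src"]
            q = recent[src]
            q.append(t)
            while t - q[0] > WINDOW_S:
                q.popleft()
            if len(q) >= BURST_THRESHOLD:
                # Alert once per burst, then keep recording who is targeted.
                if src not in burst or t - burst[src][0] > WINDOW_S:
                    alerts.append((t, "deauth-burst", src))
                    burst[src] = (t, set())
                targets = burst[src][1]
                targets.add(ev["dst"])
                burst[src] = (t, targets)
        elif ev["type"] == "assoc":
            client, bssid, ssid = ev["client"], ev["bssid"], ev["ssid"]
            prev = last_assoc.get(client)
            last_assoc[client] = (bssid, ssid)
            if prev is None or prev[0] == bssid or prev[1] != ssid:
                continue
            # Same SSID, new BSSID: ordinary roaming unless it follows a
            # deauth burst that claimed the previous AP as its source.
            hit = burst.get(prev[0])
            if (hit and t - hit[0] <= FOLLOW_UP_S
                    and (client in hit[1] or BROADCAST in hit[1])):
                alerts.append((t, "possible-mitm", f"{client}: {prev[0]} -> {bssid}"))
    return alerts


# Constructed sample data (locally administered MAC addresses).
AP1, AP2 = "02:00:00:00:aa:01", "02:00:00:00:aa:02"
SOFT_AP = "02:00:00:00:ee:99"
VICTIM, ROAMER = "02:00:00:00:00:10", "02:00:00:00:00:20"

SAMPLE_EVENTS = (
    [
        {"t": 0, "type": "assoc", "client": VICTIM, "bssid": AP1, "ssid": "corp"},
        {"t": 1, "type": "assoc", "client": ROAMER, "bssid": AP1, "ssid": "corp"},
        {"t": 20, "type": "deauth", "src": AP1, "dst": ROAMER},  # single frame
        {"t": 50, "type": "assoc", "client": ROAMER, "bssid": AP2, "ssid": "corp"},
    ]
    + [{"t": 100 + i, "type": "deauth", "src": AP1, "dst": VICTIM} for i in range(6)]
    + [{"t": 108, "type": "assoc", "client": VICTIM, "bssid": SOFT_AP, "ssid": "corp"}]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The roaming client changes BSSID without a preceding burst and is not flagged, which is the distinction the correlation step is there to make.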

4.5. DENIAL OF SERVICE

Denial of service (DoS) attacks prevent the proper use of functions or services. They come in a seemingly unlimited number of varieties. Some of the key types are discussed here.

4.5.1. Jamming the airwaves

Jamming or flooding the airwaves between 2.4GHz and 2.5GHz causes WLAN signals to collide and forces stations to keep disconnecting from the APs. The result is that neither clients nor APs can receive an uncorrupted signal, causing them to hold their transmission until the corrupted signal has stopped or causing them to resend the frames over and over.

4.5.2. Management frames DoS

The lack of authentication of management frames makes many types of DoS possible. For instance, the attacker can simulate the AP by using its MAC address, then send deauthentication frames either to a broadcast address or to a specific client. If the phenomenon is periodic the client will be unable to reassociate with the AP. Another possibility is to send the AP multiple authentication frames with different source MAC addresses. The AP will allocate memory to store the new connections, and at a certain point it will have to deny access to new clients. Such attacks shut down the wireless network in a way similar to that of DoS attacks on wired networks.

4.5.3. Physical access

APs are usually located in places where people are. Physically manipulating an AP - cutting the power, destroying the antenna, etc. - can slow traffic or make the AP unavailable to users.

4.6. LAN ATTACKS

Since APs are connected to a wired network, they have TCP/IP services (such as HTTP and telnet) and management protocols (such as ICMP and SNMP) activated for configuration and management purposes. The security problem arises when weak user authentication is needed to get access to the configuration panel (a feature that can be forgotten in the implementation). From the internal network (the LAN), it is possible to connect to the APs' services if the network segmentation is insufficient. All types of attack are then possible: DoS against the IP stack or clients, reconfiguration (including adding or deleting AP services), etc.

4.7. MAC ADDRESS SPOOFING

Each element connected to a LAN has a MAC address, which is a unique identifier based on what the hardware manufacturer uses. For this reason MAC addresses are used as a layer 2 (communications layer) network identification factor in the access control procedure. MAC address spoofing is a type of attack involving alteration of the manufacturer-assigned MAC address. This is possible on nearly all wireless NICs, given the use of vendor-supplied drivers, open-source drivers and various application programming frameworks. There can be many objectives in such an attack, but two key ones are:
- Obfuscating network presence: the attacker wants to hide his/her connexion on the WLAN by changing the MAC address regularly. For each different attack a new MAC address can be configured. This technique can be used, for example, to evade network intrusion detection systems (NIDS) in a DoS attack.
- Bypassing access control lists (ACLs) activated in APs: the attacker can passively monitor the network and identify MAC addresses that are authorised to communicate over the WLAN. Then he can change his MAC address to one that bypasses the AP security.

4.8. CLIENT TO CLIENT ATTACK

A laptop, with a wireless NIC activated and running in peer mode, sends out probe request frames in an attempt to connect to another client with the same SSID. Then the attacker can exploit any type of operating system vulnerability, thus gaining administration privilege on the victim laptop. If the victim is connected to the LAN, the attacker can further take control of internal LAN resources.

4.9. EAP ATTACKS

Partly because of the heavy competition among vendors, but particularly because of market objectives, some pre-standard EAP implementations have weaknesses that can be exploited in certain types of attacks. Several kinds of DoS attacks exploit the absence of EAP frame authentication, including:
- Sending spoofed EAPOL logoff frames: this attack, using a client-authenticated MAC address, will log the client off the AP. Since EAPOL logoff frames are not authenticated, the sender can impersonate any authorised connected user.
- Flooding with EAPOL start frames: APs whose resources are excessively or entirely allocated to EAPOL start frames will no longer accept new requests from clients.
- Sending spoofed EAP failure packets: these could be interpreted by the receiver as implying DoS.
- Sending premature EAP success packets: some weak implementations allow the WLAN interface to be brought up before the mutual authentication is finished. An attacker could thus send premature EAP success packets, leading to DoS.

Depending on the EAP method used, user identification can be read via network sniffing and the password recovered through a dictionary or brute force attack. Stronger EAP methods, such as EAP TLS, SRP, TTLS and PEAP, should be used. The EAP identifier can be anywhere from 0 to 255. The identifier must be unique for the AP in order to associate clients. In some implementations, if the EAP identifier space is entirely allocated due to flooding, the AP can no longer accept new requests from clients. An insufficient integrity check in EAP packet reception can cause the receiver to malfunction and lead to DoS.

4.10. AIRBORNE VIRUSES

As 802.11 is a new communication layer, viral software infection will also use this media to spread. Within a LAN, multiple types of anti-virus software are installed in the servers, minimizing the need for installation in each end-user device. With an ad-hoc network, however, people from outside the company can join the IBSS and send a virus. At the next connexion with the LAN or WLAN, the victim may contaminate the LAN. All wireless devices (laptop, PDA, etc.) should have up-to-date antivirus software installed.

5. WLAN SECURITY SOLUTIONS

In the area of security, solutions are best practices that help minimise risks. Though they do not get rid of all risks, they make it necessary for a would-be intruder to increase the attack level.

5.1. ANTENNA RADIATION ZONE

An antenna is an extension of a radio transmitter or receiver. As a signal is generated, it is passed from the radio to the antenna to be sent out over the air and received by another antenna, then passed to another radio. This signal is measured in hertz (Hz). Three key concepts about antenna technology are:
- Direction: the signal can be omnidirectional (360-degree) or directional (limited angle direction).
- Gain (measured in dBi or dBd): when antenna gain rises, the beam width falls.
- Polarisation, or the physical orientation of the elements on the antenna.

Changing the direction of the radio signal, as well as the AP power, can improve control of the radio broadcast perimeter. The signal range can be controlled by changing the shape of the physical antenna to alter the shape of the signal. Antennas can also be more directional to avoid signal leaks. Some AP vendors offer an option of completely turning off the signal on either the right or left antenna, which is a convenient way to restrict unneeded signals and control the range of the WLAN. The maximum power of APs varies by country, depending on local regulations. The site geography influences the type of antennas used (Figure 5.1).

Figure 5.1: Antenna shape and power

The nature of radio waves makes it easier to produce directive antennas at 5GHz than at 2.4GHz. The higher the frequency, the more controlled the radiation zone. Note that a hacker can narrow the detection window and pick up signals from farther away than estimated.

5.2. NETWORK SEGMENTATION

To secure a network it is important to define zones outside of which no element can communicate with elements inside the zone without prior authorisation. This not only helps keep non-authorised resources from communicating with secured resources, but can also help in detecting non-authorised activity.

5.2.1. WLAN Demilitarised Zone (DMZ)

Because the WLAN's geographic perimeter is often a public place, where both authorised and non-authorised users are located, the WLAN should be considered from the intranet to be as unsecured as the Internet. Thus it needs to be segmented, and protected as a demilitarised zone. The DMZ should be protected by a firewall or a network access control gateway (router). All the APs are connected to a wired network, so a network intrusion detection system (NIDS) should be installed to detect attacks based on TCP/IP (Internet protocol). A wireless IDS (WIDS) can be added to detect attacks based on the 802.11 protocol. In another segment, depending on how users are authenticated, authentication and accounting servers can be installed. The accounting server can be used for billable services, for instance in hot spots.

Figure 5.2: WLAN DMZ

5.2.2. WLAN honeynet

A WLAN honeynet is a WLAN based on APs connected together on the same LAN. As no activity should arrive in the wired part of the honeynet, any activity is considered an alert and automatically detected by the NIDS. The incident response team can then analyse the activity and locate the cause.

Figure 5.3: WLAN honeynet

5.2.3. Wireless client protection

Wireless clients should have personal firewalls and antivirus software installed to directly protect them against external attacks. If they use a virtual private network (VPN) over the WLAN, additional hardware may be added (such as a WNIC including both specific VPN hardware and an IP stack different from the operating system).

5.3. NETWORK ACCESS CONTROL

MAC address filtering, SSIDs and WEP are basic authentication methods used to control access to a WLAN. New access control solutions have been emerging to deal with major security weaknesses.

5.3.1. Port based network authentication

The port based authentication protocol was approved in June 2001 as an IEEE 802.1X standard. It was originally designed for all IEEE 802 networks (layer 2 authentication), but was extended to 802.11 WLAN. It enables authentication and key management for IEEE 802 LANs, including Ethernet, token ring and fibre distributed data interface. One job of IEEE 802.11 Task Group I is to define how 802.1X and 802.11 machines are to communicate. The objective of this standard in WLAN is to derive authentication and encryption keys for use with any cypher and to manage the keys.

IEEE 802.1X is based on EAP as the authentication framework. Authentication methods include one-time passwords, smart cards, tokens and certificate-based authentication. RADIUS servers that support EAP are often used as authentication servers, since open standards for authentication, authorisation and accounting (including RADIUS and LDAP) combine well with IEEE 802.1X. EAP messages are encapsulated in 802.1X messages and are referred to as EAP Over LAN (EAPOL).

802.1X defines three roles in the authentication process:
- supplicant: a wireless device that, when authenticated, can send IP data to the LAN
- authenticator: an AP that keeps a port status for each supplicant it is controlling
- authentication server: often a RADIUS based server, though this is not specifically required

Figure 5.4: IEEE 802.1XEAP

EAP is standardised for use within point-to-point protocol (RFC 2284), wired IEEE 802 networks (IEEE 802.1X) and virtual private networks (L2TP/IPsec and PIC). It offers a method allowing wireless work stations to create an encryption key for the authentication service. EAP acts as an authentication framework for several authentication types, including user name/password, smart cards, Kerberos, public key, one time password and biometrics. It allows many authentication methods to be implemented, such as:
- EAP MS-CHAP
- EAP TTLS (Tunnelled TLS)
- EAP GSS
- EAP SRP
- EAP TLS (RFC 2716)
- EAP MD5
- Protected EAP (PEAP)
- Lightweight EAP (Cisco LEAP)
- EAP SIM (use of SIM card)

EAP consists of several request/response pairs. A request to a client, sent by the network, starts with an EAP identity request sent by an AP and ends with an EAP success or EAP failure message, also sent by the AP.

Figure 5.5: 802.1X/EAP authentication process

Advantages of 802.1X/EAP authentication are that it:
- provides user authentication/accounting
- provides encryption
- protects the infrastructure
- results in light network traffic, as there is no per-packet overhead, only periodic authentication transactions
- allows secured application level protocols, such as VPN, SSL and SSH, to be used

Disadvantages of 802.1X/EAP authentication include the following:
- It is an evolving standard.
- It requires specific client software.
- At the moment, proprietary network equipment is required.
- Investment in new authentication infrastructure is necessary.
- EAP was designed for PPP, and was never meant to take wireless threat models into account.
- It is limited to one-way authentication: supplicants and authenticators should not send data traffic until mutual authentication is complete.
- It does not offer authentication of management frames.
- Traffic can be intercepted.
- Various types of attack, including hijacking and man in the middle, are possible.
- Authentication after association presents roaming problems because of the time needed, during which data transmission can be disrupted.
- If the RADIUS server fails, the WLAN becomes unavailable.

5.3.2. Remote Access Dial In User Service (RADIUS)

RADIUS is a common authentication, authorisation and accounting protocol; that is, for authenticating remote connections made to a system, providing authorisation for use of network resources, and logging for accountability purposes. It can be used in VPNs and WLANs, as it can control all aspects of a user connection. Its success is due to its simplicity: it is efficient and easy to implement. RADIUS is based on the user datagram protocol (UDP). No retransmission is possible, so accounting (RFC 2866) is unreliable, particularly when roaming from one AP to another, where substantial packet loss can take place. RADIUS authentication (RFC 2865) and authorisation are reliable. In terms of security, RFC 2869 (RADIUS/EAP) requires all messages involved in an EAP conversation to include authentication and integrity protection via the message-authenticator attribute. To increase the level of security it is possible to abandon RADIUS application-layer security and run RADIUS over IPsec (RFC 3162).

5.3.3. Virtual Private Network (VPN)

A VPN extends the secured internal network out to remote users. As the communication layer is not trustable in the basic implementation of 802.11, VPN provides user authentication, network access control and encryption by creating a secure virtual "tunnel" from the end-user's computer through the WLAN, through the AP, all the way to the company VPN gateway. After the VPN gateway, the data (IP protocol packets) are decrypted and continue in clear to the internal servers and systems. The main disadvantage is that VPN architecture requires specific software installed on all clients, dedicated VPN gateway hardware at high traffic rates (because it funnels all traffic through the gateway) and an authentication server. In addition VPNs are not suitable when roaming: the connection is lost because the IP client address changes. Besides VPN, other types of solutions - e.g. the protocol SSL (Secure Socket Layer) or the application SSH (Secure Shell) - encrypt data and can protect the data communication layer against eavesdropping.

5.3.4. Temporal Key Integrity Protocol (TKIP)

The discovery of the WEP-RC4 key recovery vulnerability resulted in a major effort to develop a method to change the WEP key more frequently so that an attacker has less chance of collecting enough data to work it out. TKIP is the current solution to this problem. This protocol is still RC4-based because it needs to be backwards compatible. But its strength is to force a new key stream to be generated frequently: the IV changes every 10,000 packets or 10 Kb, depending on the source. In the current WEP version, the IV is sent in clear in the 802.11 frame; with TKIP, the IV value is hashed before being sent. In addition, TKIP is based on a stronger method to verify the integrity of the data: the particular message integrity check (MIC) called Michael.

5.3.5. CCMP-AES

In the future 802.11i standard, WEP-RC4 is to be replaced by a security algorithm called the advanced encryption standard (AES), which is intended as the encryption method for all wireless traffic. AES uses a robust algorithm known as Rijndael. The keys can be 128-bit, 192-bit or 256-bit, depending on the security need. AES will be used in counter cypher-block chaining mode (CCM). TKIP and the CCM protocol use the same key management, and their implementation requires an authentication server for dynamic key change.

Figure 5.6: WEP, TKIP and CCMP key characteristics

5.3.6. Wireless PKI

Public key infrastructure (PKI) provides the framework that allows a company to deploy security services based on encryption. With PKI, administrators can create the identities (and the associated trust) that the company needs for identification and authentication processes, and can manage the public/private key-based encryption. PKI is a system of digital certificates, certification authorities and registration authorities. WLANs may evolve to integrate PKI types of access gateways that allow selective access requiring special credentials. This type of access depends on granting a digital certificate to a user when he or she requests network access. Such a certificate will allow the user to access certain network resources. Wireless PKI access control can be supported by EAP.

5.4. WLAN ANOMALY DETECTION AND INTRUSION PREVENTION

Any solution aimed at detecting rogue WLANs must be able to detect APs in the vicinity of the company (to prevent accidental association) as well as all APs of the company network. Moreover, the solution must assure detection of soft APs as well as any ad-hoc network between authorised hosts of the company network. Anomaly detection and intrusion prevention in WLAN is much like that in LAN but must take into account additional challenges, such as locating traffic capture stations (to capture 802.11 traffic, the sensor must be in the geographic area of the WLAN being monitored) and identifying anomalous traffic (analysing 802.11 frames).

5.4.1. Wireless scanners and sniffers

Wireless scanners and wireless sniffers allow monitors to capture and analyse WLAN packets from the air. They also provide information on WLAN configuration as well as the type of security. It takes administrators with a high degree of skill in the 802.11 standard to analyse captured data correctly in terms of threats and risks for the company network. An administrator auditing network security has to walk outside the company buildings with a laptop equipped with a scanner or sniffer. For this reason, such applications are limited, since the geographic area defined by the AP radio broadcast signal may not be completely covered. In addition, some commercial products for this solution are expensive. Consequently, even though scanner and sniffer applications can identify WLAN vulnerabilities, they are not considered very effective. Furthermore, new threats and rogue APs can crop up in between audits, so that the company network is once again open to attack. This poses risks unacceptable for large companies, though smaller ones may be willing to accept the risk to a certain degree and so use scanner and sniffer applications, assuming they have access to experts who can understand the results of the audits.

In a large network, audits based on wireless scanners and sniffers are neither scalable nor repeatable, so daily security monitoring cannot be based on these techniques. They can be used for network or security troubleshooting, intrusion forensics and occasional security audits, however, as long as it is borne in mind that they may not be exhaustive and that such audits are time consuming if the physical area is large.

5.4.2. WLAN monitoring

Wireless intrusion detection consists of finding any unauthorised wireless clients or rogue APs. To a certain degree, it means identifying/locating intruders and recognising the type of attack taking place (e.g. DoS, man in the middle). Rogue APs and ad-hoc networks can appear anywhere on the overall network. Isolated WLAN sniffers may not be very efficient in detecting real time intrusions or anomalies on the corporate network. Hence, a complete WLAN monitoring solution should include:
- a centralised server managing WLAN sniffers
- a radio frequency survey of WLAN sniffers
- remote sensors (24-7 monitoring sniffers with a coverage area of about 300 metres around the premises)
- a secure connection between the sensors and the central server

The solution should constantly monitor all activity on the WLAN, report any anomaly or possibly malicious activity (with customised alarms signalling the type/degree of intrusion or damage severity) and be integrated with the corporate network administration utility. After business hours, all the APs can be turned off (by software); any ensuing wireless activity (especially from rogue APs) is suspicious and easy to locate.
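The detection requirements set out in sections 5.4 and 5.4.2 (neighbouring APs, rogue and soft APs, ad-hoc networks, after-hours activity) can be expressed as rules that a central monitoring server applies to what its sensors report. The following is an added example, not part of the white paper; the observation format, the inventory, the business hours and all MAC addresses are assumptions constructed for the illustration. The ESS and IBSS bits are those of the 802.11 Capability Information field.

```python
CAP_ESS, CAP_IBSS = 0x0001, 0x0002  # 802.11 Capability Information bits

# Constructed inventory of the company's own APs: BSSID -> (SSID, channel).
AUTHORISED_APS = {
    "02:00:00:00:aa:01": ("corp", 1),
    "02:00:00:00:aa:02": ("corp", 6),
}
CORPORATE_SSIDS = {"corp"}
BUSINESS_HOURS = range(7, 20)  # assumption: APs are switched off outside 07:00-19:59


def classify(obs):
    """Return the set of finding codes for one beacon observation.

    obs is a dict with bssid, ssid, channel, capability (int) and hour (0-23),
    as a hypothetical sensor would report it.
    """
    findings = set()
    known = AUTHORISED_APS.get(obs["bssid"].lower())
    if obs["capability"] & CAP_IBSS:
        findings.add("ADHOC")              # ad-hoc network (IBSS beacon)
    elif known is None:
        if obs["ssid"] in CORPORATE_SSIDS:
            findings.add("ROGUE_CORP_SSID")  # unlisted AP using a company SSID
        else:
            findings.add("NEIGHBOUR_AP")     # accidental-association risk
    elif (obs["ssid"], obs["channel"]) != known:
        findings.add("MISMATCH")           # listed BSSID, unexpected SSID/channel
    if obs["hour"] not in BUSINESS_HOURS:
        findings.add("AFTER_HOURS")        # any activity while APs should be off
    return findings


def survey(observations):
    """Merge findings from all sensors into one report keyed by BSSID."""
    report = {}
    for obs in observations:
        found = classify(obs)
        if found:
            report.setdefault(obs["bssid"].lower(), set()).update(found)
    return {bssid: sorted(found) for bssid, found in report.items()}


# Constructed observations, as collected by remote sensors.
SAMPLE_OBSERVATIONS = [
    {"bssid": "02:00:00:00:AA:01", "ssid": "corp", "channel": 1,
     "capability": CAP_ESS, "hour": 10},
    {"bssid": "02:00:00:00:ee:99", "ssid": "corp", "channel": 1,
     "capability": CAP_ESS, "hour": 10},
    {"bssid": "02:00:00:00:bb:07", "ssid": "neighbour-net", "channel": 11,
     "capability": CAP_ESS, "hour": 11},
    {"bssid": "02:00:00:00:cc:03", "ssid": "share", "channel": 6,
     "capability": CAP_IBSS, "hour": 14},
    {"bssid": "02:00:00:00:aa:02", "ssid": "corp", "channel": 11,
     "capability": CAP_ESS, "hour": 15},
    {"bssid": "02:00:00:00:aa:01", "ssid": "corp", "channel": 1,
     "capability": CAP_ESS, "hour": 23},
]

if __name__ == "__main__":
    for bssid, found in survey(SAMPLE_OBSERVATIONS).items():
        print(bssid, found)
```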

5.4.3. Physical security

Physical monitoring, such as video cameras around the buildings, and physical security measures (e.g. guards and barriers) should also be put in place. The physical access to locations where APs are installed should be restricted so as to guard against physical damage or physical plug-in to local connexions. Only a limited number of authorised personnel should have access to the APs.

5.4.4. Detecting anomalous MAC addresses

One way to detect anomalous MAC addresses is to use the IEEE's list of official prefix allocations. There are more than 6,000 of these, and they are unique IDs. If a source MAC address on the network does not match any of the ones allocated by IEEE, this may indicate an anomalous MAC address and perhaps malicious activity. If the company has bought WLAN NIC cards from a single hardware manufacturer, it should be easy to detect any other type.

5.4.5. Geographic localisation and tracking

WLAN intrusion detection should not stop with detection of rogue APs and unauthorised clients, but should continue with localisation and tracking of the attacker. A typical method for pinpointing a radio signal source is to locate the intruder's transmitter using directional techniques. The principle is to scan an area looking for the strongest signal, repeat the process farther away, and again, then triangulate to determine the position of the transmitter. It is necessary to take into consideration geography, atmosphere, reflections, temperatures, etc., as these bias the localisation estimation. Another method is based on the relative signal strength at various positions in the vicinity, plus the free-space propagation losses and the power of the intruder's transmitter, if known. Due to the information required, this method is used much less than triangulation. Even if bias exists, bear in mind that, owing to the characteristics of the 802.11 standard, the transmitter will generally be within 300 metres of the target buildings.
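The second method above (signal strength at several positions, free-space propagation loss and a known transmitter power) can be worked through numerically. The following is an added example, not part of the white paper: it converts each sensor's received signal strength into a range with the free-space path loss formula and solves for the position by least squares, then repeats the calculation with one reading weakened by 6 dB to show how an obstruction biases the estimate. Sensor positions, transmitter power, frequency and readings are assumptions constructed for the illustration.

```python
import math


def fspl_db(distance_m, freq_mhz):
    """Free-space path loss in dB (distance in metres, frequency in MHz)."""
    return 20 * math.log10(distance_m / 1000.0) + 20 * math.log10(freq_mhz) + 32.44


def distance_from_rssi(rssi_dbm, eirp_dbm, freq_mhz):
    """Invert the free-space formula: range in metres for a received level."""
    loss = eirp_dbm - rssi_dbm
    return 1000.0 * 10 ** ((loss - 32.44 - 20 * math.log10(freq_mhz)) / 20)


def locate(sensors, distances):
    """Least-squares (x, y) from three or more sensor positions and ranges.

    Each circle equation is subtracted from the first one, which leaves a
    linear system in x and y that is solved through its normal equations.
    """
    (x0, y0), d0 = sensors[0], distances[0]
    sxx = sxy = syy = bx = by = 0.0
    for (xi, yi), di in zip(sensors[1:], distances[1:]):
        a, b = 2 * (xi - x0), 2 * (yi - y0)
        c = d0 ** 2 - di ** 2 + xi ** 2 + yi ** 2 - x0 ** 2 - y0 ** 2
        sxx += a * a
        sxy += a * b
        syy += b * b
        bx += a * c
        by += b * c
    det = sxx * syy - sxy * sxy
    if abs(det) < 1e-9:
        raise ValueError("sensor positions are collinear")
    return ((syy * bx - sxy * by) / det, (sxx * by - sxy * bx) / det)


# Constructed scenario: four sensors at the corners of a 100 m square,
# a transmitter at (30, 40) on channel 6 with an assumed EIRP of 15 dBm.
SENSORS = [(0.0, 0.0), (100.0, 0.0), (0.0, 100.0), (100.0, 100.0)]
TRUE_POSITION = (30.0, 40.0)
FREQ_MHZ = 2437.0
EIRP_DBM = 15.0


def position_error(readings_dbm):
    """Distance in metres between the estimate and the true position."""
    ranges = [distance_from_rssi(r, EIRP_DBM, FREQ_MHZ) for r in readings_dbm]
    x, y = locate(SENSORS, ranges)
    return math.hypot(x - TRUE_POSITION[0], y - TRUE_POSITION[1])


def demo():
    """Return (error with ideal readings, error with one obstructed sensor)."""
    ideal = [
        EIRP_DBM - fspl_db(math.hypot(sx - TRUE_POSITION[0], sy - TRUE_POSITION[1]),
                           FREQ_MHZ)
        for sx, sy in SENSORS
    ]
    obstructed = [ideal[0] - 6.0] + ideal[1:]  # 6 dB extra loss at the first sensor
    return position_error(ideal), position_error(obstructed)


if __name__ == "__main__":
    clean, biased = demo()
    print(f"ideal readings: {clean:.3f} m off, obstructed sensor: {biased:.1f} m off")
```

A 6 dB error at a single sensor moves the estimate by tens of metres in this layout, which is why the paper's warning about geography and reflections matters for this method.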

5.5. WLAN SECURITY CONTROL MANAGEMENT

5.5.1. Security policies and awareness

The role of a security policy, which is based on risk analysis, is to define the security rules that the company must follow. Security policies should be completed with:
- security standards: definitions of how hardware and software products are to be used
- security procedures: definitions of how to follow the security policies
- security baselines: definitions of the minimum level of security necessary throughout an organisation
- security guidelines: recommendations of actions and operating procedures for users

For example, in a company that has decided not to deploy a WLAN, the security policy must include a ban against employee-installed networks and procedures for enforcing the ban. A WLAN security policy can define the procedures to follow when installing, securing and using a laptop or PDA in a wireless environment: for instance, users must properly log out every time they disconnect; in public places users must be alert for unauthorised or curious people watching over their shoulder or trying to steal the wireless equipment; stolen or lost WLAN equipment must be reported immediately to the security officer and network manager. Even a well-defined WLAN security policy needs to be monitored to ensure that it is properly implemented and that all employees follow it. The users must be aware of the risks associated with WLAN, and agree to the WLAN security policy. The security officer should institute a security awareness programme for employees that includes WLAN risks and best practices.

5.4.6. Layer 2 analysis

Experience with analysis of IP, TCP and UDP has led to a realisation that 802.11 frames are susceptible to packet forgery or manipulation; that is, some bytes or bits can be changed, and the consequence analysed. Some hacking tools, largely available from the Internet, are not powerful enough to control all the firmware functionality of wireless cards. As a result they cannot alter all the bytes of an 802.11 frame, or neglect to do so. For example, when an 802.11 frame is segmented, the sequence number is constant and the fragment number is increased for each segmented packet. When there is no fragmentation, the sequence number is an incremental number starting at zero modulo 4096. Therefore, to detect an attack (MAC address spoofing, for example), it is possible to analyse the sequence numbers, without relying on the MAC address. Because some hacking tools always use the same type of packets (pre-compiled field), the tools have a signature that can be identified. This information can be stored in intrusion detection tools capable of sending an alert. In part of the 802.11 frames, some fields can be used in WLAN attack prevention or detection. These include:
- sequence numbers, used in 802.11 frame fragmentation control
- types and subtypes, some of which are reserved for future use or are used but undocumented by vendors
- destination MAC addresses, because in a network discovery scan the destination MAC address is always FF:FF:FF:FF:FF:FF (for broadcast)
- SSID, because in a probe request frame the SSID is set to a value of 0x00
- MAC addresses, which, because they are based on public OUIs, are unique

Other fields exist, such as the data payload, the LLC protocol type and the LLC protocol ID. Default values are defined by the standard, but they are not always implemented correctly on either the transmission or receiving end. Bad implementation implies risk of evasion or insertion of packets in the traffic and risk of not being detected by IDS.
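The sequence-number analysis described in section 5.4.6 (Layer 2 analysis) can be sketched as follows. This is an added example, not part of the white paper: it decodes the 16-bit Sequence Control field (4-bit fragment number, 12-bit sequence number) and tracks the counter per source MAC address, so that two transmitters sharing one address show up as repeated jumps in the modulo-4096 sequence. The gap tolerance, alert threshold and MAC addresses are assumptions constructed for the illustration.

```python
import struct
from collections import Counter

SEQ_MODULO = 4096
MAX_FORWARD_GAP = 64  # assumption: largest jump explained by frames the sensor missed
ALERT_AFTER = 3       # assumption: anomalies per MAC before it is reported


def pack_sequence_control(seq, frag=0):
    """Build the 2-byte little-endian Sequence Control field (for test data)."""
    return struct.pack("<H", ((seq % SEQ_MODULO) << 4) | (frag & 0x0F))


def parse_sequence_control(raw):
    """Return (sequence number, fragment number) from the 2-byte field."""
    (value,) = struct.unpack("<H", raw)
    return value >> 4, value & 0x0F


class SequenceMonitor:
    """Tracks the last sequence/fragment number seen for each source MAC."""

    def __init__(self, max_gap=MAX_FORWARD_GAP, alert_after=ALERT_AFTER):
        self.max_gap = max_gap
        self.alert_after = alert_after
        self.last = {}
        self.anomalies = Counter()

    def observe(self, mac, seq_ctrl):
        """Record one frame; return 'first', 'ok' or 'anomaly'."""
        mac = mac.lower()
        seq, frag = parse_sequence_control(seq_ctrl)
        prev = self.last.get(mac)
        self.last[mac] = (seq, frag)
        if prev is None:
            return "first"
        prev_seq, prev_frag = prev
        gap = (seq - prev_seq) % SEQ_MODULO  # wrap-around 4095 -> 0 gives gap 1
        if gap == 0:
            # Same sequence number: a retransmission or the next fragment.
            normal = frag in (prev_frag, prev_frag + 1)
        else:
            normal = gap <= self.max_gap
        if normal:
            return "ok"
        self.anomalies[mac] += 1
        return "anomaly"

    def suspects(self):
        """MAC addresses whose counter has jumped at least alert_after times."""
        return sorted(m for m, n in self.anomalies.items() if n >= self.alert_after)


# Constructed capture: (source MAC, sequence number, fragment number).
SHARED = "02:00:00:00:00:10"      # one address used by two transmitters
WRAPPING = "02:00:00:00:00:20"    # counter wraps from 4095 to 0
FRAGMENTING = "02:00:00:00:00:30" # sends one frame in three fragments
FRAMES = [
    (SHARED, 100, 0), (WRAPPING, 4094, 0), (SHARED, 3000, 0), (FRAGMENTING, 10, 0),
    (SHARED, 101, 0), (WRAPPING, 4095, 0), (FRAGMENTING, 10, 1), (SHARED, 3001, 0),
    (WRAPPING, 0, 0), (FRAGMENTING, 10, 2), (SHARED, 102, 0), (WRAPPING, 1, 0),
    (FRAGMENTING, 11, 0),
]


def run_demo():
    """Feed the constructed capture to a monitor and return the suspects."""
    monitor = SequenceMonitor()
    for mac, seq, frag in FRAMES:
        monitor.observe(mac, pack_sequence_control(seq, frag))
    return monitor.suspects()


if __name__ == "__main__":
    print(run_demo())
```

The wrap-around and fragmentation cases are included because a check that ignores them would raise alerts on ordinary traffic.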

5.5.2. External technical audits

Once a year the company should ask external auditors to evaluate the WLAN and analyse the configurations of all corporate WLAN elements. The results should be compared with the requirements defined in the security policy. Audits ensure that all components of a WLAN are secure and are being used in accordance with enterprise-specific policies. A lot of open source software is available from the Internet (see Appendix 6) and can be used for WLAN technical audits. An intruder can use the same tools to get into a LAN via the WLAN.

5.5.3. Penetration testing

To test the robustness of WLAN security, a specialised company can be hired to do penetration testing. The purpose of penetration testing is to assess the risk of an intruder being able to get into a company's internal computer system through the WLAN. The test is usually carried out without prior notification. Penetration testing consists of three main phases:

1. The first phase determines the extent of the area in which radio signals from the APs can be picked up. Using wireless-equipped laptops, this phase is carried out in a radius of about 300 metres from the company's offices. The goal is to identify the geographic boundaries of the WLAN, which determine the location from which the actual penetration testing will take place.
2. The objective of the next phase is to find a way to access the WLAN. The testers try a number of WNICs (802.11, 802.11a and 802.11b) by different manufacturers and use intrusive utilities that can penetrate the network by allowing eavesdropping on the WLAN, decrypt data if necessary and enable discovery of the authentication procedure (logins and passwords), so that the attacker can connect to the company network by masquerading as an authorised user.
3. The last phase is to identify the WLAN and LAN topology. From the illicit entry point obtained in phase 2, the testing team attempts to map the topology of the network being examined, using scanning and network mapping utilities. The aim is to determine the characteristics and roles of each part of the system, i.e. to figure out the topology of the whole network from the target elements that can be identified from the entry point.

thorised ad-hoc networks. Vulnerability assessment goes no further than that, however, and thus poses less risk to the network than a full penetration test.

5.5.5. Wired-side network administration tools

Popular LAN or wired-side network administration tools use ICMP and SNMP polling to identify IP devices attached to the network and their key characteristics, such as IP and MAC addresses. Network scanners use TCP and UDP fingerprints to identify various types of open services. Usually such tools memorise the results and ring an alarm each time a new element is discovered or disappears. The results can help identify both rogue and authorised APs and wireless clients. Depending on the segmentation of the network, however, this solution can be difficult to implement. Furthermore, a rogue AP is not likely to have SNMP enabled, and an SNMP poll or a network scan against an authorised station operating as a soft AP would not detect WLAN activity. Nor would SNMP polling detect accidental associations or ad-hoc networking.

6. 802.11 WLAN IN THE FUTURE


As of the first quarter of 2003, standard 802.11 security is unsatisfactory. Security objectives are not met, implementations vary from one vendor to another and standards are not all defined. Future solutions must address all these problems. Otherwise new attack tools will be developed to exploit remaining weaknesses such as replay, weak keys, IV collisions and frame management forgery.

6.1. WECA: THE WI-FI ALLIANCE


The Wireless Ethernet Compatibility Alliance (WECA), formed in 1999, is a nonprofit international association of leading wireless equipment and software providers. Its mission is to certify interoperability of WLAN products based on IEEE 802.11 specifications. The WECA term Wi-Fi stands for wireless fidelity. Wi-Fi certification assures tested and proven interoperability among types of wireless computer equipment.

5.5.4. Vulnerability assessment


The objective of scanning to assess network vulnerability is similar to that of the early phase of penetration testing: to discover areas of vulnerability and potential threats such as weak WLAN configuration, rogue APs and unau-

Figure 6.1: Wi-Fi logo Wi-Fi CERTIFIED products support a maximum data rate of 11 Mbps (802.11b).

6.2. WI-FI PROTECTED ACCESS


Wireless equipment and software providers, seeking to bring to market an immediate solution to Wi-Fi security problems, have decided to deploy what is stable in 802.11i, but ahead of IEEE ratification. Thus, in the first half of 2003, Wi-Fi Alliance vendors are to begin shipping a new standards-based solution called Wi-Fi Protected Access (WPA). Its main security features are:
- data encryption based on TKIP using RC4 WEP
- user authentication based on 802.1X EAP
- message integrity based on Michael

Once the 802.11i standard is approved, WPA products are supposed to be compatible.

6.3. IEEE 802.11I: ENHANCED SECURITY NETWORKING

The 802.11i standard proposes long-term security solutions for 802.11 WLAN. The full implementation of 802.11i, known as WPA2, will upgrade the fundamental 802.11 WLAN encryption algorithm from TKIP/WEP to an AES-based approach. The main security features are:
- data encryption based on TKIP using RC4
- message integrity based on Michael
- encryption/message integrity based on AES-CCMP
- user authentication based on 802.1X EAP
- roaming/pre-authentication
- ad-hoc networking

The processing requirements of AES mean that some Wi-Fi/WPA elements will require hardware upgrades. Products that are 802.11i compliant (WPA2 certified) are expected to be available in the first quarter of 2004.

Figure 6.2: Wi-Fi security, 1997-2004

7. CONCLUSION
Recent demonstrations of multiple vulnerabilities make it clear that robust security solutions are required. Many tools exist to test the level of security of WLAN. Wireless networks are more susceptible to active attacks than wired networks. Though first implementations and standards in WLAN have been identified as insecure, WPA provides an interim solution to the WEP problem and 802.11i will provide long-term support for secured legacy wireless infrastructure.

Adopters of early implementations must strengthen the infrastructure to secure their wireless networks. Late adopters may wait for secure solutions (such as WPA and 802.11i) to evolve before deploying WLANs. Observations related to security design and security implementations indicate that companies are seeking more trustworthy WLAN components. They expect more secure out-of-the-box configurations, better multi-vendor interoperability, a long-term secured 802.11 standard, etc. If security problems are solved, they will then consider new services based on quality and billable services. To stimulate the market, WPA certification should be delivered as soon as possible, followed by WPA2, hopefully with no need to change hardware. It is also to be hoped that no major weaknesses are discovered in WPA or WPA2; so far the outlook is good, vendors say.

WLAN best practices

If you already have a WLAN:
- Disable broadcast of SSIDs.
- Define private SSIDs.
- Enable WEP 128 bits.
- Change shared key regularly.
- Use MAC address filtering.
- Where possible, use
  - VPN
  - client firewall
  - strong mutual authentication (AP and client)
  - restricted radiation zone
  - network segmentation and intrusion protection
  - TKIP and AES.

If you plan to have a WLAN:
- Wait for WPA or IEEE 802.11i.

8. EXECUTIVE SUMMARY
Wireless local area networks (WLANs) make the concept of complete mobility a reality, providing new opportunities and challenges. WLAN has proved to be the next major evolution of technology for business. Its rise in popularity has been accompanied by an increase in security concerns. WLAN security, however, is also evolving. Because native security does not prevent attacks, additional security best practices should be followed. These include:
- assessing the risks before deployment
- listing and testing the latest wireless technologies and standards
- evaluating security features and designing a secured network topology
- defining administration and monitoring procedures
- planning deployment thoroughly

With proper care, it is possible to design and implement a WLAN that is at least as secure as an equivalent wired network. Thales Security Systems helps companies manage WLAN projects to maximise their return on investment and minimise security risks. In a WLAN project, Thales Security Systems offers multiple services in the following areas:

consulting
- WLAN architecture design
- penetration testing
- technical and organisational audits
- risk analysis
- security policy
- R&D assistance
- WLAN project management
- security awareness

integration
- hot spot package installation
- WLAN deployment
- product reselling

managed services
- WLAN monitoring
- incident response team

APPENDIX 1: GLOSSARY (Definitions of terms used in the context of the white paper)
Term | Definition
Access control | Process of controlling use of system resources
Access point | Entity connecting wireless client (qv) to LAN network. An AP is equivalent to a hub in a wired environment. It can be a hardware device or a software application running on a computer.
Ad-hoc mode | Client configuration that provides peer-to-peer connexion. An ad hoc mode is an IBSS.
Ad-hoc network | Network composed of wireless entities communicating with each other using no AP
Association | Process of mapping a wireless client to an AP and enabling the client to invoke DS services
Authentication | Process of proving the identity of a station
Basic service set | Set of 802.11-compliant stations controlled by one coordination function. A BSS is composed of wireless stations that can communicate with each other.
Client | Any 802.11-compliant entity connected to the WLAN and requesting services
Cyclical redundancy check | Error detection function telling the NIC that data have been received with or without error. If an error exists the data are discarded; if not they are forwarded to upper levels.
Deauthentication | Process of closing an existing authentication relationship
Direct sequencing spread spectrum | One of the three technologies defined in the 802.11 standard. DSSS uses a radio transmitter to spread data packets over a fixed range of the frequency band.
Disassociation | Process of closing an existing association
Distribution system | Connection between BSS. In infrastructure mode WLAN, the DS is often the LAN.
Extended service set | Set of two or more BSS forming a single subnetwork. Note that each BSS in the ESS has the same SSID.
Frequency hopping spread spectrum | One of the three technologies defined in the 802.11 standard. FHSS takes the data signal and modulates it with a carrier signal that hops from frequency to frequency, as a function of time, over a wide band of frequencies. Not used in 802.11a, b and g.
Independent basic service set network | A BSS with no DS; an ad hoc network in which communications are peer-to-peer
Industrial, scientific and medicine bands | Radio frequency bands that the US Federal Communications Commission authorised for wireless LANs. The ISM bands are at 902MHz, 2400GHz and 5.7GHz.
Infrastructure mode | A client setting providing connectivity to an AP
Infrastructure network | A BSS with one or more APs
Internet protocol | Protocol by which data are sent from one computer to another on a LAN. In WLAN, data are sent with the 802.11 protocol. When the 802.11 frame packet contains data, they are probably IP type data. The IP is encapsulated in 802.11 protocol.
Key | A password or pass-phrase to cypher clear text or decypher encrypted text
Local area network | Communications network offering services for local clients
MAC address | Address unique to a WNIC, based on an OUI allocated to each hardware manufacturer.
Media access control | Radio controller protocol in a WNIC. IEEE 802.11 defines the MAC protocols for media sharing, packet formats and addressing and error detection.
Peer-to-peer | Referring to communications among independent stations
Roaming | Ability to connect to multiple APs while maintaining a single authorised connection. Roaming occurs in infrastructure networks built around multiple access points.
Rogue AP | AP connected to a LAN without permission from network administrator(s)
Service set identifier | Station network identifier that must be associated to a BSS (either an ESS or an IBSS). Each BSS has a unique SSID, which is a 32-byte string.
Shared key authentication | An alternative WEP authentication type (shared key subtype) based on standard challenge-response along with a shared key. The shared key (also called secret key) is distributed by an external key management service.
Station | See glossary entry for Client
Wired equivalent privacy | Protocol specified for encryption and authentication between clients and APs, mainly used to increase confidentiality of data during transmission. There are two levels of WEP authentication: the open system and the shared/secret key.

APPENDIX 2: ABBREVIATIONS
Abbreviation | What it stands for
AES | Advanced encryption standard
AP | Access point
CRC-32 | Cyclical redundancy check
DS | Distribution system
DSSS | Direct sequence spread spectrum
FHSS | Frequency hopping spread spectrum
ICV | Integrity check value
IEEE | Institute of Electrical and Electronic Engineers
IrDA | Infrared data association
IV | Initialisation vector
LAN | Local area network
MAC | Medium access control
MAN | Metropolitan area network
MIC | Message integrity check
NIC | Network interface card
RC4 | Ron's Code 4
PRNG | Pseudo Random Number Generator
TKIP | Temporal key integrity protocol
UHF | Ultra high frequency
WEP | Wired equivalent privacy
WLAN | Wireless local area network
WNIC | Wireless network interface card

APPENDIX 3: IEEE WIRELESS GROUPS AND STANDARDS


IEEE 802.11 Working Group: Coordinates all the task groups. A task group is commissioned by the working group to write the standard or subsequent amendments to it.

Standard | Description
IEEE 802.1X | Security framework for IEEE 802 networks
IEEE 802.11 | Basic standard for WLAN (1 and 2Mbps)
IEEE 802.11a | High speed WLAN, extension of IEEE 802.11 specifications using speed of 6 to 54Mbps and operating at 5GHz
IEEE 802.11b | Extension of IEEE 802.11 specifications using speed of 1, 2, 5.5, and 11Mbps and operating at 2.4GHz
IEEE 802.11d | Complement to 802.11 MAC layer adding extra features and restrictions for use in foreign countries
IEEE 802.11e | Revision of 802.11 media access control standards including quality of service capabilities and multimedia traffic support
IEEE 802.11g | Extension of IEEE 802.11 specifications using speed greater than 20Mbps and operating at 2.4GHz
IEEE 802.11i | Not yet defined (expected Q1, 2004); should include security specifications in 802.11 WLANs

APPENDIX 4: WIRELESS POINTERS ON THE INTERNET


Standard | URL
IEEE 802.11 | http://standards.ieee.org/wireless/
 | http://grouper.ieee.org/groups/802/11/index.html
 | http://standards.ieee.org/wireless/overview.html#802.11
IEEE 802.1X | http://grouper.ieee.org/groups/802/1/pages/802.1x.html
RADIUS | http://www.ietf.org/rfc/rfc2138.txt
 | http://www.ietf.org/rfc/rfc2139.txt
 | http://www.ietf.org/rfc/rfc2548.txt
 | http://www.ietf.org/rfc/rfc2865.txt
 | http://www.ietf.org/internet-drafts/draft-ietf-radius-radius-v2-06.txt
 | http://www.ietf.org/internet-drafts/draft-ietf-radius-accounting-v2-05.txt
 | http://www.ietf.org/internet-drafts/draft-ietf-radius-ext-07.txt
 | http://www.ietf.org/internet-drafts/draft-ietf-radius-tunnel-auth-09.txt
 | http://www.ietf.org/internet-drafts/draft-ietf-radius-tunnel-acct-05.txt
EAP | http://www.ietf.org/rfc/rfc2284.txt
 | http://www.ietf.org/rfc/rfc2869.txt
 | http://www.ietf.org/rfc/rfc2716.txt
AES | http://csrc.nist.gov/encryption/aes/
Others | http://www.80211central.com/
 | http://www.80211central.com/glossary.html : Glossary
 | http://www.internetnews.com/wireless/archives.php : Newspaper
 | http://www.drizzle.com/~aboba/IEEE/ : The Unofficial 802.11 Security Web Page
 | http://www.wirelessinternet.com/WLANS_Articles_Links.htm : Wireless LAN Articles
 | http://www.computerworld.com/mobiletopics/mobile : Computerworld
 | http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/ : Wireless LAN resources for Linux
FAQ | http://www.iss.net/wireless/WLAN_FAQ.php
 | http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
 | http://www.80211central.com/faqs.html
 | http://www.sfwireless.net/moin/WlanFaq

APPENDIX 6: 802.11 NETWORK SECURITY AUDIT TOOLS


Name | Function(s) | URL
Air Defense | Wireless IDS and monitoring | http://www.airdefense.net
Air Jack | MAC address setting/spoofing; send custom (forged) management frames; AP forgery/fake AP | http://802.11ninja.net
AirMagnet | Wireless analyser | http://www.airmagnet.com/products.htm
AiroPeek | Wireless frame sniffer and analyser | http://www.wikdpackets.com/products/airopeek
AirSnort | Wireless sniffer; WEP key cracker | http://airsnort.shmoo.com
AirTraf | Wireless sniffer / analyser | http://airtraf.sourceforge.net, http://sourceforge.net/projects/airtraf
bsd-airtools | WEP key cracker; 802.11b WLAN detection; access point enumeration | http://www.dachb0den.com/projects/bsd-airtools.html
FakeAP | Multiple Access Points simulation | http://www.blackalchemy.to/Projects/fakeap/fake-ap.html
HostAP | Access Points simulation | http://hostip.epitest.fi
Isomair | Management analysis | http://www.isomair.com/products.html
ISS Wireless scanner | Vulnerability scanner | http://www.iss.net/products_services/enterprise_protection/vulnerability_assessment/scanner_wireless.php
Kismet | 802.11a/b WLAN detection | http://www.kismetwireless.net
Mac Stumbler | 802.11b WLAN detection | http://homepage.mac.com/macstumbler/, http://wwwmacstumbler.com
Mini Stumbler | Access point enumeration | http://www.stumbler.org
MogNet | Wireless Ethernet sniffer and analyser | http://chocobospore.org/mognet/
Net Stumbler | War driving and GPS | http://www.netstumbler.org
Prism2 | Linux driver Host AP mode | http://hostap.epitest.fi/
Sniffer Wireless | network monitoring, capturing, decoding | http://www.sniffer.com/products/wireless/default.asp?A=5
SSIDsniff | discover AP and capture traffic | http://www.bastard.net/~kos/wifi/
stumbverter | import Network Stumbler's summary files into Microsoft's MapPoint maps | http://www.sonar-security.com/
THC-RUT | network discovery tool | http://www.thehackerschoice.com/releases.php
Wavemon | WLAN monitoring application | http://www.jm-music.de/projects.html
wavestumbler | 802.11 network mapper | http://www.cqure.net/tools08.html
Wellenreiter | 802.11b WLAN detection; SSID brute force | http://www.remote-exploit.org/
WepCrack | WEP key cracker | http://wepcrack.sourceforge.net/
WifiScanner | 802.11b WLAN detection | http://sourceforge.net/projects/wifiscanner/, http://wifiscanner.sourceforge.net/
