SECURITY

Wireless Security in Windows Vista

7/28/2010 9:25:01 AM
Chapter 13: Wireless Security
Wi-Fi networks have become a common connectivity tool in most corporate and many home environments. Unfortunately, a large percentage of users have installed Wi-Fi networking without any security defenses or with weak defenses. This chapter covers Wi-Fi terminology, threats to 802.11 wireless networks, and improvements in wireless for Vista. It also discusses the general and detailed steps needed to implement strong security on Windows wireless networks.

Note 

Other wireless technologies that are normally used for other purposes, such as Bluetooth, cellular, and infrared, will not be covered.

Wi-Fi Terminology and Technologies

There are so many wireless networking terms and standards that it makes the normally acronym-obsessive computer world seem quaint. Many users get lost in the dizzying array of initials and definitions so that they aren't sure what any of the wireless protocols and acronyms mean.

Wi-Fi Standards

Wi-Fi networking refers to globally accepted, wireless communication protocols based on the 802.11 standards governing Wireless LANs (WLANs). Wi-Fi is a trademark of the Wi-Fi Alliance (http://www.wifialliance.com) and does not stand for Wireless Fidelity, as some people believe. Wi-Fi is most often used in local area networks but can be used for wide area networks, music players (Microsoft's Zune uses Wi-Fi for music trading), cell phones, gaming consoles, and automobiles.

A Wi-Fi network is composed of one or more access points and nodes (see Figure 1). An access point (AP) normally connects one or more wireless nodes (or clients) together using 802.11 technologies. Wireless APs normally broadcast beacon packets advertising their Service Set Identifier (SSID) (i.e., network name). Beacon packets advertising the SSID are normally transmitted so that listening nodes can connect to the AP, although this feature can be turned off. Wireless APs often connect a wireless network to a wired network (although that doesn't have to be the case), and they can function in bridged, Network Address Translation (NAT), or routing mode.

Figure 1: Typical Wi-Fi setup

Infrastructure versus Ad-Hoc Mode

There are two access point modes: Infrastructure and Ad-Hoc. Infrastructure mode is when an AP is a terminating network device designed to support multiple wireless nodes at once (much like a wired hub). It often interfaces the wireless network to the wired network. Most APs are in Infrastructure mode by default.

Ad-hoc mode APs use peer-to-peer connections. Normally, every computer that has a wireless network card can act as an Ad-hoc mode AP. Prior to Vista, Windows clients would often connect to Ad-hoc mode APs if Infrastructure mode APs could not be found, despite the fact that most wireless users only intended to connect to preconfigured Infrastructure mode APs (called preferred networks). Malicious hackers have used rogue Ad-hoc nodes to attempt to compromise wireless nodes. Windows XP Pro (SP2 and later) and later Windows OSs will warn the user if the user attempts to connect to an Ad-hoc mode or unsecured AP.

If two or more APs with the same SSID are within range of the node, the node's software will normally choose the stronger signal (although it depends on the node's wireless network drivers). Access points normally have 11 or more channels that can be used, although many places outside the United States have more (Europe has 13, Japan has 14). Most APs can only use one channel at a time. However, many vendors, like Cisco, offer multi-channel APs for load balancing.

Each channel is a separate broadcast spectrum, although because of a wireless phenomenon called harmonics, if multiple APs are in range of each other, channels that can be divided or multiplied by two to equal another channel should be avoided. Thus, you would not want one AP to use channel five and another to use channel ten. Traditionally, most administrators installing multiple wireless APs in the United States use channels 1, 6, and 11 to prevent unintended interference.

Wi-Fi uses Collision Avoidance (CA) to try to avoid collisions between network packet transmissions from client nodes. The practical effect is that every node on the same AP and channel can see all the traffic headed to and from every other node, just like legacy Ethernet hubs. Without protection, any node on the same channel can see everything the other node is transmitting and receiving.

Wi-Fi Standards

There are four main 802.11 Wi-Fi standards:

  • 802.11a

  • 802.11b

  • 802.11g

  • 802.11n

Regardless of its lettering, 802.11b was the first widespread Wi-Fi standard in use when wireless networking took off. It uses the 2.4 GHz spectrum and can transmit up to 11 Mbits/second (1 Mbits/second is the minimum for all Wi-Fi connections) reliably up to 100 meters (physical infrastructure notwithstanding). Indoor maximum range is closer to 35 meters.

802.11a operates at the 5 GHz spectrum and can transmit data up to 54 Mbits/second up to 75 meters outdoors and 25 meters indoors.

802.11g operates at the same 2.4 GHz spectrum as 802.11b, but can send data up to 54 Mbits/second (like 802.11a), and for the same distances as 802.11a.

Because 802.11b and 802.11g share the same 2.4 GHz spectrum, many APs and nodes support them jointly (called 802.11b/g). Of course, maximum transmission distances must take into account physical surroundings and interference from other sources. They can be extended using specifically developed "extender" devices.

A new Wi-Fi standard, called 802.11n, is moving toward final approval in the 2007/2008 timeframe. 802.11n supports data rates up to 540 Mbits/second over the 2.4 or 5.0 GHz channels for indoor distances not to exceed 50 meters. 802.11n gets its incredible speed boost by using multiple transmitting and receiving antennas on each AP, known as Multimedia In Multimedia Out (MIMO) technology. Several vendors already support 802.11n and MIMO.

802.11n network equipment is expected to support one or more of the previous standards for backward compatibility, although if even a single node is running at a slower speed, it makes the AP and all attached nodes run at the same reduced speed. Additionally, the 2.4 GHz spectrum is licensed to HAM radio operators and is used by wireless telephones, baby monitors, and so on. Those devices may interfere with Wi-Fi networks operating in the same bands. Table 1 summarizes the various Wi-Fi transmission standards:

Table 1: Wi-Fi Technology Comparison

WI-FI STANDARD    CHANNEL BAND      MAX. SPEED          MAX. DISTANCE
802.11a           5.0 GHz           54 Mbits/second     75 meters
802.11b           2.4 GHz           11 Mbits/second     100 meters
802.11g           2.4 GHz           54 Mbits/second     75 meters
802.11n           2.4 or 5.0 GHz    540 Mbits/second    50 meters


Note 

There are many other wireless standards, including 802.11p, for automobile and transportation Wi-Fi transmissions, and 802.16, WiMAX, for wireless metropolitan area networks. But 802.11a/b/g are by far the most popular computer wireless standards at the moment.

Wi-Fi Security Standards

Wi-Fi security standards have just as many acronyms. Each security standard refers to authentication (computer or user), data integrity, encryption, or all three. The following is a description of these standards. A further examination of their strengths and weaknesses and when to use each of them is covered at the end of this chapter.

Wired Equivalent Privacy

Wired Equivalent Privacy (WEP) was the first widespread encryption protocol for Wi-Fi networks. Developed in 1999 along with the initial 802.11b Wi-Fi explosion, WEP provides weak encryption and even weaker data integrity. While WEP was originally thought to provide good encryption, it was quickly found to have several flaws. Its encryption routine relied upon a weak RC4 encryption initialization vector (IV) and a short key length.

Several wireless cracking tools, such as Airsnort (http://www.airsnort.shmoo.com) or Chopchop (http://www.netstumbler.org/showthread.php?t=12489), make cracking WEP-encrypted packets take only seconds (after collecting the needed hundred thousand or so WEP packets). WEP's data integrity relies upon a very weak cyclical redundancy check (CRC) that in the crypto world gets no respect.

WEP comes in two default strengths, 64-bit (actually, it is 40-bit crypto strength with a 24-bit IV) and 128-bit, although a 256-bit version was later added in an attempt to extend WEP's useful life. WEP requires that the administrator input an identical, shared character string into the AP and all participating nodes. Figure 2 shows a 128-bit WEP key being entered into Vista. Each hexadecimal character entered adds 4 bits of strength, which when added to the 24-bit IV makes up the entire WEP encryption strength (weak as it is). Thus, 64-bit WEP requires the administrator to type in 10 hexadecimal characters (10 characters × 4 bits = 40 bits, plus the 24-bit IV = 64 bits), 128-bit WEP requires 26 hexadecimal characters, and 256-bit WEP requires 58 hexadecimal characters.

Figure 2: Manually inputting a WEP key

Manually inputting the WEP keys can be a painstaking process. Most WEP vendors simply disabled WEP by default, so users could plug in their Wi-Fi equipment and get working. To this day, most wireless surveys reveal 40 to 50 percent of all Wi-Fi networks as unprotected.

Unfortunately, even if users enable WEP, it is only strong enough to block the casual intruder. Today, WEP should only be used if that is all the legacy wireless components support. It's better than broadcasting in plain-text. Wi-Fi WEP users should consider upgrading their WEP-protected wireless networks to a newer security protocol or use an alternative end-to-end client protection protocol, such as IPsec or a proprietary VPN client.

Wi-Fi Protected Access/802.11i

Wi-Fi Protected Access (WPA) was an intermediate standard intended to correct WEP's deficiencies. WPA has now been replaced by a more mature version of the WPA standard, known as WPA2 or 802.11i. As with WEP before it, WPA (version 1) should not be used if WPA2/802.11i can be used. However, it should be considered over plain-text transmission and WEP.

WPA/WPA2 uses stronger cryptography. Data is encrypted using an improved RC4 cipher, with a minimum of a 128-bit key and a 48-bit IV. A new protocol called Temporal Key Integrity Protocol (TKIP) takes any original key used in the beginning of WPA/WPA2 transmissions and constantly updates it. The key used to encrypt data changes dynamically, and unpredictably, making WPA/WPA2 a much stronger Wi-Fi encryption protocol. WPA2 uses the Advanced Encryption Standard (AES) cipher for data confidentiality. Additionally, a new Message Integrity Code (MIC) is used as an authenticated hash for data integrity. It prevents undetected data manipulation and traffic replay.

WPA2 has two modes: Personal and Enterprise.

WPA Personal Mode

WPA Personal uses a Pre-Shared Key (PSK) similar to the shared character string that WEP required (see Figure 3). The PSK can be from 8 to 63 ASCII characters long. The only difference is that if the user chooses a strong PSK (14 or more random characters), the WPA2 standard is strong enough to withstand most cryptographic attacks. Unfortunately, sharing a PSK between the AP and the various nodes makes the PSK susceptible to unauthorized interception. The strength of your PSK might not be how long and random it is, but how securely you store the document you write the PSK down on.

Figure 3: Manually inputting a WPA2 key
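
The following Python sketch is an added example, not code from the book. It checks a passphrase against the limits given above and derives the 256-bit key that WPA/WPA2 Personal actually uses. The derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) comes from IEEE 802.11i rather than from this chapter, and the character-class heuristic is an assumption of the example.

```python
import hashlib
import string

MIN_LEN, MAX_LEN = 8, 63   # passphrase limits stated in the chapter
RECOMMENDED_LEN = 14       # the chapter's threshold for a strong PSK

# Character classes used by the (assumed) randomness heuristic below.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " "]


def check_passphrase(passphrase):
    """Return a list of problems; an empty list means the passphrase passes."""
    problems = []
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        problems.append("length must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("only printable ASCII characters are allowed")
    if len(passphrase) < RECOMMENDED_LEN:
        problems.append("shorter than 14 characters")
    used = sum(any(c in cls for c in passphrase) for cls in CLASSES)
    if used < 3:
        problems.append("uses fewer than 3 character classes, unlikely to be random")
    return problems


def derive_pmk(passphrase, ssid):
    """Map a passphrase to the 256-bit pairwise master key (IEEE 802.11i).

    The SSID is the salt, so the same passphrase yields a different key on a
    different network name, and every node that knows the passphrase derives
    the same key as the AP.
    """
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        raise ValueError("passphrase must be 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    # Constructed sample values for illustration only.
    for phrase in ("password", "k7#Qv!2mZp@9xLw4"):
        print(phrase, check_passphrase(phrase) or "OK")
    print(derive_pmk("password", "IEEE").hex())
```

Because the key depends only on the passphrase and the SSID, anyone who obtains the written-down passphrase holds the same key as every legitimate node.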

Writing down PSKs is never a good security practice. Accordingly, the Wi-Fi Alliance approved a newer, easier method called Wi-Fi Protected Setup (WPS). It allows the initial PSK to be generated by the WPA2 participating equipment. The user can either press a physical button on the AP, and all wireless nodes within reach of the AP can join the WPA2 network (not that secure, but very easy), or type in a previously determined 4- or 8-character PIN as the initial negotiator.

Additional methods (not yet formally approved as this book goes to press) will include tokens, smart cards, and USB flash devices. Regardless of the "boot-strap" method, it allows WPS-enabled equipment to pass a PSK between the AP and listening node. Many vendors already support WPS or a similar method. You can get more information on WPS at http://www.wi-fi.org/news/010807-wifi-protected-setup/en.


Note 

Earlier versions of Wi-Fi Protected Setup, before the standard and name were resolved, are known by many different names. For example, D-Link called it WPA2-Auto Wireless Security (Enhanced).

WPA2 Enterprise Mode

WPA2 Enterprise mode relies on an 802.1X authentication server (notice it is 802.1X, not 802.11x) and 802.1X clients. 802.1X is also known as a network access control protocol. It can be used for wired and wireless authentication, although its initial use has focused on WPA2 wireless client connections. Wired 802.1X connections are managed by a new Vista service called Wired AutoConfig.

Windows 2000 (fully service packed) and later support WPA2 and 802.1X client authentication. Microsoft's Internet Authentication Service (IAS), or Longhorn's new Network Policy Server (which replaces IAS), can be used as 802.1X servers for either wired or wireless networks.


Note 

802.1X authentication is server and client node authentication only. If used alone, without WPA2/802.11i, there still could be data encryption and user authentication issues. If WPA2/802.11i is used, it includes both authentication and encryption.

The communication protocol between the client and the server is known as Extensible Authentication Protocol (EAP). And as the name correctly implies, it is extensible and comes in many versions, including:

  • EAP-TLS (available in Windows XP and Windows Server 2003)

  • EAP-TTLS/MSCHAPv2

  • PEAP/MSCHAPv2 (default in Vista and Longhorn server)

EAP-TLS supports digital certificates and smart cards. EAP-TTLS/MSCHAPv2 supports user authentication, and PEAP-TLS supports a stronger, even more protected EAP protocol. PEAP (Protected EAP) establishes a secure channel before initiating the standard EAP protocol. Expect the future to bring many more EAP-related protocols and acronyms.


Note 

Previous versions of Windows, prior to Vista, supported EAP-MD5. It is being deprecated, although it can still be enabled with a little work (http://www.support.microsoft.com/kb/922574).

Enabling WPA2 Enterprise mode takes planning. In order for a wireless network to support a particular standard (for example, WPA2, or otherwise), the following components must support the desired protocol:

  • Access point

  • Wireless network interface card

  • Wireless network interface card drivers

  • Supporting operating system

It is not uncommon for one or more older components not to support the latest standards. Some components can be upgraded using software or firmware upgrades. Others have to be replaced completely. Check with your vendor on supported standards and updates.

WPA2 Enterprise mode requires the most setup and preparation of all the discussed wireless standards. The following tasks summarize enabling WPA2 Enterprise mode:

  1. Decide whether computer authentication, user authentication, or both will be used to authenticate to the wireless network infrastructure.

  2. Configure your Public Key Infrastructure (PKI) services, as can be provided by Microsoft Certificate Services, to create and distribute the appropriate digital certificates.

  3. Install digital certificates on computers or smart cards.

  4. Configure and enable a participating RADIUS or 802.1X authentication service. The authentication server must normally have its own identity digital certificate in order to authenticate to the connecting client and to securely transmit security information back and forth.

  5. Configure the wireless access point to accept WPA2 Enterprise authentication, pointing the access point to a valid RADIUS or 802.1X authentication server.

  6. Configure wireless computers to use WPA2 Enterprise authentication, with the appropriate settings selected.


Note 

This book will focus on the Vista client configuration tasks. To configure Microsoft Certificate Services for WPA2/802.1X security, see http://www.microsoft.com/technet/security/prodtech/windowsserver2003/pkiwire/swlan.mspx?mfr=true.

First, you must decide whether you want computers or users to authenticate. Computers authenticate using computer (also called machine) digital certificates. They must be requested and installed on the client computers that wish to communicate. Alternately, you can require users to authenticate instead of the computer. Users can authenticate to the authentication service using a digital certificate stored on a smart card (EAP-TLS) or using a logon name and password (EAP-MSCHAPv2). Once the choice is made, a PKI service should be appropriately configured and the certificates generated and distributed.

Microsoft's Internet Authentication Service (IAS) or Network Policy Server (NPS) can be used for client authentication. The participating wireless access point must be configured for WPA2 authentication and pointed to the appropriate authentication services (see Figure 4 for an example access point configuration screen).

Figure 4: Example WPA2 setup options at the access point

Next, the client has to be configured with a wireless WPA2 Enterprise connection. Figure 5 shows a Vista wireless connection being configured for WPA2-Enterprise. The Encryption type can be TKIP or the stronger AES.

Figure 5: Configuring a WPA2-Enterprise connection

The network authentication method can be Protected EAP, smart card, or digital certificate. When Protected EAP is chosen, the user authentication can be confirmed using a user password (EAP-MSCHAPv2), as shown in Figure 6, or it can require a smart card or digital certificate. As Figure 7 shows, when EAP-MSCHAPv2 is chosen, you can configure Windows to automatically supply the user's logon name, password, and logon domain name as the default user authentication credentials.

Figure 6: Using WPA2 with EAP-MSCHAPv2
Figure 7: Instructing EAP-MSCHAPv2 to use the user's default logon name and password

"Validate server certificate" should also be chosen to make sure the remote server authenticates to the client, preventing man-in-the-middle attacks.

If the option Enable Quarantine checks is selected, the Vista client will participate in Network Access Protection (NAP), which can be delivered by Windows Server 2003's Network Access Quarantine Control/RRAS/IAS services or Longhorn's new Network Policy Server. Network Access Protection enables an administrator to verify that connecting clients have met various minimum standards (for example, up-to-date antivirus software installed, fully patched OS, and so on) before allowing access to any network resources beyond the limited quarantine area. See http://www.microsoft.com/technet/network/nap/default.mspx for more details.

If smart cards and certificates are chosen for WPA/WPA2 network authentication, you can choose between a smart card certificate or a computer digital certificate (see Figure 8). WPA2 and EAP are very versatile protocols.

Figure 8: Configuring WPA2 to require computer certificate authentication

In closing, all administrators should strive to be using WPA2/802.11i Wi-Fi security. It contains strong, examined, cryptographic encryption and authentication. Windows Vista and Windows Server support 802.11 security. As you'll soon see, there's a reason why you need wireless security.
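
As an added example (not from the book), the Python script below audits wireless profiles in the XML format written by `netsh wlan export profile` and flags the weaker choices this chapter describes: ad-hoc networks, plain-text, WEP, WPA version 1, and TKIP. The sample profiles and the `make_profile` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}
SEC = "w:MSM/w:security/w:authEncryption/w:"

# Constructed template in the WLAN profile XML format; values are filled in below.
TEMPLATE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{name}</name>
  <SSIDConfig><SSID><name>{name}</name></SSID></SSIDConfig>
  <connectionType>{ctype}</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security><authEncryption>
    <authentication>{auth}</authentication>
    <encryption>{enc}</encryption>
    <useOneX>{onex}</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""


def make_profile(name, ctype, auth, enc, onex):
    """Build a constructed sample profile (hypothetical helper for this example)."""
    return TEMPLATE.format(name=name, ctype=ctype, auth=auth, enc=enc,
                           onex=str(onex).lower())


def audit_profile(xml_text):
    """Return (profile name, security mode, findings) for one exported profile."""
    root = ET.fromstring(xml_text)

    def text(path):
        node = root.find(path, NS)
        return (node.text or "").strip() if node is not None else ""

    ctype, auth, enc = text("w:connectionType"), text(SEC + "authentication"), text(SEC + "encryption")
    onex = text(SEC + "useOneX").lower() == "true"

    findings = []
    if ctype == "IBSS":
        findings.append("ad-hoc (peer-to-peer) network, not an Infrastructure AP")
    if enc == "none":
        findings.append("no encryption: traffic is sent in plain text")
    elif enc == "WEP":
        findings.append("WEP: weak IV and CRC integrity, upgrade or tunnel over IPsec/VPN")
    elif enc == "TKIP":
        findings.append("TKIP selected: AES is the stronger choice")
    if auth in ("WPA", "WPAPSK"):
        findings.append("WPA version 1: use WPA2/802.11i where the hardware supports it")

    if auth in ("WPA", "WPA2") and onex:
        mode = "Enterprise (802.1X)"
    elif auth in ("WPAPSK", "WPA2PSK"):
        mode = "Personal (PSK)"
    else:
        mode = "Legacy"
    return text("w:name"), mode, findings


SAMPLES = [
    make_profile("corp-wlan", "ESS", "WPA2", "AES", True),
    make_profile("home-ap", "ESS", "WPA2PSK", "TKIP", False),
    make_profile("old-printer", "ESS", "open", "WEP", False),
    make_profile("free-wifi", "IBSS", "open", "none", False),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        name, mode, findings = audit_profile(sample)
        print(f"{name:12} {mode:20} {'; '.join(findings) or 'OK'}")
```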

