WLAN Access Zones
Karri Huhtanen <karri.huhtanen@jippiigroup.com>

WLAN Access Network

... threats
eavesdropping
  and recording radio traffic
  and recording IP traffic / traffic on the MAC level (e.g. tcpdump)
denial of service
  IP DoS attacks
  Radio DoS attacks
  Interference from other devices on the unlicensed 2.4 GHz band (e.g. Bluetooth, microwave ovens, other links)
integrity / replay
  MAC address forging, IP hijacking
  replay registration attacks against the WLAN access point
  IP replay / integrity / man-in-the-middle attacks (e.g. forging email, capturing keys)

... solutions
WEP (Wired Equivalent Privacy) encryption
  unique and common shared secrets
  changing the shared secret often, key exchange secured by a vendor-specific solution
IPSEC / VPN, encrypting traffic on the IP level, authentication of the user to the network and of the network to the user
MAC address access filtering in the WLAN access point (AP)
Vendor-specific solutions like Lucent's "closed network" setting
Legislation concerning deliberate interference with telecommunications

... problems
There are several known weaknesses in the structure of WEP encryption
The WEP shared secret is useless when it is common knowledge
WEP key exchange is not yet a defined standard; different vendors have implemented their own solutions, which usually are not interoperable
A MAC address can be faked very easily => additional authentication is required
Radio DoS attacks may only be prevented by legislation; radio interference from other devices cannot be prevented, only avoided
The only methods to authenticate the radio network to the user on the non-IP level are the network id (essid) and the possible shared secret
Replay attacks may be prevented to some extent with WEP, but the network is as vulnerable as every other IP network
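An added illustration (not part of the original slides) of why "changing the shared secret often" matters: WEP's RC4 keystream is selected by a 24-bit IV, so a busy access point wraps the IV counter within hours and random IVs collide far sooner (birthday bound). The functions below compute those figures and flag a repeated IV in a constructed sample; the link rate and frame size are assumptions, not values from the slides.

```python
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible WEP IVs per shared key


def frames_per_second(link_mbps: float, frame_bytes: int) -> float:
    """Upper bound on frames/s when the link carries back-to-back frames of this size."""
    return link_mbps * 1_000_000 / (frame_bytes * 8)


def seconds_until_iv_exhaustion(link_mbps: float, frame_bytes: int) -> float:
    """Time for a sender that increments the IV to wrap the 24-bit counter.

    After the wrap every IV (and thus every keystream) under the same shared
    key is reused; this is the upper bound on a sensible key-rotation interval.
    """
    return IV_SPACE / frames_per_second(link_mbps, frame_bytes)


def frames_for_collision_probability(p: float, space: int = IV_SPACE) -> int:
    """Birthday bound: frames with randomly chosen IVs needed before P(repeat) >= p."""
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - p))))


def first_repeated_iv(ivs):
    """Index of the first IV already seen under the current key, or None.

    A monitoring tool on the defender's side can use this to decide that the
    shared secret has been used too long and must be rotated.
    """
    seen = set()
    for i, iv in enumerate(ivs):
        if iv in seen:
            return i
        seen.add(iv)
    return None


if __name__ == "__main__":
    # Assumed 11 Mbps link saturated with 1500-byte frames (constructed scenario).
    hours = seconds_until_iv_exhaustion(11, 1500) / 3600
    print(f"sequential IVs wrap after about {hours:.1f} hours")
    print(f"50% chance of a random-IV collision after {frames_for_collision_probability(0.5)} frames")
    # Constructed IV sequence: the fourth frame reuses IV 0x0002.
    print("first reused IV at frame index", first_repeated_iv([1, 2, 3, 2, 5]))
```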

Regional Access Zone

... network structure

... threats
Denial of service due to radio interference or malicious user
Unauthorized or unaccounted access to the network and Internet
Eavesdropping and recording other users’ traffic
Faked servers and networks, intercepting other users’ traffic
Network performance loss due to extensive traffic using private network addresses and bypassing the security gateway

... solutions
Network management that can determine overloaded access points and, based on e.g. the GPS coordinates of the access points, also pinpoint the area where the disturbance is
Some radio interference can be avoided by careful radio network planning, using licensed frequencies,
VPN/IPSEC client and security gateway
IPSEC-protected traffic between routers
Filters, firewall / class-of-service rules, traffic shaping in (wireless) routers
The selection of a secure management / dynamic routing protocol
Filtering out routing/management protocols in routers that may be potentially dangerous

... problems
Most of the vendor products available on the market today do not have the features needed to handle the threats or implement the solutions => need for customized/homemade network elements
VPN IPSEC implementations and their interoperability (key exchange and authentication)
Faked servers and services can still cause trouble within one cell => need for network elements that can also handle this kind of problem, and also a need for user education
Double tunneling if two VPNs are used, one to secure access over the radio path and the other to connect to, for example, a company intranet
What if some devices / users do not or cannot have an interoperable VPN client installed?
How to create and combine public access with this scenario?

Public Access Zone

... network structure

... threats
Denial of service due to radio interference or a malicious user
Unauthorized and unaccounted access to the network and Internet
Eavesdropping and recording other users' traffic
Faked servers and networks, intercepting/diverting other users' traffic
The lack of traceability if many-to-one NAT is used
Possible access to the IP level without authentication => better possibilities to eavesdrop on traffic

... solutions
Denial of service attack sources are easier to find, as the average public access zone may be only one cell; network management also helps
Public Access Controller (PAC) and related vendor solutions
  use WWW (https) secured authentication and MAC address based access filtering
  use a VPN client for corporate access after the PAC has opened the hole to the Internet
  limit access to the Internet to only a few ports (WWW, IMAP, etc.) => attacking hosts in the Internet does not seem feasible
  use real IP addresses if possible
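An added model (not vendor code and not part of the original slides) of the PAC decision logic described above: a user's (MAC, IP) pair is admitted only after the HTTPS portal login, the opened hole is limited to a few destination ports, sessions expire when idle, and every decision is logged against the real client IP for traceability. The port list, idle limit and sample traffic are constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed allowed destination ports for the "few ports" rule (WWW, IMAP).
ALLOWED_DST_PORTS = {80, 443, 143, 993}
SESSION_IDLE_LIMIT = 900  # seconds; assumed value


@dataclass
class Session:
    mac: str
    ip: str
    last_seen: float


@dataclass
class PublicAccessController:
    sessions: dict = field(default_factory=dict)  # keyed by (mac, ip)
    audit_log: list = field(default_factory=list)  # traceability records

    def login(self, mac: str, ip: str, portal_auth_ok: bool, now: float) -> bool:
        """Open the hole only after the HTTPS portal has authenticated the user."""
        if not portal_auth_ok:
            self.audit_log.append((now, ip, mac, "login rejected"))
            return False
        self.sessions[(mac, ip)] = Session(mac, ip, now)
        self.audit_log.append((now, ip, mac, "session opened"))
        return True

    def decide(self, mac: str, ip: str, dst_port: int, now: float) -> str:
        """Return 'allow' or a deny reason for an outbound packet from the cell."""
        sess = self.sessions.get((mac, ip))
        if sess is None:
            # A known MAC with a different IP is still unauthenticated:
            # the MAC alone is not trusted as an identity.
            return "deny: unauthenticated"
        if now - sess.last_seen > SESSION_IDLE_LIMIT:
            del self.sessions[(mac, ip)]
            self.audit_log.append((now, ip, mac, "session expired"))
            return "deny: session expired"
        if dst_port not in ALLOWED_DST_PORTS:
            self.audit_log.append((now, ip, mac, f"blocked port {dst_port}"))
            return "deny: port not permitted"
        sess.last_seen = now
        return "allow"


def demo() -> list:
    """Constructed traffic: login, allowed web, blocked SMTP, expiry, MAC reuse."""
    pac = PublicAccessController()
    pac.login("00:02:2d:aa:bb:cc", "192.0.2.10", True, now=0.0)
    return [
        pac.decide("00:02:2d:aa:bb:cc", "192.0.2.10", 443, now=10.0),
        pac.decide("00:02:2d:aa:bb:cc", "192.0.2.10", 25, now=20.0),
        pac.decide("00:02:2d:aa:bb:cc", "192.0.2.11", 80, now=30.0),
        pac.decide("00:02:2d:aa:bb:cc", "192.0.2.10", 80, now=10.0 + 2000.0),
    ]
```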

... problems
WEP cannot be used
  shared keys cannot be used
  how to do the WEP key exchange with multiple vendors' products
Authentication
  WWW authentication may be the only feasible method
  A MAC address by itself is not reliable, nor does every card have a smart card reader embedded in it => more authentication is needed
Accounting
  how to bill random users (paying with a credit card for access)?
  combined GSM/WLAN billing is a pretty good idea, but how to do it with every vendor's card?
VPN trouble
  with NAT
  interoperability
  key distribution is hard
  there is no client for every terminal
  users cannot be "forced" to use just one single vendor solution

Corporate Access Zone

... network structure

... threats
Unauthorized and unaccounted access to the intranet
Eavesdropping and recording intranet / users' traffic
Faked servers and networks, intercepting/diverting/modifying other users' traffic
The denial of service attack threat is, in the author's opinion, not very likely. However, denial of service of network elements may cause losses depending on the company

... solutions
IPSEC/VPN client
Also WEP encryption (helps in authenticating network to user and user to network)
Firewalls
Company policies / standards (client, software/hardware configuration, security)
Personnel security training
Careful selection of software/hardware solutions to minimize interoperability problems
Redundancy for high availability and load balancing

... problems
The different requirements of different users and business units (R&D requires more flexibility, but also more security; production may need only a standard solution, etc.)
People and their attitudes towards security, company policies and standards. These must not feel like paperwork for the sake of paperwork.
Questions like:
  can the service provider be trusted to terminate the company user's IPSEC tunnel and then create another one?
  how can the user terminal be protected outside the company network so that it won't serve as a host for trojan horses or reveal sensitive data about the network to non-employees?
Creating the security policy and rules.

More Information
(In)Security of the WEP algorithm by Nikita Borisov, Ian Goldberg, and David Wagner (http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html)
Wireless LANs course at Tampere University of Technology
http://www.cs.tut.fi/kurssit/83800/ and the seminar presentation there
About Access Zones and WLAN, check Nokia's Operator WLAN concept as well as Cisco's and Lucent's WLAN pages and solutions, and of course the author's seminar report
About Wireless Network Services Oy (http://www.wnsonline.net/)

Possible exam questions
Present one weakness of the WEP algorithm used in WLAN networks and an attack that works against it, along with their principles. Why is the weakness a weakness, and how does the attack exploit the weakness?
In what ways can you counter the threat of eavesdropping on the radio path in WLAN networks?
You have been given the task of designing a WLAN access zone for the company's employees into the company's internal network. What is the structure of the network you design, and which solutions do you use to ensure security? Include the threats countered and the reasoning for the solutions.
Protecting public access zones with IPSEC and other VPN techniques involves several problems. Present a few of these.
Your task is to design a public WLAN access zone for use by an Internet service provider. Draw the structure of the access zone's network with its devices and analyse which security threats you have been able to avoid, which you have not, and why.