Overview
Code Red's mission is to provide a comprehensive security management
solution for the IEEE 802.11 based Wireless LANs.
Therefore two goals are imperative:
1. To overcome as many security vulnerabilities
as possible, as cited in research conducted by several institutions such
as UC Berkeley (http://www.isaac.cs.berkeley.edu/isaac/wep-draft.pdf)
and by the University of Maryland (http://www.cs.umd.edu/~waa/wireless.pdf).
2. To minimize the user / IT effort that needs to be done when
implementing and maintaining a software security system. Special
consideration should be taken into account when evaluating IT capabilities
in different environments such as SOHO, SMB, Retail, Industrial, Enterprise etc.
This document presents the security risks in a small office / home office
(SOHO) environment, while discussing how these are addressed by the
AirBlock™ system.
Security
In a SOHO environment we cannot assume the existence of any security package.
Actually, in many cases, the wireless equipment is installed according
to the out-of-the-box default installation, including the default SSID
(wireless network name), default IP address, default SNMP community string,
default non-encrypted communications (no WEP) etc. This obviously creates
a tremendous security risk, both in terms of eavesdropping and in openly
exposing resources such as Internet access, printers etc.
Ease of Use
Friendliness
In the SOHO environment ease of use is a key feature. These users are
less concerned with capabilities of the software, than they are with how
simple it is to install, configure and maintain it.
Simple Installation - Minimal Configuration
A SOHO user should be expected to know how to install software from a
CD-ROM and enter some basic information - and that's all. Anything beyond
that may cause unnecessary tech support calls and in certain cases may
even prevent wider adoption.
Nothing to Remember
Anyone who has dealt with username/password management can confirm
that it is a serious challenge, especially when dealing with users who have
forgotten their password. A good way to reduce this problem is to either
eliminate memory-related input, such as passwords, or implement a "reminder
mechanism" which can assist the user in recalling a password without
calling tech support. Forcing users to write down memos to keep for the
next time they install/reinstall a machine is a bad idea, from both security
and practical perspectives.
Problem Solving
A good software product will identify a problem as it occurs and suggest
to the user how to solve the problem. For example, if there is no wireless
access to the AP, good software will suggest turning on the AP. In case
there are several alternatives, it is recommended to provide a "Wizard"
mechanism to walk the user through the various options.
If the software is not aware of a problem,
a help file should be the first place a user looks in order to solve the
problem. If the answer is not found in the help file, they should then
try looking at a list of Frequently Asked Questions, which should cover
the basic problems encountered by most users. If that is not sufficient,
then they should be given an email address for tech support. Only after
these have been exhausted should telephone support be considered an option.
Security Risks
In a LAN environment there are several security problems that have to
be dealt with. In a wireless LAN (WLAN) environment, some security issues
are exactly the same as in the LAN environment (e.g. virus protection).
There are, however, some issues which are unique to WLANs. This is due
to the fact that WLANs use radio to access the network and therefore physical
barriers such as doors, walls and physical people who are watching and
preventing an intruder from accessing a network are no longer valid.
The most dangerous attack is eavesdropping
as it exposes sensitive information to intruders and enables future active
attacks. Therefore, eavesdropping will be widely discussed in this section.
Other issues in this section include some
of the currently known active attacks:
Eavesdropping
Impersonation
Transitive trust
Infrastructure
Denial of Service
Eavesdropping
Eavesdropping is the operation of capturing data by an unintended party.
Passive eavesdropping is very easy in the radio environment: when one
sends a message over the radio path, everyone equipped with a suitable
transceiver within range of the transmission can eavesdrop on the message.
A standard wireless LAN modem equipped with a special range-extender antenna
can be purchased at a very reasonable price. The sender or intended receiver
has no means of knowing whether there is an eavesdropper or not, so this kind
of attack is undetectable.
The wide deployment of 802.11 has already attracted the attention of the hacker
community. Several Web sites have now started documenting all the freely
available wireless connections nationwide. Most hackers are using these
connections as a means to get free Internet access or to hide their identity
when performing malicious actions. Many of them also recognize this situation
and start to use the same methods to break into corporate and private
networks that otherwise might have been difficult to attack from the Internet.
The air extends beyond the physical boundary of an organization and a
WLAN can reach well outside the buildings that it is designed for. This
scenario creates an "excellent" opportunity for hackers.
Eavesdropping is a very dangerous attack: in addition to the invasion of privacy,
it may also lead to other active attacks such as impersonation, session
hijacking, packet spoofing and Internet sharing by unauthorized parties.
Impersonation
Impersonation is when a hacker pretends to be a valid user. The hacker
will use either unauthorized equipment (stolen, lost, or used when nobody
is looking) or authentication data (stolen, lost, or used without proper
permission) pretending to be an authorized user.
Impersonation may be used to hide the
hacker's identity when performing malicious actions, usually via the Internet.
Transitive Trust
A Transitive Trust attack is a situation where a hostile node inside a
network is disguised as a trusted node, and therefore trusted by the other
nodes on the network.
When a wireless LAN is part of an enterprise network, it offers an interface
to attackers which does not require any physical arrangements in order
to hack the network. In wired networks one can always track the wire from
one network node to the next but in a wireless environment, there is no
such way to find out the physical location of the next node. That makes
efficient authentication mechanisms crucial for the security of the wireless
LAN. In all cases, both parties to the transmission should be able to
authenticate each other.
Potentially, the wireless LAN can be used as a launch pad for transitive
trust attacks. If the attacker can fool the wireless LAN to trust a mobile
device, then there is at least one hostile network node inside the firewall
of the enterprise network, which is very difficult to detect and therefore
opens the network to hostile actions and malicious activity. This kind
of attack can be done from outside of the site with standard wireless
LAN hardware. The only real protection against this kind of attack is
a strong authentication mechanism for the devices accessing the wireless
LAN. The discovery of unsuccessful attacks relies on recording the
instances of unsuccessful login. The difficulty is in attempting to differentiate
between real attacks and regular failed log-ins, because in normal
operation unsuccessful log-ins due to misspelled words and forgotten
passwords are quite common. The other kind of transitive trust attack,
particular to wireless networks, is fooling the device into trusting an
access point which is really controlled by the attacker. This type of attack
is also known as a rogue access point. When a wireless device is switched
on, it usually tries first to log in to the network with the strongest
signal and, if that fails, then tries the rest in order of signal
power. Now, if the attacker has an access point with high transmission
power, he may be able to fool the device by forcing it to log in via the
rogue access point, rather than using a valid AP.
Once the rogue access point is in place, the attacker now has two possibilities:
The first possibility is to accept all the login information and pass
the communications on to the real network. In this way, the attacker collects
a large number of user names and passwords for later use. Alternatively,
the attacker may reject all login attempts, but record all the messages
used during the login process in order to find out the secret keys or
passwords used in the authentication process.
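As an added illustration (not part of the AirBlock system or of this document) of why mutual authentication is the real protection against the rogue access point just described: a constructed challenge-response exchange in which the AP must prove knowledge of a pre-shared key before the client answers, and the client then proves itself in turn. Only nonces and HMAC digests cross the air, so an attacker who records every login message learns neither the key nor a password; the key value, role tags and function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed pre-shared key held by the legitimate AP and the client.
SHARED_KEY = b"example-psk-not-a-real-credential"


def proof(key: bytes, role: bytes, own_nonce: bytes, peer_nonce: bytes) -> bytes:
    """HMAC over a role tag and both nonces. Binding both nonces defeats
    replay of an old exchange; the role tag stops one side's proof being
    echoed back as the other side's answer."""
    return hmac.new(key, role + own_nonce + peer_nonce, hashlib.sha256).digest()


class Station:
    """One party in the exchange (client "STA" or access point "AP")."""

    def __init__(self, role: bytes, key: bytes):
        self.role = role
        self.key = key
        self.nonce = secrets.token_bytes(16)  # fresh for every association

    def prove(self, peer_nonce: bytes) -> bytes:
        return proof(self.key, self.role, self.nonce, peer_nonce)

    def verify(self, peer_role: bytes, peer_nonce: bytes, peer_proof: bytes) -> bool:
        expected = proof(self.key, peer_role, peer_nonce, self.nonce)
        return hmac.compare_digest(expected, peer_proof)


def associate(client: Station, ap: Station) -> tuple[bool, bool]:
    """Run the exchange; return (client_trusts_ap, ap_trusts_client).
    Only nonces and digests are transmitted, never the key or a password."""
    # 1. both sides exchange nonces in the clear
    client_nonce, ap_nonce = client.nonce, ap.nonce
    # 2. the AP must prove knowledge of the key before the client answers
    if not client.verify(b"AP", ap_nonce, ap.prove(client_nonce)):
        return False, False  # rogue AP: the client sends nothing further
    # 3. the client proves itself only to an AP it has already verified
    return True, ap.verify(b"STA", client_nonce, client.prove(ap_nonce))


def demo() -> tuple[tuple[bool, bool], tuple[bool, bool]]:
    genuine = Station(b"AP", SHARED_KEY)
    rogue = Station(b"AP", b"attacker-guess")  # strong signal, wrong key
    return (associate(Station(b"STA", SHARED_KEY), genuine),
            associate(Station(b"STA", SHARED_KEY), rogue))
```

The rogue AP in `demo()` is rejected before the client reveals anything, and the recorded digests cannot be replayed as the AP's proof because the role tag and nonce order differ.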
Infrastructure
Infrastructure attacks are based on built-in weaknesses in the system.
This may include: software bugs, configuration mistakes, hardware failure,
etc. These types of attacks occur in both wired and wireless LANs.
In terms of wireless environments, one of the most common infrastructure
attacks is mounted against wireless routers, where hackers can gain access
to the network through administrative rights and configuration parameters.
Denial of Service
Since the advent of the Internet,
denial of service (DoS) attacks have been documented on many major web
sites. The same principle can be applied to wireless traffic, where
legitimate traffic gets jammed because illegitimate traffic overwhelms the
frequencies, leaving very little, if any, bandwidth for legitimate traffic.
Due to the nature of radio transmission,
WLANs are quite vulnerable to denial of service attacks. If the attacker has
a powerful enough transceiver, he can easily generate enough radio
interference to jam the wireless access point. This kind of attack can be
done from outside of the site, for example from a van parked across the
street or from an apartment on the next floor.
The protection against this kind of attack is
very difficult and expensive. The only total solution is to have the
wireless network inside of a radio-proof Faraday Cage, but this is
applicable only in very rare cases. Since it is relatively easy for the
authorities to locate the transceiver used to generate the interference, in
most cases the attacker has limited time before the transceiver is found.
On the other hand, wireless LANs are not as
vulnerable as wired LANs when it comes to other kinds of denial of service
attacks – such as damaging the infrastructure. For example, a wired LAN
node can be isolated from the network by simply cutting the wire, which is
not possible in a wireless environment. If the attacker cuts down the power
of the whole site, then all wired networks are useless, but the wireless
LANs can be used in an ad-hoc configuration with laptops or other UPS
equipped computers.
Denial of service is currently less relevant
for the SOHO environment as the attacker needs to be in the range of the
target home or office and therefore must have a very good reason to
perpetrate the attack. As WLAN equipment becomes more popular, it is
expected that such attacks will become a more serious threat.