1 / 31

Wireless Security

Wireless Security. Cable Modem. Premises- based. Access Networks. LAN. Transit Net. LAN. LAN. Private Peering. Premises- based. Core Networks. Transit Net. WLAN. WLAN. NAP. Analog. WLAN. Transit Net. Public Peering. DSLAM. Operator- based. RAS. Regional. Wireline

brownr
Download Presentation

Wireless Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Wireless Security

  2. Cable Modem Premises- based AccessNetworks LAN Transit Net LAN LAN Private Peering Premises- based Core Networks Transit Net WLAN WLAN NAP Analog WLAN Transit Net Public Peering DSLAM Operator- based RAS Regional Wireline Regional Cell H.323 Data Cell Data H.323 Cell PSTN Voice Voice The Current Internet: Connectivity and Processing

  3. How can it affect cell phones? • Cabir worm can infect a cell phone • Infect phones running Symbian OS • Started in Philippines at the end of 2004, surfaced in Asia, Latin America, Europe, and recently in US • Posing as a security management utility • Once infected, propagate itself to other phones via Bluetooth wireless connections • Symbian officials said security was a high priority of the latest software, Symbian OS Version 9. • With ubiquitous Internet connections, more severe viruses/worms for mobile devices will happen soon …

  4. Outlines • 802.11 Basics • Mobile link access: CDMA/CA • Security in 802.11b • Example and more attacks • Trend: 802.16 Wireless MAN

  5. 802.11b 2.4-5 GHz unlicensed radio spectrum up to 11 Mbps widely deployed, using base stations 802.11a 5-6 GHz range up to 54 Mbps 802.11g 2.4-5 GHz range up to 54 Mbps All use CSMA/CA for multiple access All have base-station and ad-hoc network versions IEEE 802.11 Wireless LAN

  6. Base station approch • Wireless host communicates with a base station • base station = access point (AP) • Basic Service Set (BSS) (a.k.a. “cell”) contains: • wireless hosts • access point (AP): base station • BSS’s combined to form distribution system (DS)

  7. Ad Hoc Network approach • No AP (i.e., base station) • wireless hosts communicate with each other • to get packet from wireless host A to B may need to route through wireless hosts X,Y,Z • Applications: • “laptop” meeting in conference room, car • interconnection of “personal” devices • battlefield

  8. CSMA (Carrier Sense Multiple Access) CSMA: listen before transmit: • If channel sensed idle: transmit entire frame • If channel sensed busy, defer transmission • Human analogy: don’t interrupt others!

  9. CSMA collisions spatial layout of nodes collisions can still occur: propagation delay means two nodes may not hear each other’s transmission collision: entire packet transmission time wasted note: role of distance & propagation delay in determining collision probability

  10. CSMA/CD (Collision Detection) CSMA/CD: carrier sensing, deferral as in CSMA • collisions detected within short time • colliding transmissions aborted, reducing channel wastage • collision detection: • easy in wired LANs: measure signal strengths, compare transmitted, received signals • difficult in wireless LANs: receiver shut off while transmitting • human analogy: the polite conversationalist

  11. CSMA/CD collision detection

  12. IEEE 802.11: multiple access • Collision if 2 or more nodes transmit at same time • CSMA makes sense: • get all the bandwidth if you’re the only one transmitting • shouldn’t cause a collision if you sense another transmission • Collision detection doesn’t work: hidden terminal problem

  13. IEEE 802.11 MAC Protocol: CSMA/CA 802.11 CSMA: sender - if sense channel idle for DISF sec. then transmit entire frame (no collision detection) -if sense channel busy then binary backoff 802.11 CSMA receiver - if received OK return ACK after SIFS (ACK is needed due to hidden terminal problem)

  14. Collision avoidance mechanisms • Problem: • two nodes, hidden from each other, transmit complete frames to base station • wasted bandwidth for long duration ! • Solution: • small reservation packets • nodes track reservation interval with internal “network allocation vector” (NAV)

  15. Collision Avoidance: RTS-CTS exchange • sender transmits short RTS (request to send) packet: indicates duration of transmission • receiver replies with short CTS (clear to send) packet • notifying (possibly hidden) nodes • hidden nodes will not transmit for specified duration: NAV

  16. Collision Avoidance: RTS-CTS exchange • RTS and CTS short: • collisions less likely, of shorter duration • end result similar to collision detection • IEEE 802.11 allows: • CSMA • CSMA/CA: reservations • polling from AP

  17. Outlines • 802.11 Basics • Mobile link access: CDMA/CA • Security in 802.11b • Example and more attacks • Trend: 802.16 Wireless MAN

  18. 802.11b: Built in Security Features • Service Set Identifier (SSID) • Differentiates one access point from another • SSID is cast in ‘beacon frames’ every few seconds. • Beacon frames are in plain text!

  19. Associating with the AP • Access points have two ways of initiating communication with a client • Shared Key or Open Key authentication • Open key: need to supply the correct SSID • Allow anyone to start a conversation with the AP • Shared Key is supposed to add an extra layer of security by requiring authentication info as soon as one associates

  20. How Shared Key Auth. works • Client begins by sending an association request to the AP • AP responds with a challenge text (unencrypted) • Client, using the proper WEP key, encrypts text and sends it back to the AP • If properly encrypted, AP allows communication with the client

  21. Wired Equivalent Protocol (WEP) • Primary built security for 802.11 protocol • Uses 40bit RC4 encryption • Intended to make wireless as secure as a wired network • Unfortunately, since ratification of the 802.11 standard, RC4 has been proven insecure, leaving the 802.11 protocol wide open for attack

  22. Case study of a non-trivial attack • Target Network: a large, very active university based WLAN • Tools used against network: • Laptop running Red Hat Linux v.7.3, • Orinoco chipset based 802.11b NIC card • Patched Orinoco drivers • Netstumbler • Netstumbler can not only monitor all active networks in the area, but it also integrates with a GPS to map AP’s • Airsnort • Passively listen to the traffic • NIC drivers MUST be patched to allow Monitor mode (listen to raw 802.11b packets)

  23. Assessing the Network • Using Netstumbler, the attacker locates a strong signal on the target WLAN • WLAN has no broadcasted SSID • Multiple access points • Many active users • Open authentication method • WLAN is encrypted with 40bit WEP

  24. Cracking the WEP key • Attacker sets NIC drivers to Monitor Mode • Begins capturing packets with Airsnort • Airsnort quickly determines the SSID • Sessions can be saved in Airsnort, and continued at a later date so you don’t have to stay in one place for hours • A few 1.5 hour sessions yield the encryption key • Once the WEP key is cracked and his NIC is configured appropriately, the attacker is assigned an IP, and can access the WLAN

  25. More Attacks in Wireless Networks • Rogue Access Point • Solution: Monitor the air space for unexpected AP • Radio Frequency (RF) Interference • AP Impersonation • Rogue AP spoofs its MAC address to the identity of an authorized AP • Man-in-the-middle attack • Denial of service attack

  26. Outlines • 802.11 Basics • Mobile link access: CDMA/CA • Security in 802.11b • Example and more attacks • Trend: 802.16 Wireless MAN

  27. IEEE 802.16 WirelessMAN Standard for Broadband Wireless Metropolitan Area Networks • Broad bandwidth • Up to 134 Mbps in 10-66 GHz band • Comprehensive and modern security • Packet data encryption • DES and AES used • Key management protocol • Use RSA to set up a shared secret between subscriber station and base station • Use the secret for subsequent exchange of traffic encryption keys (TEK)

  28. Backup Slides

  29. Summary of MAC protocols • What do you do with a shared media? • Channel Partitioning, by time, frequency or code • Time Division,Code Division, Frequency Division • Random partitioning (dynamic), • ALOHA, CSMA, CSMA/CD • carrier sensing: easy in some technologies (wire), hard in others (wireless) • CSMA/CD used in Ethernet

More Related