266 Int. J. Mobile Communications, Vol. 4, No. 3, 2006
Copyright © 2006 Inderscience Enterprises Ltd.

Corporate wireless LAN security: threats and an effective security assessment framework for wireless information assurance

Young B. Choi*
Department of Computer Information Systems and Management Science
James Madison University
800 South Main Street
Harrisonburg, VA 22807-0001, USA
E-mail: choiyb@jmu.edu
*Corresponding author

Jeffrey Muller
Integrated Science and Technology and School of Media Arts and Design
James Madison University
800 South Main Street
Harrisonburg, VA 22807-0001, USA
E-mail: mullerjx@jmu.edu

Christopher V. Kopek and Jennifer M. Makarsky
James Madison University
800 South Main Street
Harrisonburg, VA 22807-0001, USA
E-mail: kopekcv@jmu.edu
E-mail: makarsjm@jmu.edu

Abstract: In this paper, we propose the necessary steps in implementing strong WLAN security for companies using our visual security assessment framework for wireless information assurance. Through real case studies on the organisations with various security measures and by showing complete execution paths of our framework, we suggest the importance of continual assessment of the WLAN for strong corporate security assurance using our Corporate WLAN Security Assessment Framework.

Keywords: Wireless Local Area Network (WLAN); corporate wireless LAN; wireless LAN security; security assessment framework; wireless information assurance; Wired Equivalency Privacy (WEP); WiFi Protected Access (WPA); Virtual Private Network (VPN); 802.11b; 802.11i.

Reference to this paper should be made as follows: Choi, Y.B., Muller, J., Kopek, C.V. and Makarsky, J.M. (2006) ‘Corporate wireless LAN security: threats and an effective security assessment framework for wireless information assurance’, Int. J. Mobile Communications, Vol. 4, No. 3, pp.266–290
Biographical notes: Dr. Young B. Choi is Assistant Professor of the Information Technology and Management Science Programme at James Madison University in Harrisonburg, Virginia. His current research interests are human factors in telecommunications, wireless telecommunications service management, security management in HIPAA, data mining and visualisation for telecommunications service delivery chain optimisation, and public healthcare. He has a diverse international experience of working in industry, research and academia in telecommunications and computer networking fields since 1978. He received his interdisciplinary PhD degree in Computer Networking and Telecommunications from the University of Missouri-Kansas City in 1995.

Jeffrey Muller is an undergraduate scholar at James Madison University. He is double-majoring in Integrated Science and Technology with a concentration on information knowledge management and media arts and design and on digital interactive multimedia. His research interests are in telecommunications security, bioterrorism defense and education using multimedia.

Christopher V. Kopek is an undergraduate student at James Madison University and graduated in May 2005 with a BS degree in Computer Science. His research interests are network technologies and database structures.

Jennifer M. Makarsky is a student at James Madison University.

1 Introduction

“Today, end users have an increasing selection of different terminals and devices that support wireless access, as well as support for new technologies like 802.11 based WLANs” (Maunuksela and Nieminen, 2005). Wireless Local Area Network (WLAN) technology is an important method of extending corporate networks, but the new technology brings greater security risks. An understanding of the types of security risks and attacks, as well as of the developing security standards and how to implement them, will enable firms to stay protected.

WLANs have the same risks and vulnerabilities that exist in a conventional wired network, and there are also numerous other types of threats specific to them. Some examples of particular WLAN threats are passive attacks, active attacks, loss of confidentiality, loss of integrity and loss of network availability. As today’s technologies advance, so do the techniques and skills of hackers. New wireless security standards are now being created and released in order to stay one step ahead of hackers. The old Wired Equivalent Privacy (WEP) protocol has been proven to be insecure and does not protect WLANs efficiently. A new 802.11i protocol is being released in 2005 that will protect corporations from WLAN attacks. In conjunction with 802.11i, there are several other security standards that are being used, such as WiFi Protected Access (WPA) and Virtual Private Network (VPN). With these new technologies, companies and firms can now have confidence that their WLANs are secure. With wireless becoming such a mainstream technology, there is a growing interest in increasing its usage in the enterprise environment (Varshney, 2003). However, all the standards and security techniques under development will be in vain unless they are
implemented vigilantly by companies. Companies developing a new wireless network need to design their network carefully, while those with existing wireless networks need to understand how to examine the costs and benefits of upgrading to more secure hardware and software.

The organisation of the paper is as follows. Section 2 introduces wired and wireless LAN architectures. In Sections 3 and 4, various threats and attacks in corporate wireless LAN and corresponding wireless LAN security standards and methods are described. In Section 5, emerging WLAN security technologies are introduced. In Sections 6 and 7, corporate vigilance efforts to protect the companies and continual assessment of WLAN are tackled. In Sections 8 and 9, our own Wireless LAN Security Framework and its applications on some real cases to verify its effectiveness and correctness in security assessment are explained in detail by showing all the possible execution paths of the framework. Finally, Section 10 provides the conclusion.

2 Wired and wireless LAN architectures

A Local Area Network (LAN) is a connection of multiple computers (called ‘stations’) within a corporate site. The term ‘Wired LAN’ refers to the traditional LAN where stations are connected to a switch with a cable and the switch is connected to other stations using the same method. There is typically a switch on every floor of the site (called a ‘workgroup switch’) and a switch in the basement (called a ‘core switch’) that connects to all of the workgroup switches. This type of LAN uses the IEEE 802.3 protocol, also called ‘Ethernet’, and is sometimes referred to as ‘Ethernet LANs’ or ‘802.3 LANs’. The network topology for a corporate Ethernet LAN is usually hierarchical. Switches branch off other switches to extend connections to various stations. Using this topology, there is only one possible path between two stations. Figure 1 shows the structure of a wired Ethernet LAN.

Figure 1 Structure of Ethernet LAN

Wireless LAN (WLAN) uses the air to transmit data between stations. It uses access points to connect to the existing Wired LAN and to broadcast to stations with a Wireless Network Interface Card (NIC). In contrast to Wired LANs, Wireless LANs use a bus topology where one station broadcasts to all other stations. “Mobile devices in the IEEE
802.11 Wireless Local Area Network (WLAN) have the ability to transmit data frames at one of four transmission rates 1Mb/s, 2Mb/s, 5.5Mb/s and 11Mb/s” (Sheu et al., 2003). Each transmission rate is dependent on which version of 802.11 the system is using. Wireless LANs are not competing with traditional Ethernet LANs. They are used to extend the existing corporate network to mobile clients. Therefore, if the security is lax on a company’s wireless LAN, it compromises the security of the wired LAN. Figure 2 shows how the wireless network connects to the existing wired LAN using an access point.

Figure 2 Wireless LAN extending Ethernet LAN

3 Threats and attacks in corporate wireless LAN

Wireless LANs have the same risks and vulnerabilities that exist in a conventional wired network. There are numerous other types of WLAN threats and attacks that need to be taken into consideration if a WLAN is to be kept free of hackers and crackers. Some of these threats and attacks are passive attacks, active attacks, loss of confidentiality, loss of integrity and loss of network availability.

3.1 Passive attacks

A passive attack occurs when an unauthorised party gains access within the network but does not modify the content. There are two types of passive attacks: eavesdropping and traffic analysis or monitoring. Eavesdropping is when an attacker, usually from within the perimeter of the business, monitors transmissions for message content by listening to the transmission between two workstations. Nothing is touched physically, but information and privacy are invaded. On the other hand, traffic analysis is typically performed by an intruder that is outside the perimeter of the business, monitoring the transmissions for patterns of communication
just like a traffic cop. The intruder typically observes and makes assessments about the nature of traffic, amount of traffic and the load on the network, but again, he/she does not physically alter the information.

3.2 Active attacks

An active attack is one in which an unauthorised party changes or alters the information in a message or file. These types of attacks can be detected but may not be preventable. Four types of active attacks are masquerading, replay, message modification and Denial-of-Service (DoS). Masquerading is when an attacker impersonates an authorised user and gains access to the network. The authorised user’s identity is compromised and the attacker has full access to the authorised user’s network information. These attacks can range from very simple to complex based on the security in effect. When an attacker monitors transactions and then retransmits the information as the authorised user, replay has occurred. The attack starts off as a passive attack, but it eventually becomes an active attack when the attacker replies to the transmission. Meanwhile, message modification occurs when the attacker modifies a message by deleting, adding, changing or reordering the message. Any tampering with the message would be considered message modification. A Denial-of-Service (DoS) attack, on the other hand, is an assault that can cripple or disable a WLAN. It occurs when an attacker prevents or prohibits use of the network. The attacker blocks the service or transmission and can slow the network to crawling speeds or actually force it to quit working. There are multiple DoS attacks, one of which is the ‘brute force’ method. This can come in one of two forms: either a huge flood of packets that uses up all of the network's resources and forces it to shut down, or a very strong radio signal that totally dominates the airwaves and makes access points and radio cards useless.

3.3 Loss of confidentiality

Confidentiality is a major concern when dealing with any network. An organisation does not want its company’s private information and investments open to competitors. With WLANs, an attacker does not need to tap into a network cable to access the network; they can go through radio and broadcast waves, which makes traditional security for LANs less effective. Passive attacks assault confidentiality just by listening to the transmissions; and due to the extended range of WLANs, attackers can listen to transmissions outside of the organisation without the users knowing it. If the user has a hub, the chance of being attacked increases, as hubs broadcast to the entire network and leave traffic vulnerable.

3.4 Loss of integrity

In connection with loss of confidentiality, losses of integrity in WLANs are the same as those in LANs. Unfortunately, most companies do not have adequate protection; thus, integrity is difficult to achieve. If an attacker modifies the data in a message, data integrity is lost through the attacker’s alterations. This can be devastating to an organisation if important information is lost or modified
3.5 Loss of network ability

Loss of network ability goes along the same line as DoS attacks, since loss of network is usually a result of a DoS attack like ‘jamming’. Jamming occurs when an attacker creates a signal that blocks the wireless signals, causing the entire network to be jammed – no information can go in or come out and users are unable to communicate on the network. A user can inadvertently cause a jam by downloading a large file, thus causing everyone else on the network to be without access. Table 1 shows a summary of the types of attacks and risks in corporate WLANs.

Table 1 Summary of types of attacks and risks in corporate wireless LAN

Attack type                  Description
Passive attacks              Access to WLAN, but no modification to content
                             Eavesdropping – attacker monitors transmissions for message content
                             Traffic analysis or monitoring – intruder monitors the transmissions for patterns of communication
The risk of passive attacks  Loss of confidentiality – attacker listens to transmissions and compromises private information
Active attacks               Makes changes and alters information to a message or file
                             Masquerading – attacker impersonates an authorised user and gains access to the network
                             Message modification – attacker modifies a message by deleting, adding, changing or reordering the message
                             Denial-of-Service (DoS) – attacker prevents or prohibits use of the network
                             Jamming – attacker creates a signal that blocks the wireless signals and causes the entire network to be jammed with no information going in or coming out
The risks of active attacks  Loss of integrity – attacker modifies data to the point where data integrity is lost
                             Loss of network ability – network is no longer available to users because of attacks

4 Wireless LAN security standards and methods

“Security remains one of the biggest challenges in wireless enterprise. Many incidents (such as 250,000 devices in airports, most of which carried sensitive corporate data without even password protection), perceived and real wireless infrastructure attacks, and the lack of strong security in wireless technologies could adversely affect the wireless enterprise.” (Varshney et al., 2004)
272 Y.B. Choi, J. Muller, C.V. Kopek and J.M. Makarsky Currently, there are several security standards that are being used in wireless networks to help combat this security problem. These standards include: 802.11b, 802.11i, Wi-Fi Protected Access (WPA) and Virtual Private Network (VPN). Each of these standards has different levels and methods of protection, and this section describes the features of each. 4.1 802.11b Security threats and attacks have compromised WLANs for the past several years. However, new emerging technologies allow WLANs to be secure and protected from most attacks. One recent step toward reducing WLAN attacks and threats is the security added to the 802.11b standard. The 802.11b uses the Wired Equivalent Privacy (WEP) protocol. WEP was designed to ensure both encryption and ease of use among wireless users. WEP encrypts the network packet with an encryption key. The encrypted packet is then sent to its destination and the destination must decrypt the packet to retrieve its contents. In theory, this sounds like a perfect way to encrypt packets and keep hackers from seeing the data, because no person or device knows the encryption key except the source and the destination. However, there is one inherent flaw in WEP that compromises its real security to any true hacker. With each packet, the WEP protocol sends a portion of the key in plain text, which hackers can use with a software to steal the encryption key and see the contents of the packets. The best and only way to ensure protection using the WEP protocol is to frequently change the key so that hackers cannot collect data on packets long enough to crack the key. Since WEP has widely known weaknesses, most major companies and firms have not implemented or have even abandoned the 802.11b wireless LAN. Another major problem with the 802.11b standard is that the WEP protection can be turned off. Most firms and companies know about WEP and they make sure they have it turned on. 
However, many home users are not educated enough to realise its benefits and leave WEP turned off. Since WEP is not used by most home users, and firms have abandoned it for its lack of real security, 802.11b wireless security is a failure. Nonetheless, even though security in the 802.11b protocol is basically a failed method, it started a wireless security revolution and has helped advance current and future security methods. Table 2 gives a timeline of the 802.11b WEP security standard.

Table 2  802.11b WEP security timeline

  Date               Event
  1st half, 2000     802.11b and WEP introduced.
  2nd half, 2000     No one turns on WEP protection for their wireless network.
  1st quarter, 2001  WEP flaws are discovered.
  2nd quarter, 2001  More WEP flaws are discovered.
  3rd quarter, 2001  Terrorist attacks cause fear.
  1st quarter, 2002  Mainstream press decides to brand WLAN security as a hot story.
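The keystream reuse caused by WEP's 24-bit IV is easiest to see in code. The following Go program is an added example, not code from the paper or from any WEP implementation: it builds WEP-style frames (IV in the clear, RC4 seeded with IV || key, CRC-32 ICV) and then, playing the eavesdropper, strips a second frame sent under the same IV using only the known plaintext of the first, never the key. The shared key, IV values and frame contents are constructed for the example, and the byte order of the IV and ICV is the example's own choice; the birthday estimate at the end is the expected number of frames before an IV repeats.

```go
package main

import (
	"bytes"
	"crypto/rc4"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"math"
)

// WEP on 802.11b gear: a 24-bit IV is prepended to the shared key to seed RC4,
// and that IV is sent in the clear in front of every frame body. The IV is not
// a piece of the key; the weakness is that 2^24 IVs run out quickly and any two
// frames under one IV share their RC4 keystream.
const ivLen, keyLen, icvLen = 3, 13, 4 // 24-bit IV, WEP-104 key, CRC-32 ICV

// rc4XOR XORs data with the RC4 keystream for seed (RC4 is its own inverse).
func rc4XOR(seed, data []byte) []byte {
	c, err := rc4.NewCipher(seed)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	c.XORKeyStream(out, data)
	return out
}

// withICV appends WEP's CRC-32 integrity check value to a payload.
func withICV(payload []byte) []byte {
	out := make([]byte, len(payload)+icvLen)
	copy(out, payload)
	binary.LittleEndian.PutUint32(out[len(payload):], crc32.ChecksumIEEE(payload))
	return out
}

// wepEncrypt returns iv || RC4_{iv||key}(payload || ICV).
func wepEncrypt(key []byte, iv uint32, payload []byte) ([]byte, error) {
	if len(key) != keyLen || iv >= 1<<24 {
		return nil, errors.New("need a 13-byte key and a 24-bit IV")
	}
	ivb := []byte{byte(iv >> 16), byte(iv >> 8), byte(iv)}
	seed := append(append([]byte{}, ivb...), key...)
	return append(ivb, rc4XOR(seed, withICV(payload))...), nil
}

// wepDecrypt reverses wepEncrypt and checks the ICV.
func wepDecrypt(key, frame []byte) ([]byte, error) {
	if len(frame) < ivLen+icvLen {
		return nil, errors.New("frame too short")
	}
	seed := append(append([]byte{}, frame[:ivLen]...), key...)
	body := rc4XOR(seed, frame[ivLen:])
	payload := body[:len(body)-icvLen]
	if !bytes.Equal(withICV(payload), body) {
		return nil, errors.New("ICV mismatch")
	}
	return payload, nil
}

// recoverByIVReuse is the eavesdropper's side: the known plaintext of one frame
// gives the keystream for its IV, which strips any other frame sent under the
// same IV without ever learning the shared key.
func recoverByIVReuse(frameA, knownPayloadA, frameB []byte) ([]byte, error) {
	if len(frameA) < ivLen || len(frameB) < ivLen || !bytes.Equal(frameA[:ivLen], frameB[:ivLen]) {
		return nil, errors.New("different IVs: no keystream reuse to exploit")
	}
	plainA, bodyA, bodyB := withICV(knownPayloadA), frameA[ivLen:], frameB[ivLen:]
	n := len(plainA)
	if len(bodyA) < n {
		n = len(bodyA)
	}
	if len(bodyB) < n {
		n = len(bodyB)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = bodyB[i] ^ (bodyA[i] ^ plainA[i]) // ciphertext XOR keystream
	}
	return out, nil
}

// ivCollisionPackets is the birthday bound: frames sent (with random IVs)
// before two of them share an IV with probability p.
func ivCollisionPackets(p float64) float64 {
	return math.Sqrt(2 * float64(1<<24) * math.Log(1/(1-p)))
}

func main() {
	key := []byte("corporate-key") // constructed 13-byte shared key
	known := []byte("GET /index.html HTTP/1.0\r\n\r\n")
	secret := []byte("Cookie: session=4f3a9c21e7b0")
	fa, _ := wepEncrypt(key, 0x0A0B0C, known)
	fb, _ := wepEncrypt(key, 0x0A0B0C, secret) // sender reused the IV
	rec, _ := recoverByIVReuse(fa, known, fb)
	fmt.Printf("IV on the wire: %x\n", fb[:ivLen])
	fmt.Printf("recovered without the key: %q\n", rec[:len(secret)])
	fmt.Printf("about %.0f frames until an IV repeats (p = 0.5)\n", ivCollisionPackets(0.5))
}
```

Sequential IV counters repeat later than random ones but reset to zero whenever a card is re-initialised, which is why real captures show early reuse; the weak-IV key-recovery attack that the timeline in Table 2 refers to builds on the same cleartext IV but is a separate statistical attack on RC4's key schedule and is not shown here.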
Corporate wireless LAN security 273 4.2 802.11i With the failure of WEP, a new security amendment was developed: 802.11i, which adds protection using properly derived keys and stronger encryption. On June 24, 2004, the IEEE approved the 802.11i security standard for use in WLANs (Dulaney et al., 2004). At the time of writing, products implementing the full standard were only beginning to reach the market; hardware and software were being built and released in anticipation of it. The 802.11i standard defines two data-protection protocols: the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) and the Temporal Key Integrity Protocol (TKIP). CCMP is the main method for protecting wireless frames in 802.11i and is mandatory to implement for any 802.11i-compliant device, so it is available on every conforming product whether or not the user understands how it works. CCMP uses the Advanced Encryption Standard (AES) in CCM mode, a well-studied authenticated-encryption mode. Protection uses a 128-bit temporal key that is derived fresh for each association through the 802.11i four-way handshake, rather than typed in once and shared by every station as with WEP. The frame body is encrypted, and a 64-bit Message Integrity Code (MIC) covers both the body and the MAC header, including the source and destination addresses. The addresses themselves still travel in the clear, so that stations can tell whom a frame is for, but an attacker who alters them, or any byte of the body, produces a frame whose MIC no longer verifies and which the receiver discards. Each frame also carries a 48-bit packet number that the receiver requires to increase monotonically, which defeats replay. Unlike WEP, CCMP never reuses a keystream: the packet number feeds the AES counter, so the IV exhaustion that broke WEP does not arise. Because the key is derived per association and the MIC is a real cryptographic check rather than WEP's CRC-32, 802.11i with CCMP resists all attacks known at the time of writing.
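To make the CCMP mechanics concrete, here is an added Go example (not from the paper or from any 802.11 implementation) that implements AES-CCM per RFC 3610 with CCMP's parameters (8-byte MIC, 13-byte nonce of priority || transmitter address || 48-bit packet number) and uses the 24-byte MAC header as the additional authenticated data. It demonstrates the three properties described above: the addresses stay readable on the wire, changing any header or body byte fails the MIC, and a replayed packet number is rejected. The temporal key, header and body are constructed; the header is authenticated as sent, whereas real CCMP masks a few Frame Control and Sequence Control bits first.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// CCMP is AES-128 in CCM mode with an 8-byte MIC (M=8) and a 2-byte length
// field (L=2), so the nonce is 13 bytes: Priority || A2 || 48-bit packet number.
// Frame layout used here: 24-byte MAC header (FC, Duration, A1, A2, A3, SeqCtl)
// in the clear, 8-byte CCMP header with the PN in the clear, sealed body, MIC.
const tagLen, lenField, hdrLen, ccmpHdrLen = 8, 2, 24, 8

// cbcMAC is the CCM tag: AES-CBC-MAC over B0 || l(a) || aad || payload, each
// part zero-padded to 16 bytes (RFC 3610 s.2.2). The AAD is authenticated only.
func cbcMAC(blk cipher.Block, nonce, aad, payload []byte) []byte {
	pad := func(b []byte) []byte { return append(b, make([]byte, (16-len(b)%16)%16)...) }
	flags := byte(1<<6) | byte((tagLen-2)/2)<<3 | byte(lenField-1) // Adata, M', L'
	in := append(append([]byte{flags}, nonce...), byte(len(payload)>>8), byte(len(payload)))
	in = pad(append(append(in, byte(len(aad)>>8), byte(len(aad))), aad...))
	in = pad(append(in, payload...))
	x := make([]byte, 16)
	for i := 0; i < len(in); i += 16 {
		for j := range x {
			x[j] ^= in[i+j]
		}
		blk.Encrypt(x, x)
	}
	return x[:tagLen]
}

// ctrXOR applies AES-CTR with counter blocks L' || nonce || i (RFC 3610 s.2.3);
// counter 0 masks the tag, counters 1.. encrypt the payload.
func ctrXOR(blk cipher.Block, nonce, data []byte, counter uint16) []byte {
	out, ks := make([]byte, len(data)), make([]byte, 16)
	a := append(append([]byte{byte(lenField - 1)}, nonce...), 0, 0)
	for i := 0; i < len(data); i += 16 {
		binary.BigEndian.PutUint16(a[14:], counter)
		counter++
		blk.Encrypt(ks, a)
		for j := 0; j < 16 && i+j < len(data); j++ {
			out[i+j] = data[i+j] ^ ks[j]
		}
	}
	return out
}

// ccmpNonce is Priority(0) || A2 (hdr[10:16]) || PN big-endian.
func ccmpNonce(hdr []byte, pn uint64) []byte {
	n := append([]byte{0}, hdr[10:16]...)
	return append(n, byte(pn>>40), byte(pn>>32), byte(pn>>24), byte(pn>>16), byte(pn>>8), byte(pn))
}

// ccmpProtect builds header || CCMP header (PN, ExtIV flag) || ciphertext || MIC.
func ccmpProtect(tk, hdr []byte, pn uint64, body []byte) ([]byte, error) {
	if len(tk) != 16 || len(hdr) != hdrLen || pn >= 1<<48 {
		return nil, errors.New("need a 16-byte key, 24-byte header and 48-bit PN")
	}
	blk, _ := aes.NewCipher(tk)
	nonce := ccmpNonce(hdr, pn)
	ch := []byte{byte(pn), byte(pn >> 8), 0, 0x20, byte(pn >> 16), byte(pn >> 24), byte(pn >> 32), byte(pn >> 40)}
	frame := append(append(append([]byte{}, hdr...), ch...), ctrXOR(blk, nonce, body, 1)...)
	return append(frame, ctrXOR(blk, nonce, cbcMAC(blk, nonce, hdr, body), 0)...), nil
}

// ccmpAccept checks replay, then the MIC, then returns the body. lastPN (non-nil)
// holds the highest PN accepted per transmitter (A2); updated only on success.
func ccmpAccept(tk []byte, lastPN map[[6]byte]uint64, frame []byte) ([]byte, error) {
	if len(tk) != 16 || len(frame) < hdrLen+ccmpHdrLen+tagLen {
		return nil, errors.New("bad key length or frame too short")
	}
	hdr, ch, sealed := frame[:hdrLen], frame[hdrLen:hdrLen+ccmpHdrLen], frame[hdrLen+ccmpHdrLen:]
	pn := uint64(ch[0]) | uint64(ch[1])<<8 | uint64(ch[4])<<16 |
		uint64(ch[5])<<24 | uint64(ch[6])<<32 | uint64(ch[7])<<40
	var a2 [6]byte
	copy(a2[:], hdr[10:16])
	if last, seen := lastPN[a2]; seen && pn <= last {
		return nil, errors.New("replay: PN not above the last accepted PN")
	}
	blk, _ := aes.NewCipher(tk)
	nonce := ccmpNonce(hdr, pn)
	body := ctrXOR(blk, nonce, sealed[:len(sealed)-tagLen], 1)
	mic := ctrXOR(blk, nonce, sealed[len(sealed)-tagLen:], 0) // unmask the MIC
	if subtle.ConstantTimeCompare(mic, cbcMAC(blk, nonce, hdr, body)) != 1 {
		return nil, errors.New("MIC check failed: header or body was modified")
	}
	lastPN[a2] = pn
	return body, nil
}

func main() {
	tk := []byte("0123456789abcdef") // constructed temporal key
	hdr := []byte("\x08\x41\x00\x00\xaa\xbb\xcc\x00\x00\x01\xaa\xbb\xcc\x00\x00\x02\xaa\xbb\xcc\x00\x00\x01\x10\x00")
	frame, _ := ccmpProtect(tk, hdr, 1, []byte("GET /payroll HTTP/1.0"))
	seen := map[[6]byte]uint64{}
	body, err := ccmpAccept(tk, seen, frame)
	fmt.Printf("A1 in clear: %x body: %q (%v)\n", frame[4:10], body, err)
	_, err = ccmpAccept(tk, seen, frame) // the same frame again
	fmt.Println("replay:", err)
}
```

Flipping a single bit of the destination address in the transmitted frame and handing it to a fresh receiver is enough to make ccmpAccept return the MIC error, which is the behaviour the text describes: the address is not hidden, but it cannot be changed undetected.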
The main cost of CCMP is that it requires AES support that pre-802.11i cards do not have, which means that new hardware (and the software to drive it) must be purchased for this method to work. Nonetheless, it is the necessary long-term step to ensure security in wireless networks. The other protocol in 802.11i is TKIP, which is beneficial because it was designed as a wrapper around the old WEP hardware: equipment that can only do RC4 and WEP can be upgraded by firmware or driver to TKIP, whereas CCMP requires new hardware. TKIP keeps RC4 as the cipher but fixes WEP's key handling. It starts from a 128-bit temporal key, derived per association like CCMP's, and mixes that key with the transmitter's address and a 48-bit sequence counter in two phases to produce a different 104-bit RC4 key for every frame, with a 24-bit IV that is never reused under the same temporal key. The sequence counter is carried in the frame and must increase, which gives replay protection. A 64-bit message integrity code called Michael, computed with its own 64-bit MIC key over the data and the address fields, replaces WEP's CRC-32, and countermeasures shut the link down briefly if repeated MIC failures are detected. TKIP is a substantial improvement over WEP, but it was designed to fit legacy hardware rather than to be the strongest option: it still rests on RC4 and on a deliberately lightweight MIC, and 802.11i designates CCMP, not TKIP, as the long-term mechanism. Both methods are part of the 802.11i standard. 4.3 Wi-Fi Protected Access (WPA) Since 802.11i requires new hardware and software, there is going to be a long crossover period during which firms buy equipment to support the new technology. WPA was developed by the Wi-Fi Alliance as an interim certification to provide wireless security until 802.11i products were available. WPA is not a protocol like 802.11i's TKIP or CCMP. “[It] is a specification of standards-based, interoperable security enhancements, which strongly increase the level of data protection (encryption) and access control (authentication)
for existing and future Wi-Fi wireless LAN systems” (Grimm, 2003). The specification was released in 2003 and is in use today. WPA uses TKIP (as in 802.11i) for data encryption, and for access control it uses IEEE 802.1X with the Extensible Authentication Protocol (EAP) in its enterprise mode (in the small-office mode a pre-shared key replaces the authentication server). An 802.1X/EAP deployment has three parts: the user's station (the supplicant), the access point (the authenticator) and the authentication server, normally a RADIUS server. Before the user can reach the network, he/she must authenticate. The access point relays the EAP exchange between the station and the authentication server without interpreting it; the server decides whether the credentials are valid and tells the access point to admit or refuse the station. Table 3 shows the steps of an EAP-TLS exchange as they were described for 802.1X with dynamically delivered WEP keys; under WPA the same exchange ends with a Pairwise Master Key that the station and access point feed into the four-way handshake to derive the TKIP (or CCMP) session keys, rather than WEP keys.

Table 3  EAP authentication in Wi-Fi Protected Access (WPA)

  Step  Process
  1     Client associates their computer with the local access point.
  2     Access point blocks all user requests to access the LAN.
  3     User authenticates the EAP server via a digital certificate.
  4     EAP server authenticates the user via a digital certificate.
  5     Once both user and server are authenticated, they derive a unicast WEP key.
  6     EAP server delivers the unicast WEP key to the access point.
  7     Access point delivers the broadcast WEP key, encrypted with the unicast WEP key, to the client.
  8     Client and access point activate the WEP keys and use the unicast and broadcast keys for transmission.

There are also various EAP authentication methods, which include:
• Lightweight Extensible Authentication Protocol (LEAP)
• EAP-Transport Layer Security (EAP-TLS)
• Protected EAP (PEAP)
• EAP-Tunneled TLS (EAP-TTLS)
• EAP-Subscriber Identity Module (EAP-SIM)

Because EAP itself carries the identity and challenge exchange without any encryption, leaving the protection to the method in use, several companies joined to create a stronger and more secure variation.
Cisco Systems, RSA Security and Microsoft developed the method known as PEAP (Protected Extensible Authentication Protocol). PEAP uses Transport Layer Security (TLS), a proven protocol, to wrap the EAP exchange: the server presents a certificate, a TLS tunnel is set up, and the user's credentials are exchanged inside it. PEAP has been a successful method; but because standardisation of EAP methods (done by the IETF) takes a long time, some companies created their own so they could deploy them immediately. Cisco created the Lightweight Extensible Authentication Protocol (LEAP), and Microsoft created EAP-TLS. Both authenticate through 802.1X, with one major difference: LEAP authenticates users with usernames and passwords, while EAP-TLS authenticates both client and server with digital certificates (Pescatore et al., 2002). The difference matters in practice: a captured LEAP exchange can be attacked offline by guessing passwords, whereas EAP-TLS does not depend on password strength but requires a certificate on every client. Another method, Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS), was created for better flexibility and integration with existing authentication servers. Like PEAP, it establishes a TLS tunnel authenticated by the server's certificate before any user credential or key material is exchanged, so the client does not need its own certificate (Girard et al., 2003). The final type of EAP
is Extensible Authentication Protocol-Subscriber Identity Module (EAP-SIM). This method lets a user join the wireless network by being authenticated through EAP with a GSM SIM card: the SIM holds the subscriber's secret key, and the network challenges it the same way a mobile operator does, so the user is granted access once the card is inserted and answers the challenge correctly. Overall, each variation of EAP has its benefits; however, PEAP, backed by Cisco, Microsoft and RSA, has the broadest vendor support. It is likely that in the near future, each company will either convert to PEAP or make its variation of EAP interoperate with the others. WPA was intended for short-term, intermediate use until 802.11i products arrived. WPA2 is the Wi-Fi Alliance's certification for products that implement the ratified 802.11i standard. It keeps the 802.1X/EAP and pre-shared-key authentication of WPA but requires AES-based CCMP encryption, which makes it the version for firms where strong encryption is a must. Overall, WPA is a temporary yet reasonably secure solution for individuals and companies that need immediate security from equipment that cannot run CCMP, and WPA2 is the 802.11i solution for equipment that can. 4.4 Virtual Private Networks (VPN) “A Virtual Private Network is a private network that uses a public network to connect remote users or sites together” (Tyson, 2001). VPNs, with their extra security features, were created as a protected way for users to connect to a network. There are four parts that make a VPN secure: “Firewalls, Encryption, IPSec, and AAA Server” (Tyson, 2001). A VPN firewall is the same as any other firewall: it is set up to block every port except the ones the VPN needs, and it drops packets that do not belong to an expected flow. This may sound trivial, but a firewall is a necessary part of the VPN so that viruses and Trojan horses cannot reach and compromise the VPN server. There is no specific encryption technique that is required in a VPN; however, three main techniques are used.
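The next paragraph describes symmetric, public-key and PGP-style encryption for a VPN. As an added example (not the paper's, and not PGP's own packet format), the following Go program shows the public-key and PGP-style hybrid cases with the key roles as they must be: the session key is encrypted to the recipient's public key so that only the recipient's private key can recover it, the data goes under that session key, and the sender's private key signs the result so the recipient can verify it with the sender's public key. The names alice, bob and eve, the message text, and the choice of RSA-OAEP, RSA-PSS and AES-256-GCM are the example's own.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// A PGP-style hybrid message: the bulk data is encrypted under a fresh symmetric
// session key, the session key is encrypted to the RECIPIENT's public key, and
// the result is signed with the SENDER's private key. AES-256-GCM, RSA-OAEP and
// RSA-PSS stand in here for PGP's own packet formats and algorithm choices.
type hybridMessage struct {
	WrappedKey []byte // RSA-OAEP(recipient public key, session key)
	Nonce      []byte // AES-GCM nonce, unique per session key
	Ciphertext []byte // AES-GCM(session key, plaintext), includes its auth tag
	Signature  []byte // RSA-PSS(sender private key, SHA-256 of the fields above)
}

func digest(m *hybridMessage) []byte {
	h := sha256.New()
	h.Write(m.WrappedKey)
	h.Write(m.Nonce)
	h.Write(m.Ciphertext)
	return h.Sum(nil)
}

func newGCM(sessionKey []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// seal encrypts plaintext to recipient and signs the result as sender.
func seal(sender *rsa.PrivateKey, recipient *rsa.PublicKey, plaintext []byte) (*hybridMessage, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	m := &hybridMessage{Nonce: make([]byte, gcm.NonceSize())}
	if _, err := rand.Read(m.Nonce); err != nil {
		return nil, err
	}
	m.Ciphertext = gcm.Seal(nil, m.Nonce, plaintext, nil)
	// Confidentiality: only the holder of the recipient's PRIVATE key can unwrap this.
	if m.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil); err != nil {
		return nil, err
	}
	// Authenticity: only the holder of the sender's PRIVATE key can produce this.
	m.Signature, err = rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest(m), nil)
	return m, err
}

// open verifies the signature with the sender's PUBLIC key, then unwraps the
// session key with the recipient's PRIVATE key and decrypts the data.
func open(recipient *rsa.PrivateKey, sender *rsa.PublicKey, m *hybridMessage) ([]byte, error) {
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest(m), m.Signature, nil); err != nil {
		return nil, errors.New("signature does not verify under the claimed sender's public key")
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, m.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("session key is not wrapped to this private key")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, m.Nonce, m.Ciphertext, nil)
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // sender
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)   // recipient
	eve, _ := rsa.GenerateKey(rand.Reader, 2048)   // eavesdropper with her own key pair
	m, _ := seal(alice, &bob.PublicKey, []byte("Q3 payroll file attached"))
	pt, err := open(bob, &alice.PublicKey, m)
	fmt.Printf("bob reads: %q (%v)\n", pt, err)
	_, err = open(eve, &alice.PublicKey, m) // eve knows alice's public key, not bob's private key
	fmt.Println("eve:", err)
	forged, _ := seal(eve, &bob.PublicKey, []byte("wire the money"))
	_, err = open(bob, &alice.PublicKey, forged) // bob checks it against alice's public key
	fmt.Println("forgery:", err)
}
```

The signature is computed over the wrapped key, nonce and ciphertext together, so tampering with any of them is caught before the recipient spends a private-key operation on decryption; a scheme that encrypted with the sender's private key, as the paper's wording suggests, would let anyone holding the public key read the traffic.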
The first technique is symmetric key encryption, where every computer on the network holds the same secret key and uses it to decrypt each packet on arrival. Because the same key sits on every computer, it has to be changed frequently, and distributed securely each time, or an attacker who obtains it, or who collects enough traffic under it, can read the network. The next method is public key encryption, which uses a key pair: a public key that can be given to anyone and a private key that only its owner knows. The sender encrypts the packet with the receiver's public key, and only the receiver can decrypt it, using his/her private key. (The reverse operation, applying one's own private key, produces a digital signature that anyone holding the public key can verify; it provides authenticity, not confidentiality.) This system serves the same purpose as symmetric key encryption, except that two different keys are used instead of one. For the method to work, each user must have some way to obtain the public key of each receiver and to be sure it is genuine. The last way to encrypt is with Pretty Good Privacy (PGP), which combines the two: a new random session key is generated for each message, the data is encrypted with that session key using a symmetric cipher, and the session key itself is encrypted to the receiver's public key. The encrypted data and the encrypted session key are sent together, and the receiver uses his/her private key to recover the session key and then decrypts the data. These are the three widely used techniques; but because there is no encryption standard in VPN, any other type of encryption can be used or adapted to fit a VPN system. Internet Protocol Security (IPSec) is another method used in VPNs to ensure privacy protection. IPSec offers two modes for protecting packets across the network. The first is tunnel mode, in which the entire original packet, including its IP header, is encrypted and wrapped in a new outer IP packet, so an observer sees only the addresses of the two VPN gateways. The second is transport mode, which encrypts only the data section of the packet and leaves the original header in the clear. Both of