Mitigating Wireless Security Attacks

Date: Thursday, September 08, 2011

Wireless networks and WiFi-based devices are growing rapidly. Enterprises are rolling out wireless LANs to cut costs and increase productivity, and today nearly all laptops, PDAs and smart phones have WiFi built in. Wireless LANs allow users to reach their information as they move from one location to another. The freedom and mobility that WLANs promise, however, also present serious security challenges: a radio network has no physical perimeter, so anyone within range can receive its frames and attempt to transmit into it. Wide usage of WLANs and the increasing number of threats against them make a robust and secure wireless design a requirement rather than an option.

This paper addresses known security threats to wireless networks. Outsiders are not the only source of risk: insiders, the valid users of the network, can also attack it to reach information they are not entitled to. We discuss attacks on the confidentiality and integrity of communication on the network and denial of service attacks; together these are termed CIA (Confidentiality, Integrity and Availability) attacks.

Wireless Security Threats

Traffic Sniffing: Traffic sniffing is a simple technique whereby the attacker captures and analyzes the wireless network traffic. The attacker only needs a wireless card that supports monitor (RFMON) mode and a wireless packet sniffer. Monitor mode, unlike the promiscuous mode used on wired cards, delivers every 802.11 frame on the channel, including management and control frames, without the card being associated to any AP. The attacker never transmits, so nothing on the network can observe the capture.

Using a directional antenna together with a GPS receiver, the attacker maps the activity on the network and the physical location of the AP(s). Traffic analysis also reveals which protocols are in use, inferred from the size, type and number of frames transmitted over a period of time, even when the payload itself is encrypted. The information gathered in this way is used subsequently to attack the wireless network.

Eavesdropping: Eavesdropping attacks target the confidentiality of data. There are two forms, passive and active. In a passive attack the attacker monitors the wireless session and its payload and, if the payload is encrypted, attempts to break the encryption offline from the captured frames. The information gleaned is an important precondition for other, more damaging attacks.

In active mode the attacker injects data into the communication to help decipher the payload: by modifying a captured packet or injecting complete packets into the data stream and observing how the network reacts, the attacker learns the contents of messages. The WEP key-recovery attacks are the classic example; they replay and inject traffic to collect enough ciphertext to recover the key. Eavesdropping attacks are countered by a strong encryption algorithm that also authenticates each frame, so that injected or modified frames are dropped, and by per-session keys that are refreshed rather than a single long-lived network key.

Unauthorized Access: This attack is not directed at any individual user; the attacker instead gains unauthorized access to the whole network and can then launch additional attacks from inside it or simply enjoy free network use.

Evidently the attacker will have access to the wireless component of the network (Figure 3), and the wired network may also become available. MAC filtering on its own does not stop this: the attacker reads the MAC address of a legitimate client from the captured traffic, spoofs it, and obtains the same access to the wired network that the client has.

Man-in-the-middle: MITM attacks target the confidentiality and integrity of a user session. This is a real-time attack, meaning that it takes place during the target machine's session.

The attacker breaks the session and does not allow the target to re-associate with the AP. While attempting to re-associate, the target instead associates with the attacker's machine, which mimics the AP (same SSID, usually a spoofed BSSID and a stronger signal). The attacker then associates with the real AP on behalf of the target and relays traffic between the two. If an encrypted tunnel is in place, the attacker establishes two encrypted tunnels, one with the target and one with the AP, and sees the plaintext in between. This only succeeds when the target cannot tell the attacker's AP from the real one, that is, when the network uses open or WEP authentication, when the attacker knows the pre-shared key, or when the client's EAP method does not validate the authentication server's certificate.

In a MITM attack based on ARP poisoning, the attacker sends a forged ARP reply that binds another host's IP address (typically the default gateway's) to the attacker's MAC address. Hosts update their ARP caches on receipt of the reply, so after a successful attack the data between the two hosts passes through the attacker's machine (Figure 5). Using this technique an attacker on a wireless client can access sessions between two wired hosts, because the AP bridges the wireless segment onto the same broadcast domain.

Link-layer encryption limits ARP poisoning rather than eliminating it: with WPA2/CCMP an unauthenticated outsider cannot inject ARP frames at all, but an authenticated insider still can, since ARP itself carries no authentication. The remaining defences are static ARP entries for the gateway on the clients, Dynamic ARP Inspection on the wired switches, client isolation on the AP so that wireless stations cannot talk to each other directly, and monitoring for changes in IP-to-MAC bindings.
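The binding-change monitoring mentioned above, as an added example that is not from the article: an arpwatch-style check that parses raw Ethernet/ARP frames, keeps an IP-to-MAC table seeded with the known gateway binding, and raises an alert when a reply contradicts it. The MAC and IP addresses and the four frames are constructed here for illustration.

```python
# Added example (not from the article): an arpwatch-style check that flags ARP
# poisoning by parsing raw Ethernet/ARP frames and tracking IP-to-MAC bindings.
# All frames and addresses below are constructed for illustration.
import struct
from dataclasses import dataclass

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(eth_src, eth_dst, opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (42 bytes)."""
    ethernet = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # htype, ptype, hlen, plen, op
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return ethernet + arp


@dataclass
class ArpInfo:
    opcode: int
    eth_src: str      # MAC in the Ethernet header
    sender_mac: str   # MAC claimed inside the ARP packet
    sender_ip: str


def parse_arp(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpInfo(opcode, mac_str(frame[6:12]), mac_str(frame[22:28]),
                   ".".join(str(x) for x in frame[28:32]))


class ArpWatcher:
    """Keep an IP -> MAC table and alert when an ARP packet contradicts it.

    Bindings passed in `static` (e.g. the gateway) are never overwritten; learned
    bindings are kept as first seen and later contradictions are reported.
    """

    def __init__(self, static=None):
        self.table = dict(static or {})
        self.alerts = []

    def observe(self, frame: bytes) -> None:
        info = parse_arp(frame)
        if info is None:
            return
        # An ARP sender MAC that differs from the Ethernet source is itself suspicious.
        if info.eth_src != info.sender_mac:
            self.alerts.append(f"header mismatch: {info.sender_ip} claimed as {info.sender_mac} "
                               f"but sent from {info.eth_src}")
        known = self.table.get(info.sender_ip)
        if known is None:
            self.table[info.sender_ip] = info.sender_mac
        elif known != info.sender_mac:
            self.alerts.append(f"binding change: {info.sender_ip} was {known}, "
                               f"now claimed by {info.sender_mac} (opcode {info.opcode})")


def demo() -> list:
    """Constructed traffic: a legitimate exchange, then poisoning in both directions."""
    gw, gw_ip = "aa:bb:cc:00:00:01", "10.0.0.1"
    victim, victim_ip = "aa:bb:cc:00:00:20", "10.0.0.20"
    attacker = "de:ad:be:ef:00:66"
    watcher = ArpWatcher(static={gw_ip: gw})
    frames = [
        build_arp(victim, BROADCAST, ARP_REQUEST, victim, victim_ip, ZERO_MAC, gw_ip),  # who has 10.0.0.1?
        build_arp(gw, victim, ARP_REPLY, gw, gw_ip, victim, victim_ip),                 # genuine reply
        build_arp(attacker, victim, ARP_REPLY, attacker, gw_ip, victim, victim_ip),     # "the gateway is me"
        build_arp(attacker, BROADCAST, ARP_REPLY, attacker, victim_ip, ZERO_MAC, victim_ip),  # "I am the victim"
    ]
    for frame in frames:
        watcher.observe(frame)
    return watcher.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The static gateway entry is what makes the check robust: a learned-only table can be pre-seeded by an attacker who answers first, whereas a binding the administrator pins is contradicted by any forged reply, whichever host it targets.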

Session Hijacking: The attacker takes an authenticated session away from its proper owner. The target will think that the session is no longer in operation, whatever the cause. This attack occurs in real time but can continue long after the victim thinks the session is over. The attacker first eavesdrops to gather the data needed to impersonate the target (its MAC address and, on WEP, the key or keystream), then forces the target off the network by flooding it with spoofed disassociation frames and carries on the session in the target's place.

This attack is feasible on WEP-protected networks because WEP has no per-session key and no origin authentication of data frames. With WPA and 802.11i each association derives a fresh pairwise key through the 4-way handshake and every data frame carries a MIC computed with that key, so an attacker who has only the victim's MAC address cannot produce frames the AP will accept.

Replay: The objective of a replay attack is the same as that of MITM and session hijacking, but it is not real time. In this attack (Figure 7), the attacker passively eavesdrops on a session or group of sessions, attempting to capture the authentication packets. The attacker then replays the captured packets to establish a new session with the AP.

Again, replay attacks are feasible against a WEP network but become ineffective with 802.11i: the 4-way handshake uses fresh nonces from both sides, so a recorded handshake does not yield a valid session, and each CCMP data frame carries a packet number that the receiver requires to increase monotonically, so a recorded data frame is discarded.

Denial of Service: The aim of DoS attacks is to bring down the system so that it does not respond to user requests. There are various ways of launching DoS attacks:

1. The attacker floods the AP with traffic, for example with association or authentication requests from spoofed MAC addresses, until it exhausts its client table or CPU.

2. The attacker generates spoofed disassociation and de-authentication frames to get the clients disconnected from the AP. These management frames are not authenticated in 802.11i, so a single frame carrying the AP's BSSID as source disconnects a client, and a repeated broadcast de-authentication keeps every client off the network.

3. The attacker sends a spoofed PS-Poll frame with a sleeping client's MAC address; the AP delivers the frames it had buffered for that client and discards them, so the real client never receives its data.

4. The attacker sends a spoofed beacon whose TIM (traffic indication map) tells the client that no data is buffered for it, so the client stays asleep and never polls for its data.

5. The attacker breaks the timing synchronization between AP and client by spoofing beacons with an incorrect timestamp (TSF), so the client wakes at the wrong moment and misses its buffered data.

6. The attacker generates RTS or CTS frames with the duration field set to its maximum value (32767 microseconds, the field being 15 bits wide); every station that hears the frame sets its NAV and stays silent for that period, and a continuous stream of such frames keeps the channel unusable for as long as the attacker transmits.

7. The attacker introduces a high level of noise on the channel using RF hardware (jamming).

The attacks listed above are very serious and are possible even with WPA and RSN, which protect data frames only. IEEE 802.11w (management frame protection) authenticates disassociation and de-authentication frames and so defeats attack 2 where both AP and clients support it, but beacons, control frames such as PS-Poll and RTS/CTS, and RF jamming remain unprotected.

Mitigating the Threats

To mitigate the risk from the attacks explained above, security architecture must have five compulsory components –

Strong authentication: It makes replay and session hijacking attacks nearly impossible. If client and AP both authenticate each other, MITM attacks can be successfully mitigated. Mutual authentication is generally achieved using certificates on both sides; because this requires a PKI to issue and manage client certificates, it is deployed less often than it should be.

WPA2 provides a strong authentication mechanism for wireless networks through IEEE 802.1X, which carries EAP methods over the wireless link to an authentication server. EAP-TLS provides mutual authentication with certificates on both client and server. EAP-TTLS and PEAP are also strong, as they establish a TLS channel to the server, authenticated by the server's certificate, and carry the user's credentials inside it. Their strength depends entirely on the client validating that certificate: a supplicant configured without a trusted CA and an expected server name will build its TLS tunnel to an attacker's authentication server just as readily, which turns the evil-twin MITM described above into a credential-harvesting attack.

Strong encryption using a block cipher: Block cipher based encryption helps mitigate the eavesdropping, session hijacking and replay attacks. If encryption is done at layer 2, traffic analysis and eavesdropping become much more difficult, because the payload of every data frame, including the IP and transport headers, is hidden from a passive sniffer.

WPA2 introduces CCMP, which is based on the AES block cipher in CCM mode (counter mode for confidentiality combined with CBC-MAC for integrity). CCMP provides adequate security to protect against attacks on the confidentiality of data.

Strong cryptographic integrity protection: Strong cryptographic integrity verification helps stop active eavesdropping, replay and session hijacking attacks, because a frame that has been modified or injected without the session key fails verification and is discarded before it reaches the network.

CCMP produces a MIC that provides data origin authentication and data integrity for the wireless frames; the MIC covers the payload together with the frame's addresses and other header fields, so an attacker cannot re-address a captured frame either. Each WPA2-protected frame also carries a 48-bit packet number (PN), which is incorporated in the encryption nonce and in the MIC calculation. The receiver keeps a per-sender replay counter and discards any frame whose PN is not greater than the last one it accepted, which provides the protection against replay attacks.
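The receiver-side logic just described, as an added example that is not from the article or the 802.11i specification: a frame format of address, 48-bit PN, payload and MIC, a sender that never repeats a PN, and a receiver that enforces the replay counter and the MIC in CCMP's order. HMAC-SHA256 truncated to 8 bytes stands in for CCMP's AES-CBC-MAC, the frames are not encrypted, and the key is constructed rather than derived from a real 4-way handshake.

```python
# Added example (not from the article): receiver-side integrity and replay checks
# shaped like CCMP's. HMAC-SHA256 truncated to 8 bytes stands in for the AES-CBC-MAC
# MIC and the frames are not encrypted here; the 48-bit packet number (PN) and the
# per-sender replay counter follow the 802.11i rules. The key is constructed, not the
# output of a real 4-way handshake.
import hashlib
import hmac

ADDR_LEN, PN_LEN, MIC_LEN = 6, 6, 8


class ProtectedSender:
    def __init__(self, key: bytes, addr: bytes):
        self.key, self.addr, self.pn = key, addr, 0

    def protect(self, payload: bytes) -> bytes:
        """Emit addr || PN || payload || MIC, with a PN that never repeats under this key."""
        self.pn += 1
        header = self.addr + self.pn.to_bytes(PN_LEN, "big")
        # The MIC covers the header (address, PN) as well as the payload, so a frame
        # cannot be re-addressed or have its PN rewritten without detection.
        mic = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:MIC_LEN]
        return header + payload + mic


class ProtectedReceiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_pn = {}  # per-sender replay counter (CCMP keeps one per key and TID)

    def accept(self, frame: bytes):
        """Return (payload, 'ok') for an authentic, fresh frame, else (None, reason)."""
        if len(frame) < ADDR_LEN + PN_LEN + MIC_LEN:
            return None, "truncated"
        addr = frame[:ADDR_LEN]
        pn = int.from_bytes(frame[ADDR_LEN:ADDR_LEN + PN_LEN], "big")
        # Replay check first, as CCMP does: a stale PN is discarded before any crypto work.
        if pn <= self.last_pn.get(addr, 0):
            return None, "replay"
        body, mic = frame[ADDR_LEN + PN_LEN:-MIC_LEN], frame[-MIC_LEN:]
        expected = hmac.new(self.key, frame[:-MIC_LEN], hashlib.sha256).digest()[:MIC_LEN]
        if not hmac.compare_digest(mic, expected):
            return None, "bad MIC"
        # Only a frame that passed the MIC may advance the counter; otherwise an
        # attacker could lock out the legitimate sender by forging a huge PN.
        self.last_pn[addr] = pn
        return body, "ok"


def demo() -> list:
    """Constructed session: good frames, a replay, a tampered frame, and out-of-order delivery."""
    key = hashlib.sha256(b"constructed pairwise key").digest()
    station = ProtectedSender(key, bytes.fromhex("aabbcc000020"))
    ap = ProtectedReceiver(key)
    f1, f2, f3, f4, f5 = (station.protect(p) for p in
                          (b"GET /login", b"user=alice", b"three", b"four", b"five"))
    tampered = bytearray(f3)
    tampered[ADDR_LEN + PN_LEN] ^= 0x01  # flip one payload bit, PN 3 is still fresh
    delivery = (f1, f2, f1, bytes(tampered), f3, f5, f4)
    return [ap.accept(frame)[1] for frame in delivery]


if __name__ == "__main__":
    print(demo())
```

The order of the last three deliveries shows the two things a replay counter buys and costs: a genuine frame arriving after its tampered copy is still accepted, because the failed MIC did not advance the counter, while a genuine frame delayed behind a later one is dropped, which is why CCMP keeps separate counters per traffic class rather than reordering frames.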

Firewall between wireless and wired network: A firewall that stops all traffic from unauthenticated clients from reaching the wired network is absolutely critical to a secure architecture. Without it, anyone who gains unauthorized access to the wireless segment can run ARP attacks all the way back to the first router in the wired network. ARP attacks are a form of MITM attack; as such they can affect the integrity of the information and are devastating.

Wireless IDS: Wireless IDS systems monitor the wireless networks to identify rogue AP(s) and to detect other wireless attacks. Typically a WIDS gives the administrator a list of the AP(s) present in the network and their location, so that unauthorized AP(s) can be identified and removed. A WIDS analyzes the management frames in the air to identify DoS, MAC spoofing, unauthorized access and MITM attacks, for example by flagging a burst of de-authentication frames, or frames that carry an AP's BSSID but arrive with a different sequence-number progression or signal strength than the AP's own frames.
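The de-authentication flood of DoS attack 2 above and the WIDS check that catches it, as one added example that is not from the article or any WIDS product: it parses the fixed 802.11 management header from raw frame bytes, recognises de-authentication and disassociation frames, and alerts when their rate against one BSSID exceeds a threshold inside a sliding window. The AP and client addresses, the timestamps and the frames are constructed here; on a real sensor they would come from a monitor-mode capture.

```python
# Added example (not from the article): a WIDS-style detector that parses raw 802.11
# management frame headers and flags a de-authentication/disassociation flood against
# a BSSID. Frames, addresses and timestamps are constructed for illustration; on a real
# sensor they would come from a monitor-mode capture.
import struct
from collections import defaultdict, deque

TYPE_MGMT = 0
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0xA, 0xC
BROADCAST = b"\xff" * 6


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_disconnect(subtype, dst, src, bssid, seq, reason) -> bytes:
    """Build a 26-byte deauth/disassoc frame: FC, duration, addr1-3, seq ctrl, reason code."""
    fc = (subtype << 4) | (TYPE_MGMT << 2)          # protocol version 0, no flags
    header = struct.pack("<HH", fc, 0) + dst + src + bssid + struct.pack("<H", seq << 4)
    return header + struct.pack("<H", reason)


def parse_disconnect(frame: bytes):
    """Return (subtype, dst, src, bssid, seq, reason) for deauth/disassoc frames, else None."""
    if len(frame) < 26:
        return None
    fc = struct.unpack("<H", frame[:2])[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != TYPE_MGMT or subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        return None
    seq = struct.unpack("<H", frame[22:24])[0] >> 4   # 12-bit sequence number, 4-bit fragment
    reason = struct.unpack("<H", frame[24:26])[0]
    return subtype, frame[4:10], frame[10:16], frame[16:22], seq, reason


class DisconnectFloodDetector:
    """Alert when `threshold` or more disconnect frames hit one BSSID within `window` seconds.

    A few deauths per hour is normal (clients leaving, AP housekeeping); dozens per
    second, especially to the broadcast address, is the attack described in the text.
    """

    def __init__(self, window: float = 1.0, threshold: int = 10):
        self.window, self.threshold = window, threshold
        self.recent = defaultdict(deque)   # bssid -> timestamps of recent disconnect frames
        self.alerts = []
        self.alerted = set()

    def observe(self, ts: float, frame: bytes) -> None:
        parsed = parse_disconnect(frame)
        if parsed is None:
            return
        subtype, dst, src, bssid, seq, reason = parsed
        q = self.recent[bssid]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold and bssid not in self.alerted:
            self.alerted.add(bssid)
            kind = "deauth" if subtype == SUBTYPE_DEAUTH else "disassoc"
            target = "broadcast" if dst == BROADCAST else mac_str(dst)
            self.alerts.append(f"{kind} flood on BSSID {mac_str(bssid)}: {len(q)} frames in "
                               f"{self.window}s, latest to {target}, reason {reason}, seq {seq}")


def demo() -> list:
    ap = bytes.fromhex("001122334455")
    client = bytes.fromhex("aabbcc000020")
    detector = DisconnectFloodDetector(window=1.0, threshold=10)
    # Normal background: three deauths spread over two minutes, sent by the AP itself.
    for i, ts in enumerate((0.0, 65.0, 120.0)):
        detector.observe(ts, build_disconnect(SUBTYPE_DEAUTH, client, ap, ap, 100 + i, 3))
    # Attack: spoofed broadcast deauths every 20 ms, carrying the AP's address as source.
    for i in range(30):
        detector.observe(200.0 + i * 0.02, build_disconnect(SUBTYPE_DEAUTH, BROADCAST, ap, ap, i, 7))
    return detector.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The detector alerts once per BSSID so that a thirty-frame burst produces one event rather than twenty-one; on a network that has deployed 802.11w the same frames would be dropped by the clients, but the sensor still sees them in the air, which is what makes a WIDS useful even after the attack stops working.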

Conclusion

Ignoring the specific requirements for securing their network and users against WiFi vulnerabilities, businesses risk loss of confidential data, legal fines and penalties, and brand erosion. Tech Mahindra’s iPolicy 500 is such a platform which provides different necessary components required to build a secure wireless network. The wireless security services offered by the device along with the network security services make it a viable option for ROBO and SOHO kind of wireless networks.

The author is Delivery Manager, Tech Mahindra