Wireless Security Mechanisms - Essay Example

Maintaining security has become important as more and more companies install wireless networking. As the technology keeps advancing, networking standards are adopted to ensure interoperability among vendors. Encouraged by both user demand and the facilities offered by wireless networks, businesses began to deploy wireless networking systems in places where wired networking topologies had been employed. Because wireless networking is simple to use and the new technology was exciting, many of the people responsible did not realize the risk involved in operating a wireless network.

Wireless networks offer network connectivity in a wire-free setting where the physical limitations of a wired environment can be avoided. In other words, the information communicated over the network is free of any physical constraints. But this makes it difficult to control who is supposed to receive the data and who should not.

Earlier, curious computer users followed a method called war dialling to identify potentially vulnerable systems. Malicious users could browse the log files and start hacking attacks against the computers that responded to the war dialling. Since the start of wireless networking, malicious users can drive through the streets in their vehicles to carry out war driving and find vulnerable wireless networks. Driving around a business complex or a neighbourhood with a wireless-enabled laptop computer helps in connecting to and recording any number of corporate and private networks. This in effect gives the war-driving hacker access to those private resources with the same freedom as an employee, while remaining hidden. Yet another common method is for an attacker to camp out at a public wireless deployment, such as an airport.
It may happen that a traveller decides to check his email and transfer expense reports back to the home office while waiting for a flight. The attacker waits patiently and captures all data transmitted from the traveller's computer. In this way, an attacker may obtain passwords that would permit unauthorized access to a network, credit card information and possibly even proprietary information. Many methods to secure wireless networks exist today, each with its advantages and disadvantages (Klemencic, 2001).

Wired Equivalent Privacy (WEP)

The Wired Equivalent Privacy (WEP) algorithm is used to guard wireless communication from eavesdropping. One of the main purposes of WEP is to prevent unauthorized access to a wireless network; this role is not an explicit goal in the 802.11 standard, but it is often considered to be an aspect of WEP. WEP relies on a secret key that is shared between a mobile station and an access point (i.e. a base station). The secret key is used to encrypt packets of information before transmission, and an integrity check is done to make sure that packets are not modified in transit. The standard does not say how the shared key is established. Usually, most installations use a single key that is shared between all mobile stations and access points (Borisov, et al 2001).

WEP has been part of the 802.11 standard ever since its initial approval in September 1999. At that time, the 802.11 committee was aware of some WEP limitations; still, WEP was the top choice to ensure capable implementations worldwide. Even so, WEP has undergone a lot of analysis and criticism over the past years. WEP is vulnerable because of its comparatively short IVs and its keys that stay static. The problems with WEP don't actually have much to do with the RC4 encryption algorithm. With only 24 bits, WEP in fact ends up using the same IV for different data packets. This recurrence of IVs results in the transmission of frames whose key streams are also similar.
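The IV recurrence described above can be reproduced in a few lines. This is an added example, not part of the original essay: it builds WEP-style frames (RC4 keyed with IV || key over the payload plus a CRC-32 check value), shows that two frames sharing an IV expose the XOR of their plaintexts, and estimates how quickly a 24-bit IV repeats. The key, IV, payloads and function names are constructed for illustration, and IVs are assumed to be chosen at random.

```python
import math
import zlib

IV_BITS = 24  # WEP IV size, as stated in the essay

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given key."""
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                        # output generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_seal(iv: bytes, key: bytes, payload: bytes) -> bytes:
    """Cleartext IV followed by RC4(IV || key) over payload || CRC-32 check value."""
    data = payload + zlib.crc32(payload).to_bytes(4, "little")
    return iv + xor(data, rc4_keystream(iv + key, len(data)))

def wep_open(key: bytes, frame: bytes) -> bytes:
    """Decrypt a frame and verify its integrity check value."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4_keystream(iv + key, len(body)))
    payload, icv = data[:-4], data[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("integrity check failed")
    return payload

def shared_iv_xor(frame_a: bytes, frame_b: bytes):
    """Same IV and key means same keystream, so C1 ^ C2 equals P1 ^ P2."""
    if frame_a[:3] != frame_b[:3]:
        return None                           # different IVs: keystreams differ
    return xor(frame_a[3:], frame_b[3:])

def iv_repeat_probability(frames: int) -> float:
    """Birthday approximation: chance of a repeated IV among random IVs."""
    return 1.0 - math.exp(-frames * (frames - 1) / 2 ** (IV_BITS + 1))

# Constructed sample data: static 40-bit key, one IV, two 16-byte payloads.
KEY, IV = bytes.fromhex("0102030405"), bytes.fromhex("a1b2c3")
P1, P2 = b"GET /index.html ", b"user=alice;id=7;"
F1, F2 = wep_seal(IV, KEY, P1), wep_seal(IV, KEY, P2)

if __name__ == "__main__":
    print("keystream cancels:", shared_iv_xor(F1, F2)[:16] == xor(P1, P2))
```

Because the key never enters the comparison, rotating to a longer static key does not help; only a cipher construction that never repeats a per-frame key stream removes the leak.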
If a hacker gathers enough frames based on the same IV, that individual can find out the values shared among them, i.e., the key stream or the shared secret key. This in turn helps the hacker decrypt any of the 802.11 frames. The static nature of the shared secret keys aggravates this problem. 802.11 does not provide any functions that support the exchange of keys among stations. Because of that, system administrators and users usually use the same keys for weeks, months, and even years. This gives malicious offenders ample time to observe and hack into WEP-enabled networks (Geier, 2002).

WiFi Protected Access (WPA)

The Wireless Ethernet Compatibility Alliance (WECA) introduced WPA as a solution, based on the draft standard IEEE 802.11i, for enhanced security in wireless LANs. The authentication procedure of WPA and IEEE 802.11i adopted the three-entity model of IEEE 802.1x. IEEE 802.1x is the port-based access control protocol that was initially designed for the Point-to-Point Protocol (PPP), for example modem connections, and wired LANs. The three entities are the client, the authentication server (AS), and the network access server (NAS) (or, in the case of WLANs, the access point, AP). The AS resides in the network, and the client, who initially does not have access to the network, is connected to the NAS. The NAS is the entity that initially blocks the client's access to the network and also serves as an agent between the client and the AS during the authentication process. Thus, the NAS acts as a security guard for the network, admitting only the clients authenticated by the AS, which makes the access decision. One vital task of the authentication process is to establish a temporary secret that the client and the AP can use for message security.

In short, the authentication process of WPA and IEEE 802.11i involves three entities: the client, the AP, and the AS. The client seeks access to the network. The AP protects the access to the network, permitting only the clients that the AS has authenticated.
Lastly, the AS decides whether the client is eligible for access to the network (Baek, et al 2004).

802.1x

IEEE 802.1x is a specification for port-based authentication for wired networks. It has also been extended for use in wireless networks. It offers user-based authentication, access control and key transport. 802.1x is designed to be flexible and extensible. It depends on the Extensible Authentication Protocol (EAP) for authentication, which was initially intended for the Point-to-Point Protocol (PPP) but was reused in 802.1x. There are three types of entities in 802.1x: the client, the access controller and the authentication server. Normally the authentication server is a Remote Authentication Dial-In User Service (RADIUS) server, which is connected to the wired network. Since EAP is extensible, it can use any authentication mechanism. It can function at the network layer (layer 3) rather than the data link layer (layer 2), which adds to the flexibility of the protocol.

802.1x has a few serious limitations for a wireless network. These are due to the reuse of security mechanisms in a setting for which they were not intended. The difficulty in 802.1x is not the quality of the reused protocols, but the inadequate adaptation of the wired protocols to a wireless network. For 802.1x to function in a wireless setting, the access point/access controller must permit traffic to the authentication server prior to authentication. Both the 802.11a WLAN protocol and 802.1x use state machines to operate properly. The adaptation of 802.1x to 802.11a left the two state machines loosely coupled. Because of the loose coupling between the state machines in the two protocols, 802.1x is exposed to session hijacking attacks by an outsider. 802.1x is also intended to authenticate the client and not the access point. Mutual authentication is very important for protecting against man-in-the-middle attacks.
The inadequate key distribution makes it easier for an outside attacker to impersonate an insider, with all the associated vulnerabilities. Hence 802.1x should be combined with a mechanism for blocking network access, such as inline authentication, so that unauthenticated clients cannot access the network. An 802.1x authenticated session stops the casual unauthorized user from accessing the WLAN. But it does not stop a fairly expert attacker with few resources from successfully attacking the network (Welch, 2003).

Remote Authentication Dial-In User Service (RADIUS)

A Network Access Server (NAS) functions as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the reply that comes back. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user. Communication between the client and the RADIUS server is authenticated through the use of a shared secret, which is never sent over the network. Additionally, any user passwords are sent encrypted between the client and the RADIUS server. The RADIUS server can support a variety of methods to authenticate a user. When it is given the user name and the actual password supplied by the user, it can support authentication mechanisms (Rigney, et al 1997).

Virtual Private Network (VPN)

A virtual private network (VPN) is the extension of a private network that includes links across shared or public networks such as the Internet. A VPN makes it possible to send data between two computers across a shared or public internetwork in a manner that emulates the properties of a point-to-point private link. The act of setting up and creating a virtual private network is known as virtual private networking. To emulate a point-to-point link, data is encapsulated with a header that provides routing information, allowing it to pass through the shared or public transit internetwork to arrive at its intended destination.
To emulate a private connection, the data being sent is encrypted for confidentiality. Data packets that are intercepted on the shared or public network are unreadable without the encryption keys. The part of the link in which the private data is encapsulated is known as the tunnel. The portion of the link in which the private data is encrypted is known as the virtual private network (VPN) connection. The VPN ensures privacy at the network layer. A VPN divides up the Internet by permitting the internal use of private addressing schemes (e.g. for intranets). In contrast to present VPN implementations, the planned VPN solution will support quality of service (e.g. assured bandwidth), thus removing the only real disadvantage of VPNs compared to actual private networks using leased lines (Braun, et al 1999).

References

Baek, K.H. et al (2004). A Survey of WPA and 802.11i RSN Authentication Protocols [Online]. Dartmouth College Computer Science Technical Report TR2004-524. Available from [10 January 2008].

Borisov, et al (2001). Security of the WEP algorithm [Online]. berkeley.edu. Available from <http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html> [10 January 2008].

Braun, T. et al (1999). Virtual Private Network Architecture [Online]. CATI Charging and Accounting Technology for the Internet, SNF SPP Projects 5003-054559/1 and 5003-054560/1. Available from [10 January 2008].

Geier, J. (2002). 802.11 WEP: Concepts and Vulnerability [Online]. 80211Planet.com Tutorials. Available from [10 January 2008].

Klemencic, J. (2001). Basic Security Mechanisms for Wireless Networks [Online]. Black Hat Europe. Available from [10 January 2008].

Rigney, et al (1997). Remote Authentication Dial In User Service (RADIUS) [Online]. Network Working Group. Available from [10 January 2008].

Welch (2003). A Survey of 802.11a Wireless Security Threats and Security Mechanisms [Online]. Information Technology and Operations Centre, Department of Electrical Engineering and Computer Science, United States Military Academy, West Point, New York 10996. Technical Report ITOC-TR-2003-101. Available from [10 January 2008].