Ask Google for the best and most precise info.
Below is the stuff I wrote for my WLAN white papers some 7-8 months ago.
Have a look.
--------------------------------------------------------------
Adding a wireless network to an existing infrastructure offers several
advantages to an organization. For example, a wireless LAN user can save up
to eight hours per week compared with a wired LAN user, saving an
organization $260.50 per week on average (Source: "WLANs: Improving
Productivity and Quality of Life, " Sage Research, Inc.). While many
organizations want to reap these benefits, they should first understand how
wireless networks could be vulnerable to several types of intrusion methods.
Perhaps the most common form of intrusion is eavesdropping, or the
unauthorized interception of wireless transmissions. Eavesdropping is
possible for two reasons:
a. Access Points use unlicensed radio spectrum in the 2.4 GHz band, which
any computer with a wireless network interface card (NIC) or a frequency
scanner within range can receive.
b. 802.11b is a shared broadcast medium: every frame, management traffic
included, goes out over the air, and a NIC placed in monitor (promiscuous)
mode captures all of it without ever associating with the network.
Wireless networks are also prone to denial-of-service attacks. A
denial-of-service attack occurs when an unauthorized mobile device transmits
so much information to an Access Point that the Access Point cannot
function. Any network is also open to rogue Access Points: unauthorized
Access Points that offer open-door access for wireless devices to the
network.
Because of these security concerns, many network managers have been
reluctant or unwilling to deploy WLANs, especially in light of the
vulnerability of the Wired Equivalent Privacy (WEP) keys that are used to
encrypt and decrypt transmitted data. Several research papers and articles
have highlighted the potential vulnerabilities of static WEP keys. In
addition, hackers have ready access to tools for cracking WEP keys, such as
AirSnort, which enables an attacker to passively monitor and analyze packets
of data and then use this information to break the WEP key that encrypts the
packets. Network managers need reassurance that WLANs can provide the same
level of security, manageability, and scalability offered by wired LANs.
Type of threats and attacks:

Threat: Decoy access points
  What it does: Wireless LAN clients assume the decoy is a valid access
  point and connect to it.
  Countermeasures: Mutual authentication.

Threat: Access point maps
  What it does: Web sites record the precise location of any unsecured
  access point and directions to it.
  Countermeasures: Security architecture; smart deployment; authentication;
  encryption.

Threat: Invisible access points
  What it does: Radios embedded in shipping, receiving and other systems
  create an open back door.
  Countermeasures: Security policies; intrusion detection.

Threat: Automated low-level attacks on WEP keys, passwords, addresses
  What it does: Programs run repeatedly to ferret out and crack an array of
  weaknesses.
  Countermeasures: Intrusion detection; security architecture; access point
  configuration management.
1.1 Traditional WLAN Security
As with other networks, security for WLANs focuses on access control and
privacy. Robust WLAN access control prevents unauthorized users from
communicating through APs, the WLAN endpoints on the Ethernet network that
link WLAN clients to the network. Strong WLAN access control ensures that
legitimate clients associate with trusted, rather than "rogue" APs. WLAN
privacy ensures that only the intended audience understands the transmitted
data. The privacy of transmitted WLAN data is protected only when that data
is encrypted with a key that can be used only by the intended recipient of
the data.
Traditional WLAN security includes the use of Service Set Identifiers
(SSIDs), open or shared-key authentication, static WEP keys and optional
Media Access Control (MAC) authentication. This combination offers a
rudimentary level of access control and privacy, but each element can be
compromised.
An SSID is a common network name for the devices in a WLAN subsystem; it
serves to logically segment that subsystem. An AP accepts association only
from clients that present its SSID, so the SSID is sometimes treated as a
password. By default, however, an AP broadcasts its SSID in its beacon, and
even if SSID broadcasting is turned off, an intruder can recover it by
sniffing, because probe responses and association requests carry the SSID in
clear text.
The 802.11 standard supports two means of client authentication: open and
shared-key authentication. Open authentication involves little more than
supplying the correct SSID. With shared-key authentication, the AP sends the
client device a clear-text challenge that the client must encrypt with the
correct WEP key and return to the access point. If the client has the wrong
key or no key, authentication fails and the client is not allowed to
associate with the access point. Shared-key authentication is not considered
secure, because a hacker who captures both the clear-text challenge and the
same challenge encrypted under the WEP key can XOR the two to recover the
RC4 keystream for that IV. That keystream is enough to answer any later
challenge, and to forge frames under that IV, without ever learning the key
itself; shared-key authentication is therefore weaker than open
authentication with WEP.
With open authentication, even if a client can complete authentication and
associate with an AP, the use of WEP prevents the client from sending data
to and receiving data from the AP, unless the client has the correct WEP
key.
Another type of key that is often used, but is not considered secure, is a
"static" WEP key. A static WEP key is a shared secret of 40 or 104 bits
(marketed as 64- or 128-bit once the 24-bit IV is counted) that is
statically defined by the network administrator on the AP and on all clients
that communicate with the AP. When static WEP keys are used, a network
administrator must perform the time-consuming task of entering the same keys
on every device in the WLAN.
If a device that uses static WEP keys is lost or stolen, the possessor of
the stolen device can access the WLAN. An administrator won't be able to
detect that an unauthorized user has infiltrated the WLAN, until and unless
the theft is reported. The administrator must then change the WEP key on
every device that uses the same static WEP key used by the missing device.
In a large enterprise WLAN with hundreds or even thousands of users, this
can be a daunting task. Worse still, if a static WEP key is deciphered
through a tool like AirSnort, the administrator has no way of knowing that
the key has been compromised by a hacker.
Some WLAN vendors support authentication based on the physical address, or
MAC address, of the client Network Interface Card (NIC). An access point
will allow association by a client only if that client's MAC address matches
an address in an authentication table used by the access point. But MAC
authentication is an inadequate security measure, because MAC addresses can
be forged, or a NIC can be lost or stolen.
While traditional WLAN security that relies on SSIDs, open or shared-keys,
static WEP keys or MAC authentication is better than no security at all, it
is not sufficient for the enterprise organization. Only very small
businesses, or those that do not entrust mission-critical data to their WLAN
networks, can rely on these WLAN security types. All other enterprises and
organizations must invest in a robust, enterprise-class WLAN security
solution.
Below is some data from the WorldWide WarDrives that raises concern about
the security of deployed WLANs. The first WorldWide WarDrive (WWWD-1) took
place between 31 August and 7 September 2002; the second (WWWD-2) took place
between 26 October and 2 November 2002.
WWWD-2 (26 October - 2 November 2002)

Category                           Total   Percent   Change vs WWWD-1 (points)
Total APs found                    24958   100.00    N/A
WEP enabled                         6970    27.92    -2.21
No WEP enabled                     17988    72.07    +2.21
Default SSID                        8802    35.27    +5.74
Default SSID and no WEP enabled     7847    31.44    +4.80
Most common SSID                    5310    21.28    +2.31
2nd most common SSID                2048     8.21    +1.56

WWWD-1 (31 August - 7 September 2002)

Category                           Total   Percent
Total APs found                     9374   100.00
WEP enabled                         2825    30.13
No WEP enabled                      6549    69.86
Default SSID                        2768    29.53
Default SSID and no WEP enabled     2497    26.64
Unique SSIDs                        3672    39.17
Most common SSID                    1778    18.97
2nd most common SSID                 623     6.65
Though wireless data streams get more attention, the greatest risk to
wireless connectivity may be the handheld devices themselves.
Handheld computers and their applications were built for cool new functions,
not security. They lack the processing power for strong encryption, memory
management and solid password security. When they were just electronic
organizers, it didn't matter. Now, they're an open door to the network, and
that matters a lot.
Start with physical security. You can augment the security on handhelds, but
people can't prevent them from being lost or stolen from pockets, purses
and briefcases. The risk isn't trivial. Gartner Group estimates that more
than a quarter of a million PDAs and mobile phones were lost or stolen in
airports worldwide in 2001.
Laptops and desktop systems have the resources (ample power, speedy
processors and lots of storage) to efficiently handle security-related
tasks, such as cryptographic calculations. In contrast, PDAs, with their low
power, relatively slow processors and limited storage capacity, were
intended to support personal applications that don't generally require
robust security. And while vendors have been quick to promote the devices
for a range of sensitive applications, such as finance and health care,
they've been slow to offer security capabilities commensurate with the
risks. The Palm OS, for example, has very weak password security, according
to an analysis conducted by Peiter "Mudge" Zatko and Joe "Kingpin" Grand of
@stake security (www.atstake.com). While the pair identified several
vulnerabilities specific to version 3.5 of the operating system, they raised
a number of broader concerns as well, such as the inability of the OS to
control an application's access to system resources, the possibility for
cross-system viruses and the potential for attacks related to
synchronization.
The @stake analysis, for example, revealed that the Palm OS (v3.5) doesn't
encrypt the password on the device. Instead, the password is encoded with a
known algorithm and stored in a location accessible to any application. An
attacker who captures the encoded block can quickly determine the password.
Microsoft's WinCE (now PocketPC) has also suffered password problems,
including a widely publicized exploit that allowed an attacker to learn an
individual's Windows NT password.
In each case, the OEM vendor has moved to correct the shortcoming, but the
problem points to the need for more robust protection of handheld devices,
such as multifactor authentication: for example, a smart card that the user
must physically carry, insert into the device and then unlock by entering a
password.
RSA Security (www.rsasecurity.com) is the de facto choice for public-key
cryptography. But is it the best choice for power-challenged handhelds? The
new partnership with Palm gives RSA a huge boost in this space, despite its
comparatively processor-intensive algorithms. On the flip side, Certicom
(www.certicom.com) and NTRU (www.ntru.com) sell encryption technology using
algorithms fundamentally different from traditional crypto approaches.
Certicom maintains that its elliptic curve cryptography (ECC) is ideally
suited for wireless devices, with less computational overhead, smaller key
sizes and lower bandwidth usage than RSA's BSAFE.
Lack of memory management leaves another gaping security hole. Palm devices
have no capacity to mark sections of memory as read-only or limit access,
Zatko and Grand note. If a virus is introduced or the device is stolen, a
rogue application can read and write to memory or interact directly with the
system processor. At that point, the insecurity of the operating system
becomes academic. With free rein over system memory, rogue applications can
read records, erase data or programs, modify creator codes (used to
determine which program will execute) and physically damage the device
itself.
A poorly configured system will allow literally anyone to join the network.
And the usual types of black-hat intrusion (vulnerability exploits, buffer
overflows, Web site defacements, malware attacks) are made all that much
easier because network penetration via dialing in or exploiting an open port
isn't required. While better than nothing, WEP isn't good enough for robust
security. WEP suffers from two critical flaws: vulnerable encryption and a
lack of key management. That means either manually changing keys or
individual vendor solutions, which in the best cases generate keys
dynamically.
War drivers use programs such as NetStumbler (www.netstumbler.com) to obtain
a wealth of detail from the transmissions they pick up. Cracker tools like
AirSnort (www.airsnort.net) and WEPCrack (http://wepcrack.sourceforge.net)
can begin decoding traffic in mere minutes once enough frames have been
captured. WEP supports both 64- and 128-bit keys (40 or 104 secret bits).
Both are vulnerable, because the initialization vector (IV) that is
prepended to the key is only 24 bits long in each case: on a busy network
the same IV, and therefore the same RC4 keystream, recurs within hours, and
the way the IV is prepended exposes the weak-key correlations (Fluhrer,
Mantin and Shamir) that these tools exploit. Its RC4 algorithm, which is
used securely in other implementations such as SSL, is thus quite vulnerable
in WEP.
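To make the two keystream-reuse problems concrete (the shared-key
authentication challenge/response described in section 1.1 and the 24-bit IV
just discussed), here is an added example in Python. It is not code from the
original paper or from AirSnort/WEPCrack: the RC4 is the textbook algorithm,
the WEP framing is simplified (no 802.11 header, no CRC-32 ICV) and the key,
IVs and frame contents are constructed for the demonstration.

```python
"""
Added example, not part of the original paper: a toy WEP model showing the two
keystream-reuse problems the text describes.  The RC4 code is the textbook
KSA/PRGA; the WEP framing is simplified (no 802.11 header, no CRC-32 ICV).
All keys, IVs and frame contents are constructed for the demo.
"""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling (KSA) then pseudo-random generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-packet RC4 key = 24-bit IV || shared secret (40 or 104 bits).
    The IV travels in the clear in front of the ciphertext."""
    assert len(iv) == 3 and len(secret) in (5, 13)
    return xor(plaintext, rc4_keystream(iv + secret, len(plaintext)))


# 1. Shared-key authentication hands the eavesdropper a keystream.
def forge_auth_response(challenge: bytes, response: bytes, new_challenge: bytes) -> bytes:
    """challenge XOR response = RC4 keystream for that IV.  Replaying the same
    IV, the attacker encrypts any later challenge without knowing the key."""
    keystream = xor(challenge, response)
    return xor(new_challenge, keystream)


# 2. A repeated IV on data frames means a repeated keystream.
def recover_from_iv_reuse(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    """ct1 XOR ct2 = pt1 XOR pt2, so one guessable frame exposes the other."""
    return xor(xor(ct1, ct2), known_pt1)


def p_iv_repeat(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least one IV repeats among `frames`
    frames when IVs are chosen uniformly at random.  (Drivers that count up
    from zero instead repeat after 2**24 frames, which is hours on a busy AP.)"""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * 2 ** iv_bits))


def demo():
    secret = bytes.fromhex("0123456789")     # constructed 40-bit static WEP key
    iv = b"\x01\x02\x03"                    # constructed IV, visible to the sniffer

    # Shared-key authentication (the real challenge is 128 bytes; 16 here)
    challenge = bytes(range(16))                          # AP -> client, clear text
    response = wep_encrypt(secret, iv, challenge)         # client -> AP, WEP
    new_challenge = bytes(range(16, 32))                  # a later AP challenge
    forged = forge_auth_response(challenge, response, new_challenge)
    auth_ok = forged == wep_encrypt(secret, iv, new_challenge)

    # IV reuse: a guessable frame (ARP-like) beside a secret one, same IV
    pt1 = b"ARP who-has 10.0.0.1".ljust(24)     # attacker can guess this one
    pt2 = b"password=hunter2".ljust(24)         # attacker wants this one
    ct1 = wep_encrypt(secret, iv, pt1)
    ct2 = wep_encrypt(secret, iv, pt2)
    recovered = recover_from_iv_reuse(ct1, ct2, pt1)
    return auth_ok, recovered


if __name__ == "__main__":
    ok, pt = demo()
    print("forged auth response accepted:", ok)
    print("recovered plaintext:", pt)
    print("P(IV repeat after 5000 random IVs) = %.2f" % p_iv_repeat(5000))
```

Run it as a script to see both results. The point of forge_auth_response()
is that the key is never needed: the eavesdropper only needs one IV the AP
has already accepted. The birthday estimate in p_iv_repeat() shows that even
randomly chosen 24-bit IVs start repeating after a few thousand frames, a
matter of minutes on a busy access point.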
The other 802.11b access security method uses a Service Set Identifier
(SSID), which is assigned to one or more APs to create a wireless network
segment. Wireless clients must be configured with the correct SSID to access
the network, providing very basic security. But even this security will be
useless if APs are enabled to "broadcast" their SSIDs. That allows any
computer that isn't configured with an SSID to receive it and access the AP.
Proprietary solutions. Wireless vendors address these problems with some
form of enhanced key management for both encryption and client
authentication. The tradeoff for better-than-WEP key management is locking
into a proprietary system. For example, Cisco Systems (www.cisco.com), Agere
Systems (www.agere.com), Enterasys Networks (www.enterasys.com) and Avaya
(www.avaya.com) have all put key management software in their systems.
Dynamic key management addresses the 802.11b administration headaches and
thwarts cracker efforts. Cisco, for example, uses a central key server that
creates, distributes and rotates RSA public/private key pairs at the client
level for authentication. The server also generates and distributes RC4 keys
for packet encryption.
Complex enterprises with large numbers of employees, business partners and a
wide range of applications and access methods, including wireless, require
an authentication server. For user-based authentication, RADIUS/AAA is
recommended. A RADIUS server can be employed to validate a client's
credentials before the access point lets it onto the network. It can be
centrally managed, which is important for large enterprises, and can be used
to authenticate VPN clients as well as other services.
Wireless network vendors implement RADIUS in a variety of ways. Avaya's
Wireless Access Server, for example, has a built-in RADIUS client. Agere, on
the other hand, stresses its compatibility with other vendors' RADIUS
servers.
Regardless of specific plans regarding WLANs, the IEEE 802.1X port-based
authentication standard is worth evaluating because of the benefits it can
offer in both wired and wireless environments.
The standard makes it possible to require that an individual be
authenticated before he gains access to the network. This addresses the
access side of the war-driving problem, where anybody within range of your
network can otherwise easily gain access; 802.1X does not by itself encrypt
traffic, so it is paired with WEP or, in WPA, with TKIP. Several companies,
including Cisco, 3Com, Enterasys and Microsoft (Windows XP includes 802.1X
support) have adopted the protocol, and Funk Software (www.funk.com),
developer of commercial RADIUS servers, announced 802.1X support in its
latest release last October.
VPNs, the remote access choice for a growing number of enterprises, are
arguably the best way to thwart intrusions on wireless transmissions. A
number of vendors offer VPNs that are optimized for wireless security. VPNs,
in a securely architected enterprise, protect data transmissions and assure
strong authentication. Performance will slow, but protecting wireless
traffic is often worth the tradeoff.
War drivers will drive elsewhere, because IPSec (the encryption protocol
used in many VPN applications) will thwart programs such as AirSnort. As
wireless LANs become more prevalent, vendors have begun to include VPN
support for handheld devices. Microsoft has added its own VPN client to the most
recent version of PocketPC 2002. Certicom offers movianVPN, a specialized
handheld solution that supports 802.11 networks and--unlike the Microsoft
offering--multiple gateways.
The best tool for finding unauthorized access points is the very same one
used by war drivers: a wireless sniffer. Options include NetStumbler,
AiroPeek from WildPackets (www.wildpackets.com), Network Associates'
(www.nai.com) Sniffer Wireless and "roll-your-own" solutions that build on
open-source cracking tools. Compare what the sniffer sees against an
inventory of authorized BSSIDs; anything else on your premises is a rogue
candidate. In addition, a RADIUS/AAA server will reject requests from APs
that are not registered with it as clients, so a rogue AP cannot use it to
authenticate users. That does not stop a rogue that simply bridges onto the
wired LAN, which is why the sniffer sweep is still needed.
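The audit a sniffer-based sweep performs can be scripted. Below is an added
example in Python (not from the original paper and not from any of the
tools named above) that parses raw 802.11 beacon frames, recovers the BSSID,
SSID, channel and the privacy/WPA indicators, and flags rogue, open,
WEP-only and default-SSID access points: the same categories the WorldWide
WarDrive tables above count. The beacon frames, the authorized-BSSID
inventory and the default-SSID list are constructed for the example; real
frames would come from a card in monitor mode.

```python
"""
Added example, not part of the original paper: parse raw 802.11 beacon frames
as a wireless sniffer would and audit them against an inventory of authorized
access points.  Frames, inventory and default-SSID list are constructed here.
"""
import struct

TAG_SSID, TAG_DS_PARAMS, TAG_RSN, TAG_VENDOR = 0x00, 0x03, 0x30, 0xDD
WPA_OUI_TYPE = bytes.fromhex("0050f201")   # vendor IE: OUI 00:50:F2, type 1 = WPA
CAP_PRIVACY = 0x0010                        # capability info bit 4: WEP/TKIP in use

# Sample of factory-default SSIDs (assumed list for the example)
DEFAULT_SSIDS = {"linksys", "default", "tsunami", "netgear", "wireless"}


def build_beacon(bssid: str, ssid: str, channel: int, privacy: bool, wpa: bool = False) -> bytes:
    """Constructed beacon: 24-byte management header, fixed fields, then IEs."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = (struct.pack("<HH", 0x0080, 0)      # frame control (beacon), duration
              + b"\xff" * 6 + mac + mac           # DA = broadcast, SA, BSSID
              + struct.pack("<H", 0))             # sequence control
    fixed = struct.pack("<QHH", 0, 100, CAP_PRIVACY if privacy else 0)  # timestamp, interval, caps
    ies = bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    ies += bytes([TAG_DS_PARAMS, 1, channel])
    if wpa:
        ies += bytes([TAG_VENDOR, len(WPA_OUI_TYPE)]) + WPA_OUI_TYPE
    return header + fixed + ies


def parse_beacon(frame: bytes):
    """Return a dict of what the sniffer learns, or None if not a beacon."""
    if len(frame) < 36:
        return None
    fc, = struct.unpack_from("<H", frame, 0)
    if fc & 0x00FC != 0x0080:                 # type 0 (mgmt), subtype 8 (beacon)
        return None
    cap, = struct.unpack_from("<H", frame, 34)  # 24 hdr + 8 timestamp + 2 interval
    ap = {"bssid": ":".join("%02x" % b for b in frame[16:22]), "ssid": "",
          "channel": None, "privacy": bool(cap & CAP_PRIVACY), "wpa": False, "rsn": False}
    off = 36
    while off + 2 <= len(frame):              # walk the tag/length/value elements
        tag, length = frame[off], frame[off + 1]
        val = frame[off + 2: off + 2 + length]
        if len(val) < length:
            break                             # truncated IE: stop, do not mis-parse
        if tag == TAG_SSID:
            ap["ssid"] = val.decode("utf-8", "replace")
        elif tag == TAG_DS_PARAMS and length == 1:
            ap["channel"] = val[0]
        elif tag == TAG_RSN:
            ap["rsn"] = True                  # 802.11i RSN element
        elif tag == TAG_VENDOR and val[:4] == WPA_OUI_TYPE:
            ap["wpa"] = True
        off += 2 + length
    return ap


def security(ap: dict) -> str:
    if not ap["privacy"]:
        return "open"
    if ap["rsn"]:
        return "802.11i"
    if ap["wpa"]:
        return "WPA"
    return "WEP"                              # privacy bit set, no WPA/RSN element


def audit(frames, authorized_bssids, default_ssids=DEFAULT_SSIDS):
    """One finding per AP that is rogue, unencrypted, WEP-only or default-named."""
    findings = []
    for frame in frames:
        ap = parse_beacon(frame)
        if ap is None:
            continue
        sec = security(ap)
        issues = []
        if ap["bssid"] not in authorized_bssids:
            issues.append("rogue: BSSID not in inventory")
        if sec == "open":
            issues.append("no encryption")
        elif sec == "WEP":
            issues.append("WEP only (static keys, crackable)")
        if ap["ssid"].lower() in default_ssids:
            issues.append("default SSID")
        if issues:
            findings.append((ap["bssid"], ap["ssid"], ap["channel"], sec, issues))
    return findings


# Constructed capture: two corporate APs, two strangers and one data frame.
SAMPLE_FRAMES = [
    build_beacon("00:0b:86:aa:bb:01", "corp-wlan", 1, privacy=True, wpa=True),
    build_beacon("00:0b:86:aa:bb:02", "corp-wlan", 6, privacy=True),
    build_beacon("00:06:25:de:ad:01", "linksys", 6, privacy=False),
    build_beacon("00:40:96:ca:fe:01", "tsunami", 11, privacy=True),
    b"\x08\x02" + b"\x00" * 30,   # a data frame; parse_beacon() ignores it
]
AUTHORIZED = {"00:0b:86:aa:bb:01", "00:0b:86:aa:bb:02"}


def run():
    return audit(SAMPLE_FRAMES, AUTHORIZED)


if __name__ == "__main__":
    for bssid, ssid, ch, sec, issues in run():
        print(bssid, repr(ssid), "ch", ch, sec, "->", "; ".join(issues))
```

Run as a script, the constructed capture yields three findings: the second
corporate AP is still on WEP, and both unknown BSSIDs are rogues, one of
them wide open and both using a factory SSID. The parser stops at a
truncated element rather than reading past the end of the frame, which is
the kind of input a hostile beacon can present.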
In addition to these, the Wi-Fi Alliance has launched Wi-Fi Protected Access
(WPA). Wi-Fi Protected Access is a specification of standards-based,
interoperable security enhancements that strongly increase the level of data
protection and access control for existing and future wireless LAN systems.
Designed to run on existing hardware as a software upgrade, Wi-Fi Protected
Access is derived from and will be forward compatible with the upcoming IEEE
802.11i standard. When properly installed, it will provide wireless LAN
users with a high level of assurance that their data will remain protected
and that only authorized network users can access the network. The Wi-Fi
Alliance plans to begin interoperability certification testing on Wi-Fi
Protected Access products starting in February 2003.
To meet these goals, two primary security enhancements are made. Wi-Fi
Protected Access was constructed to provide improved data encryption
(enhanced data encryption through TKIP), which was weak in WEP, and to
provide user authentication (enterprise-level user authentication via 802.1X
and EAP), which was largely missing in WEP.
For more info please visit http://www.wi-fi.org/
--------------------------------------------------------------
Hope the above has prepared you with some basics.
Puneet
----- Original Message -----
From: "vivek khurana" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "The Linux-Delhi mailing list"
<[EMAIL PROTECTED]>
Sent: Sunday, December 14, 2003 7:05 PM
Subject: Re: [ilugd] how secure is 802.11b??
> Hi!
> --- umesh anand <[EMAIL PROTECTED]> wrote:
> > Nothing is secure if you know how it works.
> > That should answer your question?
> > umesh
> >
> This does not answer my question. I know how PGP works,
> but I still use it as I know that the chances of breaking
> in are really low.
> Next time please add <snip> while writing funny
> replies.
>
> with regards
> vivek
>
> =====
> When DESTINY has closed all the DOORS;
> Jump out of the WINDOW
_______________________________________________
ilugd mailing list
[EMAIL PROTECTED]
http://frodo.hserus.net/mailman/listinfo/ilugd