WISDOM Intermediate Security Measures
WISDOM Intermediate Security is designed for WLANs in a
converged network that contains proprietary or very sensitive data. WISDOM
Intermediate Security also requires that the WLAN security management
considerations and those required for WISDOM Basic Security described earlier be
implemented as part of its layered approach. WISDOM Intermediate Security uses a
vendor-neutral solution, specifically RADIUS, for centralized user management
and domain/directory authentication, and a dynamic keying model using EAP and
802.1x called LEAP to provide moderate security risk
mitigation for threats against integrity and confidentiality in a WLAN
environment. RADIUS reduces or even eliminates WEP vulnerabilities to attacks on
integrity and confidentiality, and it allows the administrator to centrally
manage MAC addresses with a central database for authentication and key management. This greatly reduces the
burden of work for administrators.
The use of RADIUS avoids the need to manually program a static MAC
address into each AP to which users require access. It centralizes user
management and domain/directory authentication, which makes it possible to
create dynamic user- and session-specific keys instead of static keys for WEP
encryption. It also provides accounting reports that detail user access and
authentication. These reports assist in tracking user access to resources and
attempts to gain unauthorized access. Drawbacks to implementing RADIUS include
the use of additional equipment, software, administrative key management, and
training.
The WISDOM Intermediate Security topology (see Figure 12.2) allows users to connect to
the WLAN using their regular domain authentication credentials. In addition, the
vulnerabilities associated with WEP (specifically, the key-scheduling and
weak-key problems) are eliminated. This design places the RADIUS server on the
inside of the network, which requires the administrator to allow RADIUS traffic
through the firewall. This design uses a Cisco Secure ACS server as the RADIUS
server.
This approach also focuses on a framework for providing
centralized authentication and dynamic key distribution. A proposal jointly
submitted to the IEEE by Cisco Systems, Microsoft, and other organizations
introduced an end-to-end framework using 802.1x and EAP,
called LEAP, to provide this enhanced functionality. Central to this proposal
are two main elements:
- EAP allows wireless client adapters that may support different authentication types to communicate with different back-end servers such as RADIUS.
- IEEE 802.1x is a standard for port-based network access control.
When these features are implemented, a wireless client that
associates with an AP cannot gain access to the network until the user performs
a network logon. When the user enters a username and password into a network
logon dialog box or its equivalent, the client and a RADIUS server perform a
mutual authentication, with the client authenticated by the supplied username
and password. The RADIUS server and client then derive a client-specific WEP key
to be used by the client for the current logon session. The process for this sequence of events is explained later. User
passwords and session keys are never transmitted in the clear over the wireless
link.
The WLAN access points will be connected to Layer 2 access
switches. RADIUS and DHCP servers will be simulated as being located in the
server module of the wired network. Security in the design is maintained by
preventing network access in the event of a RADIUS service failure. Because most
of the mitigation against security risks will rely on the RADIUS service, this
behavior is required. If the DHCP servers are unavailable to the WLAN, the
wireless clients will not be able to establish IP connectivity with the wired
network, and management of the solution will be hindered. The wireless clients
and APs use LEAP to authenticate the WLAN client devices and end users against
the RADIUS servers.
Because the LEAP process does not support One-Time Password (OTP),
a significant security hole is introduced into the network: attackers can
attempt to brute-force the LEAP authentication process. This requires
that users choose strong passwords and that the administrator set account
lockouts after a small number of incorrect login attempts. This configuration
can be made at the RADIUS server. For scalability and manageability purposes,
the WLAN client devices are configured to use the DHCP protocol for IP
configuration. DHCP occurs after the device and end user are successfully
authenticated via LEAP. After successful DHCP configuration, the wireless end
user is allowed access to the corporate network. Filtering in place at the first
Layer 3 switch prevents the wireless network from accessing portions of the
wired network, as dictated by an organization's security policy.
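One way to implement the two controls called for above (and in the password-attack and AP-user-password rows of Table 12.2), as an added example rather than Cisco Secure ACS configuration: a lockout after a small number of failed logons within a window, and a check of the AP password rule. The log format, field names and sample records are constructed.

```python
"""RADIUS-side controls for the LEAP password-attack risk (added example).
Not Cisco Secure ACS code; the authentication log format below is assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample RADIUS authentication log (format is assumed).
SAMPLE_LOG = """\
2003-05-12 09:00:01 Access-Accept user=alice nas=ap-lobby station=00-40-96-aa-bb-01
2003-05-12 09:00:10 Access-Reject user=bob nas=ap-lobby station=00-40-96-aa-bb-02
2003-05-12 09:00:12 Access-Reject user=bob nas=ap-lobby station=00-40-96-aa-bb-02
2003-05-12 09:00:14 Access-Reject user=bob nas=ap-lobby station=00-40-96-aa-bb-02
2003-05-12 09:00:16 Access-Reject user=bob nas=ap-lobby station=00-40-96-aa-bb-02
2003-05-12 09:00:18 Access-Accept user=bob nas=ap-lobby station=00-40-96-aa-bb-02
2003-05-12 09:30:00 Access-Reject user=carol nas=ap-floor2 station=00-40-96-aa-bb-03
2003-05-12 10:45:00 Access-Reject user=carol nas=ap-floor2 station=00-40-96-aa-bb-03
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<result>Access-\w+) user=(?P<user>\S+) "
    r"nas=(?P<nas>\S+) station=(?P<station>\S+)")


def parse_log(text):
    """Yield one dict per parseable log line, with the timestamp parsed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            yield rec


def lockout_decisions(records, max_failures=3, window=timedelta(minutes=15)):
    """Return {user: lock_time} for accounts that reach max_failures
    Access-Rejects inside a sliding window. A successful logon before the
    threshold resets the counter; once locked, later records for that
    account are ignored (the server would refuse them until an admin unlocks)."""
    failures = defaultdict(list)
    locked = {}
    for rec in records:
        user = rec["user"]
        if user in locked:
            continue
        if rec["result"] == "Access-Reject":
            recent = [t for t in failures[user] if rec["ts"] - t <= window]
            recent.append(rec["ts"])
            failures[user] = recent
            if len(recent) >= max_failures:
                locked[user] = rec["ts"]
        else:
            failures[user].clear()
    return locked


def password_meets_policy(pw, min_len=8):
    """The AP-password rule from Table 12.2: at least eight characters,
    containing letters, digits and at least one special character."""
    return (len(pw) >= min_len
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


if __name__ == "__main__":
    for user, when in lockout_decisions(parse_log(SAMPLE_LOG)).items():
        print(f"lock account {user} at {when} (too many failed LEAP logons)")
    for candidate in ("Tr0ub4dor!", "password"):
        print(candidate, "meets policy" if password_meets_policy(candidate) else "rejected")
```

With the sample log, bob is locked at the third reject (09:00:14) and carol is not, because her two failures fall outside the 15-minute window.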
LEAP provides two significant benefits over basic WEP. The first
benefit is the mutual authentication scheme as described previously. This scheme
effectively eliminates man-in-the-middle attacks introduced by rogue access
points and RADIUS servers. The second benefit is centralized management and
distribution of the encryption keys used by WEP. Even if the WEP implementation
of RC4 had no flaws, there would still be the administrative difficulty of
distributing static keys to all of the APs and clients in the network. Each time
a wireless device was lost, the network would need to be rekeyed to prevent the
lost system from gaining unauthorized access. The process is as follows: (1) a
wireless client associates with an access point; (2) the access point blocks all
attempts by the client to gain access to network resources until the client logs
on to the network; (3) the user on the client supplies a username and password
in a network logon dialog box or its equivalent; and (4) using 802.1x and EAP, the wireless client and a RADIUS server on the wired LAN perform a mutual authentication
through the access point.
With the Cisco authentication type of LEAP enabled, the RADIUS
server sends an authentication challenge to the client. The client uses a
one-way hash, also called a message digest, of the user-supplied password to
respond to the challenge and sends that response to the RADIUS server. Using
information from its user database, the RADIUS server creates its own response
and compares that to the response from the client. When the RADIUS server
authenticates the client, the process repeats in reverse, enabling the client to
authenticate the RADIUS server. When mutual authentication is successfully
completed, the RADIUS server and the client determine a WEP key that is distinct
to the client. The client loads this key and prepares to use it for the logon
session. The RADIUS server then sends the WEP key, called a session key, over
the wired LAN to the access point. Next, the access point encrypts its broadcast
key with the session key and sends the encrypted key to the client, which uses
the session key to decrypt it; the client and access point activate WEP and use
the session and broadcast WEP keys for all communications during the remainder
of the session. Both the session key and broadcast key are changed at regular
intervals, as configured in the RADIUS server.
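The challenge/response sequence just described, as an added model rather than Cisco's LEAP code (LEAP's actual hash and cipher are not the ones used here): HMAC-SHA256 stands in for the password digest and challenge responses, and a single-use XOR keystream for the WEP wrapping of the broadcast key, so the message flow, the independent session-key derivation on both sides, and the effect of mutual authentication against a server that does not hold the password can be run end to end.

```python
"""Model of the LEAP-style mutual authentication and key handoff (added
illustration, not the Cisco implementation; primitives are stand-ins)."""
import hashlib
import hmac
import os


def password_digest(password: str) -> bytes:
    """One-way hash of the password; the cleartext password is never sent."""
    return hashlib.sha256(password.encode()).digest()


def challenge_response(digest: bytes, challenge: bytes) -> bytes:
    """Response to a challenge, keyed by the password digest both sides hold."""
    return hmac.new(digest, challenge, hashlib.sha256).digest()


def derive_session_key(digest: bytes, c_srv: bytes, c_cli: bytes) -> bytes:
    """Per-user, per-session WEP key from shared material (104-bit, modelled)."""
    return hmac.new(digest, b"session" + c_srv + c_cli, hashlib.sha256).digest()[:13]


def mutual_auth(client_digest: bytes, server_digest: bytes):
    """Run both challenge/response halves through the AP.

    Returns (client_ok, server_ok, client_key, server_key). Only challenges
    and responses cross the wireless link. A rogue RADIUS server that does
    not know the user's password fails the second half, so the client
    never activates a session key with it."""
    # Half 1: the RADIUS server challenges the client.
    c_srv = os.urandom(16)
    r_cli = challenge_response(client_digest, c_srv)
    client_ok = hmac.compare_digest(r_cli, challenge_response(server_digest, c_srv))
    # Half 2: the client challenges the server (mutual authentication).
    c_cli = os.urandom(16)
    r_srv = challenge_response(server_digest, c_cli)
    server_ok = hmac.compare_digest(r_srv, challenge_response(client_digest, c_cli))
    # Each side derives the session key on its own; the key itself is not sent.
    return (client_ok, server_ok,
            derive_session_key(client_digest, c_srv, c_cli),
            derive_session_key(server_digest, c_srv, c_cli))


def xor_with_keystream(key: bytes, data: bytes, label: bytes) -> bytes:
    """Single-use keystream from the session key (stand-in for the WEP cipher)."""
    stream = hmac.new(key, label, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def deliver_broadcast_key(session_key: bytes, broadcast_key: bytes) -> bytes:
    """The AP, handed the session key over the wired LAN, wraps its broadcast
    key with it; only the wrapped value goes over the air."""
    return xor_with_keystream(session_key, broadcast_key, b"broadcast")


def unwrap_broadcast_key(session_key: bytes, wrapped: bytes) -> bytes:
    """Client side of the broadcast-key delivery."""
    return xor_with_keystream(session_key, wrapped, b"broadcast")


def logon_session(password: str, user_db_digest: bytes):
    """Whole sequence: mutual auth, session key, broadcast-key delivery.

    Returns (authenticated, client_recovered_broadcast_key)."""
    client_digest = password_digest(password)
    c_ok, s_ok, k_cli, k_srv = mutual_auth(client_digest, user_db_digest)
    if not (c_ok and s_ok):
        return False, None
    broadcast_key = os.urandom(13)  # constructed AP broadcast key
    wrapped = deliver_broadcast_key(k_srv, broadcast_key)
    return True, unwrap_broadcast_key(k_cli, wrapped) == broadcast_key


if __name__ == "__main__":
    stored = password_digest("correct horse")      # RADIUS user database entry
    print("valid user:", logon_session("correct horse", stored))
    print("wrong password:", logon_session("guess", stored))
```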
WISDOM Intermediate Security eliminates the known WEP
vulnerabilities to integrity and confidentiality attacks; greatly reduces the
burden and vulnerability of administrators who have to manually program a static
MAC address into each AP to which users require access; provides centralized
user management and domain/directory authentication, which makes it possible to
create dynamic user- and session-specific keys instead of static keys used for
WEP encryption; and creates accounting reports that detail user access and
authorization that can help in tracking who has been using the resources when
someone might be attempting to gain unauthorized access. The 18 WISDOM
Intermediate Security vulnerability, threat, and mitigation elements are
described in Table 12.2. Key
design features and components for WISDOM Intermediate Security are as
follows:
- Wireless client adapter and software. This solution provides the hardware and software necessary for wireless communications to the AP; it provides mutual authentication to the AP via LEAP.
- Wireless AP. This mutually authenticates wireless clients via LEAP.
- Layer 2 switch. This provides Ethernet connectivity between the WLAN APs and the wired network.
- Layer 3 switch. This routes and switches production network data from one module to another and provides additional policy enforcement via protocol-level filtering for wireless traffic.
- DHCP server. This delivers IP configuration information for wireless LEAP clients.
- RADIUS server. This delivers user-based authentication for wireless clients and access-point authentication to the wireless clients. It authenticates wireless users terminating on the VPN gateway, and optionally talks to an OTP server.
- OTP server. This authorizes one-time password information relayed from the RADIUS server.
- Cisco LEAP implementation software. This includes Cisco AP350 or AP340 with firmware 11.10T; Cisco Aironet 350 or 340 client adapter firmware 42523; Cisco Aironet Client Utility 501001; Cisco Aironet Drivers 8.01.06; and Cisco Secure ACS Server (CSACS) v2.6 or later. This provides EAP, which allows wireless client adapters that may support different authentication types to communicate with different back-end servers such as RADIUS, and IEEE 802.1x, which provides port-based network access control.
Table 12.2: WISDOM Intermediate Security Elements

Each element is listed as Vulnerability, Threat, and Mitigation.

Password attack
Vulnerability: An attacker who obtains some sensitive password-derived data, such as a hashed password, performs a series of computations using every possible guess for the password. Because passwords are typically small by cryptographic standards, the password can often be determined by brute force. Depending on the system, the password, and the skills of the attacker, such an attack can be completed in days, hours, or perhaps only a few seconds. A password database should always be kept secret to prevent a dictionary attack on the data. Obsolete password methods also permit a dictionary attack by someone who eavesdrops on the network. Strong password policy enforcement methods prevent this occurrence.
Threat: Because LEAP does not support one-time passwords (OTPs), the user-authentication process is susceptible to password attacks.
Mitigation: Audit selected passwords for weakness and adherence to a good password usage policy that limits the number of tries for a logon before locking out the account.

WEP integrity and confidentiality attacks
Vulnerability: WEP is designed to handle integrity and confidentiality through the Integrity Check Value (ICV), where both the frame and ICV are encrypted. Both the WEP ICV and its encryption algorithm are flawed and, hence, subject to exploitation.
Threat: WEP vulnerabilities result in WLAN susceptibility to integrity and confidentiality attacks.
Mitigation: Use RADIUS to mitigate or eliminate this vulnerability through the central management of MAC addresses and a central database for authentication and key management.

Static MAC addresses
Vulnerability: Static MAC addresses.
Threat: MAC addresses are easily sniffed by an attacker because they must appear in the clear even when WEP is enabled, and wireless cards permit the changing of their MAC address via software.
Mitigation: Use RADIUS to avoid the need to manually program a static MAC address into each AP that processes user logon requests. This centralizes user management and domain/directory authentication, which makes it possible to create dynamic user- and session-specific keys instead of static keys for WEP encryption. Furthermore, it provides accounting reports that detail each user access and authentication attempt.

Unauthorized access
Vulnerability: The very nature of wireless networks makes them more susceptible to unauthorized access than wired networks. Because wireless is broadcast in nature, anyone within range of a wireless card can intercept the packets being sent out without interrupting the flow of data between wireless card and base station, which permits an attacker to gain access beyond the physical security perimeter.
Threat: Uncontrolled wireless access can allow attackers to read e-mail, sniff passwords, gain administrative access to machines, plant Trojan horses or backdoors, and use wireless access points to launch other attacks.
Mitigation: Use RADIUS reports to assist in tracking user access to resources and attempts to gain unauthorized access.

Unauthenticated access
Vulnerability: Authentication is a key element of network security control. Anonymous or unauthenticated access to a network can result in compromise, theft, or unauthorized destruction or modification of data.
Threat: Unauthenticated access can provide an opportunity for an unauthorized user to gain access to network, data, and resources.
Mitigation:
- Implement LEAP. LEAP only authenticates users who are authorized to access the wireless and wired network.
- Implement optional access control on the Layer 3 switch, which limits wired network access.

AP user password
Vulnerability: AP user password.
Threat: Login to the AP by an unauthorized user is possible if no password is required. Although you must use the default password when you first open the configuration pages of the AP, immediately change the password to avoid a security breach, because a default password is generally known or readily available.
Mitigation: Implement a strong AP user password with both alphanumeric and special characters and a minimum password length of eight characters. In addition, password expirations should be set at 30 days.

WEP IV weaknesses
Vulnerability: To avoid encrypting two ciphertexts with the same key stream, an Initialization Vector (IV) is used to augment the shared secret key and to produce a different RC4 key for each packet. The IV is also included in the packet, but both of these measures are implemented incorrectly, resulting in poor security.
Threat: Attacks against WEP rely on exploiting multiple weak IVs in a stream of encrypted traffic.
Mitigation: Implement LEAP to enable WEP key hashing. The IV and WEP key are hashed to produce a unique packet key (called a temporal key), which is then combined with the IV and XORed with the plaintext. This scenario prevents the weak IVs from being used to derive the base WEP key, because the weak IVs allow only the per-packet WEP key to be derived. In order to prevent attacks caused by IV collisions, the base key should be changed before the IVs repeat. Because IVs on a busy network can repeat in a matter of hours, mechanisms such as LEAP should be used to perform the rekey operation.

Static WEP key
Vulnerability: The weakness of most WLANs is their use of a single static WEP key that is shared among more than one user. In practice, many installations use a single key that is shared between all mobile stations and access points for ease of administration. From a security point of view, this practice results in unnecessary risk and is an unacceptable security practice.
Threat: The use of a static WEP key results in many users in a wireless network potentially sharing the identical key for long periods because of the lack of any key management provisions in the WEP protocol. If a computer such as a laptop were lost or stolen, the key could become compromised along with all of the other computers sharing that key. Moreover, because every station uses the same key, a large amount of traffic may be rapidly available to an eavesdropper for analytic attacks.
Mitigation: Implement LEAP. By employing a dynamic WEP encryption key for every user and enabling that key to change frequently, the LEAP security solution greatly diminishes the risk from this vulnerability. LEAP augments 802.11b WEP by creating a per-user, per-session, dynamic WEP key tied to the network logon, thereby addressing the limitations of static WEP.

Cleartext WEP IV
Vulnerability: The WEP IV is sent in cleartext and is subject to sniffer exploitation to determine the key stream and use it to decrypt the ciphertext.
Threat: The IV in WEP is a 24-bit field sent in the cleartext portion of a message. The 24-bit string, used to initialize the key stream generated by the RC4 algorithm, is a relatively small field when used for cryptographic purposes. Reuse of the same IV produces identical key streams for the protection of data, and the short IV guarantees that they will repeat after a relatively short time (typically 5 to 7 hours) in a busy network. Moreover, the 802.11 standard does not specify how the IVs are set or changed, and individual wireless NICs from the same vendor may all generate the same IV sequences, or some wireless NICs may possibly use a constant IV. As a result, hackers can record network traffic, determine the key stream, and use it to decrypt the ciphertext.
Mitigation: Implement LEAP. The LEAP security solution changes the IV on a per-packet basis so that hackers can find no predetermined sequence to exploit. This capability, coupled with the reduction in possible attack windows, greatly mitigates exposure to hacker attacks because of frequent key rotation. In particular, this makes it difficult to create table-based attacks based on the knowledge of the IVs seen on the wireless network.

IV and RC4 encryption key weaknesses
Vulnerability: The RC4 algorithm and its implementation by the WEP protocol have weaknesses that can be exploited. There are several weaknesses in the algorithm: it contains a large number of inherently weak keys, part of the key can be exposed to attackers if they can observe enough encrypted traffic, and there is a random generation issue for the keys.
Threat: The ability of an eavesdropper to know 24 bits of every packet key, combined with a weakness in the RC4 key schedule, leads to a deadly analytic attack that recovers the key after intercepting and analyzing only a relatively small amount of traffic. This attack has been perfected to the point that scripts are commonly available on the Internet for such purposes.
Mitigation: Implement LEAP. LEAP changes the IV on a per-packet basis so that hackers can find no predetermined sequence to exploit. This capability, coupled with the reduction in possible attack windows, greatly mitigates exposure to hacker attacks because of frequent key rotation. In particular, this makes it difficult to create table-based attacks based on the knowledge of the IVs seen on the wireless network. The original shared-secret secure-key derivation is used to construct responses to the mutual challenges. It undergoes irreversible one-way hashes that make password-replay attacks impossible. The hash values sent over the wire are valid for one-time use only at the start of the authentication process.

WEP cryptographic integrity
Vulnerability: WEP provides no cryptographic integrity protection and uses a noncryptographic Cyclic Redundancy Check (CRC) to check the integrity of packets, and acknowledges packets with the correct checksum. This can result in an unintended "side channel" attack and susceptibility to a specific CRC active attack.
Threat: WEP provides no cryptographic integrity protection, and the 802.11 MAC protocol uses a noncryptographic CRC to check the integrity of packets and acknowledges packets with the correct checksum. The combination of noncryptographic checksums with stream ciphers is dangerous and often leads to unintended "side channel" attacks, as is the case for WEP. An active attack permits the attacker to decrypt any packet by systematically modifying the packet and CRC, sending it to the AP, and noting whether the packet is acknowledged or not.
Mitigation: Implement LEAP. LEAP changes the IV on a per-packet basis so that hackers can find no predetermined sequence to exploit. This capability, coupled with the reduction in possible attack windows, greatly mitigates exposure to hacker attacks because of frequent key rotation. In particular, this makes it difficult to create table-based attacks based on the knowledge of the IVs used on the wireless network. The original shared-secret secure-key derivation is used to construct responses to the mutual challenges. It undergoes irreversible one-way hashes.

Broadcast monitoring
Vulnerability: If an access point is connected to a hub rather than a switch, any network traffic across that hub can potentially be broadcast over the wireless network.
Threat: 802.11 WLANs are susceptible to broadcast monitoring. An unauthorized user can monitor traffic, using a laptop NIC in promiscuous mode, when an access point is connected to a hub instead of a switch. Hubs generally broadcast all network traffic to all connected devices, which leaves the traffic vulnerable to unauthorized monitoring. For example, if a wireless access point were connected to an Ethernet hub, a device that was monitoring broadcast traffic could pick up data intended for wireless clients.
Mitigation: Ensure that switches are used instead of hubs for connections to wireless access points.

Replay attacks against WEP
Vulnerability: WEP is susceptible to an IV replay attack where an attacker sends a known plaintext to an observable wireless client, then sniffs the wireless client for ciphertext, and subsequently compares the plaintext and the ciphertext to derive the key stream. On average, a random selection of IVs will lead to IV reuse in around 5,000 packets.
Threat: The message integrity check (MIC) protects WEP frames from tampering. The MIC is based on a seed value, destination MAC, source MAC, and payload (i.e., any change to these will affect the MIC value). The MIC is included in the WEP-encrypted payload. The MIC uses a hashing algorithm to derive the resulting value. This is an improvement over the CRC-32 checksum function that is performed by standards-based WEP. With CRC-32, it is possible to compute the bit difference of two CRCs based on the bit difference of the messages over which they are taken. In other words, flipping bit n in the message results in a deterministic set of bits in the CRC that must be flipped to produce a correct checksum on the modified message. Because flipping bits carries through after an RC4 decryption, this allows the attacker to flip arbitrary bits in an encrypted message and correctly adjust the checksum so that the resulting message appears valid.
Mitigation: Implement LEAP.

IP spoofing
Vulnerability: The attack is based on the fact that Internet communication between distant computers is routinely handled by routers, which find the best route by examining the destination address but generally ignore the origination address. The origination address is only used by the destination machine when it responds back to the source. In a spoofing attack, the intruder sends messages to a computer indicating that the message has come from a trusted system. To be successful, the intruder must first determine the IP address of a trusted system and then modify the packet headers so that it appears as if the packets are coming from the trusted system. The attacker is fooling (spoofing) the distant computer into believing that it is a legitimate member of the network. The goal of the attack is to establish a connection that will allow the attacker to gain root access to the host, allowing the creation of a backdoor entry path into the target system.
Threat: WLANs are susceptible to IP spoofing. A hacker can use IP spoofing to gain unauthorized access to the network and computers. The intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of techniques, such as social engineering, to find an IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host.
Mitigation: Implement RFC 2827 filtering on the Layer 3 switch. After authenticating, RFC 2827 filtering on the Layer 3 switch restricts any spoofing to the local subnet range. Hackers cannot perform IP spoofing without first authenticating to the WLAN.

Address Resolution Protocol (ARP) spoofing
Vulnerability: ARP spoofing is a method of exploiting the interaction of the IP and Ethernet protocols. It is only applicable to Ethernet networks supporting IP. It involves constructing forged ARP replies. By sending forged ARP replies, a target could be made to send frames destined for computer A to computer B instead. Computer A will have no idea this redirection took place. The process of updating a target computer's ARP cache with a forged entry is referred to as "poisoning."
Threat: ARP is a TCP/IP-based protocol used to convert an IP address into a physical address (called a Data Link Control [DLC] address) such as an Ethernet address. A host wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP network. A host on the network that has the IP address in the request will reply with its physical hardware address. After authenticating, ARP spoofing attacks can be launched in the same manner as in a wired environment to intercept other users' data.
Mitigation: Implement LEAP for authentication control. Hackers cannot perform ARP spoofing without first authenticating to the WLAN.

Unauthorized network topology discovery
Vulnerability: Network topology discovery is part of the reconnaissance process for an adversary planning for unauthorized access to a network or an attack.
Threat: Unauthorized topology discovery can occur in the same way that is possible in the wired network. Network topology can aid an adversary in the attack planning phase when this information is not otherwise available.
Mitigation: Implement LEAP. Unauthorized users cannot perform network discovery if they are unable to authenticate.

Wireless packet sniffers
Vulnerability: The effort by which intruders can penetrate a wireless network is now being made easier with the release of several wireless sniffer software applications that allow intruders to passively collect data for real-time or later analysis. Such analysis can lead to the compromise of the network. AirSNORT is an application that utilizes known WEP flaws to extract the WEP key and allow unauthorized network access. NetStumbler is a full-featured wireless sniffer that logs an extensive array of information about any wireless network it happens to encounter: the MAC address of the access point, network name, SSID, the manufacturer, channel in use, signal strength, and whether WEP is enabled, to name a few. An intruder looking to attack a target wireless network can use all of this information.
Threat: Wireless packet sniffers can take advantage of any of the known WEP attacks to derive the encryption key.
Mitigation: Implement LEAP. These threats are mitigated by the WEP enhancements and key rotation provided by LEAP.

Man-in-the-middle attacks
Vulnerability: A man-in-the-middle security breach is when a malicious user intercepts, and possibly alters, data traveling along a network. Security auditing tools such as dsniff, sshmitm, and webmitm are capable of performing active man-in-the-middle attacks against encrypted SSH and HTTPS traffic. A rogue access point can utilize this default behavior to compel clients to connect to a node performing active man-in-the-middle attacks against sensitive traffic.
Threat: WLANs are susceptible to man-in-the-middle attacks. The man-in-the-middle or TCP hijacking attack is a well-known attack where an attacker sniffs packets from a network and modifies them. Next, the hacker inserts them back into the network traffic stream. There are a few programs and source codes available for doing a TCP hijack. TCP hijacking is an exploit that targets the victim's TCP-based applications such as Telnet, rlogin, ftp, mail applications, Web browsers, etc. An attacker can grab unencrypted confidential information from a victim's network-based TCP application and can further degrade the authenticity and integrity of the data.
Mitigation: Implement LEAP. The mutual authentication nature of LEAP combined with the MIC prevents a hacker from inserting himself into the path of wireless communications. LEAP ensures mutual authentication between a wireless client and a back-end RADIUS server (Access Control Server 2000 v2.6). Communication between the access point and the RADIUS server is via a secure channel. This eliminates man-in-the-middle attacks by rogue access points and RADIUS servers.
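A worked computation behind the IV figures in Table 12.2 (IV reuse in around 5,000 packets when IVs are chosen at random; repeats after 5 to 7 hours on a busy network when they are counted sequentially), added here to show how a base-key rekey interval shorter than the IV lifetime is derived. The code is not from the page's author; the packet rates used are assumed planning figures.

```python
"""Rekey-interval arithmetic for the 24-bit WEP IV (added worked example)."""
import math

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS  # 16,777,216 distinct IV values


def expected_packets_to_first_repeat(iv_space: int = IV_SPACE) -> float:
    """Expected number of uniformly random IVs drawn before the first repeat:
    sqrt(pi * N / 2) for N equally likely values (birthday problem)."""
    return math.sqrt(math.pi * iv_space / 2)


def repeat_probability(packets: int, iv_space: int = IV_SPACE) -> float:
    """Probability that at least one IV repeats among `packets` random IVs,
    using the standard approximation 1 - exp(-k(k-1) / 2N)."""
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * iv_space))


def hours_until_sequential_exhaustion(packets_per_second: float,
                                      iv_space: int = IV_SPACE) -> float:
    """With a counter IV, the first reuse comes once all N values are spent,
    so the keystream repeats after N / rate seconds."""
    return iv_space / packets_per_second / 3600.0


def max_rekey_interval_seconds(packets_per_second: float,
                               safety_factor: float = 0.5,
                               iv_space: int = IV_SPACE) -> int:
    """Largest base-key lifetime that keeps the IV counter from wrapping under
    the planning rate, with headroom (safety_factor) for traffic bursts.
    LEAP's periodic rekey should be configured below this value."""
    return int(iv_space * safety_factor / packets_per_second)


if __name__ == "__main__":
    print(f"random IVs: first repeat expected after "
          f"~{expected_packets_to_first_repeat():.0f} packets")
    print(f"P(at least one repeat within 5,000 random IVs) = "
          f"{repeat_probability(5000):.2f}")
    for rate in (500, 800):  # assumed busy-AP packet rates
        print(f"{rate} pkt/s: counter IV exhausted in "
              f"{hours_until_sequential_exhaustion(rate):.1f} h; "
              f"rekey at most every {max_rekey_interval_seconds(rate)} s")
```

At 800 packets per second the counter wraps in about 5.8 hours, matching the 5-to-7-hour figure in the table, and the random-IV birthday bound comes out near 5,100 packets.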
The WISDOM Intermediate Security topology is shown in Figure 12.2.