NETWORK SECURITY
WIRELESS SECURITY ISSUES
MAI Xuân Phú

CONTENT
Attacks on Wireless Networks
Wired Equivalent Privacy (WEP) Protocol
o Mechanism
o Weaknesses in the WEP Scheme
Wi-Fi Protected Access (WPA)
IEEE 802.11i/WPA2
Virtual Private Network (VPN)
o Point-to-Point Tunneling Protocol (PPTP)
o Layer-2 Transport Protocol (L2TP)
Internet Protocol Security (IPSec)

Thanks
Some contents of this course are referenced and copied from:
o J. Wang, Computer Network Security Theory and Practice. Springer 2008
o Pascal Meunier, Network Security, Section 7, May 2004, updated July 30, 2004
o K. Kothapalli & B. Bezawada, Security Issues and Challenges in Wireless Networks
o Randy H. Katz, Wireless Communications and Mobile Computing, Berkeley
o Jim Kurose & Keith Ross, “Computer Networking: A Top-Down Approach”, 3rd edition, 2004

Internet security threats
Mapping:
o before attacking: “case the joint” – find out what services are implemented on network
o Use ping to determine what hosts have addresses on network
o Port-scanning: try to establish TCP connection to each port in sequence (see what happens)
o nmap mapper: “network exploration and security auditing”
Countermeasures?
Source: Jim Kurose & Keith Ross, Computer Networking: A Top Down Approach Featuring the Internet, 3rd edition, Chapter 8: Network Security

Internet security threats
Mapping: countermeasures
o record traffic entering network
o look for suspicious activity (IP addresses, ports being scanned sequentially)

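The "ports being scanned sequentially" check, as an added example that is not part of the original slides or the cited textbook. The record format, addresses and thresholds (min_run, window_s) are constructed assumptions; real input would come from firewall or flow logs.

```python
from collections import defaultdict

# Constructed inbound connection attempts (not real traffic):
# "<time_s> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
10.0 203.0.113.5 192.0.2.10 443
10.2 198.51.100.7 192.0.2.10 20
10.3 198.51.100.7 192.0.2.10 21
10.4 198.51.100.7 192.0.2.10 22
10.5 198.51.100.7 192.0.2.10 23
10.6 198.51.100.7 192.0.2.10 24
10.7 198.51.100.7 192.0.2.10 25
11.0 203.0.113.5 192.0.2.10 443
42.0 203.0.113.9 192.0.2.10 80
95.0 203.0.113.9 192.0.2.10 81
"""

def longest_sequential_run(events, window_s):
    """Longest run of ports p, p+1, p+2, ... in time order, each probe
    arriving within window_s seconds of the previous one."""
    best = run = 0
    prev = None
    for time, port in sorted(events):
        sequential = prev and port == prev[1] + 1 and time - prev[0] <= window_s
        run = run + 1 if sequential else 1
        best = max(best, run)
        prev = (time, port)
    return best

def detect_sequential_scans(log_text, min_run=5, window_s=2.0):
    """Return {(src, dst): run_length} for pairs probing >= min_run ports in sequence."""
    per_pair = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        try:
            time, port = float(fields[0]), int(fields[3])
        except (IndexError, ValueError):
            continue  # skip malformed records
        per_pair[(fields[1], fields[2])].append((time, port))
    runs = {pair: longest_sequential_run(ev, window_s) for pair, ev in per_pair.items()}
    return {pair: run for pair, run in runs.items() if run >= min_run}

if __name__ == "__main__":
    for (src, dst), run in detect_sequential_scans(SAMPLE_LOG).items():
        print(f"ALERT {src} -> {dst}: {run} ports probed in sequence")
```

A repeated connection to one port and two adjacent ports probed almost a minute apart are not flagged; only the source that walks ports 20 to 25 within the window is.
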
Internet security threats
Packet sniffing:
o broadcast media
o promiscuous NIC reads all packets passing by
o can read all unencrypted data (e.g. passwords)
o e.g.: C sniffs B’s packets
[Figure: hosts A, B and C; packet labelled src:B dest:A payload]
Countermeasures?

Internet security threats
Packet sniffing: countermeasures
o all hosts in organization run software that checks periodically if host interface in promiscuous mode.
o one host per segment of broadcast media (switched Ethernet at hub)
[Figure: hosts A, B and C; packet labelled src:B dest:A payload]

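One way to implement the promiscuous-mode check on a Linux host, as an added example that is not part of the original slides. It assumes the Linux sysfs layout (/sys/class/net/<interface>/flags holding the interface flags in hex); the allow-list parameter is a hypothetical addition for bridges and monitoring ports that legitimately run promiscuous.

```python
import os

IFF_PROMISC = 0x100  # Linux interface flag bit for promiscuous mode

def promiscuous_interfaces(sysfs_net="/sys/class/net"):
    """Return sorted names of interfaces whose flags have IFF_PROMISC set."""
    found = []
    try:
        names = os.listdir(sysfs_net)
    except OSError:
        return found  # not Linux, or sysfs not mounted
    for name in names:
        try:
            with open(os.path.join(sysfs_net, name, "flags")) as fh:
                flags = int(fh.read().strip(), 16)
        except (OSError, ValueError):
            continue  # entry without a readable flags file
        if flags & IFF_PROMISC:
            found.append(name)
    return sorted(found)

def unexpected_promiscuous(allowed=(), sysfs_net="/sys/class/net"):
    """Promiscuous interfaces that are not on the allow-list."""
    return [n for n in promiscuous_interfaces(sysfs_net) if n not in allowed]

if __name__ == "__main__":
    # Run from a scheduler (cron, systemd timer) to get the periodic check.
    for name in unexpected_promiscuous():
        print(f"WARNING: {name} is in promiscuous mode")
```
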
Internet security threats
IP Spoofing:
o can generate “raw” IP packets directly from application, putting any value into IP source address field
o receiver can’t tell if source is spoofed
o e.g.: C pretends to be B
[Figure: hosts A, B and C; packet labelled src:B dest:A payload]
Countermeasures?

Internet security threats
IP Spoofing: ingress filtering
o routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router’s network)
o great, but ingress filtering cannot be mandated for all networks
[Figure: hosts A, B and C; packet labelled src:B dest:A payload]

Internet security threats
Denial of service (DOS):
o flood of maliciously generated packets “swamp” receiver
o Distributed DOS (DDOS): multiple coordinated sources swamp receiver
o e.g., C and remote host SYN-attack A
[Figure: hosts A, B and C; multiple SYN packets]
Countermeasures?

Internet security threats
Denial of service (DOS): countermeasures
o filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
o traceback to source of floods (most likely an innocent, compromised machine)
[Figure: hosts A, B and C; multiple SYN packets]

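Why a SYN filter in front of the host "throws out good with bad", as an added example that is not part of the original slides. It models the filter as a token bucket over constructed arrival times; the rates, burst size and addresses are assumptions chosen for illustration, and the function names are hypothetical.

```python
def syn_filter(packets, rate_per_s, burst):
    """Token-bucket SYN limiter placed in front of the host.
    packets: time-ordered (time_ms, src, is_legit). Integer arithmetic in
    milli-tokens keeps the result exact. Returns (passed, dropped)."""
    cap = burst * 1000
    tokens, last = cap, None
    passed, dropped = [], []
    for pkt in packets:
        if last is not None:
            tokens = min(cap, tokens + (pkt[0] - last) * rate_per_s)
        last = pkt[0]
        if tokens >= 1000:        # one whole token admits one SYN
            tokens -= 1000
            passed.append(pkt)
        else:
            dropped.append(pkt)   # the filter cannot tell good from bad
    return passed, dropped

def constructed_syns(duration_s=10, flood_per_s=100, legit_per_s=2):
    """Constructed arrivals: flood SYNs whose source addresses keep changing
    (so the filter cannot key on source) plus a few legitimate clients."""
    pkts = []
    for i in range(duration_s * flood_per_s):
        pkts.append((i * 1000 // flood_per_s, f"10.0.{i // 250}.{i % 250 + 1}", False))
    for i in range(duration_s * legit_per_s):
        pkts.append((i * 1000 // legit_per_s + 3, f"192.0.2.{i + 1}", True))
    return sorted(pkts)

def run(rate_per_s=10, burst=10, **traffic):
    """Filter the constructed traffic and count outcomes per class."""
    passed, dropped = syn_filter(constructed_syns(**traffic), rate_per_s, burst)
    count = lambda pkts, legit: sum(1 for p in pkts if p[2] is legit)
    return {"legit_passed": count(passed, True), "legit_dropped": count(dropped, True),
            "flood_passed": count(passed, False), "flood_dropped": count(dropped, False)}

if __name__ == "__main__":
    print("under flood:", run())
    print("no flood:   ", run(flood_per_s=0))
```

The host is protected from most of the flood, but once the bucket is drained nearly every legitimate SYN is dropped as well; with no flood the same filter admits all of them.
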
Wireless Network Security
Wireless stations, or nodes, communicate over a wireless medium
Security threats are imminent due to the open nature of communication
o Two main issues: authentication and privacy
o Other serious issues: denial-of-service…
A categorization is required to understand the issues in each situation
Source: K. Kothapalli & B. Bezawada, Security Issues and Challenges in Wireless Networks

Wireless Threats
Medium is open to most attackers in the neighborhood of a wireless node
o Near-impossibility of establishing a clear physical security boundary
  • Higher gain antennas can be used to overcome distance or a weak signal
Remote attackers can aim at:
o The physical layer
o The link layer
  • Media Access Control (MAC)
  • Logical link
o The network layer
Source: Pascal Meunier, Network Security, Section 7

Threats
DoS attacks
o Jamming
o Fake collisions
o Amplification
Integrity attacks
o Packets captured, modified and re-injected
Confidentiality attacks
o Capture passwords, authentication tokens, etc.
Authentication and Accountability attacks
o Anonymity for attacker
o Reassign accountability to network or account owners

Threats in Present Solutions
MAC Layer
Denial of Service
o Can hog the medium by sending noise continuously.
o Can be done without draining the power of the adversary.
o Depends on physical carrier sensing threshold.
Source: K. Kothapalli & B. Bezawada, Security Issues and Challenges in Wireless Networks

Threats in Present Solutions
MAC Layer
802.11 standard uses Access Control Lists for admission control.
If MAC address not in the list, then the node is denied access.
o But easy to spoof MAC addresses.
[Figure: list of MAC addresses: 00:1A:A0:FD:FF:2E, 00:0C:76:7F:DF:49, 00:13:D3:07:2F:A8, 00:2F:B8:77:EA:B5]

Threats in Present Solutions
Network Layer
Ad hoc networks
o Network layer
  • Denial-of-service attacks
  • Broadcast nature of communication
  • Packet dropping
  • Route discovery failure in ad hoc network
  • Packet rerouting

Threats in Present Solutions
Network Layer
Denial-of-service
o Easy to mount in wireless network protocols.
o One strategically placed adversary can generally disable a dense part of the network.
[Figure: Nodes Disrupting Routes (Source, Destination)]

Threats in Present Solutions
Network Layer
Can simply engage in conversation and drain battery power of other nodes – power exhaustion attack
o Send a lot of RREQ messages but never use the routes.
[Figure: RREQ(a), RREQ(b), RREQ(c), …]

Threats in Present Solutions
Network Layer
Broadcast nature of communication
o Each message can be received by all nodes in the transmission range
o Packet sniffing is a lot easier than in wired networks.
o Poses a data privacy issue
[Figure: nodes s, t and A]

Threats in Present Solutions
Network Layer
Route discovery in ad hoc networks
o AODV discovers route by RREQ/RREP.
o A few adversarial nodes can cause route discovery to fail.
o Difficult to detect route discovery failures.
o Also vulnerable to RREP replays.
[Figure: RREQ messages]

Threats in Present Solutions
Network Layer
Packet dropping
o Wired networks can monitor packet drops reasonably
o Such mechanisms are resource intensive for wireless networks
o AODV has timeouts but no theoretical solutions
  • Difficult to distinguish packet drops, say RREQs, from non-existence of route itself
o Nodes sometimes behave selfishly to preserve resources

Threats in Present Solutions
Network Layer
Packet rerouting – also known as data plane attacks.
Attacker reveals paths but does not forward data along these paths.
Control plane measures do not suffice.
[Figure: nodes s and t]

Threats in Present Solutions
Application Layer
Easy to infect mobile devices.
Rerouting content through the base station poses privacy issues.
o Bluetooth networks and ad hoc networks do not have a base station facility.
Contrast with wired networks with firewalls, filters, sandboxes.