Wireless Network Technology

©2005 - material compiled by Bob Carnaghi, www.webpointmorpheus.com

Overview of Wireless Network Technology
Wireless networking of computers is the current hotspot in computer technology. This new technology has proven to be attractive, useful, and popular. Using this technology, computers and/or hand-held devices are networked via radio frequency, microwave (satellite), or the latest 'Bluetooth' technology. This document attempts to explain in a simple manner the position of wireless technology in the realm of computer networking.
Wireless devices are extremely flexible in terms of placement because they do not require the myriad of hard wires necessary in other types of network topology. The IEEE 802.11 standard specifies wireless Ethernet LAN technology with data transfer rates up to 11 MB/s. A more recent WLAN standard is 802.11a, which offers a maximum transmission speed of 54 Mbps. IEEE 802.11 devices operate in the 2.45 GHz range. The topology used in wireless networks is a typical star network. It is a wireless structure where stations send signals to each other via wireless hubs. Wireless connection to the Internet is possible through Wireless Access Points (WAP). The access method for IEEE 802.11b is CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance), which means that a node broadcasts a warning that it is about to use the network. Before actually transmitting data, it senses whether the network is clear in order to avoid a collision.
Wireless technology utilizes several of the security measures of conventional networks as well as some aspects which are unique to the wireless technology. In a wired network, an attacker needs to physically connect to the network. Access in the conventional wired system is at a hub, switch, or through remote access. In a wireless network anyone with a device that has a wireless network card installed can intercept traffic using publicly available tools from within range of a wireless access point. In order to assure security, the network must require authentication, as well as encrypt the data which is being transmitted. Listed below are the popular wireless networking standards and technologies.
Wireless Technologies
   802.11
Modulation is the process of impressing a data stream onto a carrier frequency. The IEEE 802.11 standard defines the MAC and Physical layer specifications for Wireless LANs which operate in the 2.4 GHz frequency range. The data rates supported by the 802.11 standard are 1 and 2 Mbps. The 802.11 standard was completely finalized around 1999. The MAC layer specifications determine how network devices access the media, which in wireless is the RF spectrum.
The 802.11a and 802.11b standards were subsequently developed and released. They improved the previous standard in speed and throughput.
   802.11b
The first wireless networking products that became widely available were based on the extended IEEE 802.11b standard. Because of the availability and affordability of 802.11b equipment, wireless use has grown in small offices. The 802.11b standard specifies data rates of 5.5 and 11 Mbps and calls for backwards compatibility with the 1 and 2 Mbps data rates of 802.11. 802.11b uses the 2.4 GHz frequency band. The Wireless Ethernet Compatibility Alliance (WECA) is concerned with the compatibility of 802.11b equipment from different manufacturers. Products based upon the 802.11b standard that pass the compatibility tests performed by WECA are given the Wi-Fi (Wireless Fidelity) logo.
   802.11a
The 802.11a standard increases the maximum data throughput to 54 Mbps. 802.11a is not compatible with 802.11, 802.11b, or 802.11g because it uses the 5 GHz frequency band. 802.11a also uses a different modulation scheme (OFDM) than 802.11 and 802.11b.
   802.11g
The 802.11g standard allows for data transfer rates up to 54 Mbps. It is backward-compatible with both 802.11 and 802.11b, thereby supporting both their data rates (1, 2, 5.5, and 11) and modulation scheme (QPSK). 802.11g also supports the modulation scheme used by 802.11a (OFDM). 802.11g is not compatible with 802.11a because 802.11g uses the 2.4 GHz frequency band.
   802.11x
The term 802.11x refers to the entire group of 802.11 WLAN standards. Some of these are still under development. All the standards outlined above are included, as well as several others which address speed, regional regulations, security, etc. Note the standard 802.1x, which minimizes wireless network security risks by using standard security protocols, such as RADIUS.
WAP
WAP - Wireless Application Protocol is a protocol developed for use with wireless devices: mobile phones, PDAs, etc. These devices use what is called a microbrowser which allows them to display WML (Wireless Markup Language) pages. WML is a diminutive of HTML.
A WAP[1] client does not communicate directly with a content server. The client connects to a WAP gateway that is responsible for encoding and decoding requests from the client as well as the responses from the server. The gateway is also responsible for WML Script compiling and end-user authentication. The gateway server is typically located at the operator, and provides the mobile connection services.
WAP is a suite of protocols which are similar to the TCP/IP protocol stack. It provides different functions at each separate layer. Note the Wireless Transport Layer Security protocol, which resides at the Security layer of the WAP protocol stack.
802.11 (Wireless) Security
The following tasks are examples of measures that should be taken to secure 802.11 based wireless networks:
  1. Change the default SSID in access points to something specific and limited to the particular network.
  2. Locate the WAP in an area where the signal will not be picked up by unauthorized clients. If possible, limit the AP's service area by reducing its power.
  3. Disable sending the SSID in the AP's broadcast beacon. This prevents showing the SSID to unauthorized wireless clients.
  4. Reserving MAC addresses (DHCP or WAP) to require a valid MAC address for clients may not be a secure solution by itself. MAC addresses can be easily spoofed, and are sent in clear-text even when WEP encryption is enabled.
  5. Implement a firewall and intrusion detection system between the wireless and wired networks.
  6. Disable the AP's DHCP feature and assign static IP addresses.
  7. Configure strong administrative passwords. Turn off remote administration features.
  8. Enable WEP (Wired Equivalent Privacy). Although it doesn't provide very strong security, it should be enabled nevertheless. Use 128-bit WEP encryption keys and rotate the keys often. Don't rely on WEP as your only means of encryption.
  9. Use VPN technology, such as IPSec or L2TP. Note: the use of a VPN will greatly decrease the throughput of a wireless network.
  10. Use the 802.1X port-based authentication protocol and EAP (Extended Authentication Protocol) to negotiate an authentication method. Use smartcards and a RADIUS server.
  11. Use WPA (Wireless Protected Access) with TKIP in place of WEP.
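An added example, not part of the original page: a small Python check that audits an access point's settings against the numbered checklist above and reports which items fail. The configuration keys, the list of factory SSIDs, the 12-character password floor and both sample configurations are assumptions constructed for illustration.

```python
# Added example: audit AP settings against the numbered checklist above.
# Config keys, FACTORY_SSIDS and the 12-character floor are assumptions.
FACTORY_SSIDS = {"default", "linksys", "netgear", "wireless"}

def audit(cfg):
    """Return a sorted list of (checklist item, finding) for one AP config."""
    out = []
    if cfg["ssid"].lower() in FACTORY_SSIDS:
        out.append((1, "SSID is a factory default"))
    if cfg["tx_power_pct"] >= 100:
        out.append((2, "transmit power not reduced; check coverage area"))
    if cfg["broadcast_ssid"]:
        out.append((3, "SSID is sent in the broadcast beacon"))
    if cfg["mac_filter"] and cfg["encryption"] == "none":
        out.append((4, "MAC filtering is the only access control"))
    if cfg["dhcp_server"]:
        out.append((6, "AP DHCP server is enabled"))
    if len(cfg["admin_password"]) < 12 or cfg["remote_admin"]:
        out.append((7, "weak admin password or remote administration on"))
    if cfg["encryption"] == "none":
        out.append((8, "traffic is not encrypted"))
    elif cfg["encryption"] == "wep-64":
        out.append((8, "WEP key shorter than 128 bits"))
    if not cfg["dot1x"]:
        out.append((10, "no 802.1X/EAP authentication via RADIUS"))
    if cfg["encryption"].startswith("wep"):
        out.append((11, "WEP in use; move to WPA with TKIP"))
    return sorted(out)

# Constructed sample configurations: factory state versus hardened state.
WEAK = {"ssid": "linksys", "tx_power_pct": 100, "broadcast_ssid": True,
        "mac_filter": True, "encryption": "none", "dhcp_server": True,
        "admin_password": "admin", "remote_admin": True, "dot1x": False}
HARDENED = {"ssid": "acct-floor3", "tx_power_pct": 50, "broadcast_ssid": False,
            "mac_filter": True, "encryption": "wpa-tkip", "dhcp_server": False,
            "admin_password": "v9!Rk2#pQx7m-Lz", "remote_admin": False,
            "dot1x": True}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

Items 5 and 9 (firewall/IDS placement and VPN use) are properties of the surrounding network rather than of the AP, so this check does not cover them.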
WEP
The WEP - Wired Equivalent Privacy protocol is part of the 802.11 standard. It has been developed to increase wireless LAN security. WEP is an effort to provide privacy in wireless networks that is similar to privacy in wired networks. Intercepting traffic by eavesdropping on a wireless network is very easy, hence it is essential that the traffic be encrypted. If the reader finds this hard to believe, take a notebook with a wireless card to any 'Cyber Cafe' and turn it on. The resulting network connections shown as active can be impressive.
When a client boots and establishes a wireless connection, it must first be associated with an access point. When the client becomes associated, it will then attempt authentication. The IEEE 802.11 standard provides for two types of authentication:
  1. Open System Authentication: The client broadcasts its MAC address to identify itself, and an AP replies with an authentication verification frame. Although the name implies differently, no actual authentication occurs when Open System Authentication is used.
  2. Shared Key Authentication: The client will be authenticated only if it is configured with a preshared key. This means that the same key must be configured on both the client and AP. The AP sends a challenge to the client requesting authentication. The challenge is encrypted using WEP and the shared key at the client, then sent back to the AP where it is decrypted to see if it matches the original challenge.
The key used for authentication can also be used for data encryption using WEP. Although this produces a significant amount of overhead, which can be disastrous on low-speed wireless networks such as 802.11b, it should be enabled nevertheless. When WEP data encryption is enabled, secret shared encryption keys are generated based on those used by the source station and the destination station. The frame bits are altered and sent between two wireless stations/APs.
WTLS
The WTLS - Wireless Transport Layer Security - protocol provides privacy, data integrity and authentication security services between a mobile device and a WAP gateway. It is used for establishing an encrypted connection which prevents data from being tampered with or forged without the sender's knowledge or consent. WTLS can also provide authentication services by using digital certificates. WTLS is based upon the Transport Layer Security (TLS) protocol, which itself is derived from the Secure Sockets Layer (SSL) protocol. WTLS is optimized for use with narrow-band low speed connections and low memory devices. It also supports dynamic key refreshing which ensures that the session key used to encrypt the data is updated frequently.
WTLS creates a secure connection between the client and the gateway. The gateway decrypts the data, then encrypts the data again using SSL/TLS for its connection to the content server.
The most vulnerable part of the WTLS system is the WAP gateway that performs the translation between WTLS and SSL traffic. For a few milliseconds the information resides in clear-text in the server's memory. This short period of time is referred to as the WAP gap. Because of this vulnerability, it is imperative that additional layers of security are implemented to protect the WAP gateway from being compromised. Some of the measures taken are hardening of the gateway server's OS, firewall protection, and disabling remote administration functions. It is also important that the translation process occur as quickly as possible, reducing the period of time the data is in its decrypted form.
WAP gateways are commonly used for other reasons, such as improved performance and backward compatibility. The latest version of the WAP specification, version 2.0, does not require a WAP gateway. The client can establish a connection directly to the application server using HTTP.
Site Surveys
The term 'site survey' has a double meaning. In a positive sense, a site survey will consist of a review of a network or potential network by professionals for determining the operational parameters of the network. In the sense of security, or an attack, a site survey means being 'cased out' by an attacker. Essentially, a site survey is an analysis of the network and its environment, and at a minimum will include the following tasks:
  1. Measure and establish the coverage of WAP(s) to decide the best position(s) for the WAP(s).
  2. Determine the need of an external boundary for the network.
  3. Determine if there may be other WAPs already existing in the vicinity.
  4. Locate and identify sources of natural and/or man-made interference that may degrade the performance of a wireless network.
  5. One of the tools that can aid in the process of performing a site survey is an RF spectrum and protocol analyzer. The same tool can be used by attackers to gain important information about a target network: SSIDs, MAC addresses, protocols, etc.
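An added example, not part of the original page: a defender's pass over site survey scan results that sorts each observed access point into authorized, unknown AP announcing the network's own SSID, interfering neighbour, or plain neighbour. The SSIDs, BSSIDs, channels, signal readings and the -80 dBm floor are all constructed assumptions.

```python
# Added example: classify access points seen during a site survey.
# Inventory and scan rows are constructed; no real network is described.
OUR_SSID = "corp-wlan-example"
AUTHORIZED = {"00:11:22:33:44:01": 1, "00:11:22:33:44:02": 11}  # BSSID -> channel

SCAN = [
    {"ssid": "corp-wlan-example", "bssid": "00:11:22:33:44:01", "channel": 1, "dbm": -48},
    {"ssid": "corp-wlan-example", "bssid": "00:11:22:33:44:02", "channel": 11, "dbm": -61},
    {"ssid": "corp-wlan-example", "bssid": "66:77:88:99:aa:bb", "channel": 6, "dbm": -40},
    {"ssid": "neighbour-cafe", "bssid": "de:ad:be:ef:00:01", "channel": 3, "dbm": -70},
    {"ssid": "far-away", "bssid": "de:ad:be:ef:00:02", "channel": 6, "dbm": -88},
]

def overlaps(a: int, b: int) -> bool:
    """2.4 GHz channels sit 5 MHz apart but are about 20 MHz wide, so
    channels fewer than 5 apart interfere (1, 6 and 11 do not)."""
    return abs(a - b) < 5

def classify(entry: dict, floor_dbm: int = -80) -> str:
    bssid = entry["bssid"].lower()
    if bssid in AUTHORIZED:
        # A BSSID match is a hint, not proof: MAC addresses can be spoofed,
        # so a known AP seen on an unexpected channel is reported separately.
        if entry["channel"] != AUTHORIZED[bssid]:
            return "authorized-wrong-channel"
        return "authorized"
    if entry["ssid"] == OUR_SSID:
        return "unknown-ap-using-our-ssid"
    strong = entry["dbm"] >= floor_dbm
    if strong and any(overlaps(entry["channel"], c) for c in AUTHORIZED.values()):
        return "neighbour-interference"
    return "neighbour"

def survey(scan: list) -> dict:
    """Map each observed BSSID to its classification."""
    return {e["bssid"]: classify(e) for e in scan}

if __name__ == "__main__":
    for bssid, verdict in survey(SCAN).items():
        print(f"{bssid}  {verdict}")
```

An "unknown-ap-using-our-ssid" result is the one to investigate first, since it matches the traffic-rerouting setup listed under Vulnerabilities.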
Vulnerabilities
Wireless networks are susceptible to the same plagues as conventional networks, and some that are wireless-specific. A few of these are DoS, DDoS, spoofing, Man-in-the-Middle, hijacking, port scanning, etc. Eavesdropping is one of the most common wireless vulnerabilities. Listed below are other typical vulnerabilities suffered in wireless networks:
  1. Man-in-the-middle attacks: Wireless networks are particularly vulnerable to man-in-the-middle attacks. These attacks are similar to eavesdropping. A typical setup is a laptop and two wireless network cards which are used to reroute and capture traffic without a user's knowledge.
  2. War driving: This is an activity that is similar to war dialing. War dialing is the practice of dialing random phone numbers to determine if there may be a modem attached. War driving refers to the act of driving in a car which has a powerful antenna connected to a notebook that is using a wireless sniffer. Using a packet sniffer, such as NetStumbler, wireless networks can be detected.
  3. Jamming: A type of DoS attack whereby an attacker uses an RF signal generator to cause an unusually high noise level. This effectively disables an access point. Bluetooth devices can effectively jam 802.11 networks under certain circumstances.
   Footnotes:
  1. Not to be confused with Wireless Access Point.
  2. Wireless networks can run in two modes: ad-hoc and infrastructure mode. Ad-hoc mode directly connects two devices. Infrastructure mode connects devices through a WAP. This document speaks to infrastructure mode.
  3. This document has endeavored to cover the material necessary to pass the CompTIA Network+ exam.
  4. Wireless networking is a new and evolving technology. This document may quickly become outdated. See the last revision date, below.
This page was last modified: Wednesday July 20, 2005 7:35 AM