Hack proofing your wireless network
- 513 pages
- .pdf file

1 YEAR UPGRADE BUYER PROTECTION PLAN™

Protect Your Wireless Network From Attack
• Complete Coverage of Wireless Standards: IEEE 802.15, HomeRF, IEEE 802.11, IEEE 802.16, Bluetooth, WEP, and WAP
• Hundreds of Damage & Defense, Tools & Traps, and Notes from the Underground Sidebars, Security Alerts, and FAQs
• Complete Case Studies: Using Closed Systems, Deploying IP Over the WLAN, Utilizing a VPN, Filtering MAC Addresses, and More!

Christian Barnes
Tony Bautts
Donald Lloyd
Eric Ouellet
Jeffrey Posluns
David M. Zendzian
Neal O’Farrell Technical Editor
182_HPwireless_FM.qxd 2/6/02 12:43 PM Page i
[email protected]
With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

[email protected] is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
■ “Ask the Author” customer query forms that enable you to post questions to our authors and editors.
■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase.

Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.
www.syngress.com/solutions
Christian Barnes
Tony Bautts
Donald Lloyd
Eric Ouellet
Jeffrey Posluns
David M. Zendzian
Neal O'Farrell Technical Editor
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” and “Ask the Author UPDATE®,” are registered trademarks of Syngress Publishing, Inc. “Mission Critical™,” “Hack Proofing™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
KEY SERIAL NUMBER
001 QJG4TY7UT5
002 KKLRT5W3E4
003 PMERL3SD6N
004 AGD34B3BH2
005 NLU8EVYN7H
006 ZFG4RN38R4
007 CWBV22YH6T
008 9PB9RGB7MR
009 R3N5M4PVS5
010 GW2EH22WF8
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Hack Proofing Your Wireless Network
Copyright © 2002 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of
America. Except as permitted under the Copyright Act of 1976, no part of this publication may be
reproduced or distributed in any form or by any means, or stored in a database or retrieval system,
without the prior written permission of the publisher, with the exception that the program listings
may be entered, stored, and executed in a computer system, but they may not be reproduced for
publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-59-8
Technical Editor: Neal O’Farrell
Technical Reviewer: Jeffrey Posluns
Acquisitions Editor: Catherine B. Nolan
Developmental Editor: Kate Glennon
Cover Designer: Michael Kavish
Page Layout and Art by: Shannon Tozier
Copy Editor: Michael McGee
Indexer: Ed Rush
Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.
Acknowledgments
We would like to acknowledge the following people for their kindness and support
in making this book possible.
Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight
into the challenges of designing, deploying and supporting world-class enterprise
networks.
Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner,
Kevin Votel, Kent Anderson, and Frida Yara of Publishers Group West for sharing
their incredible marketing experience and expertise.
Jacquie Shanahan and AnnHelen Lindeholm of Elsevier Science for making certain
that our vision remains worldwide in scope.
Annabel Dent of Harcourt Australia for all her help.
David Buckland, Wendi Wong, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Ethan Atkin at Cranbury International for his help in expanding the Syngress
program.
Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene
Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates
for all their help and enthusiasm representing our product in Canada.
Lois Fraser, Connie McMenemy, Shannon Russell and the rest of the great folks at
Jaguar Book Group for their help with distribution of Syngress books in Canada.
Contributors
Donald Lloyd (CCNA, CCSE, CCSA), co-author of Designing a Wireless Network (Syngress Publishing, ISBN: 1-928994-45-8), is a Senior Consultant at Lucent Worldwide Services (Enhanced Services and Sales) and a Regional Leader for their Fixed Wireless Practice. His specialties include network security architecture and wireless network design, as well as the implementation of Juniper routers. Donald’s background includes a successful career with International Network Services, and now Lucent Technologies. Besides “unwiring” corporate offices, Donald has spent considerable time designing and deploying secure wireless networks in remote oil and gas fields. These networks not only carry voice and data traffic, but also help energy companies monitor the pipelines that carry these commodities.
David M. Zendzian is CEO and High Programmer with DMZ Services, Inc. He provides senior IT and security solutions to single person startups and multi-national corporations “anywhere the Net touches.” His specialties include large- and small-scale IT and security designs, deployments, infrastructure audits, and complete managed support. David’s background includes positions with Wells Fargo Bank as a Security Consultant where he developed and evaluated platform-specific security standards, assisted with identification of security risks to applications, and designed bank interconnectivity projects that required firewalls, VPNs, and other security devices. He was also a founding partner in one of the first Internet service providers of South Carolina and founder of the first wireless ISP in the Carolinas, Air Internet.

David is an active Debian Linux developer who maintains packages for network audio streaming (icecast, liveice) and the PGP Public Keyserver (pks). He has provided patches to several projects, most notably to the Carnegie Mellon Simple Authentication and Security Layer (SASL). David studied computer science at the oldest municipal college in America, The College of Charleston in Charleston, SC. He currently lives in the San Francisco area with his wife, Dana. David would like to thank Change and N8 for providing support and critical commentary needed to finish this work.
Eric Ouellet (CISSP) is a Senior Partner with Secure Systems Design Group, a network design and security consultancy based in Ottawa, Ontario, Canada. He specializes in the implementation of networks and security infrastructures from both a design and a hands-on perspective. Over his career, he has been responsible for designing, installing, and troubleshooting WANs using CISCO, Nortel, and Alcatel equipment, configured to support voice, data, and video conferencing services over terrestrial, satellite relay, wireless, and trusted communication links. Eric has also been responsible for designing some of the leading Public Key Infrastructure deployments currently in use and for devising operational policy and procedures to meet the Electronic Signature Act (E-Sign) and the Health Insurance Portability and Accountability Act (HIPAA). He has provided his services to financial, commercial, government, and military customers including US Federal Government, Canadian Federal Government, and NATO. He regularly speaks at leading security conferences and teaches networking and CISSP classes. He is currently working on two upcoming titles with Syngress Publishing, Building a Cisco Wireless LAN (ISBN: 1-928994-58-X) and Sniffer Network Optimization and Troubleshooting Handbook (ISBN: 1-931836-57-4). Eric would like to acknowledge the understanding and support of his family and friends during the writing of this book, and “The Boys” for being who they are.
Christian Barnes (CCNP, CCDA, MCSE, MCP+I, CNA, A+) is a member of the Consulting Staff at Lucent Worldwide Services (Enhanced Services and Sales). He is a contributing author to Designing a Wireless Network (Syngress Publishing, ISBN: 1-928994-45-8) and he currently provides technical consultation to clients in the South Central Region for Lucent Technologies. His areas of expertise include Cisco routers and switches, wide area network architecture, troubleshooting and optimization, network security, wireless access, and Microsoft NT and 2000 networking design and support. Chris has worked with clients such as Birch Telecom, Williams Energy, and the Cerner Corporation.
Randy Hiser is a Senior Network Engineer for Sprint’s Research, Architecture and Design Group, with design responsibilities for home distribution and DSL self-installation services for Sprint’s Integrated On Demand Network. He is knowledgeable in the area of multimedia services and emerging technologies, has installed and operated fixed wireless MMDS facilities in the Middle East, and has patented network communication device identification in a communication network for Sprint. He lives with his wife, Deborah, and their children, Erin, Ryan, Megan, Jesse, and Emily, in Overland Park, KS.
Andy McCullough (BSEE, CCNA, CCDA) has been in network consulting for over seven years. He is currently a Distinguished Member of the Consulting Staff at Lucent Worldwide Services (Enhanced Services and Sales). Andy has done architecture and design work for several global customers of Lucent Technologies including Level 3 Communications, Sprint, MCI/WorldCom, the London Stock Exchange, and British Telecom. His areas of expertise include network architecture and design, IP routing and switching, and IP multicast. Prior to working for Lucent, Andy ran a consulting company and a regional ISP.

Andy is co-author of Building Cisco Remote Access Networks (Syngress Publishing, ISBN: 1-928994-13-X). He is also an Assistant Professor at a community college in Overland Park, KS, where he teaches networking classes.
Tony Bautts is a Senior Security Consultant with Astech Consulting. He currently provides security advice and architecture for clients in the San Francisco Bay area. His specialties include intrusion detection systems, firewall design and integration, post-intrusion forensics, bastion hosting, and secure infrastructure design. Tony’s security experience has led him to work with Fortune 500 companies in the United States as well as two years of security consulting in Japan. He is also involved with the BerkeleyWireless.net project, which is working to build neighborhood wireless networks for residents of Berkeley, CA.
Jeffrey A. Wheat (Lucent WaveLAN Wireless Certification, FORE ATM Certification) is a Principal Member of the Consulting Staff at Lucent Worldwide Services. He currently provides strategic direction and architectural design to Lucent Service Provider and Large Enterprise customers. He is an ATM and Testing Methodology Subject Matter Expert within Lucent, and his specialties include convergence architectures and wireless architectures. Jeff’s background with Lucent includes design engagements with Metricom, Sprint ION, Sprint PCS, Raytheon, and Marathon Oil. Prior to his employment with Lucent, Jeff spent 11 years working for the U.S. Intelligence Agencies as a network architect and systems engineer. Jeff graduated from the University of Kansas in 1986 with a Bachelor of Science degree in Computer Science and currently resides in Kansas City with his wife, Gabrielle, and their two children, Madison and Brandon.
Technical Editor
Neal O’Farrell is founder and CEO of security training firm Hackademia Inc., where he oversees the development of more than 30 Web-based security training courses. Neal is a panel expert and regular columnist on SearchSecurity.com and was recently elected Chair of the first Cybercrime on Wall Street Conference. He has written more than one hundred articles and three books, appearing in publications as diverse as Business Week, Information Week, NetWorker, and Wireless Design News. With a career in information security that spans nearly two decades, Neal was recently described by the Institute for International Research as one of the world’s top 20 security experts. Neal got his first taste of wireless security in the mid-1980s when he was asked by the Irish government to develop a security system for the nation’s fledgling cellular network.

In 1989 he co-hosted with IBM one of Europe’s first network security conferences, and later helped Nokia incorporate security into their first generation of cellular telephones. As the head of the European crypto firm Intrepid, Neal leads the development of some of the world’s most advanced voice, data, and fax encryption systems, including MilCode, a European rival of the U.S. government’s Secure Telephone Unit (STU 3).
Technical Reviewer
Jeffrey Posluns (CISA, CISSP, CCNP, SSCP, GSEC) is an information security specialist with over eight years of specialized experience in security methodologies, audits, and controls. He has extensive expertise in the analysis of hacker tools and techniques, intrusion detection, security policies, and incident response procedures.

Jeffrey has held the position of Chief Technology Officer of SecureOps for the past three years, where he has the responsibility of bringing technical vision and strategy to the company, overseeing the development and implementation of all technological initiatives, and being a key resource in the research and development of new practices, methodologies, procedures, and information assets. Jeffrey is a regular speaker at industry conferences organized by such groups as the Information Systems Audit and Control Association (ISACA) and the Association of Certified Fraud Examiners (ACFE). He also speaks regularly for, and participates in, various panels and working groups promoting information security awareness with the Canadian IT, government, and law enforcement industries.
Contents
Foreword xxvii
Chapter 1 The Wireless Challenge 1
Introduction 2
Wireless Technology Overview 2
Defining Cellular-based Wireless 3
Defining the Wireless LAN 3
The Convergence of Wireless Technologies 3
Trends and Statistics 4
Increasing Use of Information Appliances 5
The Future of Wireless, circa 2005 6
Understanding the Promise of Wireless Networking 7
Wireless Networking Applications for Business 9
Wireless Networking Applications for Consumers 14
Understanding the Benefits of Wireless 16
Convenience 16
Flexibility 16
Roaming 18
Mobility 21
Affordability 22
Speed 22
Aesthetics 24
Productivity 24

Answers to Your Wireless Questions
Q: Will i-Mode be available in North America or Europe?
A: Although i-Mode parent NTT DoCoMo has ownership stakes in several North American and European cellular operators, it is not expected that i-Mode, as it currently exists, will be offered in these markets. This is primarily due to the limited 9.6 Kbps access rates.

Facing the Reality of Wireless Today 24
Standards Conflicts 25
Commercial Conflicts 27
Market Adoption Challenges 27
The Limitations of “Radio” 27
Radio Range and Coverage 30
Use of Antennas 30
Interference and Coexistence 31
The Limitations of Wireless Security 32
Cellular-based Wireless Networks and WAP 34
Wireless LAN Networks and WEP 35
Examining the Wireless Standards 38
Cellular-based Wireless Networks 38
Communications Technologies 39
Wireless LAN Networks 46
802.11 WLAN 47
HomeRF 54
802.15 WPAN 57
802.16 WMAN 60
Understanding Public Key Infrastructures and Wireless Networking 62
Overview of Cryptography 63
Summary 68
Solutions Fast Track 69
Frequently Asked Questions 73
Chapter 2 A Security Primer 75
Introduction 76
Understanding Security Fundamentals and Principles of Protection 76
Ensuring Confidentiality 77
Ensuring Integrity 78
Ensuring Availability 80
Ensuring Privacy 81
Ensuring Authentication 81
Ensuring Authorization 85
Ensuring Non-repudiation 87
Accounting and Audit Trails 90
Using Encryption 92
Encrypting Voice Data 92
Encrypting Data Systems 93
Reviewing the Role of Policy 93
Identifying Resources 96
Understanding Classification Criteria 97
Implementing Policy 98
Recognizing Accepted Security and Privacy Standards 101
Reviewing Security Standards 101
Early Security Standards 102
Understanding the Common Criteria Model 104
ISO 17799/BS 7799 104
ISO 7498-2 104
ISO 10164-8 104
ISO 13888 105
Reviewing Privacy Standards and Regulations 106
NAIC Model Act 106
Gramm-Leach-Bliley Act 106
HIPAA 108
Electronic Signatures in the Global and National Commerce Act 111
COPPA 112
Civil Liability Law 112
Addressing Common Risks and Threats 113
Experiencing Loss of Data 113
Loss of Data Scenario 113
Experiencing Denial and Disruption of Service 114

Tools & Traps…
Clear-text Authentication
An example of a brute-force password dictionary generator that can produce a brute-force dictionary from specific character sets can be found at www.dmzs.com/tools/files. Other brute force crackers, including POP, Telnet, FTP, Web and others, can be found at http://packetstormsecurity.com/crackers.

Disruption of Service Scenario 114
Eavesdropping 115
Eavesdropping Scenario 117
Preempting the Consequences of an Organization’s Loss 117
Security Breach Scenario 118
Summary 119
Solutions Fast Track 120
Frequently Asked Questions 123
Chapter 3 Wireless Network Architecture and Design 125
Introduction 126
Fixed Wireless Technologies 127
Multichannel Multipoint Distribution Service 127
Local Multipoint Distribution Services 129
Wireless Local Loop 129
Point-to-Point Microwave 130
Wireless Local Area Networks 132
Why the Need for a Wireless LAN Standard? 132
What Exactly Does the 802.11 Standard Define? 134
Does the 802.11 Standard Guarantee Compatibility across Different Vendors? 137
802.11b 138
802.11a 139
802.11e 140
Developing WLANs through the 802.11 Architecture 141
The Basic Service Set 141
The Extended Service Set 143
Services to the 802.11 Architecture 143
The CSMA-CA Mechanism 145

Fixed Wireless Technologies
In a fixed wireless network, both transmitter and receiver are at fixed locations, as opposed to mobile. The network uses utility power (AC). It can be point-to-point or point-to-multipoint, and may use licensed or unlicensed spectrums.

The RTS/CTS Mechanism 146
Acknowledging the Data 146
Configuring Fragmentation 147
Using Power Management Options 147
Multicell Roaming 147
Security in the WLAN 148
Developing WPANs through the 802.15 Architecture 150
Bluetooth 150
HomeRF 153
High Performance Radio LAN 153
Mobile Wireless Technologies 154
First Generation Technologies 155
Second Generation Technologies 156
2.5G Technology 156
Third Generation Technologies 156
Wireless Application Protocol 157
Global System for Mobile Communications 158
General Packet Radio Service 160
Short Message Service 160
Optical Wireless Technologies 160
Exploring the Design Process 161
Conducting the Preliminary Investigation 162
Performing Analysis of the Existing Environment 162
Creating a Preliminary Design 163
Finalizing the Detailed Design 164
Executing the Implementation 164
Capturing the Documentation 165
Creating the Design Methodology 166
Creating the Network Plan 166
Gathering the Requirements 167
Baselining the Existing Network 168
Analyzing the Competitive Practices 169
Beginning the Operations Planning 169
Performing a Gap Analysis 169
Creating a Technology Plan 170
Creating an Integration Plan 171
Beginning the Collocation Planning 171
Performing a Risk Analysis 171
Creating an Action Plan 172
Preparing the Planning Deliverables 172
Developing the Network Architecture 173
Reviewing and Validating the Planning Phase 173
Creating a High-Level Topology 173
Creating a Collocation Architecture 174
Defining the High-Level Services 174
Creating a High-Level Physical Design 175
Defining the Operations Services 175
Creating a High-Level Operating Model 175
Evaluating the Products 176
Creating an Action Plan 177
Creating the Network Architecture Deliverable 177
Formalizing the Detailed Design Phase 177
Reviewing and Validating the Network Architecture 178
Creating the Detailed Topology 178
Creating a Detailed Service Collocation Design 179
Creating the Detailed Services 179
Creating a Detailed Physical Design 180
Creating a Detailed Operations Design 181
Creating a Detailed Operating Model Design 181
Creating a Training Plan 182
Developing a Maintenance Plan 182
Developing an Implementation Plan 182
Creating the Detailed Design Documents 183
Understanding Wireless Network Attributes from a Design Perspective 183
Application Support 184
Subscriber Relationships 186
Physical Landscape 187
Network Topology 189
Summary 191
Solutions Fast Track 193
Frequently Asked Questions 198
Chapter 4 Common Attacks and Vulnerabilities 201
Introduction 202
The Weaknesses in WEP 202
Criticisms of the Overall Design 203
Weaknesses in the Encryption Algorithm 205
Weaknesses in Key Management 208
Weaknesses in User Behavior 211
Conducting Reconnaissance 213
Finding a Target 213
Finding Weaknesses in a Target 214
Exploiting Those Weaknesses 215
Sniffing, Interception, and Eavesdropping 216
Defining Sniffing 216
Sample Sniffing Tools 217
Sniffing Case Scenario 217
Protecting Against Sniffing and Eavesdropping 219
Spoofing and Unauthorized Access 220
Defining Spoofing 220
Sample Spoofing Tools 221
Spoofing Case Scenario 221
Protecting Against Spoofing and Unauthorized Attacks 223
Network Hijacking and Modification 223
Defining Hijacking 223
Sample Hijacking Tools 224
Hijacking Case Scenario 225
Protection against Network Hijacking and Modification 225
Denial of Service and Flooding Attacks 226
Defining DoS and Flooding 226
Sample DoS Tools 227
DoS and Flooding Case Scenario 227
Protecting Against DoS and Flooding Attacks 228
The Introduction of Malware 228

Notes from the Underground…
Lucent Gateways broadcast SSID in clear on encrypted networks
It has been announced (www.securiteam.com/securitynews/5ZP0I154UG.html) that the Lucent Gateway allows an attacker an easy way to join a closed network. Lucent has defined an option to configure the wireless network as “closed.” This option requires that to associate with the wireless network a client must know and present the SSID of the network. Even if the network is protected by WEP, part of the broadcast messages the gateway transmits in cleartext includes the SSID. All an attacker need do is sniff the network to acquire the SSID; they are then able to associate with the network.

Stealing User Devices 230
Summary 232
Solutions Fast Track 232
Frequently Asked Questions 237
BUYER PROTECTION PLAN
™
Protect Your Wireless Network From Attack
• Complete Coverage of Wireless Standards: IEEE 802.15,
HomeRF, IEEE 802.11, IEEE 802.16, Bluetooth,WEP, and WAP
• Hundreds of Damage & Defense, Tools & Traps, and Notes
Christian Barnes from the Underground Sidebars, Security Alerts, and FAQs
Tony Bautts
• Complete Case Studies: Using Closed Systems, Deploying
Donald Lloyd IP Over the WLAN, Utilizing a VPN, Filtering MAC
Eric Ouellet Addresses, and More!
Jeffrey Posluns
David M. Zendzian
Neal O’Farrell Technical Editor
182_HPwireless_FM.qxd 2/6/02 12:43 PM Page i
[email protected]
With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco
study guides in print, we continue to look for ways we can better serve the
information needs of our readers. One way we do that is by listening.
Readers like yourself have been telling us they want an Internet-based ser-
vice that would extend and enhance the value of our books. Based on
reader feedback and our own strategic plan, we have created a Web site
that we hope will exceed your expectations.
[email protected] is an interactive treasure trove of useful infor-
mation focusing on our book topics and related technologies. The site
offers the following features:
■ One-year warranty against content obsolescence due to vendor
product upgrades. You can access online updates for any affected
chapters.
■ “Ask the Author” customer query forms that enable you to post
questions to our authors and editors.
■ Exclusive monthly mailings in which our experts provide answers to
reader queries and clear explanations of complex material.
■ Regularly updated links to sites specially selected by our editors for
readers desiring additional reliable information on key topics.
Best of all, the book you’re now holding is your key to this amazing site.
Just go to www.syngress.com/solutions, and keep this book handy when
you register to verify your purchase.
Thank you for giving us the opportunity to serve your needs. And be sure
to let us know if there’s anything else we can do to help you get the
maximum value from your investment. We’re listening.
www.syngress.com/solutions
182_HPwireless_FM.qxd 2/6/02 12:43 PM Page ii
182_HPwireless_FM.qxd 2/6/02 12:43 PM Page iii
1 YEAR UPGRADE
BUYER PROTECTION PLAN
Christian Barnes
Tony Bautts
Donald Lloyd
Eric Ouellet
Jeffrey Posluns
David M. Zendzian
Neal O'Farrell Technical Editor
182_HPwireless_FM.qxd 2/6/02 12:43 PM Page iv
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or
production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results
to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents.The Work
is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state
to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or
other incidental or consequential damages arising out from the Work or its contents. Because some
states do not allow the exclusion or limitation of liability for consequential or incidental damages, the
above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when
working with computers, networks, data, and files.
Syngress Media®, Syngress®,“Career Advancement Through Skill Enhancement®,” and “Ask the
Author UPDATE®,” are registered trademarks of Syngress Publishing, Inc. “Mission Critical™,”“Hack
Proofing™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress
Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of
their respective companies.
KEY SERIAL NUMBER
001 QJG4TY7UT5
002 KKLRT5W3E4
003 PMERL3SD6N
004 AGD34B3BH2
005 NLU8EVYN7H
006 ZFG4RN38R4
007 CWBV22YH6T
008 9PB9RGB7MR
009 R3N5M4PVS5
010 GW2EH22WF8
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Hack Proofing Your Wireless Network
Copyright © 2002 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of
America. Except as permitted under the Copyright Act of 1976, no part of this publication may be
reproduced or distributed in any form or by any means, or stored in a database or retrieval system,
without the prior written permission of the publisher, with the exception that the program listings
may be entered, stored, and executed in a computer system, but they may not be reproduced for
publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-59-8
Technical Editor: Neal O’Farrell Cover Designer: Michael Kavish
Technical Reviewer: Jeffrey Posluns Page Layout and Art by: Shannon Tozier
Acquisitions Editor: Catherine B. Nolan Copy Editor: Michael McGee
Developmental Editor: Kate Glennon Indexer: Ed Rush
Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.
182_HPwireless_FM.qxd 2/6/02 12:43 PM Page v
Acknowledgments
We would like to acknowledge the following people for their kindness and support in making this book possible.

Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, and Frida Yara of Publishers Group West for sharing their incredible marketing experience and expertise.

Jacquie Shanahan and AnnHelen Lindeholm of Elsevier Science for making certain that our vision remains worldwide in scope.

Annabel Dent of Harcourt Australia for all her help.

David Buckland, Wendi Wong, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.

Lois Fraser, Connie McMenemy, Shannon Russell and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.
Contributors
Donald Lloyd (CCNA, CCSE, CCSA), co-author of Designing a Wireless Network (Syngress Publishing, ISBN: 1-928994-45-8), is a Senior Consultant at Lucent Worldwide Services (Enhanced Services and Sales) and a Regional Leader for their Fixed Wireless Practice. His specialties include network security architecture and wireless network design, as well as the implementation of Juniper routers. Donald’s background includes a successful career with International Network Services, and now Lucent Technologies. Besides “unwiring” corporate offices, Donald has spent considerable time designing and deploying secure wireless networks in remote oil and gas fields. These networks not only carry voice and data traffic, but also help energy companies monitor the pipelines that carry these commodities.
David M. Zendzian is CEO and High Programmer with DMZ Services, Inc. He provides senior IT and security solutions to single person startups and multi-national corporations “anywhere the Net touches.” His specialties include large- and small-scale IT and security designs, deployments, infrastructure audits, and complete managed support. David’s background includes positions with Wells Fargo Bank as a Security Consultant where he developed and evaluated platform-specific security standards, assisted with identification of security risks to applications, and designed bank interconnectivity projects that required firewalls, VPNs, and other security devices. He was also a founding partner in one of the first Internet service providers of South Carolina and founder of the first wireless ISP in the Carolinas, Air Internet.

David is an active Debian Linux developer who maintains packages for network audio streaming (icecast, liveice) and the PGP Public Keyserver (pks). He has provided patches to several projects, most notably to the Carnegie Mellon Simple Authentication and Security Layer (SASL). David studied computer science at the oldest municipal college in America, The College of Charleston in Charleston, SC. He currently lives in the San Francisco area with his wife, Dana. David would like to thank Change and N8 for providing support and critical commentary needed to finish this work.
Eric Ouellet (CISSP) is a Senior Partner with Secure Systems Design Group, a network design and security consultancy based in Ottawa, Ontario, Canada. He specializes in the implementation of networks and security infrastructures from both a design and a hands-on perspective. Over his career, he has been responsible for designing, installing, and troubleshooting WANs using CISCO, Nortel, and Alcatel equipment, configured to support voice, data, and video conferencing services over terrestrial, satellite relay, wireless, and trusted communication links. Eric has also been responsible for designing some of the leading Public Key Infrastructure deployments currently in use and for devising operational policy and procedures to meet the Electronic Signature Act (E-Sign) and the Health Insurance Portability and Accountability Act (HIPAA). He has provided his services to financial, commercial, government, and military customers including US Federal Government, Canadian Federal Government, and NATO. He regularly speaks at leading security conferences and teaches networking and CISSP classes. He is currently working on two upcoming titles with Syngress Publishing, Building a Cisco Wireless LAN (ISBN: 1-928994-58-X) and Sniffer Network Optimization and Troubleshooting Handbook (ISBN: 1-931836-57-4). Eric would like to acknowledge the understanding and support of his family and friends during the writing of this book, and “The Boys” for being who they are.
Christian Barnes (CCNP, CCDA, MCSE, MCP+I, CNA, A+) is a member of the Consulting Staff at Lucent Worldwide Services (Enhanced Services and Sales). He is a contributing author to Designing a Wireless Network (Syngress Publishing, ISBN: 1-928994-45-8) and he currently provides technical consultation to clients in the South Central Region for Lucent Technologies. His areas of expertise include Cisco routers and switches, wide area network architecture, troubleshooting and optimization, network security, wireless access, and Microsoft NT and 2000 networking design and support. Chris has worked with clients such as Birch Telecom, Williams Energy, and the Cerner Corporation.
Randy Hiser is a Senior Network Engineer for Sprint’s Research, Architecture and Design Group, with design responsibilities for home distribution and DSL self-installation services for Sprint’s Integrated On Demand Network. He is knowledgeable in the area of multimedia services and emerging technologies, has installed and operated fixed wireless MMDS facilities in the Middle East, and has patented network communication device identification in a communication network for Sprint. He lives with his wife, Deborah, and their children, Erin, Ryan, Megan, Jesse, and Emily, in Overland Park, KS.
Andy McCullough (BSEE, CCNA, CCDA) has been in network consulting for over seven years. He is currently a Distinguished Member of the Consulting Staff at Lucent Worldwide Services (Enhanced Services and Sales). Andy has done architecture and design work for several global customers of Lucent Technologies including Level 3 Communications, Sprint, MCI/WorldCom, the London Stock Exchange, and British Telecom. His areas of expertise include network architecture and design, IP routing and switching, and IP multicast. Prior to working for Lucent, Andy ran a consulting company and a regional ISP.

Andy is co-author of Building Cisco Remote Access Networks (Syngress Publishing, ISBN: 1-928994-13-X). He is also an Assistant Professor at a community college in Overland Park, KS, where he teaches networking classes.
Tony Bautts is a Senior Security Consultant with Astech Consulting. He currently provides security advice and architecture for clients in the San Francisco Bay area. His specialties include intrusion detection systems, firewall design and integration, post-intrusion forensics, bastion hosting, and secure infrastructure design. Tony’s security experience has led him to work with Fortune 500 companies in the United States as well as two years of security consulting in Japan. He is also involved with the BerkeleyWireless.net project, which is working to build neighborhood wireless networks for residents of Berkeley, CA.
Jeffrey A. Wheat (Lucent WaveLAN Wireless Certification, FORE ATM Certification) is a Principal Member of the Consulting Staff at Lucent Worldwide Services. He currently provides strategic direction and architectural design to Lucent Service Provider and Large Enterprise customers. He is an ATM and Testing Methodology Subject Matter Expert within Lucent, and his specialties include convergence architectures and wireless architectures. Jeff’s background with Lucent includes design engagements with Metricom, Sprint ION, Sprint PCS, Raytheon, and Marathon Oil. Prior to his employment with Lucent, Jeff spent 11 years working for the U.S. Intelligence Agencies as a network architect and systems engineer. Jeff graduated from the University of Kansas in 1986 with a Bachelor of Science degree in Computer Science and currently resides in Kansas City with his wife, Gabrielle, and their two children, Madison and Brandon.
Technical Editor
Neal O’Farrell is founder and CEO of security training firm Hackademia Inc., where he oversees the development of more than 30 Web-based security training courses. Neal is a panel expert and regular columnist on SearchSecurity.com and was recently elected Chair of the first Cybercrime on Wall Street Conference. He has written more than one hundred articles and three books, appearing in publications as diverse as Business Week, Information Week, NetWorker, and Wireless Design News. With a career in information security that spans nearly two decades, Neal was recently described by the Institute for International Research as one of the world’s top 20 security experts. Neal got his first taste of wireless security in the mid-1980s when he was asked by the Irish government to develop a security system for the nation’s fledgling cellular network.

In 1989 he co-hosted with IBM one of Europe’s first network security conferences, and later helped Nokia incorporate security into their first generation of cellular telephones. As the head of the European crypto firm Intrepid, Neal leads the development of some of the world’s most advanced voice, data, and fax encryption systems, including MilCode, a European rival of the U.S. government’s Secure Telephone Unit (STU 3).
Technical Reviewer
Jeffrey Posluns (CISA, CISSP, CCNP, SSCP, GSEC) is an information security specialist with over eight years of specialized experience in security methodologies, audits, and controls. He has extensive expertise in the analysis of hacker tools and techniques, intrusion detection, security policies, and incident response procedures.

Jeffrey has held the position of Chief Technology Officer of SecureOps for the past three years, where he has the responsibility of bringing technical vision and strategy to the company, overseeing the development and implementation of all technological initiatives, and being a key resource in the research and development of new practices, methodologies, procedures, and information assets. Jeffrey is a regular speaker at industry conferences organized by such groups as the Information Systems Audit and Control Association (ISACA) and the Association of Certified Fraud Examiners (ACFE). He also speaks regularly for, and participates in, various panels and working groups promoting information security awareness with the Canadian IT, government, and law enforcement industries.
Contents
Foreword xxvii
Chapter 1 The Wireless Challenge 1
Introduction 2
Wireless Technology Overview 2
Defining Cellular-based Wireless 3
Defining the Wireless LAN 3
The Convergence of Wireless Technologies 3
Trends and Statistics 4
Increasing Use of Information Appliances 5
The Future of Wireless, circa 2005 6
Understanding the Promise of Wireless 7
Wireless Networking 9
Wireless Networking Applications for Business 9
Wireless Networking Applications for Consumers 14
Understanding the Benefits of Wireless 16
Convenience 16
Flexibility 16
Roaming 18
Mobility 21
Affordability 22
Speed 22
Aesthetics 24
Productivity 24
Answers to Your Wireless Questions
Q: Will i-Mode be available in North America or Europe?
A: Although i-Mode parent NTT DoCoMo has ownership stakes in several North American and European cellular operators, it is not expected that i-Mode, as it currently exists, will be offered in these markets. This is primarily due to the limited 9.6 Kbps access rates.
Facing the Reality of Wireless Today 24
Standards Conflicts 25
Commercial Conflicts 27
Market Adoption Challenges 27
The Limitations of “Radio” 27
Radio Range and Coverage 30
Use of Antennas 30
Interference and Coexistence 31
The Limitations of Wireless Security 32
Cellular-based Wireless Networks and WAP 34
Wireless LAN Networks and WEP 35
Examining the Wireless Standards 38
Cellular-based Wireless Networks 38
Communications Technologies 39
Wireless LAN Networks 46
802.11 WLAN 47
HomeRF 54
802.15 WPAN 57
802.16 WMAN 60
Understanding Public Key Infrastructures and Wireless Networking 62
Overview of Cryptography 63
Summary 68
Solutions Fast Track 69
Frequently Asked Questions 73
Chapter 2 A Security Primer 75
Introduction 76
Understanding Security Fundamentals and Principles of Protection 76
Ensuring Confidentiality 77
Ensuring Integrity 78
Ensuring Availability 80
Ensuring Privacy 81
Ensuring Authentication 81
Ensuring Authorization 85
Ensuring Non-repudiation 87
Accounting and Audit Trails 90
Using Encryption 92
Encrypting Voice Data 92
Encrypting Data Systems 93
Reviewing the Role of Policy 93
Identifying Resources 96
Understanding Classification Criteria 97
Implementing Policy 98
Recognizing Accepted Security and Privacy Standards 101
Reviewing Security Standards 101
Early Security Standards 102
Understanding the Common Criteria Model 104
ISO 17799/BS 7799 104
ISO 7498-2 104
ISO 10164-8 104
ISO 13888 105
Reviewing Privacy Standards and Regulations 106
NAIC Model Act 106
Gramm-Leach-Bliley Act 106
HIPAA 108
Electronic Signatures in the Global and National Commerce Act 111
COPPA 112
Civil Liability Law 112
Addressing Common Risks and Threats 113
Experiencing Loss of Data 113
Loss of Data Scenario 113
Experiencing Denial and Disruption of Service 114
Disruption of Service Scenario 114
Eavesdropping 115
Eavesdropping Scenario 117
Preempting the Consequences of an Organization’s Loss 117
Tools & Traps…
Clear-text Authentication
An example of a brute-force password dictionary generator that can produce a brute-force dictionary from specific character sets can be found at www.dmzs.com/tools/files. Other brute force crackers, including POP, Telnet, FTP, Web and others, can be found at http://packetstormsecurity.com/crackers.
Security Breach Scenario 118
Summary 119
Solutions Fast Track 120
Frequently Asked Questions 123
Chapter 3 Wireless Network Architecture and Design 125
Introduction 126
Fixed Wireless Technologies 127
Multichannel Multipoint Distribution Service 127
Local Multipoint Distribution Services 129
Wireless Local Loop 129
Point-to-Point Microwave 130
Wireless Local Area Networks 132
Why the Need for a Wireless LAN Standard? 132
What Exactly Does the 802.11 Standard Define? 134
Does the 802.11 Standard Guarantee Compatibility across Different Vendors? 137
802.11b 138
802.11a 139
802.11e 140
Developing WLANs through the 802.11 Architecture 141
The Basic Service Set 141
The Extended Service Set 143
Services to the 802.11 Architecture 143
The CSMA-CA Mechanism 145
The RTS/CTS Mechanism 146
Fixed Wireless Technologies
In a fixed wireless network, both transmitter and receiver are at fixed locations, as opposed to mobile. The network uses utility power (AC). It can be point-to-point or point-to-multipoint, and may use licensed or unlicensed spectrums.
Acknowledging the Data 146
Configuring Fragmentation 147
Using Power Management Options 147
Multicell Roaming 147
Security in the WLAN 148
Developing WPANs through the 802.15 Architecture 150
Bluetooth 150
HomeRF 153
High Performance Radio LAN 153
Mobile Wireless Technologies 154
First Generation Technologies 155
Second Generation Technologies 156
2.5G Technology 156
Third Generation Technologies 156
Wireless Application Protocol 157
Global System for Mobile Communications 158
General Packet Radio Service 160
Short Message Service 160
Optical Wireless Technologies 160
Exploring the Design Process 161
Conducting the Preliminary Investigation 162
Performing Analysis of the Existing Environment 162
Creating a Preliminary Design 163
Finalizing the Detailed Design 164
Executing the Implementation 164
Capturing the Documentation 165
Creating the Design Methodology 166
Creating the Network Plan 166
Gathering the Requirements 167
Baselining the Existing Network 168
Analyzing the Competitive Practices 169
Beginning the Operations Planning 169
Performing a Gap Analysis 169
Creating a Technology Plan 170
Creating an Integration Plan 171
Beginning the Collocation Planning 171
Performing a Risk Analysis 171
Creating an Action Plan 172
Preparing the Planning Deliverables 172
Developing the Network Architecture 173
Reviewing and Validating the Planning Phase 173
Creating a High-Level Topology 173
Creating a Collocation Architecture 174
Defining the High-Level Services 174
Creating a High-Level Physical Design 175
Defining the Operations Services 175
Creating a High-Level Operating Model 175
Evaluating the Products 176
Creating an Action Plan 177
Creating the Network Architecture Deliverable 177
Formalizing the Detailed Design Phase 177
Reviewing and Validating the Network Architecture 178
Creating the Detailed Topology 178
Creating a Detailed Service Collocation Design 179
Creating the Detailed Services 179
Creating a Detailed Physical Design 180
Creating a Detailed Operations Design 181
Creating a Detailed Operating Model Design 181
Creating a Training Plan 182
Developing a Maintenance Plan 182
Developing an Implementation Plan 182
Creating the Detailed Design Documents 183
Understanding Wireless Network Attributes from a Design Perspective 183
Application Support 184
Subscriber Relationships 186
Physical Landscape 187
Network Topology 189
Summary 191
Solutions Fast Track 193
Frequently Asked Questions 198
Chapter 4 Common Attacks and Vulnerabilities 201
Introduction 202
The Weaknesses in WEP 202
Criticisms of the Overall Design 203
Weaknesses in the Encryption Algorithm 205
Weaknesses in Key Management 208
Weaknesses in User Behavior 211
Conducting Reconnaissance 213
Finding a Target 213
Finding Weaknesses in a Target 214
Exploiting Those Weaknesses 215
Sniffing, Interception, and Eavesdropping 216
Defining Sniffing 216
Sample Sniffing Tools 217
Sniffing Case Scenario 217
Protecting Against Sniffing and Eavesdropping 219
Spoofing and Unauthorized Access 220
Defining Spoofing 220
Sample Spoofing Tools 221
Spoofing Case Scenario 221
Protecting Against Spoofing and Unauthorized Attacks 223
Network Hijacking and Modification 223
Defining Hijacking 223
Sample Hijacking Tools 224
Hijacking Case Scenario 225
Protection against Network Hijacking and Modification 225
Denial of Service and Flooding Attacks 226
Defining DoS and Flooding 226
Sample DoS Tools 227
DoS and Flooding Case Scenario 227
Protecting Against DoS and Flooding Attacks 228
The Introduction of Malware 228
Notes from the Underground…
Lucent Gateways broadcast SSID in clear on encrypted networks
It has been announced (www.securiteam.com/securitynews/5ZP0I154UG.html) that the Lucent Gateway allows an attacker an easy way to join a closed network. Lucent has defined an option to configure the wireless network as “closed.” This option requires that to associate with the wireless network a client must know and present the SSID of the network. Even if the network is protected by WEP, part of the broadcast messages the gateway transmits in cleartext includes the SSID. All an attacker need do is sniff the network to acquire the SSID; they are then able to associate with the network.
Stealing User Devices 230
Summary 232
Solutions Fast Track 232
Frequently Asked Questions 237