Today's View on Wireless LAN Security Computer Science Essay


Abstract- Wireless Local Area Networks (WLANs) have been used to a great extent in numerous sectors. Because of their ubiquity, flaws in WLAN have become evident, especially in the area of security. Introductions to WLAN concepts, components and architecture are used to show this vulnerability; we then look at how security issues have affected the wireless LAN and at the evolution of new standards that have been designed to address security issues such as eavesdropping, spied network communication, denial of service and session hijacking.

Keywords: WLAN, Network Security.


Introduction

WLAN is ubiquitous because of its easy installation process, its ability to connect mobile devices such as laptops and smart phones, the ease with which nodes are managed, and the ease of connecting devices built with differing technologies. WLANs provide communication over radio frequencies, which can take the form of infrared or other radio signals. Unlike cabled networks, which are restricted by physical space, a WLAN does not require any physical connection. It basically requires a wireless network interface card (NIC) on the nodes and one or more access points to connect to a network.

Security in WLAN involves privacy and control of access. A key advantage of WLAN components is their ease of implementation; they also allow mobility and flexibility, though the primary backbone connection is still wired. A 25-mile range was set as the standard for bridging connections between buildings.

Two key components of every wireless network are the access point and the client adapters/network interface cards (NICs). The access point connects both the wired network (via Ethernet cables) and the wireless network (via antenna). Some access points are dual band, supporting both the 2.4 and 5 GHz technologies, while others support only a single band. The NIC basically allows a wireless node to join a wireless network.

WLAN Architecture

This Wireless Local Area Network (WLAN) architecture must closely integrate WLANs with the existing LAN architecture and must adhere to the architecture principles.

The WLAN architecture is classified into Wireless LAN Stations, the Basic Service Set, the Extended Service Set and the Distribution System.

Wireless LAN Stations

Wireless LAN stations are the devices that communicate over the wireless medium connecting all the components mentioned above. All wireless LAN stations are equipped with wireless network interface cards (WNICs). Wireless stations are classified into two categories: access points and clients.

Basic-service set

The basic service set (BSS) is a set of stations that communicate with each other. Every BSS has an identifier called the BSSID, which is the MAC address of the access point servicing the BSS.

There are two types of BSS: Independent BSS and Infrastructure BSS.

Independent basic service set

An independent basic service set (IBSS) is an ad-hoc network and is the simplest WLAN configuration. It contains no access points, which means its stations cannot connect to any other basic service set. An independent basic service set can be set up whenever two or more wireless adapters are within range of each other. Figure 1 shows the architecture of an independent WLAN.

Figure 1: Independent WLAN [12].

Infrastructure basic service set

An infrastructure basic service set (BSS) can communicate with other stations by means of access points. This architecture satisfies the needs of large-scale networks: a distribution system (such as Ethernet) combined with access points enables roaming throughout the service area. Figure 2 shows the architecture of an infrastructure WLAN.

Figure 2: Infrastructure WLAN [12].

Extended Service Set

An extended service set (ESS) is a set of connected BSSs; the access points in an ESS are connected by a distribution system. Each ESS has an identifier called the SSID, which is a character string of at most 32 bytes.

Distribution System

A distribution system connects access points in an extended service set.

Types of wireless LANs:

Peer-to-Peer or ad-hoc wireless LAN

Wireless distribution system

WLAN Security Threats

Despite the ease of installation, mobility, reduced ownership cost, flexibility and scalability that WLAN offers, the data transmitted are broadcast over the air as radio waves, which creates the risk that the network can be hacked. The three main threats are denial of service, spoofing, and eavesdropping.

1. Denial of Service

In this kind of attack, the intruder floods the network with either valid or invalid messages, affecting the availability of the network resources. Due to the nature of radio transmission, WLANs are very vulnerable to denial of service attacks. The relatively low bit rates of WLAN can easily be overwhelmed, leaving them open to denial of service attacks [9]. With a powerful enough transceiver, radio interference can easily be generated that would render the WLAN unable to communicate over the radio path.

2. Spoofing and Session Hijacking

This is where the attacker gains access to privileged data and resources in the network by assuming the identity of a valid user. This happens because 802.11 networks do not authenticate the source address, which is the Medium Access Control (MAC) address, of the frames. Attackers may therefore spoof MAC addresses and hijack sessions.

Moreover, 802.11 does not require an Access Point to prove that it is actually an AP. This facilitates attackers who may masquerade as APs [9]. To eliminate spoofing, proper authentication and access control mechanisms need to be placed in the WLAN.

3. Eavesdropping

This is an attack against the confidentiality of the data being transmitted across the network. By their nature, wireless LANs intentionally radiate network traffic into space. This makes it impossible to control who can receive the signals in any wireless LAN installation. In a wireless network, eavesdropping by third parties is the most significant threat, because the attacker can intercept the transmission over the air from a distance, away from the premises of the company.

Wired Equivalent Privacy

Wired Equivalent Privacy (WEP) is a standard encryption for wireless networking. It is the user authentication and data encryption system from IEEE 802.11 used to overcome the security threats. Basically, WEP provides security to a WLAN by encrypting the information transmitted over the air, so that only receivers who hold the correct encryption key can decrypt the information. The following section explains the technical functionality of WEP as the main security protocol for WLAN.

How WEP Works

When deploying a WLAN, it is important to understand the ability of WEP to improve security. This section describes how WEP functions to accomplish a level of privacy comparable to that of a wired LAN [16]. WEP uses a pre-established shared secret key called the base key, the RC4 encryption algorithm and the CRC-32 (Cyclic Redundancy Code) checksum algorithm as its basic building blocks. WEP supports up to four different base keys, identified by Key IDs 0 through 3. Each of these base keys is a group key called a default key, meaning that the base keys are shared among all the members of a particular wireless network. Some implementations also support a set of nameless per-link keys called key-mapping keys. However, this is less common in first generation products, because it implies the existence of a key management facility, which WEP does not define. The WEP specification does not permit the use of both key-mapping keys and default keys simultaneously, and most deployments share a single default key across all of the 802.11 devices.

WEP tries to achieve its security goal in a very simple way. It operates on MAC Protocol Data Units (MPDUs), the 802.11 packet fragments. To protect the data in an MPDU, WEP first computes an integrity check value (ICV) over the MPDU data. This is the CRC-32 of the data. WEP appends the ICV to the end of the data, growing this field by four bytes. The ICV allows the receiver to detect whether the data has been corrupted in flight or the packet is an outright forgery. Next, WEP selects a base key and an initialization vector (IV), which is a 24-bit value. WEP constructs a per-packet RC4 key by concatenating the IV value and the selected shared base key. WEP then feeds the per-packet key to RC4 and encrypts both the data and the ICV. The IV and the KeyID identifying the selected key are encoded as a four-byte string and prepended to the encrypted data. Figure 4 depicts a WEP-encoded MPDU.

Figure 4: WEP-encoded MPDU [16].

The IEEE 802.11 standard defines the WEP base key size as consisting of 40 bits, so the per-packet key consists of 64 bits once it is combined with the IV.

Many in the 802.11 community once believed that the small key size was a security problem, so some vendors modified their products to support a 104-bit base key as well. This difference in key length does not make any difference to the overall security. An attacker can compromise its privacy goals with comparable effort regardless of the key size used. This is due to the vulnerability of the WEP construction, which will be discussed in the next section.

Weaknesses of WEP

WEP has undergone much scrutiny and criticism over concerns that it may be compromised.

What makes WEP vulnerable? The major WEP flaws can be summarized into three categories [17]:

1. No forgery protection

There is no forgery protection provided by WEP. Even without knowing the encryption key, an adversary can change 802.11 packets in arbitrary, undetectable ways, deliver data to unauthorized parties, and masquerade as an authorized user. Even worse, an adversary can also learn more about the encryption key with forgery attacks than with strictly passive attacks.

2. No protection against replays

WEP does not offer any protection against replays. An adversary can create forgeries without changing any data in an existing packet, simply by recording WEP packets and then retransmitting them later. Replay, a special type of forgery attack, can be used to derive information about the encryption key and the data it protects.

3. Reusing initialization vectors

By reusing initialization vectors, WEP enables an attacker to decrypt the encrypted data without needing to learn the encryption key or even resorting to high-tech techniques. While often dismissed as too slow, a patient attacker can compromise the encryption of an entire network after only a few hours of data collection. A report by a team at the University of California's Computer Science Department [2] presented the insecurity of WEP, which exposes WLAN to several types of security breaches. The ISAAC (Internet Security, Applications, Authentication and Cryptography) team, which released the report, quantifies two types of weaknesses in WEP. The first weakness concerns the limitations of the Initialization Vector (IV). The value of the IV often depends on how the vendor chose to implement it, because the original 802.11 protocol did not specify how this value is derived. The second weakness concerns RC4's Integrity Check Value (ICV), a CRC-32 checksum that is used to verify whether the contents of a frame have been modified in transit. At the time of encryption, this value is added to the end of the frame. As the recipient decrypts the packet, the checksum is used to validate the data. Because the ICV is not encrypted, however, it is theoretically possible to change the data payload as long as you can derive the appropriate bits to change in the ICV as well. This means data can be tampered with and falsified.

Practical Solutions for Securing WLAN

Despite the risks and vulnerabilities associated with wireless networking, there are certainly circumstances that demand its usage. Even with the WEP flaws, it is still possible for users to secure their WLAN to an acceptable level. This can be done by implementing the following actions to minimize attacks on the main networks [5]:

1. Changing Default SSID

The Service Set Identifier (SSID) is a unique identifier attached to the header of packets sent over a WLAN that acts as a password when a mobile device tries to connect to a particular WLAN. The SSID differentiates one WLAN from another, so all access points and all devices attempting to connect to a specific WLAN must use the same SSID. In fact, it is the only security mechanism that the access point requires to enable association when the optional security features are not activated. Not changing the default SSID is one of the most common security mistakes made by WLAN administrators. This is equivalent to leaving a default password in place.

2. Utilize VPN

A VPN is a much more comprehensive solution in that it authenticates users coming from an untrusted space and encrypts their communication so that someone listening cannot intercept it. In a typical wireless implementation, the wireless AP is placed behind the corporate firewall. This type of implementation opens up a big hole within the trusted network space. A secure method of implementing a wireless AP is to place it behind a VPN server. This type of implementation provides high security for the wireless network without adding significant overhead for the users. If there is more than one wireless AP in the organization, it is recommended to run them all into a common switch and then connect the VPN server to the same switch.

Then the desktop users will not need to have multiple VPN dial-up connections configured on their desktops. They will always be authenticating to the same VPN server no matter which wireless AP they have associated with [10]. Figure 5 shows a secure method of implementing a wireless AP.

Figure 5: Securing a wireless AP [10].

3. Utilize Static IP

By default, most wireless LANs utilize DHCP (Dynamic Host Configuration Protocol) to assign IP addresses to user devices automatically and efficiently. The problem is that DHCP does not differentiate a legitimate user from a hacker. With the proper SSID, anyone implementing DHCP will obtain an IP address automatically and become a genuine node on the network. By disabling DHCP and assigning static IP addresses to all wireless users, you can minimize the possibility of the hacker obtaining a valid IP address. This limits their ability to access network services. On the other hand, someone can use an 802.11 packet analyzer to sniff the exchange of frames over the network and learn what IP addresses are in use. This helps the intruder guess an IP address that falls within the range of those in use. Thus, the use of static IP addresses is not foolproof, but at least it is a deterrent. Also keep in mind that the use of static IP addresses in larger networks is very cumbersome, which may prompt network managers to use DHCP to avoid support issues.

4. Access Point Placement

WLAN access points should be placed outside the firewall to prevent intruders from accessing corporate network resources. The firewall can be configured to enable access only by legitimate users based on MAC and IP addresses. However, this is by no means a final or perfect solution, because MAC and IP addresses can be spoofed, although doing so does make the hacker's job more difficult.

5. Minimize radio wave propagation in non-user areas

Try orienting antennas to avoid covering areas outside the physically controlled boundaries of the facility. By steering clear of public areas, such as parking lots, lobbies, and adjacent offices, the ability of an intruder to participate on the wireless LAN can be significantly reduced. This will also minimize the impact of someone disabling the wireless LAN with jamming techniques.

New Standards for Improving WLAN Security

Apart from all of the actions for minimizing attacks on WLAN mentioned in the previous section, we will also look at some new standards that intend to improve the security of WLAN. There are two important standards that will be discussed in this paper: 802.1x and 802.11i.

802.1x

One of the standards is 802.1x, which was originally designed for wired Ethernet networks. This standard is also part of the 802.11i standard that will be discussed later. The following discussion of 802.1x is divided into three parts, starting with the concept of the Point-to-Point Protocol (PPP), followed by the Extensible Authentication Protocol (EAP), and continuing with the understanding of 802.1x itself.

1. PPP

The Point-to-Point Protocol (PPP) originally emerged as an encapsulation protocol for transporting IP traffic over point-to-point links. PPP also established a standard for the assignment and management of IP addresses, asynchronous (start/stop) and bit-oriented synchronous encapsulation, network protocol multiplexing, link configuration, link quality testing, error detection, and option negotiation for such capabilities as network-layer address negotiation and data-compression negotiation [11]. By any measure, PPP is a good protocol. However, as PPP usage grew, people quickly found its limitations in terms of security. Most corporate networks want to do more than simple usernames and passwords for secure access [13]. This led to the design of a new authentication protocol, called the Extensible Authentication Protocol (EAP).

2. EAP

The Extensible Authentication Protocol (EAP) is a general authentication protocol defined in IETF (Internet Engineering Task Force) standards. It was originally developed for use with PPP. It is an authentication protocol that provides a generalized framework for several authentication mechanisms [15]. These include Kerberos, public key, smart cards and one-time passwords. With a standardized EAP, interoperability and compatibility across authentication methods become simpler. For example, when a user dials a remote access server (RAS) and uses EAP as part of the PPP connection, the RAS does not need to know any of the details about the authentication system. Only the user and the authentication server have to be coordinated. By supporting EAP authentication, the RAS server does not actively participate in the authentication dialog. Instead, the RAS just repackages EAP packets to hand off to a RADIUS server, which makes the actual authentication decision [13].

How does EAP relate to 802.1x? The next section explains the relation.

3. 802.1x

IEEE 802.1x relates to EAP in that it is a standard for carrying EAP over a wired LAN or WLAN. There are four important entities that explain this standard [18].

i. Authenticator

The Authenticator is the entity that requires the entity on the other end of the link to be authenticated. An example is a wireless access point.

ii. Supplicant

Supplicant is the entity being authenticated by the Authenticator and desiring access to the services of the Authenticator.

iii. Port Access Entity (PAE)

It is the protocol entity associated with a port. It may support the functionality of Authenticator, Supplicant or both.

iv. Authentication Server

The Authentication Server is an entity that provides an authentication service to the Authenticator. It may be co-located with the Authenticator, but it is most likely an external server. It is typically a RADIUS (Remote Access Dial In User Service) server.

The supplicant and authentication server are the major parts of 802.1x.

Figure 6 below shows the general topology of the above-mentioned entities:

Figure 6: General topology of 802.1x components [18].

EAP messages are encapsulated in Ethernet LAN packets (EAPOL) to allow communication between the supplicant and the authenticator. The following are the most common steps of operation in EAPOL [13]:

i. The authenticator sends an "EAP-Request/Identity" packet to the supplicant as soon as it detects that the link is active.

ii. Then, the supplicant sends an "EAP-Response/Identity" packet to the authenticator, which is then passed to the authentication (RADIUS) server.

iii. Next, the authentication server sends back a challenge to the authenticator, for example with a token password system. The authenticator unpacks this from IP, repackages it into EAPOL and sends it to the supplicant. Different authentication methods will vary this message and the total number of messages. EAP supports client-only authentication and strong mutual authentication. Only strong mutual authentication is considered appropriate for the wireless case.

iv. The supplicant responds to the challenge via the authenticator, which passes the response on to the authentication server. If the supplicant provides the proper identity, the authentication server responds with a success message, which is then passed to the supplicant. The authenticator now allows access to the LAN, possibly restricted based on attributes that came back from the authentication server.

802.11i

In addition to the 802.1x standard created by IEEE, one up-and-coming 802.11x specification, 802.11i, provides replacement technology for WEP security. 802.11i is still in the development and approval processes. In this paper, the key technical elements that have been defined by the specification will be discussed. While these elements might change, the information provided will give insight into some of the changes that 802.11i promises to deliver to enhance the security features provided in a WLAN system. The 802.11i specification consists of three main pieces organized into two layers [4]. On the upper layer is 802.1x, which has been discussed in the previous section. As used in 802.11i, 802.1x provides a framework for robust user authentication and encryption key distribution. On the lower layer are improved encryption algorithms, in the form of TKIP (Temporal Key Integrity Protocol) and CCMP (Counter Mode with CBC-MAC Protocol). It is important to understand how all three of these pieces work together to form the security mechanisms of the 802.11i standard. Since the concept of 802.1x has been discussed in the previous section, the following sections of this paper will only look at TKIP and CCMP. Both of these encryption protocols provide enhanced data integrity over WEP, with TKIP being targeted at legacy equipment while CCMP is targeted at future WLAN equipment. However, a true 802.11i system uses either the TKIP or the CCMP protocol for all equipment.

TKIP

The Temporal Key Integrity Protocol (TKIP), initially referred to as WEP2, was designed to address all the known attacks and deficiencies in the WEP algorithm. According to 802.11 Planet [6], the TKIP security process begins with a 128-bit temporal key, which is shared among clients and access points. TKIP combines the temporal key with the client machine's MAC address and then adds a relatively large 16-octet initialization vector to produce the key that will encrypt the data. Similar to WEP, TKIP also uses RC4 to perform the encryption. However, TKIP changes temporal keys every 10,000 packets. This difference provides a dynamic distribution method that significantly enhances the security of the network. TKIP is seen as a method that can quickly overcome the weaknesses in WEP security, especially the reuse of encryption keys. The following are the four new algorithms, and their functions, that TKIP adds to WEP [17]:

i. A cryptographic message integrity code, or MIC, called Michael, to defeat forgeries.

ii. A new IV sequencing discipline, to remove replay attacks from the attacker's arsenal.

iii. A per-packet key mixing function, to de-correlate the public IVs from weak keys.

iv. A re-keying mechanism, to provide fresh encryption and integrity keys, undoing the threat of attacks stemming from key reuse.

CCMP

As explained previously, TKIP was designed to address deficiencies in WEP; however, TKIP is not viewed as a long-term solution for WLAN security. In addition to TKIP encryption, the 802.11i draft defines a new encryption method based on the Advanced Encryption Standard (AES). The AES algorithm is a symmetric block cipher that can encrypt and decrypt information. It is capable of using cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits [3]. More robust than TKIP, the AES algorithm would replace WEP and RC4. AES-based encryption can be used in many different modes or algorithms. The mode that has been chosen for 802.11 is the Counter Mode with CBC-MAC Protocol (CCMP). The counter mode delivers data privacy, while the CBC-MAC delivers data integrity and authentication. Unlike TKIP, CCMP is mandatory for anyone implementing 802.11i [4].

Tools for Protecting WLAN

There are some products that can minimize the security threats to WLAN, such as:

AirDefense

AirDefense is a commercial wireless LAN intrusion protection and management system that discovers network vulnerabilities, detects and protects a WLAN from intruders and attacks, and assists in the management of a WLAN. AirDefense also has the capability to discover vulnerabilities and threats in a WLAN such as rogue APs and ad hoc networks. Apart from securing a WLAN from all the threats, it also provides robust WLAN management functionality that allows users to understand their network, monitor network performance and enforce network policies [1].

Isomair Wireless Sentry

This product from Isomair Ltd. automatically and continuously monitors the air space of the enterprise, using unique and sophisticated analysis technology to identify insecure access points, security threats and wireless network problems. It is a dedicated appliance employing an Intelligent Conveyor Engine (ICE) to passively monitor wireless networks for threats and inform the security managers when these occur. It is a completely automated system, centrally managed, and will integrate seamlessly with existing security infrastructure. No additional staff time is required to operate the system [8].

Wireless Security Auditor (WSA)

It is an IBM research prototype of an 802.11 wireless LAN security auditor, running on Linux on an iPAQ PDA (Personal Digital Assistant). WSA helps network administrators to close any vulnerabilities by automatically auditing a wireless network for proper security configuration. While there are other 802.11 network analyzers such as Ethereal, Sniffer and Wlandump, WSA aims at protocol experts who want to capture wireless packets for detailed analysis. Moreover, it is intended for the more general audience of network installers and administrators, who want a way to easily and quickly verify the security configuration of their networks without having to understand any of the details of the 802.11 protocols.


Conclusion

The general idea of WLAN was basically to provide a wireless network infrastructure comparable to the wired Ethernet networks in use. It has since evolved, and is still evolving very rapidly, towards offering fast connection capabilities within larger areas. However, this extension of physical boundaries provides expanded access to both authorized and unauthorized users, which makes it inherently less secure than wired networks. WLAN vulnerabilities are mainly caused by WEP as its security protocol.

However, these problems can be solved with the new standards, such as 802.11i, which is planned to be released later this year. For the time being, WLAN users can protect their networks by practicing the suggested actions mentioned in this paper, according to the cost and the level of security that they wish. However, there will be no complete fix for the existing vulnerabilities. All in all, the very best way to secure WLAN is to have the security knowledge, proper implementation, and continued maintenance.