Enhancing Security Performance in IEEE 802.11 Standard and Assessing Impacts of Encryption
Enhancing Security Performances in IEEE 802.11 Standard and Assessing Impacts of Encryption on Traffic Behavior
Naveen Kumar Shukla [email protected] IIT-Roorkee (India)
Abstract

In a changing scenario of fast-growing usage of Information and Communication Technologies (ICT), enhancement of wireless LAN security requires special attention for achieving greater reliability with better performance. As dependability on wireless LANs is increasing enormously, it is important to pay due attention to the security concerns and the performance-related issues in a more robust environment.

For this purpose, suitable authentication procedures should be adopted through diverse mechanisms. In this paper, we propose a multi-level authentication model for ensuring authorized access to the resources and various applications in a multi-client infrastructure mode, and assess the impact of encryption on the traffic pattern.

Keywords: WLAN, WEP, AES, Security, RADIUS

1. Introduction

In the recent past, dependability on the wireless mode of communication has experienced phenomenal growth in the Information Technology industry. Many benefits are associated with wireless communication technologies, notably greater mobility and a higher level of flexibility. Nowadays, with advancement in wireless architecture deployment, clients are experiencing greater ease in accessing various resources and applications available at different locations in the architecture chosen as per the needs and requirements of an organization. The mobility which wireless LANs provide is of great importance in switching towards this kind of communication. The benefits which the client derives and enjoys through accessibility of various resources are associated with some security concerns which were previously undermined in different organizations. No communication architecture will be reliable unless it gives due consideration to the security mechanisms coupled with it. Various threats and vulnerabilities should be properly assessed so that proper risk mitigation can be carried out effectively.

Security architecture is thus highly important in order to mitigate the identified risks and security concerns [1].

To minimize the level and magnitude of risks, organizations are required to take into consideration several security measures and practices, with properly designed security policies for an enhanced access control mechanism.

This paper analyzes and evaluates the performance of an IEEE 802.11 wireless LAN security implementation with a multi-user client architecture. It takes into account the various security mechanisms specified under IEEE 802.1x and assesses their impact on network performance and reliability.

2. Related Research Work

Deploying security in a wireless LAN is an area of primary concern. Many researchers have suggested various means for addressing security and performance-related issues. Previously published research was based on a single client and basic traffic models [2]. Although earlier research work has analyzed TCP and UDP performance in wireless LANs [3, 4], it has not concentrated on the impact of the different security mechanisms of IEEE 802.1x.

This paper not only puts emphasis on several security mechanisms but also highlights their impact on the performance of the network.

3. Overview of 802.11b

IEEE 802.11b came into existence as a standard for wireless local area networks (WLAN). A WLAN connects computers and various components to the specified network through different access points (AP). There are diversified versions of 802.11 which operate at different transmission speeds over a varying range of frequency bands. 802.11b operates in the 2.4 GHz radio frequency (RF) band for high-speed data communication. It provides a data rate up to 11 Mbps, with an average throughput in the range of 4 to 6 Mbps on the wireless medium, using complementary code keying (CCK) and direct sequence spread spectrum (DSSS) for transmission.

For security purposes, three different methods were deployed to implement security in a wireless medium. They are basically Service Set Identifiers (SSID), MAC (Media Access Control) address filtering and WEP (Wired Equivalent Privacy) [5].

4. Security Analysis of WLAN

One important aspect of security analysis is the method of authentication adopted by the network. For the purpose of authentication in a wireless LAN, IEEE 802.11 describes two different mechanisms: Open System Authentication and Shared Key Authentication [6]. In Open System Authentication, it is the Service Set Identifier which is utilized for the purpose of authentication, and no key plays any vital role. In the Shared Key Authentication method, the AP sends a challenge to the wireless station (STA), where the challenge is encrypted with the WEP key and returned to the AP. The AP then decrypts the received challenge and compares it to the original one which it already holds. If the decrypted challenge is identical to the original challenge, it denotes that the AP and the STA are using the same WEP key. Thus, the wireless station is authenticated. But in this authentication procedure there is a chance that an illegitimate station may connect to an AP, which is the biggest vulnerability that can be exploited [6]. Further, the data in the traffic may be intercepted through different software tools for the purpose of gaining access to the WEP keys.

4.1 Service Set Identifiers (SSID)

The Service Set Identifier is a specific network identifier number which is broadcast by an access point [7]. To gain access to the network, the SSID must be known. Broadly this seems to be a secure form of gaining access to the network, but actually it is not so, because the SSID is broadcast by the AP and can easily be sniffed, thus allowing access to an unauthorized STA which captures the SSID fraudulently. Thus, it is better not to broadcast the SSID, in order to prevent unauthorized users. STAs then have to search for the SSID to be connected with the WLAN.

4.2 MAC-Address Filtering

An alternative method adopted for the purpose of authentication is the wireless station's MAC address information. Gaining access to the WLAN depends upon the MAC address of the STA. Only those addresses which are matched and verified against the AP's list will be provided access to the WLAN. We cannot say that this type of MAC address verification is a secure kind of mechanism. Any intruder can spoof the AP by the use of an authenticated MAC address of a STA by monitoring the data traffic with the help of various network monitoring tools.

4.3 Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP) originated as security standard when 802.11 with an objective of providing the same magnitude of privacy in the wireless mode of communication as in a wired network [8].

In this, the two main components involved are the network client and the access point, for the purpose of authentication, encryption and data integrity.

For strengthening the security architecture of the WLAN, it puts more emphasis on confidentiality and authenticity. It uses a symmetric cipher known as RC4 in its shared key mechanism. In this mechanism the key used for authentication and encryption of data by the client must be the same as that of the AP. A 40-bit key is specified by the 802.11 standard, but for enhanced security a 104-bit key is widely used in real-time environments. Encryption of data provides confidentiality to the data transmitted through the wireless LAN. Since a symmetric cipher key is used, the key for decryption is the same as the key for encryption for a successful data transmission.

For wireless stations to be associated with a particular AP, a proper authentication methodology is to be adopted for a secure connection. The figure shown below depicts various procedures of Authentication and Authorization between the Mobile Client and the Radius Server through different Access Points.

Fig. 1: Authentication between Server & Client

WEP has several shortcomings regarding its key systems, which can be easily compromised, affecting confidentiality and integrity. WEP is used for access control over the WLAN, but it has been shown experimentally that WEP fails on various grounds as a security protocol [9, 10].

4.4 IEEE 802.1x Security Protocol

The IEEE 802.1x authentication protocol is an enhancement of security features over the default WEP authentication protocol, which provides security through a port-based network access control mechanism. In this system, communication is established between wireless STAs and APs, whereas in RADIUS (Remote Authentication Dial-In-User Service) such communication is established between the APs (Radius Clients) and the RADIUS Server for proper authentication.

The security architecture designed in 802.11, including WEP and WEP-based authentication, is not reliable in a large public network for the purpose of association through APs [11]. It will be troublesome to handle various users having the same authentication credentials for the same set of Access Points [12]. To manage such issues a Network Administrator is required who handles these issues effectively.

Thus, the IEEE 802.1X security protocol is designed to meet the shortcomings of WEP by enhancing access control to the ports. In this area of concern, further improvements were introduced to WEP with the Temporal Key Integrity Protocol (TKIP), which is popularly known as WPA (Wi-Fi Protected Access) [13]. The Robust Security Network (RSN) architecture is another development in this regard, using the stronger encryption algorithm AES.

One of the foremost security issues with WEP is the problem associated with distribution and management of encryption keys. To meet these challenges the 802.1x standard emerged, rendering a centralized authentication and dynamic key distribution system for the IEEE 802.11 architecture, which is to be used with RADIUS [14].

5. Evaluating Performance Issues in WLAN

There are various vulnerabilities present in the WLAN architecture of the IEEE 802.11 standard which have to be addressed properly to enhance security at all ends. The purpose of this research paper is to evaluate and analyze the performance of IEEE 802.11b WLANs with multi-clients coveted with different security mechanisms at various ends.

The main issues to be resolved are the impact on performance of deploying various security mechanisms in a multi-client environment, as well as other suitable measures to be adopted for enhanced security at the mobile user and client end to achieve greater reliability with mobility.

There are various factors which affect the network performance. All these factors blend together and have their impact on the overall performance of the network, varying with the network topology and the devices deployed in our architecture. Performance basically includes throughput, response time, mobility, radio signal strength, etc.

For depicting the network performance, we take Throughput and Response time for our experimental purpose, taking into account different scenarios of traffic movement with encryption and without encryption. For this analysis, the Colasoft Capsa Tool [15] is used for capturing the packet movements in different conditions.

5.1 Experimental Model and Configuration

Our research and observations were based on Windows 2007 and Windows Server 2003, which were well equipped with an authentication protocol. In our experimental set-up, we have four mobile users and three APs with one Advanced Server. The observations and analysis were made based upon the model shown in fig. 2.

Fig. 2: Experimental Model

All the devices used are deployed in a real-time network for our analysis purpose. Detailed specifications of the various devices used in our experimental model are as shown below:

Server Hardware

Table 1: Server Descriptions
H/W | Specification
Processor | two Quad-Core Intel Xeon 5300 sequence processors at up to 3.0GHz
Front side Bus | Intel Xeon 5300 Sequence: Dual Independent 1066MHz or 1333MHz
Cache | Intel Xeon 5300 Sequence: 2x4MB
Chipset | Intel 5000X
Hard Drive | 2.5" SAS (10K RPM): 73GB
Network Interface Card | Embedded Broadcom® NetXtreme II™ 5708 Gigabit Ethernet NIC with fail-over and load balancing

Server Operating System

Microsoft® Windows Server 2003 R2, Standard, Enterprise and Web Edition, x64, Standard and Enterprise Edition; with SP1

User Hardware

Table 2: User Descriptions
H/W | Operating System
Core 2 duo, 3 GB RAM | Windows 7
i3, i5, i7 with 4 GB RAM | Vista, win-7, Linux etc
Apple | Mac

Other Software: Colasoft Capsa, NetSurveyor [16]

Radius Client Specification

Table 3: Client Descriptions
Name | Descriptions
Access Point | D-Link 3200AP (powerful and reliable wireless access point for business-class enterprise environments)
Standard | IEEE 802.11G, IEEE 802.3af
Data Rate | For 802.11G 54 Mbps
Wireless Freq. Range | 2.4GHz to 2.4835GHz
PoE Switch | Des-1228p Web Smart 24-Port PoE 10/100 + (4) 1000base-T Ports + 2 Combo Ports

5.2 Security Layers in WLAN

There are various security layers which are available in order to represent the hierarchical order of the IEEE 802.11 and IEEE 802.1x standards from time to time. In brief they are as follows:

The No Security layer is the default security setting given by vendors. The MAC Address Authentication layer verifies MAC addresses at the APs.

The WEP Authentication layer uses the shared key mechanism for authentication to overcome traditional authentication shortcomings. WEP Authentication with 40-bit WEP encryption adds the RC4 algorithm for better security. WEP Authentication with 128-bit WEP encryption does exactly the same thing except that it uses 128-bit keys.

EAP-TLS authentication is based on PKI, which uses digital certificates to authenticate users. This is an extended security over WEP encryption. EAP-TLS with 40-bit WEP encryption uses per-session keys for encryption and authentication, whereas EAP-TLS with 128-bit WEP encryption uses a 128-bit key for this purpose. The WPA (Wi-Fi Protected Access) security layer tries to overcome the shortcomings of WEP by using TKIP, a dynamic key generated per packet of 128-bit. Further, WPA2 introduced in the security layers a new AES based encryption with TKIP to enhance security in wireless LAN.
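The Shared Key Authentication exchange described in Section 4 (the AP sends a challenge, the station returns it WEP-encrypted, the AP decrypts and compares), shown as an added Python example that is not part of the paper. It models a simplified frame: only the 3-byte IV and the RC4-encrypted challenge with its CRC-32 ICV are present, the key-ID byte and 802.11 management headers are omitted, and all class and function names are illustrative.

```python
import hmac
import os
import zlib
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Clear 3-byte IV, then RC4 keyed with IV || key over plaintext || ICV."""
    if len(key) not in (5, 13) or len(iv) != 3:   # 40-bit or 104-bit key, 24-bit IV
        raise ValueError("WEP needs a 5- or 13-byte key and a 3-byte IV")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the frame is short or the ICV fails."""
    if len(frame) < 3 + 4:
        return None
    clear = rc4(frame[:3] + key, frame[3:])
    plaintext, icv = clear[:-4], clear[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        return None
    return plaintext


class AccessPoint:
    """AP side of Shared Key Authentication (illustrative class)."""

    def __init__(self, key: bytes):
        self.key = key
        self._challenge: Optional[bytes] = None

    def issue_challenge(self) -> bytes:
        self._challenge = os.urandom(128)         # 128-byte challenge text
        return self._challenge

    def verify(self, response: bytes) -> bool:
        # Each challenge is accepted once, then discarded.
        challenge, self._challenge = self._challenge, None
        if challenge is None:
            return False
        recovered = wep_decrypt(self.key, response)
        return recovered is not None and hmac.compare_digest(recovered, challenge)


def station_respond(key: bytes, challenge: bytes) -> bytes:
    """STA side: encrypt the received challenge under a fresh IV."""
    return wep_encrypt(key, os.urandom(3), challenge)


if __name__ == "__main__":
    shared_key = bytes(range(13))                 # constructed 104-bit key
    ap = AccessPoint(shared_key)
    print("same key:", ap.verify(station_respond(shared_key, ap.issue_challenge())))
    print("other key:", ap.verify(station_respond(bytes(13), ap.issue_challenge())))
```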
The 802.1x standard is not sufficient by itself to provide better authentication and an efficient security system. It has an asymmetric authentication protocol which is capable of authenticating a mobile user (client) to get connected with the network, but it lacks the reverse authentication mechanism by which a mobile user can also authenticate an access point. In this situation a mobile user has no option to validate the authenticity of an AP except to get connected in order to access the network. This is the biggest flaw in this situation, which is prone to different kinds of attacks such as Man-in-Middle attack and Traffic Hijacking.

5.3 Designing secure Campus WLAN

In the proposed architecture, we have designed a state-of-art wireless LAN architecture by performing a thorough Radio Frequency survey in order to design and frame the wireless network architecture. It has taken into consideration the various factors affecting the network design such as open area, built-up area, surrounding green area, etc.

Channels available to our experimental purpose for the traffic movements are segregated into 13 parts.

The APs do not provide IP addresses to the mobile users; these are allotted through DHCP, thus greater scalability and mobility are available in the WLAN.

The channels used here are unlicensed spectrum varying from 2.4 to 2.48 GHz, which is divided among the various APs. This reduces the possibility of overlapping in the channel and paves the path for seamless transmission. In the figure shown below, different APs are operating at different channels.

Fig. 3: Channel Analyzer

A proper survey is carried out before deploying and installing the APs. Security concerns were given due consideration in the deployment of the APs. In these APs, the SSIDs were not to be broadcast in the network, thus increasing the security by eliminating the threats associated with eavesdropping.

The network in our proposed architecture is also accompanied by a greater level of security through the usage of a Shared Secret between the Radius Client and the Radius Server.

Fig. 4: Shared Secret between server & Client

Also, we are deploying an additional server, a RADIUS Server, which performs the Authentication, Authorization and Accounting mechanism at a single place, thus reducing the complexities of the network as well as deferring various vulnerabilities which arise during traffic flow for gaining access into the secure network. The figure shown below describes the way in which a mobile user is authenticated and authorized to access resources.

Fig. 5: Authentication, Authorization & Accounting Sequence

6. Proposed Model and Solutions

To address the security concerns of the 802.1x standard, we propose a security architecture comprising the IEEE 802.1x and EAP/TLS security protocols with an additional server responsible for the Authentication, Authorization and Accounting (AAA) mechanism, all at one end. In our proposed model, mobile users equipped with various operating systems are freely moving into the entire network to have access to the WLAN.

To get connected to the WLAN, every user has to register its credentials in a particular domain. The domain of the WLAN is issued a digital certificate from the Certifying Authority, which is further used by any of the users registered in that particular domain. In this manner every individual who wants to be associated with the network need not be authenticated separately every time. The Active Directories storing all the credentials are consulted for authentication while a mobile user attempts to connect to the network. Every user also has to bind with the computer name and specifications through which it wants to get connected with a particular domain. Any user who wants to log in from a different machine will not be authenticated to access the network. This kind of practice will ensure authorized access only to genuine users, with increased mobility. Thus, only a registered user will be authenticated through the APs (Radius Clients), by sending the credentials to the server which authenticates and validates the legitimate user.

Fig. 6: Proposed Architecture with Security

The different APs in the proposed model operate at different channels, like channel 1, channel 6 and channel 11 in fig. 3, which avoids the possibility of overlapping and facilitates a user to transmit its packets in a defined channel, enhancing seamless operability. Better reliability and accessibility for a longer duration can be achieved in our model since we have associated all the APs with a centrally managed power supply through a PoE (Power on Ethernet) switch.

In this proposed architecture the Server behaves like a DHCP Server which allocates an IP address to each registered Client after authentication. The IP addresses of the Radius Server and Radius Clients are excluded from the pool of IP addresses to be distributed. They are kept separately to prevent identity sniffing over the network, thus enhancing security.

The Server used behaves like a Radius Server by performing the Authentication, Authorization and Accounting mechanism for a user. For enhancing the security features, AES encryption is used for transmitting the packets into the specific channels. Since the channels for the various APs are segregated, reducing the overlapping, the AES encryption used provides better utilization of the channel in an efficient manner. To draw this inference we have validated our assumptions in a real-time environment by analyzing the network traffic flow in different time-slots. The behavior pattern of the network traffic is depicted below in fig. 7 and 8, which show that applying encryption in the network reduces the unwanted traffic and utilizes the channel more efficiently than in a situation in which there is no encryption applied. This pattern has been observed with the Colasoft Capsa Software Tool by analyzing the broadcast of the traffic.
Fig. 7: Broadcast traffic Analysis without Encryption
In fig. 7, the pattern of broadcast traffic is shown without any kind of encryption in the network. Data captured in a real-time environment shows that out of a total traffic of 525.811 MB, broadcast traffic amounts to 86.531 KB for 1101 packets. But comparing this to an environment with AES encryption with a 128-bit key, out of a total traffic of 545.995 MB only 782 packets are broadcast into the network, as shown in fig. 8. Comparatively, we have experienced that network utilization in the encrypted environment is better, as it reduces the unwanted traffic in the WLAN.

Fig. 8: Broadcast traffic Analysis with AES 128-bit Encryption
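How the Shared Secret between the Radius Client (AP) and the Radius Server from Section 5.3 authenticates the packets they exchange, shown as an added Python example that is not the paper's code. It follows the Response Authenticator of RFC 2865 and the Message-Authenticator attribute of RFC 3579 [12]; the secret, user name and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                          # packet codes
USER_NAME, REPLY_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 18, 80   # attribute types


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


def find_attribute(packet: bytes, attr_type: int) -> int:
    """Offset of the value of the first matching attribute, or -1."""
    pos = 20                                   # attributes follow the 20-byte header
    while pos + 2 <= len(packet):
        length = packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return -1                          # malformed attribute list
        if packet[pos] == attr_type:
            return pos + 2
        pos += length
    return -1


def build_access_request(secret: bytes, ident: int, username: bytes) -> bytes:
    """AP side: Access-Request carrying a Message-Authenticator."""
    attrs = attribute(USER_NAME, username) + attribute(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16)
    packet = header + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()   # MAC field zeroed while hashing
    return packet[:-16] + mac


def verify_access_request(secret: bytes, packet: bytes) -> bool:
    """Server side: recompute HMAC-MD5 with the MAC field set to zero."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    off = find_attribute(packet, MESSAGE_AUTHENTICATOR)
    if off < 0 or packet[off - 1] != 18:       # attribute must be 2 + 16 bytes long
        return False
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[off:off + 16])


def build_access_accept(secret: bytes, request: bytes, message: bytes) -> bytes:
    """Server side: authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    attrs = attribute(REPLY_MESSAGE, message)
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + authenticator + attrs


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """AP side: accept a reply only if it is bound to our request and secret."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    if response[1] != request[1]:              # identifier must echo the request
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # sample value, not from the paper
    req = build_access_request(secret, 7, b"mobile-user")
    print("server accepts request:", verify_access_request(secret, req))
    reply = build_access_accept(secret, req, b"welcome")
    print("AP accepts reply:", verify_response(secret, req, reply))
    print("AP with other secret:", verify_response(b"other", req, reply))
```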
In this proposed set-up better security can be achieved, as the user has an option to make settings in the LAN card manually. In the Wi-Fi setup file the user can set the SSID as well as the security type, like WPA2 Enterprise etc., with various encryption keys. Also, the limitations of Class C IP addresses end, as we are using IP addresses from the Class B private network pool.

7. Conclusions and future work

In our proposed architecture of WLAN, we have evaluated the security performance of 802.11 standards inclusive of IEEE 802.11g and WPA (Wi-Fi Protected Access).

Roaming allows clients to move without restraint from one access point (one access point coverage area) to other APs. During such movements, transferring the credentials of a mobile user is necessary for authentication in order to establish a secure connection. Our proposed architecture of multi-users with a similar SSID interacting with multiple APs reduces this extra burden and the repetitive authentication process, establishing a seamless connection in a secure environment and maintaining mobility without hindrances.

As the dependency shifts from wireless LANs to wireless WANs because of mobility, further research work is required to evaluate the status of maintaining a secure wireless connection without a repetitive authentication mechanism. In addition, the proposed architecture is not applied to ad hoc wireless networks, which are a subject matter of future research work.

References

[1] Karygiannis, T., and Owens, L. (2002). Draft: Wireless Network Security - 802.11, Bluetooth and Handheld Devices. USA: National Institute of Standards and Technology.

[2] Hunt, R., Vargo, J., Wang, J., Impact of Security Architectures on Wireless Network Performance, 5th IEEE International Conference on Mobile and Wireless Communications Networks (MWCN 2003), Pages 331-334, Singapore, 27-29 October, 2003.

[3] Vasan, A. and Shankar, A.U., An Empirical Characterization of Instantaneous Throughput in 802.11b WLANs, Dept. of Computer Science, University of Maryland. http://www.cs.umd.edu/shankar/papers/802-11b-profile-1.pdf

[4] Xylomenos, G., and Polyzos, G.C. (1999). TCP and UDP performance over a wireless LAN. INFOCOM '99. Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings. IEEE, Volume: 2, 21-25 March. Page(s): 439-446 vol.2.

[5] Yasir, Z. and Yang, T., Wireless LAN security and laboratory designs. J. Comput. Small Coll., 2004. 19(3): p. 44-60.

[6] IEEE Standard for local and metropolitan area networks, "Wireless LAN Medium Access Control (MAC) and Physical Layer Specifications", ANSI/IEEE Std 802.11, 1999 Edition (R2003).

[7] Matthew S. Gast, 802.11 Wireless Networks, O'REILLY, 2002.

[8] IEEE Standard for local and metropolitan area networks, "Wireless LAN Medium Access Control (MAC) and Physical Layer Specifications", ANSI/IEEE Std 802.11, 1999 Edition (R2003).

[9] William A. Arbaugh, Narendar Shankar, Kan Zhang and Y. C. Justin Wan. "Your 802.11 Wireless network has no clothes". IEEE Wireless Communications, December 2002.

[10] Nikita Borisov, Ian Goldberg and David Wagner. "Intercepting Mobile Communications: The insecurity of IEEE 802.11", 7th Annual International Conference on Mobile Computing and Networking. July 2001.

[11] P. Congdon, B. Aboba, A. Smith, "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines" - RFC 3580 - September 2003.

[12] B. Aboba, P. Calhoun, "RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)" - RFC 3579 - September 2003.

[13] Wi-Fi Alliance. "Wi-Fi Protected Access (WPA)", Version 2.0, April 2003.

[14] Task Group i. (2002). TGi Security Overview, IEEE, Inc. Document number IEEE 802.11-021114rl.

[15] Colasoft Capsa http://www.colasoft.com/

[16] NetSurveyor http://www.nutsaboutnets.com/

NAVEEN KUMAR SHUKLA, B.Tech (E&C), is presently working as Scientific-Officer in the Information Superhighway Centre at the Indian Institute of Technology, Roorkee (India). He has more than 10 years of experience in the field of Network Administration. His areas of interest are Network Security, Database Management and Wireless Local Area Network Security.