Master thesis Electrical Engineering November, 2007. Security for Broadband Metropolitan and Wide Area Network at the Access Interface Level Abdulazeez Olayinka and Adenuga Kehinde Department of Electrical Engineering School of Engineering Blekinge institute of technology Se-371 79 karlskrona Sweden. 1 This thesis is submitted to the Department of Electrical Engineering, School of Engineering at Blekinge Institute of Technology in partial fulfillment of the requirements for the degree of Master of Science in Electrical Engineering. Contact Information: Author(s): Abdulazeez Olayinka E-mail: [email protected] Adenuga Kehinde E-mail: [email protected] Advisor: Adrian Popescu E-mail: [email protected] Department of Electrical Engineering. Department of Internet: www.bth.se/tek Electrical Engineering Phone: +46 455 38 50 00 School of Engineering Fax: +46 455 38 50 57 Blekinge institute of technology Se-371 79 karlskrona Sweden. 2 Abstract These thesis report deals with a range of secure high-speed networking over a metropolitan or wide area. Since this is quite active research area, a full report is given of the interfaces that thrive in removing the bandwidth burden from long distance networks. Only those with the status or potential of a standard are taking into consideration. Next, the position of security is evaluated. It is recommended that the access Interface enjoys certain advantages over the upper layers. Hence, the results of this work are directly applicable to virtually any layered communication architecture Amongst the security protocols that are available, the IEEE802.11 represents the only viable solution to have the CLS service properly secured. This protocol is designed for a different type of environment and the implications of this are known. In the real sense, IEEE802.11 proves to be a very valuable tool to built multi-level secure private and public networks using the most recent MAN/WAN technologies. Furthermore, it shows how to enhance the security issues related to Metropolitan and Wide Area Network considering the required security services and mechanism. 3 CONTENTS Chapter one Introduction Chapter two Standardised High-Speed MAN/WAN Technologies 2.1 Introduction 2.2 Earlier Solutions 2.2.1 Use of an Analogue Telephone Line and a Modem. 2.2.2 Packet Switched Data Network. 2.3 New Ground Rules. 2.4 Synchronous Physical Layer Network Interfaces. 2.4.1 Leased Carrier Systems 2.4.2 The Evolution of SONET/SDH 2.5 Asynchronous Transfer Mode (ATM) 2.5.1 ATM Traffic Management 2.6 Wide Area Networks (WANs) 2.6.1 Narrowband Integrated Service Digital Network (N-ISDN) 2.6.2 Broadband Integrated Services Digital Network (B-ISDN) 4 2.7 Metropolitan Area Networking 2.7.1 FDDI 2.7.2 Frame Relay Technologies Chapter Three Security for High-Speed MANs/WANs. 3.1 Introduction 3.2 Security Threats 3.3 Threat Identification 3.4 Security Concerns and TCP/ IP 3.5 Physical Security 3.6 Security Services and Mechanisms 3.7 Why A New Approach Is Needed. Chapter Four Applying IEEE802.11 for Secure WLAN Connection. 4.1 Introduction 4.2 Wireless Local Area Network Topology 4.3 IEEE 802.11 Standards 4.4 Security Threats in Link Layer 4.4.1 Threats in IEEE 802.11 MAC 4.4.2 Threats in IEEE 802.11 WEP 4.5 Security Issues in IEEE 802.11b 4.5.1 Service Set Identifier 4.5.2 MAC-Address Access List 4.6 Wireless Equivalent Privacy 4.7 Deployment of Access Points 4.8 What Need To Be Done To Improve Security Of 802.11b? 5 LIST OF FIGURES 2.1 Typical ―mesh‖ connectivity of a Wide Area Network 2.2 Physical links forming a Ring for the FDDI physical medium. 2.3 The frame structure for frame relay. 3.1 layouts to breakup security threat into difference areas 4.1 An Infrastructure Mode Network 4.2 An Ad Hoc Network 6 List of Tables 2.1 Plesiochronous digital transmission hierarchies (in Mbit/s) 4.1 Summary of IEEE802.11 WLAN Technologies 7 Chapter one Introduction Networking is one of the terms that best manage to capture the fundamental nature and spirit of the present information age. The global interconnection of systems irrespective of their size, that we experience today, has been greatly promoted over the years, as it is of very important in both business and day-to-day activities. The internet has becomes well-known and the services it renders continues to develop. These developments in internet did not leave behind the security problems associated most especially in the wireless networks. Every user want his/her traffic flow to be protected more especially the vital information such as e-commerce and real-time traffics (voice and video traffics). At present, high-speed interconnection is the most active field in the networking arena; special emphasis is given to communication over metropolitan and wide areas. These types of networks are experiencing rapid development similar to what LAN technologies witnessed in the last decades. But what makes this effort so significant is not only that the user notices an enhancement in performance. Until recently network size represented the major bottleneck for further technological advances. It brings about the creation of several independent networks, covering the same wide areas, but addressing various user needs. Having each type of network turned to the provision of a particular service, duplication of network resources is to be anticipated and the user faces an unpleasant financial impact. To deal with these problems, advanced broadband MAN/WAN access interfaces have recently arrived to fill the existing gap in technology. Nowadays, even though the word network makes most people think of a computer network as something not directly touching their lives, whereas network services are used one way or other without realizing it. 8 In the future, any type of information is expected to be carried over a common network platform, as never experienced before. The user will be connected to this ultimate from of network by means of a single fiber, delivering any possible service. For the moment, BISDN is the goal, but there is always the option for it to be outdated by something else as the technology develops. Hence, our concept of networks will change dramatically as regards to the role these have to play in our lives. With the increase in the use of information Technology and communications, security becomes an important issue. As a result, the role of security needs to be re-evaluated, and approach taken in the past to achieve it should be reconsidered. Although security has always been an essential user requirement, only a small group of parties, primarily restricted to the military, banks, and other financial institutions, have presented a serious effort to achieve it. Most of these organizations seriously rely on privately run networks for security. Such a private network can be simply set up by leasing lines from one or more telecommunications companies. But a private network is not automatically a secure network. Hence, extra security mechanisms must be frequently engaged. Generally, it is the actual application that represents the most promising place for tailoring security to the user needs. One example is the Electronic Transfer Funds system in the banking community, where secure communications protocols and cryptographic techniques have been especially developed to protect efficiently sensitive materials, such as cryptographic keys and personal identification numbers (PINS). For the average user, security was always kept to a minimum. The two main reasons for these are: the security which is driven by economic cost and its negative impact on performance as it adds complexity and extra processing. For the most application in the past, this extra cost was simply unjustifiable. Until recently, the great bulk of sensitive information was primary passed over easily controllable local environments. Subsequently, the main concern was how to protect the machines from unlawful access rights to the files stored there and processes running. 9 Communication security was abandoned and this attitude toward security is reflected by the lack of security features that characterizes the early design phase of communication systems and protocols. When the connection with the outside world became necessary, bridges, routers and gateways were engaged not only to provide the required connectivity but also to safeguard the customer environment. The type of protection these devices offered initially was a simple access control mechanism based strictly on address monitoring. These front end security providers came to be known as firewalls, but the truth is that they could be bypass without much effort by a serious attackers. For this reason, sites with higher security requirements configure their networking devices to permit only for one – way establishment of connections (i.e. from the private to the public domain). Even communication protocols designed to provide connectivity over open environments, such as ftp, rlogin, and telnet, are biased towards the end system aim to ease their risk towards illegal access. These protocols do nothing, but to carry user security related information (i.e. passwords) in plaintext. By doing so, no protection whatsoever is offered over the network, and highly sensitive user information is exposed to an open environment. Recently, incidents involving tampered machines acting as servers have become routine in Internet, and the great number of compromised accounts that is made known in each case gives an indication of how serious is the problem. High – speed networking raises some very interesting questions from a security point of view. As described earlier in due course, the full spectrum of services will be offered to the user via a single interface. Most of these services will become available and it is predicted that the financial survival of many businesses will seriously depend on whether or not they will have access to those services.