User talk:Rukmannaik

Wireless security is the prevention of unauthorized access or damage to computers using wireless networks.

Wireless networks are very common, both for organizations and individuals. Many laptop computers have wireless cards pre-installed. The ability to enter a network while mobile has great benefits. However, wireless networking has many security issues.

The risks to users of wireless technology have increased as the service has become more popular. There were relatively few dangers when wireless technology was first introduced. Crackers had not yet had time to latch on to the new technology and wireless was not commonly found in the work place. However, there are a great number of security risks associated with the current wireless protocols and encryption methods, and in the carelessness and ignorance that exists at the user and corporate IT level. Cracking methods have become much more sophisticated and innovative with wireless. Cracking has also become much easier and more accessible with easy-to-use Windows or Linux-based tools being made available freely on the web.

As wireless devices become more and more common in today’s enterprise networks, now is the right time for CTOs and IT managers to plan their strategy for overall control, deployment, and management of this important technology. Security is one component of that strategy, and it is a big one. While a properly implemented wireless security policy makes wireless more secure than wired networks, an improperly implemented or insufficient plan can lead to disaster. The popularity of wireless technology and an increasingly mobile workforce are leading to a new connectivity model where users connect over wireless networks wherever they go – at the corporate office, staying at a hotel or guest house, working from home, or traveling. Mobility, including wireless technology, has the greatest potential to expose corporate networks to intruders, leak sensitive data, and subject the enterprise network to virus and worm outbreaks. Proper planning avoids these issues without necessarily costing the company a lot of money.

The DoT (Department of Telecom, India) has already ordered ISPs (Internet Service Providers) to ensure that details of customers using Wi-Fi are maintained on a centralized server, to prevent unauthorized persons from accessing the internet at a hotspot. The move follows a recent incident of terrorists sending emails using the Wi-Fi hotspot of an American citizen staying in New Mumbai. Consumers who do not register themselves will be disconnected by their ISPs. DoT has issued detailed guidelines for ISPs to enable secure use of Wi-Fi services under the de-licensed frequency band. “Insecure Wi-Fi networks are capable of being misused by anti-social elements without leaving any trail. Therefore, DoT has instructed ISPs to follow a procedure for securing Wi-Fi networks in the country,” said a DoT official.

Once the guidelines are implemented at a hotspot location, consumers will not be able to simply walk into hotel lobbies, restaurants, coffee shops or airport malls and start accessing the Internet using the Wi-Fi hotspot in that location. DoT has asked ISPs to enable such access by issuing bulk login IDs and passwords at each hotspot. Consumers will have to give ID proof to get a temporary password and login ID before they can start surfing. For regular customers visiting these locations, DoT has allowed ISPs to issue the password and login ID on the subscriber’s mobile phone, which can be used for a period of one year. DoT has, however, barred service providers from allowing simultaneous multiple logins using a single password. No new Wi-Fi connections, corporate or individual, will be activated before the subscriber’s details are registered by the ISP. Even those customers who currently use Wi-Fi modems for limited mobility within their home, office or campus will have to get themselves registered.

Define Security Policies

A proper IT security policy is necessary in any size organization, but it is meaningless without a way to check compliance. Too many companies write a security policy banning all wireless devices, then fail to monitor for their use. Users demand mobility, and experience shows that if wireless networks are not provided by the IT department, users will install consumer-grade equipment themselves. Typically this consumer grade equipment has no security turned on by default, and most users do not bother with additional configuration steps to turn on even basic security. These “rogue” access points (APs) effectively open an organization’s network to anyone in the parking lot.

Some organizations establish “no wireless” policies and do periodically scan for unauthorized equipment. However, this eats up valuable personnel time as a network administrator walks through the building with a laptop or other wireless scanner. If an AP is detected, the administrator must then spend additional time to determine if that AP is inside the building, or if it belongs to another nearby business.
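The scan-and-compare step described above can be automated once scan results are exported. The following is an added example, not part of the original text: the inventory, the scan records and the category names are constructed for illustration, and BSSIDs use locally administered placeholder addresses.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    bssid: str      # radio MAC address of the AP as reported by the scanner
    ssid: str       # advertised network name
    security: str   # "open", "WEP", "WPA" or "WPA2"
    rssi_dbm: int   # received signal strength at the scanner


# Constructed inventory of APs installed by the IT department: BSSID -> SSID.
AUTHORIZED_APS = {
    "02:00:00:aa:00:01": "corp-wlan",
    "02:00:00:aa:00:02": "corp-wlan",
}

# Constructed scan results from one walk through the building.
SAMPLE_SCAN = [
    Observation("02:00:00:AA:00:01", "corp-wlan", "WPA2", -48),
    Observation("02:00:00:aa:00:02", "corp-wlan", "WEP", -55),
    Observation("02:00:00:bb:00:10", "corp-wlan", "WPA2", -60),
    Observation("02:00:00:cc:00:20", "homerouter", "open", -42),
    Observation("02:00:00:dd:00:30", "cafe-next-door", "WPA2", -83),
]

WEAK_SECURITY = {"open", "WEP"}

# Order in which findings are handed to the administrator.
PRIORITY = {
    "unlisted-corporate-ssid": 0,   # unknown radio advertising our network name
    "unlisted-open": 1,             # typical consumer AP with default settings
    "authorized-noncompliant": 2,   # our AP, but wrong SSID or weak security
    "unlisted": 3,                  # possibly a neighbouring business
}


def classify(obs, authorized):
    """Compare one scan record against the inventory."""
    bssid = obs.bssid.lower()
    if bssid in authorized:
        # A BSSID match is not proof of identity, since MAC addresses can be
        # changed; it only means the record is consistent with the inventory.
        if obs.ssid != authorized[bssid] or obs.security in WEAK_SECURITY:
            return "authorized-noncompliant"
        return "authorized"
    if obs.ssid in set(authorized.values()):
        return "unlisted-corporate-ssid"
    if obs.security == "open":
        return "unlisted-open"
    return "unlisted"


def audit(scan, authorized):
    """Return (category, observation) pairs that need follow-up.

    Within a category the strongest signal comes first. Signal strength is
    only a hint for where to start looking: it cannot decide whether an AP
    is inside the building or belongs to a nearby business.
    """
    findings = [(classify(o, authorized), o) for o in scan]
    findings = [f for f in findings if f[0] != "authorized"]
    findings.sort(key=lambda f: (PRIORITY[f[0]], -f[1].rssi_dbm))
    return findings


if __name__ == "__main__":
    for category, obs in audit(SAMPLE_SCAN, AUTHORIZED_APS):
        print(f"{category:26} {obs.bssid} {obs.ssid!r} {obs.security} {obs.rssi_dbm} dBm")
```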

Signal Engineering

A common question heard from organizations looking to deploy wireless is, “How do I ensure that the wireless signal doesn’t travel outside the building?” Some security analysts recommend using special directional antennas to accomplish this, or recommend using “decoy” access points with antennas pointed outside the building as a way to defeat would-be intruders. Both techniques are costly, complex, and do not work. Radio signals are invisible and travel in unpredictable ways after bouncing off reflective surfaces such as file cabinets and whiteboards. In addition, an attacker can use a high-gain directional antenna to transmit and receive signals from far away, even when a standard laptop wireless card does not detect a usable signal. Wireless networks should be installed with the assumption that anyone can be within radio range of the network, and security should be adjusted appropriately.

Hiding SSID (Service Set Identifier)

Service set identifier, or SSID, is a friendly name that identifies a particular 802.11 b/g/n wireless LAN. Unless disabled, a client device receives broadcast messages from all access points within range advertising their SSIDs. The client device can then either manually or automatically—based on configuration—select the network to associate. The SSID can be up to 32 characters long. As the SSID displays to users, it normally consists of human-readable ASCII characters. However, the standard does not require this. The SSID is defined as a sequence of 1–32 octets each of which may take any value.

It is legitimate for multiple access points to share the same SSID if they provide access to the same network as part of an extended service set.

Some wireless access points support broadcasting multiple SSIDs, allowing the creation of Virtual Access Points, partitioning a single physical access point into several logical access points, each of which can have a different set of security and network settings. This is not yet part of the 802.11 standard.

Some APs offer the ability to “hide” the broadcast of the SSID, also known as the “network name.” Some wireless security best practice guides in the past recommended this, with the idea that the SSID can be used as a password. In theory, if an attacker doesn’t know the SSID name in advance, he can’t connect to the network. In reality, it is simple to learn the SSID by monitoring the normal process of an authorized client joining the network. SSID cloaking is not harmful, but it should never be treated as a security technique.

Filtering MAC Address

MAC addresses are uniquely assigned to each card, so using MAC filtering on a network permits and denies network access to specific devices through the use of blacklists and whitelists. While the restriction of network access through the use of lists is straightforward, an individual person is not identified by a MAC address, rather a device only, so an authorized person will need to have a whitelist entry for each device that he or she would use to access the network.

A common wireless practice for consumer-grade equipment is to turn on MAC address filtering. With this feature, only computers on the “approved” list are allowed on the wireless LAN. Unfortunately, MAC address filtering is ineffective because it is trivial for an attacker to impersonate a valid computer by changing the MAC address of his or her computer. MAC address filtering also does not scale in enterprise networks, since the address database must be updated each time a computer is bought, replaced, or eliminated.

WEP (Wired Equivalent Privacy)

WEP is the original wireless encryption standard provided for 802.11 wireless LANs. WEP is widely recognized as being ineffective as an encryption protocol on multiple fronts. Using modern attack tools, WEP can be cracked in one minute or less, rendering the interior network open to intruders. Two types of WEP networks may be deployed: static WEP with pre-configured keys, and dynamic WEP with 802.1x authentication. While dynamic WEP provides scalability benefits in an enterprise setting, both forms of WEP are equally weak and are unsuitable for use today. Where application needs require WEP to be used, network access should be extremely restricted using firewall policies to allow the minimum access required.

Recently some vendors have begun providing so-called “WEP cloaking” or “WEP shielding” products. These are designed to be used in conjunction with a WEP network to defeat attackers by injecting “decoy” traffic into the air that confuses WEP cracking tools, thus making WEP safer for use. Attack tools were quickly modified to defeat these products, and thus they do not measurably improve security of WEP networks.

LEAP (Lightweight Extensible Authentication Protocol)

The Lightweight Extensible Authentication Protocol (LEAP) is a proprietary wireless LAN authentication method developed by Cisco Systems. Important features of LEAP are dynamic WEP keys and mutual authentication (between a wireless client and a RADIUS server). LEAP allows for clients to reauthenticate frequently; upon each successful authentication, the clients acquire a new WEP key (with the hope that the WEP keys don't live long enough to be cracked).

Some 3rd party vendors also support LEAP through the Cisco Compatible Extensions Program.

Cisco LEAP, similar to WEP, has had well-known security weaknesses since 2003 involving offline password cracking. LEAP uses a modified version of MS-CHAP, an authentication protocol in which user credentials are not strongly protected. Stronger authentication protocols employ a salt to strengthen the credentials against eavesdropping during the authentication process. Cisco's response to the weaknesses of LEAP suggests that network administrators either force users to have stronger, more complicated passwords or move to another authentication protocol also developed by Cisco, EAP-FAST, to ensure security. Automated tools like ASLEAP demonstrate the simplicity of getting unauthorized access in networks protected by LEAP implementations.

WPA / WPA2 (Wi-Fi Protected Access)

Wi-Fi Protected Access (WPA and WPA2) is a certification program created by the Wi-Fi Alliance to indicate compliance with the security protocol created by the Wi-Fi Alliance to secure wireless computer networks. This protocol was created in response to several serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP).

The protocol implements the majority of the IEEE 802.11i standard, and was intended as an intermediate measure to take the place of WEP while 802.11i was prepared. Specifically, the Temporal Key Integrity Protocol (TKIP), was brought into WPA. TKIP could be implemented on pre-WPA wireless network interface cards that began shipping as far back as 1999 through firmware upgrades. Because the changes required fewer modifications on the client than on the wireless access point, most pre-2003 APs could not be upgraded to support WPA with TKIP. Researchers have since discovered a flaw in TKIP that relied on older weaknesses to retrieve the keystream from short packets to use for re-injection and spoofing.

The later WPA2 certification mark indicates compliance with an advanced protocol that implements the full standard. This advanced protocol will not work with some older network cards. Products that have successfully completed testing by the Wi-Fi Alliance for compliance with the protocol can bear the WPA certification mark.

WPA2-

WPA2 replaced WPA; like WPA, WPA2 requires testing and certification by the Wi-Fi Alliance. WPA2 implements the mandatory elements of 802.11i. In particular, it introduces a new AES-based algorithm, CCMP, which is considered fully secure. Certification began in September, 2004; from March 13, 2006, WPA2 certification is mandatory for all new devices to bear the Wi-Fi trademark.

Security in pre-shared key mode-

Pre-shared key mode (PSK, also known as Personal mode) is designed for home and small office networks that don't require the complexity of an 802.1X authentication server. Each wireless network device encrypts the network traffic using a 256 bit key. This key may be entered either as a string of 64 hexadecimal digits, or as a passphrase of 8 to 63 printable ASCII characters. If ASCII characters are used, the 256 bit key is calculated by applying the PBKDF2 key derivation function to the passphrase, using the SSID as the salt and 4096 iterations of HMAC-SHA1.

Shared-key WPA is vulnerable to password cracking attacks if a weak passphrase is used. To protect against a brute force attack, a truly random passphrase of 13 characters (selected from the set of 95 permitted characters) is probably sufficient. Lookup tables have been computed by the Church of WiFi (a wireless security research group) for the top 1000 SSIDs for a million different WPA/WPA2 passphrases. To further protect against intrusion the network's SSID should not match any entry in the top 1000 SSIDs.
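The key derivation and the passphrase guidance in the two paragraphs above, as an added example that is not part of the original text. The function names and the short SSID list are constructed for illustration; the list stands in for the top-1000 list, which is not reproduced here.

```python
import hashlib
import math
import secrets
import string

# The 95 printable ASCII characters (0x20-0x7E) allowed in a passphrase.
PRINTABLE = "".join(chr(c) for c in range(0x20, 0x7F))

# Constructed stand-in for a list of the most common SSIDs.
SAMPLE_COMMON_SSIDS = {"linksys", "default", "NETGEAR"}


def derive_psk(passphrase: str, ssid: bytes) -> bytes:
    """Return the 256-bit pre-shared key for the given network."""
    if not 1 <= len(ssid) <= 32:
        raise ValueError("SSID must be 1-32 octets")
    # 64 hexadecimal digits are the key itself; no derivation is applied.
    if len(passphrase) == 64 and all(c in string.hexdigits for c in passphrase):
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    if any(c not in PRINTABLE for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    # PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations, 32-byte output.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid, 4096, dklen=32)


def brute_force_bits(length: int, alphabet_size: int = 95) -> float:
    """Search space, in bits, of a truly random passphrase of this length."""
    return length * math.log2(alphabet_size)


def random_passphrase(length: int = 13) -> str:
    """Generate a passphrase from the OS random source, not from a human."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def audit_network(ssid: bytes, passphrase: str, common_ssids=SAMPLE_COMMON_SSIDS) -> list:
    """Return the configuration findings the text warns about."""
    findings = []
    if ssid.decode("utf-8", "replace") in common_ssids:
        # A table precomputed for this SSID can be reused against this network.
        findings.append("common-ssid")
    if len(passphrase) < 13:
        findings.append("short-passphrase")
    return findings


if __name__ == "__main__":
    phrase = random_passphrase()
    # Same passphrase, different SSID: the salt changes, so the key changes,
    # and a table computed for one SSID is useless for the other.
    key_a = derive_psk(phrase, b"linksys")
    key_b = derive_psk(phrase, b"ward-3-wlan-7f3c")
    print("keys differ across SSIDs:", key_a != key_b)
    print("13 random characters =", round(brute_force_bits(13), 1), "bits")
    print("findings:", audit_network(b"linksys", "summer2009"))
```

Because the SSID is the only salt, every network that shares an SSID shares the same passphrase-to-key mapping, which is why a unique SSID and a randomly generated passphrase matter together.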

Weakness in TKIP-

A weakness was uncovered in November 2008 by researchers at two German technical universities (TU Dresden and TU Darmstadt), Erik Tews and Martin Beck, which relied on a previously known flaw in WEP that could be exploited only for the TKIP algorithm in WPA. The flaw can only decrypt short packets with mostly known contents, such as ARP messages, and 802.11e, which allows Quality of Service packet prioritization for voice calls and streaming media. The flaw does not lead to key recovery, but only to recovery of a keystream that encrypted a particular packet, which can be reused as many as seven times to inject arbitrary data of the same packet length to a wireless client. For example, this allows faked ARP packets to be injected, which makes the victim send packets to the open Internet.

EAP extensions under WPA and WPA2 Enterprise-

The Wi-Fi alliance has announced the inclusion of additional EAP (Extensible Authentication Protocol) types to its certification programs for WPA- and WPA2- Enterprise certification programs. This was to ensure that WPA-Enterprise certified products can interoperate with one another. Previously, only EAP-TLS (Transport Layer Security) was certified by the Wi-Fi alliance.

Hardware support-

Most newer Wi-Fi CERTIFIED devices support the security protocols discussed above, out-of-the-box, as compliance with this protocol has been required for a Wi-Fi certification since September 2003.[15]

The protocol certified through Wi-Fi Alliance's WPA program (and to a lesser extent WPA2) was specifically designed to also work with wireless hardware that was produced prior to the introduction of the protocol[2] which usually had only supported inadequate security through WEP. Many of these devices support the security protocol after a firmware upgrade. Firmware upgrades are not available for all legacy devices.

Furthermore, many consumer Wi-Fi device manufacturers have taken steps to eliminate the potential of weak passphrase choices by promoting an alternative method of automatically generating and distributing strong keys when adding a new wireless adapter or appliance to a network. The Wi-Fi Alliance has standardized these methods and certifies compliance with these standards through a program called Wi-Fi Protected Setup.

WiFi Network Architectures for Mobility

Wireless network can be arranged in one of these three logical configurations-

•	Point to Point
•	Point to Multipoint
•	Multipoint to Multipoint

For the purpose of security these three can be narrowed down to just two: Distributed and Centralized. A distributed architecture, as the name implies, distributes security functions to multiple devices while a centralized architecture collapses security functions into one device. A distributed architecture may consist of standalone “fat” access points, where the AP itself contains all functionality for wireless LAN operation. A distributed architecture may also consist of a controller with “thin” APs when the security functions of the wireless LAN are broken up between multiple devices. For example, if an AP performs encryption, the controller performs authentication, and an external firewall performs access control, this is a distributed system from a security standpoint. A centralized system, on the other hand, places all security functions in a single unit. In the example just given, encryption, authentication, and access control would all be done by a single controller in the centralized architecture. A centralized architecture is always made up of “thin” APs and a central controller. These architectures will be re-visited in each section below to provide comparison and contrast between the capabilities of each.

WiFonic Security Policy & Implementation

A.	Phase – I (Case Study)

Integrate a seamless WiFi solution without disrupting the wired network and without digging into walls or damaging plaster of Paris or ceilings, among many other limitations.

Support 200 or more simultaneous users across both LAN & WLAN.

Support VPN, Emails, VoIP, Video Conference at any corner of the office room, library, conference hall, laboratory, lobby area, restaurant, convocation centre etc.

Centralised wireless management and remote monitoring system.

Multi layered wireless security with centralized authentication, encryption and log maintenance.

Integrate a secured, high throughput, state of the art technologies with a supportive application for all next generations technologies like IP-Phone, IPBX, VoIP, SIP, Softphone, Video Conference etc.

Multiple ISP support, load balancing and rule based accessing.

Centralised policy management system.

Support VPN, IPSec, SSL VPN, SSL etc.

Support all OS like Mac, Macintosh, Vista, XP, Linux etc.

Support all hardware like Laptop, Desktop, PDA, iPhone, SIP, Softphone, Digital Camera, PCMCIA, USB WiFi etc.

Plug and play installation, no administrative help required.

Support all existing APs / Cabling should support.

Remote monitoring and trouble shooting.

Lower operation cost.

Support both Voice and Data simultaneously with maximum throughput.

Stateful Firewall or policy enforcement firewall and tunneling system.

Powerful QoS (Quality of Service).

Service Level Agreement (SLA).

Mesh Network, Outdoor Access Points to extend the coverage area.

Require less equipment with high-class facilities.

Guest Access, Roaming Employees and On Demand Access

Flexible power options like PoE, PoE switches with UPS system.

Structured cabling with CAT6, Fibre optic, PoE, switches, patch panel with mountable rack.

Fiber optic data links provide backhaul in areas susceptible to lightning without external adapters.

3D planning tools calculate antenna coverage, signal strength, and ideal equipment placement, making for more stable and reliable communications.

Office Wireless LAN access everywhere in an office or campus with the industry's highest performance wireless LAN controllers.

Network rightsizing to reduce costs of building and running expensive wired networks by switching wireless-capable devices and temporary locations to wireless LAN as the least-cost access method.

Branch Office, Teleworker & Business Continuity: cost-effectively extend a true desk-like experience to branch office, home office and temporary locations using remote access points.

Prevent accidental or unauthorized wireless networks from opening a back door into the enterprise network.

Walled Garden - You may wish not to require authorization for some services (for example to let clients access the web server of your company without registration), or even to require authorization only for a number of services (for example, for users to be allowed to access an internal file server or another restricted area). This can be done by setting up a Walled Garden system. When a user who is not logged in requests a service allowed in the Walled Garden configuration, the HotSpot gateway does not intercept it, or in the case of HTTP, simply redirects the request to the original destination (or to a specified parent proxy). When a user is logged in, this table has no effect on him/her.

Authentication, Authorisation, Advertisement and Accounting (AAAA).

Configurable Portal Page for user access showing the provider's logos and links.

Reports on Bandwidth, Data Transfer, etc.

Bandwidth Limitation based on user account.

Web Based Administration, Viewing Reports and user support.

B.	Phase – II (Feasibility Study)

WiFonic carries out economic feasibility, technical feasibility, schedule feasibility and operational feasibility studies as per the requirements of the client.

C.	Phase – III (Survey Work)

In this phase we work on Line of Sight (LoS), non line of sight (nLoS), ISP availability, selecting the ISP, uninterrupted power supply management, point to point or point to multipoint, Wireless Distribution System (WDS), bridging, cabling, the maximum data throughput possible for both voice and data, better signal strength, and deciding on the indoor and outdoor access points. Mobility and Location Management: an important requirement that users will place on wireless networks is mobility, the freedom for the wireless user to maintain a reliable wireless connection while moving about an area that is relevant to the application. Sometimes even more complex situations might be encountered, with various metal surfaces, manufacturing machinery, and so on, all affecting signal propagation throughout the building.

The goal of a WiFi site survey is to gather enough information and data to determine the number and placement of access points that will provide optimal wireless network coverage. That usually means the support of a minimum data rate in a given area. A site survey will also detect the presence of radio interference coming from other sources that could degrade the performance of the wireless LAN.

D.	Phase – IV (Wireless Network Layout Design)

This phase is often considered under the heading network engineering, as they are issues concerning the design and operation of the network as a whole. Signal coverage prediction models, usually based on a combination of radio-wave propagation theory and experimental measurements, provide the designer with a means of estimating the optimum placement of access points, sites for covering the intended area of user terminals with acceptable signal quality. Even in a small office layout, planning for a WLAN installation must take account of the types and locations of office furniture and equipment, office partitions, walls, doorways, and so on, all of which can affect signal coverage.

On-site wireless network layout design services can determine if wireless networking is a viable option for the location or can provide troubleshooting for problems with existing wireless networks. Common problems include lack of communication between mobile units and handhelds, or dead spots where the radios fail to work. WiFonic will send certified network engineers with all the test equipment necessary to evaluate or troubleshoot your situation.

E.	Phase – V (Wireless Network Deployment Planning)

In this phase we define standard high-level requirements for site installation, which are then customized for site-specific details. We provide a fall-back to cover the possibility that unexpected events cause the installation of the new network to fail, or that the new network proves to be unusable after deployment. Determine the potential areas of failure and define alternative approaches to recovery for each area. Choose the best alternative for each potential failure area. Ensure that the best alternative does not adversely impact some other aspect of deployment. Look at further failure cases such as equipment problems, network problems, power supply problems, ISP backbone problems etc.

Then we define procedures detailing the steps that must be followed to implement the contingency: the procedures to be used to restore the old network environment, communications to affected staff during and after the implementation of the contingency, the down time to be expected and the manual procedures to be used to continue service to customers during the down time, and plans for redeploying resources made idle by the implementation of the contingency.

After that we define the installation strategy of the proposed technology as per the case study. For example, components may be received at a central site, staged, and then shipped to the final site. If equipment in use for development or training will be redeployed, define a strategy for the redeployment that minimizes disruption to development and production.

F.	Phase – VI (Implementation & Installation)

The installation phase is the most physically demanding phase of the project. Using the site survey report, the installation should be a smooth process. The access points and antennas will be installed in the facility using the marked up drawing made after the site survey. Usually, the higher the access points and antennas are mounted, the better the signal will propagate. This will require the installer to have the ability to reach the support joists for the ceiling or roof. Some of the activities that will take place during the installation include but are not limited to:

•	Mounting of access points
•	Installation of enclosures on case-by-case basis
•	Mounting of antennas
•	Connection of antennas to access points
•	Connection of backbone LAN to access points
•	Connection of power to access points
•	Installation and connection of remote power system
•	Verification of coverage
•	Proper firmware level
•	Radio information (system ID, channel, bit rate)
•	IP addresses (provided by customer)
•	Verification of backbone connectivity: ping access points, ping host

Cabling and power runs should be done and tested prior to the installation of the access points.

G.	Phase – VII (Testing)

After completing the installation, testing for proper operation and coverage may indicate the need to move access points and possibly use different settings.

H.	Phase – VIII (Documentation)

Documentation on all the system hardware, software, web admin user ID and password, IP address, WAN IP etc. will be provided to the IT staff as an aid to be used when supporting the operational system.

I.	Phase – IX (Demonstration)

As per the customer requirement and case study, a demonstration phase is conducted before the last phase, so that all the staff will get an idea about the wireless security, voice & data, mobility of location etc.

J.	Phase – X (Training)

Explain both the documented and undocumented security vulnerabilities that are immediately created in every organisation when 802.11 wireless networks are introduced. Describe in detail the types of attacks that occur. Demonstrate practical 802.11 security vulnerabilities. Detect authorised and unauthorised 802.11 wireless networks and access points.

Summary

As per the report of the WiFi Alliance, the overall Indian Wi-Fi market (including WLAN hardware, systems integration and software services, not including embedded devices, laptops) is predicted to grow from the current $41.57 million to exceed $744 million by 2012 (CAGR of 61.4%). The necessary market drivers are in place to propel the growth, development and deployment of Wi-Fi into a mainstream technology across the country. As broadband wireless access grows, the WLAN network gear sector will exceed $275 Million by 2011-12 (from the current $23.1 Million). The combined Wi-Fi market (described as consisting of WLAN networking gear, systems integration, professional services and not including embedded devices and laptops) is expected to exceed $744 million by 2012 (CAGR of 61.4%).

As companies seek wireless solutions to gain a competitive edge, WiFi applications on the manufacturing shop-floor, in warehouses and at points-of-sale will drive faster and more accurate transactions. Globally, the organized retail sector is one of the largest consumers of enterprise wireless solutions. This sector is just opening up in India, as the global retail giants jostle for shelf-space to lure the massive middle class. These growth areas will drive up demand for Wi-Fi applications. The growing Managed Services sector will extend into wireless enterprise as centralized servers will manage distant wired and wireless devices and applications for better control and improved operational efficiencies. Vehicular and goods control for transport and logistics organizations will continue to adopt wireless applications, many of which will be WiFi powered.

Wireless technology is a fact of life in today’s enterprise networks. The technology has been an area of rapid change over the past several years, which has led to confusion regarding best practices for deployment. As per the survey work made by Tonse Telecom, laptop usage is growing very fast as compared with desktops. Again, the next generation of mobile devices, like IPBX, MPBX, IPPhone, SIP, VoIP, iPhone etc., will depend on WiFi. But enterprise people are mostly concerned about security, and the best security approach for wireless is a layered approach consisting of the following layers:

•	Wireless intrusion protection
•	Authentication
•	Encryption
•	Access control
•	Client security

Organizations implementing these best practices will be well protected against unauthorized and uncontrolled wireless as well as the malicious hacker bent on network intrusion. By implementing these best practices of the security policy, organizations will find that wireless networks provide stronger security protection than current wired networks, with the economic benefits brought about by mobility.