
Communication Security: Wireless • Chapter 4  239

attacks. That is, it is relatively easy for an attacker to figure out what the plaintext traffic is (for example, a DHCP exchange) and compare that with the ciphertext, providing a powerful clue for cracking the encryption.

Another problem with WEP is that it uses a relatively short (24-bit) IV to encrypt the traffic. Because each transmitted frame requires a new IV, it is possible to exhaust the entire IV keyspace in a few hours on a busy network, resulting in the reuse of IVs. This is known as an IV collision. IV collisions can also be used to crack the encryption. Furthermore, IVs are sent in the clear with each frame, introducing another vulnerability.
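The two weaknesses just described (predictable plaintext and IV reuse) combine because WEP is a stream cipher: every frame encrypted under the same IV and secret key uses the same RC4 keystream, so XORing two such ciphertexts cancels the keystream and leaves the XOR of the two plaintexts. The following is an added example, not code from the book; it implements plain RC4, builds the per-frame key the way WEP does (IV prepended to the secret), and shows that one frame of known plaintext reveals the bytes of a second frame sent under the same IV. It also computes how quickly a sequential 24-bit IV counter wraps at an assumed frame rate, and the far smaller birthday bound at which randomly chosen IVs are likely to repeat. The key, IV and frame contents are constructed for the demonstration.

```python
"""WEP-style IV reuse demonstration (added example; not from the study book).

Constructed inputs: a 40-bit secret key, a 24-bit IV, and two short frames
of equal length. The RC4 implementation is the standard KSA/PRGA.
"""
from __future__ import annotations

import math

IV_BITS = 24


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling algorithm, then `length` PRGA output bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):  # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):  # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP forms the per-frame RC4 key as IV || secret; the IV is sent in the clear."""
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV must be 24 bits")
    return xor_bytes(plaintext, rc4_keystream(iv + secret, len(plaintext)))


def recover_with_known_plaintext(c_known: bytes, p_known: bytes, c_other: bytes) -> bytes:
    """Two frames under one IV share a keystream, so c1 ^ c2 == p1 ^ p2.

    Knowing p1 (e.g. a predictable DHCP or ARP header) therefore yields p2 for
    every byte position where the two frames overlap. No key is recovered here;
    the point is that the key never needed to be.
    """
    keystream = xor_bytes(c_known, p_known)
    return xor_bytes(keystream, c_other)


def iv_space_size(iv_bits: int = IV_BITS) -> int:
    """Number of distinct IVs available (2**24 for WEP)."""
    return 1 << iv_bits


def hours_to_exhaust(frames_per_second: float, iv_bits: int = IV_BITS) -> float:
    """Hours until a sequential IV counter wraps at the given frame rate."""
    return iv_space_size(iv_bits) / frames_per_second / 3600


def frames_until_likely_collision(iv_bits: int = IV_BITS) -> int:
    """Birthday bound for randomly chosen IVs: about sqrt(2**n) frames."""
    return math.isqrt(iv_space_size(iv_bits))


# Constructed demonstration values (not real keys or captured traffic).
SECRET = bytes.fromhex("0123456789")  # 40-bit WEP key
IV = b"\x00\x00\x01"                  # the same IV reused for both frames
P1 = b"KNOWN DHCP-LIKE HEADER"         # plaintext the observer can predict
P2 = b"secret payload, 22 b.."        # plaintext the observer wants, same length


def demo() -> tuple[bytes, bytes]:
    """Return (plaintext recovered from the second frame, actual second plaintext)."""
    c1 = wep_encrypt(SECRET, IV, P1)
    c2 = wep_encrypt(SECRET, IV, P2)
    return recover_with_known_plaintext(c1, P1, c2), P2


if __name__ == "__main__":
    recovered, actual = demo()
    print("recovered:", recovered, "matches:", recovered == actual)
    print(f"2^24 IVs at 1000 frames/s wrap in {hours_to_exhaust(1000):.2f} h")
    print(f"random IVs likely repeat after ~{frames_until_likely_collision()} frames")
```

At 1000 frames per second the sequential counter wraps in roughly 4.7 hours, which is the "few hours on a busy network" figure; with randomly chosen IVs a repeat is expected after only about 4096 frames. Either way the observer needs the IV (which is in the clear) and a guess at one frame's contents, never the secret key.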
The final stake in the heart of WEP is the fact that it uses RC4 as the encryption algorithm. The RC4 algorithm is well known, and recently it was discovered that it uses a number of weak keys. AirSnort and WEPCrack are two well-known open-source tools that exploit the weak key vulnerability of WEP.

Although WEP is insecure, it does potentially provide a good barrier, and its use will slow down determined and knowledgeable attackers. WEP should always be implemented. The security of WEP is also dependent on how it is implemented. Because the IV keyspace can be exhausted in a relatively short amount of time, static WEP keys should be changed on a frequent basis.

The best defense for a wireless network involves the use of multiple security mechanisms to provide multiple barriers that will slow down attackers, making it easier to detect and respond to attacks. This strategy is known as defense-in-depth.

Securing a wireless network should begin with changing the default configurations of the wireless network devices. These configurations include the default administrative password and the default SSID on the AP.

The SSID is a kind of network name, analogous to a Simple Network Management Protocol (SNMP) community name or a VLAN ID. For wireless clients to authenticate and associate with an AP, they must use the same SSID as the one in use on the AP. It should be changed to a unique value that does not contain any information that could potentially be used to identify the company or the kind of traffic on the network.

By default, SSIDs are broadcast in response to beacon probes and can be easily discovered by site survey tools such as NetStumbler and Windows XP. It is possible to turn off SSID broadcasts on some APs. Disabling SSID broadcasts creates a "closed network." If possible, SSID broadcasts should be disabled, although this will interfere with the ability of Windows XP to automatically discover wireless networks and associate with them. However, even if SSID broadcasts are turned off, it is still possible to sniff the network traffic and see the SSID in the frames.
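The last point is worth seeing at the frame level: a "closed network" only blanks the SSID element in the AP's own beacons, while the clients that join it still name the network in their probe and association requests. The following is an added example, not code from the book. It parses the tagged information elements of 802.11 management frame bodies (1-byte element ID, 1-byte length, value; element ID 0 is the SSID) from constructed byte strings, no live capture involved, and shows what a passive observer learns from a hidden beacon versus a client's probe request and association request. The fixed-field lengths follow the 802.11 management frame formats; the SSID, capability bits and rates are constructed values.

```python
"""Why disabling SSID broadcasts is not confidentiality (added example; not from
the study book). Management frame bodies are built and parsed from constructed
bytes; the 802.11 MAC header is omitted.
"""
from __future__ import annotations

import struct

SSID_ELEMENT_ID = 0
SUPPORTED_RATES_ELEMENT_ID = 1

# Bytes of fixed parameters that precede the information elements in each
# management-frame subtype (IEEE 802.11 frame formats).
FIXED_FIELD_LEN = {
    "beacon": 12,              # timestamp(8) + beacon interval(2) + capability(2)
    "probe_response": 12,      # same layout as a beacon
    "probe_request": 0,        # tagged parameters only
    "association_request": 4,  # capability(2) + listen interval(2)
}


def parse_information_elements(data: bytes) -> list[tuple[int, bytes]]:
    """Split a tagged-parameter block into (element_id, value) pairs.

    Rejects truncated elements and trailing garbage rather than silently
    accepting them, which is what a parser on the defender's side should do.
    """
    elements = []
    i = 0
    while i + 2 <= len(data):
        eid, length = data[i], data[i + 1]
        value = data[i + 2 : i + 2 + length]
        if len(value) < length:
            raise ValueError(f"element {eid} truncated: {len(value)} of {length} bytes")
        elements.append((eid, value))
        i += 2 + length
    if i != len(data):
        raise ValueError("trailing bytes after last information element")
    return elements


def extract_ssid(subtype: str, body: bytes) -> str | None:
    """Return the SSID in a management frame body.

    None means no SSID element at all; "" means the element is present but
    empty (or NUL-padded), which is how a hidden-SSID beacon appears on the air.
    """
    elements = parse_information_elements(body[FIXED_FIELD_LEN[subtype]:])
    for eid, value in elements:
        if eid == SSID_ELEMENT_ID:
            if all(b == 0 for b in value):  # covers both zero-length and NUL-padded
                return ""
            return value.decode("utf-8", errors="replace")
    return None


def ie(eid: int, value: bytes) -> bytes:
    """Encode one information element."""
    return bytes([eid, len(value)]) + value


RATES = ie(SUPPORTED_RATES_ELEMENT_ID, bytes([0x82, 0x84, 0x8B, 0x96]))  # 1/2/5.5/11 Mbps, basic
CAPABILITY = 0x0411  # constructed: ESS + privacy (WEP) + short slot time


def build_beacon_body(ssid: bytes, hidden: bool) -> bytes:
    fixed = struct.pack("<QHH", 0, 100, CAPABILITY)  # timestamp, 100 TU interval, capability
    return fixed + ie(SSID_ELEMENT_ID, b"" if hidden else ssid) + RATES


def build_probe_request_body(ssid: bytes) -> bytes:
    # A client looking for a specific (hidden) network must name it here.
    return ie(SSID_ELEMENT_ID, ssid) + RATES


def build_association_request_body(ssid: bytes) -> bytes:
    fixed = struct.pack("<HH", CAPABILITY, 10)  # capability, listen interval
    return fixed + ie(SSID_ELEMENT_ID, ssid) + RATES


# Constructed traffic for a network whose SSID broadcast has been disabled.
SSID = b"corp-wlan"
HIDDEN_BEACON = build_beacon_body(SSID, hidden=True)
CLIENT_PROBE = build_probe_request_body(SSID)
CLIENT_ASSOC = build_association_request_body(SSID)


def what_a_sniffer_sees() -> dict[str, str | None]:
    """SSID recovered from each frame type by a passive observer."""
    return {
        "beacon": extract_ssid("beacon", HIDDEN_BEACON),
        "probe_request": extract_ssid("probe_request", CLIENT_PROBE),
        "association_request": extract_ssid("association_request", CLIENT_ASSOC),
    }


if __name__ == "__main__":
    for frame, ssid in what_a_sniffer_sees().items():
        print(f"{frame:20s} -> {ssid!r}")
```

The beacon yields an empty string, but both client frames carry `corp-wlan` in the clear, which is why hiding the SSID is at best an obscurity measure and belongs alongside, not instead of, the other controls in this section.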




                                                                              www.syngress.com