
Wirelessly Insecure

Ethernet has been with us for a while now, and setting up a network has passed from an arcane art to something most users are happy to do at home. Home-networking kits and improved operating systems (to be fair, I'm mainly referring to Microsoft Windows here) have made the process more or less idiot-proof, and even company networks just aren't very complicated any more.

This has led to a shift in emphasis. Where technical progress used to be concentrated on getting the physical side of the network right, now the concentration is on the applications being deployed on that standard network, and how they work. All of this is good, and has led to applications that are much more network-aware, rather than network-based. The argument about how much intelligence goes on the client will remain with us for a few years yet. The argument about what kind of cable to lay in your office is pretty much resolved (it's Cat 5, just in case you're not clear on that, though I've always preferred BNC).

When moving into a wireless world, it was clear that a similar kind of standard would be useful: something as easy to use as a wired Ethernet network, which allows all the familiar networked applications to run without modification. So wireless Ethernet was born, known properly by the catchy name 802.11, designed to replace network cards and hubs directly with radio transmitters and base stations, and able to integrate seamlessly with the wired network already deployed.

Most people who have set up a wireless Ethernet would agree that the process is as easy as, if not easier than, setting up a wired one. Much the same work is required (without the crawling around on the floor laying cable), and such networks have shown themselves to be reliable and able to add wireless connectivity to a network with very little effort. But to be truly like a wired network, there has to be not only the functionality of wires, but also the security. This is where the current incarnation of wireless Ethernet fails us badly.

Physical Barriers Aren't Enough
Most Ethernet networks aren't secured in the normal meaning of the word. Physical access to the network cables is normally considered to be secure enough for most purposes. Someone breaking into your office and planting a listening device on your cables is unlikely, though not impossible, and most companies are happy to imagine that they would notice such an intrusion. But physical barriers don't limit wireless Ethernet, and an attacker within 100 meters of any base station is ideally positioned to launch an attack against your network. Add to this the fact that most wireless Ethernet cards make ideal platforms to launch such an attack from, and it becomes commercially very sensible to start listening in on your competition.

A great example of the possible subversion of wireless Ethernet is provided by the Driftnet application. This application, available from www.ex-parrot.com/~chris/driftnet, listens in to wireless Ethernet transmissions, and looks at each one to see if it's a graphic file. Any graphic files are then displayed on the screen, showing you what other people are looking at! To quote from the author's Web site: "Obviously, this is an invasion of privacy of a fairly blatant sort. Also, if you are possessed of Victorian sensibilities, and share an unswitched network with others who are not, you should probably not use it."

Clearly, transmitting wireless Ethernet in the same way as Ethernet is transmitted over Cat 5 is a mistake, leaving your network open to (literally) any passerby. The developers of 802.11 were well aware of this, and the protocol specifies an encryption standard that should provide a higher level of security. While not intended to be incredibly secure, the idea was to develop a security protocol that would provide a level of security about the same as that provided by the physical protection inherent in using wires. For this reason the security standard is known as WEP, or Wired Equivalent Privacy, though as we shall see, the level of security provided is considerably less than was intended.

There is also the issue of ease of use. Installing and setting up a wireless Ethernet network is, as already mentioned, very easy, and those doing it are not always aware of the security implications of such a network. WEP is not enabled by default, and must be turned on manually to provide any protection at all. It's not rare for someone installing a network to stop work the minute the network is operational, rarely returning to consider further configuration. Driftnet and other similar applications have shown that most wireless Ethernet networks are completely unprotected, sending corporate data out to anyone within 100 meters who's prepared to spend a few hundred dollars on listening in.

The Key Problem
WEP, when switched on, has several faults, which means even using it provides much less security than might be desired. The first, and most obvious, problem is the key-distribution system, which relies on the same key being manually entered into every device wishing to use the network. While this avoids keys being transmitted over the network, it does involve a large number of users having access to the same key, which is normally represented by a single English word for convenience.

Changing the key, essential to any security system, is therefore quite a project, with every user having to be informed of the new key and technically literate enough to change their network settings. The use of an English word to generate the key also makes guessing the key considerably easier. The knowledge that ASCII characters were used in the key creation considerably reduces the number of keys available. Key length is also limited by the amount of processing available on the wireless network card. While laptop computers may be able to take the load of additional encryption onto their own processors, wireless Ethernet is often used with handheld or embedded devices, which are less able to shoulder the burden.

Knowing that the key was generated from a password is only the first aid to the cryptanalyst; the fact that the type of traffic is known is also a big help. Packet type is not encrypted using WEP, so anyone looking at the network can easily tell what kind of packet is being transmitted. With a knowledge of what those packets look like, the cryptanalysis becomes much easier. It's a fair bet that on any given wireless Ethernet network, a large proportion of packets will be TCP/IP packets, and that proportion will only increase as intranets become even more popular. As TCP/IP packets always start the same way, this provides a piece of encrypted data of which the plaintext (unencrypted version) is known. Through these mechanisms and a couple of others, WEP has now been comprehensively broken.
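The point about packets that always start the same way is easier to see with a small model of WEP's cipher; this is an added illustration, not code from the article. It relies on two facts the article does not state: WEP's cipher is RC4 with a per-frame IV prepended to the shared key, and every IP frame under WEP opens with the same LLC/SNAP header. The key, IV and frames below are constructed sample values.

```python
from typing import Optional, Tuple

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling, then `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Every WEP-protected IP frame starts with this LLC/SNAP header (a fact not
# stated in the article), so its first eight plaintext bytes are predictable.
KNOWN_PREFIX = bytes.fromhex("aaaa030000000800")

def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP body: the 24-bit IV travels in the clear, then RC4(iv||key) XOR data."""
    return iv + xor(rc4_keystream(iv + secret, len(plaintext)), plaintext)

def recover_keystream_prefix(frame: bytes) -> Tuple[bytes, bytes]:
    """Ciphertext XOR known plaintext gives the keystream bytes used under this IV."""
    iv, body = frame[:3], frame[3:]
    return iv, xor(body[:len(KNOWN_PREFIX)], KNOWN_PREFIX)

def expose_with_same_iv(known_frame: bytes, other_frame: bytes) -> Optional[bytes]:
    """If the second frame reused the IV, the recovered keystream reads its opening bytes."""
    iv, keystream = recover_keystream_prefix(known_frame)
    if other_frame[:3] != iv:
        return None  # different IV, different keystream: the known prefix tells us nothing here
    return xor(other_frame[3:3 + len(keystream)], keystream)

# Constructed sample traffic: one 40-bit key, two frames sharing an IV and one that does not.
SECRET = bytes.fromhex("0102030405")
IV = bytes.fromhex("112233")
frame_ip = wep_encrypt(SECRET, IV, KNOWN_PREFIX + bytes.fromhex("4500003c"))
frame_same_iv = wep_encrypt(SECRET, IV, b"secret-payload-1")
frame_fresh_iv = wep_encrypt(SECRET, bytes.fromhex("445566"), b"secret-payload-2")
```

The risk this shows is structural: a stream cipher plus a predictable packet opening leaks keystream, and with only 24 bits of IV the same keystream comes round again on a busy network.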

It was hoped that even if the encryption was insecure, the cost of such an attack would be prohibitive, but even this has turned out to be untrue.

While most wireless Ethernet cards will ignore encrypted packets not addressed to them (thus stopping the kind of trivial attack offered by Driftnet), it turns out that many of these cards use Flash to store their operating procedures. Flash allows the cards to be reprogrammed and updated by the manufacturer, or anyone else with the appropriate technical knowledge. While this may be rare at the moment, you can be sure that tools for such reprogramming will be commonly available very soon. This means that very soon anyone with a laptop computer, the appropriate tools, and a standard wireless Ethernet card will be able to break WEP encryption on your network within a few hours, from the parking lot outside!

While some companies have released enhanced security mechanisms, these are not yet standardized, which can lead to interoperability problems. At the time of writing, several such proprietary mechanisms have been shown to be equally flawed, and while new standards are on the way, it remains to be seen if these will prove more secure even once they're deployed.

How Paranoid Are You?
The amount of damage such an attack can cause depends on the kind of network applications you're using, and the level of paranoia already exhibited by your network administrator. Any services available on your network will become available to an attacker, coming from within your firewall. Services that already require additional passwords or security mechanisms should be secure, but public services will be open to abuse. This could be as basic as your router, allowing an attacker to make use of your Internet connection, or as complex as someone setting up a rival DHCP server and routing all TCP/IP network traffic via their own device. Once an attacker is loose behind your firewall, there are many systems open to attack, and securing them all was something the firewall was supposed to make unnecessary.

One possible solution to the lack of security in WEP should be obvious. Simply place your wireless Ethernet network outside your firewall. Wireless devices will then be treated as unauthenticated users and your applications will be protected by their own security mechanisms (hopefully, assuming such mechanisms are secure against external attack). By treating your wireless users as external threats, you may not gain any friends, and not every application will be suited to such a system. It's also worth remembering that most firewalls only carry TCP/IP packets, so any network application using another protocol won't operate (such as default network printing when using MS-Windows).

Another solution worthy of examination is that developed at Georgia Tech, which addresses many of the issues. Through the use of DHCP, an IP address is allocated upon connection to the wireless network, but all application servers are told not to accept connections from any IP address that has not been approved. In order to use an application, the user must connect to an HTTPS server (using TLS encryption) where he or she can enter a username and password. The server then adds their IP address to the approved list, enabling them to use the network. Though this solution provides only authentication, not encryption, it could easily be extended to encrypt traffic on an application-by-application basis.
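A minimal model of that gateway, added here as an illustration rather than the Georgia Tech code: a DHCP pool, an approved-address list that every application server consults, and an HTTPS login that approves the caller's address. Class and method names, the user table and the approval lifetime are assumptions.

```python
import hashlib, hmac, os, time
from typing import Dict, List, Optional

class WirelessGateway:
    def __init__(self, pool: List[str], users: Dict[str, str], ttl: int = 3600):
        self.free = list(pool)                 # unallocated addresses
        self.leases: Dict[str, str] = {}       # ip -> client hardware address
        self.approved: Dict[str, float] = {}   # ip -> time the approval lapses
        self.ttl = ttl
        # keep salted password hashes, never the passwords themselves
        self.users = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self.users[name] = (salt, self._hash(salt, pw))

    @staticmethod
    def _hash(salt: bytes, pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

    def dhcp_lease(self, mac: str) -> Optional[str]:
        """Hand out an address on association; it starts out unapproved."""
        if not self.free:
            return None
        ip = self.free.pop(0)
        self.leases[ip] = mac
        return ip

    def dhcp_release(self, ip: str) -> None:
        """Revoke approval with the lease, or the next client given this address inherits it."""
        self.leases.pop(ip, None)
        self.approved.pop(ip, None)
        self.free.append(ip)

    def https_login(self, ip: str, user: str, pw: str, now: Optional[float] = None) -> bool:
        """The portal: a correct password approves the address the login came from."""
        now = time.time() if now is None else now
        rec = self.users.get(user)
        if ip not in self.leases or rec is None:
            return False
        salt, digest = rec
        if not hmac.compare_digest(digest, self._hash(salt, pw)):
            return False
        self.approved[ip] = now + self.ttl
        return True

    def app_server_accepts(self, ip: str, now: Optional[float] = None) -> bool:
        """The check every application server makes before serving a connection."""
        now = time.time() if now is None else now
        return self.approved.get(ip, 0.0) > now
```

As the article says, this authenticates but does not encrypt: the list keys on an IP address, so it does not stop traffic from an approved address being read or forged over the air.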

What should be clear is that to rely on WEP to secure your network is foolish for anything beyond the most trivial application. While the IEEE is working on enhancements for WEP and replacements for the authentication mechanism, it remains to be seen if these will offer significant improvements. There is also the question of deployment. While (as already mentioned) many wireless Ethernet cards have Flash memory for reprogramming, what proportion will be able to be upgraded to support more advanced cryptographic processes? For the moment, then, we're stuck with a security system that's becoming as much a false sense of security as anything tangible, and it may be that only by admitting that our wireless networks are completely insecure can we actually start to design secure ones.

Protocols like TLS and Kerberos are designed to work over insecure networks, and it's important to understand that until significant improvements are made, we must accept that wireless Ethernet comes under that heading.

Bill Ray, former editor-in-chief of (and continuing distinguished contributor to) Wireless Business & Technology magazine, has been developing wireless applications for over 20 years on just about every platform available. Heavily involved in Java since its release, he developed some of the first cryptography applications for Java and was a founder of JCP Computer Services, a company later sold to Sun Microsystems. At Swisscom he was responsible for the first Java-capable DTV set-top box, and currently holds the position of head of Enabling Software at O2, a UK network operator.
