The objective of this paper is to provide information on how to create a course that informs students how to secure a wireless local area network (WLAN) through the execution of laboratory exercises. The expectation is that students will work in teams and learn how to design, implement, and secure a wireless network. Students will be provided with different types of tools which will be used to audit and defend their WLANs from known exploits. This course will focus on the implementation strategies for wireless network security. The course will consist of ten laboratory exercises that focus on designing, implementing, auditing, and securing wireless local area networks.
In the past couple of years, wireless local area networks (WLANs) have become increasingly popular. The primary advantage of WLAN is that of not being tied down. “Wireless technology offers a more accessible means of connectivity but does not address the security concerns involved with offering this less restrained service.” (Boscia) The most significant concern in a wireless network is security; it is more susceptible to attacks than a wired network. Not only do WLANs have to deal with the same security problems of wired LANs, but they are also subjected to a new breed of security threats. Regardless of the network in question, wired or wireless, a totally secure network is simply an illusion. Wireless network vulnerabilities include but are not limited to, denial of service attacks (DOS), traffic redirection, eavesdropping, invasion and resource stealing. (Zahur) There are currently two types of solutions for wireless security, unencrypted and encrypted. (Allen) Unencrypted technologies include MAC authentication, firewalls, and wireless gateways. Encrypted technologies include wired equivalent privacy (WEP), virtual private networks (VPN), and 802.1x/802.11i. (Allen) A secure wireless network should implement both unencrypted and encrypted security technologies.
The purpose of this paper is to introduce laboratory objectives and methods for a wireless security course. This paper will describe the development of lab exercises, which will coincide with classroom lectures. This will be an undergraduate course worth 3-credit hours and will be 16 weeks in duration. There will be two hours of lecture and two hours of lab for this course for each week. The students will be expected to work in teams to complete the ten laboratory exercises. Some of these exercises will require an additional lab period for completion. The curriculum discussion begins with a description of the course, a brief overview of various wireless local area network technologies, and protocols. The lab exercises will teach students how to set up a WLAN and some ways to secure it. Then they will be taught to exploit the WLAN and see how each of the security implementations respond. The goal of this course is to teach students different types of wireless security methods and how to secure a wireless network.
There are two objectives to the following lab exercises: provide students hands-on experience based on what they learn in lecture and teach students how to design and implement secure wireless networks. The following are brief explanations of the content of the ten lab exercises. In order to successfully complete the laboratory exercises students will need an access point, wireless network interface cards (WNIC), cable, and hard drives with a dual boot of a Windows operating system and a Linux distribution.
Lab 01, Surveillance
Wireless communications are vulnerable to surveillance because the transmissions are not shielded; there are no firewalls or routers to protect the information. Eavesdropping is used to listen in and sniff packets on a WLAN. The objective of this lab is to demonstrate to students how vulnerable a wireless network is to surveillance and some methods that can be used to surveil a WLAN. Students will use NetStumbler, Kismet, and Ethereal programs to monitor wireless connections.
On the Windows operating system students will install NetStumbler and Ethereal. Kismet will be installed on the Linux platform. Student computers will be setup as clients and each student group should have an access point configured for this lab. Students will then use each of these auditing tools to sniff packets on the network. In order to capture packets students will need to surf the web, check email, and view different newsgroups. After the auditing tools have captured several different types of packets students will identify the transmission control protocol (TCP) streams.
Lab 02, Hardening an Access Point
Wireless local area networks are very easy to locate. “By necessity, wireless access points must announce themselves to the world.” (Gast) Access points (AP) transmit beacon frames which contain the necessary information the client needs to begin a session with the AP. Each AP has a Service Set Identifier (SSID) or Extended Service Set Identifier (ESSID), a unique number used to identify the access point. “By monitoring beacon frames, users with an 802.11 receiver can discover wireless networks in the area simply by putting up an antenna.” (Gast) An attacker can then use the information from the beacon frames to act like an authorized client. The purpose of this lab is to harden an access point against unauthorized users. Students will then try to perform an exploit known as “smurf attack” against a client. A smurf attack is a denial of service attack that overloads a network by sending spoofed broadcast messages. The attacker spoofs or forges a victim’s IP address and sends large amounts of ICMP echo (ping) traffic to the network’s broadcast address. All the other hosts on the network answer to this ping by sending an echo reply and overload the victim computer or network.
First, students will configure media access control (MAC) authentication on the access point. Second, students will configure the AP to stop broadcasting the ESSID. Finally, the students will try to perform a smurf attack against the network by spoofing the MAC and IP address of different clients. This will demonstrate to students the vulnerabilities of an access point.
Lab 03, Hacking WEP Part 1
Wireless networks are vulnerable to eavesdropping. Unauthorized users can intercept and read the transmissions. One way to protect against eavesdropping is to use the Wired Equivalency Privacy (WEP) protocol. WEP encrypts data by defining a set of instructions by which data can be transmitted. WEP provides 40-bit and 128-bit encryption mechanisms and is based on the RC4 algorithm. (Peikari) Although WEP is used to secure wireless communications, it has many vulnerabilities because it uses relatively short keys that remain static. Once an attacker collects enough frames on a wireless network s/he can determine the shared secret key. The objective of the WEP lab is to demonstrate to students how the wired equivalency privacy protocol can be used to secure wireless transmissions. Then they will try to exploit the WEP protocol by using AirSnort. AirSnort is an encryption-cracking program that exploits the weaknesses of WEP. (Peikari) AirSnort passively monitors wireless transmissions and once it gathers enough packets it can extract the secret key, also known as the encryption key. AirSnort is a free auditing tool. (Airsnort)
Students will install and configure the AP and client computers to use the WEP protocol. WEP will be configured on both the Windows operating system and the Linux distribution. They will install AirSnort on the Linux platform of the client computers and sniff the packets traveling through the wireless network. After gathering numerous packets students will attempt to crack WEP by decrypting the shared secret keys.
Lab 04, Hacking WEP Part B
Another way to exploit WEP is to use WEPCrack. WEPCrack is a script program used to crack WEP encryption keys but is only fully functional on Unix-Based systems. It uses several different scripts to capture, log, and crack RC-4 encrypted packets sent by hardware or software using the 802.11b standard. (Peikari) The objective of this lab is to demonstrate to students how WEPCrack operates and breaks encryption keys.
First, students will configure and install WEPCrack on the Linux distribution of their client computers. Second, they will attempt to crack WEP by sniffing wireless transmissions. After students receive numerous packets they will need to convert the files created by WEPCrack into hex or the ASCII equivalent before they can enter it into a wireless network interface card’s settings. (Peikari)
Lab 05, Configure a Denial of Service Scenario
Denial of Service (DOS) is another way to disrupt a wireless network. There are four types of wireless DOS attacks. In the first, an attacker causes excessive network interference, essentially crippling a network. (Zahur) The second is considered a session hijacking because the attacking station sends a disassociate message to a targeted station. (Zahur) Third, is to flood a computer or hardware device with so much information it becomes overwhelmed. (Peikari) The fourth method of DOS attacks crashes the targeted computer by sending a well-crafted command or piece of erroneous data. (Peikari)
In this lab students will utilize wireless packet injection software to execute a DOS attack. The purpose of this lab is to demonstrate to students how a DOS attack works and the different methods of performing one. Students will perform two DOS attacks: session hijacking and overloading the computer with too much information. The first DOS attack students will perform is a buffer overflow attack. Students will install and configure Nemesis, a command-line network program used to create and inject packets into a wireless network. (Nathan) Students will then create large packets and attempt to inject them into the network, to create a buffer overflow attack, which in turn, creates a denial of service. The second DOS attack students will perform is network interference. Students will install a 2.4GHz cordless phone in the same area that the WLAN is installed. Since each device, a wireless network and 2.4GHz phone, operate on the same frequencies they interfere with each other. The phone will have bad reception and the wireless network will go down frequently. Another way to perform a DOS attack is to use a 1000 watt transmitter and point it at the AP. (Sawicki) This attack cripples a wireless network because the radio signals are broadcast at the same frequency of the wireless network and it blocks all other transmissions. Bluetooth is another way to implement a wireless network; and it can also be used as a DOS attack. If a Bluetooth wireless network and a 802.11b wireless network are created around each other then they could cause interference on both networks and cause each other to go down.
Lab 06, Virtual Private Networks
One method of securing an access point is to use a Virtual Private Network (VPN). “VPNs create encrypted channels to protect private communication over existing public networks.” (Peikari) To secure wireless networks, VPNs use a combination of tunneling, encryption, authentication, and access control. Although it is important to use VPNs to safeguard a system, used alone they can be vulnerable to attack. VPNs can serve as a path through a firewall (Farrow).
The first objective of the VPN laboratory is to teach students how to configure a VPN server and client on a Windows based operating system. The second objective is to authenticate to the server using their clients. Students will first create and install a VPN server. Second, they will install VPN client software on a student’s computer. Third, students will authenticate the VPN client to the VPN server. Finally, they will sniff the wireless traffic to try to find vulnerabilities in the VPN tunneling.
Lab 07, Intrusion Detection Systems
Intrusion detection systems (IDS) are yet another form of security for a wireless network. An IDS monitors computer systems for intrusions and logs traffic patterns. (Vines) As with the previous security implementations, used alone IDS can be vulnerable. The most common exploit against IDS is fragmentation or packet splitting. (Peikari) Two other attack methods are spoofing and http mutation. The objective of the IDS lab is to install and configure IDS software. Students will then create detection rules for their IDS.
Students will begin this lab by installing Snort on their Windows operating system. Snort is a freeware signature-based IDS that consists of a packet decoder, a detection engine, and a logging and alerting subsystem. Then students will create detection rules to help safeguard their wireless network. Students will test the exploits of the IDS by using auditing tools.
Lab 08, Designing a Wireless Network
The purpose of this lab is for students design a totally hardened wireless network. They will use all of their previous knowledge and skills to try to design the most secure wireless network possible. Students will begin this lab with a clean dual install of a Windows operating system and a Linux distribution.
There are many factors that need to be considered when designing a wireless network. The first question that needs to be asked is what are the requirements of the users of an organization and does the current network meets these requirements. If it does not, the needs of the organization and its users need to be assessed. The administrator needs to define the current problems with the network, the requirements of the network, and solutions to the problems. The purpose of the organization, expected growth, size of the organization, types of users, and current layout of the network all need to be taken into consideration before deciding on designing a new wireless network. Second, the organization needs to decide what type of network they want, weighing the pros and cons of wired and wireless. Third, once they decide on the type of network, administrators need to determine if their current equipment is compatible with a wireless network and what protocol they will use. Fourth, the organization needs to create a network diagram of the current layout of the network and what they want the layout of the organization after the implementation of the new network. This will help the company decide of the types of APs. Fifth, an organization needs to create a budget for the upgrade and determine how much the upgrade will cost. The selection on wireless equipment will depend on what equipment is currently being used in the existing network. Sixth, the new wireless network should be designed. Included in this design should be: what mode is being used, peer-to-peer or infrastructure, where the APs will be located, where the users will be located, where the wiring closet will be located, and where the servers will be. Seventh, the organization needs to decide how they will secure their wireless network. Finally, the organization will have to create a training session to teach the users how to use the new network (Ciampa).
For this lab, students will take on the role of the Information Technology (IT) department of an organization. The students will design a secure wireless network based on the current and future needs of the organization and its users. They will create documentation on the requirements of the network, the current layout of the network, and the current problems of the network. Students will take into consideration the 8 factors listed above and develop and document a new wireless network.
Lab 09, Implementing a Wireless Network
The objective of this lab is for students to implement the wireless design they created in the previous lab. The students’ second task will use their existing knowledge of the different types of vulnerabilities in a wireless network to try to create a secure wireless network. Students should execute multiple layers of security to protect their networks.
First, students will install and configure the wireless network they designed. Second, they will document the entire setup of their wireless network and create a network diagram. Third, students will use a variety of security technologies to harden their network from vulnerabilities. An IDS should be installed, the access point should be secured, WEP encryption should be used, and a VPN server and client should be configured. Finally, students will ensure their network is secured against exploitation.
Lab 10, Attacking a Wireless Network
This laboratory exercise focuses on finding and exploiting wireless networks. Once found students will try to scan the network for vulnerabilities. They will then try to exploit any vulnerabilities found in the wireless network. This will demonstrate to students where the weaknesses in the wireless network are and give them a chance to correct the issues. They will use various attack methods such as auditing tools to break the network. The objective of this lab is to teach students how to locate and exploit vulnerabilities in a wireless network. This will illustrate to students what vulnerabilities exist, how they work, and how to secure against them.
First, students will install an intrusion detection system on their wireless network to log any attempts to exploit the network. Second, students will try to locate vulnerabilities in a network by scanning it with NetStumbler, Kismet, and Ethereal programs. Third, students will try to exploit access points using a smurf attack. Forth, student will try to exploit WEP by using AirSnort (Airsnort) to manipulate the encryption algorithm. Students will also use WEPCrack to crack WEP’s encryption keys. Finally, students will try to perform a DOS on the wireless network using a cordless telephone and Nemesis.
This sequence of labs will help students develop an enhanced awareness of wireless local area network security concerns. Students will learn how to take a proactive approach in preventing wireless network attacks. This course not only focuses on theories but practical implementations as well. Students will learn how to work together and brainstorm problems. The setup of this course will give students the ability to foster student-teacher interaction and student reflection. Upon completion of this course, students will be able to design, implement, and secure a WLAN.
Allen, J. & Wilson, J., (November 2002). “Securing a Wireless Network,” Proceedings of the 30th Annual ACM SIGUCCS Conference on User Services.
Boscia, N. & Shaw, D., (n.d.) “Wireless Firewall Gateway White Paper,” NASA Advanced Supercomputer Division, Retrieved October 30, 2004 from http://www.nas.nasa.gov/Groups/Networks/Projects/Wireless/
Ciampa, M., (2001) Guide to Designing and Implementing Wireless LANs. Boston: Course Technology.
Elorriaga, J., Gutierrez, J., Ibanez, J., Usandizaga, I., (June 1999). “A Proposal for a Computer Security Course,” ACM SIGCSE Bulletin, Volume 31, Issue 2.
Farrow, R., (June 2002). “VPN Vulnerabilities,” Network Magazine, Retrieved October 30, 2004 from http://www.networkmagazine.com/shared/article/showArticle.jhtml?articleId=8703359&classroom=
Gast, M., (April 2002). “Wireless LAN Security: A Short History,” O’Reilly Network, Retrieved October 30, 2004 from http://www.oreillynet.com/pub/a/wireless/2002/04/19/security.html
Geier, J., (June 2002). “802.11 WEP: Concepts and Vulnerability,” Wi-Fi Planet, Retrieved October 30, 2004 from http://www.wi-fiplanet.com/tutorials/article.php/1368661
Mateti, P., (January 2003). “A Laboratory-Based Course on Internet Security,” ACM SIGCSE Bulletin, Proceedings of the 34th SIGCSE Technical Symposium on Computer Science Education, Volume 35, Issue 1.
Nathan, J., (n.d). “Nemesis,” SourceForge.net, Retrieved October 30, 2004 from http://nemesis.sourceforge.net/.
Peikari, C. & Fogie, S., (2003). Wireless Maximum Security (chap. 4 & 5). Indianapolis: Sams Publishing.
(Project: Airsnort: Summary, 2001), Retrieved October 20, 2004 from http://sourceforge.net/projects/airsnort.
Sawicki, E., (Apri 2002). “Wireless and Denial of Service Attacks,” Biznix.org, Retrieved October 30, 2004 from http://www.biznix.org/articles/wirelessdos.html.
Sivalingam, K. & Rajaravivarma, V., (March 1999). “Education of Wireless and ATM Networking Concepts Using Hands-On Laboratory Experience,” ACM SIGSCE Bulletin, The Proceedings of the Thirtieth SIGCSE Technical Symposium on Computer Science Education, Volume 31, Issue 1.
Tikekar, R. & Bacon, T., (May 2003). “The Challenges of Designing Lab Exercises For a Curriculum in Computer Security,” Journal of Computing Sciences in College, Volume 18, Issue 5.
Uskela, S., (December 1997). Security in Wireless Local Area Networks (chap. 4). Retrieved October 30, 2004 from http://www.tml.hut.fi/Opinnot/Tik-110.501/1997/wireless_lan.html#Conclusions
Vines, R., (2002). Wireless Security Essentials (chap. 5). Indianapolis: Wiley Publishing, Inc.
Yates, R., (April 2000). “An Overview of the Wireless Information Network Laboratory (WINLAB) at Rutgers University, NJ, USA,” ACM SIGMOBILE Mobile Computing and Communications Review, Volume 4, Issue 2.
Zahur, Y. & Yang, A., (January 2004). “Wireless LAN Security and Laboratory Designs,” Journal of Computing Sciences in Colleges, Volume 19, Issue 3.