WiFi and Remote Access

1) Wi-Fi Network Security and Non-PC Wireless Devices

a) Wireless Networking Standards and Security

IEE 802.11 standard:govern the most widely used wireless computer networking technology. They ensure that many devices that make up an Ethernet-based network – including wireless and wired devices can operate together despite different types of cables and speed. The IEEE 802.11 standards are defined at the Data Link and Physical Layer of OSI Reference Model. They operate in 2.4 to 5 GHz radio frequency (RF) band. A number of 802.11 standards have been ratified and most wireless systems support multiple standards.

The 802.11a standard uses Orthogonal Frequency Division Multiplexing (OFDM). This modulation technique is used for transmitting large amounts of digital data over radio waves. It has a capacity of 54Mbps per channel with real throughput at about 31Mbps. It operates at frequency of 5GHz that supports 8 overlapping channels. OFDM offers significant performance benefits over the more traditional spread-spectrum systems.

The 802.11b standard uses Direct Sequence Spread Spectrum (DSSS). It is one of the most popular 802.1x technologies and has a capacity of 11Mbps per channel, with real throughput at about 6Mbps. It operates at a frequency of 2.4GHz which supports three non-overlapping channels.

The 802.11d standard defined to produce versions of 802.11b that are compatible with other frequencies. Hence it can be used in countries where the 2.4GHz band is not available.

The 802.11F standard defined to improve the handover mechanism in 802.11 so that users can maintain a connection while roaming. Its objective is to give network users the same roaming freedom that cell phone users have.

The 802.11g standard is a combination of 802.11a and 802.11b, which can either use DSSS or OFDM. It has a capacity of 54Mbps per channel, with a real throughput at about 12Mbs. It operates at a frequency of 2.4GHz.

The 802.11.h standard attempts to improve on 802.11a by adding better control over radio channel selection and transmission power.

The 802.11i standard deals with security. On its release, it was an entirely new standard based on Advanced Encryption Standard (AES). This standard includes a feature called Robust Security Network (RSN), which definestwo security methodologies: the first is for legacy-based hardware using RC4 cipher and the second is for hardware based on AES.

The 802.11j standard enables 802.11a and HiperLAN2 networks to coexist in the same airwaves. 802.11j made changes to the 5GHz signalling capabilities to support regulatory requirements in Japan.

The 802.11n aims for significant improvements on previous standards with throughput of over 100Mbps.

To create a wireless LAN (WLAN), an access point and clients with wireless networking adapters supporting 802.11 standards are required. The 802.11 standard defines an access point as a device that functions as a transparent bridge between wireless clients and an existing wired network.

Access points often integrate other networking functions. Many include 10BaseT networking ports for connecting wired devices and also function as switches. They may also have routing capabilities and often include firewall functions. Linksys WRT wireless router is an example of multifunction access point.

When setting up an access point, a service set identifier (SSID) has to be assigned, which is essentially a name of the user’s/organisation’s wireless network. Access points typically broadcast their SSIDs. This way, clients can detect the presence of a nearby access point. These broadcasts usually identify their security mechanisms; enabling clients to auto configure connections.

Wireless network security: There are four security components on a wireless network:

  • Access control: involves controlling which clients can access an access point. The simplest but least effective to control access to an access point is to disable SSID broadcasts for hiding its presence. However, the access point’s SSID is included in routing client-to-access point traffic. Hence it is easy for appropriately configured devices to detect SSIDs that are not explicitly broadcast. A stronger means of access control is to enables Media Access Control (MAC) filter on an access point. The MAC address is the hardware-level address of a client’s network adapter. On most access points, a list of permitted or blocked MAC addresses is entered. However, a valid MAC addresses are transmitted across a wireless network which can be detected by a malicious user. The malicious user can then configure its computer to impersonate the specific MAC address and hence likely to gain access to an access point.

  • Encryption: involves encoding communications between an access point and clients so that can’t be read by unauthorized users. Various techniques can be used to encrypt communications between access points and clients. To make a connection, client must use the same encryption scheme that is used on the system and possess the appropriate encryption key. Once connected, either or a static or a dynamically-changing key provides ongoing encryption. Ideally, encryption blocks unauthorized connections to an access point and protects data streams from eavesdropping.

  • Authentication: involves verifying the identity of clients before granting the access rights they’ve been assigned for an access point. An access point can authenticate the identity of a client using a system similar to logon authentication using a username and password. Authentication typically requires the use of additional software or hardware devices such as a Remote Authentication Dial-in User Service (RADIUS) server.

  • Isolation: is a means of segregating network traffic. There are two types of isolation:

    • Wireless client isolation: is also called access point isolation, where wireless clients are put onto individual VLANs so that they cannot access each other. This is commonly used in public wireless networks to prevent one user from accessing another user’s computer.

    • Network isolation: enables to isolate a network from outside access but still grant client access to certain predefined parts of the network. For instance, a wireless client is permitted to access the Internet and the corporate mail server but prevent access from accessing other wired nodes such as a file server. Some access points offer network isolation through custom routing configurations. Network isolation can also be enabled through general network design and firewall configuration.

Access points introduce certain vulnerabilities to wireless networks. They are susceptible to:

  1. Physical security risks

  2. Firmware vulnerabilities

  3. Fraudulent use of default administrator accounts

Additional risks associated with wireless networks include their use of:

  • One-way authentication mechanism: wireless networks use one-way authentication mechanism. Here, once authentication is completed, an intruder can generate a signal that tricks the client to think it has disconnected from the access point. Meanwhile, the intruder begins to send data traffic to the server, pretending to be the original client.

  • One-way client connection requests: A client request for a wireless network is a one-way open broadcast. This gives an opportunity to an intruder to act as an access point to the client and pose them as real network access point. Consequently, the intruder can watch all data transactions between the client and the access point and then modify, insert or delete packets at will.

Data emanation can also be a security risk, although it can hardly be exploited. Almost all computing devices emit electromagnetic radiation. Unintentionally, such emanations can transmit data. It may be possible to capture and decode those emanations and reconstruct the data they represent. AS emanated signals are weak and don’t travel far, it requires eavesdropper to be very close to the leaky equipment. Moreover, it is computationally difficult to reconstruct data from electromagnetic nose. However, while designing an extremely secure network, the risk associated with data emanation should be considered.

Security is not configured in wireless access points, when setup right out of the box. By default, they broadcast their presence. Unsecured access points in an otherwise secured network are sometimes called rogue access points and represent a significant vulnerability.

Wi-Fi scanners can detect the presence of wireless signals within a given range. They indicate which security measures are in place on the network. There are also tools such as Airsnort, Aircrack or NetStumbler to scan for WLANs. Those tools are intended to find wireless networks for legitimate networking purposes. In many cities, free wireless networks are available for public use. However, those tools are often used to access unauthorized wireless networks.

Wi-Fi scanners are used for:

  • Wardriving: is the practice of scanning for open wireless access points in a region. Several websites provide detailed information locating unsecured networks.

  • Warchalking: is the process of marking building curbs and other landmarks to indicate the presence of available access points and their connection details.

b) Wireless Configurations and Transmission Encryption

Wireless configurations: WLANs links two or more computers or devices in a limited area without the devices being connected by cables. Users can thus move around freely within the coverage area and still remain connected to the network.

Wireless Application Protocol (WAP): is an open international standard for use with handheld digital devices. It was developed to enable mobile wireless users to connect to the Internet and other services. Handheld digital device support the services by running any of the various operating system such as PalmOS, Windows CE, JavaOS, Android, etc. The browsers used on WAP-enabled clients are similar to the standard Internet browsers on traditional computers, and the URLs for WAP are the same as on traditional networks. WAP URLs are also used to identify local resources in the WAP-enabled client.

WAP is supported by most wireless networks. The WWW architecture serves as its operational model. The main model of this architecture includes the client, gateway and original server that provide WAP service.

WAP Push – enables WAP content to be pushed to a mobile handset with a minimum intervention by the user and wireless telephony architecture (WTA) are enhancements that have been added to the WAP architecture.

As in traditional networks, proxy servers and supporting servers can be used in WAP network to provide PKI services, user profile support and provisioning support.

Wireless Transport Layer Security (WTLS) was developed to improve security and reliability for WAP clients and servers. It is based on TLS protocols which are based on SSL. As WAP applications normally have limited resources such as memory, bandwidth and processor capabilities, several changes have been added to the original protocols for WTLS. These changes include:

  • The use of datagram protocols and connection-oriented protocols

  • The use of extended round-trip times

  • Lower use of bandwidth and memory, and reduced requirements in terms of processor capabilities

The IEEE802.11 standards were developed as an equivalent to the 802.3 standards, but for wireless networks. However, the two sets of standards include significant differences. For instance, 802.11 standard deals with potential collisions using CSMA/CA, whereas the 802.3 standard use CSMA/CD.

Following are the reasons for developing a new standard for WLANs:

  • Wireless devices need to detect and communicate with each other

  • The absence of direct communications causes security risks

  • The connected users are mobile

  • Various topological possibilities exist

Wireless clients can communicate in the following modes supported by the 802.11 standards:

  • Ad-hoc mode: ad-hoc networks are usually created spontaneously and informally by users who are within communicating range of each other.

  • Infrastructure mode: networks in the infrastructure mode are more permanent and structured. This structure is provided by one or more access points that form part of a fixed wired network. Through the access points, wireless clients connect to the wired network.

When large-systems routers are purchased for a wireless network such as Cisco, a key feature is for the cost is the operating system for the device. Vendors spend considerable effort creating software that gives network professionals the tools need to fully configure every aspect of a device’s functions. But in case of small-networks routing devices, they typically provide basic software that offers only the most commonly needed functions.

Replacement firmware for managing routers typically adds features and capabilities not included in the original software supplied by the vendors. Examples of these features are IPv6 support, RADIUS authentication or QoS preferences. Here is some of the replacement third-party router management firmware:

  • DD-WRT: is the most widely used. It offers a huge range of features and boasts support for a variety of routers.

  • Openwork: is completely command-line based and hence is small and fast with little overhead but if more difficult to use.

  • Tomato: features informative graphics and the core add-on features needed by most home and small business users.

  • FreeWRT

  • HyperWRT

It should be noted that before installing third-party router management firmware, it is important to check that the firmware is compatible with the router. Depending on the router and the firmware chosen for installation, various additional features and configuration options has to be chosen. Some of the most common security-enabled options that could be enabled are:

  • Access point isolation: enabling access point isolation enhances the security of clients in a wireless network. It prevents wireless clients from communicating with each other via the wireless router.

  • Maximum client settings: used for limiting the number of wireless clients that can connect through the router.

  • SSH settings: ssh encrypt connection sessions which provides more secure channel than an open, unencrypted HTTP or telnet session.

  • Telnet settings: offers terminal or command-line means of managing router.

  • Management access settings: defines the network connections to the router. For instance, management access over a wireless connection can be disabled so that a hacker who isn’t connected to the WLAN is prevented from attempting to reconfigure the router.

  • Settings for blocking ActiveX, Java and peer-to-peer (P2P) content: enables to control bandwidth usage and control common entry points for malicious software.

Transmission encryption techniques: Transmission encryption limits which clients can connect to the access point and protects data from eavesdropping during transmissions. Methods for transmission encryption include:

  • Wired Equivalent Privacy (WEP): WEP uses 64-bit or 128-bit symmetric encryption cipher. This is the least secure method. However, it is only viable option for clients using the 802.11b standard and older wireless clients. There are various widely published security weaknesses in WEP.

  • Wi-Fi Protected Access (WPA) Personal: WPA was developed to overcome the weaknesses in WEP. It uses RC4 symmetric cipher with a 128-bit key. WPA uses a pre-shared key (PSK) in which a passphrase must be entered on the access point and clients. The actual encryption is built from the entered passphrase and various other data, such as the sending node’s MAC address. With the Temporary Key Integrity Protocol (TKIP) option, the full encryption key changes for each packet.

  • WPA2: is based on WPA and includes more features from 802.11i standard. Notably, WPA2 uses AES cipher for stronger encryption.

  • WPA Enterprise: works in conjunction with an 802.1X authentication server, which distributes unique keys to each individual. Communications between the client and access point are encrypted using the individual’s key.

  • RADIUS: uses a specialized server for authentication and WEP for data encryption.

  • 802.11i: standard defines security mechanisms including encryption methods, for wireless networks.

The WEP protocol was introduced by the IEEE as a security measure for individual transmissions over WLANs. The objective of WEP is to provide privacy by encrypting and decrypting wireless transmission with a shared key. It also offers authentication. Up to 4 keys can be defined on an access point and client. These keys can then be rotated for extra security. The benefits of using WEP include

  • Data integrity: WEP provides a degree of data integrity by encrypting transferred data through a CRC-32 checksum.

  • Privacy: with WEP is provided through the use of RC4 stream cipher. Encrypted messages cannot be decrypted without possession of the secret key.

  • Easy implementation: for implementing WEP, the encryption key has to be set on the access point and on each of the clients.

  • Unlimited keys

  • Basic security

The WEP encryption process involves the following steps:

  1. Performing an integrity check: an integrity check algorithm is first run on a plaintext message in order to guarantee the integrity of messages. This creates an integrity check values (ICV). The 32-bit cyclic redundancy check (CRC-32) is specified by 802.11 standards for this function.

  2. Adding an integrity check value (ICV): ICV is then added to the end of the original plaintext message.

  3. Generating an initialisation vector (IV) and running the Key Scheduling Algorithm (KSA): a random 24-bit IV is generated and added to the beginning of the 40-bit or 128-bit secret key. The secret key is distributed through out-of-band method. The chain formed by the IV and secret key is then fed through RC4 KSA.

  4. Creating a seed value for the pseudo-random number generator (PRNG): the RC4 KSA generates a seed value for the WEP PRNG, which in turn puts out the encrypting cipher stream.

  5. Producing cipher text: the plaintext/ICV combination is combined with the cipher stream through the exclusive (XOR) logical disjunction. This produces the WEP cipher text.

  6. Transmitting the cipher text messages: finally, IV is added to the beginning of the cipher text. This combination is encapsulated and then transmitted.

To strengthen the encryption, a new IV is used for each frame, which means the RC4 value will change for each string that is generated. But the problem is that the IV is only a 24-bit space and soon all the options are used. They will then be resued, making it possible that two messages will be encrypted with the same IV and key. Attackers can use an exclusive (XOR) operation against the two messages to cancel out the key stream. And if they know the contents of one message, they can easily deduce the contents of the other.

WEP strengthens security by placing a checksum in each frame. This defends against attacks where a known piece of known text is inserted to try and reveal the key stream. The checksum will discard any such frames that have been tampered with.

 c) Non-PC Wireless Devices

There are security implications involved when using system hardware and wireless non-PC peripherals such as USB devices, cell phones and removable storage devices. If network connectivity is enabled for non-PC devices without considering the security threats to which they are vulnerable, these portable devices might provide attackers with a means to compromise system’s security.

Device-to-device issues: are the security risks involved when one mobile device accesses another. Common security risks of device-to-device communications:

Vulnerability

Descriptions

Security risk

Bluejacking

Users send unsolicited messages over Bluetooth wireless links to other devices. Typically these messages are harmless advertising, spam-like messages.

Generally there is no risk beyond user confusion as to why some message appears on their phone.

Bluesnarfing

It is a form of unauthorized access of a device over a Bluetooth connection. Ideally, hackers can obtain address books, files, call records, over a Bluetooth link. Additionally, hacker could also install a virus on an unsuspected user’s device, perhaps even turning the device into zombie so that it propagates the virus to other devices.

Generally, the risk is low as devices must be paired in order for bluesnarfing to work. Known flaws in Bluetooth protocol have been patched to prevent unauthorized pairing.

Bluebugging

A hacker takes control of a victim’s phone to make calls and perform other functions as if the hacker had physical possession of the device. Hackers can also bluebug to eavesdrop on an existing call.

The risk is modest where the hacker could incur usage or other charges without the victim’s knowledge or consent.

 Most Bluetooth-related attacks can be prevented through prudent device configuration. Bluetooth on user’s phone should be disabled unless it is necessary to connect to Bluetooth devices such as a hands-free headset. Furthermore, auto-discovery and auto-pairing should also be disabled as they make wireless devices more susceptible to security attacks. With auto-discovery enabled, Bluetooth devices can learn of their presence to each other. Devices broadcast their availability. Bluetooth has a range of about 10meters although some laptops and PCs can have even further each.

If an auto-discovery is enabled, a phone or other wireless device is more susceptible to bluehjacking attacks although it is unlikely to be vulnerable to bluensnarfing and bluebugging attack as both attacks exploit auto-pairing.

If an auto-pairing is enabled, nearby Bluetooth devices can automatically connect to the user’s phone which makes them vulnerable for bluesnarfing or bluebugging.

Infrastructure issues: are security threats caused by an improperly configured peripheral or mobile device that connects to the organisation’s network and consequently pose a security risk. Common security vulnerabilities caused by infrastructure issues are as follows:

Vulnerability

Description

Security Risk

Airsnarfing

A hacker configures their computer to masquerade as an access point. Victims connect to airsnarf AP instead of real AP.

When victims connect, their usernames and passwords can be captured. Furthermore, the hacker could potentially access local resources on the victim’s computer. Hence the potential of damage is high.

Slurping

An attacker uses a removable storage device to steal data.

Both the risk and consequences of slurping can be high.

Pod slurping

Slurping using a wireless mobile device such as an iPod.

Same risk and consequences as that of slurping.

 2) Remote Access and VPNs

a) RADIUS, Diameter and LDAP Remote Access

Telecommuters and travelling employees often need network access beyond a basic Internet connection. They might for instance require an access internal file server, application server or printer. In those situations remote access solutions such as Remote Authentication Dial-in User Service (RADIUS), Diameter and Lightweight Directory Access Protocol (LDAP) might enable to provide the necessary connectivity solutions.

Access security is implemented in three phases, known as AAA:

  1. Authentication: is the stage in which a user’s identity is verified. This could be done using a username and password, smartcard or biometric scan.

  2. Authorization: is the stage after success authentication in which the user is granted the permissions necessary to access network resources.

  3. Accounting: is the final stage that involves tracking the user’s actions. This includes the time duration for the user connected to the network, the systems/resources accessed or the amount of data transferred.

RADIUS: is a client/server system that provides centralized AAA remote access services. Although originally developed for dial-in user authentication, RADIUS is often applied to wireless and VPN connections. RADIUS has two server roles:

  • RADIUS client: this role is provided by the Network Access Server (NAS), also called as the Remote Access Server (RAS). The RADIUS client accepts user connections and passes authentication requests to the RADIUS server. Once connections are authenticated, the RADIUS client acts as a middleman between the user’s system and the RADIUS server for authorisation and accounting functions. The RADIUS client could be located on the corporate LAN or at a remote site.

  • RADIUS server: provides all AAA services but communicates with RADIUS client rather than directly with the end user’s system. A RADIUS server can authenticate connections against a variety of information stores. These include a flat file, a proprietary RADIUS database, and a UNIX password file, a Network Information Service (NIS) or Active Directory (AD). The RADIUS server is located on the corporate LAN.

The RADIUS authentication process involves actions by the user; RADIUS client and RADIUS sever and follows a specific process:

  1. The user connects to the RADIUS client.

  2. The RADIUS client requests authentication information via a username/password or Challenge-Handshake Authentication Protocol (CHAP) challenge.

  3. The user supplies their logon credentials.

  4. The RADIUS client encrypts the password if necessary and forwards the credentials to the RADIUS server.

  5. The RADIUS server authenticates the user and replies with an Accept, Reject or Challenge message.

  6. The RADIUS client receives the message and acts accordingly. If accepted, the user’s connection is finalised. If rejected, the user will either be re-prompted for their credentials or if the maximum number of requests is reached, the user is disconnected. If challenged, the user is prompted for further credentials, which are used to further tailor their connection and the services to which they have access.

In RADIUS, a realm defines a namespace. It also determines which server should be used to authenticate a connection request. Realm names are formatted like Internet domain names, although they have no actual relation to domains. For instance a user’s full RADIUS name might be user@radiusserver.com, where radiusserver.com is the realm. RADIUS defines three types of realms, which essentially define three configuration possibilities at the RADIUS client. The realm types include:

  • Named realms: refers configuring the client to use a specific RADIUS server for the give named realm. For instance, authentications for abc.com to RadServerA, whereas those for xyz.com to RadServerB.

  • Default realms: refers defining the server to use authentication of realms not listed explicitly in the client configuration. In other words, the user logon name contains a realm that is not listed in client configuration.

  • Empty realms: refers defining an empty realm to use i.e. when a customer’s login doesn’t contain a named realm.

Named realms can be cascaded or joined in a chain. For example, user1@abc.com@xyz.com describes a cascade. Authentication requests are sent to the cascaded server in order. A request is first sent to the server configured to authenticate for the abc.com realm and then to the next server for xyz.com realm.

RADIUS authentication and authorization functions are described by RFC 2865, whereas its accounting functions are described by RFC 2866. The RFCs defined UDP ports 1645 and 1646 for those traffic streams. These are the defaults used by Cisco and Juniper Network products. Prior to those standards, RADIUS authentication and authorization traffic used UDP port 1812 and RADIUS accounting used port 1813. But most RADIUS products can use either set of ports.

The RADIUS client and server communicate over a channel that is secured via a shared secret key, which is never sent over the network. Instead, the installer must configure each system with the key prior to deployment. Moreover, a client’s authentication messages which are ultimately forwarded to the RADIUS server are encrypted via the Extensible Authentication Protocol (EAP).

There are five guidelines for RADIUS communication security:

  • While configuring multiple RADIUS client server pairs, a unique secret key should be used for each pair to reduce the opportunity for spoofing attacks.

  • A long secret key should be used. RFC 2865 recommends at least 16 characters long. Keys over 22 characters are required to provide sufficient complexity to thwart most dictionary-based attacks.

  • The RADIUS server doesn’t authenticate message from the client and is therefore open to IP-spoofing attacks. To prevent such attacks, systems are to be configured to use MD5-hash Message-Authenticator attribute in all Access-Request messages.

  • Authentication attempt limits should be enables which refers to the number of times a user can attempt to authenticate before being locked out – to prevent brute-force and dictionary-based attacks.

  • By default, RADIUS uses a relatively weak stream cipher with MD5-based hashing for user passwords. Hence IPSec with Encapsulating Security Payload (ESP) is recommended to use in order to provide more secure transport of RADIUS messages.

The distributed client/server architecture of RADIUS provides the following benefits:

  • Improved security: authentication is centralised at the RADIUS server and may be integrated with the core network’s authentication system. This eliminates the need to configure each remote-access connection point. It also eliminates potential duplicates and reduces opportunities for insecure configurations like short or empty passwords.

  • Scalable architecture: since a single RADIUS server can authenticate requests for many RADIUS clients, users can connect to various resources as they travel while still being authenticated by the same server.

  • Interoperability: the RADIUS architecture is defined by widely accepted and long-established Internet standard. Hence it can be integrated and compared with products from various vendors. Moreover, vendor-specific customisations can be made without breaking its core functionality. For instance, a product can be integrated with Active Directory that authenticates Windows, Macintosh and Linux workstations.

Diameter: Diameter is a new protocol designed as a successor to RADIUS with backward compatibility. It is defined by RFC 3588 and specifies a minimum set of AAA services and functionality that must be provided. Vendors can extend Diameter to provide additional functionality by creating a Diameter application, which refers to a protocol that works within the Diameter framework.

Diameter provides the following improvements over RADIUS

  • Regulated data flow: Diameter uses a windowing scheme to regulate the flow of UDP packets.

  • Error notification: A server can be configured to notify clients of problems by sending it error notification messages.

  • Message acknowledgement: A server can be configured to send message acknowledgements to inform clients that data has been received properly.

  • Reduced processing requirements: Diameter uses a 32-bit alignment scheme that can be more efficiently handled by most devices.

  • Improved security: Diameter supports end-to-end security through IPSec, TLS or both. Message tampering can be detected and handled. Diameter also supports challenge/response attributes which can be used to prevent authentication replay attacks. Moreover, Diameter supports mutual authentication through which the client ensures that it has connected with a legitimate server.

LDAP: Lightweight Directory Access Protocol is the industry-standard protocol for network directory services. LDAP systems store information about users, network resources, file systems and applications. Applications and services can use LDAP data repository to locate and store such configuration information.

Most of the RADIUS and Diameter servers support using LDAP as a remote access configuration repository. FreeRADIUS is an example of a RADIUS server solution that features LDAP integration.

LDAP is a critical network service and is hence a prime target for internal and external attacks. Such attacks can be categorised in a number of ways. But the main point is to consider attacks again the data catalogued within the LDAP database and attack against the LDAP system itself, typically for the purpose of shutting down or destroying the services.

A successful attack against an LDAP database would enable a hacker to

  • Gain unauthorized access to data.

  • Gain unauthorized access to network resources.

  • Modify or delete the LDAP data.

  • Impersonate LDAP functions to gain further and more privileged access to the network or its resources.

Attacks on an LDAP database often involve spoofing, hijacking valid sessions or brute-force attacks against the authorization mechanisms.

An attack against an LDAP system could enable hacker to

  • Prevent legitimate users from accessing resources, in the case of a DoS attack.

  • Redirect access requests to imposter resources, for example to trick user into accessing the wrong shared folder.

  • Hide attempted or successful attacks on the data stored in the LDAP database.

Attacks are more targeted at the LDAP server’s operating system or the LDAP control software. An attacker could also attack support server such as the database server that stores the data managed by the LDAP system.

To access the LDAP directory service, the client must first authenticate itself to the LDAP server by performing a Bind operation. LDAP supports three Bind methods:

  • Simple Bind: here, the client sends its distinguished name (DN) along with a plaintext password. Such connections should be protected through TLS. During the Bind operation, the client specifies the LDAP protocol version to be used, which is typically LDAPv3 although other versions are available.

  • Simple Authentication and Security Layer (SASL) Bind: strong authentication methods are supported in a SASL Bind operation. For instance, the client and LDAP server can use Kerberos authentication or the client can send its security certificate over a TLS link.

  • Anonymous Bind: here, the client sends a message with an empty DN and password. This resets the connection to a non-authenticated or anonymous state.

b) TACACS+ and 802.1x Remote Access and NPS

TACACS+: Terminal Access Controller Access Control System is a proprietary authentication protocol developed by Cisco Systems. Like RADIUS, it is designed to provide centralised and scalable authentication. It also provides authorisation and accounting functions. TACACS+ is the current version of the protocol and is not compatible with TACACS and XTACACS, the earlier ones.

TACACS+ uses TCP port 49. Since it uses TCP it provides acknowledgement for the request that have been received. If a client or server doesn’t respond to a request within a predetermined time, it indicates that the request has failed. Unlike RADIUS, TACACS+ provides for message-based encryption and hence reduces the need for using IPSec or other means to secure authentication messages. TACACS+ server can be configured to use separate databases and configurations for each AAA function. It is also possible to choose separate TACACS+ servers for each of the functions.

TACACS+ supports username/password, AppleTalk Remote Access (ARA), Serial Line Internet Protocol (SLIP), PAP, CHAP and Telnet authentication messages by default. The protocol is also extensible, so vendors can add extra functionality – such as support for Kerberos authentication messages.

Finally, TACACS+ offers multiprotocol support. Apart from TCP/IP, it supports ARA, NetBIOS Frame Protocol Control, Novell Asynchronous Services Interface and X.25 Packet Assembler/Disassembler (PAD) connections.

802.1x: is based on Extensible Authentication Protocol (EAP). 802.1x is an extensible authentication protocol designed to let user control which devices to have an access to a network. It enables to prevent unauthorized workstations from connecting. It also enables to prevent users or attackers from attaching hubs and wires or wireless routes on the network which might be used to extend the network or create unsecured access points.

802.1x adds strong authentication services to wired and wireless networks. It works in conjunction with a dedicated authentication server such as RADIUS or TACACS+ server. In wireless networks 802.1x provide strong authentication even when using WEP encryption.

According to 802.1x protocol, devices have one of three roles:

  • Supplicant: refers to the end user’s PC or a network device.

  • Authenticator: refers to a switch between the supplicant and the remainder of the network.

  • Authentication server: refers to the RADIUS or TACACS+ authentication server that grants or denies access to the network.

When a supplicant attempts to connect to a network, it sends an authorization request that is passed from the authenticator to the server. The authentication server exchanges messages with the supplicant to establish an authenticated session. If an access is granted, the server notifies the authenticator, which then allows network traffic to and from the supplicant.

If a supplicant attempts to transmit data without authenticating, the authenticator or switch blocks the traffic. Despite the 802.1x system works well in most cases, a flaw has been discovered. Once a session has been authenticated, further traffic is permitted without any checks. Hence theoretically, a hacker can access a network by hijacking an authenticated session.

The rogue user would need physical access to the network to accomplish this attack – but with a wireless network, that could means simply being close enough within the range. Adding IPSec encryption to a system prevents these physical injection attacks.

Network Policy Server (NPS): is the implementation of a RADIUS server in Windows Server 2008. NPS has replaced Internet Authentication Service (IAS) in earlier version of Windows Server. These services are generally well-regarded as capable and secure implementations of RADIUS authenticators.

NPS is integrated with Microsoft Network Access Protection System which enables to enforce health requirements on network nodes. For example the system can be specified that clients must have operating systems patched to a specific level or antivirus software that is enabled and updated with current definitions.

NPS acts as a health policy server (HPS) to evaluate the health state of clients that authenticate via the NPS server.

NPS offers several new features:

  • RADIUS shared secret-key generator: NPS can generate strong shared secret keys that contain more than 22 random alphanumeric characters. These keys can be used to configure RADIUS clients.

  • Server Manager Integration: NPS can be installed, configured and managed via the Server Manager console.

  • Configuration data that is stored in XML files: As the configuration data is stored in easily exportable XML files, they can be more easily shared between NPS servers.

  • Support for IPv6: apart from IPv4 traffic, NPS supports IPv6 traffic.

  • EAP Host support: NPS supports EAP, Microsoft’s new architecture for EAP authentication methods. This also enables NPS to be compatible with Cisco’s Lightweight EAP (LEAP) architecture. The two systems can coexist on the same network.

To configure NPS on a Windows Server 2008:

  1. Install the Network Policy and Access Services service role and the Network Policy Server and routing and Remote Access services

  2. Configure an NPS network policy

  3. Configure NPS accounting

d) Virtual Private Networks

A VPN establishes a private or secure network connection within a public network. It enables the secure transmission of data over insecure networks. For example, employees can use a VPN for secure access to corporate network resources via the Internet using a VPN. This type of VPN is known as remote-access VPN. On the other hand, a VPN to link the networks at two locations via the Internet is known as a site-to-site VPN.

VPN uses various technologies to create a secure communications channel across a public network. These technologies include:

  • Authentication: many VPNs use RADIUS, Diameter, TACACS+ or other authentication technologies to ensure that only authorized users can access a network.

  • Encryption: a VPN can encrypt an entire client packet before putting it into the data field of a public network packet. This ensures that hackers cannot decipher information in the packet.

  • Tunnelling: packets sent to and from the end user can be bundled within the packets of the public network. Application at the client’s end inserts packets into Internet packets and sends them via the Internet to the corporate VPN server. At the other end, the interior packets are removed and forwarded onto LAN. The process is reversed for data being transmitted to the client’s workstation. In effect, the private network “tunnels” through the public network.

VPN typically follows one of three security models:

  1. Authentication before connection: here, clients, network devices and servers must authenticate to the VPN system before they can complete a connection. Tunnelling is not typically used with this model which is often used to provide a subset of users with access to additional resources over an existing LAN.

  2. Trusted delivery network: is a third-party private network protected by various means. Clients and servers connect to this type of network rather than connecting to the LAN via a public network. Security mechanisms on the provider’s network assure that data can be transmitted safely, so tunnelling is not typically used.

  3. Secure VPN: enables secure connections over insecure public networks and rely on tunnelling, authentication and encryption to protect private data. Secure VPNs use various protocols for transmitting data securely. The most common protocols are as follows:

  • Peer-to-peer Tunnelling Protocol (PPTP): is developed by Microsoft. Once a link has been established, the client is added as a virtual node on the LAN and packets between the client and LAN are encrypted using Microsoft Point-to-Point Encryption (MPPE).

  • Layer 2 Forwarding (L2F): is an obsolete Cisco VPN protocol.

  • Layer 2 Tunnelling Protocol (L2TP): is a standardised tunnelling protocol defined under RFC 3931. It combines the best features of PPTP and L2F to provide tunnelling over Internet Protocol (IP), X.25, Frame Relay and Asynchronous Transfer Mode (ATM) networks. L2TP relies on IPSec for encryption and RADIUS or TACACS+ for authentication. The current version is L2TPv3.

  • IP Security (IPSec): is a standardized network protocol that encrypts data at the Network layer of OSI Reference Model. Since it operates at the IP level, IPSec can provide security for both TCP and UDP traffic. Also, applications do not need to be specially designed to work with IPSec.

  • Secure Sockets Layer/Transport Layer Security (SSL/TLS): are widely being used in web-based technologies. SSL/TLS can either encrypt the entire protocol stack or be used to provide a proxy between a client and the network.

  • OpenVPN: is an open-source VPN project that uses a variant of SSL/TLS protocol to provide transmission security. With OpenVPN, the entire protocol stack is encrypted.

  • Multi Path Virtual Private Network (MPVPN): is a proprietary and trademarked protocol developed by the Regular Systems Development Company.

There are four main differences between PPTP and L2TP in terms of:

a) Encryption: In PPTP, native PPP encryption is used to encrypt data, but negotiations are sent in plaintext. L2TP relies on IPSec or other encryption protocols.

b) Authentication: PPTP uses PPP authentication using PAP, CHAP or Microsoft-CHAP (MS-CHAP). L2TP relies on RAIDUS or TACACS+ for authentication.

c) Data protocols: PPTP uses IP only, whereas L2TP users IP, IPX, SNA and NetBEUI data protocols.

d) Ports: PPTP uses TCP port 1723, whereas L2TP uses UDP port 1701.

The IPSec protocol suite is made up of four separate protocols:

  • Authentication Header (AH), which ensures authenticity by signing packet data with MD5 or SHA-1 hashes and a shared secret key.

  • Encapsulating Security Payload (ESP), which ensures confidentiality by encrypting packets using the Data Encryption Standard (DES) or Triple-DES (3DES) cipher.

  • IP Payload Compression Protocol (IPComp), which compresses packeted data before transmission.

  • Internet Key Exchange (IKE), which negotiates the shared secret keys.

While all four IPSec protocols are typically used, systems could implement each sub-protocol independently. IPSec enables two modes of encryption –

  • Transport mode: encrypts a packet’s data but not the packet header and is used in host-to-host or peer-to-peer communications.

  • Tunnel mode: encrypts the entire packet. In this mode, source and destination addresses are hidden so that eavesdroppers cannot access information about the internal network configuration.

SSH:For better security, Secure Shell can be used. It uses public key encryption to establish an encrypted and secure connection from the user’s workstation to the remote host. By default, a server listens on TCP port 22 for SSH connections. The current protocol version SSH-2 divides functionality into three primary layers:

  1. Transport layer: as defined in RFC 4253 manages the key exchange process.

  2. User authentication layer: as defined in RFC 4252 manages client authentication using methods such as public keys, passwords, and Kerberos.

  3. Connection layer: as defined in RFC 4254 manages communication channel. Each client-server connection can support multiple channels over which distinct operations can proceed. For instance, it is possible to have multiple command-line shells and a file transfer session over a single connection using multiple channels.

To create a VPN, there are two categories of components are to be configured:

  • Remote access communication options

  • VPN hardware and software

VPN solutions are offered by many vendors. Some require dedicated access hardware, most commonly at the corporate LAN side of the connection. Many also require special software to be installed on client workstations. Microsoft’s VPN solution uses standards Windows component on the client side. Under Windows Server 2008, a Routing and Remote Access Service (RRAS) component of NPS is installed for setting up the server to which clients connect.

With RRAS, VPN clients can be enabled to connect to a network. The server running RRAS requires having two network adapters – one connected to the Internet and other connected to the LAN. For integrating RRAS with NPS, a NPS has to be configured first and generate a strong shared encryption key. The RRAS is to be configured. If these services are running on the same system, both services are to be configured at the same time. RRAS can either be used to manage authentication or be integrated with a RADIUS server, such as the one enabled by NPS.

Cisco, Juniper Networks and OpenVPN provide commercial or open-source VPN solutions. Some include only softwares whereas others require specialized hardware components.

Third-party service providers offer VPN solutions in which the business or end user creates a secure connection to the VPN provider’s systems. Clients then connect to the provider’s network via the Internet. Such solutions eliminate the need to purchase, install and maintain VPN systems. However, although communications over the provider’s network are secure, communications from clients to the provider are not secure.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.