¿Es Insurance Wi - Fi?
Is it safe Wi-Fi? But the protocol includes some design flaws that prevent the security provided is effective.
Many companies have implemented wireless networks (or are currently in the process), largely because of the reduction in the cost of wiring, the low price of devices, and ease of deployment of new networks or extending existing ones. in shared key mode, it sends a string of bytes to the device tries to connect to the wireless network, and it must respond with the same string encrypted with the key you both know, resulting in a classic pattern of "challenge - response. " If the customer fails to send the string properly encrypted, not allowed access to the network. Additionally, WEP provides a mechanism for encryption of data transmitted in the air, using an algorithm called RC4 "which can operate with keys of 40 or 128 bits. All information in transit between the access points and wireless network cards from customers, are encrypted and it is this mechanism that is trusted to provide security throughout the network. However, the protocol includes some design flaws that prevent the security provided is effective.
In particular, the so-called "key schedule" (essentially the way that the keys are chosen and are changing) and the size of the initialization vector used to encrypt each byte, together with the predictability of many of the data traffic (IP packet headers, header data transfer protocols, etc..) permit that can run attacks on the cryptographic system.
Such attacks are easily done with tools available freely on the Internet. As an example, using a tool to capture traffic, enough to get between about 5 and 10 million encrypted packets to derive the key, which in a network of medium size can be achieved in about 15 minutes (!) Of passive listening. However, it is important to note that this is not a specific weakness of the algorithm "RC4" but the way in which it is used (incorrectly) in the WEP protocol. 
The other option available-key-static devices causes considerable administrative effort, which requires more time for proper implementation. Also, if a team has incorporated the key is stolen or stolen, the password can be easily retrieved from the configuration, jeopardizing the entire network from the time of the robbery until the change of total static keys and this just happen when the device is declared as stolen.
These security issues prompted the companies to implement incorrect policies, due to ignorance of existing weaknesses in the beginning and the lack of simple solutions after they were detected. But, beyond the security flaws of wireless networks, which can compromise the data in transit, there are different denial of service attacks. Some examples are listed below:
Interference of the bands used for data transmission (other technologies such as Bluetooth use the same frequency range). Depletion
bands due to connection requests that are not finished.
usual attacks on physical networks as "spoofing" MAC or IP address.
Knowing the risks, a network administrator may decide that this solution, however interesting it may seem, should not be implemented without proper controls or until they develop an acceptable safety standard. However, another possible problem that can happen is that someone from installing a wireless access point somewhere on the physical network. These access points are generally configured to not require any kind of authentication. This facilitates the user's internal use, but also allows any person outside the company, access to our network, for example, a laptop parked front of the building or in a nearby office.
Also, most wireless cards allow you to create a network between them without having an access point in the network (in the "ad-hoc"). If these machines are also connected to the physical network of the company, again establishing a point of access to equipment and possibly the network, an attacker need not be physically on the premises. Another variation of this attack, the attacker is to install an access point near the office, making clients authenticate against the access point can handle the packets coming to this access point. Importantly, that this situation is difficult to detect because they should be periodically reviews all physical and logical network (usually with the same tools used by the attacker) to identify and remove these access points.
All this leads logically to think that corporate environments, this technology is not adequate, and that are required extensions to existing standards that can be used in environments where information security is a factor determinant.
One approach is the use of IPSec tunnels, which is an open standard IP network encryption using DES, 3DES or AES. This requires installing a client on each PC you want to connect to the network to the tunnels for, and filtering all types of wireless communication is not authenticated by access lists, allowing only connections to the provider of tunnels, and teams that provide IP addresses (DHCP). Another solution is provided by the extension of the standard 802.11x, using EAP (Extensible Autentication Protocol) which adds to the 802.11 standard, centralized authentication and dynamic key exchange. These extensions not only add client authentication with the access point, but also the access point must authenticate within the network to work. This prevents the installation of access points and all the associated problems that previously indicated. The keys are created and changed dynamically, so it never airs the necessary amount of packages with the same encryption key to the performance-oriented tools of attacks, can detect this key, or alternatively, when the get , it will no longer be in use.
To alleviate the problems of WEP were also introduced two (2) changes, one is to start encrypting communications using AES and stop using RC4. Also implemented a method of integrity check packet contents, known as TKIP (Temporal Key Integrity Protocol) for use with RC4.
These extensions require more initial investment, as well as network cards and access points require a server for IPSec tunnel termination (for the first option) or a Radius server (for 802.11X extensions) for authentication, creation and transmission of keys generated dynamically as well as the need for the network switches capable of handling 802.11X extensions. Detailing
security scheme 802.1x (port based), we can say it was designed to provide security for authentication, access control and key management, facilitating scaling WLANs because it provides a centralized authentication of users and stations. Among its main features are:
Authentication is done to the environment.
Autentication is based on Extensible Protocol (EAP). Allows
transport such as WEP and WPA keys.
In conclusion, it may indicate some important considerations for any organization that has (or is planning to install) wireless networks:
WEP protocol included in the 802.11 (particularly in their modes 64 and 128 bits) is unsafe and should not be used on networks that contain sensitive information or where the authentication of the origin of messages is critical.
mode ad-hoc "operation has a number of significant security weaknesses - if it is used, the network where it is applied properly should be segmented from the rest of the organization's network.
programs should be added to internal control and audit, periodic enforcement tools, in order to identify points of local network access based on wireless technology.
safe alternatives exist the use of wireless technology, but represent a major investment. As in any development or extension technology, the cost - benefit should be analyzed before implementation.
Espiñeira, Sheldon & Associates, member firm of PricewaterhouseCoopers
Pablo Ramírez Torrejón
Related Sites:
- Science and Technology
- Science News
Related Videos:
THAT FOLLOW n I present a collection of videos related and not so related to this article.
Title: Life Insurance
Why a family requires a life insurance policy, rather than a washing machine.
Title: Safe sex wisin y yandel
0 comments:
Post a Comment