wireless security
802.16 security: getting there?
Bruce Potter

The 802.16 protocol has the potential to revolutionise the MAN market. But they haven't fixed the old security problems.

The battle over the communications technologies used for the "last mile" has been a long and strange trip. Originally the market was dominated by dial-up circuits and leased lines (T1/E1). As technology advanced, DSL and cable service have become common and relatively cheap. However, infrastructure providers have had a difficult time meeting consumer demand. Over the last several years, wireless Internet service providers (WISPs) have popped up to provide high-speed access to homes and communities throughout the world via radio transmission.

Until recently, there was no standards-based, affordable wireless solution for WISPs. As part of the WiFi Alliance, many used the 802.11 protocol to deliver last-mile bandwidth. 802.11, a local area network (LAN) protocol, is not designed to support a Metropolitan Area Network (MAN) architecture. But despite interference, bandwidth contention and security issues, WISPs chose WiFi because it exists and is inexpensive.

The Institute of Electrical and Electronics Engineers (IEEE), a standard-setting body for computer networking, created the 802.16 suite of protocols to fill the need for high-speed data communications in a MAN. 802.16 was designed for use in a carrier/provider environment where subscribers access the providers' core service via radio. Unlike 802.11, 802.16 is not limited to just one set of unlicensed frequencies. Carriers who own their own frequencies can run 802.16 and provide wireless communications with much less interference. They can also transmit at much higher power levels, allowing communication at greater distance.
Round the bend

802.16a was approved by IEEE in January 2003. 802.16a provides fixed point-to-multipoint broadband access in frequencies under 11GHz. Due to its specialized modulation, 802.16a can achieve non-line-of-sight transmissions, something 802.11 cannot. Further, 802.16a can transmit up to 75Mb/s. This allows many customers to access the network at multi-megabit speeds simultaneously. Vendors are shipping 802.16a products and WISPs are rapidly adopting the technology.
Security mechanisms

802.16 clearly fills a gap in last-mile service. It may not have the viral adoption rate of WiFi, but it will likely be the protocol of choice for MAN deployments for the next decade. Being a more recent design, the 802.16 security model was built to allow for distributed authentication and manageable encryption. This is in contrast to the monolithic key management model used in the original 802.11 specification.

802.16 uses X.509 certificates for authentication of devices on the network. Every subscriber device has its own certificate that uniquely identifies it to the infrastructure. This allows providers to control which devices are authorized to use their networks. Unfortunately, because 802.16 does not provide certificates for use by infrastructure devices, it eliminates the possibility of mutual authentication. This means that while the infrastructure can authenticate a subscriber device, the subscriber device has no way to authenticate the infrastructure. This leads to potential spoofing or replay attacks against the subscriber device. We therefore still face a problem very similar to the one caused by the original authentication mechanism used by 802.11.

For link encryption, 802.16 uses DES encryption in an attempt to prevent disclosure of transmitted data. The manner in which encryption is performed is modeled after the method used in Data Over Cable Service Interface Specifications (DOCSIS). DOCSIS is a common protocol used in cable-based networks. By using DOCSIS, the designers of 802.16 hoped to help vendors build equipment with a known algorithm. Unfortunately, DES is a relatively weak algorithm by today's standards. Cheap hardware will break a standard 56-bit DES key in a matter of days. Further, the way 802.16 uses DES is not as secure as it should be. The initialization vector used by 802.16 is predictable; this further weakens the confidentiality of the data. Weak initialization vectors were also a problem with the early versions of 802.11.

The new 802.16e draft standard tries to address some of these concerns. Rather than DES, 802.16e uses AES as its core encryption algorithm. This is a much stronger algorithm if used correctly. Further, 802.16e provides for use of the Extensible Authentication Protocol (EAP) for authenticating devices on the network. EAP allows nearly any imaginable authentication mechanism to be used, including those that support mutual authentication. EAP is a core part of the new 802.11i security standard as well.
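The one-way trust relationship described above can be modelled in a few lines. The following is an added illustration, not code from the column or from any 802.16 implementation: HMAC tags over per-device secrets stand in for X.509 certificate signatures so that it runs on the Python standard library alone, and the `Subscriber`, `BaseStation`, `associate` names and the nonce exchange are assumptions made for the example. A subscriber constructed with no infrastructure trust anchor (the original 802.16 model) proceeds with a rogue base station just as readily as with the carrier's own, whereas one that also verifies the infrastructure (the property mutual EAP methods add) refuses it.

```python
import hashlib
import hmac
import os


def tag(secret, data):
    # Keyed hash standing in for a certificate-backed signature (assumption).
    return hmac.new(secret, data, hashlib.sha256).digest()


class Subscriber:
    def __init__(self, device_id, secret, infra_trust=None):
        self.device_id = device_id
        self.secret = secret
        # infra_trust is what the subscriber holds to verify the infrastructure.
        # None models the original 802.16 design: only subscriber devices carry
        # a credential, so the subscriber has no trust anchor for the base station.
        self.infra_trust = infra_trust

    def answer(self, nonce):
        """Prove identity to a base station that challenged us with `nonce`."""
        return self.device_id, tag(self.secret, b"subscriber|" + nonce)

    def check_infrastructure(self, nonce, infra_tag):
        if self.infra_trust is None:
            return True  # nothing to verify against: any base station is accepted
        expected = tag(self.infra_trust, b"infrastructure|" + nonce)
        return hmac.compare_digest(expected, infra_tag)


class BaseStation:
    def __init__(self, registry, infra_secret):
        # registry: device_id -> subscriber secret, provisioned by the carrier.
        # infra_secret: the carrier's own credential; None for a rogue station.
        self.registry = registry
        self.infra_secret = infra_secret

    def check_subscriber(self, nonce, device_id, sub_tag):
        secret = self.registry.get(device_id)
        if secret is None:
            return False
        return hmac.compare_digest(tag(secret, b"subscriber|" + nonce), sub_tag)

    def answer(self, nonce):
        if self.infra_secret is None:
            return os.urandom(32)  # a rogue station can only produce garbage
        return tag(self.infra_secret, b"infrastructure|" + nonce)


def associate(sub, bs):
    """One association attempt; report which side accepted the other."""
    bs_nonce = os.urandom(16)
    device_id, sub_tag = sub.answer(bs_nonce)
    bs_accepts = bs.check_subscriber(bs_nonce, device_id, sub_tag)

    sub_nonce = os.urandom(16)
    sub_accepts = sub.check_infrastructure(sub_nonce, bs.answer(sub_nonce))
    return {"bs_accepts_subscriber": bs_accepts, "subscriber_accepts_bs": sub_accepts}


def demo():
    ss_secret = os.urandom(32)       # constructed per-device credential
    carrier_secret = os.urandom(32)  # constructed carrier credential
    legit = BaseStation({b"ss-0001": ss_secret}, carrier_secret)
    rogue = BaseStation({}, None)    # no carrier credential, no subscriber registry

    one_way = Subscriber(b"ss-0001", ss_secret)                            # original 802.16
    mutual = Subscriber(b"ss-0001", ss_secret, infra_trust=carrier_secret)  # mutual authentication
    return {
        "one_way_vs_legit": associate(one_way, legit),
        "one_way_vs_rogue": associate(one_way, rogue),
        "mutual_vs_legit": associate(mutual, legit),
        "mutual_vs_rogue": associate(mutual, rogue),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(scenario, result)
```

The scenario to watch is `one_way_vs_rogue`: the base station side cannot validate the device, yet the subscriber still reports that it accepts the infrastructure, which is exactly the spoofing exposure the column describes. Giving the subscriber a trust anchor is the only change between the two subscriber objects.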
Quality of service

802.16 has robust quality of service features to support the provider/subscriber model. The idea is to allow providers to supply fixed bandwidth "circuits" to a customer and to ensure that the proper amount of bandwidth is always available. For example, a customer may have a fixed 1Mb/s connection. The QoS capability in 802.16 guarantees the customer will have 1Mb/s regardless of how much data other customers are using. 802.16 also supports a dynamic model where a customer can transmit bursts of data at a higher bandwidth, depending on how much bandwidth is available.

The 802.16 QoS mechanism is based on the DOCSIS QoS mechanism. Again, the protocol's designers were attempting to ease the creation and management of infrastructure. QoS parameters can be controlled from either the subscriber side or the provider side. However, the provider has the ability to disable or ignore the subscribers' requests for changes to QoS.
Faster supply

The protocol overcomes the problems of pushing 802.11 into a metropolitan architecture. It provides the core services expected by a carrier when building a data network. 802.16 may also cut the time to supply high-speed data circuits from weeks (in the case of land lines) to hours. But the current security mechanisms are far from perfect. Even though an 802.16 network does not resemble an 802.11 network, the security failings of the two are very similar. Much as 802.11i set a higher bar for WLAN security, the draft 802.16e standard will address the failings of the original 802.16 specification. Even so, the utility of the protocol will likely overcome present concerns about the security failings and lead to wide adoption over the next few years.
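The confidentiality failing mentioned under "Security mechanisms", a predictable initialization vector used with a CBC-mode block cipher, is easy to see concretely. The block below is an added example and not code from the column or from any 802.16 product: a four-round Feistel network built on SHA-256 stands in for DES (same 64-bit block, not the DES algorithm), and the frame headers and the `cbc_encrypt`, `cbc_decrypt`, `first_blocks_collide` names are constructed for the illustration. With the same predictable IV on every frame, two frames that share a header produce an identical first ciphertext block, so a passive observer learns that the frames begin the same way without knowing the key; with a fresh random IV per frame, the equality disappears.

```python
import hashlib
import os

BLOCK = 8  # 64-bit blocks, the same block size as DES


def _f(key, half, rnd):
    # Round function: keyed hash truncated to one half-block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key, block):
    # Four-round Feistel network: a toy stand-in for DES, not DES itself.
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, right, rnd))
    return right + left  # final swap so decryption can reuse the schedule


def block_decrypt(key, block):
    right, left = block[:4], block[4:]
    for rnd in reversed(range(4)):
        right, left = left, _xor(right, _f(key, left, rnd))
    return left + right


def cbc_encrypt(key, iv, plaintext):
    """CBC mode: each plaintext block is XORed with the previous ciphertext block (or the IV)."""
    assert len(plaintext) % BLOCK == 0, "caller pads to the block size"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def first_blocks_collide(key, frame_a, iv_a, frame_b, iv_b):
    """Would a passive observer see identical first ciphertext blocks for the two frames?"""
    return cbc_encrypt(key, iv_a, frame_a)[:BLOCK] == cbc_encrypt(key, iv_b, frame_b)[:BLOCK]


def demo():
    key = os.urandom(16)
    # Constructed frames: the same 8-byte header, different payloads.
    frame_a = b"HDR:0001" + b"payloadA"
    frame_b = b"HDR:0001" + b"payloadB"
    fixed_iv = bytes(BLOCK)  # predictable: every frame uses the same IV
    return {
        "predictable_iv_leaks_equal_header": first_blocks_collide(
            key, frame_a, fixed_iv, frame_b, fixed_iv),
        "random_iv_leaks_equal_header": first_blocks_collide(
            key, frame_a, os.urandom(BLOCK), frame_b, os.urandom(BLOCK)),
    }


if __name__ == "__main__":
    print(demo())
```

The leak is a property of CBC with a reusable IV, not of the toy cipher: any block cipher, DES included, is a fixed permutation under a fixed key, so equal inputs to the first block give equal outputs. A real implementation should also derive its IV unpredictably per frame rather than from fields an observer can anticipate.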
About the author

Bruce Potter is currently a senior security consultant at Booz Allen Hamilton.
Automatic update risks: can patching let a hacker in?
Kevin Dunn, senior security consultant, NGSSoftware

System administrators and programmers are finally hearing the message IT security professionals have been sending for years—automatic software updates can introduce nasty code that cripples your environment.

This article aims to highlight the threats posed by the automatic update process when security vulnerabilities are introduced into this model, and the possibility of circumventing network protection to launch attacks against the corporate network.

In recent years the acceptance of activities like vulnerability assessment and penetration testing within the corporate enterprise has risen significantly. The media has helped this growth by publicising the dangers presented to networks by intelligent and aggressive worms that roam the public domain.

Better configuration of historically weak network services and widespread adoption of good security policy has helped to secure environments and protect from malicious threats. Even so, in addition to badly configured network hosts, risk from vulnerabilities discovered within network services themselves has proven extremely serious.

Programmatic shortcomings within common network services have led to conditions such as stack or heap overflows. These facilitate the execution of arbitrary code in the vulnerable process. Security compromises caused by these bugs let attackers gain interactive shell access to a host, escalate user privileges to administrator/root levels or cause effective denial of service to legitimate users, among other irritations.

Patching or updating operating systems and services to maintain a secure network environment has become daily routine for system administrators. In large networks the number of hosts that require accurate and timely fixes can make the task very difficult to manage. To make it easier, more and more software developers include the capability for end-users to update their applications automatically by downloading and installing fixes from manufacturer archives. This technology has become a widely accepted method to acquire patches and close newly discovered holes quickly. But do we put enough thought into where the patch comes from? The whole automatic update process relies on users and administrators trusting the vendor to provide the solutions needed, and accepting that the patch has indeed come from the right source. Combine these trust concerns with the use of "blind updating", i.e. downloading and updating products without any interaction with the administrator or user, and the potential for misuse becomes even more plausible.

What is automatic update?

Updating software is the process of providing product enhancements, functional currency or post-release supplements to computer software. With regard to security issues, the vendor or developer releases patches to fix discovered vulnerabilities that affect the integrity or functions of a product.
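The trust question raised above, whether the patch really came from the vendor and arrived unmodified, is what an update client has to answer before it installs anything, and "blind updating" is what happens when it does not. The following is an added example and not code from the article or from any vendor's update mechanism: it assumes the vendor publishes a signed manifest listing each patch file with its SHA-256 digest and a version number, and uses an HMAC under a pre-provisioned vendor key as a stand-in for the vendor's public-key signature so that it runs on the Python standard library alone. The manifest layout, the `VENDOR_KEY` value, the file names and the `apply_update` status strings are all constructed for the illustration.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the vendor credential a real client would hold as a
# pinned public key or certificate; NOT a real key.
VENDOR_KEY = b"example-vendor-key-not-real"


def sign_manifest(manifest, vendor_key):
    """Vendor side: canonical JSON plus a tag over it (HMAC stands in for a signature)."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return body, hmac.new(vendor_key, body, hashlib.sha256).digest()


def verify_manifest(body, tag, vendor_key):
    """Return the parsed manifest only if the tag verifies under the pinned vendor key."""
    expected = hmac.new(vendor_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def verify_patch(blob, expected_hex):
    """Integrity check: the downloaded bytes must hash to the digest the manifest names."""
    return hmac.compare_digest(hashlib.sha256(blob).hexdigest(), expected_hex)


def parse_version(v):
    # "1.0.10" must sort after "1.0.2", so compare numerically, not as strings.
    return tuple(int(part) for part in v.split("."))


def apply_update(body, tag, downloaded, vendor_key, installed_version):
    """Client side. Returns (status, file names); installs nothing unless every check passes."""
    manifest = verify_manifest(body, tag, vendor_key)
    if manifest is None:
        return "reject:manifest-unauthenticated", []
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        return "reject:not-newer", []  # replay of an old manifest or a downgrade
    expected = manifest["files"]
    if set(downloaded) != set(expected):
        return "reject:file-set-mismatch", []
    bad = sorted(name for name, blob in downloaded.items()
                 if not verify_patch(blob, expected[name]))
    if bad:
        return "reject:digest-mismatch", bad
    return "install", sorted(expected)


def demo():
    patch = b"constructed patch bytes for the example"
    manifest = {"version": "1.0.2",
                "files": {"patch.bin": hashlib.sha256(patch).hexdigest()}}
    body, tag = sign_manifest(manifest, VENDOR_KEY)

    genuine = apply_update(body, tag, {"patch.bin": patch}, VENDOR_KEY, "1.0.1")
    # Patch modified in transit: manifest is fine, digest is not.
    tampered = apply_update(body, tag, {"patch.bin": patch + b"x"}, VENDOR_KEY, "1.0.1")
    # Manifest produced by someone who is not the vendor.
    forged_body, forged_tag = sign_manifest(manifest, b"not-the-vendor-key")
    forged = apply_update(forged_body, forged_tag, {"patch.bin": patch}, VENDOR_KEY, "1.0.1")
    # Genuine but stale manifest served again to push the client back to 1.0.2.
    replayed = apply_update(body, tag, {"patch.bin": patch}, VENDOR_KEY, "1.0.2")
    return {"genuine": genuine, "tampered": tampered, "forged": forged, "replayed": replayed}


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

Each rejection branch closes one of the trust gaps the article raises: an unauthenticated manifest means the source is unknown, a digest mismatch means the file is not what the vendor described, and the version check keeps a genuine but old manifest from being replayed. An administrator-facing client would log the status string rather than silently retry.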