If an intruder is trying to gain unauthorized access via the Internet, he must do some information-gathering work to first figure out which networks or resources are susceptible to vulnerabilities. Some common methods used to identify potential targets follow.

Port Scanning

When live systems are discovered, an attacker will usually attempt to discover which services are available for exploitation. This is accomplished by a technique commonly known as port scanning. The sections in this chapter titled “The TCP/IP Protocol” and “The UDP Protocol” respectively detail both the TCP and UDP protocol and clarify how ports are used; suffice to say, however, that every application has a specific port number associated with it that identifies that application. Through the use of port scanners, intruders can gain access to information on which applications and network services are available to be exploited.

Figure 5-1 shows an example of a reconnaissance attempt.

Figure 5-1. Example Reconnaissance Attempt

The intruder may follow these steps to gain unauthorized access to a web server:

1. DNS query to figure out which web servers are available.

2. Ping sweep to see which servers are alive and accessible.

3. Port scan to see which services are available for exploitation.

NOTE

Network reconnaissance cannot be prevented entirely. If Internet Control Message Protocol (ICMP) echo and echo-reply is turned off on edge routers, ping sweeps can be stopped, but at the expense of network diagnostic data. However, port scans can easily be run without full ping sweeps; they just take longer because they need to scan IP addresses that might not be live. Intrusion detection systems (IDSs) at the network and host levels can usually notify an administrator when a reconnaissance attack is underway. This enables the administrator to better prepare for the coming attack or to notify the Internet service provider (ISP) that is hosting the system that is launching the reconnaissance probe.

The ease or difficulty of packet snooping (also known as eavesdropping) on networks depends largely on the technology implemented. Shared media networks are particularly susceptible to eavesdropping because this type of network transmits packets everywhere along the network as they travel from the origin to the final destination. When concentrators or hubs are used in a shared media environment (such as FDDI, 10BASE-T, or 100-Mbps Ethernet), it can be fairly easy to insert a new node with packet-capturing capability and then snoop the traffic on the network. As shown in Figure 5-2, an intruder can tap into an Ethernet switch and, using a packet-decoding program, such as EtherPeek or TCPDump, read the data crossing the Ethernet.

Figure 5-2. Unauthorized Access Using an Ethernet Packet Decoder

In this example, the intruder gains access to username/password information and sensitive routing protocol data using an Ethernet packet decoder such as EtherPeek. The data packets being sent are captured by the laptop running EtherPeek; the program decodes the hex data into human-readable form. After obtaining access to information, the intruder can use this information to gain access to a machine and then possibly copy-restricted, private information and programs. The intruder may also subsequently have the capability to tamper with an asset; that is, the intruder may modify records on a server or change the content of the routing information.

In recent years, it has been getting much easier for anyone with a portable laptop to acquire software that can capture data crossing data networks. Many vendors have created user-friendly (read easy-to-use) packet decoders that can be installed with minimal cost. These decoders were intended for troubleshooting purposes but can easily become tools for malicious intent.

Packet snooping by using these decoding programs has another effect: The technique can be used in impersonation attacks, which are discussed in the next section.

Packet snooping can be detected in certain instances, but it usually occurs without anyone knowing. For packet snooping to occur, a device must be inserted between the sending and receiving machines. This task is more difficult with point-to-point technologies such as serial line connections, but it can be fairly easy with shared media environments. If hubs or concentrators are used, it can be relatively easy to insert a new node. However, some devices are coming out with features that remember MAC addresses and can detect whether a new node is on the network. This feature can aid the network manager in noticing whether any suspicious devices have been added to the internal network. In addition, using 802.1x, which is discussed in Chapter 2, “Security Technologies,” can provide an effective security measure against MAC address spoofing.

Figure 5-3 shows an example of a switch that has the capability to learn MAC addresses and provide some measure of port security. The 10BASE-T Ethernet switch provides connectivity to several hosts. The switch learns the source MAC addresses of the connecting hosts and keeps an internal table representing the MAC address and associated ports. When a port receives a packet, the switch compares the source address of that packet to the source address learned by the port. When a source address change occurs, a notification is sent to a management station, and the port may be automatically disabled until the conflict is resolved.

Figure 5-3. Port Security on Ethernet Switches

As surprising as it sounds, there are still people out there who use well-known exploits, such as war dialing, to gain unauthorized access. This term became popular with the film War Games and refers to a technique that involves the exploitation of an organization's telephone, dial, and private branch exchange (PBX) systems to penetrate internal network and computing resources. All the attacker has to do is find a user within the organization with an open connection through a modem unknown to the IT staff or a modem that has minimal or, at worst, no security services enabled. It is important to note that all unknown modems bypass any IT security measures—firewalls, virus checkers, authentication servers, and so on—and the use of unauthorized modems should be considered a severe security breach.

Many corporations still set up modems to auto-answer and will allow unauthenticated access from the Public Switched Telephone Network (PSTN) directly into your protected infrastructure. Many war-dialer programs are freely available on the Internet (for example, Modemscan, PhoneTag, ToneLoc, and so on), which greatly simplify the attack methodology and decrease the time required for the discovery of a vulnerability. Most programs automatically dial a defined range of phone numbers and log and enter into a database those numbers that successfully connect to the modem. Some programs can also identify the particular modem manufacturer and, if the modem is attached to a computer, can identify the operating system and may also conduct automated penetration testing. In such cases, the war dialer runs through a predetermined list of common usernames and passwords in an attempt to gain access to the system. If the program does not provide automated penetration testing, the intruder may attempt to break into a modem with unprotected logins or easily cracked passwords. Figure 5-4 illustrates a typical war-dialing scenario.

Figure 5-4. War Dialing

The steps to gain unauthorized access in a war-dialing scenario are as follows:

An interesting paper was presented in spring 2001 by Peter Shipley and Simson Garfinkel. Refer to http://www.dis.org/filez/WardialShipleyGarfinkel.pdf. This paper formally presents the results of the first large-scale survey of dialup modems. The survey dialed approximately 5.7 million telephone numbers in the 510, 415, 408, 650, and parts of the 707 area codes, and the subsequent analysis of the 46,192 responding modems that were detected.

Wireless networks are especially susceptible to unauthorized access. Wireless access points are being widely deployed in corporate LANs because they easily extend connectivity to corporate users without the time and expense of installing wiring. These wireless access points (APs) act as bridges and extend the network up to 300 yards. Many airports, hotels, and even coffee shops make wireless access available for free, and therefore most anyone with a wirelss card on his mobile device is an authorized user. However, many wireless networks only want to allow restricted access and may not be aware of how easily someone can gain access to these networks. (I know of quite a few instances where people have made it a sport to drive around their neighborhoods to see how many networks they can access.) The number of wireless networks that have zero security measures enabled is astounding. A majority of people run their APs in effectively open mode, which means they are basically wide open and have no encryption enabled. A majority also run in default Service Set Identifier (SSID) and IP ranges, which strongly implies that they've used little or no configuration when they set up their wireless LAN.

Chapter 3, “Applying Security Technologies to Real Networks,” extensively discusses wireless networks and how security technologies apply. Remember from that discussion that the 802.11 cards and access points on the market implement a wireless encryption standard, called the Wired Equivalent Protocol (WEP), which in theory makes it difficult to access someone's wireless network without authorization, or to passively eavesdrop on communications. However, WEP has many inherent weaknesses that enable intruders to crack the crypto with sophisticated software, and ordinary off-the-shelf equipment. Later in this chapter, vulnerabilities in wireless networks are discussed in more detail. Follow the developments in this area carefully so that as better security functionality becomes available—such as implementations for Temporal Key Integrity Protocol (TKIP), Light Extensible Authentication Protocol (LEAP), Protected Extensible Authentication Protocol (PEAP), and so on—you can deploy it. For now, it still makes sense to enable WEP and to ensure that all defaults have been changed so that some reasonable authentication and confidentiality services are being used. This will go a long way in reducing unauthorized access from just the random drive-by intruder.

Figure 5-5 shows an example of an intruder gaining access to a wireless network.

Figure 5-5. Gaining Unauthorized Access to a Wireless Network

No matter which method is used for initial unauthorized access—reconnaisance work, access through the Internet, tapping into the physical wire, remote modem dial-in access, or wireless network access—the best way to deter unauthorized access is by using confidentiality and integrity security services to ensure that traffic crossing the insecure channel is scrambled and that it cannot be modified during transit.

Table 5-1 lists some of the more common access breaches and how they are a threat to corporate networks.

To establish a TCP/IP connection, a three-way handshake must occur between the two communicating machines. Each packet of the three-way handshake contains a sequence number; sequence numbers are unique to the connection between the two communicating machines. Figure 5-12 shows a sample three-way handshake scenario.

Figure 5-12. Establishing a TCP/IP Connection

The steps for establishing the initial TCP connection are as follows:

TCP uses a sequence number for every byte transferred and requires an acknowledgment of the bytes received from the other end upon receipt. The request for acknowledgment enables TCP to guarantee reliable delivery. The receiving end uses the sequence numbers to ensure that the data is in proper order and to eliminate duplicate data bytes.

You can think of TCP sequence numbers as 32-bit counters. These counters range from 0 to 4,294,967,295. Every byte of data exchanged across a TCP connection (as well as certain flags) is sequenced. The Sequence Number field in the TCP header contains the sequence number of the first byte of data in the TCP segment. The Acknowledgment (ACK) field in the TCP header holds the value of next expected sequence number, and also acknowledges all data up through this ACK number minus 1.

TCP uses the concept of window advertisement for flow control. That is, TCP uses a sliding window to tell the other end how much data it can buffer. Because the window size is 16 bits, a receiving TCP can advertise up to a maximum of 65,535 bytes. Window advertisement can be thought of as an advertisement from one TCP implementation to the other of how high acceptable sequence numbers can be.

Many TCP/IP implementations follow a predictable pattern for picking sequence numbers. When a host is bootstrapped, the initial sequence number is 1. The initial sequence number is incremented by 128,000 every second, which causes the 32-bit initial sequence number counter to wrap every 9.32 hours if no connections occur. Each time a connection is initiated, however, the counter is incremented by 64,000.

If sequence numbers were chosen at random when a connection arrived, no guarantees could be made that the sequence numbers would be different from a previous incarnation.

If an attacker wants to determine the sequencing pattern, all she has to do is establish a number of legitimate connections to a machine and track the sequence numbers used.

When an attacker knows the pattern for a sequence number, it is fairly easy to impersonate another host. Figure 5-13 shows such a scenario.

Figure 5-13. TCP/IP Sequence Number Spoofing

The steps for impersonating a host are as follows:

Because the sequence numbers are not chosen randomly (or incremented randomly), this attack works—although it does take some skill to carry out. Steven M. Bellovin, coauthor of Firewalls and Internet Security, describes a fix for TCP in RFC 1948 that involves partitioning the sequence number space. Each connection has its own separate sequence number space. The sequence numbers are still incremented as before; however, there is no obvious or implied relationship between the numbering in these spaces.

The best defense against spoofing is to enable packet filters at the entry and exit points of your networks. The external entry point filters should explicitly deny any inbound packets (packets coming in from the external Internet) that claim to originate from a host within the internal network. The internal exit point filters should permit only outbound packets (packets destined from the internal network to the Internet) that originate from a host within the internal network.

Session hijacking is a special case of TCP/IP spoofing, and the hijacking is much easier than sequence number spoofing. An intruder monitors a session between two communicating hosts and injects traffic that appears to come from one of those hosts, effectively stealing the session from one of the hosts. The legitimate host is dropped from the connection, and the intruder continues the session with the same access privileges as the legitimate host.

Session hijacking is very difficult to detect. The best defense is to use confidentiality security services and encrypt the data for securing sessions.

When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN/ACK (synchronize acknowledge) packet. The destination host must then hear an ACK (acknowledge) of the SYN/ACK before the connection is established. This exchange is the TCP three-way handshake, described earlier in this chapter.

While waiting for the ACK to the SYN/ACK, a connection queue of finite size on the destination host keeps track of connections waiting to be completed. This queue typically empties quickly because the ACK is expected to arrive a few milliseconds after the SYN/ACK is sent.

The TCP SYN attack exploits this design by having an attacking source host generate TCP SYN packets with random source addresses toward a victim host. The victim destination host sends a SYN/ACK back to the random source address and adds an entry to the connection queue. Because the SYN/ACK is destined for an incorrect or nonexistent host, the last part of the three-way handshake is never completed, and the entry remains in the connection queue until a timer expires—typically in about 1 minute. By generating phony TCP SYN packets from random IP addresses at a rapid rate, an intruder can fill up the connection queue and deny TCP services (such as e-mail, file transfer, or WWW service) to legitimate users.

There is no easy way to trace the originator of the attack because the IP address of the source is forged. In the network infrastructure, the attack can be constrained to a limited area if a router or firewall intercepts the TCP connection and proxies on behalf of the connection-initiating host to make sure that the connection is valid.

The land.c attack is used to launch DoS attacks against various TCP implementations. The land.c program sends a TCP SYN packet (a connection initiation), giving the target host's address as both the source and destination and using the same port on the target host as both the source and destination. This can cause many operating systems to hang in some way.

In all cases, the TCP ports reached by the attack must be ports on which services are actually being provided (such as the Telnet port on most systems). Because the attack requires spoofing the target's own address, systems behind effective antispoofing firewalls are safe.

The Ping of Death is an attack that exploits the fragmentation vulnerability of large ICMP echo request (that is, “ping”) packets. Figure 5-16 shows a sample ICMP echo request packet.

Figure 5-16. An ICMP Echo Request Packet

The ICMP echo request packet consists of eight octets of ICMP header information followed by the number of data octets in the ping request. The maximum allowable size of the data area is therefore calculated this way:

The problem is that it is possible to send an illegal ICMP echo packet with more than 65,507 octets of data because of the way the fragmentation is performed. The fragmentation relies on an offset value in each fragment to determine where the individual fragment goes when it is reassembled. Therefore, on the last fragment, it is possible to combine a valid offset with a suitable fragment size so that the following is true:

Because typical machines don't process the packet until they have all the fragments and have tried to reassemble them, there is the possibility of the overflow of 16-bit internal variables, which can lead to system crashes, reboots, kernel dumps, and other unwarranted behavior.

A temporary fix to prevent the Ping of Death is to block ping packets at the ingress points to the corporate network. The ideal solution is to secure the TCP/IP implementation against overflow when reconstructing IP fragments.

The Smurf attack starts with a perpetrator sending a large number of spoofed ICMP echo requests to broadcast addresses, hoping that these packets will be magnified and sent to the spoofed addresses. If the routing device delivering traffic to those broadcast addresses performs the Layer 3 broadcast to Layer 2 broadcast function, most hosts on that IP network will reply to the ICMP echo request with an ICMP echo-reply each, multiplying the traffic by the number of hosts responding. On a multiaccess broadcast network, there could potentially be hundreds of machines replying to each echo packet.

Turning off directed broadcast capability in the network infrastructure is one way to deter this kind of attack.

Teardrop.c is a program that results in another fragmentation attack. It works by exploiting a reassembly bug with overlapping fragments and causes the targeted system to crash or hang. A specific instance of a teardrop program is newtear.c, which is just a specific case in which the first fragment starts at offset 0 and the second fragment is within the TCP header.

The original teardrop.c program used fragmented ICMP packets, but people seem to have created all kinds of variants. The basic attack works for any IP protocol type because it hits the IP layer itself.

If broadcast addresses are used, turning off directed broadcast capability in the network infrastructure is one way to deter this kind of attack. However, the ideal solution is to secure the TCP/IP implementation against problems when reassembling overlapping IP fragments.

A large contingency of e-mail attacks are based on e-mail bombing or spamming. E-mail bombing is characterized by abusers repeatedly sending an identical e-mail message to a particular address. E-mail spamming is a variant of bombing; it refers to sending e-mail to hundreds or thousands of users (or to lists that expand to that many users). E-mail spamming can be made worse if recipients reply to the e-mail, causing all the original addresses to receive the reply.

When large amounts of e-mail are directed to or through a single site, the site may suffer a denial of service through loss of network connectivity, system crashes, or failure of a service because of these factors:

A recent mass-mailing, network-aware worm named W32.Sobig.F infected thousands of machines in August 2003. The worm used its own SMTP engine to propagate and sent itself to multiple addresses. The spoofed From addresses and the Send To addresses were both taken from the files found on the compromised computer.

Spamming or bombing attacks cannot be prevented, but you can minimize the number of machines available to an intruder for an SMTP-based attack. If your site uses a small number of e-mail servers, you may want to configure your ingress (entry from the Internet to the corporate network) and egress (exit from the corporate network to the Internet) points to ensure that SMTP connections from the outside can be made only to your central e-mail hubs and to none of your other systems. Additionally, you may want to configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif, and .scr files.

You can find more detailed information on SPAM attacks and deterrents at the following addresses: http://spam.abuse.net/ and http://www.cauce.org/.

Unauthorized access via VPNs would likely result from obtaining credentials, such as a username/password, for a given user or device. Typically, more robust authentication and authorization mechanisms would be used to make it harder to get access to the credentials used. Laptops being used for remote secure access can compromise a corporate VPN if they are not sufficiently protected. Often, the credentials used to authenticate the device are saved on the laptop via a VPN software package. If the laptop is stolen and the VPN software is not adequately protected on the laptop, a malicious user could easily gain access to the corporate VPN. To provide more protection, any remote user VPN scenario should obtain credentials to authenticate both a given device and individual user before allowing access to the corporate network.

Look at a situation where Layer 2 Tunneling Protocol (L2TP)/IPsec is deployed to create a secure VPN tunnel. Assume that the identity claimed in PPP is a user identity, whereas the identity claimed within Internet Key Exchange (IKE) is a device identity. Although PPP provides initial authentication, it does not provide per-packet authentication, integrity, or replay protection. For IPsec, when the identity asserted in IKE is authenticated, the resulting derived keys are used to provide per-packet authentication, integrity, and replay protection. As a result, the identity verified in the IKE conversation is subsequently verified on reception of each packet. So, in this scenario, because only the device identity is verified on a per-packet basis, there is no way to verify that only the user authenticated within PPP is using the tunnel. In fact, IPsec implementations that only support device authentication typically have no way to enforce traffic segregation. As a result, where device authentication is used, after an L2TP/IPsec tunnel is opened, any user on a multi-user machine will typically be able to send traffic down the tunnel.

If the IPsec implementation supports user authentication, this problem can be averted. When using IPsec with user authentication, the user identity asserted within IKE will be verified on a per-packet basis. To provide segregation of traffic between users when user authentication is used, the client can ensure that only traffic from that particular user is sent down the L2TP tunnel.

Impersonation could be accomplished if the actual key material gets compromised. If a company uses a group shared key for all employees, the shared key is more susceptible to getting compromised and can have a larger impact. It is best to avoid a group shared key whenever possible.

When using IPsec to deploy VPNs, it is still common to use preshared keys for authentication. Use of preshared keys in IKE phase 1 main mode increases vulnerability to man-in-the-middle attacks in remote access situations. In main mode, it is necessary for the derived encryption key to be used prior to the receipt of the identification payload. Therefore, the selection of the preshared key can only be based on information contained in the IP header. However, in remote access situations, dynamic IP address assignment is typical, so it is often not possible to identify the required preshared key based on the IP address.

When preshared keys are used in remote access scenarios, the same preshared key is shared by a group of users and is no longer able to function as an effective shared secret. In this situation, neither the client nor the server identifies itself during IKE phase 1; it is only known that both parties are members of the group with knowledge of the preshared key. This permits anyone with access to the group preshared key to act as a man in the middle.

This vulnerability does not occur in IKE phase 1 aggressive mode because the identity payload is sent earlier in the exchange, and therefore the preshared key can be selected based on the identity. When aggressive mode is used, however, the user identity is exposed and this is often considered undesirable.

As a result, where IKE phase 1 main mode is used with preshared keys, unless PPP performs mutual authentication, the server is not authenticated. This enables a rogue server in possession of the group preshared key to successfully masquerade as the L2TP network server (LNS) and mount a dictionary attack on legacy authentication methods such as Challenge Handshake Authentication Protocol (CHAP). Such an attack could potentially compromise many passwords at a time. This vulnerability is present in some existing IPsec tunnel mode implementations.

To avoid this problem, L2TP/IPsec implementations often do not use a group preshared key for Internet Key Exchange (IKE) authentication to the LNS.

DoS attacks may be directed at critical components in the VPN path, such as a VPN concentrator that could potentially terminates hundreds of VPN connections. If the VPN is created such that certain protocols that are part of the VPN (such as SSL/TLS, SSH, and IPsec) are inherently trusted and could bypass any firewall controls, a malicious user could potentially spoof these types of packets using trusted IP addresses and then use these spoofed packets to launch a DoS attack against internal corporate resources. Never assume that traffic, just by being transported as part of a VPN solution, is secure and can be trusted. How to make appropriate secure VPN design decisions is discussed in more detail in Chapter 12.

Unauthorized access to wireless LANs can be obtained in a number of ways. When strong directional antennas are used, a wireless LAN can reach well outside the buildings that it is designed for, and if WEP is not enabled it is easy to create an environment where traditional physical security controls are ineffective because the packets can be viewed by anyone within radio frequency range.

Most wireless LANs deployed by organizations operate in a mode called “infrastructure.” In this mode, all wireless clients connect through an AP for all communications. You can, however, deploy wireless LAN technology in a way that forms an independent peer-to-peer network, which is more commonly called an ad hoc wireless LAN. In an ad hoc wireless LAN, laptop or desktop computers that are equipped with compatible wireless LAN adapters and are within range of one another can share files directly, without the use of an AP. The range varies, depending on the type of wireless LAN system. Laptop and desktop computers equipped with 802.11b wireless LAN cards can create ad hoc networks if they are within at least 500 feet of one another. Many wireless cards, including some shipped as a default item by PC manufacturers, ship with ad hoc mode enabled by default. Any person who is also configured for ad hoc mode is immediately connected to PCs using these cards and could attempt to gain unauthorized access. In most environments, it would be prudent to disable ad hoc mode wireless LANs.

In the hands of a determined malicious intruder, a rogue AP can be a valuable asset in the attempted compromise of network resources. The principal threat is installing an AP into a network after gaining unauthorized access to a building. The user typically gains access to the building by following behind a user with a valid access badge or by obtaining a guest badge for some other reason. Because APs are relatively small and can be purchased at many electronics outlets worldwide, it is easy for the intruder not only to obtain the AP but also to install it discreetly. Attaching the AP to the underside of a conference-room table and plugging into the live network enables the intruder to break into a network from the relative security of his car in the parking lot. Man-in-the-middle attacks are also easy to carry out. Using a device that can masquerade as a trusted AP, an intruder can easily intercept and manipulate wireless packets.

The wireless LAN access points can identify every wireless card by its unique Media Access Control (MAC) address. Some APs have MAC address filtering capabilities that require that the cards be registered before the wireless services can be used. However, this introduces administrative nightmares because every AP needs to have this list configured. In addition, all MAC addresses are sent in the clear and there exist programs such as Network Stumbler that a malicious user can use to eavesdrop on a wireless network and to obtain valid MAC addresses. The eavesdropper could then use a wireless LAN card that can be loaded with firmware to define its MAC address. Using this spoofed MAC address, the malicious user can attempt to inject network traffic or spoof legitimate users.

It is easy to interfere with wireless communications. A simple jamming transmitter can easily cause a DoS attack and render communications impossible. For example, consistently sending access requests to an AP, whether successful or not, will eventually exhaust its available radio frequency spectrum and make it unavailable. Other wireless services in the same frequency range can also reduce the range and usable bandwidth of wireless LAN technology, as illustrated in Figure 5-20.

Figure 5-20. Wireless LAN Interference Considerations

Although by no means a malicious denial of service, those deploying wireless networks need to be aware of other obstructions that could potentially render a network unusable if they are added in an office environment. These include microwave ovens near kitchens, metal file cabinets, and possibly large industrial equipment.

The operation of WEP is described in Chapter 3. The 802.11 standards define WEP as a simple mechanism to protect the communication between wireless LAN APs and network interface cards (NICs). WEP uses the RC-4 encryption algorithm and requires that the same secret key be shared by all communicating parties. To avoid conflicting with U.S. export controls that were in effect at the time the standard was developed, 40-bit encryption keys were required by IEEE 802.11b, although many vendors now support the optional 128-bit standard. These key lengths are not very robust, and WEP can be easily cracked in both 40- and 128-bit variants by using off-the-shelf tools readily available on the Internet.

The IEEE 802.11 standard describes the use of the RC-4 algorithm and key in WEP, but does not specify specific methods for key distribution. Without an automated method for key distribution, any encryption protocol will have implementation problems due to the potential for human error in key input, escrow, and management. As discussed in Chapter 3, 802.1x is being embraced by the wireless LAN vendor community as a potential solution for this key distribution problem.

WEP's biggest problem came with the publication of weaknesses in RC-4 that were discovered by cryptanalysts Fluhrer, Mantin, and Shamir. The first weakness is in the Key Scheduling Algorithm (KSA), which derives the initial state from a variable key size. There exists a large class of keys (weak keys) in which a small part of the secret key determines a large number of bits in the KSA output. This weakness is known as the invariance weakness. The weakness can be exploited by what is termed the FMS attack (Fluhrer, Mantin, Shamir attack), which is illustrated in Figure 5-21 and is described in a paper found at http://www.cs.umd.edu/~waa/class-pubs/rc4_ksaproc.ps.

Figure 5-21. WEP Weak Key Attack

The paper discusses the theoretical derivation of a WEP key in a range of 100,000 to 1,000,000 packets encrypted using the same key. Recent practical implementations of the FMS attack have been able to derive a static WEP key by capturing about a million packets. This is demonstrated in a paper by AT&T Labs and Rice University at http://www.cs.rice.edu/~astubble/wep/wep_attack.pdf. Several independent developers then released their own implementations of the FMS attack; the most popular of these is AirSnort, which can be downloaded at http://airsnort.sourceforge.net/.

The second weakness is related to the first and occurs when part of the key presented to the KSA is exposed to the attacker. Because the initialization vector (IV) for RC-4 is transmitted as plaintext and placed in the 802.11 header, anyone eavesdropping on a wireless LAN can see it. Because the IV is 24 bits long, it provides a range of 16,777,216 possible values. A University of California at Berkeley paper found that when the same IV is used with the same key on an encrypted packet, an eavesdropper can capture the data frames and derive information about the data as well as the network. This is also known as the IV Collision attack and is illustrated in Figure 5-22.

Figure 5-22. WEP IV Collision Attack

For more information, refer to the University of California at Berkeley paper titled “Security of the WEP Algorithm” at http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html. To prevent attacks due to IV collisions, the base key should be changed before the IVs repeat, and many vendors are implementing proprietary mechanisms to address this issue until newer 802.11 standards incorporating Temporal Key Integrity Protocol (TKIP) and the Advanced Encryption Standard (AES) encryption algorithm are available.

Another concern with WEP is its vulnerability to replay attacks. This is due to the use of the cyclic redundancy check (CRC)-32 checksum function performed by standards-based WEP, as illustrated in Figure 5-23.

Figure 5-23. WEP Bit-Flipping Vulnerability

As the previously mentioned paper “Security of the WEP Algorithm” indicates, with CRC-32, it is, “possible to compute the bit difference of two CRCs based on the bit difference of the messages over which they are taken. In other words, flipping bit n in the message results in a deterministic set of bits in the CRC that must be flipped to produce a correct checksum on the modified message. Because flipping bits carries through after an RC-4 decryption, this allows the attacker to flip arbitrary bits in an encrypted message and correctly adjust the checksum so that the resulting message appears valid.”

Wireless networks are being deployed quite rapidly and although the standards work still needs to be completed to make these networks more secure, knowing which threats and vulnerabilites exist can help in deploying a reasonably secure wireless network, as discussed in Chapter 12.

Voice transport mechanisms generally don't use encryption, which makes it easy to use packet sniffers so that the voice steams can be saved and reassembled for listening. The tool “voice over misconfigured Internet telephones” (also known as vomit), takes an IP phone conversation trace captured by the UNIX tool tcpdump, and reassembles it into a WAV file for easy listening. The phones are not actually misconfigured. Rather, if someone were able to obtain access to the IP data stream at any point in the network, they could eavesdrop.

Another threat constitutes theft of service, and there are numerous methods an intruder could use to accomplish this task. In its most basic form, toll fraud includes an unauthorized user accessing an unattended IP phone to place calls. A more complex scenario might include placing a rogue IP phone or gateway on the network to place unauthorized calls.

Caller identity spoofing can occur when an intruder is able to trick a remote user into believing she is talking to someone when in fact she is really talking to the intruder. This type of attack typically occurs with the intruder assuming the identity of someone who is not familiar to the target. A complex attack would be to first place a rogue IP phone in the network and then via a secondary exploit assume the identity of a valid IP phone (assuming the identity that you want your target to see). It could also be as simple as a bypassing physical building security and using an unattended IP phone!

An IP spoofing attack can occur when an intruder inside or outside a network impersonates the conversations of a trusted computer. An intruder can do this in one of two ways. He uses either an IP address that is within the range of trusted IP addresses for a network or an authorized external IP address that is trusted and to which access is provided to specified resources on a network. IP spoofing attacks are often a launch point for other attacks. The classic example is to launch a DoS attack using spoofed source addresses to hide the intruder's identity. As it relates to IP telephony, without spoof mitigation filters the intruder might be able to spoof the address of the call-processing manager and UDP flood the entire voice segment.

Certainly the most publicized form of attack, DoS attacks are also among the most difficult to completely eliminate. These attacks include the following, all of which were discussed earlier in this chapter:

If not properly mitigated, all of these sample DoS attacks could render a voice segment unusable.

This section lists a few inherent insecurities to be aware of when using Session Initiation Protocol (SIP)-based networks. Most of these can be found in the discussion in the security considerations section of the SIP protocol (RFC 3261).