Wireless LAN Security and IEEE 802.11w

Wireless LAN Security and IEEE 802.11w

By CWNP On 10/23/2009 - 21 Comments

As Wireless LANs (WLANs) have been increasingly entrusted to carry mission critical enterprise data and voice communication, the impact of Wireless LAN (WLAN) Denial of Service (DoS) attacks has increased manyfold. The recently ratified 802.11w standard that provides Management Frame Protection (MFP) does provide some help in fighting WLAN DoS attacks. But, if you think that 802.11w can put an end to all of your WLAN DoS problems, I beg to differ. Please read on to find out why.

 

Ever since inception, wireless LANs have been known to be susceptible to Denial of Service (DoS) attacks. Example DoS attacks include radio-level DoS attacks such as RF jamming and MAC-level DoS attacks such as deauthentication flood, disassociation flood, association flood, and virtual (802.11-NAV-field based) jamming. Tools to launch these DoS attacks are freely available on the Internet. There are 2 main reasons as to why WLANs have been vulnerable to DoS attacks. First, the wireless medium is not confined to physical boundaries such as wires and buildings. Hence, attacks can be potentially launched from outside an enterprise (e.g., from parking lots). Second, authentication/encryption of management and control plane frames was never a part of the original 802.11 specification. This makes it is easy for an attacker to transmit spoofed attack packets that appear legitimate.  

The IEEE 802.11w standard aims to mitigate certain types of WLAN DoS attacks. 802.11w extends strong cryptographic protection to specific management frames (in a manner that is similar to what 802.11i/RSN defines for data frames). A select set of management frames transmitted after 802.11i/RSN key derivation is protected. MFP is provided for a category of management frames called “Robust Management Frames”. Deauthentication frames, Disassociation frames, and certain categories of Action Management frames are defined as Robust Management Frames. Action Management Frames are special types of management frames that carry WLAN operation related information – e.g., QoS Management, Spectrum Management or BlockAck session management.  Note that management frames transmitted before the derivation of 802.11i/RSN keys are unprotected. 

802.11w provides data integrity and replay protection for broadcast/multicast Robust management frames. Additionally, data confidentiality is provided for unicast management frames. A new protocol “Broadcast Integrity Protocol” (BIP) is defined for achieving integrity of broadcast/multicast management frames. BIP makes use of a Message Integrity Code (MIC) that is calculated over the frame body to detect tampering of management frames. A receiver silently drops all tampered frames. The basic premise here is that the MIC computation uses a shared-secret that is available only to authorized WLAN users (and not to an attacker). I will explain this further using a deauthentication attack. An attacker launching a deauthentication attack cannot compute the correct MIC for the spoofed deauth packets. Hence, his or her deauth packets will be silently rejected by the 802.11w AP/clients in a WLAN. Alternately, he cannot replay any legitimate deauth packets due to replay protection. Thus, 802.11w can protect a WLAN against deauthentication attack.   

802.11w definitely helps mitigate certain classes of DoS attacks on WLANs – e.g., deauthentication attack, dis-association attack. However, the following are the limitations of 802.11w in fighting WLAN DoS attacks: 

-          802.11w provides protection for certain specific 802.11 management frames only, specifically, deauthentication frames, disassociation frames, and action management frames. Hence, DoS attacks based on management frames not protected by 802.11w are still possible (e.g., association based attacks, beacon based attacks).

-          DoS attacks based on 802.11 data and control frames are outside the scope of 802.11w and still continue to be a pain.

-          RF jamming based DoS attacks cannot be mitigated via 802.11w.

-          Certain logistical issues exist with the 802.11w solution

     o        802.11w requires a code change/software upgrade on not just an AP, but also on clients

     o        802.11w cannot protect the large number of legacy devices that exist today.

Hence, 802.11w is a good first line of defense in mitigating WLAN DoS attacks and you should adopt it. However, for more robust protection, it should be complemented by a DoS detection and mitigation strategy based on a Wireless Intrusion Prevention System (WIPS). Further, WIPS can help you protect against other wireless security threats that are completely outside of the scope of 802.11w – AP based threats (e.g., Rogue APs), client based threats (e.g., Evil Twins) and threats on WLAN infrastructure (e.g., Skyjacking). 

I look forward to hear your views. 

Thanks,Gopi

Tagged with: gopi

Blog Disclaimer: The opinions expressed within these blog posts are solely the author’s and do not reflect the opinions and beliefs of the Certitrek, CWNP or its affiliates.