Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 8 Wireless Network Security

Upload: rhoda-marshall

Post on 24-Dec-2015


Security+ Guide to Network Security Fundamentals, Fourth Edition

Chapter 8: Wireless Network Security

Objectives

• Describe the different types of wireless network attacks

• List the vulnerabilities in IEEE 802.11 security

• Explain the solutions for securing a wireless network


Introduction

• Wireless data communications have revolutionized computer networking
  – Wireless data networks found virtually everywhere

• Wireless networks have been targets for attackers
  – Early wireless networking standards had vulnerabilities
  – Changes in wireless network security yielded security comparable to wired networks


Wireless Attacks

• Bluetooth
  – Wireless technology
  – Uses short-range radio frequency transmissions
  – Provides for rapid, ad-hoc device pairings
    • Example: smartphone and Bluetooth headphones
  – Personal Area Network (PAN) technology

• Two types of Bluetooth network topologies
  – Piconet
  – Scatternet


Table 8-1 Bluetooth products

Wireless Attacks (cont’d.)

• Piconet
  – Established when two Bluetooth devices come within range of each other
  – One device (master) controls all wireless traffic
  – Other device (slave) takes commands
    • Active slaves can send transmissions
    • Parked slaves are connected but not actively participating


Figure 8-1 Bluetooth piconet © Cengage Learning 2012

Wireless Attacks (cont’d.)

• Scatternet
  – Group of piconets with connections between different piconets

• Bluejacking
  – Attack that sends unsolicited messages to Bluetooth-enabled devices
    • Text messages, images, or sounds
  – Considered more annoying than harmful
    • No data is stolen
  – http://www.youtube.com/watch?v=ajo0njlklYo


Figure 8-2 Bluetooth scatternet © Cengage Learning 2012

Wireless Attacks (cont’d.)

• Bluesnarfing
  – Unauthorized access to wireless information through a Bluetooth connection
  – Often between cell phones and laptops
  – Attacker copies e-mails, contacts, or other data by connecting to the Bluetooth device without owner’s knowledge
  – http://www.youtube.com/watch?v=KfZ7Ek409LM
  – http://www.youtube.com/watch?v=AwoEflxJPzE


Wireless LAN Attacks

• Institute of Electrical and Electronics Engineers (IEEE)
  – Most influential organization for computer networking and wireless communications
  – Dates back to 1884
  – Began developing network architecture standards in the 1980s

• 1997: release of IEEE 802.11
  – Standard for wireless local area networks (WLANs)
  – Higher speeds added in 1999: IEEE 802.11b


Wireless LAN Attacks (cont’d.)

• IEEE 802.11a
  – Specifies maximum rated speed of 54Mbps using the 5GHz spectrum

• IEEE 802.11g
  – Preserves stable and widely accepted features of 802.11b
  – Increases data transfer rates similar to 802.11a

• IEEE 802.11n
  – Ratified in 2009


Wireless LAN Attacks (cont’d.)

• Improvements in IEEE 802.11n
  – Speed: up to 600Mbps
  – Coverage area: double a, b, g
  – Interference: different frequencies
  – Security: high level encryption required

• Wireless client network interface card adapter
  – Performs same functions as wired adapter
  – Antenna sends and receives signals


Wireless LAN Attacks (cont’d.)

• Access point (AP) major parts
  – Antenna and radio transmitter/receiver send and receive wireless signals
  – Bridging software to interface wireless devices to other devices
  – Wired network interface allows it to connect by cable to standard wired network

• AP functions
  – Acts as “base station” for wireless network


Figure 8-3 Access point © Cengage Learning 2012

Wireless LAN Attacks (cont’d.)

• AP functions (cont’d.)
  – Acts as a bridge between wireless and wired networks
    • Can connect to wired network by a cable

• Autonomous access points
  – Separate from other network devices and access points
  – Have necessary “intelligence” for wireless authentication, encryption, and management


Wireless LAN Attacks (cont’d.)

• Wireless broadband routers
  – Single hardware device containing AP, firewall, router, and DHCP server

• Wireless networks have been vulnerable targets for attackers
  – Not restricted to a cable

• Types of wireless LAN attacks
  – Discovering the network
  – Attacks through the RF spectrum
  – Attacks involving access points


Wireless LAN Attacks (cont’d.)

• Discovering the network
  – One of first steps in attack is to discover presence of a network

• Beaconing
  – AP sends signal at regular intervals to announce its presence and provide connection information
  – Wireless device scans for beacon frames
  – http://www.youtube.com/watch?v=rGYy1F1fhjc

• War driving
  – Process of passive discovery of wireless network locations


Table 8-2 War driving tools

Wireless LAN Attacks (cont’d.)

• War chalking
  – Documenting and then advertising location of wireless LANs for others to use
  – Previously done by drawing on sidewalks or walls around network area
  – Today, locations are posted on Web sites
  – http://www.youtube.com/watch?v=2rM-K6SQTiU


Table 8-4 War chalking symbols © Cengage Learning 2012

Wireless LAN Attacks (cont’d.)

• Attacks through the RF spectrum
  – Wireless protocol analyzer
  – Generating interference

• Wireless protocol analyzer
  – Wireless traffic captured to decode and analyze packet contents
  – Network interface card (NIC) adapter must be in correct mode
  – Kismet, Airmon, Wireshark


Wireless LAN Attacks (cont’d.)

• Six modes of wireless NICs
  – Master (acting as an AP)
  – Managed (client)
  – Repeater
  – Mesh
  – Ad-hoc
  – Monitor (must be this for analyzing/capturing)

• Interference
  – Signals from other devices can disrupt wireless transmissions


Wireless LAN Attacks (cont’d.)

• Devices that can cause interference with a WLAN
  – Microwave ovens
  – Elevator motors
  – Copy machines
  – Outdoor lighting (certain types)
  – Theft protection devices
  – Bluetooth devices


Figure 8-5 Attacker interference © Cengage Learning 2012

Wireless LAN Attacks (cont’d.)

• Attacks using access points
  – Rogue access points: installed by internal user
  – Evil twin: installed by hacker

• Rogue access point
  – Unauthorized access point that allows attacker to bypass network security configurations
  – May be set up behind a firewall, opening the network to attacks


Figure 8-6 Rogue access point © Cengage Learning 2012

Wireless LAN Attacks (cont’d.)

• Evil twin
  – AP set up by an attacker
  – Attempts to mimic an authorized AP
  – Attackers capture transmissions from users to evil twin AP
  – http://news.yahoo.com/blogs/upgrade-your-life/banking-online-not-hacked-182159934.html
  – Hacking Facebook, Twitter, etc.
    • http://www.youtube.com/watch?v=9T8xaDoYNmg
  – Detecting Firesheep (‘Blacksheep’): ttechdows.com/2010/11/blacksheep-detects-firesheep-use-on-wireless-networks.html
  – http://www.readwriteweb.com/archives/facebooks_zuckerberg_says_the_age_of_privacy_is_ov.php


Vulnerabilities of IEEE 802.11 Security

• Original IEEE 802.11 committee recognized wireless transmissions could be vulnerable
  – Implemented several wireless security protections in the standard
  – Left others to WLAN vendor’s discretion
  – Protections were vulnerable and led to multiple attacks


MAC Address Filtering

• Method of controlling WLAN access
  – Limit a device’s access to AP

• Media Access Control (MAC) address filtering
  – Used by nearly all wireless AP vendors
  – Permits or blocks device based on MAC address

• Vulnerabilities of MAC address filtering
  – Addresses exchanged in unencrypted format
  – Attacker can see address of approved device and substitute it on his own device
  – Managing large number of addresses is challenging


Figure 8-7 MAC address filtering © Cengage Learning 2012

SSID Broadcast

• Each device must be authenticated prior to connecting to the WLAN

• Open system authentication
  – Device discovers wireless network and sends association request frame to AP
  – Frame carries Service Set Identifier (SSID)
    • User-supplied network name
    • Can be any alphanumeric string 2-32 characters long
  – AP compares SSID with actual SSID of network
    • If the two match, wireless device is authenticated


Figure 8-8 Open system authentication © Cengage Learning 2012

SSID Broadcast (cont’d.)

• Open system authentication is weak
  – Based only on match of SSIDs
  – Attacker can wait for the SSID to be broadcast by the AP

• Users can configure APs to prevent beacon frame from including the SSID
  – Provides only a weak degree of security
  – Can be discovered when transmitted in other frames
  – Older versions of Windows XP have an added vulnerability if this approach is used


Wired Equivalent Privacy (WEP)

• IEEE 802.11 security protocol

• Encrypts plaintext into ciphertext

• Secret key is shared between wireless client device and AP
  – Key used to encrypt and decrypt packets

• WEP vulnerabilities
  – WEP can only use 64-bit or 128-bit number to encrypt
    • Initialization vector (IV) is only 24 of those bits
    • Short length makes it easier to break


Figure 8-9 WEP encryption process © Cengage Learning 2012

Wired Equivalent Privacy (cont’d.)

• WEP vulnerabilities (cont’d.)
  – Violates cardinal rule of cryptography: avoid a detectable pattern
  – Attackers can see duplication when IVs start repeating

• Keystream attack (or IV attack)
  – Attacker identifies two packets derived from same IV
  – Uses XOR to discover plaintext
  – See Figures 8-10 and 8-11 for details


Figure 8-10 XOR operations © Cengage Learning 2012


Figure 8-11 Capturing packets © Cengage Learning 2012

Wireless Security Solutions

• Unified approach to WLAN security was needed
  – IEEE and Wi-Fi Alliance began developing security solutions

• Resulting standards used today
  – IEEE 802.11i
  – WPA and WPA2


Wi-Fi Protected Access (WPA)

• Introduced in 2003 by the Wi-Fi Alliance

• A subset of IEEE 802.11i

• Design goal: protect present and future wireless devices

• Temporal Key Integrity Protocol (TKIP) Encryption
  – Used in WPA
  – Uses longer 128 bit key than WEP
  – Dynamically generated for each new packet


Wi-Fi Protected Access (cont’d.)

• Preshared Key (PSK) Authentication
  – After AP configured, client device must have same key value entered
  – Key is shared prior to communication taking place
  – Uses a passphrase to generate encryption key
    • Must be entered on each AP and wireless device in advance
  – Not used for encryption
    • Serves as starting point for mathematically generating the encryption keys


Wi-Fi Protected Access (cont’d.)

• Vulnerabilities in WPA
  – Key management
    • Key sharing is done manually without security protection
    • Keys must be changed on a regular basis
    • Key must be disclosed to guest users
  – Passphrases
    • PSK passphrases of fewer than 20 characters subject to cracking
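
The PSK slides above say the passphrase is only the starting point for generating the encryption keys and that passphrases under 20 characters are subject to cracking. The following is an added example, not taken from the book: it derives the 256-bit key the way WPA and WPA2 personal mode do (PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations) and audits a proposed passphrase. The SSID, passphrases and the `audit_psk` policy helper are hypothetical.

```python
import hashlib

MIN_LEN = 20   # passphrase length below which the slide above warns of cracking

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK key derivation: PBKDF2-HMAC-SHA1, SSID as salt,
    4096 iterations, 256-bit output. The passphrase itself never encrypts traffic."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def audit_psk(passphrase: str, ssid: str, retired_pmks: set[str]) -> list[str]:
    """Return policy findings for a proposed passphrase (hypothetical helper)."""
    findings = []
    if len(passphrase) < MIN_LEN:
        findings.append(f"shorter than {MIN_LEN} characters")
    if ssid.lower() in passphrase.lower():
        findings.append("contains the SSID, which is sent in the clear")
    if len(set(passphrase)) < 8:
        findings.append("fewer than 8 distinct characters")
    # Retired keys are stored as derived-key hex, so old passphrases need not be kept.
    if derive_pmk(passphrase, ssid).hex() in retired_pmks:
        findings.append("matches a retired key")
    return findings

# Constructed sample values for illustration.
SSID = "CorpGuest"
RETIRED = {derive_pmk("correct horse battery staple 2011", SSID).hex()}

def demo() -> dict:
    return {
        "short": audit_psk("CorpGuest2012", SSID, RETIRED),
        "reused": audit_psk("correct horse battery staple 2011", SSID, RETIRED),
        "ok": audit_psk("plum-Orbit-73-candle-ferry", SSID, RETIRED),
    }

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "no findings")
```

Because the only secret input is the passphrase and the salt is the advertised network name, the strength of every derived key rests on passphrase length and unpredictability.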


Wi-Fi Protected Access 2 (WPA2)

• Second generation of WPA known as WPA2
  – Introduced in 2004
  – Based on final IEEE 802.11i standard
  – Uses Advanced Encryption Standard (AES)
  – Supports both PSK and IEEE 802.1x authentication

• AES-CCMP Encryption
  – Encryption protocol standard for WPA2
  – CCM is algorithm providing data privacy
  – CBC-MAC component of CCMP provides data integrity and authentication


Wi-Fi Protected Access 2 (cont’d.)

• AES encryption and decryption
  – Should be performed in hardware because of its computationally intensive nature

• IEEE 802.1x authentication
  – Originally developed for wired networks
  – Provides greater degree of security by implementing port security
  – Blocks all traffic on a port-by-port basis until client is authenticated


Wi-Fi Protected Access 2 (cont’d.)

• Extensible Authentication Protocol (EAP)
  – Framework for transporting authentication protocols
  – Defines message format
  – Uses four types of packets
    • Request
    • Response
    • Success
    • Failure

• Lightweight EAP (LEAP)
  – Proprietary method developed by Cisco Systems


Wi-Fi Protected Access 2 (cont’d.)

• Lightweight EAP (cont’d.)
  – Requires mutual authentication used for WLAN encryption using Cisco client software
  – Can be vulnerable to specific types of attacks
    • No longer recommended by Cisco

• Protected EAP (PEAP)
  – Simplifies deployment of 802.1x by using Microsoft Windows logins and passwords
  – Creates encrypted channel between client and authentication server


Table 8-3 Wireless security solutions

Other Wireless Security Steps

• Antenna placement
  – Locate near center of coverage area
  – Place high on a wall to reduce signal obstructions and deter theft

• Power level controls
  – Some APs allow adjustment of the power level at which the LAN transmits
  – Reducing power allows less signal to reach outsiders


Other Wireless Security Steps (cont’d.)

• Organizations are becoming increasingly concerned about existence of rogue APs

• Rogue access point discovery tools
  – Security personnel can manually audit airwaves using wireless protocol analyzer
  – Continuously monitoring the RF airspace using a wireless probe

• Types of wireless probes
  – Wireless device probe
  – Desktop probe


Other Wireless Security Steps (cont’d.)

• Types of wireless probes (cont’d.)
  – Access point probe
  – Dedicated probe

• Wireless virtual LANs (VLANs)
  – Organizations may set up two wireless VLANs
    • One for employee access, one for guest access
  – Configured in one of two ways
    • Depending on which device separates and directs the packets to different networks
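
The rogue access point discovery described above (auditing the airwaves with a protocol analyzer or wireless probe) comes down to comparing what is heard against what is authorized. The following is an added example, not taken from the book: it classifies probe observations against an AP inventory to surface evil twin and rogue AP candidates. The inventory, scan records, field names and signal threshold are constructed assumptions.

```python
# Constructed inventory of authorized APs: BSSID -> (SSID, expected security).
AUTHORIZED = {
    "00:11:22:33:44:01": ("CorpNet", "WPA2-Enterprise"),
    "00:11:22:33:44:02": ("CorpNet", "WPA2-Enterprise"),
    "00:11:22:33:44:10": ("CorpGuest", "WPA2-PSK"),
}
ON_SITE_RSSI = -60   # assumed threshold (dBm) for "probably inside the building"

# Constructed observations, as a wireless probe might report them.
SCAN = [
    {"bssid": "00:11:22:33:44:01", "ssid": "CorpNet", "security": "WPA2-Enterprise", "rssi": -48},
    {"bssid": "00:11:22:33:44:10", "ssid": "CorpGuest", "security": "Open", "rssi": -55},
    {"bssid": "DE:AD:BE:EF:00:01", "ssid": "CorpNet", "security": "Open", "rssi": -41},
    {"bssid": "de:ad:be:ef:00:02", "ssid": "linksys", "security": "WPA2-PSK", "rssi": -52},
    {"bssid": "de:ad:be:ef:00:03", "ssid": "CoffeeShop", "security": "Open", "rssi": -83},
]

def classify(obs: dict) -> str:
    bssid = obs["bssid"].lower()              # probes differ in MAC letter case
    corp_ssids = {ssid for ssid, _ in AUTHORIZED.values()}
    if bssid in AUTHORIZED:
        # Known radio advertising something unexpected: misconfiguration,
        # or another device copying an authorized BSSID.
        if (obs["ssid"], obs["security"]) != AUTHORIZED[bssid]:
            return "authorized-bssid-mismatch"
        return "authorized"
    if obs["ssid"] in corp_ssids:
        return "evil-twin-suspect"            # our network name, unknown radio
    if obs["rssi"] >= ON_SITE_RSSI:
        return "rogue-suspect"                # unknown AP with on-premises signal
    return "neighbor"

def audit(scan: list) -> dict:
    """Map each observed BSSID (lower-cased) to its classification."""
    return {o["bssid"].lower(): classify(o) for o in scan}

if __name__ == "__main__":
    for bssid, verdict in audit(SCAN).items():
        if verdict not in ("authorized", "neighbor"):
            print(f"{bssid}: {verdict}")
```

A radio-only check cannot tell whether a suspect AP is cabled into the internal network; confirming a rogue AP still requires checking the wired side, for example switch port MAC tables.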


Summary

• Bluetooth is a wireless technology using short-range RF transmissions

• IEEE has developed five wireless LAN standards to date, four of which are popular today
  – (IEEE 802.11a/b/g/n)

• Attackers can identify the existence of a wireless network using war driving

• Wired Equivalent Privacy relies on a secret key shared between wireless client device and access point


Summary (cont’d.)

• Wi-Fi Protected Access (WPA) and WPA2 have become the foundations of wireless security today

• Other steps to protect a wireless network include:
  – Antenna positioning
  – Access point power level adjustment
  – Detecting rogue access points
