1 / 41

CWNA Guide to Wireless LANs, Second Edition

CWNA Guide to Wireless LANs, Second Edition. Chapter Eight Wireless LAN Security and Vulnerabilities. Objectives. Define information security Explain the basic security protections for IEEE 802.11 WLANs List the vulnerabilities of the IEEE 802.11 standard

becky
Download Presentation

CWNA Guide to Wireless LANs, Second Edition

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CWNA Guide to Wireless LANs, Second Edition Chapter Eight Wireless LAN Security and Vulnerabilities

  2. Objectives • Define information security • Explain the basic security protections for IEEE 802.11 WLANs • List the vulnerabilities of the IEEE 802.11 standard • Describe the types of wireless attacks that can be launched against a wireless network CWNA Guide to Wireless LANs, Second Edition

  3. Security Principles: What is Information Security? • Information security: Task of guarding digital information • Ensures protective measures properly implemented • Protects confidentiality, integrity, and availability (CIA) on the devices that store, manipulate, and transmit the information through products, people, and procedures CWNA Guide to Wireless LANs, Second Edition

  4. Security Principles: What is Information Security? (continued) Figure 8-1: Information security components CWNA Guide to Wireless LANs, Second Edition

  5. Security Principles: Challenges of Securing Information • Trends influencing increasing difficultly in information security: • Speed of attacks • Sophistication of attacks • Faster detection of weaknesses • Day zero attacks • Distributed attacks • The “many against one” approach • Impossible to stop attack by trying to identify and block source CWNA Guide to Wireless LANs, Second Edition

  6. Security Principles: Categories of Attackers • Six categories of attackers: • Hackers • Not malicious; expose security flaws • Crackers • Script kiddies • Spies • Employees • Cyberterrorists CWNA Guide to Wireless LANs, Second Edition

  7. Security Principles: Categories of Attackers (continued) Table 8-1: Attacker profiles CWNA Guide to Wireless LANs, Second Edition

  8. Security Principles: Security Organizations • Many security organizations exist to provide security information, assistance, and training • Computer Emergency Response Team Coordination Center (CERT/CC) • Forum of Incident Response and Security Teams (FIRST) • InfraGard • Information Systems Security Association (ISSA) • National Security Institute (NSI) • SysAdmin, Audit, Network, Security (SANS) Institute CWNA Guide to Wireless LANs, Second Edition

  9. Basic IEEE 802.11 Security Protections • Data transmitted by a WLAN could be intercepted and viewed by an attacker • Important that basic wireless security protections be built into WLANs • Three categories of WLAN protections: • Access control • Wired equivalent privacy (WEP) • Authentication • Some protections specified by IEEE, while others left to vendors CWNA Guide to Wireless LANs, Second Edition

  10. Access Control • Intended to guard availability of information • Wireless access control: Limit user’s admission to AP • Filtering • Media Access Control (MAC) address filtering: Based on a node’s unique MAC address Figure 8-2: MAC address CWNA Guide to Wireless LANs, Second Edition

  11. Access Control (continued) Figure 8-4: MAC address filtering CWNA Guide to Wireless LANs, Second Edition

  12. Access Control (continued) • MAC address filtering considered to be a basic means of controlling access • Requires pre-approved authentication • Difficult to provide temporary access for “guest” devices CWNA Guide to Wireless LANs, Second Edition

  13. Wired Equivalent Privacy (WEP) • Guard the confidentiality of information • Ensure only authorized parties can view it • Used in IEEE 802.11 to encrypt wireless transmissions • “Scrambling” CWNA Guide to Wireless LANs, Second Edition

  14. WEP: Cryptography • Cryptography: Science of transforming information so that it is secure while being transmitted or stored • scrambles” data • Encryption: Transforming plaintext to ciphertext • Decryption: Transforming ciphertext to plaintext • Cipher: An encryption algorithm • Given a key that is used to encrypt and decrypt messages • Weak keys: Keys that are easily discovered CWNA Guide to Wireless LANs, Second Edition

  15. WEP: Cryptography (continued) Figure 8-5: Cryptography CWNA Guide to Wireless LANs, Second Edition

  16. WEP: Implementation • IEEE 802.11 cryptography objectives: • Efficient • Exportable • Optional • Reasonably strong • Self-synchronizing • WEP relies on secret key “shared” between a wireless device and the AP • Same key installed on device and AP • Private key cryptography or symmetric encryption CWNA Guide to Wireless LANs, Second Edition

  17. WEP: Implementation (continued) Figure 8-6: Symmetric encryption CWNA Guide to Wireless LANs, Second Edition

  18. WEP: Implementation (continued) • WEP shared secret keys must be at least 40 bits • Most vendors use 104 bits • Options for creating WEP keys: • 40-bit WEP shared secret key (5 ASCII characters or 10 hexadecimal characters) • 104-bit WEP shared secret key (13 ASCII characters or 16 hexadecimal characters) • Passphrase (16 ASCII characters) • APs and wireless devices can store up to four shared secret keys • Default key used for all encryption CWNA Guide to Wireless LANs, Second Edition

  19. WEP: Implementation (continued) Figure 8-8: Default WEP keys CWNA Guide to Wireless LANs, Second Edition

  20. WEP: Implementation (continued) Figure 8-9: WEP encryption process CWNA Guide to Wireless LANs, Second Edition

  21. WEP: Implementation (continued) • When encrypted frame arrives at destination: • Receiving device separates IV from ciphertext • Combines IV with appropriate secret key • Create a keystream • Keystream used to extract text and ICV • Text run through CRC • Ensure ICVs match and nothing lost in transmission • Generating keystream using the PRNG is based on the RC4 cipher algorithm • Stream Cipher CWNA Guide to Wireless LANs, Second Edition

  22. WEP: Implementation (continued) Figure 8-10: Stream cipher CWNA Guide to Wireless LANs, Second Edition

  23. Authentication • IEEE 802.11 authentication: Process in which AP accepts or rejects a wireless device • Open system authentication: • Wireless device sends association request frame to AP • Carries info about supported data rates and service set identifier (SSID) • AP compares received SSID with the network SSID • If they match, wireless device authenticated CWNA Guide to Wireless LANs, Second Edition

  24. Authentication (continued) • Shared key authentication: Uses WEP keys • AP sends the wireless device the challenge text • Wireless device encrypts challenge text with its WEP key and returns it to the AP • AP decrypts returned result and compares to original challenge text • If they match, device accepted into network CWNA Guide to Wireless LANs, Second Edition

  25. Vulnerabilities of IEEE 802.11 Security • IEEE 802.11 standard’s security mechanisms for wireless networks have fallen short of their goal • Vulnerabilities exist in: • Authentication • Address filtering • WEP CWNA Guide to Wireless LANs, Second Edition

  26. Open System Authentication Vulnerabilities • Inherently weak • Based only on match of SSIDs • SSID beaconed from AP during passive scanning • Easy to discover • Vulnerabilities: • Beaconing SSID is default mode in all APs • Not all APs allow beaconing to be turned off • Or manufacturer recommends against it • SSID initially transmitted in plaintext (unencrypted) CWNA Guide to Wireless LANs, Second Edition

  27. Open System Authentication Vulnerabilities (continued) • Vulnerabilities (continued): • If an attacker cannot capture an initial negotiation process, can force one to occur • SSID can be retrieved from an authenticated device • Many users do not change default SSID • Several wireless tools freely available that allow users with no advanced knowledge of wireless networks to capture SSIDs CWNA Guide to Wireless LANs, Second Edition

  28. Open System Authentication Vulnerabilities (continued) Figure 8-12: Forcing the renegotiation process CWNA Guide to Wireless LANs, Second Edition

  29. Shared Secret Key Authentication Vulnerabilities • Attackers can view key on an approved wireless device (i.e., steal it), and then use on own wireless devices • Brute force attack: Attacker attempts to create every possible key combination until correct key found • Dictionary attack: Takes each word from a dictionary and encodes it in same way as passphrase • Compare encoded dictionary words against encrypted frame CWNA Guide to Wireless LANs, Second Edition

  30. Shared Secret Key Authentication Vulnerabilities (continued) • AP sends challenge text in plaintext • Attacker can capture challenge text and device’s response (encrypted text and IV) • Mathematically derive keystream CWNA Guide to Wireless LANs, Second Edition

  31. Shared Secret Key Authentication Vulnerabilities (continued) Table 8-2: Authentication attacks CWNA Guide to Wireless LANs, Second Edition

  32. Address Filtering Vulnerabilities Table 8-3: MAC address attacks CWNA Guide to Wireless LANs, Second Edition

  33. WEP Vulnerabilities • Uses 40 or 104 bit keys • Shorter keys easier to crack • WEP implementation violates cardinal rule of cryptography • Creates detectable pattern for attackers • APs end up repeating IVs • Collision: Two packets derived from same IV • Attacker can use info from collisions to initiate a keystream attack CWNA Guide to Wireless LANs, Second Edition

  34. WEP Vulnerabilities (continued) Figure 8-13: XOR operations CWNA Guide to Wireless LANs, Second Edition

  35. WEP Vulnerabilities (continued) Figure 8-14: Capturing packets CWNA Guide to Wireless LANs, Second Edition

  36. WEP Vulnerabilities (continued) • PRNG does not create true random number • Pseudorandom • First 256 bytes of the RC4 cipher can be determined by bytes in the key itself Table 8-4: WEP attacks CWNA Guide to Wireless LANs, Second Edition

  37. Other Wireless Attacks: Man-in-the-Middle Attack • Makes it seem that two computers are communicating with each other • Actually sending and receiving data with computer between them • Active or passive Figure 8-15: Intercepting transmissions CWNA Guide to Wireless LANs, Second Edition

  38. Other Wireless Attacks: Man-in-the-Middle Attack (continued) Figure 8-16: Wireless man-in-the-middle attack CWNA Guide to Wireless LANs, Second Edition

  39. Other Wireless Attacks: Denial of Service (DoS) Attack • Standard DoS attack attempts to make a server or other network device unavailable by flooding it with requests • Attacking computers programmed to request, but not respond • Wireless DoS attacks are different: • Jamming: Prevents wireless devices from transmitting • Forcing a device to continually dissociate and re-associate with AP CWNA Guide to Wireless LANs, Second Edition

  40. Summary • Information security protects the confidentiality, integrity, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures • Significant challenges in keeping wireless networks and devices secure • Six categories of attackers: Hackers, crackers, script kiddies, computer spies, employees, and cyberterrorists CWNA Guide to Wireless LANs, Second Edition

  41. Summary (continued) • Three categories of default wireless protection: access control, wired equivalent privacy (WEP), and authentication • Significant security vulnerabilities exist in the IEEE 802.11 security mechanisms • Man-in-the-middle attacks and denial of service attacks (DoS) can be used to attack wireless networks CWNA Guide to Wireless LANs, Second Edition

More Related