Learn about the basic IEEE 802.11 wireless security protections, vulnerabilities of open system authentication, WEP, and device authentication, and how enterprises can implement wireless security.
Security+ Guide to Network Security Fundamentals, Third Edition
Chapter 6: Wireless Network Security

Objectives
• Describe the basic IEEE 802.11 wireless security protections
• Define the vulnerabilities of open system authentication, WEP, and device authentication
• Describe the WPA and WPA2 personal security models
• Explain how enterprises can implement wireless security

IEEE 802.11 Wireless Security Protections
• Institute of Electrical and Electronics Engineers (IEEE)
  • The most widely known and influential organization for computer networking and wireless communications
• In the early 1980s, the IEEE began work on developing computer network architecture standards
  • This work was called Project 802
• In 1990, the IEEE formed a committee to develop a standard for WLANs
  • That operate at a speed of 1 and 2 million bits per second (Mbps)

IEEE 802.11 Wireless Security Protections (continued)
• In 1997, the IEEE approved the IEEE 802.11 WLAN standard
• Revisions
  • IEEE 802.11a
  • IEEE 802.11b
  • IEEE 802.11g
  • IEEE 802.11n

Controlling Access
• Controlling wireless access of devices to the WLAN
  • Accomplished by limiting a device’s access to the access point (AP)
• By restricting access to the AP, only those devices that are authorized are able to connect to the AP and become part of the wireless network
• The IEEE 802.11 standard does not specify how to implement controlling access
• Almost all wireless AP vendors implement access control through Media Access Control (MAC) address filtering

Controlling Access (continued)
• MAC address filtering is usually implemented by permitting instead of preventing
• Wired Equivalent Privacy (WEP)
  • Designed to ensure that only authorized parties can view transmitted wireless information
  • Uses encryption to protect traffic
• The IEEE 802.11 committee designed WEP to meet the following criteria:
  • Efficient, exportable, optional, self-synchronizing, and reasonably strong

Controlling Access (continued)
• IEEE 802.11 WEP shared secret keys must be a minimum of 64 bits in length
• The options for creating keys are as follows:
  • 64-bit key
  • 128-bit key
  • Passphrase
• The AP and devices can hold up to four shared secret keys
  • One of which must be designated as the default key

Controlling Access (continued)
• Device authentication
  • Wireless LANs cannot limit access to the wireless signal by walls or doors
  • Sometimes called data emanation
• Types of authentication supported by the 802.11 standard
  • Open system authentication
    • See Figure 6-6
  • Shared key authentication
    • See Figure 6-7

Vulnerabilities of IEEE 802.11 Security
• The primary vulnerabilities are in the areas of open system authentication, MAC address filtering, and WEP

Open System Authentication Vulnerabilities
• Open system authentication is considered weak because authentication is based on only one factor:
  • A match of SSID
• The easiest way to discover the SSID is to actually do nothing
  • Exploits the beaconing process
• Once a wireless device receives a beacon frame, it can attempt to join the network
  • By sending an association request frame back to the AP

Open System Authentication Vulnerabilities (continued)
• Passive scanning
  • The most common type of scanning
  • A wireless device simply listens for a beacon frame for a set period of time
• For a degree of protection, some wireless security sources encourage users to configure their APs to prevent the beacon frame from including the SSID
  • But instead require the user to enter the SSID manually on the wireless device

Open System Authentication Vulnerabilities (continued)
• Problems arise when the SSID is not beaconed
  • Can affect roaming
  • Can also affect devices running Microsoft Windows XP
• The SSID can be easily discovered even when it is not contained in beacon frames
  • It is still transmitted in other management frames sent by the AP
• Configuring an access point to not allow the beacon frame to include the SSID provides virtually no protection
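
The point above, that the SSID still travels in other management frames, can be seen by locating the SSID element in each frame type. This is an added example, not part of the original slides; the frames, the BSSID and the name "CorpNet" are constructed sample values, and `build_frame` is a hypothetical helper that only produces those samples.

```python
# Locate the SSID element (element ID 0) in 802.11 management frames.
MGMT_FIXED_LEN = {8: 12, 5: 12, 0: 4, 2: 10, 4: 0}  # subtype -> fixed-field bytes
SUBTYPE_NAME = {8: "beacon", 5: "probe response", 0: "association request",
                2: "reassociation request", 4: "probe request"}
HEADER_LEN = 24  # frame control, duration, three addresses, sequence control


def parse_ssid(frame: bytes):
    """Return (subtype_name, bssid, ssid_bytes), or None if no SSID is found."""
    if len(frame) < HEADER_LEN or (frame[0] >> 2) & 0x3 != 0:
        return None                       # truncated or not a management frame
    subtype = frame[0] >> 4
    if subtype not in MGMT_FIXED_LEN:
        return None
    bssid = frame[16:22].hex(":")         # address 3 carries the BSSID here
    pos = HEADER_LEN + MGMT_FIXED_LEN[subtype]
    while pos + 2 <= len(frame):          # walk the tagged elements
        elem_id, elem_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + elem_len]
        if len(value) < elem_len:
            return None                   # element runs past the end of the frame
        if elem_id == 0:
            return SUBTYPE_NAME[subtype], bssid, value
        pos += 2 + elem_len
    return None


def is_hidden(ssid: bytes) -> bool:
    """A suppressed SSID is sent as a zero-length or all-zero element."""
    return len(ssid) == 0 or set(ssid) == {0}


def build_frame(subtype: int, bssid: bytes, ssid: bytes) -> bytes:
    """Constructed sample frame: zeroed fixed fields and a single SSID element."""
    header = bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    return header + bytes(MGMT_FIXED_LEN[subtype]) + bytes([0, len(ssid)]) + ssid


def ssids_seen(frames):
    """Map each BSSID to the non-hidden SSIDs observed in any management frame."""
    seen = {}
    for frame in frames:
        parsed = parse_ssid(frame)
        if parsed and not is_hidden(parsed[2]):
            seen.setdefault(parsed[1], set()).add(parsed[2].decode("utf-8", "replace"))
    return seen


if __name__ == "__main__":
    ap = bytes.fromhex("020000000001")    # constructed BSSID
    print(ssids_seen([build_frame(8, ap, b""), build_frame(5, ap, b"CorpNet")]))
```

With only the beacon as input the result is empty; adding the probe response for the same BSSID yields the name, which is why suppressing the SSID in beacons is not an access control.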

MAC Address Filtering Weaknesses
• MAC addresses are initially exchanged in an unencrypted format through the WLAN
  • An attacker can easily see the MAC address of an approved device and use it to join the network
• Managing a large number of MAC addresses can pose significant challenges
• MAC address filtering does not provide a means to temporarily allow a guest user to access the network
  • Other than manually entering the user’s MAC address into the access point

WEP
• To encrypt packets, WEP can use only a 64-bit or 128-bit number
  • Which is made up of a 24-bit initialization vector (IV) and a 40-bit or 104-bit default key
• The relatively short length of the default key limits its strength
• WEP implementation violates the cardinal rule of cryptography:
  • Anything that creates a detectable pattern must be avoided at all costs
  • IVs would start repeating in fewer than seven hours

WEP (continued)
• Because of the weaknesses of WEP
  • Possible for an attacker to identify two packets derived from the same IV (called a collision)
• Keystream attack
  • A method of determining the keystream by analyzing two packets that were created from the same IV
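
Why an IV collision matters, as an added example that is not part of the original slides: with RC4 seeded by IV plus shared key, two packets under the same IV use the same keystream, so XORing the ciphertexts cancels it. The key, IV, plaintexts and the 700 packets-per-second rate are constructed or assumed values, and the WEP integrity value is left out for brevity.

```python
IV_SPACE = 2 ** 24  # a 24-bit IV allows only 16,777,216 distinct values


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """Ciphertext = plaintext XOR RC4(IV || key); the IV is sent in the clear."""
    return xor(plaintext, rc4_keystream(iv + key, len(plaintext)))


def hours_until_iv_reuse(packets_per_second: float) -> float:
    """Time for a sequential IV counter to wrap at a given packet rate."""
    return IV_SPACE / packets_per_second / 3600


def collision_demo():
    """Encrypt two constructed packets under one IV and compare the results."""
    key = bytes.fromhex("0102030405")        # constructed 40-bit default key
    iv = bytes.fromhex("a1b2c3")             # same 24-bit IV for both packets
    p1 = b"GET /index.html "                 # constructed plaintexts
    p2 = b"user=alice&pin=1"
    c1, c2 = wep_encrypt(iv, key, p1), wep_encrypt(iv, key, p2)
    leaked = xor(c1, c2)                     # keystream cancels: equals p1 XOR p2
    recovered = xor(leaked, p1)              # one known plaintext exposes the other
    return leaked == xor(p1, p2), recovered


if __name__ == "__main__":
    print(collision_demo())
    print(round(hours_until_iv_reuse(700), 2), "hours at an assumed 700 packets/s")
```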

Personal Wireless Security
• The wireless security requirements for personal wireless security are most often based on two models promoted by the Wi-Fi Alliance:
  • WPA Personal Security
  • WPA2 Personal Security

WPA Personal Security
• Wireless Ethernet Compatibility Alliance (WECA)
  • A consortium of wireless equipment manufacturers and software providers formed to promote wireless network technology
• WECA goals:
  • To encourage wireless manufacturers to use the IEEE 802.11 technologies
  • To promote and market these technologies
  • To test and certify that wireless products adhere to the IEEE 802.11 standards to ensure product interoperability

WPA Personal Security (continued)
• In 2002, the WECA organization changed its name to Wi-Fi (Wireless Fidelity) Alliance
• In October 2003, the Wi-Fi Alliance introduced Wi-Fi Protected Access (WPA)
  • WPA had the design goal of protecting both present and future wireless devices; it addresses both wireless authentication and encryption
• PSK addresses authentication and TKIP addresses encryption

WPA Personal Security (continued)
• Preshared key (PSK) authentication
  • Uses a passphrase to generate the encryption key
• When using PSK, a key must be created and entered into both the access point and all wireless devices
  • Prior to the devices communicating with the AP
• The PSK is not used for encryption
  • Instead, it serves as the starting point (seed) for mathematically generating the encryption keys

WPA Personal Security (continued)
• WPA replaces WEP with an encryption technology called Temporal Key Integrity Protocol (TKIP)
• TKIP has several advantages over WEP:
  • TKIP uses a longer 128-bit key
  • TKIP keys are known as per-packet keys
  • When coupled with other technologies, TKIP provides an even greater level of security
• WPA also replaces the Cyclic Redundancy Check (CRC) function in WEP with the Message Integrity Check (MIC)
  • Designed to prevent an attacker from capturing, altering, and resending data packets

WPA2 Personal Security
• Wi-Fi Protected Access 2 (WPA2)
  • Introduced by the Wi-Fi Alliance in September 2004
  • The second generation of WPA security
  • Still uses PSK authentication but instead of TKIP encryption it uses enhanced data encryption
• PSK Authentication
  • Intended for personal and small office home office users who do not have advanced server capabilities
  • PSK keys are automatically changed and authenticated between devices after a specified period of time known as the rekey interval

WPA2 Personal Security (continued)
• PSK key management weaknesses:
  • The distribution and sharing of PSK keys is performed manually without any technology security protections
  • PSK only uses a single key
  • Changing the PSK key requires reconfiguring the key on every wireless device and on all access points
  • In order to allow a guest user to have access to a PSK WLAN, the key must be given to that guest
• A second area of PSK vulnerability is the use of passphrases

WPA2 Personal Security (continued)
• A PSK is a 64-bit hexadecimal number
• The most common way in which this number is generated is by entering a passphrase
  • Consisting of letters, digits, punctuation, etc. that is between 8 and 63 characters in length
• PSK passphrases of fewer than 20 characters can be subject to a specific type of attack and broken
• AES-CCMP Encryption
  • Encryption under the WPA2 personal security model is accomplished by AES-CCMP
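
How a passphrase becomes the PSK that seeds the encryption keys, as an added example that is not part of the original slides. It uses the passphrase mapping from IEEE 802.11i (PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations, 32 bytes of output, written as 64 hexadecimal digits); `audit_passphrase` is a hypothetical helper that applies only the length limits stated in the slides.

```python
import hashlib

WEAK_LENGTH = 20  # the slides flag passphrases of fewer than 20 characters


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Map a WPA/WPA2-Personal passphrase and SSID to the 32-byte PSK."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes long")
    # The SSID is the salt, so one passphrase gives a different PSK per network name.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def audit_passphrase(passphrase: str) -> list:
    """Return length findings for a candidate passphrase (empty list = none)."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("length outside the 8-63 character range")
    elif len(passphrase) < WEAK_LENGTH:
        findings.append(f"shorter than {WEAK_LENGTH} characters")
    return findings


if __name__ == "__main__":
    # "password" / "IEEE" is the published 802.11i test case, not a recommendation.
    psk = derive_psk("password", "IEEE")
    print(psk.hex(), len(psk.hex()), "hex digits")
    print(audit_passphrase("password"))
```

Because the passphrase is the only secret input to this derivation, every device and guest that holds it can compute the same PSK, which is the key-management weakness listed above.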

WPA2 Personal Security (continued)
• CCMP is based upon the Counter Mode with CBC-MAC (CCM)
  • Of the Advanced Encryption Standard (AES) encryption algorithm
• CCM is the algorithm providing data privacy
  • While the Cipher Block Chaining Message Authentication Code (CBC-MAC) component of CCMP provides data integrity and authentication

Enterprise Wireless Security
• The enterprise wireless security options can be divided into those that follow the IEEE 802.11i standard and those that follow the WPA and WPA2 models

IEEE 802.11i
• The IEEE 802.11i wireless security standard
  • Addresses the two main weaknesses of wireless networks: encryption and authentication
• Encryption is accomplished by replacing WEP’s original PRNG RC4 algorithm
  • With a stronger cipher that performs three steps on every block (128 bits) of plaintext
• IEEE 802.11i authentication and key management is accomplished by the IEEE 802.1x standard

IEEE 802.11i (continued)
• Key-caching
  • Stores information from a device on the network so if a user roams away from a wireless access point and later returns, he does not need to re-enter all of the credentials
• Pre-authentication
  • Allows a device to become authenticated to an AP before moving into range of the AP

WPA Enterprise Security
• The WPA Enterprise Security model is designed for medium to large-size organizations
• Provides improved authentication and encryption over the personal model on a wireless LAN
• The authentication used is IEEE 802.1x and the encryption is TKIP

WPA Enterprise Security (continued)
• IEEE 802.1x Authentication
  • Provides an authentication framework for all IEEE 802-based LANs
  • Uses port-based authentication mechanisms
  • Does not perform any encryption
• TKIP Encryption
  • An improvement on WEP encryption
  • Designed to fit into the existing WEP procedure

WPA2 Enterprise Security
• Provides the highest level of secure authentication and encryption on a wireless LAN
• Authentication used is IEEE 802.1x and the encryption is AES-CCMP
• IEEE 802.1x authentication provides the most robust authentication for a WPA2 enterprise model WLAN
• Encryption is based on the stronger AES-CCMP
  • Only the 128-bit key and 128-bit block are mandatory for WPA2

Enterprise Wireless Security Devices
• Thin Access Point
  • An access point without the authentication and encryption functions
  • These features reside on the wireless switch
• Advantages
  • The APs can be managed from one central location
  • All authentication is performed in the wireless switch

Enterprise Wireless Security Devices (continued)
• Wireless VLANs
  • Can be used to segment traffic and increase security
  • The flexibility of a wireless VLAN depends on which device separates the packets and directs them to different networks
  • See Figures 6-14 and 6-15
• For enhanced security many organizations set up two wireless VLANs
  • One for employee access
  • One for guest access

Enterprise Wireless Security Devices (continued)
• Rogue Access Point Discovery Tools
  • Wireless protocol analyzer
    • Allows auditing the airwaves for rogue access points
  • Monitoring the RF frequency requires a special sensor called a wireless probe
• Types of wireless probes:
  • Wireless device probe
  • Desktop probe
  • Access point probe
  • Dedicated probe