Security+ Guide to Network Security Fundamentals, Third Edition, Chapter 6: Wireless Network Security

Ch06 Wireless Network Security


DESCRIPTION

Security+ Guide to Network Security Fundamentals, 3rd Edition, by Mark Ciampa

Knowledge and skills required for Network Administrators and Information Technology professionals to be aware of security vulnerabilities, to implement security measures, to analyze an existing network environment in consideration of known security threats or risks, to defend against attacks or viruses, and to ensure data privacy and integrity. Terminology and procedures for implementation and configuration of security, including access control, authorization, encryption, packet filters, firewalls, and Virtual Private Networks (VPNs).

CNIT 120: Network Security
http://samsclass.info/120/120_S09.shtml#lecture
Policy: http://samsclass.info/policy_use.htm
Many thanks to Sam Bowne for allowing us to publish these presentations.


Page 1: Ch06 Wireless Network Security

Security+ Guide to Network Security Fundamentals, Third Edition
Chapter 6
Wireless Network Security

Page 2: Ch06 Wireless Network Security

TJX Data Breach

TJX used WEP security
They lost 45 million customer records
They settled the lawsuits for $40.9 million
• Link Ch 6a

Page 3: Ch06 Wireless Network Security

Objectives

Describe the basic IEEE 802.11 wireless security protections
Define the vulnerabilities of open system authentication, WEP, and device authentication
Describe the WPA and WPA2 personal security models
Explain how enterprises can implement wireless security

Page 4: Ch06 Wireless Network Security

IEEE 802.11 Wireless Security Protections

Page 5: Ch06 Wireless Network Security

Institute of Electrical and Electronics Engineers (IEEE)

In the early 1980s, the IEEE began work on developing computer network architecture standards
• This work was called Project 802
In 1990, the IEEE formed a committee to develop a standard for WLANs (Wireless Local Area Networks)
• At that time WLANs operated at a speed of 1 to 2 million bits per second (Mbps)

Page 6: Ch06 Wireless Network Security

IEEE 802.11 WLAN Standard

In 1997, the IEEE approved the IEEE 802.11 WLAN standard
Revisions
• IEEE 802.11a
• IEEE 802.11b
• IEEE 802.11g
• IEEE 802.11n

Page 7: Ch06 Wireless Network Security

Controlling Access to a WLAN

Access is controlled by limiting a device’s access to the access point (AP)
Only devices that are authorized can connect to the AP
• One way: Media Access Control (MAC) address filtering
• CCSF uses this technique (unfortunately)
• See www.ccsf.edu/wifi

Page 8: Ch06 Wireless Network Security

Controlling Access

Page 9: Ch06 Wireless Network Security

MAC Address Filtering

Page 10: Ch06 Wireless Network Security

MAC Address Filtering

Usually implemented by permitting instead of preventing
CCSF does this
www.ccsf.edu/wifi

Page 11: Ch06 Wireless Network Security

Wired Equivalent Privacy (WEP)

Designed to ensure that only authorized parties can view transmitted wireless information
Uses encryption to protect traffic
WEP was designed to be:
• Efficient and reasonably strong


Page 12: Ch06 Wireless Network Security

WEP Keys

WEP secret keys can be 64 or 128 bits long
The AP and devices can hold up to four shared secret keys
• One of which must be designated as the default key

Page 13: Ch06 Wireless Network Security
Page 14: Ch06 Wireless Network Security

WEP Encryption Process

Page 15: Ch06 Wireless Network Security

Transmitting with WEP

Page 16: Ch06 Wireless Network Security

Device Authentication

Before a computer can connect to a WLAN, it must be authenticated
Types of authentication in 802.11
• Open system authentication
  • Lets everyone in
• Shared key authentication
  • Only lets computers in if they know the shared key

Page 17: Ch06 Wireless Network Security
Page 18: Ch06 Wireless Network Security
Page 19: Ch06 Wireless Network Security

Vulnerabilities of IEEE 802.11 Security

Open system authentication
MAC address filtering
WEP

Page 20: Ch06 Wireless Network Security

Open System Authentication

To connect, a computer needs the SSID (network name)
Routers normally send out beacon frames announcing the SSID
Passive scanning
• A wireless device listens for a beacon frame

Page 21: Ch06 Wireless Network Security

Turning Off Beaconing

For "security" some people turn off beacons
• This annoys your legitimate users, who must now type in the SSID to connect
• It doesn't stop intruders, because the SSID is sent out in management frames anyway
• It can also affect roaming
• Windows XP prefers networks that broadcast

Page 22: Ch06 Wireless Network Security
Page 23: Ch06 Wireless Network Security

MAC Address Filtering Weaknesses

MAC addresses are transmitted in the clear
• An attacker can just sniff for MACs
Managing a large number of MAC addresses is difficult
MAC address filtering does not provide a means to temporarily allow a guest user to access the network
• Other than manually entering the user’s MAC address into the access point

Page 24: Ch06 Wireless Network Security

WEP

To encrypt packets WEP can use only a 64-bit or 128-bit number
• Which is made up of a 24-bit initialization vector (IV) and a 40-bit or 104-bit default key
The 24-bit IV is too short, and repeats before long
In addition, packets can be replayed to force the access point to pump out IVs
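
Why the 24-bit IV matters, as an added example that is not part of the original slides: it estimates how soon IVs repeat and shows that two frames encrypted under the same IV and key share one RC4 keystream. The key, IVs, frame contents and the 1000 frames-per-second rate are constructed for illustration, and the CRC-32 integrity value that real WEP appends is left out.

```python
import math

SECRET = bytes.fromhex("0102030405")  # constructed 40-bit shared key

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def rc4_keystream(key, n):
    """Standard RC4: key scheduling, then n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_encrypt(iv, secret, plaintext):
    """RC4 keyed with the 3-byte IV followed by the shared key (ICV omitted)."""
    if len(iv) != 3:
        raise ValueError("a WEP IV is 24 bits (3 bytes)")
    return xor(plaintext, rc4_keystream(iv + secret, len(plaintext)))

def iv_collision_probability(frames, iv_bits=24):
    """Birthday approximation: chance that two of `frames` random IVs match."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * 2 ** iv_bits))

def frames_until_collision(target=0.5, iv_bits=24):
    """Frames needed before a repeated random IV is more likely than `target`."""
    return math.ceil(math.sqrt(2.0 * 2 ** iv_bits * math.log(1.0 / (1.0 - target))))

def seconds_to_exhaust_iv_space(frames_per_second, iv_bits=24):
    """With a counting IV, every value has been used once after this long."""
    return 2 ** iv_bits / frames_per_second

def reused_iv_shares_keystream():
    """Same IV and key: the keystream cancels out of c1 XOR c2."""
    p1 = b"GET /payroll HTTP/1.1"   # constructed frame bodies
    p2 = b"POST /login HTTP/1.1."
    iv = bytes([0x00, 0x2A, 0x7F])  # constructed IV
    c1 = wep_encrypt(iv, SECRET, p1)
    c2 = wep_encrypt(iv, SECRET, p2)
    return xor(c1, c2) == xor(p1, p2)

if __name__ == "__main__":
    print("frames for a 50% chance of a repeated IV:", frames_until_collision())
    print("P(repeat) after 40000 frames: %.4f" % iv_collision_probability(40000))
    print("hours to use every IV at 1000 frames/s: %.1f"
          % (seconds_to_exhaust_iv_space(1000) / 3600))
    print("reused IV shares keystream:", reused_iv_shares_keystream())
```

The shared key never changes between frames, so the IV is the only thing that varies the keystream; once it repeats, the encryption of those frames is no longer independent.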

Page 25: Ch06 Wireless Network Security

Cracking WEP

With the right equipment, WEP can be cracked in just a few minutes
• You need a special wireless card
• We do it in CNIT 123: Ethical Hacking and Network Defense

Page 26: Ch06 Wireless Network Security

Personal Wireless Security

• WPA Personal Security
• WPA2 Personal Security

Page 27: Ch06 Wireless Network Security

WPA Personal Security

Wireless Ethernet Compatibility Alliance (WECA)
• A consortium of wireless equipment manufacturers and software providers
WECA goals:
• To encourage wireless manufacturers to use the IEEE 802.11 technologies
• To promote and market these technologies
• To test and certify that wireless products adhere to the IEEE 802.11 standards to ensure product interoperability

Page 28: Ch06 Wireless Network Security

WPA Personal Security

In 2002, the WECA organization changed its name to Wi-Fi (Wireless Fidelity) Alliance
In October 2003 the Wi-Fi Alliance introduced Wi-Fi Protected Access (WPA)
• WPA had the design goal to protect both present and future wireless devices, and addresses both wireless authentication and encryption
PSK addresses authentication and TKIP addresses encryption

Page 29: Ch06 Wireless Network Security

WPA Personal Security

Preshared key (PSK) authentication
• Uses a passphrase to generate the encryption key
Key must be entered into both the access point and all wireless devices
• Prior to the devices communicating with the AP
The PSK is not used for encryption
• Instead, it serves as the starting point (seed) for mathematically generating the encryption keys

Page 30: Ch06 Wireless Network Security

Temporal Key Integrity Protocol (TKIP)

WPA replaces WEP with TKIP
TKIP advantages:
• TKIP uses a longer 128-bit key
• TKIP uses a new key for each packet

Page 31: Ch06 Wireless Network Security

Message Integrity Check (MIC)

WPA also replaces the (CRC) function in WEP with the Message Integrity Check (MIC)
• Designed to prevent an attacker from capturing, altering, and resending data packets
• See link Ch 6b

Page 32: Ch06 Wireless Network Security

WPA2 Personal Security

Wi-Fi Protected Access 2 (WPA2)
• Introduced by the Wi-Fi Alliance in September 2004
• The second generation of WPA security
• Still uses PSK (Pre-Shared Key) authentication
• But instead of TKIP encryption it uses a stronger data encryption method called AES-CCMP

Page 33: Ch06 Wireless Network Security

WPA2 Personal Security

PSK Authentication
• Intended for personal and small office home office users who do not have advanced server capabilities
• PSK keys are automatically changed and authenticated between devices after a specified period of time known as the rekey interval

Page 34: Ch06 Wireless Network Security

PSK Key Management Weaknesses

People may send the key by e-mail or another insecure method
Changing the PSK key is difficult
• Must type new key on every wireless device and on all access points
• In order to allow a guest user to have access to a PSK WLAN, the key must be given to that guest

Page 35: Ch06 Wireless Network Security

Pre-Shared Key Weakness

A PSK is a 64-bit hexadecimal number
• Usually generated from a passphrase
  • Consisting of letters, digits, punctuation, etc. that is between 8 and 63 characters in length
If the passphrase is a common word, it can be found with a dictionary attack
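
How a passphrase becomes the PSK that seeds the encryption keys, with a passphrase check an administrator can run before deploying it, as an added example that is not part of the original slides. It uses the standard WPA/WPA2-Personal mapping (PBKDF2-HMAC-SHA1, the SSID as salt, 4096 iterations, 32 bytes of output, printed as 64 hexadecimal digits); the word list, the 16-character threshold, the SSIDs and the passphrases are assumptions made for illustration.

```python
import hashlib

# Constructed sample of common passphrases; a real audit would load a larger list.
COMMON_WORDS = {"password", "letmein", "welcome", "sunshine", "qwertyui"}
MIN_RECOMMENDED_LENGTH = 16  # assumed local policy, not a value from the slides

def derive_psk(passphrase, ssid):
    """Map a passphrase to the PSK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return key.hex()

def audit_passphrase(passphrase, ssid):
    """Return the reasons a passphrase is a poor choice (empty list if none)."""
    findings = []
    lowered = passphrase.lower()
    # A dictionary word with digits or '!' tacked on is still a dictionary word.
    if lowered in COMMON_WORDS or lowered.rstrip("0123456789!") in COMMON_WORDS:
        findings.append("based on a common word")
    if ssid and ssid.lower() in lowered:
        findings.append("contains the SSID")
    if len(passphrase) < MIN_RECOMMENDED_LENGTH:
        findings.append("shorter than %d characters" % MIN_RECOMMENDED_LENGTH)
    classes = [any(c.islower() for c in passphrase),
               any(c.isupper() for c in passphrase),
               any(c.isdigit() for c in passphrase),
               any(not c.isalnum() for c in passphrase)]
    if sum(classes) < 2:
        findings.append("uses a single character class")
    return findings

if __name__ == "__main__":
    for phrase in ("Password1", "correct-Horse-7-battery-staple"):
        print(phrase, "->", audit_passphrase(phrase, "HomeNet") or "no findings")
    # The same passphrase yields a different PSK on a different SSID.
    print(derive_psk("correct-Horse-7-battery-staple", "HomeNet"))
    print(derive_psk("correct-Horse-7-battery-staple", "GuestNet"))
```

Because the SSID is the salt, a default or widely shared network name makes a weak passphrase weaker still, since the same derived key appears on every network using that pair.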

Page 36: Ch06 Wireless Network Security

Cracking WPA

Page 37: Ch06 Wireless Network Security

WPA2 Personal Security (continued)

AES-CCMP Encryption
• Encryption under the WPA2 personal security model is accomplished by AES-CCMP
• This encryption is so complex that it requires special hardware to be added to the access points to perform it

Page 38: Ch06 Wireless Network Security

WPA and WPA2 Compared

Page 39: Ch06 Wireless Network Security

Enterprise Wireless Security

Two models:
IEEE 802.11i
WPA and WPA2 models

Page 40: Ch06 Wireless Network Security

IEEE 802.11i

Improves encryption and authentication
Encryption
• Replaces WEP’s original PRNG RC4 algorithm
• With a stronger cipher that performs three steps on every block (128 bits) of plaintext

Page 41: Ch06 Wireless Network Security

IEEE 802.11i

IEEE 802.11i authentication and key management is accomplished by the IEEE 802.1x standard

Page 42: Ch06 Wireless Network Security

802.1x Authentication

Page 43: Ch06 Wireless Network Security

IEEE 802.11i (continued)

Key-caching
• Remembers a client, so if a user roams away from a wireless access point and later returns, she does not need to re-enter her credentials
Pre-authentication
• Allows a device to become authenticated to an AP before moving into range of the AP
• Authentication packet is sent ahead

Page 44: Ch06 Wireless Network Security

WPA Enterprise Security

Designed for medium to large-size organizations
Improved authentication and encryption
The authentication used is IEEE 802.1x and the encryption is TKIP

Page 45: Ch06 Wireless Network Security

WPA Enterprise Security (continued)

IEEE 802.1x Authentication
• Provides an authentication framework for all IEEE 802-based LANs
• Does not perform any encryption
TKIP Encryption
• An improvement on WEP encryption
• Designed to fit into the existing WEP procedure

Page 46: Ch06 Wireless Network Security

WPA2 Enterprise Security

The most secure method
Authentication uses IEEE 802.1x
Encryption is AES-CCMP

Page 47: Ch06 Wireless Network Security

Enterprise and Personal Wireless Security Models

Page 48: Ch06 Wireless Network Security

Enterprise Wireless Security Devices

Thin Access Point
• An access point without the authentication and encryption functions
  • These features reside on the wireless switch
Advantages
• The APs can be managed from one central location
• All authentication is performed in the wireless switch

Page 49: Ch06 Wireless Network Security

Enterprise Wireless Security Devices (continued)

Page 50: Ch06 Wireless Network Security

Enterprise Wireless Security Devices (continued)

Wireless VLANs
• Can segment traffic and increase security
• The flexibility of a wireless VLAN depends on which device separates the packets and directs them to different networks

Page 51: Ch06 Wireless Network Security
Page 52: Ch06 Wireless Network Security
Page 53: Ch06 Wireless Network Security

Enterprise Wireless Security Devices (continued)

For enhanced security, set up two wireless VLANs
• One for employee access
• One for guest access

Page 54: Ch06 Wireless Network Security

Rogue Access Point Discovery Tools

Wireless protocol analyzer
• Auditors carry it around sniffing for rogue access points
For more security, set up wireless probes to monitor the RF frequency

Page 55: Ch06 Wireless Network Security

Types of Wireless Probes

Wireless device probe
Desktop probe
Access point probe
Dedicated probe

Page 56: Ch06 Wireless Network Security