module 10 wireless networking net +


you can provide a level of security using the following practices

1. Change the administrator account name and password
2. Change SSID from default
3. Update the firmware
5. Enable the firewall on the AP
6. Disable DHCP
7. Enable MAC address filtering
8. Reduce RF emanations

Three different types of enterprise deployments have been commonly implemented

1. Independent access points
2. Hub-and-spoke infrastructure
3. Distributed wireless mesh infrastructure

Wireless networks are vulnerable to the following specific security attacks:

1. Rogue access point
2. Data emanation
3. Packet sniffing
4. Initialization vector (IV) attack
5. Interference
6. Jamming
7. Bluetooth

Use the following steps to configure wireless devices on your network:

1. Set the SSID
2. Configure the region (AP only)
3. Configure the channel
4. Configure security
5. Configure the beacon

Your site survey kit should include:

1. Two access points.
2. Two laptops with a network performance measurement utility, such as Iperf, installed so you can evaluate the network throughput available at each location.
3. A tall ladder so you can test each AP at height or close to height.
4. 2-way radios to communicate with your assistants.
5. A spectrum analyzer.

Independent Basic Service Set (IBSS)

An IBSS is a set of STAs configured in ad hoc mode.

Station (STA)

An STA is a wireless NIC in an end device such as a laptop or wireless PDA. STA often refers to the device itself, not just the NIC.

Infrastructure

An infrastructure wireless network uses an access point (AP) that functions like a hub on an Ethernet network. Infrastructure networks have the following characteristics: • The network uses a physical star topology with a logical bus topology. • You can easily add hosts without increasing administrative efforts (scalable). • The AP can be connected to a wired network easily, allowing clients to access both wired and wireless hosts. • The placement and configuration of APs require planning to implement effectively. You should implement an infrastructure network for all but the smallest of wireless networks.

If you are having trouble establishing or keeping a wireless connection, consider the following factors:

• Wireless on/off switch
• Incorrect configuration
• Range
• Obstructions
• Channel interference
• Atmospheric and EMI conditions
• AP placement
• Antenna orientation
• Latency
• Bandwidth saturation
• Device saturation
• Untested updates

beacon

a frame that is sent out periodically by the AP. The beacon announces the AP and the characteristics of the network, like the SSID, supported speeds, and the signaling method used.

Bluejacking

a rather harmless practice which involves business cards being sent anonymously to a Bluetooth recipient within a distance of 10-100 meters, depending on the class of the Bluetooth device. The business cards usually include a flirtatious message used by the attacker to elicit a visual reaction from the recipient. An attacker will send multiple messages to the device if they think there is a chance they will be added as a contact. Bluetooth devices are not susceptible to bluejacking if they are set to non-discoverable mode.

Wardriving

a technique that hackers use to find wireless networks. They use detection tools that locate wireless APs within an area, even if the SSID broadcast has been disabled. Once a wireless network has been detected, it is often easy for hackers to gain access to it, even if they are not physically present in your building or even on your property.

Ad hoc

An ad hoc network works in peer-to-peer mode without an access point. The wireless NICs in each host communicate directly with one another. An ad hoc network: • Uses a physical mesh topology with a logical bus topology. • Is cheap and easy to set up. • Cannot handle a large number of hosts. • Requires special modifications to reach wired networks. You will typically only use an ad hoc network to create a direct, temporary connection between two hosts.

dual band access

can use one radio to transmit at one frequency, and a different radio to transmit at a different frequency

Signal to Noise Ratio (SNR)

compares the level of the wireless network signal (RSL) to the level of background noise (measured in decibels).

VLAN pooling

each wireless client is randomly assigned a VLAN from a pool of VLANs on the same SSID. This strategy automatically partitions a single broadcast domain into multiple VLANs.

Received Signal Level (RSL)

identifies how strong the radio signal is at the receiver. The closer you are to the transmitter, the stronger the RSL. The farther away you are, the lower the RSL.

Bandwidth saturation

the point at which all of the available bandwidth on an Internet connection has achieved maximum capacity and cannot pass any more data through the connection.

Random pulse jamming

uses radio signal pulses of random amplitude and frequency to interfere with a Wi-Fi network.

802.1x authentication

uses usernames and passwords, certificates, or devices such as smart cards to authenticate wireless clients. Originally designed for Ethernet networks, the 802.1x standards have been adapted for use in wireless networks to provide secure authentication.

Bluesnarfing

when an attacker gains unauthorized access to an existing Bluetooth connection between phones, desktops, laptops, or PDAs. Bluesnarfing allows access to the calendar, emails, text messages, and contact lists. Many Bluetooth devices have built-in features to prevent bluesnarfing, but it is still a known vulnerability.

hub-and-spoke configuration

wireless controller is connected to all APs through wired links. The individual APs contain very little embedded intelligence and are sometimes referred to as lightweight access points (LWAPs).

To mitigate and protect your network against data emanation threats:

• Do not place APs near outside walls. • Conduct a site survey to identify the coverage area of and optimal placement for wireless APs. This helps prevent signals from going beyond identified boundaries. A site survey uses tools to identify the presence and strength of wireless transmissions. • Implement a Faraday cage or Faraday shield. A Faraday cage is an enclosure that prevents radio frequency signals from emanating out of a controlled environment. It is made of conducting material, or a mesh of conducting material, that blocks external static electrical fields. Unfortunately, Faraday cages can also prevent cell phone usage. • Encrypt all data transmitted through your AP. • Use firewalls on each network AP.

interference is a signal that corrupts or destroys the wireless signal sent by APs and other wireless devices

• Electromagnetic Interference (EMI) is caused by motors, heavy machinery, and fluorescent lights. • Radio Frequency Interference (RFI) is caused by radio signals using the same radio channel—which can be caused by nearby wireless devices, such as cordless phones or microwave ovens.

The wireless controller:

• Manages all of the APs that are connected to it. Configuration changes are made once on the controller and are then pushed out to all connected APs. • Usually provides DHCP services to dynamically assign IP addressing information to wireless clients. • Connects the wireless network to the internal wired network. • Routes wireless traffic from the wireless network to the internal wired network (and vice versa).

Basic Service Set Identifier (BSSID)

The BSSID is a 48-bit value that identifies an AP in an infrastructure network or an STA in an ad hoc network. The BSSID allows devices to find a specific AP within an ESS that has multiple access points, and it is used by STAs to keep track of APs when roaming between BSSs. The BSSID is the MAC address of the AP and is set automatically. Do not confuse the BSSID with the SSID. They are not the same thing.

Distribution System (DS)

The DS is the backbone or LAN that connects multiple APs (and BSSs) together. The DS allows wireless clients to communicate with the wired network and with wireless clients in other cells.

Access Point (AP)

An AP, sometimes called a wireless AP (WAP), is the device that coordinates all communications between wireless devices, as well as the connection to the wired network. It acts as a hub on the wireless side and a bridge on the wired side. It also synchronizes the stations within a network to minimize collisions.

Extended Service Set (ESS)

An ESS consists of multiple BSSs with a distribution system (DS). In an ESS, BSSs that have an overlapping transmission range use different frequencies.

Distributed wireless mesh infrastructure

Newer wireless networks can be deployed using a distributed wireless mesh architecture. These networks still use a controller, but they move some of the network intelligence from the controller out to the individual APs. In this configuration, the controller is no longer a bottleneck. The APs are smart enough to communicate directly with each other to create more efficient data paths for network traffic.

War chalking

marks that indicate the presence of a wireless network are drawn outside of buildings. Attackers might use these marks to alert others of open or secured wireless networks. Businesses might even use these marks to advertise their free wireless networks.

The hub-and-spoke infrastructure

more efficient and allows for much larger wireless networks. However, the controller itself becomes a bottleneck. All wireless data must pass through the controller, even if it is destined for another wireless host on the same wireless network. The APs are not able to communicate directly with each other; they can communicate only with the wireless controller. If the controller goes down, the entire wireless network will cease to function even if the APs remain functional.

Device saturation

occurs when the percentage of CPU time where I/O requests are issued to a device, or the bandwidth utilization for the device, is close to 100%.

Random noise jamming

produces radio signals using random amplitudes and frequencies. While not as effective as a spark attack, the random noise attack is harder to identify due to the intermittent jamming it produces and the random nature of the interference. In fact, this type of signal is frequently mistaken for normal background radio noise that occurs naturally.

Open authentication

requires that clients provide a MAC address in order to connect to the wireless network. • You can use open authentication to allow any wireless client to connect to the AP. Open authentication is typically used on public networks. • You can implement MAC address filtering to restrict access to the AP to only known (or allowed) MAC addresses. Because MAC addresses are easily spoofed, this provides little practical security.

Jamming

signal interference that is created intentionally by an attacker. The goal of jamming is to make a wireless network unusable.

Packet sniffing (also known as eavesdropping)

the interception and possible decoding of wireless transmissions. Wireless transmissions can be easily intercepted. Encrypt all data transmitted through your AP to mitigate threats from packet sniffing.

Spark jamming

the most effective type of Wi-Fi interference attack. It repeatedly blasts receiving equipment with high-intensity, short-duration RF bursts at a rapid pace. Experienced RF signal technicians can usually identify this type of attack quickly because of the regular nature of the signal.

Goodput

the number of useful bits delivered from the sender to the receiver over the wireless network connection within a specified amount of time. Errors due to lost, corrupt, or dropped packets require retransmission and reduce the goodput of the connection.

Untested updates

updates that have not been tested in a test environment on your network before you applied them to your network. You should never deploy an update that you have not tested on your network first.

Frequency Hopping Spread Spectrum (FHSS)

uses a narrow frequency band and hops data signals in a predictable sequence from frequency to frequency over a wide band of frequencies. • Because FHSS shifts automatically between frequencies, it can avoid interference that may be on a single frequency. • Hopping between frequencies increases transmission security by making eavesdropping and data capture more difficult.

802.1x authentication requires the following components:

• A RADIUS server to centralize user account and authentication information. A centralized database for user authentication is required to allow wireless clients to roam between cells but authenticate using the same account information. • A PKI for issuing certificates. At a minimum, the RADIUS server must have a server certificate. To support mutual authentication, each client must also have a certificate. Use 802.1x authentication on large, private networks. Users authenticate with unique usernames and passwords.

Service Set Identifier (SSID)

The SSID, also called the network name, groups wireless devices together into the same logical network. • All devices on the same network (within the BSS and ESS) must have the same SSID. • The SSID is a 32-bit value that is inserted into each frame. The SSID is case sensitive. • The SSID is sometimes called the ESSID (Extended Service Set ID) or the BSSID (Basic Service Set ID). In practice, each term means the same thing; however, they are technically different. Using BSSID to describe the SSID of a BSS is technically incorrect.

Wired Equivalent Privacy (WEP)

WEP is an optional component of the 802.11 specifications that was deployed in 1997. WEP was designed to provide wireless connections with the same security as wired connections. WEP has the following weaknesses: • A static pre-shared key (PSK) is configured on the AP and the client and cannot be dynamically changed or exchanged without administration. As a result, every host on large networks usually uses the same key. • Because key values are short and don't change, the key can be captured and easily broken. When using WEP, use open authentication. Shared key authentication with WEP uses the same key for both encryption and authentication, exposing the key to additional attacks.

Wi-Fi Protected Access (WPA)

WPA is the implementation name for wireless security based on initial 802.11i drafts that was deployed in 2003. It was intended to be an intermediate measure to take the place of WEP while a fully secured system (802.11i) was prepared. WPA: • Uses Temporal Key Integrity Protocol (TKIP) for encryption. • Supports both pre-shared key (WPA-PSK or WPA Personal) and 802.1x (WPA Enterprise) authentication. • Can use dynamic keys or pre-shared keys. • Can typically be implemented in WEP-capable devices through a software/firmware update. WPA keys can also be predicted by reconstructing the Message Integrity Check (MIC) of an intercepted packet, sending the packet to an AP, and observing whether the packet is accepted by the AP.

Wi-Fi Protected Access 2 (WPA2) or 802.11i

WPA2 is the implementation name for wireless security that adheres to the 802.11i specifications. It was deployed in 2005. It is built upon the idea of Robust Secure Networks (RSN). Like WPA, it resolves the weaknesses inherent in WEP; it is intended to eventually replace both WEP and WPA. WPA2: • Uses Advanced Encryption Standard (AES) as the encryption method. It is similar to (yet more secure than) TKIP but requires special hardware for performing encryption. • Uses Counter Mode with CBC-MAC Protocol (CCMP), also known as AES-CCMP. • Supports both pre-shared key (WPA2-PSK or WPA2 Personal) and 802.1x (WPA2 Enterprise) authentication. • Can use dynamic keys or pre-shared keys. WPA2 has the same advantages over WEP as WPA. While WPA2 is more secure than WPA, its main disadvantage is that it requires new hardware for implementation.

Collision avoidance uses the following process:

1. The sending device listens to make sure that no other device is transmitting. If another device is transmitting, the device waits a random period of time (called a backoff period) before attempting to send again.
2. If no other device is transmitting, the sending device broadcasts a Request to send (RTS) message to the receiver or AP. The RTS includes the source and destination, as well as information on the duration of the requested communication.
3. The receiving device responds with a Clear to send (CTS) message. The CTS also includes the communication duration period. Other devices use the information in the RTS and CTS to delay send attempts until the communication duration period (and subsequent acknowledgement) has passed.
4. The sending device transmits the data. The receiving device responds with an acknowledgement (ACK). If an acknowledgement is not received, the sending device assumes a collision occurred and retransmits the affected packet.
5. After the time interval specified in the RTS and CTS has passed, other devices can start the process again to attempt to transmit.
The use of RTS and CTS (steps 2 and 3) is optional and depends on the capabilities of the wireless devices. Without RTS/CTS, collisions are more likely to occur.
Wireless communication operates in half-duplex (shared, two-way communication). Devices can both send and receive, but not at the same time. Devices must take turns using the transmission channel. Once a party begins receiving a signal, it must wait for the transmitter to stop transmitting before it can reply.

The wireless network design process is composed of the following steps:

1. Gather network requirements
2. Clearly identify expectations
3. Identify key design considerations
4. Conduct initial RF modeling and mapping
5. Perform bandwidth planning
6. Conduct a site survey

Basic Service Set (BSS)

A BSS, also called a cell, is the smallest unit of a wireless network. All devices in the BSS can communicate with each other. The devices in the BSS depend on the operating mode. • In an ad hoc implementation, each BSS contains two devices that communicate directly with each other. • In an infrastructure implementation, the BSS consists of one AP and all STAs associated with the AP. All devices within the BSS use the same radio frequency channel to communicate.

Direct-Sequence Spread Spectrum (DSSS)

With DSSS, the transmitter breaks data into pieces and sends the pieces across multiple frequencies in a defined range. DSSS is more susceptible to interference and less secure than FHSS.

Independent access points

Each AP stood alone, providing separate wireless networks by using its own independent configuration. Independent APs offered limited mobility and were difficult to manage. If you don't do these things, then mobile devices must get a new IP address every time they move to a different AP, which disrupts connectivity.

Orthogonal Frequency-Division Multiplexing (OFDM)

OFDM breaks data into very small data streams in order to send the information across long distances where environmental obstacles may be an issue. OFDM: • Modulates adjacent radio signals orthogonally, which allows for a very large number of small data streams in a single frequency. • Reduces the effects of signal interference caused by environmental obstacles, such as walls or buildings. • Is used by 802.11g/a/n and ac wireless networks to achieve higher transfer speeds.

Site survey test equipment

You should bring access points to each location to test the signal quality and to identify the node density required in each area.

Initialization vector (IV) attack

a seed value used in encryption. The IV and the key are used in an encryption algorithm to generate additional keys or to encrypt data. WEP encryption reuses IVs, which means that patterns can be observed and IVs can ultimately be cracked (known as an IV attack). For security, the IV should be large and unpredictable.

shared key authentication

clients and APs are configured with a shared key (called a secret or a passphrase). Only devices with the correct shared key can connect to the wireless network. • All APs and all clients use the same authentication key. • Use shared key authentication on small, private networks. • Shared key authentication is relatively insecure, as hashing methods used to protect the key can be easily broken.

Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA)

control media access and avoid (rather than detect) collisions

some utilities use the term mixed mode, meaning?

designate a network with both 802.11n and non-802.11n clients. In this configuration, one radio transmitter is used for legacy clients, and the remaining radio transmitters are used for 802.11n clients.

Bluebugging

gives an attacker access to all mobile phone commands that use Bluetooth technology, such as initiating phone calls, sending and receiving messages, listening to phone calls, and reading and writing phonebook contacts. Bluebugging can be accomplished only by highly skilled individuals.

site survey report should contain

• A physical network diagram, including each access point, controller, and the media that connects them. • An RF model that includes a frequency/channel plan. • The spectrum analysis results. • A logical network diagram containing SSIDs, IP addressing, and VLAN information. • Photographs and diagrams of each access point mounting site. • A list of structural modifications required to build the network. • A list of alternate mounting locations (if necessary). • A list of equipment that must be purchased. • A cost estimate for equipment and labor.

some common devices that are used on a wireless network

• A wireless NIC sends and receives signals. • A wireless AP is the equivalent of an Ethernet hub. The wireless NICs connect to the AP, and the AP manages network communication. • A wireless bridge connects two wireless APs into a single network or connects a wireless AP to a wired network. Most APs include bridging features. Many wireless APs include ports (or hubs, switches, or routers) to connect the wireless network to the wired portion of the network.

When you perform your spectrum analysis, you should record

• The number of other APs in the area. • Channel utilization in the 2.4 and 5.x GHz bands to aid in channel planning. When running your spectrum analysis, you should gather data at the height where: • The AP will be installed. • User devices will be located.

