Security Fundamentals: Chapter 8 - Wireless Network Security


Access point (AP) functions:

-Acts as "base station" for wireless network
-Acts as a bridge between wireless and wired networks
  •Can connect to wired network by a cable

Other advantages of controller APs:

-Handoff procedure is eliminated because all authentications are performed in the WLC
-Offers tools that provide for monitoring the environment and providing information regarding the best locations for APs, wireless AP configuration settings, and power settings

In wireless home attacks, attackers can:

-Steal data
-Read wireless transmissions
-Inject malware
-Download harmful content

Wireless peripheral protections include:

-Updating or replacing any vulnerable devices
-Switching to more fully tested Bluetooth mice and keyboards
-Substituting a wired mouse or keyboard

Protected EAP (PEAP)

•A common EAP protocol
•Simplifies deployment of 802.1x by using Microsoft Windows logins and passwords
•Creates encrypted channel between the client and the authentication server

Networks that aren't using an AP operate in...

Ad Hoc Mode
•Devices can only communicate between themselves and cannot connect to another network
•The Wi-Fi Alliance has created a similar technical specification called Wi-Fi Direct

In wireless networks, APs can be divided into _______ (3 choices)

Fat vs. thin, Controller vs. Standalone, & Captive Portal APs

Hard Edge

In a network, this is a well-defined boundary that protects data and resources
•The introduction of WLANs in enterprises has changed hard edges to "blurred edges"

WLAN using an AP operates in....

Infrastructure Mode

What is the difference between an RFID and NFC wireless technology?

NFC - standards used to establish communication between devices in close proximity, used in contactless payment systems
RFID - Commonly used to transmit information between employee identification badges, inventory tags, book labels, and other paper-based tags that can be detected by a proximity reader

Spectrum Selection

Some APs provide the ability to adjust frequency spectrum settings, including:
-Frequency band
-Channel selection
-Channel width

What is the encryption for WPA?

TKIP pre-shared key = authentication

EAP-FAST

This protocol securely tunnels any credential form for authentication (such as a password or a token) using TLS

EAP-TTLS

This protocol securely tunnels client password authentication within Transport Layer Security (TLS) records

EAP-TLS

This protocol uses digital certificates for authentication

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) is the encryption protocol used for ________.

WPA2

Wireless Denial of Service Attack: RF Jamming

attackers use intentional RF interference to flood the RF spectrum with enough interference to prevent a device from communicating with the AP

_______ is an attack that sends unsolicited messages to Bluetooth-enabled devices, while ______ is an attack that accesses unauthorized information from a wireless device through a Bluetooth connection.

bluejacking, bluesnarfing

Active NFC Device

can read information as well as transmit data (i.e.: credit card machine)

Passive NFC Device

contains information that other devices can read but does not read or receive any information (example: NFC tag)

What is an AP that is set up by an attacker that is designed to mimic an authorized AP?

evil twin

NFC vulnerability: data theft

Explanation: Attackers can "bump" a portable reader to a user's smartphone in a crowd to make an NFC connection and steal payment information stored on the phone
Defense: can be prevented by turning off NFC while in a large crowd

NFC vulnerability: eavesdropping

Explanation: Unencrypted NFC communication between the device and terminal can be intercepted and viewed
Defense: Because an attacker must be extremely close to pick up the signal, users should remain aware of their surroundings while making a payment

key phrases:

hijacking/jacking = stealing
spoofing = lying
aggregate =

Wireless Home Attacks

most home users fail to configure any security on their home networks

Antennas

•AP should be located near the center of the coverage area
•Place high on a wall to reduce signal obstructions and deter theft
•If possible, the AP and antenna should be positioned so that a minimal amount of signal reaches beyond the security perimeter of the building

Extensible Authentication Protocol (EAP)

•A framework for transporting authentication protocols
•Defines message format
•Uses four types of packets
  -Request
  -Response
  -Success
  -Failure

Near Field Communication (NFC)

•A set of standards used to establish communication between devices in close proximity
•Once devices are brought within 4 cm of each other or tapped together, two-way communication is established
•Devices using NFC can be active or passive
Example -> Apple Pay

Wireless Security Solutions

•A unified approach to WLAN security was needed
•IEEE and Wi-Fi Alliance began developing security solutions
•Resulting standards used today
  •IEEE 802.11i
  •WPA and WPA2

Evil twin

•AP set up by an attacker
•Attempts to mimic an authorized AP
•Attackers capture transmissions from users to evil twin AP
*malicious in intent

Vulnerabilities of MAC address filtering

•Addresses exchanged in unencrypted format
  -Attacker can see address of approved device and substitute it on his own device
•Managing large number of addresses is challenging

AES-CCMP Encryption

•Advanced Encryption Standard (AES) block cipher
•AES performs three steps on every block (128 bits) of plaintext
•Within second step, multiple iterations are performed
•Bytes are substituted and rearranged

Wireless Replay Attack

•Also known as "hijacking"
•The attacker captures transmitted wireless data, records it, and then sends it on to the original recipient without the attacker's presence being detected
•Can be accomplished using an evil twin AP
•Known as a man-in-the-middle attack

Bluesnarfing

•An attack that accesses unauthorized information from a wireless device through a Bluetooth connection
•Often between cell phones and laptops
•Attacker copies e-mails, contacts, or other data by connecting to the Bluetooth device without the owner's knowledge

Intercepting Wireless Data

•An attacker can pick up the RF signal from an open or misconfigured AP
•Using a WLAN to read this data could yield significant information to an attacker regarding the wired enterprise network

Site Surveys

•An in-depth examination and analysis of a wireless LAN site

Rogue access point

•An unauthorized access point that allows an attacker to bypass network security configurations
•Usually set up by an insider (employee)
•May be set up behind a firewall, opening the network to attacks
*just trying to circumvent security

Access point (AP) major parts

•Antenna and radio transmitter/receiver send and receive wireless signals
•Bridging software to interface wireless devices to other devices
•Wired network interface allows it to connect by cable to standard wired network

Preshared Key (PSK) Authentication

•Authentication for WPA Personal is accomplished by using a preshared key (PSK)
•After AP is configured, the client device must have the same key value entered
•Key is shared prior to communication taking place
•Uses a passphrase to generate encryption key
•Must be entered on each AP and wireless device in advance
•Devices that have the secret key are automatically authenticated by the AP
*key = the password

Examples of NFC uses:

•Automobile
•Entertainment
•Office
•Retail stores
•Transportation
•NFC devices are used in contactless payment systems
•A consumer can pay for a purchase by simply tapping a store's payment terminal with their smartphone

Fat vs. Thin APs

•Autonomous APs have the intelligence required to manage wireless authentication, encryption, and other functions for the wireless devices they serve (called fat APs)
•"Lightweight" APs do not contain all the management and configuration functions found in fat APs (called thin APs)

Several attacks can be directed against wireless data systems:

•Bluetooth attacks
•Near Field Communication (NFC) attacks
•Radio frequency identification systems
•Wireless local area network attacks

Radio frequency identification (RFID)

•Commonly used to transmit information between employee identification badges, inventory tags, book labels, and other paper-based tags that can be detected by a proximity reader
•Most RFID tags are passive
•Do not have their own power supply
•Because they do not require a power supply, they can be very small
•RFID tags are susceptible to different attacks
•Current version of RFID standards known as Generation 2
•Contains some security enhancements over the previous version

Standalone vs. Controller APs

•Controller APs can be managed through a dedicated wireless LAN controller (WLC)
•The WLC is the single device that can be configured and settings are automatically distributed to all controller APs

Piconet

•Established when two Bluetooth devices come within range of each other
•One device (master) controls all wireless traffic
•Other device (slave) takes commands
  -Active slaves are sending transmissions
  -Parked slaves are connected but not actively participating
*M = master, AS = active slave, PS = parked slave

AP types can be divided into:

•Fat vs. thin
•Controller vs. standalone
•Captive portal APs

Important info to know about WLANs:

•History and specifications of IEEE WLANs
•Hardware necessary for a wireless network
•Different types of WLAN attacks directed at both enterprise and home users

Wi-Fi Protected Access (WPA)

•Introduced in 2003 by the Wi-Fi Alliance
•A subset of IEEE 802.11i
•Two modes of WPA:
  •WPA Personal
  •WPA Enterprise
•WPA addresses both encryption and authentication

WPA Vulnerabilities

•Key management
  -Key sharing is done manually without security protection
  -Keys must be changed on a regular basis
  -Key must be disclosed to guest users
•Passphrases
  -PSK passphrases of fewer than 20 characters subject to cracking

MAC Address Filtering

•Method of controlling WLAN access
•Limit a device's access to AP

Institute of Electrical and Electronics Engineers (IEEE) WLANs

•Most influential organization for computer networking and wireless communications
•Dates back to 1884
•Began developing network architecture standards in the 1980s
•1997: release of IEEE 802.11
•Standard for wireless local area networks (WLANs)
•Higher speeds (5.5 Mbps and 11 Mbps) added in 1999: IEEE 802.11b

Vulnerabilities of IEEE wireless security

•Original IEEE 802.11 committee recognized wireless transmissions could be vulnerable
•Implemented several wireless security protections in the standard
•Left others to WLAN vendor's discretion
•Protections were vulnerable and led to multiple attacks

IEEE 802.1x Authentication

•Originally developed for wired networks
•Provides greater degree of security by implementing port-based authentication
•Blocks all traffic on a port-by-port basis until client is authenticated

AP Configuration and Device Options

•Other AP configuration settings are designed to limit the spread of the wireless RF signal
•So that a minimum amount of signal extends past the physical boundaries of the enterprise to be accessible to outsiders

2 common WPS methods:

•PIN method - utilizes a PIN printed on a sticker of the wireless router or displayed through a software wizard
  -User enters PIN and the security configuration automatically occurs
•Push-button method - user pushes buttons and the security configuration takes place

Wireless client network interface card adapter

•Performs same functions as wired adapter
•Antenna sends and receives signals through airwaves

IEEE 802.11g

•Preserves stable and widely accepted features of 802.11b and increases data transfer rates similar to 802.11a

IEEE 802.11n

•Ratified in 2009
•Improvements: speed, coverage area, resistance to interference, and strong security

IEEE 802.11ac

•Ratified in early 2014 and has data rates over 7 Gbps

Additional Wireless Security Protections

•Rogue AP system detection
•Using the correct type of AP
•AP configuration settings
•Wireless peripheral protection

Types of wireless attacks:

•Rogue access points
•Evil twins
•Intercepting wireless data
•Wireless replay attacks
•Denial of service attacks

Not advertising the SSID only provides a weak degree of security and has limitations:

•SSID can be discovered when transmitted in other frames
•May prevent users from being able to freely roam from one AP coverage area to another
•It's not always possible to turn off SSID beaconing

Wi-Fi Protected Access 2 (WPA2)

•Second generation of WPA is known as WPA2
•Introduced in 2004
•Based on final IEEE 802.11i standard
•Two modes of WPA2:
  •WPA2 Personal
  •WPA2 Enterprise
•Addresses two major security areas of WLANs:
  •Encryption
  •Authentication

Signal Strength Settings

•Some APs allow adjustment of the power level at which the LAN transmits
•Reducing power allows less signal to reach outsiders

IEEE 802.11a

•Specifies maximum rated speed of 54 Mbps using the 5 GHz spectrum

Once a suspicious signal is detected by a wireless probe:

•The information is sent to a centralized database where WLAN management system software compares it to a list of approved APs
•Any device not on the list is considered a rogue AP

Service Set Identifier (SSID)

•The user-supplied network name of a wireless network; usually broadcast so that any device can see it
  -The broadcast can be restricted
•Some wireless security sources encourage users to configure their APs to prevent the broadcast of the SSID

WPS design and implementation flaws:

•There is no lockout limit for entering PINs
•The last PIN character is only a checksum
•The wireless router reports the validity of the first and second halves of the PIN separately

Media Access Control (MAC) Address Filtering

•Used by nearly all wireless AP vendors
•Permits or blocks device based on MAC address

Residential WLAN gateway

•Used by small offices or home users to connect to the Internet
•Features included are AP, firewall, router, dynamic host configuration protocol (DHCP) server, and others

Temporal Key Integrity Protocol (TKIP) Encryption

•Used in WPA
•Uses a longer 128-bit key than WEP
•Dynamically generated for each new packet
•Includes a Message Integrity Check (MIC), designed to prevent man-in-the-middle attacks for wireless

Captive Portal APs

•Uses a standard web browser to provide information
•Gives the wireless user the opportunity to agree to a policy or present valid login credentials

Wireless Peripheral Protection

•Vulnerabilities in wireless mice and keyboards are common
•One attack could let a threat actor inject mouse movements or keystrokes from a nearby antenna up to 100 yards away

WEP vulnerabilities:

•WEP can only use a 64-bit or 128-bit number to encrypt
  -Initialization vector (IV) is only 24 of those bits
  -Short length makes it easier to break
•Violates cardinal rule of cryptography: avoid a detectable pattern
  -Attackers can see duplication when IVs start repeating

Rogue AP Discovery Tools - 4 types of wireless probes can monitor airwaves for traffic:

•Wireless device probe
•Desktop probe
•Access point probe
•Dedicated probe

Bluetooth

•Wireless technology that uses short-range radio frequency (RF) transmissions
•Provides rapid device pairings
  -Example: smartphone and a Bluetooth mouse
•Personal Area Network (PAN) technology
•Current version is Bluetooth 5 with a range of 800 ft (243 meters)

WEP - Wired Equivalent Privacy

•An IEEE 802.11 security protocol designed to ensure that only authorized parties can view transmissions
•Encrypts plaintext into ciphertext
•Secret key is shared between wireless client device and AP

Bluejacking

•An attack that sends unsolicited messages to Bluetooth-enabled devices
•Text messages, images, or sounds
•Considered more annoying than harmful
•No data is stolen

Wi-Fi Protected Setup (WPS)

•An optional means of configuring security on WLANs

Wireless Denial of Service Attack: Spoofing

•Attackers craft a fictitious frame that pretends to come from a trusted client when it actually comes from the attacker

Wireless Denial of Service Attack: Manipulating Duration Field Values

•Attackers send a frame with the duration field set to a high value, preventing other devices from transmitting for that period of time

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)

•The encryption protocol used for WPA2
•Specifies the use of CCM with AES
•The Cipher Block Chaining Message Authentication Code (CBC-MAC) component of CCMP provides data integrity and authentication
•Both CCMP and TKIP use a 128-bit key for encryption
•Both methods use a 64-bit MIC value

