Unit 2: Security Solutions for Wi-Fi Networks

Captive Portals

A captive portal, sometimes called a walled garden, is a web page redirection that a wireless device user is presented with after performing an IEEE 802.11 open system authentication and IEEE 802.11 association when connecting to a wireless (Wi-Fi) network. Captive portals are not limited to Wi-Fi networks, but this is one network type where they are often used. In order for the user to access permitted resources or gain wireless network access, a web page will require them to authenticate in some way, which may include the following: Entering user credentials (username and password) Inputting payment information Agreeing to terms and conditions When one or more of these methods is used, the wireless device will be able to access the network and use whatever resources they have permissions to use. Most if not all public access wireless networks have some type of captive portal enabled. This includes networks at public venues such as hotels, coffeehouses, restaurants, and airports. This will help to protect both the provider (host) and the user of the wireless network. Private corporate networks also use captive portals when a user connects to the guest service set identifier (SSID). Using captive portal authentication with enterprise guest networks will ensure that a user is connecting to an authorized company access point and not a potential rogue access point. Most enterprise-grade wireless access points, including cloud-based access points and wireless LAN controllers, have built-in captive portal capabilities that are fairly straightforward and easy to implement. Keep in mind that a captive portal does not offer security of any data and only provides a way for network infrastructure devices to restrict device and user access to a network until some type of successful authentication has been provided. This "authentication" could be as simple as agreeing to a "Terms and Conditions" web page. After a user connects to a wireless network through a captive portal, additional security measures should be put in place. For public networks, this includes options such as virtual private network (VPN) connections or using a secure protocol like HTTPS, at a minimum. With a corporate network, additional authentication may include WPA2 passphrase authentication or IEEE 802.1X/EAP user/certificate-based authentication. These and other security concepts will be discussed further in Chapter 16, "Device Authentication and Data Encryption." The Self-Service Portal

Hotspots

A wireless hotspot is defined as a location that offers wireless network connectivity for free or as for-profit public or patron services. It allows a variety of mobile devices (computers, tablets, smartphones, and so on) to connect to and access public Internet and private network resources. Many users work from remote locations and require Internet access as part of their job. This can include access from a wireless hotspot. A typical wireless hotspot will be configured with at least one wireless LAN router connected to an ISP. In some cases, this setup could be as simple as a location offering free Wi-Fi Internet access for its customers. More sophisticated hotspots will have several wireless access points or a complete wireless infrastructure and will be connected to a remote billing server that is responsible for collecting revenue from the user. In many cases, when a user connects to the hotspot router, they will be prompted with a web page for authentication. At this point they might be asked to enter information such as an account number, username and password, or a credit card number to allow usage for a limited period of time. In the case of a free hotspot, typically this web page lists terms and conditions the user agrees to prior to accessing the Internet. This type of web page configuration is known as a captive portal. Captive portals are discussed in more detail in Chapter 10, "Introduction to Mobile Device Management." Wireless hotspots can raise security concerns for the user. Without a secure connection, all information is passed in cleartext through the air via radio frequency, potentially allowing an intruder to capture usernames, passwords, credit card numbers, or other information that could lead to identity theft. Most hotspots do not have the capability to provide a secure wireless connection from the user's computer or wireless device to the wireless router or network. The secure connection then becomes the responsibility of the user. Since many corporations allow employees to work remotely from wireless hotspot connections, extra security measures need to be explored and implemented. In this case, usually a virtual private network (VPN) is used to ensure security. A VPN creates a secure tunnel between the user and the corporate network, allowing for a secure encrypted connection for the user from the wireless hotspot to their corporate network over the Internet or public network. For users who connect to wireless hotspots, it is important for their wireless devices to be secured with the appropriate antivirus software, firewall software, and up-to-date operating system patches or service packs. Following these guidelines can help protect the user from attacks when they are connected to and using a wireless hotspot.

CCMP

Counter Mode with Cipher-Block Chaining Message Authentication Code Protocol (CCMP) Counter Mode with Cipher-Block Chaining Message Authentication Code Protocol (CCMP) is a mandatory part of the IEEE 801.11i amendment, now in the IEEE 802.11-2012 standard and part of Wi-Fi Protected Access 2.0 (WPA2) certification from the Wi-Fi Alliance. CCMP uses the Advanced Encryption Standard (AES) algorithm block cipher. CCMP capability is mandatory for robust security network (RSN) compliance. If an RSN is required to comply with an industry or government regulation, CCMP must be used. CCMP is also intended as a replacement to TKIP. Because of the strong encryption CCMP provides, it may require replacement of legacy wireless hardware devices that are not capable of the newer technology. In some cases, it may use a separate chip to perform computation-intensive AES ciphering. Configuration of CCMP is similar to that of TKIP, discussed earlier. The main difference with CCMP is that legacy hardware devices may not support it and it is a stronger encryption solution. Figure 16.7 illustrates the CCMP encryption process. CCMP is the most secure encryption method to use to secure a wireless network.

802.1X/EAP (CCMP/AES) [how does this relate to WEP, TKIP, RC4, WPA/WPA2]

EEE 802.1X/EAP IEEE 802.1X/EAP consists of two different components used together to form an enterprise network security solution. In the standards-based wireless networking world, IEEE 802.1X/EAP is defined in the IEEE 802.11-2012 standard but was originally part of the IEEE 802.11i amendment. We'll first discuss the IEEE 802.1X standard and then Extensible Authentication Protocol (EAP). Then we'll combine the technology and terms to form IEEE 802.1X/EAP.

Robust Secure Networks (RSN)

RSN (Robust Secure Network) is a protocol for establishing secure communications over an 802.11 wireless network. RSN (Robust Secure Network) is part of the 802.11i standard. The RSN Protocol Process The RSN protocol functions as follows: The wireless NIC sends a Probe Request. The wireless access point sends a Probe Response with an RSN Information Exchange (IE) frame. The wireless NIC requests authentication via one of the approved methods. The wireless access point provides authentication for the wireless NIC. The wireless NIC sends an Association Request with an RSN Information Exchange (IE) frame. The wireless access point send an Association Response.

RC4

Stream ciphers Rivest Cipher 4 (RC4), named after Ron Rivest of RSA Security

TKIP

Temporal Key Integrity Protocol The bottom line is that WPA is a pre-802.11i certification, introducing more advanced security solutions such as Temporal Key Integrity Protocol (TKIP), passphrase, and 802.1X/EAP. Temporal Key Integrity Protocol (TKIP) Temporal Key Integrity Protocol (TKIP) was designed as a firmware upgrade to WEP. This provided a fix for some of the inherent flaws with WEP and an interim solution pending the release of the IEEE 802.11i amendment, which specified CCMP/AES to provide a strong security solution. TKIP added several enhancements to the WEP algorithm and was the foundation for the Wi-Fi Protected Access (WPA) certification from the Wi-Fi Alliance. These enhancements are as follows: Per-packet key mixing of the IV to separate IVs from weak keys A dynamic rekeying mechanism to change encryption and integrity keys 48-bit IV and IV sequence counter to prevent replay attacks Message integrity check (MIC) to prevent forgery attacks Use of the RC4 stream cipher, thereby allowing backward compatibility with WEP Configuring a wireless network to use TKIP is a fairly straightforward process. It can be accomplished either by using the web interface available on most SOHO access points or by using the web interface or command-line interface for enterprise-level access points. For the wireless client devices, TKIP will be configured through the client software utility. Some older wireless hardware devices may not support TKIP. If this is the case, replacement of the hardware will be necessary in order to take advantage of newer security solutions. Figure 16.6 shows a block diagram of the TKIP process.

WIDS

The WIDS is the software that detects an attack on a wireless network or wireless system. A network IDS (NIDS) is designed to support multiple hosts, whereas a host IDS (HIDS) is set up to detect illegal actions within the host. Most IDS programs typically use signatures of known cracker attempts to signal an alert. Others look for deviations of the normal routine as indications of an attack.

WPS

Wi-Fi Protected Setup Certification Wi-Fi Protected Setup (WPS) was defined because SOHO users wanted a simple way to provide the best security possible for their installations without the need for extensive technical knowledge of wireless networking. Wi-Fi Protected Setup provides strong out-of-the-box setup adequate for many SOHO implementations. The Wi-Fi Protected Setup certification requires support for two types of authentication that enable users to automatically configure network names and strong WPA2 data encryption and authentication: Push-button configuration (PBC) allows for quick setup for consumer-grade Wi-Fi equipment. Typically a hardware button on the router is pushed and within two minutes a software "button" on the client device is pushed. The intent is to provide easy, secure setup for the home wireless network. PIN-based configuration is based on a personal identification number. It is similar to PBC, but with this method a PIN is entered on all devices that you wish to connect together on the same wireless network. Support for both PIN and PBC configurations are required for access points; client devices at a minimum must support PIN. A third, optional method, near field communication (NFC) tokens, is also supported. With NFC, if the client device is within a very close proximity to the wireless access point, it will allow for radio communications. NFC will also allow for the exchange of information such as photos or contacts between mobile devices in a peer-to-peer or ad hoc environment. NFC evolved from radio-frequency identification (RFID) technology that provided radio communications using either passive or active tags.

AES

Advanced Encryption Standard (AES) AES is a strong encryption algorithm that is widely used in modern day wireless networks. In conjunction with CCMP encryption, it is considered unbreakable and is the required cipher suite for IEEE 802.11i compliance and WPA2-certified devices. AES uses a larger block size of 128 bits (recall 64 bits with DES and 3DES) and three possible key lengths of 128, 192, and 256 bits.

SIEM/Mobile Device Log Files,

Log files produce a wealth of useful data, but it can be extremely time consuming to analyze and take action on it. This difficulty is compounded when your security team does not have any specialized resources for mobile device and application security. One way to alleviate the load is to integrate log events and correlations into a SIEM solution. This will allow real-time alerting when an immediate response is required and permit non-mobile security specialists to stay on top of emerging threats.

WPA/WPA2

WPA, and WPA2 security methods. Wireless Networking WPA and WPA2 Enterprise Security Concerned about problems connected with MAC address filtering and WEP, the industry drove the development of additional, improved wireless security solutions. One of these solutions also operates at Layer 2 and is an IEEE standard. This advanced enterprise-level solution is known as IEEE 802.1X, which addresses port-based access control and, used in conjunction with Extensible Authentication Protocol (EAP), allows for user-based authentication. You will learn more about IEEE 802.1X and EAP next. User-based security allows an administrator to restrict access to a wireless network and its resources by creating users in a centralized database. Anyone trying to join the network will be required to authenticate as one of the users by supplying a valid username and password. After successful authentication, the user will be able to gain access to resources for which they have permissions. This type of mutual authentication is more secure than the previously mentioned passphrase security method.

WEP

Wired Equivalent Privacy (WEP), defined by the IEEE 802.11 standard, was intended to prevent casual eavesdropping. WEP was compromised early on, making wireless LANs vulnerable to intrusion and providing little if any security. This issue was addressed by stronger security mechanisms (mainly Counter Mode with Cipher-Block Chaining Message Authentication Code Protocol/Advanced Encryption Standard, or CCMP/AES) that became available with the introduction of the IEEE 802.11i amendment to the standard.