SECURITY + WIRELESS DEFENSES 5.12
EAP-MD5 offers
minimal security and is susceptible to dictionary attacks and man-in-the-middle attacks (it authenticates only the client, and the challenge/response travels without a protective tunnel).
Do not place access points with omnidirectional antennae
near exterior walls. The signal will extend beyond the walls. Instead, do the following:
Radio waves sent by wireless devices are
not contained within a specific transmission path; instead they emanate or radiate in many directions from the wireless transmitter. This makes wireless networks susceptible to data emanation, where wireless signals can be received beyond the intended area of coverage. Keep in mind the following recommendations:
LEAP requires a minimum
of a Cisco RADIUS server and Cisco drivers on the client side, with username and password credentials. LEAP does not use digital certificates or a PKI.
Devices often get better
reception from access points that are mounted above or below them.
Consider using a Faraday cage. A Faraday cage is a
shielded enclosure that minimizes or eliminates data emanation. However, be aware that a Faraday cage blocks all radio signals, including mobile phone signals.
MAC address filtering identifies
specific MAC addresses that are allowed to access the wireless access point. Clients with unlisted MAC addresses are not allowed to connect.
Shared key authentication uses
static pre-shared keys (PSKs) configured on the access point and on each client.
Open authentication requires
that clients provide a MAC address in order to connect to the wireless network.
Wireless access points are transceivers
that transmit and receive information on a wireless network.
A captive portal may be configured with a whitelist of websites
that wireless users are allowed to access without completing the requirements of the captive portal web page.
LEAP is based on
the MS-CHAP protocol.
By default, access points broadcast
the SSID to announce their presence and make it easy for clients to find and connect to the wireless network.
Place omnidirectional access points toward
the center of the building and then manage the power level of the radio to decrease signal emanation outside of the building.
Using EAP,
the client and server negotiate the characteristics of authentication.
LEAP's major weakness is that
its MS-CHAPv1 challenge/response is exchanged without any encryption or TLS tunnel around it, so the exchange can be captured and attacked offline.
Do not use a network name that
makes it easy to associate your access point with your organization.
There are two main bands or frequencies utilized in 802.11 wireless networks:
2.4 GHz
5 GHz
Authentication options, from highest security to lowest, are:
802.1x (requires a RADIUS server and a directory service)
Shared secret (pre-shared key)
Open (use only when you need to enable public access)
Access point configuration areas:
SSID
MAC filtering
Signal strength
Band selection/width
Antenna types and placement
Fat vs. thin
Controller-based vs. standalone
When using 802.1x authentication for wireless networks:
A RADIUS server is required to centralize user account and authentication information
A PKI is required for issuing certificates
The wireless access point is a RADIUS client
The wireless access point forwards the wireless device's credentials to the RADIUS server for authentication
A RADIUS federation is multiple RADIUS servers that communicate with each other after establishing a trust relationship
A RADIUS server is required to centralize user account and authentication information.
A centralized database for user authentication is required to allow wireless clients to roam between cells and authenticate using the same account information.
Lightweight Extensible Authentication Protocol (LEAP)
A less secure 802.1x protocol developed by Cisco.
EAP Flexible Authentication via Secure Tunneling (EAP-FAST)
A replacement for LEAP that uses a Protected Access Credential (PAC).
SSID Obfuscation
A wireless security strategy of changing the default SSID or turning off the broadcasting of the SSID on a wireless access point.
MAC address filtering
A wireless security strategy of identifying specific MAC addresses and only allowing them to connect to the wireless access point.
Encryption methods, from highest security to lowest, are:
AES (CCMP) used with WPA2
RC4 (TKIP) used with WPA
RC4 used with WEP
A captive portal requires wireless network users to abide by certain conditions before they are allowed access to the wireless network, for example:
Agree to an acceptable use policy
Pay for access to the wireless network
View information or advertisements about the organization providing the wireless network (such as an airport or hotel)
Protected Extensible Authentication Protocol (PEAP)
An 802.1x protocol that provides authentication in an SSL/TLS tunnel using a single certificate on the server.
EAP Transport Layer Security (EAP-TLS)
An 802.1x protocol that uses Transport Layer Security (TLS) with certificates on both client and server and is considered to be one of the most secure EAP standards.
EAP Tunneled Transport Layer Security (EAP-TTLS)
An 802.1x protocol that tunnels the client's authentication inside TLS and requires a CA-signed certificate only on the server.
Faraday Cage
An enclosure made of metal mesh that prevents radio signals from emanating outside of an environment.
Extensible Authentication Protocol (EAP)
A framework (a set of interface standards) that allows various authentication methods to be negotiated and used.
EAP-TLS: Requires client-side and server-side
Certificate Authority (CA) signed certificates.
Additional security considerations with wireless networks include:
SSID Obfuscation
MAC Address Filtering
Antenna Placement, Power Level, and Orientation
Encryption
Captive Portals
Authentication
Rogue Host Detection
Band Selection and Bandwidth
Wireless security settings: authentication protocols
EAP
PEAP
EAP-FAST
EAP-TLS
EAP-TTLS
IEEE 802.1x
RADIUS Federation
While more secure than EAP-MD5 and LEAP,
EAP-FAST can still be compromised if the attacker can intercept the PAC.
There are several EAP implementations that you need to be familiar with:
EAP-TLS
EAP-MD5
EAP-FAST
Always treat a wireless network as though it were a publicly accessible network. Don't assume that the traffic on that network is private and secure.
If users need to transmit confidential or secret information, require them to connect to the wired network with a network cable.
In a mixed environment (public users and internal users), make the wireless network a screened subnet, and have internal users reach wired computers on the internal network through a VPN.
Put the access points in separate virtual LANs.
Implement intrusion detection to help identify when an attacker is attempting to set up a rogue access point or is using a brute force attack to gain access.
Implement standard security measures:
Install security updates as soon as they are available
Install antivirus software on wireless hosts
Change the default administrator password
Enable firewall filtering
Disable DHCP on the WAP
EAP-FAST is a replacement for
LEAP that uses a Protected Access Credential (PAC) to establish a TLS tunnel in which client authentication credentials are transmitted.
Wireless security settings: methods
PSK vs. Enterprise vs. Open
WPS
Captive portal
2.4 GHz
Provides a larger area of coverage
Offers a slower speed of data transmission
Offers only 14 channels, with only three non-overlapping channels
5 GHz
Provides a smaller area of coverage
Offers faster speeds of data transmission
Channels do not overlap, but the use of some channels is restricted depending on the country you live in
A RADIUS federation is multiple
RADIUS servers that communicate with each other after establishing a trust relationship. These servers may be on different networks and could span multiple organizations.
PEAP enables mutual authentication by requiring
the server to prove its identity to the client (with its certificate) before the client sends its credentials through the tunnel.
A PKI is required for issuing certificates. At a minimum, the RADIUS server must have a server certificate.
To support certificate-based mutual authentication (EAP-TLS), each client must also have a certificate.
EAP-TLS uses
Transport Layer Security (TLS) and is considered one of the most secure EAP standards available.
Four commonly used techniques for detecting rogue hosts include:
Using site survey tools to identify hosts and APs on the wireless network
Checking connected MAC addresses to identify unauthorized hosts
Conducting an RF noise analysis to detect a malicious rogue AP that is using jamming to force wireless clients to connect to it instead of legitimate APs
Analyzing wireless traffic to identify unauthorized systems
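The second and first of the techniques above (comparing associated MAC addresses against an inventory, and checking site-survey results for BSSIDs that advertise your SSID but were never deployed) as an added example, not code from the original page. The AP/client inventory, the key=value association-log format and the survey tuples are all constructed for the demonstration; a real controller logs in its own format, so the regex is the part you would adapt.

```python
import re

CORP_SSID = "CorpWiFi"

# Inventory (constructed for this example): the APs we deployed and the
# clients we issued. A real deployment pulls these from the controller or
# asset database rather than hard-coding them.
MANAGED_APS = {
    "aa:bb:cc:00:00:01": "ap-lobby-1",
    "aa:bb:cc:00:00:02": "ap-floor2-1",
}
AUTHORIZED_CLIENTS = {
    "3c:52:82:11:22:33": "laptop-alice",
    "3c:52:82:44:55:66": "laptop-bob",
}

def norm_mac(mac):
    """Accept 3C-52-82-11-22-33, 3c52.8211.2233 or 3c:52:82:11:22:33 and
    return the canonical lower-case colon form used by the inventories."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

# Constructed association-log lines (assumption: a simple key=value format;
# real controllers differ, so adapt LINE_RE to your vendor's output).
ASSOC_LOG = """
2024-05-01T09:12:03Z ap=ap-lobby-1 bssid=aa:bb:cc:00:00:01 event=assoc client=3c:52:82:11:22:33 ssid=CorpWiFi
2024-05-01T09:12:41Z ap=ap-lobby-1 bssid=aa:bb:cc:00:00:01 event=assoc client=DE-AD-BE-EF-00-01 ssid=CorpWiFi
2024-05-01T09:13:09Z ap=ap-floor2-1 bssid=aa:bb:cc:00:00:02 event=assoc client=3c:52:82:44:55:66 ssid=CorpWiFi
""".strip().splitlines()

LINE_RE = re.compile(
    r"bssid=(?P<bssid>\S+) event=(?P<event>\w+) client=(?P<client>\S+) ssid=(?P<ssid>\S+)"
)

def unauthorized_clients(lines):
    """Technique 2: every MAC that associated but is not in the inventory."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("event") != "assoc":
            continue
        client = norm_mac(m.group("client"))
        if client not in AUTHORIZED_CLIENTS:
            findings.append(("unknown-client", client, norm_mac(m.group("bssid"))))
    return findings

# Constructed site-survey scan results: (ssid, bssid, channel, rssi_dbm).
SURVEY = [
    ("CorpWiFi", "aa:bb:cc:00:00:01", 6, -48),
    ("CorpWiFi", "aa:bb:cc:00:00:02", 11, -61),
    ("CorpWiFi", "02:ca:fe:00:00:09", 6, -40),   # our SSID from a BSSID we never deployed
    ("GuestNet", "aa:bb:cc:00:00:01", 6, -48),
]

def rogue_aps(scan):
    """Technique 1: any BSSID advertising our SSID that is not a managed AP is
    a rogue (an evil twin, or an unsanctioned AP plugged into a wall jack)."""
    return [
        ("rogue-ap", norm_mac(bssid), channel, rssi)
        for ssid, bssid, channel, rssi in scan
        if ssid == CORP_SSID and norm_mac(bssid) not in MANAGED_APS
    ]

if __name__ == "__main__":
    for finding in unauthorized_clients(ASSOC_LOG) + rogue_aps(SURVEY):
        print(finding)
```

The MAC check is one layer only: an attacker who has sniffed an authorized client's address and spoofed it will pass `unauthorized_clients` unnoticed, which is why the survey and traffic-analysis checks belong alongside it.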
EAP-TTLS: Only one CA-signed certificate
is required (on the server), simplifying the implementation process.
LEAP: Requires
a Cisco RADIUS server and Cisco software on the client's side.
Change the default SSID to a
non-apparent value to help obscure the wireless network.
PEAP: Creates
a secure communication channel for transmitting certificate or login credentials.
Either way, rogue hosts on your wireless network represent
a security risk and should be detected and subsequently removed.
Each access point has a
service set identifier (SSID) that identifies the wireless network.
EAP-TLS: Is widely supported by
almost all manufacturers of wireless LAN hardware and software.
MAC address filtering provides a limited
amount of security; serious attackers are able to discover and spoof valid MAC addresses to bypass address filtering.
Dictionary attack
An attacker sniffs both the challenge and the response during LEAP authentication and then runs through all the words in a dictionary in an attempt to produce the response that matches the challenge. If successful, the attacker has guessed the password and can pose as the client.
A rogue host is
an unauthorized system that has connected to a wireless network. It could be an unauthorized wireless device, or even an unauthorized wireless access point that someone connected to a wired network jack without permission.
Rogue hosts could be
benign in nature, or they could be malicious.
PEAP was a collaborative effort
between Cisco, Microsoft, and RSA.
Prevent transmissions from reaching
beyond the designated wireless area by reducing the power level of the wireless access point.
The EAP-FAST vulnerability is mitigated
by manual PAC provisioning or by using server certificates.
The location of the access point antenna
can affect radio wave signal strength and network access.
The wireless access point forwards the wireless device's
credentials to the RADIUS server for authentication.
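What "the access point forwards the credentials" looks like on the wire, as an added example (not code from the original page, and not any vendor's implementation): the AP acts as a RADIUS client and wraps the supplicant's EAP-Response/Identity in a RADIUS Access-Request, tagging it with a Message-Authenticator (HMAC-MD5 keyed with the AP/server shared secret, RFC 2869 and RFC 3579) so the RADIUS server can verify the request came from a known NAS. The shared secret, username, MAC address and packet identifier below are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS constants from RFC 2865 / RFC 2869 / RFC 3580.
ACCESS_REQUEST = 1
USER_NAME = 1
CALLING_STATION_ID = 31
NAS_PORT_TYPE = 61
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_WIRELESS_80211 = 19
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)

def attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value; Length covers all three."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value

def eap_identity_response(eap_id, identity):
    """EAP-Response/Identity: Code=2, Identifier, Length, Type=1, identity."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body

def build_access_request(secret, packet_id, request_authenticator, username, client_mac, eap_id=1):
    """AP (RADIUS client) side: relay the supplicant's EAP response and sign
    the packet with HMAC-MD5 under the shared secret."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 random bytes")
    attrs = (attr(USER_NAME, username.encode())
             + attr(CALLING_STATION_ID, client_mac.encode())
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
             + attr(EAP_MESSAGE, eap_identity_response(eap_id, username))
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # zero placeholder, filled below
    header = struct.pack("!BBH", ACCESS_REQUEST, packet_id, HEADER_LEN + len(attrs))
    packet = header + request_authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the placeholder is the last 16 bytes

def parse_attributes(packet):
    """Walk the TLV list after the header; returns [(type, value), ...]."""
    attrs, pos = [], HEADER_LEN
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def verify_message_authenticator(packet, secret):
    """RADIUS server side: recompute the HMAC with the attribute value zeroed.
    RFC 3579 requires Message-Authenticator on any request carrying EAP, so a
    missing or mismatching one means reject."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False

if __name__ == "__main__":
    import os
    secret = b"s3cret-between-ap-and-radius"   # constructed shared secret
    pkt = build_access_request(secret, 7, os.urandom(16), "alice", "3c-52-82-11-22-33")
    print(len(pkt), verify_message_authenticator(pkt, secret))
```

Two things the code makes concrete: the client's identity and MAC leave the AP in the clear inside RADIUS (only the Message-Authenticator protects integrity, and only against parties without the shared secret), and the server cannot distinguish a forwarded request from a forged one if that secret is weak or shared across many APs.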
LEAP is also susceptible to
dictionary attacks.
Overlapping wireless networks should use
different channels to ensure that they do not conflict with each other.
EAP supports multiple authentication methods,
for example smart cards, biometrics, and digital certificates.
Many public Wi-Fi networks, such as those provided by airports, hotels, and restaurants,
implement some type of captive portal. A captive portal requires wireless network users to abide by certain conditions before they are allowed access to the wireless network.
LEAP transmits some of the information
in cleartext.
EAP-FAST: Establishes a TLS tunnel
in which client authentication credentials are transmitted.
802.1x is a standard for local area networks
created by the Institute of Electrical and Electronics Engineers Standards Association (IEEE-SA) that defines port-based network access control. This standard is often labeled IEEE 802.1X.
Place directional access points around
the periphery of the building to provide even coverage. Aim the directional access points such that the signal does not emanate outside the structure.
A site survey uses tools to identify
the presence and strength of wireless transmissions.
LEAP is considered to be
the weakest 802.1x protocol. It does not use SSL/TLS to encapsulate authentication data.
In general, place access points higher up
to avoid interference problems caused by building foundations.
With SSID broadcasting off, users must manually specify the SSID
to connect to the wireless network. This helps to prevent casual attackers from connecting to the network. However, any serious attacker with the right tools can still discover the SSID and connect to the wireless network.
LEAP deployments should be migrated
to an EAP method that uses digital certificates, at least on the server side (EAP-FAST with a server certificate or PEAP) or on both sides (EAP-TLS).
Conduct a site survey to identify
the coverage area and optimal placement for wireless access points, to prevent signals from going beyond identified boundaries.
EAP-TLS: Is labor-intensive and expensive
to implement.
Turn off the SSID broadcast
to keep a wireless network from being automatically discovered. When SSID broadcasting is turned off, clients must already know the SSID in order to connect.
MS-CHAPv1 is vulnerable
to offline dictionary attacks against dictionary-based passwords.
The main countermeasure to dictionary attacks is
to use a strong password policy, so that the password is not in any wordlist the attacker can try offline.
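The dictionary attack against a sniffed LEAP challenge/response described above, together with the countermeasure, as an added example that is not part of the original page. Assumption stated up front: real MS-CHAPv1 derives the 24-byte response from the MD4 NT-hash of the password via three DES encryptions of the 8-byte challenge; this script substitutes SHA-256/HMAC so it runs with only the Python standard library. The attack structure is unchanged: the password is the only unknown in a deterministic function of data an eavesdropper already holds. The wordlist is constructed for the demonstration.

```python
import hashlib
import hmac
import os

def password_hash(password):
    """Stand-in for the NT-hash (assumption: SHA-256 instead of MD4)."""
    return hashlib.sha256(password.encode("utf-8")).digest()

def compute_response(password, challenge):
    """Client side: answer the server's challenge with a keyed digest
    (assumption: HMAC-SHA256 instead of MS-CHAPv1's triple DES)."""
    return hmac.new(password_hash(password), challenge, hashlib.sha256).digest()

def leap_exchange(password):
    """Server sends an 8-byte challenge, client answers. In LEAP both travel
    without a tunnel, so this tuple is exactly what a sniffer captures."""
    challenge = os.urandom(8)
    return challenge, compute_response(password, challenge)

def candidates(wordlist):
    """Common mangling rules attackers apply on top of each base word."""
    for word in wordlist:
        yield word
        yield word.capitalize()
        for suffix in ("1", "123", "!", "2024"):
            yield word + suffix
            yield word.capitalize() + suffix

def dictionary_attack(challenge, response, wordlist):
    """Offline attack: recompute the response for every guess and compare.
    No traffic to the server, so no lockout and no log entry."""
    for guess in candidates(wordlist):
        if hmac.compare_digest(compute_response(guess, challenge), response):
            return guess
    return None

# Constructed wordlist; a real attack uses millions of entries.
WORDLIST = ["password", "letmein", "welcome", "cisco", "wireless"]

def crack(password):
    """Run one sniffed exchange for `password` through the attack; returns the
    recovered password, or None when it is not derivable from the wordlist."""
    challenge, response = leap_exchange(password)
    return dictionary_attack(challenge, response, WORDLIST)

if __name__ == "__main__":
    print(crack("Cisco123"))        # a dictionary word plus a common suffix: recovered
    print(crack("p7#Vq2!xLm9Rs"))   # outside the wordlist: None
```

The strong-password policy works only because it pushes the password outside every candidate the attacker can enumerate; tunnelled methods such as PEAP or EAP-FAST remove the precondition entirely, since the eavesdropper never sees the challenge and response in the first place.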
When a wireless device initially connects to the wireless network, all traffic to or from that device is blocked
until the user opens a browser and is redirected to the captive portal web page. After the user agrees to the terms and conditions, traffic is unblocked and the device can access the network normally.
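The block-until-accepted behaviour above, combined with the pre-authentication whitelist of sites mentioned earlier on this page, as an added example that is not code from the original page. The whitelist hostnames and the session lifetime are assumptions; the policy function is what an enforcement point (firewall rule generator, proxy) would consult per flow.

```python
import time

# Hosts reachable before the user completes the portal (assumed names).
PRE_AUTH_WHITELIST = {"portal.example.net", "pay.example.net"}
SESSION_TTL = 4 * 3600   # seconds an accepted session stays valid (assumed)

class CaptivePortal:
    """Per-client access state: blocked until terms are accepted, then open
    until the session expires. Clients are keyed by MAC address, as most real
    portals do, which is why a spoofed MAC inherits the victim's open session."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.sessions = {}        # client_mac -> expiry timestamp

    def accept_terms(self, client_mac):
        """Called by the portal web page once the user agrees (or pays)."""
        self.sessions[client_mac] = self.now() + SESSION_TTL

    def is_authorized(self, client_mac):
        expiry = self.sessions.get(client_mac)
        if expiry is None:
            return False
        if self.now() >= expiry:
            del self.sessions[client_mac]   # expired: back to blocked
            return False
        return True

    def allow(self, client_mac, dest_host):
        """Policy decision for one flow: whitelist is always reachable (so the
        portal page itself can load); everything else needs a live session."""
        if dest_host in PRE_AUTH_WHITELIST:
            return True
        return self.is_authorized(client_mac)

if __name__ == "__main__":
    portal = CaptivePortal()
    mac = "3c:52:82:11:22:33"   # constructed client address
    print(portal.allow(mac, "portal.example.net"), portal.allow(mac, "example.com"))
    portal.accept_terms(mac)
    print(portal.allow(mac, "example.com"))
```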
Many public access points use no encryption. If you use a public access point to connect to a private network
use a VPN to encrypt the connection. This is called VPN over open wireless.
802.1x authentication requires
user names and passwords, certificates, or devices such as smart cards to authenticate wireless clients.
Perform cell-shaping. Cell-shaping
uses directional antennas and shielding methods to provide coverage without emanation outside the facility.
802.1x authentication
uses either certificates or user names and passwords for authentication. Each is supported through extensible protocols such as the EAP methods listed on this page.
EAP-FAST Is susceptible to attackers
who intercept the Protected Access Credential (PAC) and use it to compromise user credentials.
Because wireless transmissions are easily captured,
you should implement some form of encryption on your wireless network.