University of the Fraser Valley

Summary

This document is a lecture on wireless security, covering the key factors that make wireless networks riskier than wired networks. It details the threats, the wireless environment, countermeasures, and the IEEE 802.11 and 802.11i security architecture.

Full Transcript

LECTURE 9: WIRELESS NETWORK SECURITY

WIRELESS SECURITY

Key factors contributing to the higher security risk of wireless networks compared to wired networks include:

Channel: Wireless networking typically involves broadcast communications, which is far more susceptible to eavesdropping and jamming than wired networks. Wireless networks are also more vulnerable to active attacks that exploit vulnerabilities in communications protocols.

Mobility: Wireless devices are far more portable and mobile, resulting in a number of risks.

Resources: Some wireless devices, such as smartphones and tablets, have sophisticated operating systems but limited memory and processing resources with which to counter threats, including denial of service and malware.

Accessibility: Some wireless devices, such as sensors and robots, may be left unattended in remote and/or hostile locations, greatly increasing their vulnerability to physical attacks.

The wireless environment consists of three components that provide points of attack (Figure 24.1). The wireless client can be a cell phone, a Wi-Fi enabled laptop or tablet, a wireless sensor, a Bluetooth device, and so on. The wireless access point provides a connection to the network or service; examples of access points are cell towers, Wi-Fi hot spots, and wireless access points to wired local or wide-area networks. The transmission medium, which carries the radio waves for data transfer, is also a source of vulnerability.

WIRELESS NETWORK THREATS

Accidental association: Company wireless LANs or wireless access points to wired LANs in close proximity (e.g., in the same or neighboring buildings) may create overlapping transmission ranges. A user intending to connect to one LAN may unintentionally lock on to a wireless access point from a neighboring network. Although the security breach is accidental, it nevertheless exposes resources of one LAN to the accidental user.

Malicious association: In this situation, a wireless device is configured to appear to be a legitimate access point, enabling the operator to steal passwords from legitimate users and then penetrate a wired network through a legitimate wireless access point.

Ad hoc networks: These are peer-to-peer networks between wireless computers with no access point between them. Such networks can pose a security threat due to a lack of a central point of control.

Nontraditional networks: Nontraditional networks and links, such as personal network Bluetooth devices, barcode readers, and handheld PDAs, pose a security risk both in terms of eavesdropping and spoofing.

Identity theft (MAC spoofing): This occurs when an attacker is able to eavesdrop on network traffic and identify the MAC address of a computer with network privileges.

Man-in-the-middle attacks: This attack involves persuading a user and an access point to believe that they are talking to each other when in fact the communication is going through an intermediate attacking device. Wireless networks are particularly vulnerable to such attacks.

Denial of service (DoS): In a wireless network, a DoS attack occurs when an attacker continually bombards a wireless access point or some other accessible wireless port with various protocol messages designed to consume system resources. The wireless environment lends itself to this type of attack, because it is so easy for the attacker to direct multiple wireless messages at the target.

Network injection: A network injection attack targets wireless access points that are exposed to non-filtered network traffic, such as routing protocol messages or network management messages. An example of such an attack is one in which bogus reconfiguration commands are used to affect routers and switches to degrade network performance.

SECURING WIRELESS TRANSMISSIONS

The principal threats to wireless transmission are eavesdropping, altering or inserting messages, and disruption. The countermeasures for eavesdropping are signal-hiding techniques and encryption; the use of encryption and authentication protocols is the standard method of countering attempts to alter or insert transmissions.

Signal-hiding techniques: Organizations can take a number of measures to make it more difficult for an attacker to locate their wireless access points, including turning off service set identifier (SSID) broadcasting by wireless access points; assigning cryptic names to SSIDs; reducing signal strength to the lowest level that still provides requisite coverage; and locating wireless access points in the interior of the building, away from windows and exterior walls.

Encryption: Encryption of all wireless transmission is effective against eavesdropping to the extent that the encryption keys are secured.
SECURING WIRELESS NETWORKS

The main threat involving wireless access points is unauthorized access to the network. The principal approach for preventing such access is the IEEE 802.1X standard for port-based network access control. The standard provides an authentication mechanism for devices wishing to attach to a LAN or wireless network. Use of 802.1X can prevent rogue access points and other unauthorized devices from becoming insecure backdoors.

WIRELESS NETWORK SECURITY TECHNIQUES

Use encryption.
Use anti-virus and anti-spyware software and a firewall.
Turn off identifier broadcasting.
Change the identifier on your router from the default.
Change your router's pre-set password for administration.
Allow only specific computers to access your wireless network.

MOBILE DEVICE SECURITY

An organization's networks must accommodate:

Growing use of new devices: Significant growth in employees' use of mobile devices.
Cloud-based applications: Applications no longer run solely on physical servers in corporate data centers.
De-perimeterization: There are a multitude of network perimeters around devices, applications, users, and data.
External business requirements: The enterprise must also provide guests, third-party contractors, and business partners network access using various devices from a multitude of locations.

SECURITY THREATS

Lack of physical security controls
Use of untrusted mobile devices
Use of untrusted networks
Use of untrusted applications
Interaction with other systems
Use of untrusted content
Use of location services

IEEE 802.11 TERMINOLOGY

WIRELESS FIDELITY (WI-FI) ALLIANCE

802.11b: First 802.11 standard to gain broad industry acceptance.
Wireless Ethernet Compatibility Alliance (WECA): Industry consortium formed in 1999 to address the concern of products from different vendors successfully interoperating; later renamed the Wi-Fi Alliance.
Wi-Fi: Term used for certified 802.11b products; has been extended to 802.11g products.
Wi-Fi Protected Access (WPA): Wi-Fi Alliance certification procedures for IEEE 802.11 security standards. WPA2 incorporates all of the features of the IEEE 802.11i WLAN security specification.

The lowest layer of the IEEE 802 reference model is the physical layer, which includes such functions as encoding/decoding of signals and bit transmission/reception. In addition, the physical layer includes a specification of the transmission medium. In the case of IEEE 802.11, the physical layer also defines frequency bands and antenna characteristics.

The fields of the MAC frame (MPDU) are:

MAC Control: This field contains any protocol control information needed for the functioning of the MAC protocol. For example, a priority level could be indicated here.
Destination MAC Address: The destination physical address on the LAN for this MPDU.
Source MAC Address: The source physical address on the LAN for this MPDU.
MAC Service Data Unit (MSDU): The data from the next higher layer.
CRC: The cyclic redundancy check field, also known as the Frame Check Sequence (FCS) field. This is an error-detecting code, such as that which is used in other data-link control protocols. The CRC is calculated based on the bits in the entire MPDU. The sender calculates the CRC and adds it to the frame. The receiver performs the same calculation on the incoming MPDU and compares that calculation to the CRC field in that incoming MPDU. If the two values don't match, then one or more bits have been altered in transit.

The fields preceding the MSDU field are referred to as the MAC header, and the field following the MSDU field is referred to as the MAC trailer. The header and trailer contain control information that accompanies the data field and that is used by the MAC protocol.

The IEEE 802.11 architecture model was developed by the 802.11 working group. The smallest building block of a wireless LAN is a basic service set (BSS), which consists of wireless stations executing the same MAC protocol and competing for access to the same shared wireless medium. A BSS may be isolated or it may connect to a backbone distribution system (DS) through an access point (AP). The AP functions as a bridge and a relay point. In a BSS, client stations do not communicate directly with one another. Rather, if one station in the BSS wants to communicate with another station in the same BSS, the MAC frame is first sent from the originating station to the AP and then from the AP to the destination station. Similarly, a MAC frame from a station in the BSS to a remote station is sent from the local station to the AP and then relayed by the AP over the DS on its way to the destination station. The BSS generally corresponds to what is referred to as a cell in the literature. The DS can be a switch, a wired network, or a wireless network.

When all the stations in the BSS are mobile stations that communicate directly with one another (not using an AP), the BSS is called an independent BSS (IBSS). An IBSS is typically an ad hoc network. In an IBSS, the stations all communicate directly, and no AP is involved.
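As an added illustration of the MPDU format and the CRC check described above (example code, not part of the lecture), the following Go program builds a frame with the fields just listed, appends a CRC-32 frame check sequence the way the sender does, and shows the receiver's comparison rejecting a frame with one altered bit. The field widths, the choice of CRC-32 and the sample addresses are assumptions made for the example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"hash/crc32"
)

// Frame mirrors the generic MAC frame from the lecture: MAC Control, destination
// and source MAC addresses (the MAC header), the MSDU, and the CRC trailer (FCS).
// Field sizes are assumed for illustration: 2-byte control, 6-byte addresses and a
// 4-byte CRC-32; a real 802.11 header carries further fields (duration, sequence).
type Frame struct {
	Control  uint16
	Dst, Src [6]byte
	MSDU     []byte
}
const hdrLen, crcLen = 14, 4

// Build is the sender side: serialize header and MSDU, compute the CRC over all of
// those bits, and append it as the trailer.
func Build(f Frame) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, f.Control)
	b.Write(f.Dst[:])
	b.Write(f.Src[:])
	b.Write(f.MSDU)
	binary.Write(&b, binary.BigEndian, crc32.ChecksumIEEE(b.Bytes()))
	return b.Bytes()
}

// Parse is the receiver side: recompute the CRC over the incoming MPDU and compare it
// with the trailer; a mismatch means bits changed in transit. This catches accidental
// corruption only (the CRC is unkeyed), which is why 802.11i adds a keyed MIC on top.
func Parse(mpdu []byte) (Frame, error) {
	var f Frame
	if len(mpdu) < hdrLen+crcLen {
		return f, errors.New("MPDU shorter than MAC header plus CRC")
	}
	body, trailer := mpdu[:len(mpdu)-crcLen], mpdu[len(mpdu)-crcLen:]
	if crc32.ChecksumIEEE(body) != binary.BigEndian.Uint32(trailer) {
		return f, errors.New("CRC mismatch: frame altered in transit, discard it")
	}
	f.Control = binary.BigEndian.Uint16(body[:2])
	copy(f.Dst[:], body[2:8])
	copy(f.Src[:], body[8:14])
	f.MSDU = append([]byte(nil), body[hdrLen:]...)
	return f, nil
}
```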
IEEE 802.11 SERVICES

DISTRIBUTION OF MESSAGES WITHIN A DS

The two services involved with the distribution of messages within a DS are:

Distribution: The primary service used by stations to exchange MPDUs when the MPDUs must traverse the DS to get from a station in one BSS to a station in another BSS.
Integration: Enables transfer of data between a station on an IEEE 802.11 LAN and a station on an integrated IEEE 802.x LAN.

ASSOCIATION-RELATED SERVICES

Transition types, based on mobility:

No transition: A station of this type is either stationary or moves only within the direct communication range of the communicating stations of a single BSS.
BSS transition: Station movement from one BSS to another BSS within the same ESS; delivery of data to the station requires that the addressing capability be able to recognize the new location of the station.
ESS transition: Station movement from a BSS in one ESS to a BSS within another ESS; maintenance of upper-layer connections supported by 802.11 cannot be guaranteed.

Association: Establishes an initial association between a station and an AP.
Reassociation: Enables an established association to be transferred from one AP to another, allowing a mobile station to move from one BSS to another.
Disassociation: A notification from either a station or an AP that an existing association is terminated.

WIRELESS LAN SECURITY

Wired Equivalent Privacy (WEP) algorithm: 802.11 privacy.
Wi-Fi Protected Access (WPA): Set of security mechanisms that eliminates most 802.11 security issues and was based on the current state of the 802.11i standard.
Robust Security Network (RSN): Final form of the 802.11i standard. The Wi-Fi Alliance certifies vendors in compliance with the full 802.11i specification under the WPA2 program.

The 802.11i services are:

Authentication: A protocol is used to define an exchange between a user and an AS (authentication server) that provides mutual authentication and generates temporary keys to be used between the client and the AP over the wireless link.
Access control: This function enforces the use of the authentication function, routes the messages properly, and facilitates key exchange. It can work with a variety of authentication protocols.
Privacy with message integrity: MAC-level data (e.g., an LLC PDU) are encrypted along with a message integrity code that ensures that the data have not been altered.

The communication cases considered are:

1. Two wireless stations in the same BSS communicating via the access point for that BSS.
2. Two wireless stations (STAs) in the same ad hoc IBSS communicating directly with each other.
3. Two wireless stations in different BSSs communicating via their respective APs across a distribution system.
4. A wireless station communicating with an end station on a wired network via its AP and the distribution system.

During the discovery phase, the STA and AP decide on specific techniques in the following areas:

Confidentiality and MPDU integrity protocols for protecting unicast traffic (traffic only between this STA and AP)
Authentication method
Cryptographic key management approach

Confidentiality and integrity protocols for protecting multicast/broadcast traffic are dictated by the AP, since all STAs in a multicast group must use the same protocols and ciphers. The specification of a protocol, along with the chosen key length (if variable), is known as a cipher suite.

MPDU EXCHANGE

The authentication phase consists of three phases:

Connect to AS: The STA sends a request to the AP it has an association with for connection to the AS; the AP acknowledges this request and sends an access request to the AS.
EAP exchange: Authenticates the STA and AS to each other.
Secure key delivery: Once authentication is established, the AS generates a master session key and sends it to the STA.

IEEE 802.11i KEYS FOR DATA CONFIDENTIALITY AND INTEGRITY PROTOCOLS

TEMPORAL KEY INTEGRITY PROTOCOL (TKIP)

Designed to require only software changes to devices that are implemented with the older wireless LAN security approach called WEP. TKIP provides two services:

Message integrity: Adds a message integrity code to the 802.11 MAC frame after the data field.
Data confidentiality: Provided by encrypting the MPDU.

COUNTER MODE-CBC MAC PROTOCOL (CCMP)

Intended for newer IEEE 802.11 devices that are equipped with the hardware to support this scheme. CCMP provides two services:

Message integrity: Uses the cipher-block-chaining message authentication code (CBC-MAC).
Data confidentiality: Uses the CTR block cipher mode of operation with AES for encryption.
