Chapter 7 Basic WLAN Security Measures PDF
Abu Dhabi University
Dr. xiaojie zhu
Summary
This document provides an overview of basic WLAN security measures, including design, implementation, authentication, access control, data protection, and ongoing management. It discusses different security protocols like WEP, WPA, WPA2, and WPA3, along with potential vulnerabilities and best practices for network security.
Full Transcript
Basic WLAN Security Measures
Chapter 7
Dr. xiaojie zhu

Learning Outcomes
- Understand how proper design and installation contribute to basic security
- Describe methods of radio frequency design, layering, and security management
- Understand the security implications of basic authentication and access
- Describe access methods such as SSID masking, MAC filtering, VPNs, and VLANs
- Understand the importance of data protection on wireless networks
- List the common methods of data protection
- Understand how ongoing management affects security
- Describe best practices for periodic security checks and physical sweeps

Overview
- Design and Implementation Considerations for Basic Security
- Authentication and Access Restriction
- Data Protection
- Ongoing Management Security Considerations

Design and Implementation Considerations for Basic Security
Every basic security discussion should begin with the design considerations that support basic security.

Radio frequency design
Radio frequency waves travel through walls and windows and leak into the outside world. It is crucial to restrict RF coverage to the boundaries of the premises. This provides physical security and avoids polluting neighbouring wireless networks. Use wireless repeaters instead of additional access points to boost the signal.

Equipment configuration and placement
Consider the antenna type and coverage pattern. For example, an omnidirectional antenna transmits in all directions to form a 360-degree coverage area and, in general, supports a large area. An omnidirectional antenna should be placed at a central location rather than near an external window.
(Figure: examples of both azimuth (horizontal) and elevation (vertical) signal distribution for a wireless antenna.)

Interoperability and Layering
Delivering RF coverage in a building can be a difficult task and is prone to unpredictability. The most common way to check coverage is to walk the premises using a tablet or laptop to measure the received signal strength.
If there are dead spots (spots where the signal does not reach), you might increase the power setting or adjust the position of the access point to compensate. A wireless extender or wireless repeater is a device that uses the same frequency and channel to overlap the original basic service set (BSS) coverage area by 50 percent, increasing the reach of the access point by half. Twin access points using the same SSID on non-interfering channels may be used to provide 100% overlap.

Security Management
When managing wireless networks from a security perspective, it is important to have detailed knowledge of all the available security tools and techniques. The specific requirements and characteristics of the network should be considered.

Consider a public relations/internet marketing agency that is heavily reliant on the wireless network to support Voice over WLAN (VoWLAN). The key performance and design criteria are:
1. the reliability,
2. quality, and
3. availability of these voice calls.

Another scenario: a mobile telephone reseller may not require VoWLAN support, but it needs to secure hundreds of thousands of pre-paid vouchers on its servers, so the design criteria must include authentication and encryption.

No one-size-fits-all design: the specific requirements and characteristics of each network should be considered.

Basic Security and Best Practices
Although each network is different with regard to layout, coverage, performance and security, there are some basic security best practices for small office/home office (SOHO) networks, and these include:
- Limiting RF leakage by lowering the transmission power of access points
- SSID cloaking
- WPA2 encryption with a strong passphrase
- Authentication
- MAC filtering
- Keeping access points in a locked closet
- Regularly checking for and installing software or firmware patches
All this information should be documented in a process called a risk assessment.

Authentication and Access Restriction - I
The first step is simply to hide the network (physical security).
Authentication plays a key role in keeping unauthorized users off the network. It covers both inside and outside unauthorized access.

SSID (Service Set IDentifier) obfuscation/segmentation
- Commonly used in pre-Robust Security Network (RSN) deployments; RSN is defined in the IEEE 802.11i security standard.
- By assigning an SSID to a virtual LAN (VLAN), the administrator provides a method to segment users by SSID/VLAN pairs. Typically, three SSID/VLAN pairs are created, one each for voice, data, and guests. Voice needs QoS, data needs strong security, and guests need only internet access without security.
- The downside: the amount of work required to configure each individual access point.

Authentication and Access Restriction - II
SSID cloaking
- The broadcast SSID option is disabled during configuration. This effectively hides the WLAN from unauthorized client stations by inhibiting the advertising of the SSID.
- It cannot be discovered by passive or active scanning and can defeat tools like inSSIDer with a modified active scanning process.
- Protocol analyzers can defeat cloaking: clients must be pre-configured with the SSID, and the access point responds only when a probe request carrying the pre-configured SSID is sent out. If an attacker can eavesdrop on the probe response, it learns the MAC, SSID and BSSID.
- The user must enter the SSID manually in the client device, which is subject to social engineering: friends/guests may ask for the SSID.
- Best used to avoid casual and opportunistic access. It cannot prevent a moderately skilled hacker from accessing the network.

MAC Filters
Each MAC address is a unique six-byte number that is hardcoded into the network interface of each device capable of electronic communication. At OSI Layer 2 (the Data Link Layer), MAC addresses represent physical addresses, while an IP address is a logical address. Unlike packets at layer 3, layer 2 carries frames, and MAC addresses at layer 2 identify source and destination.
MAC filters are used in a "deny by default, permit by exception" scheme, where only those MAC addresses that are listed are permitted access. For small networks such as SOHO, this may work very well; for large networks or public networks, MAC filtering is not practical. Moreover, MAC addresses can be spoofed. Like SSID cloaking, MAC filtering can avoid casual and opportunistic access.

Authentication and Association
For a client station to be able to join a network, it must go through the initial mandatory process of authentication and association.
- Open System Authentication (OSA): as long as the SSID is known, the client can access the network and receive non-encrypted information.
- Shared Key Authentication (SKA): part of Wired Equivalent Privacy (WEP) encryption. The client can access the wireless network and send and receive encrypted data by matching the encryption key on the access point.
OSA is still in use, while SKA is deprecated and not recommended. SKA involves 2 extra message exchanges and 2 encryption/decryption operations during the four-way handshake. In SKA the challenge is sent in plaintext, so an attacker can eavesdrop on both the challenge and the client's encrypted response. The attacker can use the challenge-response pair in a replay message and try to expose the static key. The static key is also used to encrypt the payload, and the attacker can use this to break the encryption.

VPN over Wireless
Before 2007, a virtual private network (VPN) over wireless was a commonly used technique for securing user connections, and inter-building bridges secured point-to-point user connections. It is now discouraged because of high overhead and performance issues. One downside of using a VPN for secure Wi-Fi access is that it operates at Layer 3, which means an attacker can get access to both the layer 2 and layer 3 connections before the VPN tunnel is established. After 2007, a layer 2 security solution is provided.
To protect layer 2 information, the use of WEP alongside the VPN was adopted, but this double encryption created more overhead and had a significant impact on performance and throughput.
Video: What is VPN and how it works? - YouTube

Virtual Local Area Network
A VLAN specifies broadcast domains, which define logical segments of the network that receive the same broadcast messages over the shared medium. By creating VLANs, an administrator restricts broadcasts to individual VLAN members and provides isolation from other VLANs. A VLAN ID (802.1Q tag) is inserted into the packet header to identify individual packets as belonging to a particular VLAN. Communication between different VLANs is bridged via routers. QoS can also be defined on a per-VLAN basis to give priority to certain classes of traffic (voice, video etc.). VLANs are logical partitions.

Data Protection
Wireless traffic is available to anyone within reach of the radio signals transmitted to and from client devices. Security professionals must be concerned with the protection (via encryption) of both the data and the authentication credentials.
- WEP (Wired Equivalent Privacy)
- WPA (Wi-Fi Protected Access)
- WPA2 (Wi-Fi Protected Access 2)
- WPA3 (Wi-Fi Protected Access 3)

Wired Equivalent Privacy
The goal of WEP was to provide confidentiality, integrity, and access control for wireless networks. In the original IEEE 802.11 standard in 1997, WEP was defined to provide data privacy through encryption, access control via a static-key form of authentication, and data integrity through a checksum to ensure that data has not been modified. The static WEP key was also used to encrypt the layer 3 payload.
Two key versions of WEP (Layer 2): 64-bit WEP, which uses a 40-bit secret static key, or 128-bit WEP with a 104-bit static key. Both WEP versions use a locally generated random 24-bit number as an initialization vector (IV) to complete the key size of 64 and 128 bits. The IV is simply appended to the key.
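The 24-bit IV is the part of the WEP key that changes from frame to frame, and it is transmitted in the clear. The following Python code is an added example and not part of the lecture material: it pulls the IV out of constructed WEP-protected 802.11 data frames, counts how often each IV recurs per BSSID (the detection signal for the IV collision weakness), and computes the birthday bound that shows how few frames are needed before a 24-bit IV is expected to repeat. The frame layout follows IEEE 802.11 for non-QoS infrastructure data frames (the IV/KeyID field directly follows the 24-byte MAC header); the BSSIDs, station addresses and IV values are constructed.

```python
import math
from collections import Counter, defaultdict

IV_BITS = 24  # WEP initialization vector width, sent in the clear


def extract_wep_iv(frame: bytes):
    """Return (bssid, iv, key_id) for a WEP-protected 802.11 data frame, else None.

    Handles the infrastructure cases (exactly one of ToDS/FromDS set) for
    non-QoS data frames, where the 4-byte IV/KeyID field directly follows the
    24-byte MAC header. Four-address WDS frames and QoS data frames are skipped.
    """
    if len(frame) < 28:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 2 or subtype & 0x8:      # type 2 = data; subtype bit 3 marks QoS data
        return None
    if not fc1 & 0x40:                   # Protected Frame bit clear: no WEP header present
        return None
    to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
    if to_ds == from_ds:
        return None
    addr1, addr2 = frame[4:10], frame[10:16]
    bssid = addr1 if to_ds else addr2    # STA->AP: Address 1 is BSSID; AP->STA: Address 2
    iv = int.from_bytes(frame[24:27], "big")
    key_id = frame[27] >> 6              # top two bits of the 4th byte select one of 4 keys
    return bssid.hex(":"), iv, key_id


def find_iv_reuse(frames) -> dict:
    """Count IVs per BSSID and report those seen more than once: {bssid: {iv: count}}."""
    seen = defaultdict(Counter)
    for frame in frames:
        parsed = extract_wep_iv(frame)
        if parsed is not None:
            bssid, iv, _ = parsed
            seen[bssid][iv] += 1
    return {bssid: {iv: n for iv, n in ivs.items() if n > 1}
            for bssid, ivs in seen.items() if any(n > 1 for n in ivs.values())}


def collision_probability(n_frames: int, iv_bits: int = IV_BITS) -> float:
    """Birthday bound: chance that at least one IV repeats among n randomly chosen IVs."""
    return 1.0 - math.exp(-n_frames * (n_frames - 1) / (2.0 * 2 ** iv_bits))


def seconds_to_exhaust_iv_space(frames_per_second: float, iv_bits: int = IV_BITS) -> float:
    """An AP that picks IVs sequentially wraps the whole space in this many seconds."""
    return 2 ** iv_bits / frames_per_second


def make_wep_frame(to_ds: bool, bssid: bytes, sta: bytes, iv: int, key_id: int = 0) -> bytes:
    """Constructed sample frame: 24-byte MAC header, IV/KeyID field, dummy ciphertext."""
    fc = bytes([0x08, 0x40 | (0x01 if to_ds else 0x02)])   # data frame, Protected, direction
    addr1, addr2 = (bssid, sta) if to_ds else (sta, bssid)
    header = fc + b"\x00\x00" + addr1 + addr2 + bytes(6) + b"\x00\x00"
    return header + iv.to_bytes(3, "big") + bytes([key_id << 6]) + bytes(16)


if __name__ == "__main__":
    bssid = bytes.fromhex("02aabbccdd01")          # constructed addresses
    sta = bytes.fromhex("021122334455")
    capture = [make_wep_frame(True, bssid, sta, 0x0A1B2C),
               make_wep_frame(False, bssid, sta, 0x0A1B2C),
               make_wep_frame(True, bssid, sta, 0x000001),
               make_wep_frame(False, bssid, sta, 0x0A1B2C)]
    for ap, ivs in find_iv_reuse(capture).items():
        for iv, n in ivs.items():
            print(f"{ap}: IV {iv:06x} reused {n} times")
    print(f"P(collision) after 5000 frames: {collision_probability(5000):.2f}")
    print(f"1000 frames/s exhaust the IV space in {seconds_to_exhaust_iv_space(1000) / 3600:.1f} h")
```

The birthday bound reaches 50% after roughly 4,800 frames, and a busy access point sending 1,000 frames per second cycles through all 2^24 IVs in under five hours, so repeated IVs under one static key are a certainty rather than a rare event. Any IV that appears twice for the same BSSID in a capture is therefore a direct indicator of exposure.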
Weakness of WEP
Static key and IV collision attack: if an IV is reused, the same static key is repeated, and by analyzing packets encrypted with the same key an attacker can break WEP encryption in less than 5 minutes.

Wi-Fi Protected Access (WPA)
WPA was introduced by the Wi-Fi Alliance in 2003 to support Temporal Key Integrity Protocol (TKIP)/RC4 dynamic encryption key generation. It was viewed as an intermediate solution to address the serious weaknesses in WEP until WPA2 was available.
Improvements over WEP
- TKIP (a stream cipher) combines the secret encryption key with an IV before initiating the RC4 initialization process.
- WPA uses a sequence counter to protect against replay attacks.
- TKIP implements a 64-bit message integrity check to ensure that messages have not been modified in transit.
Weakness: the attacks were on data integrity, not on exposing the encryption keys.
- Beck-Tews attack: the method involves making minor changes to packets encrypted with TKIP and sending the packets back to the access point. The checksum was not encrypted, and attackers exploited this vulnerability.
- Ohigashi-Morii attack: improves on the Beck-Tews attack and lowers the time needed to execute it to about one minute.

Wi-Fi Protected Access 2 (WPA2)
WPA2 is built on the AES algorithm in Counter mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). AES is a block cipher algorithm that may be incorporated into many security products. AES supports three key sizes (128, 192, and 256 bits) with a fixed block size of 128 bits.
CCMP is the security encryption protocol defined by 802.11i/WPA2. It provides:
- Data confidentiality via encryption
- Authentication
- Access control with layer management
CCMP uses a fixed block size of 128 bits and a fixed key size of 128 bits. CCMP is a layer 2 protocol that ensures the information from Layers 3 to 7 is encrypted in the 802.11 data frame. The layer 3 payload (data) is encrypted using AES and protected from manipulation and tampering by a message integrity code (MIC).
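In WPA2-Personal the CCMP keys descend from a Pairwise Master Key that is derived from the passphrase with PBKDF2-HMAC-SHA1, salted only with the SSID and fixed at 4096 iterations. That derivation is what makes the dictionary attack listed as WPA2's weakness an offline guessing problem, and it is why the best practices call for a strong passphrase. The following Python code is an added example and not part of the lecture material: it derives the PMK (the inputs passphrase "password" and SSID "IEEE" are the first test vector published in IEEE 802.11i), measures how many derivations this host performs per second, and turns a passphrase's length and character classes into a worst-case search time. The function names, the sample passphrases and the SSID "HomeWiFi" are this example's own assumptions.

```python
import hashlib
import time

WPA_ITERATIONS = 4096   # iteration count fixed by IEEE 802.11i for WPA/WPA2-Personal
PMK_LEN = 32            # 256-bit Pairwise Master Key


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    The SSID is the only salt and it is broadcast, so PMKs for a common SSID
    can be precomputed; a unique SSID at least forces per-network work.
    """
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), WPA_ITERATIONS, PMK_LEN)


def derivations_per_second(samples: int = 50) -> float:
    """Measure how many PMK derivations this machine manages per second (one core)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"candidate{i:04d}", "ExampleSSID")   # constructed candidates
    return samples / (time.perf_counter() - start)


def exhaustive_search_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Worst case: try every passphrase of this length at `rate` derivations per second."""
    return alphabet_size ** length / rate


def passphrase_report(passphrase: str, rate: float) -> dict:
    """Estimate the alphabet a passphrase draws from and the worst-case search time.

    This is an upper bound: a passphrase taken from a dictionary falls to a word
    list far faster than its length and character classes suggest.
    """
    classes = [(26, any(c.islower() for c in passphrase)),
               (26, any(c.isupper() for c in passphrase)),
               (10, any(c.isdigit() for c in passphrase)),
               (33, any(not c.isalnum() for c in passphrase))]   # printable ASCII symbols
    alphabet = sum(size for size, used in classes if used)
    seconds = exhaustive_search_seconds(alphabet, len(passphrase), rate)
    return {"length": len(passphrase), "alphabet": alphabet,
            "years": seconds / (365 * 24 * 3600)}


if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")            # IEEE 802.11i test vector inputs
    print("PMK:", pmk.hex())
    print("same passphrase, other SSID gives a different PMK:",
          pmk != derive_pmk("password", "HomeWiFi"))
    rate = derivations_per_second()
    print(f"this host: about {rate:.0f} PMK derivations/s")
    for candidate in ("password", "Wl4n!Demo", "three blue kettles hum at noon"):  # constructed
        r = passphrase_report(candidate, rate)
        print(f"{candidate!r}: {r['length']} chars over {r['alphabet']} symbols, "
              f"worst case {r['years']:.2e} years at this rate")
```

The rate this script measures is a single CPU core in Python; dedicated hardware is orders of magnitude faster, so the estimate is useful for comparing passphrases against each other, not as an absolute guarantee. The practical conclusions match the slides' best practices: length and variety of the passphrase dominate the cost, and a unique SSID prevents reuse of precomputed tables.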
Weakness of WPA2
- Dictionary attack

Order of Preference for Wi-Fi Data Protection
1. WPA2 + CCMP
2. WPA2 + AES
3. WPA + AES
4. WPA + TKIP
5. WEP
6. Open network (no security)

WPA3
In 2018, the Wi-Fi Alliance introduced the WPA3 security standard, which adds four new features to bolster the original WPA2 specification.
- Data privacy over public networks: introduces "individualized data encryption". When you connect to an open Wi-Fi network, the traffic between your device and the Wi-Fi access point is encrypted.
- Protection against brute-force attacks: a new handshake protocol delivers robust protection.
- An easier connection process for devices without displays: simplifies the process of configuring security for devices that have limited or no display interface.
- Higher security for government, defense, and industrial applications: a stronger and longer session key, up to 192 bits.

Recommendation

Ongoing Management Security Considerations
Any aspect of the network that is not actively monitored and managed becomes a potential vulnerability.
- Firmware upgrades
- Physical security
- Periodic inventory
- Identifying rogue WLANs/wireless access points

Firmware Update
Firmware is a specific class of computer software that provides low-level control for a device's specific hardware. A hacker's best practice is to look for unpatched equipment. When such devices are found, there is often a "cookbook" approach to exploiting the unfixed issue. The typical method of upgrading a legacy access point or adapter is to use a File Transfer Protocol (FTP) server, after downloading the firmware upgrade from the vendor's website using a web browser or GUI-based program. Telnet, a network protocol that supports remote non-secure access to another device, is also used. This is a good example of central device management, which is a necessary and essential element of managing a large network.

Physical Security
Physical security is an often-overlooked aspect of wireless security policy.
If devices have been pre-configured for wireless security, only legitimate wireless-enabled devices will be able to access the network. In an enterprise environment, authentication methods make it easy to blacklist a lost or stolen device to prevent unauthorized access to the WLAN. In a SOHO environment, where no such level of device management is in force, the administrator should change all the passphrases and pre-shared keys (PSKs). When an employee leaves, it is not enough just to retrieve their laptop; you must access their devices to remove the Wi-Fi security configurations. A good practice is to change the PSKs and passphrases on a monthly basis.

Periodic Inventory
It is always good practice to keep an up-to-date inventory of all devices authorized to connect to the WLAN. You must be aware of all devices and their respective MAC addresses to manage the access list. It is common to find anonymous devices using WLAN services, so it is a good idea to create a guest VLAN with internet-only access. By running periodic inventory checks, the network administrator in a SOHO setup can audit the MAC addresses traversing the WLAN and identify them as known or unknown.

Identifying Rogue WLANs/Wireless Access Points
The best preventative measure against rogue access points is to conduct regular and frequent audits of all access points on the WLAN. One strategy is to manage Ethernet switch ports and wall sockets so that unused ports are disabled by default. Limiting RF coverage to the boundaries of the premises restricts the ability to install access points outside the building to eavesdrop on the internal WLAN. If rogue access points continue to appear on the WLAN, consider configuring one of the newer access points as a Remote Authentication Dial-In User Service (RADIUS) authentication server.
Video introducing RADIUS: RADIUS tutorial, AAA protocol - YouTube
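The "deny by default, permit by exception" MAC filter from the MAC Filters section, the known/unknown audit from Periodic Inventory and the access point audit from the rogue WLAN section all operate on the same data: a list of authorized addresses compared against what is observed. The following Python code is an added example and not part of the course material. It normalizes MAC addresses so that the same device is not missed because two tools print it differently, implements the allow list, classifies observed clients as known or unknown (marking locally administered addresses, which were set by software rather than burned in by the vendor, as a triage hint), and flags beaconing BSSIDs that are not on the authorized access point list, including ones that advertise the organization's own SSID. The addresses, device names and SSIDs are constructed.

```python
import re


def normalize_mac(mac: str) -> str:
    """Return the address as lower-case, colon-separated octets.

    Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF and Cisco-style aabb.ccdd.eeff,
    so an inventory entry and a scan result for the same device always compare equal.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet marks an address assigned by software (randomised
    or changed by the user) rather than burned in by the vendor. A hint for the
    inventory audit, not proof of spoofing."""
    return bool(int(normalize_mac(mac).split(":")[0], 16) & 0x02)


class MacFilter:
    """Deny by default, permit by exception: only listed addresses are admitted."""

    def __init__(self, allowed):
        self.allowed = {normalize_mac(m) for m in allowed}

    def permits(self, mac: str) -> bool:
        return normalize_mac(mac) in self.allowed


def audit_clients(inventory: dict, observed) -> dict:
    """Periodic inventory check: classify observed client MACs as known or unknown."""
    known = {normalize_mac(m): name for m, name in inventory.items()}
    report = {"known": {}, "unknown": []}
    for mac in observed:
        m = normalize_mac(mac)
        if m in known:
            report["known"][m] = known[m]
        elif m not in report["unknown"]:
            report["unknown"].append(m)
    return report


def find_rogue_aps(authorized_bssids, scan_results):
    """Return every (bssid, ssid) from a site survey whose BSSID is not an authorized AP.

    An unauthorized BSSID that advertises the organization's own SSID is still
    reported, which is exactly the case an audit needs to catch."""
    authorized = {normalize_mac(b) for b in authorized_bssids}
    return [(normalize_mac(b), ssid) for b, ssid in scan_results
            if normalize_mac(b) not in authorized]


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    inventory = {"00:11:22:33:44:55": "reception laptop",
                 "00-11-22-33-44-66": "VoWLAN handset"}
    seen_on_wlan = ["00:11:22:33:44:55", "aabb.ccdd.eeff", "02:9f:00:00:00:01"]
    authorized_aps = ["d8:00:00:00:00:01"]
    survey = [("d8:00:00:00:00:01", "OfficeWLAN"), ("12:34:56:78:9a:bc", "OfficeWLAN")]

    wlan_filter = MacFilter(inventory)
    for mac in seen_on_wlan:
        print(f"{normalize_mac(mac)} permitted: {wlan_filter.permits(mac)}")
    report = audit_clients(inventory, seen_on_wlan)
    print("known:", report["known"])
    for m in report["unknown"]:
        hint = " (locally administered address)" if is_locally_administered(m) else ""
        print("unknown:", m + hint)
    print("rogue APs:", find_rogue_aps(authorized_aps, survey))
```

Running the audit on a schedule and diffing the "unknown" and "rogue APs" lists against the previous run gives the SOHO administrator the periodic check the slides recommend without any commercial tooling; the MAC filter itself remains a deterrent against casual access only, since the page already notes that addresses can be spoofed.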