CIST 1601 Information Security Fundamentals
Chapter 12: Wireless Networking Security
Collected and compiled by JD Willard, MCSE, MCSA, Network+, Microsoft IT Academy Administrator
Computer Information Systems Technology, Albany Technical College
Working with Wireless Systems

The 802.11 standard specifies the technologies that are used for wireless LANs. The Institute of Electrical and Electronics Engineers (IEEE) developed the 802.11 standard. 802.11x transmissions generate detectable radio-frequency signals in all directions.
IEEE 802.11x Wireless Protocols

The 802.11 standard defines wireless LANs transmitting at 1Mbps or 2Mbps bandwidths using the 2.4GHz frequency spectrum and using either frequency-hopping spread spectrum (FHSS) or direct-sequence spread spectrum (DSSS) for data encoding.

The 802.11a standard provides wireless LAN bandwidth of up to 54Mbps in the 5GHz frequency spectrum. 802.11a uses orthogonal frequency division multiplexing (OFDM) for encoding.

The 802.11b standard provides for bandwidths of up to 11Mbps in the 2.4GHz frequency spectrum. This standard is also called Wi-Fi or high rate. The 802.11b standard uses only DSSS for encoding.

The 802.11g standard provides for bandwidths of up to 54Mbps in the 2.4GHz frequency spectrum.

The 802.11n standard provides for bandwidths of up to 300Mbps in the 5GHz frequency spectrum (it can also communicate at 2.4GHz for compatibility). It offers higher speed and a frequency with less interference.
IEEE 802.11x Wireless Protocols

Direct-sequence spread spectrum (DSSS) transmits a signal that is a combination of an artificial and a real signal. DSSS accomplishes communication by adding the data to a higher speed transmission. The higher speed transmission contains redundant information to ensure data accuracy, so each packet can be reconstructed in the event of a disruption. The receiving end uses the additional signal to maintain the integrity of the real signal when interference is experienced. Both ends must agree upon the method for generating the signal. DSSS offers superior range, the ability to block interference, and a transmission rate of 11 Mbps.

Frequency-hopping spread spectrum (FHSS) accomplishes communication by hopping the transmission over a range of predefined frequencies. The hopping is synchronized between both ends and appears to both as a single transmission channel. FHSS signals are difficult for malicious users to pick up.

Orthogonal frequency-division multiplexing (OFDM) is a modulation scheme used with networks in the IEEE 802.11a standard. OFDM accomplishes communication by breaking the data into subsignals and transmitting them simultaneously. These transmissions occur on different frequencies or subbands.
WEP/WAP/WPA/WPA2

The Wireless Application Protocol (WAP) is the technology designed for use with wireless devices. WAP functions are equivalent to TCP/IP functions in that they serve the same purpose for wireless devices. The gateway converts information back and forth between HTTP and WAP and also encodes and decodes between the security protocols. If the interconnection between the WAP server and the Internet isn't encrypted, packets between the devices may be intercepted, creating a potential vulnerability. This vulnerability is called a gap in the WAP.

Wired Equivalent Privacy (WEP) is a standard for wireless devices that encrypts data to provide data security. WEP is vulnerable due to weaknesses in the way the encryption algorithms are employed. It can potentially be cracked in as few as five minutes using available PC software. This makes WEP one of the more vulnerable protocols available for security.

The Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) technologies were designed to address the core problems with WEP. These technologies implement the 802.11i standard. The difference between WPA and WPA2 is that WPA implements most of 802.11i in order to be able to communicate with older wireless cards, while WPA2 implements the full standard and is not compatible with older cards. WPA2 is currently the highest standard for Wi-Fi communication security.
Wireless Transport Layer Security

Wireless Transport Layer Security (WTLS) is the security layer for wireless connections that use the Wireless Application Protocol (WAP). WAP is an open international standard for applications that use wireless communication, and it provides the functional equivalent of TCP/IP for wireless devices.

WTLS provides authentication, encryption, and data integrity for wireless devices in the WAP environment. WTLS provides reasonable security for mobile devices, and it's being widely implemented in wireless devices. Many devices, including newer cell phones and PDAs, include support for WTLS as part of their networking protocol capabilities.

Figure: WTLS as part of the WAP environment
Understanding Mobile Devices

Mobile devices, including pagers and personal digital assistants (PDAs), use either RF signaling or cellular technologies for communication. If the device uses the Wireless Application Protocol (WAP), the device in all likelihood doesn't have security enabled.

Several levels of security exist in the WAP protocol:
- Anonymous authentication, which allows virtually anyone to connect to the wireless portal
- Server authentication, which requires the workstation to authenticate against the server
- Two-way (client and server) authentication, which requires both ends of the connection (client and server) to authenticate to confirm validity

Many new wireless devices are also capable of using certificates to verify authentication.

The WAP protocol layers:
- The Wireless Session Protocol (WSP) manages the session information and connection between the devices.
- The Wireless Transaction Protocol (WTP) provides services similar to TCP and UDP for WAP.
- The Wireless Datagram Protocol (WDP) provides the common interface between devices.
- Wireless Transport Layer Security (WTLS) is the security layer of the Wireless Application Protocol.

Figure: A mobile environment using WAP security. This network uses both encryption and authentication to increase security.
Wireless Access Points

To build a wireless network:
- On the client side, you need a wireless NIC
- On the network side, you need a wireless access point (WAP)

A wireless access point (WAP) is a low-power transmitter/receiver, also known as a transceiver, which is strategically placed for access. The portable device and the access point communicate using one of several communications protocols, including IEEE 802.11 (also known as Wireless Ethernet). Wireless offers mobile connectivity within a campus, a building, or even a city.

Wireless communications, although convenient, can also be less than secure. While many WAPs now ship with encryption on, you will still want to verify that this is the case with your network.

Figure: A wireless portal being used to connect a computer to a company network. Notice that the portal connects to the network and is treated like any other connection used in the network.
Wireless Access Points

Antenna Placement

There isn't any one universal solution to antenna placement; it depends on the environment in which the access point is placed. As a general rule, the greater the distance the signal must travel, the more it will attenuate. Avoid placing access points near metal or near the ground. Placement in the center of the area to be served, high enough to get around most obstacles, is recommended.

MAC Filtering

Most APs offer the ability to turn on MAC filtering, which is off by default. When MAC filtering is used, the administrator compiles a list of the MAC addresses associated with the users' computers and enters them. If a client's address appears in the list, the client is able to connect to that AP.
Extensible Authentication Protocol

Extensible Authentication Protocol (EAP) provides a framework for authentication that is often used with wireless networks.

Lightweight Extensible Authentication Protocol (LEAP) was created by Cisco as an extension to EAP but is being phased out in favor of PEAP. It is proprietary to Cisco and was only meant as a quick fix for problems with WEP. It lacks native Windows support. LEAP requires mutual authentication to improve security but is susceptible to dictionary attacks. It is considered a weak EAP protocol.

Protected Extensible Authentication Protocol (PEAP) was created by Cisco, RSA, and Microsoft. It replaces LEAP, and there is native support for it in Windows beginning with Windows XP. PEAP is secure since it establishes an encrypted channel between the server and client.
Wireless Vulnerabilities to Know

Wireless systems are vulnerable to all the attacks that wired networks are vulnerable to. However, because these protocols use radio frequency signals for data emanation, they can be easily intercepted. To intercept 802.11x traffic, all you need is a PC with an appropriate 802.11x card installed.

Without the use of a mandated encryption standard, data transmitted over an 802.1x wireless link may be passed in clear form. Additional forms of encryption may be implemented, such as WEP and AES, but transport encryption mechanisms suffer from the fact that a determined listener can obtain enough traffic data to calculate the encoding key in use.

Wireless networks often announce their service set identifier (SSID) to allow mobile devices to discover available WAPs. Turning off this broadcast makes it harder for a broadcast packet sniffer to readily identify a WAP. Turning off SSID broadcast should be considered a "best practice," along with conducting the site survey, selecting channels not already in use in the area, requiring WPA2 (or newer) encryption, and restricting access to a known list of Wi-Fi MAC addresses where possible.
Wireless Vulnerabilities to Know

A site survey is the process of monitoring a wireless network using a computer, wireless controller, and analysis software. Site surveys generally produce information on the types of systems in use, the protocols in use, and other critical information.

You should periodically complete a site survey to ensure that no unauthorized wireless access points are established. You will also want to perform a site survey before implementing any WLAN solution. This is particularly important in wireless networks spanning multiple buildings or open natural areas, where imposing structures and tree growth may affect network access in key areas.

Site surveys are easily accomplished and hard to detect. To protect against unauthorized site surveys, change the default SSID and disable SSID broadcasts. Upon discovering a WAP using a site survey, physically locate the device and disconnect it.

War driving is the act of driving about with a laptop looking for wireless LANs in a geographic area announcing their SSID broadcasts and WEP keys.
Wireless Vulnerabilities to Know

When a client attempts to contact a wireless access point (AP), the AP authenticates the client through a basic challenge-response method, and then provides connectivity to a wired network or servers. Because the client request is an omnidirectional open broadcast, it is possible for a hijacker to act as an access point to the client, and as a client to the true network access point, allowing the hijacker to follow all data transactions with the ability to modify, insert, or delete packets at will. By implementing a rogue AP with stronger signal strength than more remote permanent installations, the attacker can cause a wireless client to preferentially connect to their own stronger nearby connection using the wireless device's standard roaming handoff mechanism.

Blue jacking is an attack that sends unsolicited messages over a Bluetooth connection. It can be considered spamming in a Bluetooth environment. Mobile devices equipped for Bluetooth short-range wireless connectivity, such as laptops, cell phones, and PDAs, are vulnerable. Attackers use blue jacking to generate messages that appear to be from the device itself. This leads users to follow prompts and establish an open Bluetooth connection to the attacker's device. Once paired with the attacker's device, the user's data becomes available for unauthorized access, modification, or deletion, which is an attack referred to as bluesnarfing.
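
The periodic site survey and the rogue access point scenario described above lend themselves to an automated check. The following is an added example, not part of the original slides: it compares one survey pass against an authorized AP inventory and flags unauthorized, stronger-signal, misconfigured, and weakly encrypted APs. The inventory, SSIDs, BSSIDs, scan rows, and the helper name audit_survey are all constructed for illustration.

```python
# Added example: audit one site-survey scan against an authorized AP inventory.
# Every SSID, BSSID and scan row here is constructed sample data.
AUTHORIZED = {  # hypothetical inventory: BSSID -> (SSID, channel)
    "00:11:22:aa:bb:01": ("CorpNet", 1),
    "00:11:22:aa:bb:02": ("CorpNet", 6),
}
WEAK_ENCRYPTION = {"OPEN", "WEP"}  # anything below the WPA2 baseline

# Constructed rows: (bssid, ssid, channel, encryption, signal_dbm)
SURVEY = [
    ("00:11:22:aa:bb:01", "CorpNet", 1, "WPA2", -62),
    ("00:11:22:aa:bb:02", "CorpNet", 6, "WEP", -70),     # legit AP, weak crypto
    ("de:ad:be:ef:00:99", "CorpNet", 6, "OPEN", -38),    # unknown BSSID, our SSID
    ("66:77:88:99:aa:bb", "CoffeeShop", 11, "WPA2", -80),
    ("00:11:22:AA:BB:01", "CorpNet", 11, "WPA2", -55),   # known BSSID, wrong channel
]

def audit_survey(rows, authorized):
    """Return (bssid, finding) tuples for one survey pass."""
    managed = {ssid for ssid, _ in authorized.values()}
    # Strongest signal heard from an authorized AP, per managed SSID.
    strongest = {}
    for bssid, ssid, _, _, dbm in rows:
        if authorized.get(bssid.lower(), (None,))[0] == ssid:
            strongest[ssid] = max(dbm, strongest.get(ssid, dbm))
    findings = []
    for bssid, ssid, channel, enc, dbm in rows:
        b = bssid.lower()
        known = authorized.get(b)
        if known is None:
            if ssid not in managed:
                continue  # neighbouring network, not ours to judge
            findings.append((b, "unauthorized-bssid-on-managed-ssid"))
            # Clients roam toward the strongest signal, so this is the urgent case.
            if dbm > strongest.get(ssid, float("-inf")):
                findings.append((b, "stronger-than-authorized-aps"))
            continue
        if (ssid, channel) != known:
            findings.append((b, "inventory-mismatch"))
        if enc.upper() in WEAK_ENCRYPTION:
            findings.append((b, "weak-encryption:" + enc.upper()))
    return findings

if __name__ == "__main__":
    for bssid, finding in audit_survey(SURVEY, AUTHORIZED):
        print(bssid, finding)
```

A BSSID match alone does not prove an AP is genuine, since the address is sent in the clear; the inventory-mismatch finding is there to surface a known address appearing with unexpected settings.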
The End