Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 8 Wireless Network Security

Objectives Describe the different types of wireless network attacks List the vulnerabilities in IEEE 802.11 security Explain the solutions for securing a wireless network Security+ Guide to Network Security Fundamentals, Fourth Edition

Introduction Wireless data communications have revolutionized computer networking Wireless data networks found virtually everywhere Wireless networks have been targets for attackers Early wireless networking standards had vulnerabilities Changes in wireless network security yielded security comparable to wired networks Security+ Guide to Network Security Fundamentals, Fourth Edition

Wireless Attacks Bluetooth Two types of Bluetooth network topologies Wireless technology Uses short-range radio frequency transmissions Provides for rapid, ad-hoc device pairings Example: smartphone and Bluetooth headphones Personal Area Network (PAN) technology Two types of Bluetooth network topologies Piconet Scatternet Security+ Guide to Network Security Fundamentals, Fourth Edition

Table 8-1 Bluetooth products Security+ Guide to Network Security Fundamentals, Fourth Edition

Wireless Attacks (cont’d.) Piconet Established when two Bluetooth devices come within range of each other One device (master) controls all wireless traffic Other device (slave) takes commands Active slaves can send transmissions Parked slaves are connected but not actively participating Security+ Guide to Network Security Fundamentals, Fourth Edition

Figure 8-1 Bluetooth piconet © Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition

Wireless Attacks (cont’d.) Scatternet Group of piconets with connections between different piconets Bluejacking Attack that sends unsolicited messages to Bluetooth-enabled devices Text messages, images, or sounds Considered more annoying than harmful No data is stolen http://www.youtube.com/watch?v=ajo0njlklYo Security+ Guide to Network Security Fundamentals, Fourth Edition

Figure 8-2 Bluetooth scatternet © Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition

Wireless Attacks (cont’d.) Bluesnarfing Unauthorized access to wireless information through a Bluetooth connection Often between cell phones and laptops Attacker copies e-mails, contacts, or other data by connecting to the Bluetooth device without owner’s knowledge http://www.youtube.com/watch?v=KfZ7Ek409LM http://www.youtube.com/watch?v=AwoEflxJPzE Security+ Guide to Network Security Fundamentals, Fourth Edition

Wireless LAN Attacks Institute of Electrical and Electronics Engineers (IEEE) Most influential organization for computer networking and wireless communications Dates back to 1884 Began developing network architecture standards in the 1980s 1997: release of IEEE 802.11 Standard for wireless local area networks (WLANs) Higher speeds added in 1999: IEEE 802.11b Security+ Guide to Network Security Fundamentals, Fourth Edition

Wireless LAN Attacks (cont’d.) IEEE 802.11a Specifies maximum rated speed of 54Mbps using the 5GHz spectrum IEEE 802.11g Preserves stable and widely accepted features of 802.11b Increases data transfer rates similar to 802.11a IEEE 802.11n Ratified in 2009 Security+ Guide to Network Security Fundamentals, Fourth Edition

Wireless LAN Attacks (cont’d.) Improvements in IEEE 802.11n Speed – up to 600Mbps Coverage area – double a, b, g Interference – different frequencies Security – high level encryption required Wireless client network interface card adapter Performs same functions as wired adapter Antenna sends and receives signals Security+ Guide to Network Security Fundamentals, Fourth Edition

Wireless LAN Attacks (cont’d.) Access point (AP) major parts Antenna and radio transmitter/receiver send and receive wireless signals Bridging software to interface wireless devices to other devices Wired network interface allows it to connect by cable to standard wired network AP functions Acts as “base station” for wireless network Security+ Guide to Network Security Fundamentals, Fourth Edition

Figure 8-3 Access point © Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition

Wireless LAN Attacks (cont’d.) AP functions (cont’d.) Acts as a bridge between wireless and wired networks Can connect to wired network by a cable Autonomous access points Separate from other network devices and access points Have necessary “intelligence” for wireless authentication, encryption, and management Security+ Guide to Network Security Fundamentals, Fourth Edition

Wireless LAN Attacks (cont’d.) Wireless broadband routers Single hardware device containing AP, firewall, router, and DHCP server Wireless networks have been vulnerable targets for attackers Not restricted to a cable Types of wireless LAN attacks Discovering the network Attacks through the RF spectrum Attacks involving access points Security+ Guide to Network Security Fundamentals, Fourth Edition

Wireless LAN Attacks (cont’d.) Discovering the network One of first steps in attack is to discover presence of a network Beaconing AP sends signal at regular intervals to announce its presence and provide connection information Wireless device scans for beacon frames http://www.youtube.com/watch?v=rGYy1F1fhjc War driving Process of passive discovery of wireless network locations

Table 8-2 War driving tools Security+ Guide to Network Security Fundamentals, Fourth Edition

Wireless LAN Attacks (cont’d.) War chalking Documenting and then advertising location of wireless LANs for others to use Previously done by drawing on sidewalks or walls around network area Today, locations are posted on Web sites http://www.youtube.com/watch?v=2rM-K6SQTiU Security+ Guide to Network Security Fundamentals, Fourth Edition

Table 8-4 War chalking symbols © Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition

Wireless LAN Attacks (cont’d.) Attacks through the RF spectrum Wireless protocol analyzer Generating interference Wireless traffic captured to decode and analyze packet contents Network interface card (NIC) adapter must be in correct mode Kismet, Airmon, Wireshark Security+ Guide to Network Security Fundamentals, Fourth Edition

Wireless LAN Attacks (cont’d.) Six modes of wireless NICs Master (acting as an AP) Managed (client) Repeater Mesh Ad-hoc Monitor – (Must be this for analyzing/capturing) Interference Signals from other devices can disrupt wireless transmissions Security+ Guide to Network Security Fundamentals, Fourth Edition

Wireless LAN Attacks (cont’d.) Devices that can cause interference with a WLAN Microwave ovens Elevator motors Copy machines Outdoor lighting (certain types) Theft protection devices Bluetooth devices Security+ Guide to Network Security Fundamentals, Fourth Edition

Figure 8-5 Attacker interference © Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition

Wireless LAN Attacks (cont’d.) Attacks using access points Rogue access points – installed by internal user Evil twin – installed by hacker Rogue access point Unauthorized access point that allows attacker to bypass network security configurations May be set up behind a firewall, opening the network to attacks Security+ Guide to Network Security Fundamentals, Fourth Edition

Figure 8-6 Rogue access point © Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition

Wireless LAN Attacks (cont’d.) Evil twin AP set up by an attacker Attempts to mimic an authorized AP Attackers capture transmissions from users to evil twin AP http://news.yahoo.com/blogs/upgrade-your-life/banking-online-not-hacked-182159934.html Hacking Facebook, Twitter, etc. http://www.youtube.com/watch?v=9T8xaDoYNmg Detecting Firesheep – ‘Blacksheep’ - ttechdows.com/2010/11/blacksheep-detects-firesheep-use-on-wireless-networks.html http://www.readwriteweb.com/archives/facebooks_zuckerberg_says_the_age_of_privacy_is_ov.php Security+ Guide to Network Security Fundamentals, Fourth Edition

Vulnerabilities of IEEE 802.11 Security Original IEEE 802.11 committee recognized wireless transmissions could be vulnerable Implemented several wireless security protections in the standard Left others to WLAN vendor’s discretion Protections were vulnerable and led to multiple attacks Security+ Guide to Network Security Fundamentals, Fourth Edition

MAC Address Filtering Method of controlling WLAN access Limit a device’s access to AP Media Access Control (MAC) address filtering Used by nearly all wireless AP vendors Permits or blocks device based on MAC address Vulnerabilities of MAC address filtering Addresses exchanged in unencrypted format Attacker can see address of approved device and substitute it on his own device Managing large number of addresses is challenging Security+ Guide to Network Security Fundamentals, Fourth Edition

Figure 8-7 MAC address filtering © Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition

SSID Broadcast Each device must be authenticated prior to connecting to the WLAN Open system authentication Device discovers wireless network and sends association request frame to AP Frame carries Service Set Identifier (SSID) User-supplied network name Can be any alphanumeric string 2-32 characters long AP compares SSID with actual SSID of network If the two match, wireless device is authenticated Security+ Guide to Network Security Fundamentals, Fourth Edition

Figure 8-8 Open system authentication © Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition

SSID Broadcast (cont’d.) Open system authentication is weak Based only on match of SSIDs Attacker can wait for the SSID to be broadcast by the AP Users can configure APs to prevent beacon frame from including the SSID Provides only a weak degree of security Can be discovered when transmitted in other frames Older versions of Windows XP have an added vulnerability if this approach is used Security+ Guide to Network Security Fundamentals, Fourth Edition

Wired Equivalent Privacy (WEP) IEEE 802.11 security protocol Encrypts plaintext into ciphertext Secret key is shared between wireless client device and AP Key used to encrypt and decrypt packets WEP vulnerabilities WEP can only use 64-bit or 128-bit number to encrypt Initialization vector (IV) is only 24 of those bits Short length makes it easier to break Security+ Guide to Network Security Fundamentals, Fourth Edition

Figure 8-9 WEP encryption process © Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition

Wired Equivalent Privacy (cont’d.) WEP vulnerabilities (cont’d.) Violates cardinal rule of cryptography: avoid a detectable pattern Attackers can see duplication when IVs start repeating Keystream attack (or IV attack) Attacker identifies two packets derived from same IV Uses XOR to discover plaintext See Figures 8-10 and 8-11 for details Security+ Guide to Network Security Fundamentals, Fourth Edition

Figure 8-10 XOR operations © Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition

Figure 8-11 Capturing packets © Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition

Wireless Security Solutions Unified approach to WLAN security was needed IEEE and Wi-Fi Alliance began developing security solutions Resulting standards used today IEEE 802.11i WPA and WPA2 Security+ Guide to Network Security Fundamentals, Fourth Edition

Wi-Fi Protected Access (WPA) Introduced in 2003 by the Wi-Fi Alliance A subset of IEEE 802.11i Design goal: protect present and future wireless devices Temporal Key Integrity Protocol (TKIP) Encryption Used in WPA Uses longer 128 bit key than WEP Dynamically generated for each new packet Security+ Guide to Network Security Fundamentals, Fourth Edition

Wi-Fi Protected Access (cont’d.) Preshared Key (PSK) Authentication After AP configured, client device must have same key value entered Key is shared prior to communication taking place Uses a passphrase to generate encryption key Must be entered on each AP and wireless device in advance Not used for encryption Serves as starting point for mathematically generating the encryption keys Security+ Guide to Network Security Fundamentals, Fourth Edition

Wi-Fi Protected Access (cont’d.) Vulnerabilities in WPA Key management Key sharing is done manually without security protection Keys must be changed on a regular basis Key must be disclosed to guest users Passphrases PSK passphrases of fewer than 20 characters subject to cracking Security+ Guide to Network Security Fundamentals, Fourth Edition

Wi-Fi Protected Access 2 (WPA2) Second generation of WPA known as WPA2 Introduced in 2004 Based on final IEEE 802.11i standard Uses Advanced Encryption Standard (AES) Supports both PSK and IEEE 802.11x authentication AES-CCMP Encryption Encryption protocol standard for WPA2 CCM is algorithm providing data privacy CBC-MAC component of CCMP provides data integrity and authentication Security+ Guide to Network Security Fundamentals, Fourth Edition

Wi-Fi Protected Access 2 (cont’d.) AES encryption and decryption Should be performed in hardware because of its computationally intensive nature IEEE 802.1x authentication Originally developed for wired networks Provides greater degree of security by implementing port security Blocks all traffic on a port-by-port basis until client is authenticated Security+ Guide to Network Security Fundamentals, Fourth Edition

Wi-Fi Protected Access 2 (cont’d.) Extensible Authentication Protocol (EAP) Framework for transporting authentication protocols Defines message format Uses four types of packets Request Response Success Failure Lightweight EAP (LEAP) Proprietary method developed by Cisco Systems Security+ Guide to Network Security Fundamentals, Fourth Edition

Wi-Fi Protected Access 2 (cont’d.) Lightweight EAP (cont’d.) Requires mutual authentication used for WLAN encryption using Cisco client software Can be vulnerable to specific types of attacks No longer recommended by Cisco Protected EAP (PEAP) Simplifies deployment of 802.1x by using Microsoft Windows logins and passwords Creates encrypted channel between client and authentication server Security+ Guide to Network Security Fundamentals, Fourth Edition

Table 8-3 Wireless security solutions Security+ Guide to Network Security Fundamentals, Fourth Edition

Other Wireless Security Steps Antenna placement Locate near center of coverage area Place high on a wall to reduce signal obstructions and deter theft Power level controls Some APs allow adjustment of the power level at which the LAN transmits Reducing power allows less signal to reach outsiders Security+ Guide to Network Security Fundamentals, Fourth Edition

Other Wireless Security Steps (cont’d.) Organizations are becoming increasingly concerned about existence of rogue APs Rogue access point discovery tools Security personnel can manually audit airwaves using wireless protocol analyzer Continuously monitoring the RF airspace using a wireless probe Types of wireless probes Wireless device probe Desktop probe Security+ Guide to Network Security Fundamentals, Fourth Edition

Other Wireless Security Steps (cont’d.) Types of wireless probes (cont’d.) Access point probe Dedicated probe Wireless virtual LANs (VLANs) Organizations may set up to wireless VLANs One for employee access, one for guest access Configured in one of two ways Depending on which device separates and directs the packets to different networks Security+ Guide to Network Security Fundamentals, Fourth Edition

Summary Bluetooth is a wireless technology using short-range RF transmissions IEEE has developed five wireless LAN standards to date, four of which are popular today (IEEE 802.11a/b/g/n) Attackers can identify the existence of a wireless network using war driving Wired Equivalent Privacy relies on a secret key shared between wireless client device and access point Security+ Guide to Network Security Fundamentals, Fourth Edition

Summary (cont’d.) Wi-Fi Protected Access (WPA) and WPA2 have become the foundations of wireless security today Other steps to protect a wireless network include: Antenna positioning Access point power level adjustment Detecting rogue access points Security+ Guide to Network Security Fundamentals, Fourth Edition