1. Security+ Guide to Network Security Fundamentals, Fifth Edition
Chapter 9
Wireless Network Security
Chapter 9
Wireless Network Security

2. Objectives Describe the different types of wireless network attacks
List the vulnerabilities in IEEE security
Explain the solutions for securing a wireless network
Objectives
Describe the different types of wireless network attacks
List the vulnerabilities in IEEE security
Explain the solutions for securing a wireless network
Security+ Guide to Network Security Fundamentals, Fifth Edition

3. Introduction
Wireless data communications have revolutionized computer networking
Wireless data networks found virtually everywhere
Wireless networks have been targets for attackers
Early wireless networking standards had vulnerabilities
Changes in wireless network security yielded security comparable to wired networks
Introduction
Wireless data communications have revolutionized computer networking
Wireless data networks found virtually everywhere
Wireless networks have been targets for attackers
Early wireless networking standards had vulnerabilities
Changes in wireless network security yielded security comparable to wired networks
Security+ Guide to Network Security Fundamentals, Fifth Edition

4. Wireless Attacks
Several attacks can be directed against wireless data systems
Attacks can be directed against:
Bluetooth systems
Near field communication devices
Wireless local area networks
Wireless Attacks
Several attacks can be directed against wireless data systems
Attacks can be directed against:
Bluetooth systems
Near field communication devices
Wireless local area networks
Security+ Guide to Network Security Fundamentals, Fifth Edition

5. Bluetooth
Bluetooth - Wireless technology uses short-range radio frequency (RF) transmissions
Provides for rapid, ad-hoc device pairings
Enables users connect wirelessly to wide range of computing and telecommunications devices
Bluetooth is a Personal Area Network (PAN) technology data communication over short distances
Provides virtually instantaneous connections between Bluetooth-enabled device and receiver
Current version Bluetooth v4.0
Bluetooth
Bluetooth - Wireless technology uses short-range radio frequency (RF) transmissions
Provides for rapid, ad-hoc device pairings
Enables users connect wirelessly to wide range of computing and telecommunications devices
Bluetooth is a Personal Area Network (PAN) technology data communication over short distances
Provides virtually instantaneous connections between Bluetooth-enabled device and receiver
Current version Bluetooth v4.0
Security+ Guide to Network Security Fundamentals, Fifth Edition

6. Bluetooth Products (Table 9-1)
A table with three columns and eight rows. The first row is composed of column headers: Category, Bluetooth pairing, and Usage. Row 2. Category: Automobile Bluetooth pairing: Hands-free car system with cell phone Usage: Drivers can speak commands to browse the cell phone’s contact list, make hands-free phone calls, or use its navigation system. Row 3. Category: Home entertainment Bluetooth pairing: Stereo headphones with portable music player Usage: Users can create a playlist on a portable music player and listen through a set of wireless headphones or speakers. Row 4. Category: Photographs Bluetooth pairing: Digital camera with printer Usage: Digital photos can be sent directly to a photo printer or from pictures taken on one cell phone to another phone. Row 5. Category: Computer accessories Bluetooth pairing: Computer with keyboard and mouse Usage: Small travel mouse can be linked to a laptop or a full-size mouse and keyboard that can be connected to a desktop computer. Row 6. Category: Gaming Bluetooth pairing: Video game system with controller Usage: Gaming devices and video game systems can support multiple controllers, while Bluetooth headsets allow gamers to chat as they play. Row 7. Category: Sports and fitness Bluetooth pairing: Heart-rate monitor with wristwatch Usage: Athletes can track heart rates while exercising by glancing at their watch. Row 8. Category: Medical and health Bluetooth pairing: Blood pressure monitors with smartphones Usage: Patient information can be sent to a smartphone, which can then send an emergency phone message if necessary.
Security+ Guide to Network Security Fundamentals, Fifth Edition

7. Bluetooth Topologies Two types of Bluetooth network topologies:
Piconet – Established when two Bluetooth devices come within range of each other
Scatternet - Group of piconets in which connections exist between different piconets
Bluetooth Topologies
Two types of Bluetooth network topologies:
Piconet – Established when two Bluetooth devices come within range of each other
Scatternet - Group of piconets in which connections exist between different piconets
Security+ Guide to Network Security Fundamentals, Fifth Edition

8. Bluetooth Piconet (Figure 9-1)
A figure. The left circle contains a smaller circle labeled M that connects to a smaller circle labeled AS with a solid line. A dashed line connects M to a smaller circle labeled PS. The right circle has a smaller circle labeled M that connects to four smaller circles, each labeled AS. Beneath is the legend M = Master, AS = Active slave, and PS = Parked slave
Security+ Guide to Network Security Fundamentals, Fifth Edition

9. Bluetooth Scatternet (Figure 9-2)
A figure. The left circle a smaller circle labeled M that connects to four smaller circles, each labeled AS. A small circle labeled PS is also within the circle. The right circle is identical. In the middle the two circles overlap and each connect to a smaller circle labeled AS. Beneath is the legend M = Master, AS = Active slave, and PS = Parked slave
Security+ Guide to Network Security Fundamentals, Fifth Edition

10. Bluejacking
Bluejacking - Attack that sends unsolicited messages to Bluetooth-enabled devices
Can be text messages, images, or sounds
Considered more annoying than harmful
No data is stolen
Bluejacking
Bluejacking - Attack that sends unsolicited messages to Bluetooth-enabled devices
Can be text messages, images, or sounds
Considered more annoying than harmful
No data is stolen
Security+ Guide to Network Security Fundamentals, Fifth Edition

11. Bluesnarfing
Bluesnarfing - Unauthorized access to wireless information through Bluetooth connection
Often between cell phones and laptops
Attacker copies s, contacts, or other data by connecting to Bluetooth device without owner’s knowledge
Bluesnarfing
Bluesnarfing - Unauthorized access to wireless information through Bluetooth connection
Often between cell phones and laptops
Attacker copies s, contacts, or other data by connecting to Bluetooth device without owner’s knowledge
Security+ Guide to Network Security Fundamentals, Fifth Edition

12. Near Field Communication (NFC)
Near field communication (NFC) –Low speed and low power technology for smartphones and smart cards
Used to establish communication between devices in close proximity
Once devices tapped together or brought within several centimeters each other two-way communication established
NFC’s ease of use opened door for wide range of practical short-range communications
Near Field Communication (NFC)
Near field communication (NFC) –Low speed and low power technology for smartphones and smart cards
Used to establish communication between devices in close proximity
Once devices tapped together or brought within several centimeters each other two-way communication established
NFC’s ease of use opened door for wide range of practical short-range communications
Security+ Guide to Network Security Fundamentals, Fifth Edition

13. NFC Contactless Payment
NFC devices increasingly used in contactless payment systems so consumer can pay for purchase by tapping store’s payment terminal with smartphone
Users store credit card and/or store loyalty card information in “virtual wallet” the smartphone to pay for purchases at NFC-enabled point-of-sale (PoS) checkout device
NFC contactless payment systems has risks because of the nature of this technology
NFC Contactless Payment
NFC devices increasingly used in contactless payment systems so consumer can pay for purchase by tapping store’s payment terminal with smartphone
Users store credit card and/or store loyalty card information in “virtual wallet” the smartphone to pay for purchases at NFC-enabled point-of-sale (PoS) checkout device
NFC contactless payment systems has risks because of the nature of this technology
Security+ Guide to Network Security Fundamentals, Fifth Edition

14. Contactless Payment System (Figure 9-3)
A figure. A hand holding a smartphone is help inches above a point-of-sale terminal.
Security+ Guide to Network Security Fundamentals, Fifth Edition

15. NFC risks and defenses (Table 9-2)
A table with three columns and five rows. The first row is composed of column headers: Vulnerability, Explanation, and Defense. Row 2. Vulnerability: Eavesdropping Explanation: The NFC communication between device and terminal can be intercepted and viewed. Defense: Because an attacker must be extremely close to pick up the signal, users should be aware of this. Also, some NFC applications can perform encryption. Row 3. Vulnerability: Data manipulation Explanation: Attackers can jam an NFC signal so transmission cannot occur. Defense: Some NFC devices can monitor for data manipulation attacks. Row 4. Vulnerability: Man-in-the-middle attack Explanation: An attacker can intercept the NFC communications between devices and forge a fictitious response. Defense: Devices can be configured in active-passive pairing so one device only sends while the other can only receive. Row 5. Vulnerability: Device theft Explanation: The theft or loss of a smartphone could allow an attacker to use that phone for purchases. Defense: Smartphones should be protected with passwords or PINs.
Security+ Guide to Network Security Fundamentals, Fifth Edition

16. Wireless Local Area Network (WLAN) Attacks
Wireless local area network (WLAN) - Designed to replace or supplement wired local area network (LAN)
Tablets, laptop computers, smartphones, and printers within 460 feet (140 meters) of centrally located connection device
Can send and receive information from 54 Mbps to 7 billion bits per second (Gbps)
Wireless Local Area Network (WLAN) Attacks
Wireless local area network (WLAN) - Designed to replace or supplement wired local area network (LAN)
Tablets, laptop computers, smartphones, and printers within 460 feet (140 meters) of centrally located connection device
Can send and receive information from 54 Mbps to 7 billion bits per second (Gbps)
Security+ Guide to Network Security Fundamentals, Fifth Edition

17. IEEE WLANs
Institute of Electrical and Electronics Engineers (IEEE) - Most influential organization for computer networking and wireless communications
Dates back 1884
Began developing network architecture standards in 1980s
In 1997 released IEEE standard for wireless local area networks (WLANs)
Today multiple IEEE WLAN standards
IEEE WLANs
Institute of Electrical and Electronics Engineers (IEEE) - Most influential organization for computer networking and wireless communications
Dates back 1884
Began developing network architecture standards in 1980s
In 1997 released IEEE standard for wireless local area networks (WLANs)
Today multiple IEEE WLAN standards
Security+ Guide to Network Security Fundamentals, Fifth Edition

18. IEEE WLAN Standards (Table 9-3)
A table with seven columns and seven rows. The first row is composed of column headers: blank, , b, a, g, n, and ac. Row 2. blank: Frequency : 2.4 GHz b: 2.4 GHz a: 5 GHz g: 2.4 GHz n: 2.4 & 5 GHz ac: 5 GHz Row 3. blank: Nonoverlapping channels : b: a: g: n: ac: 21 Row 4. blank: Maximum data rate : 2 Mbps b: 11 Mbps a: 54 Mbps g: 54 Mbps n: 600 Mbps ac: 7.2 Gbps Row 5. blank: Indoor range (feet/meters) : 65/ b: 125/ a: 115/ g: 115/ n: 230/ ac: 115/35 Row 6. blank: Outdoor range (feet/meters) : 328/ b: 460/ a: 393/ g: 460/ n: 820/ ac: 460/140 Row 7. blank: Ratification date : b: a: g: n: ac: 2014
Security+ Guide to Network Security Fundamentals, Fifth Edition

19. WLAN Hardware
Wireless client network interface card adapter - Performs same functions as wired adapter with antenna that sends and receives signals
Access point (AP) consists of:
Antenna and radio transmitter/receiver to send and receive wireless signals
Special bridging software to interface wireless devices to other devices
Wired network interface that allows to connect by cable to a standard wired network
WLAN Hardware
Wireless client network interface card adapter - Performs same functions as wired adapter with antenna that sends and receives signals
Access point (AP) consists of:
Antenna and radio transmitter/receiver to send and receive wireless signals
Special bridging software to interface wireless devices to other devices
Wired network interface that allows to connect by cable to a standard wired network
Security+ Guide to Network Security Fundamentals, Fifth Edition

20. AP Functions AP has two basic functions:
Acts as “base station” the wireless network: all wireless devices with wireless NIC transmit to AP, which in turn, redirects signal (if necessary) to other wireless devices
Acts as bridge between wireless and wired networks so AP can be connected to the wired network by a cable, allowing all wireless devices to access through AP to wired network (and vice versa)
AP Functions
AP has two basic functions:
Acts as “base station” the wireless network: all wireless devices with wireless NIC transmit to AP, which in turn, redirects signal (if necessary) to other wireless devices
Acts as bridge between wireless and wired networks so AP can be connected to the wired network by a cable, allowing all wireless devices to access through AP to wired network (and vice versa)
Security+ Guide to Network Security Fundamentals, Fifth Edition

21. Access point (AP) In WLAN (Figure 9-4)
A figure. A horizontal line labeled Wired network is connected to icons above the line labeled File server, PC, and Internet. Beneath the line are two Laptop computers that are transmitting to an AP that is connected to the Wired network.
Security+ Guide to Network Security Fundamentals, Fifth Edition

22. Home WLAN Hardware
For a small office or home another device is commonly used
Device combines multiple features into a single hardware device: AP
Firewall
Router
Dynamic host configuration protocol (DHCP) server
Devices are residential WLAN gateways but often called wireless routers
Home WLAN Hardware
For a small office or home another device is commonly used
Device combines multiple features into a single hardware device: AP
Firewall
Router
Dynamic host configuration protocol (DHCP) server
Devices are residential WLAN gateways but often called wireless routers
Security+ Guide to Network Security Fundamentals, Fifth Edition

23. WLAN Enterprise Attacks
In traditional wired network well-defined boundary (“hard edge”) protects data and resources
Two types of hard edges:
Network hard edge: Wired network typically has one point through which data must pass from an external network to secure internal network; single data entry point makes it easier to defend against attacks because any attack must likewise pass through one point
Walls of building: Walls keep out unauthorized personnel who cannot physically access computing devices or network equipment
WLAN Enterprise Attacks
In traditional wired network well-defined boundary (“hard edge”) protects data and resources
Two types of hard edges:
Network hard edge: Wired network typically has one point through which data must pass from an external network to secure internal network; single data entry point makes it easier to defend against attacks because any attack must likewise pass through one point
Walls of building: Walls keep out unauthorized personnel who cannot physically access computing devices or network equipment
Security+ Guide to Network Security Fundamentals, Fifth Edition

24. Network Hard Edge (Figure 9-5)
A figure. At the left an icon of the Internet connects to an icon of a Firewall with the label “Single entry point.” Lines from the firewall encompass icons of a desktop, corporate laptop, network device, server, printer, and desktop. The lines from the server are labeled Network hard edge.
Security+ Guide to Network Security Fundamentals, Fifth Edition

25. Blurred Edges
Introduction of WLANs in enterprises has changed hard edges to “blurred edges”
Instead of network hard edge with single data entry point, WLAN can contain multiple entry points
Because RF signals extend beyond boundaries of building, walls cannot be considered as a hard edge to keep away attackers
Blurred Edges
Introduction of WLANs in enterprises has changed hard edges to “blurred edges”
Instead of network hard edge with single data entry point, WLAN can contain multiple entry points
Because RF signals extend beyond boundaries of building, walls cannot be considered as a hard edge to keep away attackers
Security+ Guide to Network Security Fundamentals, Fifth Edition

26. Network Blurred Edge (Figure 9-6)
A figure. At the left an icon of the Internet connects to an icon of a Firewall with the label “Single entry point.” Lines from the firewall encompass icons of a desktop, corporate laptop, network device, server, printer, desktop, and two access points. The lines from the server are labeled Network blurred edge. One attacker laptop connects to an access points and is labeled “Injects infections behind firewall.” A second attacker laptop connects to the other access point and is labeled “Listens to data transmissions.”
Security+ Guide to Network Security Fundamentals, Fifth Edition

27. Additional WLAN Enterprise Attacks
In addition to creating multiple entry points, several different wireless attacks can be directed at enterprise:
Rogue access points
Evil twins
Intercepting wireless data
Wireless replay attacks
Wireless denial of service attacks
Additional WLAN Enterprise Attacks
In addition to creating multiple entry points, several different wireless attacks can be directed at enterprise:
Rogue access points
Evil twins
Intercepting wireless data
Wireless replay attacks
Wireless denial of service attacks
Security+ Guide to Network Security Fundamentals, Fifth Edition

28. Rogue Access Points
Rogue access point - Unauthorized AP allows attacker to bypass network security configurations and opens network and users to attacks
Attacker who can access network through rogue access point is behind firewall and network protections
Rogue APs can be hardware or software
Rogue Access Points
Rogue access point - Unauthorized AP allows attacker to bypass network security configurations and opens network and users to attacks
Attacker who can access network through rogue access point is behind firewall and network protections
Rogue APs can be hardware or software
Security+ Guide to Network Security Fundamentals, Fifth Edition

29. Rogue Access Point and Evil Twin Attacks (Figure 9-7)
A figure. At the left an icon of the Internet connects to an icon of a Firewall with the label “Single entry point.” Lines from the firewall encompass icons of a desktop, corporate laptop, network device, server, printer, desktop, and two access points and one rogue access point. The lines from the server are labeled Network blurred edge. One attacker laptop connects to an access points and is labeled “Injects infections behind firewall.” A second attacker laptop connects to the other access point and is labeled “Listens to data transmissions.” A computer labeled "Corporate laptop" connects to an access point and is labeled "Running software-based rogue AP" and an attacker connects to that computer with a wireless signal. Another corporate laptop connects to an AP labeld "evil twin" and is labeled "Connects to evil twin by mistake."
Security+ Guide to Network Security Fundamentals, Fifth Edition

30. Intercepting Wireless Data
One of most common wireless attacks is intercepting and reading data (packet sniffing) being transmitted
Attacker can pick up RF signal from open or misconfigured AP and read any confidential wireless transmissions
If attacker manages to connect to enterprise wired network through rogue AP, also could read broadcast and multicast wired network traffic that leaks from wired network to wireless network
Intercepting Wireless Data
One of most common wireless attacks is intercepting and reading data (packet sniffing) being transmitted
Attacker can pick up RF signal from open or misconfigured AP and read any confidential wireless transmissions
If attacker manages to connect to enterprise wired network through rogue AP, also could read broadcast and multicast wired network traffic that leaks from wired network to wireless network
Security+ Guide to Network Security Fundamentals, Fifth Edition

31. Wireless Replay Attack
Wireless attack can “hijacking” wireless connection to perform wireless man-in-the-middle attack
Makes it appear that wireless device and network computers are communicating with each other, when actually they sending and receiving data through evil twin AP ( “man-in-the-middle”)
Wireless replay - Attacker captures data being transmitted, records, and then sends to original recipient without attacker’s presence being detected
Wireless Replay Attack
Wireless attack can “hijacking” wireless connection to perform wireless man-in-the-middle attack
Makes it appear that wireless device and network computers are communicating with each other, when actually they sending and receiving data through evil twin AP ( “man-in-the-middle”)
Wireless replay - Attacker captures data being transmitted, records, and then sends to original recipient without attacker’s presence being detected
Security+ Guide to Network Security Fundamentals, Fifth Edition

32. Wireless Denial of Service Attack
RF jamming - Using intentional RF interference to flood RF spectrum with enough interference to prevent device from effectively communicating with AP
Another wireless DoS attack takes advantage of an IEEE design weakness
Different types of frames can be “spoofed” by an attacker to prevent client from being able to remain connected to WLAN
Wireless Denial of Service Attack
RF jamming - Using intentional RF interference to flood RF spectrum with enough interference to prevent device from effectively communicating with AP
Another wireless DoS attack takes advantage of an IEEE design weakness
Different types of frames can be “spoofed” by an attacker to prevent client from being able to remain connected to WLAN
Security+ Guide to Network Security Fundamentals, Fifth Edition

33. Wireless Home Attacks
Home users face several risks from attacks on their insecure wireless networks:
Data theft
Read wireless transmissions
Inject malware
Download harmful content
Wireless Home Attacks
Home users face several risks from attacks on their insecure wireless networks:
Data theft
Read wireless transmissions
Inject malware
Download harmful content
Security+ Guide to Network Security Fundamentals, Fifth Edition

34. War Driving
War driving - Searching for wireless signals from automobile or on foot using portable computing device
War chalking - Documenting and advertising location of wireless LANs for others
Previously done by drawing on sidewalks or walls around network area
Today, locations are posted on Web sites
War Driving
War driving - Searching for wireless signals from automobile or on foot using portable computing device
War chalking - Documenting and advertising location of wireless LANs for others
Previously done by drawing on sidewalks or walls around network area
Today, locations are posted on Web sites
Security+ Guide to Network Security Fundamentals, Fifth Edition

35. War Chalking Symbols (Figure 9-8)
A figure. The left icon is an open circle. The middle icon are two half-circles back-to-back. The right circle has a W embedded in the middle. The left circle is labeled Network name and Closed network. The middle circle is labeled Network name, Bandwidth, and Open network. The right circle is labeled Network name, Bandwidth, and Encrypted network
Security+ Guide to Network Security Fundamentals, Fifth Edition

36. War driving tools (Table 9-4)
A table with two columns and six rows. The first row is composed of column headers: Tool and Purpose. Row 2. Tool: Mobile computing device Purpose: A mobile computing device with a wireless NIC can be used for war driving. This includes a standard portable computer, a pad computer, or a smartphone. Row 3. Tool: Wireless NIC adapter Purpose: Many war drivers prefer an external wireless NIC adapter that connects into a USB or other port and has an external antenna jack. Row 4. Tool: Antenna(s) Purpose: Although all wireless NIC adapters have embedded antennas, attaching an external antenna will significantly increase the ability to detect a wireless signal. Row 5. Tool: Software Purpose: Client utilities and integrated operating system tools provide limited information about a discovered WLAN. Serious war drivers use more specialized software. Row 6. Tool: Global positioning system (GPS) receiver Purpose: Although this is not required, it does help to pinpoint the location more precisely if this information will be recorded or shared with others.
Security+ Guide to Network Security Fundamentals, Fifth Edition

37. Vulnerabilities of IEEE Wireless Security
Original IEEE committee recognized wireless transmissions could be vulnerable
Implemented several wireless security protections in standard while left others to WLAN vendor’s discretion
Protections were vulnerable and led to multiple attacks
Vulnerabilities of IEEE Wireless Security
Original IEEE committee recognized wireless transmissions could be vulnerable
Implemented several wireless security protections in standard while left others to WLAN vendor’s discretion
Protections were vulnerable and led to multiple attacks
Security+ Guide to Network Security Fundamentals, Fifth Edition

38. Categories of Vulnerabilities
Four categories vulnerabilities:
Wired Equivalent Privacy (WEP)
Wi-Fi Protected Setup (WPS)
MAC address filtering
SSID broadcasting
Categories of Vulnerabilities
Four categories vulnerabilities:
Wired Equivalent Privacy (WEP)
Wi-Fi Protected Setup (WPS)
MAC address filtering
SSID broadcasting
Security+ Guide to Network Security Fundamentals, Fifth Edition

39. Wired Equivalent Privacy (WEP)
Wired Equivalent Privacy (WEP) - IEEE security protocol designed to ensure that only authorized parties can view transmitted wireless information by encrypting transmissions
WEP relies on shared secret key known only by wireless client and AP
Initialization vector (IV) - 24-bit value that changes each time packet is encrypted and combined with shared secret key
Wired Equivalent Privacy (WEP)
Wired Equivalent Privacy (WEP) - IEEE security protocol designed to ensure that only authorized parties can view transmitted wireless information by encrypting transmissions
WEP relies on shared secret key known only by wireless client and AP
Initialization vector (IV) - 24-bit value that changes each time packet is encrypted and combined with shared secret key
Security+ Guide to Network Security Fundamentals, Fifth Edition

40. WEP Vulnerabilities WEP security vulnerabilities:
WEP limited by length of IV of only 24 bits
WEP creates detectable pattern that can provide attacker with valuable information to break encryption
WEP Vulnerabilities
WEP security vulnerabilities:
WEP limited by length of IV of only 24 bits
WEP creates detectable pattern that can provide attacker with valuable information to break encryption
Security+ Guide to Network Security Fundamentals, Fifth Edition

41. Wi-Fi Protected Setup (WPS)
Wi-Fi Protected Setup (WPS) - Optional means of configuring security on wireless local area networks
Designed to help users with limited knowledge of security to quickly and easily implement security on their WLANs
Accomplished by pushing button or entering PIN
Design and implementation flaws in WPS using PIN method makes it vulnerable
Wi-Fi Protected Setup (WPS)
Wi-Fi Protected Setup (WPS) - Optional means of configuring security on wireless local area networks
Designed to help users with limited knowledge of security to quickly and easily implement security on their WLANs
Accomplished by pushing button or entering PIN
Design and implementation flaws in WPS using PIN method makes it vulnerable
Security+ Guide to Network Security Fundamentals, Fifth Edition

42. MAC Address Filtering
Method of controlling WLAN access limit a device’s access to AP
Media Access Control (MAC) address filtering - Used by nearly all wireless AP vendors that permits or blocks device based on MAC address
Vulnerabilities of MAC address filtering:
Addresses exchanged in unencrypted format
Attacker can see address of approved device and substitute it on his own device
Managing large number of addresses is challenging
Security+ Guide to Network Security Fundamentals, Fifth Edition

43. MAC Address Filtering (Figure 9-10)
A screen capture. The first line is labeled “Wireless Mac Filter” with two radio buttons “Enable” and “Disable”. The second line is labeled “Prevent:” and has two radio buttons “Prevent PCs listed rom accessing the wireless” with a callout line “Keep out these devices only.” The third line is labeled “Permit Only:” with a radio button “Permit only PCs listed to access the wireless network” with a callout line “Allow in only these devices.”
Security+ Guide to Network Security Fundamentals, Fifth Edition

44. Disabling SSID Broadcasts
Service Set Identifier (SSID) - User-supplied network name of wireless network
Normally SSID is broadcast so that any device can see it
Broadcast can be restricted with intent that only those users that know the “secret” SSID in advance would be allowed to access the network
Provides only a weak degree of security and has several limitations
Disabling SSID Broadcasts
Service Set Identifier (SSID) - User-supplied network name of wireless network
Normally SSID is broadcast so that any device can see it
Broadcast can be restricted with intent that only those users that know the “secret” SSID in advance would be allowed to access the network
Provides only a weak degree of security and has several limitations
Security+ Guide to Network Security Fundamentals, Fifth Edition

45. Wireless Security Solutions
As result of wireless security vulnerabilities in IEEE and Wi-Fi Alliance technologies, both organizations worked to create comprehensive security solutions
IEEE i
Wi-Fi Alliance - Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2)
WPA and WPA2 are primary wireless security solutions today
Other security steps can also be taken
Wireless Security Solutions
As result of wireless security vulnerabilities in IEEE and Wi-Fi Alliance technologies, both organizations worked to create comprehensive security solutions
IEEE i
Wi-Fi Alliance - Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2)
WPA and WPA2 are primary wireless security solutions today
Other security steps can also be taken
Security+ Guide to Network Security Fundamentals, Fifth Edition

46. Wi-Fi Protected Access (WPA)
Wi-Fi Protected Access (WPA) – Security solution introduced by Wi-Fi Alliance.
Design goal to fit into existing WEP engine without requiring extensive hardware upgrades or replacements
Addresses both encryption and authentication
Two modes of WPA
WPA Personal - Designed for individuals or small office/home office (SOHO) settings, which typically have 10 or fewer employees
WPA Enterprise - Intended for larger enterprises, schools, and government agencies
Wi-Fi Protected Access (WPA)
Wi-Fi Protected Access (WPA) – Security solution introduced by Wi-Fi Alliance.
Design goal to fit into existing WEP engine without requiring extensive hardware upgrades or replacements
Addresses both encryption and authentication
Two modes of WPA
WPA Personal - Designed for individuals or small office/home office (SOHO) settings, which typically have 10 or fewer employees
WPA Enterprise - Intended for larger enterprises, schools, and government agencies
Security+ Guide to Network Security Fundamentals, Fifth Edition

47. WPA TKIP and PSK
Temporal Key Integrity Protocol (TKIP) – Encryption technology “wrapper” around WEP by adding additional layer of security but still preserving WEP’s basic functionality
Preshared Key (PSK) Authentication - Secret value manually entered on both AP and each wireless device (essentially identical to “shared secret” used in WEP)
Because secret key not widely known, it may be assumed that only approved devices have key value
WPA TKIP and PSK
Temporal Key Integrity Protocol (TKIP) – Encryption technology “wrapper” around WEP by adding additional layer of security but still preserving WEP’s basic functionality
Preshared Key (PSK) Authentication - Secret value manually entered on both AP and each wireless device (essentially identical to “shared secret” used in WEP)
Because secret key not widely known, it may be assumed that only approved devices have key value
Security+ Guide to Network Security Fundamentals, Fifth Edition

48. WPA Vulnerabilities Vulnerabilities in WPA: Key management Passphrases
Key sharing done manually without security protection
Keys must be changed on regular basis
Key must be disclosed to guest users
Passphrases
PSK passphrases fewer than 20 characters subject to cracking
WPA Vulnerabilities
Vulnerabilities in WPA:
Key management
Key sharing done manually without security protection
Keys must be changed on regular basis
Key must be disclosed to guest users
Passphrases
PSK passphrases fewer than 20 characters subject to cracking
Security+ Guide to Network Security Fundamentals, Fifth Edition

49. Wi-Fi Protected Access 2 (WPA2)
Wi-Fi Protected Access 2 (WPA2) – Second generation of WPA security
Based on final IEEE i standard
Primary difference WPA2 allows wireless clients using TKIP to operate in same WLAN
Like WPA are two modes WPA2:
WPA2 Personal
WPA2 Enterprise
Wi-Fi Protected Access 2 (WPA2)
Wi-Fi Protected Access 2 (WPA2) – Second generation of WPA security
Based on final IEEE i standard
Primary difference WPA2 allows wireless clients using TKIP to operate in same WLAN
Like WPA are two modes WPA2:
WPA2 Personal
WPA2 Enterprise
Security+ Guide to Network Security Fundamentals, Fifth Edition

50. CCMP
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) - Encryption protocol for WPA2
Specifies use of CCM (general-purpose cipher mode algorithm providing data privacy) with AES
Cipher Block Chaining Message Authentication Code (CBC-MAC) component of CCMP provides data integrity and authentication
CCM not require specific block cipher used, but AES is mandated by WPA2 (CCMP for WLANs often designated AES-CCMP)
CCMP
Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) - Encryption protocol for WPA2
Specifies use of CCM (general-purpose cipher mode algorithm providing data privacy) with AES
Cipher Block Chaining Message Authentication Code (CBC-MAC) component of CCMP provides data integrity and authentication
CCM not require specific block cipher used, but AES is mandated by WPA2 (CCMP for WLANs often designated AES-CCMP)
Security+ Guide to Network Security Fundamentals, Fifth Edition

51. Extensible Authentication Protocol (EAP)
Authentication for WPA2 Enterprise model uses IEEE 802.1x standard
Extensible Authentication Protocol (EAP) - Framework for transporting authentication protocols
EAP created as more secure alternative than weak Challenge-Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP)
EAP is framework but not authentication protocol
Extensible Authentication Protocol (EAP)
Authentication for WPA2 Enterprise model uses IEEE 802.1x standard
Extensible Authentication Protocol (EAP) - Framework for transporting authentication protocols
EAP created as more secure alternative than weak Challenge-Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP)
EAP is framework but not authentication protocol
Security+ Guide to Network Security Fundamentals, Fifth Edition

52. EAP Protocols Two common EAP protocols:
Lightweight EAP (LEAP) - Proprietary EAP method developed by Cisco Systems requires mutual authentication using Cisco client software; Cisco now recommends that users migrate to a more secure EAP than LEAP
Protected EAP (PEAP) - Designed to simplify the deployment of 802.1x by using Microsoft Windows logins and passwords; considered more flexible EAP scheme because it creates an encrypted channel between client and authentication server
EAP Protocols
Two common EAP protocols:
Lightweight EAP (LEAP) - Proprietary EAP method developed by Cisco Systems requires mutual authentication using Cisco client software; Cisco now recommends that users migrate to a more secure EAP than LEAP
Protected EAP (PEAP) - Designed to simplify the deployment of 802.1x by using Microsoft Windows logins and passwords; considered more flexible EAP scheme because it creates an encrypted channel between client and authentication server
Security+ Guide to Network Security Fundamentals, Fifth Edition

53. EAP Protocols Supported By WPA2 Enterprise (Table 9-5)
A table with two columns and eight rows. The first row is composed of column headers: EAP name and Description. Row 2. EAP name: EAP-TLS Description: This Internet Engineering Task Force (IETF) global standard protocol uses digital certificates for authentication. Row 3. EAP name: EAP-TTLS/MSCHAPv2 Description: This EAP protocol securely tunnels client password authentication within Transport Layer Security (TLS) records. Row 4. EAP name: PEAPv0/EAP-MSCHAPv2 Description: This version of EAP uses password-based authentication. Row 5. EAP name: PEAPv1/EAP-GTC Description: PEAPv1 uses a changing token value for authentication. Row 6. EAP name: EAP-FAST Description: This EAP protocol securely tunnels any credential form for authentication (such as a password or a token) using TLS. Row 7. EAP name: EAP-SIM Description: EAP-SIM is based on the subscriber identity module (SIM) card installed in mobile phones and other devices that use Global System for Mobile Communications (GSM) networks. Row 8. EAP name: EAP-AKA Description: This EAP uses the Universal Mobile Telecommunications System (UMTS) Subscriber Identity Module (USIM) for authentication.
Security+ Guide to Network Security Fundamentals, Fifth Edition

54. Additional Wireless Security Protections
Public area served by WLAN usually advertises itself or wants user to read and accept Acceptable Use Policy (AUP) before using WLAN
Captive portal AP - Uses standard web browser to:
Provide information
Give wireless user opportunity to agree to policy
Present valid login credentials
Wi-Fi Protected Access 2 (WPA2) (cont.)
Two common EAP protocols:
Lightweight EAP (LEAP) - Proprietary EAP method developed by Cisco Systems requires mutual authentication using Cisco client software; Cisco now recommends that users migrate to a more secure EAP than LEAP
Protected EAP (PEAP) - Designed to simplify the deployment of 802.1x by using Microsoft Windows logins and passwords; considered more flexible EAP scheme because it creates an encrypted channel between client and authentication server
Security+ Guide to Network Security Fundamentals, Fifth Edition

55. Rogue AP Detection Several methods to detect rogue AP:
Wireless device probe - Standard wireless device (portable laptop computer) can be configured as wireless probe
Desktop probe – Desktop computer used as probe
Access point probe – APs can detect neighboring APs
Dedicated probe – Exclusively monitor RF frequency for transmissions
Rogue AP Detection
Several methods to detect rogue AP:
Wireless device probe - Standard wireless device (portable laptop computer) can be configured as wireless probe
Desktop probe – Desktop computer used as probe
Access point probe – APs can detect neighboring APs
Dedicated probe – Exclusively monitor RF frequency for transmissions
Security+ Guide to Network Security Fundamentals, Fifth Edition

56. Power Levels and Placement
Some APs allow adjustment of power level that device transmits
Reducing power allows less signal to reach outsiders
Antenna placement can provide security
Locate near center of coverage area
Place high on wall to reduce signal obstructions and deter theft
Power Levels and Placement
Some APs allow adjustment of power level that device transmits
Reducing power allows less signal to reach outsiders
Antenna placement can provide security
Locate near center of coverage area
Place high on wall to reduce signal obstructions and deter theft
Security+ Guide to Network Security Fundamentals, Fifth Edition

57. Site Survey
Site survey - In-depth examination and analysis of wireless LAN site
Several reasons for conducting a site survey (example: achieving best possible performance from WLAN)
Can also can be used to enhance security of WLAN
Survey can provide optimum location of APs so minimum amount of signal extends past boundaries of organization to be accessible to attackers
Site Survey
Site survey - In-depth examination and analysis of wireless LAN site
Several reasons for conducting a site survey (example: achieving best possible performance from WLAN)
Can also can be used to enhance security of WLAN
Survey can provide optimum location of APs so minimum amount of signal extends past boundaries of organization to be accessible to attackers
Security+ Guide to Network Security Fundamentals, Fifth Edition

58. Security+ Guide to Network Security Fundamentals, Fifth Edition
Chapter 9
Wireless Network Security
Chapter 9
Wireless Network Security