Security+ Guide to Network Security Fundamentals, Third Edition
Chapter 6
Wireless Network Security
Objectives
• Describe the basic IEEE 802.11 wireless security protections
• Define the vulnerabilities of open system authentication, WEP, and device authentication
• Describe the WPA and WPA2 personal security models
• Explain how enterprises can implement wireless security
Security+ Guide to Network Security Fundamentals, Third Edition 2
IEEE 802.11 Wireless Security Protections
• Institute of Electrical and Electronics Engineers (IEEE)
– The most widely known and influential organization for computer networking and wireless communications
• In the early 1980s, the IEEE began work on developing computer network architecture standards
– This work was called Project 802
• In 1990, the IEEE formed a committee to develop a standard for WLANs
– That operate at speeds of 1 and 2 million bits per second (Mbps)
IEEE 802.11 Wireless Security Protections (continued)
• In 1997, the IEEE approved the IEEE 802.11 WLAN standard
• Revisions
– IEEE 802.11a
– IEEE 802.11b
– IEEE 802.11g
– IEEE 802.11n
Controlling Access
• Controlling wireless access of devices to the WLAN
– Accomplished by limiting a device’s access to the access point (AP)
• By restricting access to the AP, only those devices that are authorized are able to connect to the AP and become part of the wireless network
• The IEEE 802.11 standard does not specify how access control is to be implemented
• Almost all wireless AP vendors implement access control through Media Access Control (MAC) address filtering
Controlling Access (continued)
• MAC address filtering is usually implemented by permitting only the listed addresses (an allow list) rather than by blocking listed addresses
• Wired Equivalent Privacy (WEP)
– Designed to ensure that only authorized parties can view transmitted wireless information
– Uses encryption to protect traffic
• The IEEE 802.11 committee designed WEP to meet the following criteria:
– Efficient, exportable, optional, self-synchronizing, and reasonably strong
Controlling Access (continued)
• IEEE 802.11 WEP shared secret keys must be a minimum of 64 bits in length
• The options for creating keys are as follows:
– 64-bit key
– 128-bit key
– Passphrase
• The AP and devices can hold up to four shared secret keys
– One of which must be designated as the default key
Controlling Access (continued)
• Device authentication
– Wireless LANs cannot limit access to the wireless signal by walls or doors
• Sometimes called data emanation
• Types of authentication supported by the 802.11 standard
– Open system authentication
• See Figure 6-6
– Shared key authentication
• See Figure 6-7
Vulnerabilities of IEEE 802.11 Security
• The primary vulnerabilities are in the areas of open system authentication, MAC address filtering, and WEP
Open System Authentication Vulnerabilities
• Open system authentication is considered weak because authentication is based on only one factor:
– A match of SSID
• The easiest way to discover the SSID is to actually do nothing
– Exploits the beaconing process
• Once a wireless device receives a beacon frame, it can attempt to join the network
– By sending an association request frame back to the AP
Open System Authentication Vulnerabilities (continued)
• Passive scanning
– The most common type of scanning
– A wireless device simply listens for a beacon frame for a set period of time
• For a degree of protection, some wireless security sources encourage users to configure their APs to prevent the beacon frame from including the SSID
– But instead require the user to enter the SSID manually on the wireless device
Open System Authentication Vulnerabilities (continued)
• Problems arise when the SSID is not beaconed
– Can affect roaming
– Can also affect devices running Microsoft Windows XP
• The SSID can be easily discovered even when it is not contained in beacon frames
– Still is transmitted in other management frames sent by the AP
• Configuring an access point to not allow the beacon frame to include the SSID provides virtually no protection
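The point above is easiest to see in the frame format itself. The following is an added example, not code from the textbook: a small parser for the tagged information elements that follow the fixed fields of an 802.11 beacon or probe-response body, run over two constructed frame bodies from a hypothetical AP whose beacon carries a zero-length SSID element while its probe response carries the name in full. The subtype and element-ID constants are the standard 802.11 values; the frame contents and the network name "CorpNet" are constructed for the example.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Management-frame subtype values from the IEEE 802.11 frame control field
SUBTYPE_BEACON = 0x08
SUBTYPE_PROBE_RESPONSE = 0x05

IE_SSID = 0              # element ID of the SSID information element
IE_SUPPORTED_RATES = 1   # element ID of the Supported Rates element

# Beacon and probe-response bodies start with the same fixed fields:
# timestamp (8) + beacon interval (2) + capability information (2)
FIXED_FIELDS_LEN = 12


def parse_ies(tagged: bytes) -> List[Tuple[int, bytes]]:
    """Walk the tagged parameters (ID, length, value) that follow the fixed fields.
    A truncated element is reported as an error rather than silently skipped."""
    elements = []
    pos = 0
    while pos < len(tagged):
        if pos + 2 > len(tagged):
            raise ValueError("truncated element header")
        eid, length = tagged[pos], tagged[pos + 1]
        value = tagged[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"element {eid} claims {length} bytes but the frame ends early")
        elements.append((eid, value))
        pos += 2 + length
    return elements


def extract_ssid(body: bytes) -> Optional[str]:
    """Return the SSID carried in a beacon or probe-response body, or None when the
    AP suppressed it (zero-length element, or the all-NUL form some APs emit)."""
    for eid, value in parse_ies(body[FIXED_FIELDS_LEN:]):
        if eid == IE_SSID:
            if len(value) == 0 or value == b"\x00" * len(value):
                return None
            return value.decode("utf-8", errors="replace")
    return None


def build_body(ssid: bytes) -> bytes:
    """Constructed sample body: fixed fields, then SSID and Supported Rates elements."""
    fixed = struct.pack("<QHH", 0x1234, 100, 0x0411)   # timestamp, interval, capability
    ssid_ie = bytes([IE_SSID, len(ssid)]) + ssid
    rates_ie = bytes([IE_SUPPORTED_RATES, 4]) + bytes([0x82, 0x84, 0x8B, 0x96])
    return fixed + ssid_ie + rates_ie


# Constructed capture (not real traffic): one AP, a beacon with the SSID suppressed,
# then the probe response it sends to a client that asked for the network by name.
CAPTURE = [
    (SUBTYPE_BEACON, build_body(b"")),
    (SUBTYPE_PROBE_RESPONSE, build_body(b"CorpNet")),
]


def ssids_seen(frames: List[Tuple[int, bytes]]) -> Dict[int, Optional[str]]:
    """Map each management subtype in the capture to the SSID it disclosed."""
    return {subtype: extract_ssid(body) for subtype, body in frames}


if __name__ == "__main__":
    for subtype, ssid in ssids_seen(CAPTURE).items():
        print(f"subtype 0x{subtype:02x}: SSID={ssid!r}")
```

The beacon yields no name, the probe response yields "CorpNet": suppressing the SSID in beacons changes which frame discloses it, not whether it is disclosed. The parser also refuses a frame whose element length runs past the end of the body instead of guessing, which is the behaviour a defender wants from anything that consumes untrusted management frames.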
MAC Address Filtering Weaknesses
• MAC addresses are initially exchanged in an unencrypted format through the WLAN
– An attacker can easily see the MAC address of an approved device and use it to join the network
• Managing a large number of MAC addresses can pose significant challenges
• MAC address filtering does not provide a means to temporarily allow a guest user to access the network
– Other than manually entering the user’s MAC address into the access point
WEP
• To encrypt packets, WEP can use only a 64-bit or 128-bit number
– Which is made up of a 24-bit initialization vector (IV) and a 40-bit or 104-bit default key
– The relatively short length of the default key limits its strength
• The WEP implementation violates the cardinal rule of cryptography:
– Anything that creates a detectable pattern must be avoided at all costs
– IVs would start repeating in fewer than seven hours
WEP (continued)
• Because of the weaknesses of WEP
– Possible for an attacker to identify two packets derived from the same IV (called a collision)
• Keystream attack
– A method of determining the keystream by analyzing two packets that were created from the same IV
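The two WEP slides above (the 24-bit IV that repeats within hours, and the collision that exposes the keystream) can be worked through concretely. The following is an added example, not code from the textbook: a plain RC4 implementation, WEP-style framing in which the per-packet key is IV || shared secret and the IV is sent in the clear, the arithmetic behind the "fewer than seven hours" figure, and a defender-side check that flags repeated IVs in a capture. The 40-bit secret, the IVs and the packet contents are constructed for the example; the ICV is omitted to keep the framing minimal.

```python
import math
from typing import Dict, List

IV_BITS = 24
IV_LEN = 3   # the 24-bit IV occupies 3 bytes in front of the ciphertext


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by keystream generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """WEP framing: RC4 keyed with IV || secret, the IV prepended in the clear."""
    assert len(iv) == IV_LEN
    return iv + xor_bytes(plaintext, rc4_keystream(iv + secret, len(plaintext)))


def hours_to_exhaust_ivs(frames_per_second: float) -> float:
    """Time until every one of the 2^24 IVs has been used once at a given frame rate."""
    return (2 ** IV_BITS) / frames_per_second / 3600


def expected_frames_until_collision() -> float:
    """Birthday bound: with random IVs a repeat is expected after about sqrt(pi/2 * 2^24) frames."""
    return math.sqrt(math.pi / 2 * 2 ** IV_BITS)


def ciphertext_xor_equals_plaintext_xor(secret: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Two frames under the same IV share a keystream, so XORing the ciphertexts
    cancels it and leaves p1 XOR p2: this is the collision the slide describes."""
    c1 = wep_encrypt(iv, secret, p1)[IV_LEN:]
    c2 = wep_encrypt(iv, secret, p2)[IV_LEN:]
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def find_iv_reuse(frames: List[bytes]) -> Dict[bytes, int]:
    """Defender-side check over captured frames: which IVs appeared more than once."""
    counts: Dict[bytes, int] = {}
    for frame in frames:
        counts[frame[:IV_LEN]] = counts.get(frame[:IV_LEN], 0) + 1
    return {iv: n for iv, n in counts.items() if n > 1}


# Constructed sample: a 40-bit shared secret and three frames, two of them under IV 000001
SECRET = bytes.fromhex("0badc0ffee")
SAMPLE_FRAMES = [
    wep_encrypt(b"\x00\x00\x01", SECRET, b"GET / HTTP/1.1\r\n"),
    wep_encrypt(b"\x00\x00\x02", SECRET, b"HTTP/1.1 200 OK\r\n"),
    wep_encrypt(b"\x00\x00\x01", SECRET, b"user=alice&pw=hunter2"),
]

if __name__ == "__main__":
    print(f"IV space exhausted after {hours_to_exhaust_ivs(1000):.2f} h at 1000 frames/s")
    print(f"first repeat expected after ~{expected_frames_until_collision():.0f} random IVs")
    print("reused IVs:", {iv.hex(): n for iv, n in find_iv_reuse(SAMPLE_FRAMES).items()})
```

At 1000 frames per second the whole IV space is used in about 4.7 hours, which is where the "fewer than seven hours" figure comes from; if IVs are chosen at random rather than counted, the first repeat is expected after only a few thousand frames. Either way a monitoring point that tracks IVs per BSSID, as find_iv_reuse does, sees the collision as soon as it happens.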
Personal Wireless Security
• The wireless security requirements for personal wireless security are most often based on two models promoted by the Wi-Fi Alliance:
– WPA Personal Security
– WPA2 Personal Security
WPA Personal Security
• Wireless Ethernet Compatibility Alliance (WECA)
– A consortium of wireless equipment manufacturers and software providers formed to promote wireless network technology
• WECA goals:
– To encourage wireless manufacturers to use the IEEE 802.11 technologies
– To promote and market these technologies
– To test and certify that wireless products adhere to the IEEE 802.11 standards to ensure product interoperability
WPA Personal Security (continued)
• In 2002, the WECA organization changed its name to Wi-Fi (Wireless Fidelity) Alliance
• In October 2003 the Wi-Fi Alliance introduced Wi-Fi Protected Access (WPA)
– WPA was designed to protect both present and future wireless devices, and it addresses both wireless authentication and encryption
• PSK addresses authentication and TKIP addresses encryption
WPA Personal Security (continued)
• Preshared key (PSK) authentication
– Uses a passphrase to generate the encryption key
• When using PSK, a key must be created and entered into both the access point and all wireless devices
– Prior to the devices communicating with the AP
• The PSK is not used for encryption
– Instead, it serves as the starting point (seed) for mathematically generating the encryption keys
WPA Personal Security (continued)
• WPA replaces WEP with an encryption technology called Temporal Key Integrity Protocol (TKIP)
• TKIP has several advantages over WEP:
– TKIP uses a longer 128-bit key
– TKIP keys are known as per-packet keys
– When coupled with other technologies, TKIP provides an even greater level of security
• WPA also replaces the cyclic redundancy check (CRC) function in WEP with the Message Integrity Check (MIC)
– Designed to prevent an attacker from capturing, altering, and resending data packets
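Why the CRC had to go, as an added example that is not part of the textbook: CRC-32 is an unkeyed, affine function, so the checksum of an altered payload can be computed from the original checksum and the change alone, whereas a keyed integrity check cannot be updated without the key. TKIP's real MIC algorithm is Michael; this example stands in an HMAC-SHA256 for it, since the point being shown is only that the tag depends on a secret. The payload, the modification and the key are constructed for the example.

```python
import hashlib
import hmac
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_icv(payload: bytes) -> int:
    """WEP's integrity check value: an unkeyed CRC-32 of the payload."""
    return zlib.crc32(payload) & 0xFFFFFFFF


def crc_is_affine(a: bytes, b: bytes) -> bool:
    """CRC-32 is affine under XOR: crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros of that length)."""
    zeros = bytes(len(a))
    return crc_icv(xor_bytes(a, b)) == crc_icv(a) ^ crc_icv(b) ^ crc_icv(zeros)


def icv_for_modified(icv: int, delta: bytes) -> int:
    """Because of that linearity the ICV of (payload ^ delta) follows from the
    original ICV and delta alone; the payload itself is never needed."""
    return icv ^ crc_icv(delta) ^ crc_icv(bytes(len(delta)))


def verify_icv(payload: bytes, icv: int) -> bool:
    return crc_icv(payload) == icv


def keyed_mic(key: bytes, payload: bytes) -> bytes:
    """Stand-in keyed integrity check (HMAC-SHA256, not TKIP's Michael)."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify_mic(key: bytes, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(keyed_mic(key, payload), tag)


# Constructed frame payload; DELTA flips one bit so the port field reads 8080 instead of 0080
PAYLOAD = b"dst_port=0080;body=hello world"
DELTA = bytearray(len(PAYLOAD))
DELTA[9] = 0x08            # '0' (0x30) ^ 0x08 == '8'
DELTA = bytes(DELTA)

MIC_KEY = bytes.fromhex("00" * 16)   # constructed; a real MIC key is derived per session


def compare_checks():
    """Apply the same edit to the payload and report (crc_accepts, mic_accepts):
    the CRC check passes with a fixed-up ICV, the keyed check does not."""
    modified = xor_bytes(PAYLOAD, DELTA)
    crc_ok = verify_icv(modified, icv_for_modified(crc_icv(PAYLOAD), DELTA))
    mic_ok = verify_mic(MIC_KEY, modified, keyed_mic(MIC_KEY, PAYLOAD))
    return crc_ok, mic_ok


if __name__ == "__main__":
    print("modified payload:", xor_bytes(PAYLOAD, DELTA))
    print("CRC accepts, MIC accepts:", compare_checks())
```

The CRC result holds even when payload and ICV are both hidden under the same RC4 keystream, because XOR commutes with the keystream; that is the sense in which the slide says the MIC is there to stop altered packets being resent. A keyed check fails on the same edit because a fresh tag cannot be produced without the key.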
WPA2 Personal Security
• Wi-Fi Protected Access 2 (WPA2)
– Introduced by the Wi-Fi Alliance in September 2004
– The second generation of WPA security
– Still uses PSK authentication but instead of TKIP encryption it uses enhanced data encryption
• PSK Authentication
– Intended for personal and small office home office users who do not have advanced server capabilities
– PSK keys are automatically changed and authenticated between devices after a specified period of time known as the rekey interval
WPA2 Personal Security (continued)
• PSK key management weaknesses:
– The distribution and sharing of PSK keys is performed manually without any technology security protections
– PSK only uses a single key
– Changing the PSK key requires reconfiguring the key on every wireless device and on all access points
– In order to allow a guest user to have access to a PSK WLAN, the key must be given to that guest
• A second area of PSK vulnerability is the use of passphrases
WPA2 Personal Security (continued)
• A PSK is a 64-bit hexadecimal number
– The most common way in which this number is generated is by entering a passphrase
• Consisting of letters, digits, punctuation, etc. that is between 8 and 63 characters in length
– PSK passphrases of fewer than 20 characters can be subject to a specific type of attack and broken
• AES-CCMP Encryption
– Encryption under the WPA2 personal security model is accomplished by AES-CCMP
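The passphrase-to-PSK step above, and the earlier slide's point that the PSK is only a seed for the real encryption keys, can both be shown with the standard 802.11i derivations. The following is an added example, not code from the textbook: PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations produces the 256-bit PSK (the value that is written as 64 hex digits), and that PSK, used as the PMK, is expanded with the 802.11 PRF over the two MAC addresses and the two 4-way-handshake nonces into the pairwise transient key whose last 128 bits are the CCMP temporal key. The MAC addresses and nonces are constructed; the test vector "password" / "IEEE" is the published one from the standard.

```python
import hashlib
import hmac
from typing import Tuple

PBKDF2_ITERATIONS = 4096
PSK_LEN = 32   # 256-bit PSK, written as 64 hex digits


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The SSID is the salt, so one passphrase gives a different PSK on every network name."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PSK_LEN)


def passphrase_meets_guidance(passphrase: str) -> bool:
    """The slide's rule of thumb: fewer than 20 characters is too short."""
    return len(passphrase) >= 20


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: HMAC-SHA1 over label || 0x00 || data || counter, concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes,
               anonce: bytes, snonce: bytes) -> Tuple[bytes, bytes, bytes]:
    """Pairwise transient key from the PMK (the PSK in the personal model), the AP and
    station MAC addresses and the two handshake nonces. Returns (KCK, KEK, TK) for CCMP;
    min/max ordering makes the result the same whichever side computes it."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


# Constructed handshake parameters (not captured from a real network)
AP_MAC = bytes.fromhex("001122334401")
STA_MAC = bytes.fromhex("aabbccddeeff")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    psk = wpa_psk("password", "IEEE")
    print("PSK:", psk.hex())
    kck, kek, tk = derive_ptk(psk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    print("TK :", tk.hex())
```

Two things follow from the code. The PSK never touches a data frame: the temporal key depends on nonces exchanged fresh in every handshake, so per-session keys differ even though the PSK is fixed. And because the PSK is a deterministic function of passphrase and SSID only, the whole scheme is exactly as strong as the passphrase, which is why the slide's length guidance matters.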
WPA2 Personal Security (continued)
• CCMP is based upon the Counter Mode with CBC-MAC (CCM)
– Of the Advanced Encryption Standard (AES) encryption algorithm
• CCM is the algorithm providing data privacy
– While the Cipher Block Chaining Message Authentication Code (CBC-MAC) component of CCMP provides data integrity and authentication
Enterprise Wireless Security
• The enterprise wireless security options can be divided into those that follow the IEEE 802.11i standard and those that follow the WPA and WPA2 models
IEEE 802.11i
• The IEEE 802.11i wireless security standard
– Addresses the two main weaknesses of wireless networks: encryption and authentication
• Encryption is accomplished by replacing WEP’s original PRNG RC4 algorithm
– With a stronger cipher that performs three steps on every block (128 bits) of plaintext
• IEEE 802.11i authentication and key management is accomplished by the IEEE 802.1x standard
IEEE 802.11i (continued)
• Key-caching
– Stores information from a device on the network so that if a user roams away from a wireless access point and later returns, the user does not need to re-enter all of the credentials
• Pre-authentication
– Allows a device to become authenticated to an AP before moving into range of the AP
WPA Enterprise Security
• The WPA Enterprise Security model is designed for medium to large-size organizations
– Provides improved authentication and encryption over the personal model on a wireless LAN
• The authentication used is IEEE 802.1x and the encryption is TKIP
WPA Enterprise Security (continued)
• IEEE 802.1x Authentication
– Provides an authentication framework for all IEEE 802-based LANs
– Uses port-based authentication mechanisms
– Does not perform any encryption
• TKIP Encryption
– An improvement on WEP encryption
– Designed to fit into the existing WEP procedure
WPA2 Enterprise Security
• Provides the highest level of secure authentication and encryption on a wireless LAN
• Authentication used is IEEE 802.1x and the encryption is AES-CCMP
• IEEE 802.1x authentication provides the most robust authentication for a WPA2 enterprise model WLAN
• Encryption is based on the stronger AES-CCMP
– Only the 128-bit key and 128-bit block are mandatory for WPA2
Enterprise Wireless Security Devices
• Thin Access Point
– An access point without the authentication and encryption functions
• These features reside on the wireless switch
• Advantages
– The APs can be managed from one central location
– All authentication is performed in the wireless switch
Enterprise Wireless Security Devices (continued)
• Wireless VLANs
– Can be used to segment traffic and increase security
– The flexibility of a wireless VLAN depends on which device separates the packets and directs them to different networks
• See Figures 6-14 and 6-15
• For enhanced security many organizations set up two wireless VLANs
– One for employee access
– One for guest access
Enterprise Wireless Security Devices (continued)
• Rogue Access Point Discovery Tools
– Wireless protocol analyzer
• Allows auditing the airwaves for rogue access points
– Monitoring the RF frequency requires a special sensor called a wireless probe
• Types of wireless probes:
– Wireless device probe
– Desktop probe
– Access point probe
– Dedicated probe
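Whatever kind of probe collects the scan, the discovery logic behind it is the same: compare what is heard against an inventory of the organisation's own APs. The following is an added example, not code from the textbook or from any particular product: a classifier that labels each heard BSSID as authorized, misconfigured (our hardware with the wrong SSID or security), rogue (unknown hardware advertising one of our SSIDs) or neighbor, and also reports inventory APs the probe did not hear. The inventory, the SSIDs and the scan results are constructed for the example.

```python
from typing import Dict, List, Set, Tuple

# Constructed inventory of the organisation's own APs: BSSID -> (SSID, security)
AUTHORIZED_APS: Dict[str, Tuple[str, str]] = {
    "00:11:22:33:44:01": ("CorpNet", "WPA2-Enterprise"),
    "00:11:22:33:44:02": ("CorpNet", "WPA2-Enterprise"),
    "00:11:22:33:44:03": ("CorpGuest", "WPA2-PSK"),
}
CORPORATE_SSIDS: Set[str] = {ssid for ssid, _ in AUTHORIZED_APS.values()}

# Constructed probe output (not a real scan); one entry per BSSID heard
SCAN: List[dict] = [
    {"bssid": "00:11:22:33:44:01", "ssid": "CorpNet", "security": "WPA2-Enterprise", "rssi": -45},
    {"bssid": "00:11:22:33:44:03", "ssid": "CorpGuest", "security": "Open", "rssi": -60},
    {"bssid": "AA:BB:CC:DD:EE:FF", "ssid": "CorpNet", "security": "WPA2-PSK", "rssi": -50},
    {"bssid": "12:34:56:78:9a:bc", "ssid": "NeighborWifi", "security": "WPA2-PSK", "rssi": -80},
]


def classify_aps(scan: List[dict], authorized: Dict[str, Tuple[str, str]],
                 corporate_ssids: Set[str]) -> Dict[str, str]:
    """Label every heard BSSID. Unknown hardware using one of our SSIDs is the
    classic rogue / evil-twin pattern; our own hardware with the wrong SSID or
    security setting is a misconfiguration worth the same attention."""
    inventory = {bssid.lower(): v for bssid, v in authorized.items()}
    verdicts: Dict[str, str] = {}
    for ap in scan:
        bssid = ap["bssid"].lower()
        if bssid in inventory:
            expected = inventory[bssid]
            verdicts[bssid] = "authorized" if (ap["ssid"], ap["security"]) == expected else "misconfigured"
        elif ap["ssid"] in corporate_ssids:
            verdicts[bssid] = "rogue"
        else:
            verdicts[bssid] = "neighbor"
    return verdicts


def rogue_aps(scan: List[dict], authorized: Dict[str, Tuple[str, str]],
              corporate_ssids: Set[str]) -> List[str]:
    """BSSIDs that need investigation first."""
    return sorted(b for b, v in classify_aps(scan, authorized, corporate_ssids).items() if v == "rogue")


def unheard_aps(scan: List[dict], authorized: Dict[str, Tuple[str, str]]) -> List[str]:
    """Inventory APs this probe did not hear: out of range of the sensor, or down."""
    heard = {ap["bssid"].lower() for ap in scan}
    return sorted(b.lower() for b in authorized if b.lower() not in heard)


if __name__ == "__main__":
    for bssid, verdict in classify_aps(SCAN, AUTHORIZED_APS, CORPORATE_SSIDS).items():
        print(f"{bssid}  {verdict}")
    print("not heard:", unheard_aps(SCAN, AUTHORIZED_APS))
```

The verdicts hinge on the BSSID, not the SSID, which is why the inventory must be kept current: an AP added without being recorded shows up as a rogue, and a rogue that copies a recorded BSSID would be missed by this check alone (a probe that also compares channel and signal strength against the recorded location narrows that gap).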
Summary
• The initial IEEE 802.11 standard contained security controls for protecting wireless transmissions from attackers
• The Wi-Fi Alliance has introduced two levels of personal security
– Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2)
• Enterprise wireless security requires different security models from personal wireless security
• Additional wireless security devices can be used to defend against attackers