
Security+ Guide to Network
Security Fundamentals,
Fourth Edition
Chapter 8
Wireless Network Security
Objectives
• Describe the different types of wireless network
attacks
• List the vulnerabilities in IEEE 802.11 security
• Explain the solutions for securing a wireless
network
Security+ Guide to Network Security Fundamentals, Fourth Edition
2
Introduction
• Wireless data communications have revolutionized
computer networking
– Wireless data networks found virtually everywhere
• Wireless networks have been targets for attackers
– Early wireless networking standards had
vulnerabilities
– Changes in wireless network security yielded
security comparable to wired networks
Wireless Attacks
• Bluetooth
– Wireless technology
– Uses short-range radio frequency transmissions
– Provides for rapid, ad-hoc device pairings
• Example: smartphone and Bluetooth headphones
– Personal Area Network (PAN) technology
• Two types of Bluetooth network topologies
– Piconet
– Scatternet
Table 8-1 Bluetooth products
Wireless Attacks (cont’d.)
• Piconet
– Established when two Bluetooth devices come within
range of each other
– One device (master) controls all wireless traffic
– Other device (slave) takes commands
• Active slaves can send transmissions
• Parked slaves are connected but not actively
participating
Figure 8-1 Bluetooth piconet
© Cengage Learning 2012
Wireless Attacks (cont’d.)
• Scatternet
– Group of piconets with connections between
different piconets
• Bluejacking
– Attack that sends unsolicited messages to
Bluetooth-enabled devices
• Text messages, images, or sounds
– Considered more annoying than harmful
• No data is stolen
Figure 8-2 Bluetooth scatternet
Wireless Attacks (cont’d.)
• Bluesnarfing
– Unauthorized access to wireless information through
a Bluetooth connection
– Often between cell phones and laptops
– Attacker copies e-mails, contacts, or other data by
connecting to the Bluetooth device without owner’s
knowledge
Wireless LAN Attacks
• Institute of Electrical and Electronics Engineers
(IEEE)
– Most influential organization for computer networking
and wireless communications
– Dates back to 1884
– Began developing network architecture standards in
the 1980s
• 1997: release of IEEE 802.11
– Standard for wireless local area networks (WLANs)
– Higher speeds added in 1999: IEEE 802.11b
Wireless LAN Attacks (cont’d.)
• IEEE 802.11a
– Specifies maximum rated speed of 54Mbps using
the 5GHz spectrum
• IEEE 802.11g
– Preserves stable and widely accepted features of
802.11b
– Increases data transfer rates similar to 802.11a
• IEEE 802.11n
– Ratified in 2009
Wireless LAN Attacks (cont’d.)
• Improvements in IEEE 802.11n
– Speed
– Coverage area
– Interference
– Security
• Wireless client network interface card adapter
– Performs same functions as wired adapter
– Antenna sends and receives signals
Wireless LAN Attacks (cont’d.)
• Access point (AP) major parts
– Antenna and radio transmitter/receiver send and
receive wireless signals
– Bridging software to interface wireless devices to
other devices
– Wired network interface allows it to connect by cable
to standard wired network
• AP functions
– Acts as “base station” for wireless network
Figure 8-3 Access point
Wireless LAN Attacks (cont’d.)
• AP functions (cont’d.)
– Acts as a bridge between wireless and wired
networks
• Can connect to wired network by a cable
• Autonomous access points
– Separate from other network devices and access
points
– Have necessary “intelligence” for wireless
authentication, encryption, and management
Wireless LAN Attacks (cont’d.)
• Wireless broadband routers
– Single hardware device containing AP, firewall,
router, and DHCP server
• Wireless networks have been vulnerable targets for
attackers
– Not restricted to a cable
• Types of wireless LAN attacks
– Discovering the network
– Attacks through the RF spectrum
– Attacks involving access points
Wireless LAN Attacks (cont’d.)
• Discovering the network
– One of first steps in attack is to discover presence of
a network
• Beaconing
– AP sends signal at regular intervals to announce its
presence and provide connection information
– Wireless device scans for beacon frames
• War driving
– Process of passive discovery of wireless network
locations
Table 8-2 War driving tools
Wireless LAN Attacks (cont’d.)
• War chalking
– Documenting and then advertising location of
wireless LANs for others to use
– Previously done by drawing on sidewalks or walls
around network area
– Today, locations are posted on Web sites
Table 8-4 War chalking symbols
Wireless LAN Attacks (cont’d.)
• Attacks through the RF spectrum
– Wireless protocol analyzer
– Generating interference
• Wireless protocol analyzer
– Wireless traffic captured to decode and analyze
packet contents
– Network interface card (NIC) adapter must be in
correct mode
Wireless LAN Attacks (cont’d.)
• Six modes of wireless NICs
– Master (acting as an AP)
– Managed (client)
– Repeater
– Mesh
– Ad-hoc
– Monitor
• Interference
– Signals from other devices can disrupt wireless
transmissions
Wireless LAN Attacks (cont’d.)
• Devices that can cause interference with a WLAN
– Microwave ovens
– Elevator motors
– Copy machines
– Outdoor lighting (certain types)
– Theft protection devices
– Bluetooth devices
Figure 8-5 Attacker interference
Wireless LAN Attacks (cont’d.)
• Attacks using access points
– Rogue access points
– Evil twins
• Rogue access point
– Unauthorized access point that allows attacker to
bypass network security configurations
– May be set up behind a firewall, opening the network
to attacks
Figure 8-6 Rogue access point
Wireless LAN Attacks (cont’d.)
• Evil twin
– AP set up by an attacker
– Attempts to mimic an authorized AP
– Attackers capture transmissions from users to evil
twin AP
Vulnerabilities of IEEE 802.11 Security
• Original IEEE 802.11 committee recognized
wireless transmissions could be vulnerable
– Implemented several wireless security protections in
the standard
– Left others to WLAN vendor’s discretion
– Protections were vulnerable and led to multiple
attacks
MAC Address Filtering
• Method of controlling WLAN access
– Limit a device’s access to AP
• Media Access Control (MAC) address filtering
– Used by nearly all wireless AP vendors
– Permits or blocks device based on MAC address
• Vulnerabilities of MAC address filtering
– Addresses exchanged in unencrypted format
– Attacker can see address of approved device and
substitute it on his own device
– Managing large number of addresses is challenging
Figure 8-7 MAC address filtering
SSID Broadcast
• Each device must be authenticated prior to
connecting to the WLAN
• Open system authentication
– Device discovers wireless network and sends
association request frame to AP
– Frame carries Service Set Identifier (SSID)
• User-supplied network name
• Can be any alphanumeric string 2-32 characters long
– AP compares SSID with actual SSID of network
• If the two match, wireless device is authenticated
Figure 8-8 Open system authentication
SSID Broadcast (cont’d.)
• Open system authentication is weak
– Based only on match of SSIDs
– Attacker can wait for the SSID to be broadcast by
the AP
• Users can configure APs to prevent beacon frame
from including the SSID
– Provides only a weak degree of security
– Can be discovered when transmitted in other frames
– Older versions of Windows XP have an added
vulnerability if this approach is used
Wired Equivalent Privacy (WEP)
• IEEE 802.11 security protocol
• Encrypts plaintext into ciphertext
• Secret key is shared between wireless client device
and AP
– Key used to encrypt and decrypt packets
• WEP vulnerabilities
– WEP can only use 64-bit or 128-bit number to
encrypt
• Initialization vector (IV) is only 24 of those bits
• Short length makes it easier to break
Figure 8-9 WEP encryption process
Wired Equivalent Privacy (cont’d.)
• WEP vulnerabilities (cont’d.)
– Violates cardinal rule of cryptography: avoid a
detectable pattern
– Attackers can see duplication when IVs start
repeating
• Keystream attack (or IV attack)
– Attacker identifies two packets derived from same IV
– Uses XOR to discover plaintext
– See Figures 8-10 and 8-11 for details
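The keystream (IV) attack above, worked through as an added example that is not part of the textbook's slides. WEP seeds RC4 with IV || shared key and sends the 24-bit IV in the clear, so two packets under one IV share a keystream and their ciphertexts XOR to the XOR of their plaintexts. The key, IV, and packet contents below are constructed; the CRC/ICV is omitted, and the last function gives the birthday bound for how soon a 24-bit IV repeats.

```python
import math

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), the stream cipher WEP is built on."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP per-packet keystream = RC4(IV || key); the ICV/CRC is left out."""
    assert len(iv) == 3, "the WEP IV is 24 bits"
    return xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))

def recover_with_known_plaintext(c1: bytes, p1_known: bytes, c2: bytes) -> bytes:
    """Same IV on both packets: c1 ^ c2 == p1 ^ p2, so p2 = c1 ^ c2 ^ p1."""
    return xor_bytes(xor_bytes(c1, c2), p1_known)

def iv_collision_packets(iv_bits: int = 24) -> float:
    """Birthday bound: packets until there is a 50% chance some IV repeats."""
    return math.sqrt(2 * math.log(2) * 2 ** iv_bits)

if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"             # constructed 40-bit WEP key
    iv = b"\x11\x22\x33"                      # constructed IV, reused below
    p1 = b"GET /index.html "                  # constructed, known plaintext
    p2 = b"password=secret!"                  # constructed, unknown plaintext
    c1 = wep_encrypt(iv, key, p1)
    c2 = wep_encrypt(iv, key, p2)             # same IV twice: the WEP flaw
    print(recover_with_known_plaintext(c1, p1, c2))   # b'password=secret!'
    print(round(iv_collision_packets()))              # 4823
```

Because the bound is only a few thousand packets, a busy AP repeats IVs within minutes, which is why the slide calls this a detectable pattern.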
Figure 8-10 XOR operations
Figure 8-11 Capturing packets
Wireless Security Solutions
• Unified approach to WLAN security was needed
– IEEE and Wi-Fi Alliance began developing security
solutions
• Resulting standards used today
– IEEE 802.11i
– WPA and WPA2
Wi-Fi Protected Access (WPA)
• Introduced in 2003 by the Wi-Fi Alliance
• A subset of IEEE 802.11i
• Design goal: protect present and future wireless
devices
• Temporal Key Integrity Protocol (TKIP) Encryption
– Used in WPA
– Uses a longer 128-bit key than WEP
– Dynamically generated for each new packet
Wi-Fi Protected Access (cont’d.)
• Preshared Key (PSK) Authentication
– After AP configured, client device must have same
key value entered
– Key is shared prior to communication taking place
– Uses a passphrase to generate encryption key
• Must be entered on each AP and wireless device in
advance
– Not used for encryption
• Serves as starting point for mathematically generating
the encryption keys
Wi-Fi Protected Access (cont’d.)
• Vulnerabilities in WPA
– Key management
• Key sharing is done manually without security
protection
• Keys must be changed on a regular basis
• Key must be disclosed to guest users
– Passphrases
• PSK passphrases of fewer than 20 characters subject
to cracking
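An added example (not from the textbook) covering both the PSK slide, where the passphrase is only the starting point for deriving keys, and the passphrase-length warning above. IEEE 802.11i defines the 256-bit PSK as PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, for 4096 iterations; the policy threshold of 20 characters is the slide's figure.

```python
import hashlib

MIN_PASSPHRASE_LEN = 20   # the slide's threshold: shorter passphrases crack easily

def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096 iterations, 32 bytes).

    The passphrase never encrypts traffic; the PSK it yields is the
    starting point from which the per-session keys are later derived.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def passphrase_policy_ok(passphrase: str) -> bool:
    """Defensive check matching the slide: require at least 20 characters."""
    return len(passphrase) >= MIN_PASSPHRASE_LEN

if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(derive_psk("password", "IEEE").hex())
    # The SSID acts as a salt, so a precomputed table only helps for one SSID.
    print(derive_psk("password", "IEEE") == derive_psk("password", "ieee"))  # False
```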
Wi-Fi Protected Access 2 (WPA2)
• Second generation of WPA known as WPA2
– Introduced in 2004
– Based on final IEEE 802.11i standard
– Uses Advanced Encryption Standard (AES)
– Supports both PSK and IEEE 802.1x authentication
• AES-CCMP Encryption
– Encryption protocol standard for WPA2
– CCM is the algorithm providing data privacy
– CBC-MAC component of CCMP provides data
integrity and authentication
Wi-Fi Protected Access 2 (cont’d.)
• AES encryption and decryption
– Should be performed in hardware because of its
computationally intensive nature
• IEEE 802.1x authentication
– Originally developed for wired networks
– Provides greater degree of security by implementing
port security
– Blocks all traffic on a port-by-port basis until client is
authenticated
Wi-Fi Protected Access 2 (cont’d.)
• Extensible Authentication Protocol (EAP)
– Framework for transporting authentication protocols
– Defines message format
– Uses four types of packets
• Request
• Response
• Success
• Failure
• Lightweight EAP (LEAP)
– Proprietary method developed by Cisco Systems
Wi-Fi Protected Access 2 (cont’d.)
• Lightweight EAP (cont’d.)
– Requires mutual authentication, used for WLAN
encryption, via Cisco client software
– Can be vulnerable to specific types of attacks
• No longer recommended by Cisco
• Protected EAP (PEAP)
– Simplifies deployment of 802.1x by using Microsoft
Windows logins and passwords
– Creates encrypted channel between client and
authentication server
Table 8-3 Wireless security solutions
Other Wireless Security Steps
• Antenna placement
– Locate near center of coverage area
– Place high on a wall to reduce signal obstructions
and deter theft
• Power level controls
– Some APs allow adjustment of the power level at
which the LAN transmits
– Reducing power allows less signal to reach
outsiders
Other Wireless Security Steps (cont’d.)
• Organizations are becoming increasingly
concerned about existence of rogue APs
• Rogue access point discovery tools
– Security personnel can manually audit airwaves
using wireless protocol analyzer
– Continuously monitoring the RF airspace using a
wireless probe
• Types of wireless probes
– Wireless device probe
– Desktop probe
Other Wireless Security Steps (cont’d.)
• Types of wireless probes (cont’d.)
– Access point probe
– Dedicated probe
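The rogue-AP discovery the probes above perform, as an added example that is not from the textbook: observed beacons are compared against an inventory of authorized APs, flagging an evil twin (the organization's SSID from a foreign BSSID) separately from a plain rogue. The inventory and scan results are constructed; a real probe would feed in live beacon captures.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str       # AP MAC address as seen in the beacon, lowercase
    channel: int

# Constructed inventory of the organization's own APs: BSSID -> SSID.
AUTHORIZED = {
    "00:11:22:aa:bb:01": "CorpNet",
    "00:11:22:aa:bb:02": "CorpNet",
    "00:11:22:aa:bb:03": "CorpGuest",
}

def classify(beacons, authorized=AUTHORIZED):
    """Return {bssid: verdict} for each observed beacon.

    'evil twin'     : one of our SSIDs advertised by a BSSID we do not own
    'rogue'         : unknown AP in our airspace (possibly bridged to the LAN)
    'ssid mismatch' : our AP advertising an SSID it is not configured for
    'authorized'    : matches inventory
    A BSSID can be forged, so this is a first-pass alert, not proof of safety.
    """
    our_ssids = set(authorized.values())
    verdicts = {}
    for b in beacons:
        if b.bssid in authorized:
            verdicts[b.bssid] = ("authorized" if authorized[b.bssid] == b.ssid
                                 else "ssid mismatch")
        elif b.ssid in our_ssids:
            verdicts[b.bssid] = "evil twin"
        else:
            verdicts[b.bssid] = "rogue"
    return verdicts

def alerts(beacons, authorized=AUTHORIZED):
    """Only the entries a security team needs to act on."""
    return {k: v for k, v in classify(beacons, authorized).items()
            if v != "authorized"}

OBSERVED = [  # constructed scan results from one probe sweep
    Beacon("CorpNet", "00:11:22:aa:bb:01", 6),
    Beacon("CorpNet", "de:ad:be:ef:00:01", 6),    # our SSID, foreign BSSID
    Beacon("FreeWifi", "de:ad:be:ef:00:02", 11),
    Beacon("CorpGuest", "00:11:22:aa:bb:03", 1),
]

if __name__ == "__main__":
    for bssid, verdict in alerts(OBSERVED).items():
        print(f"ALERT {verdict:13s} {bssid}")
```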
• Wireless virtual LANs (VLANs)
– Organizations may set up two wireless VLANs
• One for employee access, one for guest access
– Configured in one of two ways
• Depending on which device separates and directs the
packets to different networks
Summary
• Bluetooth is a wireless technology using short-range RF transmissions
• IEEE has developed five wireless LAN standards to
date, four of which are popular today
– (IEEE 802.11a/b/g/n)
• Attackers can identify the existence of a wireless
network using war driving
• Wired Equivalent Privacy relies on a secret key
shared between wireless client device and access
point
Summary (cont’d.)
• Wi-Fi Protected Access (WPA) and WPA2 have
become the foundations of wireless security today
• Other steps to protect a wireless network include:
– Antenna positioning
– Access point power level adjustment
– Detecting rogue access points