Network Management and Security
Chapter 7
Wireless Security
Gebeyehu B. (Dr. of Eng.) Asct Professor
Network management and security Chapter 7
Chapter contents
Basic concept of wireless security
WLAN Definition, Configurations and Architecture (How
Wireless Works)
Risks of Wireless Open Ports
War-Driving and War-Chalking
SAFE WLAN Design Techniques and Considerations
Basic concept of wireless security
What are Wireless Networks?
A wireless network is the way that a computer is connected to a router
without a physical link.
Why do we need them?
Facilitates mobility: you can use lengthy wires instead, but someone might
trip over them.
Why security?
An attacker may hack a victim’s personal computer and steal private data, or may
perform illegal activities or crimes using the victim’s machine and ID.
There is also a possibility of reading wirelessly transferred data (by using
sniffers).
The three security approaches are:
WEP (Wired Equivalent Privacy)
WPA (Wi-Fi Protected Access)
WPA2 (Wi-Fi Protected Access, Version 2)
A wireless LAN or WLAN is a wireless local area network that
uses radio waves as its carrier.
The last link with the users is wireless, to give a network connection
to all users in a building or campus.
The backbone network usually uses cables
The wireless LAN connects to a wired LAN.
An access point is needed to bridge wireless LAN traffic into the wired LAN.
The access point (AP) can also act as a repeater for wireless nodes, effectively
doubling the maximum possible distance between nodes.
Elements of a wireless network
base station:
  typically connected to wired network
  relay: responsible for sending packets between wired network and
  wireless host(s) in its “area”
  e.g., cell towers, 802.11 access points
wireless hosts:
  laptop, smartphone
  run applications
  may be stationary (non-mobile) or mobile
  wireless does not always mean mobility
wireless link:
  typically used to connect mobile(s) to base station
  also used as backbone link
  multiple access control (MAC) protocol coordinates link access
  various data rates, transmission distance
infrastructure mode:
  base station connects mobiles into wired network
  handoff: mobile changes base station providing connection into
  wired network
Wireless LANs are very useful and convenient, but the current security state is
not ideal for sensitive environments.
Growing use and popularity require increased focus on security.
Concerns for wireless security are similar to those found in a wired
environment.
Security requirements are the same:
confidentiality, integrity, availability, authenticity, accountability
The most significant source of risk is the underlying communications medium.
Key factors contributing to higher security risk of wireless networks
Channel
Wireless networking typically involves broadcast communications, which is far
more susceptible to eavesdropping and jamming than wired networks
Wireless networks are also more vulnerable to active attacks that exploit
vulnerabilities in communications protocols
Mobility
Wireless devices are far more portable and mobile, thus resulting in a number of
risks
Resources
Some wireless devices, such as smartphones and tablets, have
sophisticated operating systems but limited memory and processing
resources with which to counter threats, including denial of service and
malware
Accessibility
Some wireless devices, such as sensors and robots, may be left
unattended in remote and/or hostile locations, thus greatly increasing their
vulnerability to physical attacks
Uses
Key drivers are mobility and accessibility
Easily change work locations in the office
Increased productivity
Improved collaboration
No need to reconnect to the network
Ability to work in more areas
Reduced costs
No need to wire hard-to-reach areas
The WLAN security wheel
An effective wireless security policy works to ensure that the network assets of the
organization are protected from sabotage and from inappropriate access, which
includes both intentional and accidental access.
All wireless security features should be configured in compliance with the security
policy of the organization.
If a security policy is not present, or if the policy is out of date, the policy should
be created or updated before deciding how to configure or deploy wireless
devices.
WLAN Definition, Configurations and Architecture
(How Wireless Works)
Basic Configuration
WLAN Communication
WLAN Packet Structure
Basic configuration
Most wireless access points are easily
accessible.
They are usually located near users and
outside of locked rooms.
This puts wireless access points at special
risk for theft and for compromise by
malicious users.
Network monitoring can be used to
determine when an access point goes offline.
Proper procedures will need to be followed
to determine what happened to the
equipment.
Almost all wireless vendors publish the
methods of resetting an access point using
reset buttons or the console port.
WLAN Communication
CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance)
instead of Collision Detection
WLAN adapter cannot send and receive traffic at the same time
on the same channel
Hidden Node Problem
Four-Way Handshake
Security Issues and Solutions
Sniffing and War Driving
Rogue Networks
Policy Management
MAC Address
SSID
WEP
Basic WLAN architecture
Service set ID (SSID)
SSID is the network name for a
wireless network
Common WLAN product
defaults: “101” for 3COM and
“tsunami” for Cisco
Clients can be required to specifically
request the access point by
name (lets the SSID act as a
password)
The more people that know the
SSID, the higher the likelihood
it will be misused.
Changing the SSID requires
communicating the change to
all users of the network
Wired equivalent privacy (WEP)
Designed to be computationally efficient, self-synchronizing, and
exportable
Vulnerable to attack
Passive attacks to decrypt traffic based on statistical analysis
Active attacks to inject new traffic from unauthorized mobile stations,
based on known plaintext
Dictionary-building attack that, after analysis of a day’s worth of traffic,
allows real-time automated decryption of all traffic
All users of a given access point share the same encryption key
Data headers remain unencrypted so anyone can see the source
and destination of the data stream
WLAN Implementation
Varies due to organization size and security concerns
Rapidly becoming very popular.
This is due to many characteristics such as:
Need for mobility.
Cost effectiveness.
Convenience.
Rapid deployment ability.
Decrease in size of electronic and digital equipment.
Speed of mobile computing devices.
Types of WLAN
LAN Extension:
Provide wireless connections of mobile computing units to a wired network.
Used in manufacturing, stock exchange, and warehouses.
Cross-building Interconnect:
Used to provide wireless connections between buildings.
Uses microwave communications with dish shaped antennas.
More of a link than a LAN.
Nomadic Access:
Used to provide connectivity from mobile units such as a laptop, PDA or
other computing devices to, for example, a fixed campus network.
Ad Hoc Networking:
Also called rapidly deployable networks.
An increasingly popular form of establishing networks between mobile
computing devices, such as laptops, computers inside moving vehicles.
The temporary wireless network is established dynamically on the fly.
Risks of Wireless Open Ports
Wireless attack methods can be broken up into three categories:
Reconnaissance
Access attack
Denial of Service (DoS)
Reconnaissance
Reconnaissance is the unauthorized discovery and mapping of systems,
services, or vulnerabilities.
Not usually illegal, but is illegal in some countries.
It is also known as information gathering and it usually precedes an actual
access or DoS attack.
Reconnaissance is similar to a thief scouting a neighborhood for unsecure
homes.
Wireless reconnaissance is often called war-driving.
Access attack
System access, in this context, is the ability for an unauthorized intruder to
gain access to a device for which the intruder does not have an account or
password.
Entering or accessing systems to which one does not have authorized access
usually involves running a hack script or tool that exploits a known
vulnerability of the system or application being attacked.
Includes
Exploitation of weak or non-existent passwords
Exploitation of services such as HTTP, FTP, SNMP, CDP, and Telnet.
Wired Equivalent Privacy (WEP) Attacks
Attacks against WEP include Bit Flipping, Replay Attacks, and Weak IV
collection.
Many WEP attacks have not been released from the laboratory, but they are
well documented.
One utility, called AirSnort, captures weak Initialization Vectors to determine
the WEP key being used.
Denial of service (DoS)
DoS is when an attacker disables
or corrupts wireless networks,
systems, or services, with the
intent of denying the service to
authorized users.
DoS attacks take many forms.
In most cases, performing the
attack simply involves running a
hack, script, or tool.
How to make your wireless network secure?
Access Control Lists
Based on MAC address
Configure AP to only allow connection from ‘trusted’ stations with the
right MAC address
Most vendors support this, although not in the standard
Use WEP encryption/decryption as authentication mechanism
Use WEP to encrypt data transmitted to guard against
eavesdropping
Secure WLAN
Intended to protect the link between the wireless client and the (assumed) more
secure wired network
Similar to a VPN and provides server authentication, client
authentication, data privacy, and integrity using per session and
per user short life keys
Simpler and more cost efficient than a VPN
Cross-platform support and interoperability; not highly scalable,
though
Supports Linux and Windows
Open Source (slan.sourceforge.net)
Things to keep in mind when securing a WLAN
All WLAN should be considered insecure, and thus should be
treated that way
Never put a WLAN within the perimeter of your wired LAN’s
firewall
Use WEP; it will deter most would-be trespassers
Do not leave default WEP key
Implement 802.1X with key rotation every 5 to 10 minutes
Combine security mechanisms.
Security Service Dependencies
Authentication
Authorization
Data Integrity
Data Confidentiality
Authentication and association
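Figure: 802.11 authentication and association states. The probe process is
followed by the authentication process and then the association process.
State 1: unauthenticated, unassociated
State 2: authenticated, unassociated (reached by successful authentication)
State 3: authenticated, associated (reached by successful association)
Reverse transitions: deauthentication, disassociation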
Open Authentication and Shared Key Authentication are the two methods that the
802.11 standard defines for clients to connect to an access point.
The association process can be broken down into three elements known as probe,
authentication, and association.
This section will explain both authentication methods.
Open authentication
Open Authentication is basically a null authentication, which means there is
no verification of the user or machine.
Authentication process
On a wired network, authentication is implicitly provided by the physical cable
from the PC to the switch.
Authentication is the process to ensure that stations attempting to associate with
the network (AP) are allowed to do so.
802.11 specifies two types of authentication:
Open-system
Shared-key (makes use of WEP)
Data integrity
The MIC is a feature used to augment the ineffective Integrity Check Value
(ICV) of 802.11 standard. (More to be added on this at a later date.)
The MIC solves vulnerabilities such as the frame tampering/bit flipping
attacks (to be added later).
The IEEE has proposed a specific algorithm, Michael, to augment the ICV
function in the encryption of 802.11 data frames.
The MIC has a unique key that differs from the key used to encrypt data frames.
This unique key is mixed with the destination MAC address and the source
MAC address from the frame as well as the entire unencrypted data payload
of the frame.
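Why the ICV does not catch frame tampering while a keyed MIC does, as an added example that is not part of the original slides. It rebuilds WEP encapsulation (RC4 over payload plus CRC-32 ICV) on constructed keys, addresses and payload; a truncated HMAC-SHA256 stands in for Michael, and all function names are illustrative.

```python
import hashlib
import hmac
import struct
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """First n bytes of RC4 keystream (the stream cipher WEP uses)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """WEP ICV: an unkeyed CRC-32 of the payload."""
    return struct.pack("<I", zlib.crc32(data))

def wep_seal(iv: bytes, key: bytes, payload: bytes) -> bytes:
    body = payload + icv(payload)
    return xor(body, rc4(iv + key, len(body)))  # per-frame RC4 key = IV || shared key

def wep_open(iv: bytes, key: bytes, frame: bytes):
    body = xor(frame, rc4(iv + key, len(frame)))
    payload, received_icv = body[:-4], body[-4:]
    return payload, received_icv == icv(payload)

def mic(mic_key: bytes, dst: bytes, src: bytes, payload: bytes) -> bytes:
    """Keyed MIC over DA, SA and payload; truncated HMAC-SHA256 stands in for Michael."""
    return hmac.new(mic_key, dst + src + payload, hashlib.sha256).digest()[:8]

def alter_without_key(frame: bytes, delta: bytes) -> bytes:
    """CRC-32 is linear under XOR, so the ICV change for a payload change is computable."""
    icv_delta = xor(icv(delta), icv(bytes(len(delta))))
    return xor(frame, delta + icv_delta)

def demo():
    # Constructed values: 40-bit WEP key, 24-bit IV, MIC key, addresses, payload
    key, iv, mic_key = bytes(range(1, 6)), b"\xaa\xbb\xcc", b"constructed-mic-key"
    dst, src = bytes.fromhex("0200000000a1"), bytes.fromhex("0200000000b2")
    payload = b"valve=closed"
    frame, tag = wep_seal(iv, key, payload), mic(mic_key, dst, src, payload)
    delta = xor(payload, b"valve=opened")
    received, icv_ok = wep_open(iv, key, alter_without_key(frame, delta))
    mic_ok = hmac.compare_digest(tag, mic(mic_key, dst, src, received))
    return received, icv_ok, mic_ok

if __name__ == "__main__":
    print(demo())
```

The receiver accepts the altered payload on the ICV check alone, because nothing secret goes into the CRC; the MIC comparison fails because recomputing it requires the MIC key.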
Security solution
Wired Equivalent Privacy (WEP) and WEP2
Media access control (MAC) addresses: configuring access
points to permit only particular MAC addresses onto the
network. Easy to implement, but fairly easy to defeat.
IEEE 802.1X: This standard, supported by Windows XP, defines
a framework for MAC-level authentication. Susceptible to
session-hijacking and man-in-the-middle attacks.
VPNs: using a VPN to encrypt data on wireless networks. VPNs
require a lot of management and client configuration.
User authentication
The Temporal Key Integrity Protocol (TKIP) [IEEE 802.11i]
Advanced Encryption Standard (AES) encryption [IEEE
802.11i]
"Key-hopping" technology that can change the encryption key as
often as every few seconds.
EAP-TTLS (Extensible Authentication Protocol (EAP) -
Tunneled Transport Layer Security)
Enhanced Security Network (ESN) - Extended Service Set with
enhanced authentication mechanism for both STAs and APs based on
802.11x
key management
dynamic, association-specific cryptographic keys
enhanced data encapsulation using AES
Wireless Protocol Analyzers. They can:
check for unknown MAC (Media Access Control) addresses and alert the
network manager
log attempts to gain unauthorized access to the network
filter access attempts based on the type of network card
conduct site survey of traffic usage
find dead zones in the wireless network
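The first three analyzer functions above, together with the rogue-network check from the earlier "Security Issues and Solutions" list, as an added example that is not part of the original slides. The record format, the inventory, the threshold and the MAC addresses are constructed for illustration.

```python
from collections import Counter

# Constructed inventory (assumption): what the organization actually deployed
AUTHORIZED_APS = {"02:00:00:aa:00:01": "corp-wlan"}          # BSSID -> SSID
AUTHORIZED_CLIENTS = {"02:00:00:cc:00:10", "02:00:00:cc:00:11"}
FAIL_THRESHOLD = 3  # assumed alert threshold for repeated failed attempts

# Constructed capture summary, one record per line: time event bssid ssid client
SAMPLE = """\
09:00:01 beacon 02:00:00:aa:00:01 corp-wlan -
09:00:02 beacon 02:00:00:bb:00:09 corp-wlan -
09:00:05 assoc 02:00:00:aa:00:01 corp-wlan 02:00:00:CC:00:10
09:00:07 assoc 02:00:00:aa:00:01 corp-wlan 02:00:00:dd:00:77
09:00:08 auth-fail 02:00:00:aa:00:01 corp-wlan 02:00:00:ee:00:42
09:00:09 auth-fail 02:00:00:aa:00:01 corp-wlan 02:00:00:ee:00:42
09:00:10 auth-fail 02:00:00:aa:00:01 corp-wlan 02:00:00:ee:00:42
09:00:11 assoc truncated
"""

def analyze(text):
    """Return (alerts, access_log): one alert per (kind, MAC), every failed attempt logged."""
    alerts, access_log, failures, raised = [], [], Counter(), set()

    def alert(kind, mac, ts):
        if (kind, mac) not in raised:      # alert once per subject, not once per frame
            raised.add((kind, mac))
            alerts.append((ts, kind, mac))

    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                        # malformed record: ignore rather than guess
        ts, event, bssid, ssid, client = fields
        bssid, client = bssid.lower(), client.lower()   # MACs compare case-insensitively
        if event == "beacon":
            # Rogue network: a deployed SSID announced by a BSSID that was never deployed
            if ssid in AUTHORIZED_APS.values() and bssid not in AUTHORIZED_APS:
                alert("rogue-ap", bssid, ts)
        elif event == "assoc" and client not in AUTHORIZED_CLIENTS:
            alert("unknown-client", client, ts)
        elif event == "auth-fail":
            access_log.append((ts, client, bssid))
            failures[client] += 1
            if failures[client] >= FAIL_THRESHOLD:
                alert("repeated-auth-failure", client, ts)
    return alerts, access_log

def attempts_by_nic_prefix(access_log):
    """Count failed attempts per first three MAC octets (the NIC vendor prefix)."""
    return Counter(client[:8] for _, client, _ in access_log)

if __name__ == "__main__":
    found, log = analyze(SAMPLE)
    for entry in found:
        print(*entry)
    print(dict(attempts_by_nic_prefix(log)))
```

A client MAC that matches the inventory is not proof of identity: as the security-solution list above notes, MAC-based control is fairly easy to defeat, so these alerts complement authentication and do not replace it.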
War-Driving and War-Chalking
Default installations allow any wireless NIC to access the network
Drive around (or walk) and gain access to wireless networks
Provides direct access behind the firewall
War driving is a security issue. It is also called “stumbling”, a word that
literally means to trip, momentarily lose balance, or walk unsteadily.
The network is vulnerable to war driving and sniffing, and we may not even
know it
As a solution to such issues, and to keep stumbling safe, ethical, and
legal, there are rules that we need to know.
Do not connect: at no time should you ever connect to any APs that are not
your own. Disable client managers and TCP/IP stacks to be sure. Simply
associating can be interpreted as computer trespass by law enforcement.
Obey traffic laws: traffic laws are there for everyone's safety, including
your own. Doing doughnuts at 3am gets unwanted attention from the
authorities anyway.
Obey private property and no-trespassing signs: Don't trespass in order to
scan an area. That's what the directional antenna is for :) You wouldn't want
people trespassing on your property.
Don't use your data for personal gain: Share the data with like-minded
people, show it to people who can change things for the better, use it for
education, but don't try to make any money or status off your data.
Be like the hiker motto of 'take only pictures, leave only footprints':
Detecting SSIDs and moving on is legal; anything else is irresponsible to
yourself and your community.
Speak intelligently to others: When telling others about war-driving and
wireless security, don't get sensationalistic.
SAFE WLAN Design Techniques and Considerations
Change router default user name and password
Change the internal IP subnet if possible
Change default name and hide broadcasting of the SSID (Service
Set Identifier)
None of the attack methods is faster or more effective when a longer
passphrase is used.
Restrict access to your wireless network by filtering access based
on the MAC (Media Access Control) addresses
Use Encryption
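The checklist above applied to an access-point configuration, as an added example that is not part of the original slides. It assumes the AP is configured with hostapd-style key=value settings; both sample configurations and the 20-character passphrase policy are constructed.

```python
DEFAULT_SSIDS = {"101", "tsunami"}  # vendor defaults named earlier in the chapter
MIN_PASSPHRASE_LEN = 20             # assumed local policy value, not from the chapter

# Constructed hostapd-style settings (assumption: the access point runs hostapd)
WEAK = """\
ssid=tsunami
ignore_broadcast_ssid=0
wep_default_key=0
wep_key0=0102030405
"""
HARDENED = """\
# constructed example values
ssid=bldg4-floor2
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept.list
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=constructed long passphrase 2024
"""

def parse(text):
    """Read key=value lines, skipping blanks, comments and lines without '='."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def audit(text):
    """Return the checklist items this configuration fails, in checklist order."""
    cfg, findings = parse(text), []
    if cfg.get("ssid", "") in DEFAULT_SSIDS:
        findings.append("default SSID")
    if cfg.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID broadcast enabled")
    if cfg.get("macaddr_acl", "0") != "1" or "accept_mac_file" not in cfg:
        findings.append("no MAC accept list")
    value = cfg.get("wpa", "0")
    wpa = int(value) if value.isdigit() else 0   # bit 1 = WPA, bit 2 = WPA2
    if wpa == 0:
        findings.append("WEP only" if "wep_key0" in cfg else "no encryption")
    else:
        if not wpa & 2:
            findings.append("WPA2 not enabled")
        uses_psk = "WPA-PSK" in cfg.get("wpa_key_mgmt", "WPA-PSK").split()
        if uses_psk and len(cfg.get("wpa_passphrase", "")) < MIN_PASSPHRASE_LEN:
            findings.append("short passphrase")
    return findings

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```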
Basic techniques and considerations
Access Control
Ensure that your wireless infrastructure is not used without authorization.
Data Integrity
Ensure that your data packets are not modified in transit.
Confidentiality
Ensure that the contents of your wireless traffic are not leaked.
Understanding the WEP
WEP relies on a secret key which is shared between the sender (mobile
station) and the receiver (access point).
Secret Key : packets are encrypted using the secret key before they are
transmitted.
Integrity Check : it is used to ensure that packets are not modified in transit
Figure: steps for securing a wireless network
use encryption
allow only specific computers to access your wireless network
use anti-virus and anti-spyware software and a firewall
change your router’s pre-set password for administration
turn off identifier broadcasting
change the identifier on your router from the default