MF Wireless LAN Security
About The Module
You need wireless and you need security. How hard can it be to not install wires? Well, it is not that simple either. Wireless networks are forcing organizations to rethink how they secure their networks and devices to prevent attacks and misuse that expose critical assets and confidential data. By their very nature, wireless networks are difficult to roll out, secure and manage. Wireless networks offer great potential for exploitation for two reasons: they use the airwaves for communication, and wireless-enabled laptops are ubiquitous. Wireless networks are vulnerable in a myriad of ways.
In this module, we will take you through the complexities of the theory of wireless LAN security. We will cover the following topics:
- Overview of Wireless LAN security
- Wireless Vulnerabilities and Threats
- Threat Mitigation Technologies
- Strong Authentication and Encryption Algorithms
- Centralizing WLAN Authentication for the Enterprise
This course contains the following pages:
- Presentations: Twelve short recorded video presentations created by various presenters.
- Additional Resources: Links to additional resources are also provided as a convenience to learners. The appearance of external links does not constitute endorsement by Cisco, nor does Cisco exercise any editorial control over the information found at these external sites.
- Quiz: Brief quiz after each module to check your understanding of key concepts presented in each module.
Upon completion of this module, you will be able to:
- Understand Wireless Threats and Vulnerabilities
- Understand Wireless Security Protocols for Authentication and Encryption
- Understand Mitigation Technologies
- Understand how to secure Enterprise Wireless LANs
Overview of Wireless LAN Security
Two important security considerations in wireless networks are authentication and encryption of data. Authentication allows us to determine who gets access to the network. Encryption protects the wireless traffic flow at the RF level and is needed for privacy. The author provides an overview of the considerations for securing wireless networks.
The Need for Wireless LAN Security
There are various reasons why wireless LAN security is important:
- Open-air, pervasive nature of radio frequency technology. Propagation of RF signal is very hard to control, therefore there is a need to protect against that open, pervasive nature of RF.
- Protect from the impact of stolen data.
- Vulnerabilities resulting from the innate design of IEEE 802.11 protocols.
- Protect and authorize access to network services and resources.
- Visibility of wireless LAN, especially public WiFi and hotspots.
Attacks and Exploits
Unlike a wired network that requires physical access to a device, a wireless network can be targeted and exploited from a distance. Some of the common threats are:
- On-Wire Attacks, which can allow client-to-client backdoor access to the secured network.
- Over-the-Air Attacks, such as Honeypot APs and Rogue APs. Wireless APs can be easily deployed by anyone with access to a network connection, anywhere within a corporation or business. Unauthorized wireless APs are known more commonly as Rogue APs.
- Reconnaissance attack, which occurs when an adversary tries to learn information about your network through unauthorized discovery and mapping of systems, services, or vulnerabilities. In most cases, it precedes an actual access or DoS attack.
- Denial-of-service attack (DoS), which is one of the simplest network attacks to perpetrate because it only requires limiting access to services. This is done by sending a large amount of traffic at a specific target to overwhelm the capacity and resources of the victim device, thereby rendering it unable to provide the required services to users.
- Cracking Tools. Wireless hacking tools are of two basic types: tools that sniff the network and monitor what is happening on it, and tools that are used to hack WEP/WPA keys. These can crack Wi-Fi access and encryption, and facilitate eavesdropping.
Types of Vulnerabilities
In addition to all the vulnerabilities common to wired networks, wireless LANs introduce a new series of risks. More specifics around the common vulnerabilities are covered in this video:
- 802.11 WEP
- Rogue Devices
- Dictionary Attack
- MAC Address Spoofing
- Wireless Sniffing
- Authentication Vulnerabilities
Techniques and Tools
There are many attack methods and tools used to prey upon common wireless LAN vulnerabilities. A brief overview is covered in the video.
Note: This serves as awareness of the various tools available, and not an encouragement to launch attacks.
Mitigation Technologies for Corporate Networks
The best way to secure networks is to design a system that prevents an attack before damage can be done. Cisco has several wireless-specific security solutions, including CleanAir, rogue detection, switch port tracing and aWIPS (Adaptive Wireless Intrusion Protection System), to proactively prevent attacks.
The On-Wire attacks and Over-the-Air attacks can all be detected by the Cisco Intrusion Prevention System technologies.
The non-802.11 attacks can be detected and mitigated through Cisco’s proprietary ‘CleanAir’ technology. So, rogue detection, classification and mitigation will basically address all of the On-Wire attacks.
Over-the-Air attacks can be mitigated by technologies such as Management Frame Protection, the use of WPA2, and the IEEE 802.11i advanced security capabilities.
It is very important to use secure methods for authentication and encryption in a wireless LAN to ensure access only for authorized users and devices.
There is a distinction between being authenticated onto a wireless network and having the traffic that is then passed be encrypted. It is possible to be authenticated onto a network but pass unencrypted data traffic.
There are three main methods of authentication that are used:
- Open authentication: the simplest method, which only requires that the end device be aware of the Service-Set Identifier (SSID) used on the network; as long as the SSID is known, the device will be allowed onto the network.
- Shared authentication: commonly used on individual or small business wireless LANs. This method uses a shared key (Pre-Shared Key – PSK) that is given to both sides of the connection; the device is allowed onto the network if the keys match.
- EAP (Extensible Authentication Protocol) authentication is the most common method used by enterprises. It utilizes an authentication server that is queried for authentication using a variety of credential options.
Choosing EAP Methods
The Extensible Authentication Protocol (EAP) is a framework for transporting authentication protocols, rather than an authentication protocol itself. EAP can be used for authenticating dial-up, point-to-point (PPP) and VPN connections, and also Local Area Network (LAN) ports, including wireless networks, in conjunction with IEEE 802.1X. It is defined in RFC 3748.
EAP is not a wire protocol; instead it only defines message formats. Each protocol that uses EAP defines a way to encapsulate EAP messages within that protocol’s messages. It provides some common functions and negotiation of authentication methods called EAP methods.
Along with authentication methods, the choice of encryption method is a very important part of implementing a secure wireless LAN. Many of the encryption methods that were implemented in earlier wireless LAN standards have been proven to be insecure and have been deprecated in favor of more modern technologies.
In this video, the author covers the available encryption methods:
- Wired Equivalent Privacy (WEP)
- Temporal Key Integrity Protocol (TKIP)
- Advanced Encryption Standard (AES)
802.1X is an IEEE standard for passing EAP over a wired or wireless LAN for authentication. It is also known as “EAP over LAN” or EAPOL. 802.1X enhances security and deployment by providing support for centralized user identification, authentication, dynamic key management, and accounting.
802.1X provides an authentication framework consisting of a three-component architecture: a supplicant (end-user station), an authenticator (the access device, such as a switch or access point) and an authentication server (RADIUS). EAPOL communication occurs between the supplicant and the authenticator. The RADIUS protocol is used for communication between the authenticator and the RADIUS server.
Types of EAPs
There are many types of EAP. The type an organization should use depends upon the desired level of security, desired complexity, and the server/client specs.
- LEAP: The Lightweight Extensible Authentication Protocol method was developed by Cisco Systems prior to the ratification of the 802.11i security standard. LEAP has known vulnerabilities.
- PEAP: Protected EAP. This was originally proposed by Microsoft. PEAP will form a potentially encrypted TLS tunnel between the client and server, using the X.509 certificate on the server, similar to the SSL tunnel that is established between a web browser and a secure website. After the tunnel has been formed, PEAP will use another EAP type such as EAP-GTC, EAP-MSCHAP as an “inner method” to authenticate the client using EAP within the outer tunnel.
- EAP-FAST: Flexible Authentication via Secure Tunnel (FAST) is very similar to PEAP. FAST was created by Cisco Systems as an alternative to PEAP that allows for faster re-authentications and supports faster wireless roaming. FAST forms a TLS outer tunnel and then transmits the client credentials within that TLS tunnel. FAST differs from PEAP in the ability to use Protected Access Credentials (PACs).
- EAP-TLS: An EAP type that uses TLS (Transport Layer Security) to provide the secure identity transaction. This is very similar to SSL and the way encryption is formed between your web browser and a secure website.
- EAP-GTC: EAP-Generic Token Card (GTC). This inner method was created by Cisco as an alternative to MSCHAPv2 that allows generic authentications to virtually any identity store, including One-Time-Password (OTP) token servers, LDAP and more.
- EAP-MSCHAPv2: The client’s credentials are sent to the server encrypted within an MSCHAPv2 session. This is the most common inner method, as it allows for simple transmission of username and password, or even computer-name and computer-passwords to the RADIUS server, which in turn will authenticate them to Active Directory.
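The EAP message format from RFC 3748 and the method types listed above can be seen in a small parser. This is an added example, not part of the course material: it reads the Code/Identifier/Length/Type fields, decodes a Nak response (the method negotiation mentioned earlier), and flags LEAP. The sample packets are constructed, and the helper names `parse_eap` and `build` are assumptions.

```python
import struct

# EAP codes and method type numbers as assigned in RFC 3748 / the IANA EAP registry.
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
METHODS = {1: "Identity", 3: "Nak", 6: "EAP-GTC", 13: "EAP-TLS", 17: "LEAP",
           25: "PEAP", 26: "EAP-MSCHAPv2", 43: "EAP-FAST"}
WEAK = {17}  # LEAP: the text above notes it has known vulnerabilities


def parse_eap(packet: bytes) -> dict:
    """Parse one EAP packet: Code, Identifier, Length, then Type for Request/Response."""
    if len(packet) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(packet):
        raise ValueError("EAP Length field inconsistent with captured bytes")
    body = packet[4:length]  # anything past Length is link-layer padding
    out = {"code": CODES[code], "id": ident, "method": None, "offered": [], "weak": False}
    if code in (1, 2):  # only Request/Response carry a Type octet
        if not body:
            raise ValueError("Request/Response without Type")
        mtype = body[0]
        out["method"] = METHODS.get(mtype, f"type-{mtype}")
        out["weak"] = mtype in WEAK
        if code == 2 and mtype == 3:  # Nak: peer lists the methods it will accept
            out["offered"] = [METHODS.get(t, f"type-{t}") for t in body[1:]]
            out["weak"] = any(t in WEAK for t in body[1:])
    return out


def build(code: int, ident: int, payload: bytes = b"") -> bytes:
    """Hypothetical helper: construct a sample EAP packet for the demo below."""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


# Constructed exchange: server proposes LEAP, client Naks and asks for PEAP or EAP-TLS.
SAMPLES = [
    build(1, 7, bytes([17]) + b"\x01\x00\x08" + b"\x00" * 8),  # Request, LEAP
    build(2, 7, bytes([3, 25, 13])),                           # Response, Nak
    build(1, 8, bytes([25, 0x20])) + b"\x00\x00",              # Request, PEAP + padding
    build(3, 9),                                               # Success (no Type)
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(parse_eap(pkt))
```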
Web Authentication is a Layer 3 authentication mechanism used to authenticate guest users for Internet access where no client-side configuration is required. Users authenticated using this process will not be able to access the Internet until they successfully complete the authentication process.
One of the things that always needs to be considered in deploying wireless networks is security. Security needs to be the primary concern. It also needs to be the primary focus.
When deploying a wireless LAN, you must, at a minimum, use WPA2 with a pre-shared key and AES encryption. Anything less than that sets up an opportunity for vulnerability.
Guest wireless access, when deployed in an enterprise environment, should also adhere to that same minimum security of WPA2 with a pre-shared key and AES encryption. In the event that the organization does not find that feasible, use a WebAuth splash page with disclaimers and a login prompt where users enter their email address and a common password. You could keep a document, updated weekly or monthly, with specific login IDs and passwords for guests, distributed through the reception desk.
In enterprise wireless LAN deployments, you should always separate your guest access from any corporate access. That separation should always be done with unique wireless VLANs and completely separate SSIDs. Doing that, you can apply the different security methods discussed throughout the series to guest access and to corporate access.
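The deployment rules above (WPA2 with AES as the minimum, WebAuth as the guest fallback, and guest traffic on its own SSID and VLAN) can be checked against a WLAN inventory. The following is an added example, not part of the course material; the inventory is constructed and its field names (`role`, `security`, `cipher`, `webauth`, `vlan`) are assumptions, not any controller's export format.

```python
def audit_wlans(wlans):
    """Return sorted (ssid, finding) pairs for WLANs that break the stated rules."""
    findings = []
    for w in wlans:
        meets_min = w["security"] == "wpa2" and w["cipher"] == "aes"
        # Guest WLANs may fall back to a WebAuth splash page when WPA2/AES is not feasible.
        guest_fallback = w["role"] == "guest" and w.get("webauth", False)
        if not meets_min and not guest_fallback:
            findings.append(
                (w["ssid"], f"below WPA2/AES minimum ({w['security']}/{w['cipher']})"))

    corp_vlans = {w["vlan"] for w in wlans if w["role"] == "corporate"}
    corp_ssids = {w["ssid"] for w in wlans if w["role"] == "corporate"}
    for w in wlans:
        if w["role"] != "guest":
            continue
        if w["vlan"] in corp_vlans:
            findings.append(
                (w["ssid"], f"guest shares VLAN {w['vlan']} with corporate WLAN"))
        if w["ssid"] in corp_ssids:
            findings.append((w["ssid"], "guest and corporate use the same SSID"))
    return sorted(findings)


# Constructed inventory for illustration.
INVENTORY = [
    {"ssid": "CORP-STAFF", "role": "corporate", "security": "wpa2",
     "cipher": "aes", "vlan": 10},
    {"ssid": "CORP-LEGACY", "role": "corporate", "security": "wpa",
     "cipher": "tkip", "vlan": 10},
    {"ssid": "GUEST", "role": "guest", "security": "open",
     "cipher": "none", "webauth": True, "vlan": 10},
    {"ssid": "GUEST-LAB", "role": "guest", "security": "wep",
     "cipher": "wep", "webauth": False, "vlan": 30},
]

if __name__ == "__main__":
    for ssid, finding in audit_wlans(INVENTORY):
        print(f"{ssid}: {finding}")
```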
Lastly, your wireless LANs are always being scanned. Someone is always turning on a packet capturing device, and watching and monitoring your wireless frames. Be aware of that and monitor your RF environment yourself, and you might actually find an intruder.