Chapter 6 begins with a cautionary tale about a large company that used an obsolete security protocol at one of its stores. An attacker reached the company's main database through that store's network, which led to millions of dollars in losses. The attack was made easier because the company used wireless networking and had not upgraded from a technology with a well-known exploit.
The text introduces the Institute of Electrical and Electronics Engineers (IEEE) as the main standards body for networking technologies. They have established many standards for networking. This chapter is concerned with the 802.11 series of standards that relate to wireless networking.
The text reviews some of the iterations of the 802.11 standard:
Leaving the discussion of technology itself, the text turns to security issues. It describes three "protections" included in the original 802.11 standard:
Vulnerabilities of IEEE 802.11
On page 198, the text begins a discussion of the vulnerabilities in the system described so far.
Open System Authentication
As noted above, the broadcasting of the SSID in beacon frames is a security issue. The text points out that beaconing is needed for roaming from access point to access point. Another issue is a flaw in Windows XP: devices running it prefer access points that beacon over those that do not. Even when the SSID is not broadcast, it is transmitted in clear text when a device sends an association request. Note the procedure in the text to force a device to send an association request by sending it a disassociation frame.
MAC Address Filtering
MAC addresses are sent in clear text when a device associates, so they are easily discovered, and an attacker can then pretend to be the same device. Controlling access by MAC address also becomes harder to manage the more devices you allow to attach to the network, much like the standard recommendation to use host files only if you have fewer than 10 hosts in your LAN. So this method is hard to manage as well as being less than secure.
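The disassociation-frame trick noted above (forcing a client to re-associate so the hidden SSID appears in clear text) is also something a defender can watch for. The following is an added example, not code from the textbook: it scans a constructed, time-ordered log of 802.11 management frames and reports any transmitter that sends a burst of disassociation or deauthentication frames. The subtype codes are from the 802.11 frame format; the MAC addresses, the frame log, the window and the threshold are constructed assumptions.

```python
from collections import deque

# 802.11 management-frame subtypes (frame type 0) used below.
ASSOC_REQ, BEACON, DISASSOC, DEAUTH = 0x00, 0x08, 0x0A, 0x0C

def disassociation_bursts(frames, window=2.0, threshold=5):
    """Return {transmitter: peak count} for every transmitter that sent more
    than `threshold` disassociation/deauthentication frames inside any
    `window`-second span.  frames: time-ordered (ts, subtype, src, dst).
    Caveat: a real AP that reboots or evicts many clients also trips this,
    so treat a hit as something to investigate, not proof of an attack."""
    recent = {}    # transmitter -> deque of recent timestamps
    bursts = {}
    for ts, subtype, src, _dst in frames:
        if subtype not in (DISASSOC, DEAUTH):
            continue
        q = recent.setdefault(src, deque())
        q.append(ts)
        while ts - q[0] > window:       # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold:
            bursts[src] = max(bursts.get(src, 0), len(q))
    return bursts

AP, CLIENT = "00:11:22:aa:bb:01", "aa:bb:cc:00:00:01"   # constructed addresses

# Constructed frame log.  Two isolated disassociations are normal AP
# behaviour; the run of eight at t=200 carries the AP's own address, but a
# legitimate AP has no reason to send them, which is the point of the check.
SAMPLE_FRAMES = (
    [(100.0, BEACON, AP, "ff:ff:ff:ff:ff:ff"),
     (100.5, DISASSOC, AP, CLIENT),
     (130.0, DISASSOC, AP, "aa:bb:cc:00:00:02")]
    + [(200.0 + i / 10, DISASSOC, AP, CLIENT) for i in range(8)]
    + [(200.9, ASSOC_REQ, CLIENT, AP)]   # client re-associates, SSID in clear
)
```

Running `disassociation_bursts(SAMPLE_FRAMES)` reports the AP's address with a peak of eight frames in the window, while the two isolated disassociations earlier in the log produce nothing.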
This discussion goes on for several pages. Students should be aware of the major problems with WEP.
The text turns to better methods of implementing wireless security.
WPA Personal Security
WPA is Wi-Fi Protected Access, developed in 2003. It contains two components to improve on WEP. They are:
WPA2 Personal Security
WPA2 is a 2004 revision of WPA. The text says it became mandatory for new equipment in 2006. One of its two components changed:
Enterprise Wireless Security
The text presents several topics under this heading.
This is one of the major models that enterprise wireless security may use. The text is critical of WEP's PRNG (which most Vulcans might recall means Pseudo-Random Number Generator). This standard (IEEE 802.11i) began development in 2001 and was not finished until 2004. In the same time frame, the WPA standard (which is not an IEEE standard) was also developed. IEEE 802.11i uses the port blocking methods found in the IEEE 802.1x standard (for wired LANs). Ports are not opened until a device authenticates as one allowed to join the network. The text lists two features. Key-caching saves a user's credentials to allow roaming away from the WLAN and reentering it without fully reauthenticating. Pre-authentication allows the AP the user is communicating with to hand off authentication for the session to the next AP, like a cell system, authorizing the user on the next AP before contact would otherwise be made.
Note that IEEE 802.11i only allows clients using AES-CCMP encryption.
WPA Enterprise Security
The personal version of WPA uses PSK for authentication, but this enterprise version uses 802.1x for authentication, and requires an authentication server. It uses TKIP for encryption.
The author ends the chapter with a discussion of wireless security devices.
Thin Access Points
Thin access points are simpler than regular access points: they are essentially just radios, and their usual gatekeeper functions are moved to a wireless switch instead. The wireless switch performs authentication and lets the administrator manage each access point remotely.
Wireless VLANs are described on page 210, and two methods are illustrated on page 211. In the first method, separate access points are created for users in different departments. Packets are passed from the access points to a switch which sends the packets to the appropriate VLAN. The switch separates the packets based on the access point of the connection. The text points out that this method could be used to restrict a particular wireless user to connecting through a particular access point, which inhibits roaming.
In the second method shown on page 211, two access points are set up and wireless users are allowed to connect through either one. Each access point has two SSIDs, which are used to separate the users of the two wireless VLANs. In this case, the access point separates the packets before sending them to the switch. Separate SSIDs on an access point allow separate encryption and authentication schemes for each one.
Rogue Access Point Discovery
The text describes the vulnerability that an unencrypted, unmanaged access point creates in a network. It is not just that an attacker can get access, but also that the attacker could intercept unencrypted traffic being passed by the access point. Consumer versions of access points, cell phones, and commercial equipment are all possible problems.
The text discusses having network staff monitor for rogue access points regularly, but concludes this is not as effective as using a wireless probe to continuously monitor wireless traffic. Four types of wireless probes are described:
Network management software would be used to examine the reports sent to the database, compare them to a list of known, managed access points, and disable any switch ports being used by rogue access points.
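The correlation step described above, as an added example that is not code from the textbook: probe reports are compared against the managed-AP inventory, unmanaged BSSIDs are merged across probes into one rogue entry, and each rogue is mapped to the switch port that learned its MAC so that port can be disabled. The inventory, switch MAC table, probe reports and all addresses are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProbeReport:
    probe: str       # name of the wireless probe that saw the beacon
    bssid: str       # radio MAC address of the access point
    ssid: str
    channel: int
    encrypted: bool  # True if the beacon advertised WPA/WPA2

# Constructed inventory of managed APs, keyed by BSSID (lower case).
MANAGED_APS = {"00:11:22:aa:bb:01": "AP-Floor1", "00:11:22:aa:bb:02": "AP-Floor2"}

# Constructed switch MAC table: MAC -> (switch, port).  A real tool would
# pull this from the switches, for example over SNMP.
SWITCH_MAC_TABLE = {
    "00:11:22:aa:bb:01": ("sw-core", "Gi1/0/1"),
    "00:11:22:aa:bb:02": ("sw-core", "Gi1/0/2"),
    "c8:3a:35:10:20:30": ("sw-floor3", "Gi1/0/17"),
}

def find_rogues(reports):
    """Return {bssid: {ssid, channel, encrypted, probes}} for every BSSID
    not in MANAGED_APS, merging sightings of one AP from several probes."""
    rogues = {}
    for r in reports:
        bssid = r.bssid.lower()
        if bssid in MANAGED_APS:
            continue
        entry = rogues.setdefault(bssid, {"ssid": r.ssid, "channel": r.channel,
                                          "encrypted": r.encrypted, "probes": set()})
        entry["probes"].add(r.probe)
    return rogues

def ports_to_disable(rogues):
    """Map each rogue BSSID to the switch port that learned its MAC.  Only
    exact matches are tried: many devices use a different MAC on the wired
    side, so a rogue with no match still has to be traced by hand."""
    return {b: SWITCH_MAC_TABLE[b] for b in rogues if b in SWITCH_MAC_TABLE}

# Constructed sample reports from two probes (mixed-case MACs on purpose).
SAMPLE_REPORTS = [
    ProbeReport("probe-1", "00:11:22:AA:BB:01", "CorpWiFi", 1, True),
    ProbeReport("probe-1", "C8:3A:35:10:20:30", "linksys", 6, False),
    ProbeReport("probe-2", "c8:3a:35:10:20:30", "linksys", 6, False),
    ProbeReport("probe-2", "00:11:22:aa:bb:02", "CorpWiFi", 11, True),
    ProbeReport("probe-2", "3c:5a:b4:00:00:99", "guest-hotspot", 3, True),
]
```

With the sample data, `find_rogues(SAMPLE_REPORTS)` lists the open "linksys" router (seen by both probes) and the "guest-hotspot" AP, and `ports_to_disable` resolves only the former to a switch port; the hotspot has no wired entry and is a candidate for a physical walk-through.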