NET 211 - Wireless Networking

Chapter 10, Implementing Wireless LAN Security

Objectives:

This lesson continues the discussion about wireless security that started in the last chapter, focusing more on solutions for a wireless network. Objectives important to this lesson:

  1. Transitional security
  2. WPA2
  3. Wireless intrusion detection and wireless intrusion prevention
  4. Wireless security tools
Concepts:
Chapter 10

The author introduces the topics of this chapter with a story of a network hack from 2005 that compromised credit and debit card data for over 45 million customers. It is useful as a lesson that proper security is a serious business, not just something you learn in school.

The text lists three major problems with WEP encryption (which began use in IEEE 802.11b and 802.11a) on page 356. They mean that WEP can be broken due to its repetition of short Initialization Vectors in its keys. This is not as simple as clicking a button, but it is possible if you have the right tools and information. The situation was improved by the introduction of WEP2, which increased the length of the Initialization Vector and changed the authentication method to Kerberos, which is used in Windows network authentication. This improved version was still vulnerable to dictionary attacks, which use Kerberos encryption to send possible passwords to the network, one after another, until a login is successful.

Moving ahead to page 357, the text introduces Wi-Fi Protected Access (yes, sometimes they spell it with a hyphen, sometimes they don't). It was designed in two versions: WPA Personal and WPA Enterprise. This is more complicated because we now have WPA and WPA2. The text discusses all of them for several pages. Let's try to see through the fog.

WPA Personal Security

WPA is Wi-Fi Protected Access, developed in 2003. It contains two components to improve on WEP. They are:

  • PSK authentication - Preshared Keys are generated by running a pass phrase through an algorithm that turns out a 64 bit hexadecimal number (the key). This key must be coded into every access point and device that will use this WPA route into the network.
  • TKIP encryption - Temporal Key Integrity Protocol uses a 128 bit key. A new key can be generated for each packet. Keys can be sent to the devices that will use them. Uses Message Integrity Check (MIC) instead of CRC for better assurance of data integrity.
WPA2 Personal Security

WPA2 is a 2004 revision of WPA. It became mandatory for new equipment in 2006. One of its two components changed:

  • PSK authentication - Preshared Keys are still used. Another text lists some areas of concern where this method is weak. The worst point, in my opinion, is that a guest user has to use the same key as everyone else. This is not true in practice. I know that the guest account on my home AP allows a different key.
  • AES-CCMP encryption - The algorithm for this encryption method is intensive, incorporating several submethods. This is an improved level of encryption.
WPA Enterprise Security

The personal version of WPA uses PSK for authentication, but the enterprise version uses 802.1X for authentication, and requires an authentication server (such as a RADIUS server). It uses TKIP for encryption. IEEE 802.1x uses port blocking methods. Ports are not opened until a device authenticates as one allowed to join the network.

Summary of Access Methods
Methodology Authentication Encryption
WEP open system;
MAC filtering

shared secret keys

WPA personal PSK TKIP
WPA2 personal PSK AES-CCMP
802.11i 802.1X AES-CCMP
WPA enterprise 802.1X TKIP
WPA2 enterprise 802.1X AES-CCMP;
(TKIP clients allowed)

 The text explains on page 362 why the versions of WPA with AES are better than those without it.

  • TKIP used a stream cipher. This method replaces each character in the data stream, one at a time. This makes it easier to crack.
  • AES uses a block cipher. This method encrypts blocks of text together. The illustration in the text shows three bytes, but it is more likely that we will encrypt 64 to 128 bytes at a time. As shown, the output of the cipher method should never resemble the input.
  • CCMP does not specify which method to use, but the most common one paired with it is AES.

The text explains the use of a RADIUS server on page 364. The acronym stands for Remote Authentication Dial In User Service. It was invented in 1992 for remote users dialing in across plain telephone service. It is now used across the Internet, as well as in internal wireless access to a local WLAN, so Remote and Dial In are not always accurate regarding the present use. To use RADIUS, a client for it must be installed on the AP involved in the process. The connection steps shown on page 364 assume a wireless client is making a connection:

  1. The wireless device in RADIUS scenario is called a supplicant. It makes a request to connect to an AP.
  2. The AP requests a user ID and password from the supplicant. The AP is called the authenticator.
  3. The supplicant provides its information, and the AP creates an authentication request, which it sends to the RADIUS server. The request contains information to identify the AP, as well as the supplicant's provided user name and password, which are encrypted.
  4. The RADIUS server verifies that the AP sending the request is an approved AP. If it is, then the data from the supplicant is decrypted.
  5. The RADIUS server passes the user name and password to an appropriate database, such as Active Directory, for authentication.
  6. If the user information is correct, the RADIUS server sends an authentication acknowledgment to the AP, along with information about approved services. If the user information is not correct, the RADIUS server sends an authentication reject message to the AP.
  7. If tracking is enabled, an accounting database is updated in either case.
  8. The AP receives the message from the RADIUS server and proceeds to allow or deny access to the WLAN.

RADIUS Server Authentication

The text explains that the transmissions between the supplicant and the authenticator must be secure, so they are required to be compliant with a guideline called the Extensible Authentication Protocol (EAP). This is not a protocol. It is a guideline that may be met by several different protocols listed on the bottom of page 366.

On page 367, the text begins a discussion of wireless intrusion detection systems (WIDS) and wireless intrusion prevention systems (WIPS). Both are tasked with noticing that an intrusion is taking place. The difference is that a prevention system is also tasked with stopping the intrusion.

The text describes four types of wireless intrusion detection systems, based on their method of detection:

  • Signature-based monitoring - Packets transmitted to the network are compared to attributes (signatures) of packets created in known attack methods. When the system sees packets that match known signatures, an alert is generated.
  • Anomaly-based monitoring - This kind of system needs a baseline of data describing how your network normally works. Events that take place on the network are compared to the baseline. If an event is significantly different, an alert is generated.
  • Behavior-based monitoring - This method is very similar to anomaly-based monitoring. It uses a learning phase in which it records normal activity on the network, then it looks at all the actions that take place on the network. If it sees something taking place that is not usually done, an alert is generated.
  • Heuristic monitoring - This kind of system watches what is happening on a network, and it generates alerts when it detects an action that would have an undesired result.

The author presents a list of reasons to prefer a WIPS over a WIDS. The first two are obvious: a WIDS only generates an alert to administrators, and only after the attack has begun. There is a delay between the time an attack is noticed and the time an administrator takes any action about it. A WIPS addresses this by taking some action itself immediately. The text also points out that a WIPS may be part of a device itself. This is good and bad. When such a system is part of a device, such as an AP, it will protect that device better than a network system might. On the other hand, a system that is part of a device will not do much to protect the rest of the network unless that device is a transit hub, like a firewall, a switch, or an AP.

The text describes two kinds of sensors that are typically used in WIDS and WIPS systems:

  • Integrated sensors - This method uses the APs themselves as the sensing elements of the WIDS or WIPS. The text warns us that this saves money, but it may overburden the APs. In addition, older APs that only use 2.4 GHz frequencies cannot monitor 5 GHz frequencies. Also, this method is probably guaranteed to miss rogue access points, since most people who hang one on the network will do so where there is no adequate wireless coverage.
  • Overlay sensors - Dedicated sensors are added to the network in this method. As an add-on to the network, there is some setup work for this method, such as making the sensors aware of the other network components.

The last item leads nicely to the discussion of features one might expect to find in a WIDS or WIPS:

  • AP Identification and Categorization - If the system knows about legitimate APs (approved APs), it can easily recognize rogue APs. Categories may be used such as Approved (one of ours), Known (owned by someone else, but it does not hamper our network), Monitored (owned by someone else, and it may hamper our network), and Rogue (any other AP).
  • Device tracking - Can be useful for tracking assets, doing a site survey, or setting up ad hoc connections.
  • Event action and notification - This is the main function of a WIDS or a WIPS: to sense an attack, to notify administration, and (if so equipped) to do something about it.
  • RF scanning - As noted above, the system should scan all frequencies that are used in our network.
  • Protocol analysis - Used to collect, read, and analyze the packets that are being used to attack the network.

The last section of the chapter discusses other wireless tools:

  • Virtual Private Network (VPN) - A VPN is a secure communication channel that is often used by people who need to connect to their usual network when they are traveling, working from home, or are otherwise away from their usual work location. A VPN may pass traffic across the Internet, but it can be considered as secure because all traffic passed from one end of the channel to the other is encrypted. Using a VPN provides a level of security that an unsecured data channel cannot provide. Each end of a VPN channel is called an endpoint. As you can see from this description, using a VPN can answer some of the problems that we worry about when communicating wirelessly.
  • Secure device management protocols - Protocols that can transport secure information are very important to a secure network, or an unsecured network that we need to pass information across. The text mentions several protocols that are often used to support this goal, although for different purposes:
    • Secure Socket Layer (SSL) - This is the typical protocol used for purchases over the Internet, so it is endorsed by most vendors.

      It works together with Transport Layer Security (TLS) which was developed as an extension to SSL. Together, they provide authentication for servers and clients, as well as data encryption.

      When HTTP traffic is sent through SSL/TLS, it becomes Hypertext Transport Protocol over Secure Sockets Layer (HTTPS), which is typically passed on port 443 instead of port 80.
    • Secure Shell (SSH) - This protocol is used to make secure connections between two systems, whether they are on the same network or in widely separated locations. It is often used to make a connection from a Windows based computer to a UNIX or Linux based server. The text mentions that the current version of the protocol is Secure Shell 2 (SSH2 or SSH-2).
    • Simple Network Management Protocol (SNMP) - This protocol has been used to manage network devices for many years. A security flaw in early versions was that commands sent to devices had to include a community string, a prefix that gave the command permission to manage the device. The problem was that the default strings were well known. (If the video below starts at the beginning, skip ahead to 6 minutes and 35 seconds.)



      User IDs, passwords, and encryption were added in version 3 of SNMP. Obviously, Star Fleet was using an earlier version at the time of this encounter.
    • Wi-Fi Protected Setup (WPS) - This looked like a good idea for consuumer equipment, allowing the user to select preconfigured security settings by entering a PIN that was included with the device. A problem was found, and it was shown that the PIN was actually used in two parts, the first having 4 digits and the second having 3 digits. This made it possible for an attacker to hack the PIN, and it was made simpler by not enabling a lockout after a number of failed attempts. This feature should be disabled in devices that come with it.
    • Role-Based Access Control (RBAC) - The text explains that this is a method of granting rights to network resources based on granting sets of rights to specific roles, and assigning a role to each user on the system. This method is limited to assigning one and only one role to each user.

      In an Active Directory based network, users can be assigned to as many security groups as they need to be in, and they will inherit the sum of the rights of all of those groups. This is a more common approach.
    • Rogue AP Discovery Tools - The text recommends that we consider using one of four types of wireless probes listed on page 377. These are devices that can be set to monitor RF transmissions, looking for rogue APs or devices in communication with them.
      • Wireless device probe - Not all wireless devices are equipped with wireless NICs that allow them to act in this role. They need to be able to scan the two RF bands, to record traffic they notice, and to report their collected data to a central device. The text points out that such devices are limited to the range of their installed components, and that they cannot monitor while they are sending traffic themselves.
      • Desktop probe - A standard wireless device has an advantage over a desktop: the wireless device can usually be moved more easily to cover another area. A desktop computer would need a wireless NIC and its scanning would be limited to the area in which it is located.
      • AP probe - Like the desktop, an AP is typically stationary and limited to its current location. It may be more likely to be useful than the laptop or desktop computer, due to its nature as an RF sensing device.
      • Dedicated probe - This would be a device whose purpose iis to act as a listening station. It has an advantage over the other three: it has no other functions to perform, so it can do this job all the time it is turned on.