This lesson continues the discussion about wireless
security that started in the last chapter, focusing more on solutions
for a wireless network. Objectives important to this lesson:
Wireless intrusion detection and wireless intrusion
Wireless security tools
The author introduces the topics of this chapter with a story
of a network
hack from 2005 that compromised credit and debit card data for over
45 million customers. It is useful as a lesson that proper security is
a serious business, not just something you learn in school.
The text lists three major problems with WEP
encryption (which began use in IEEE 802.11b and 802.11a) on page 356.
They mean that WEP can be broken due to its repetition of short
Initialization Vectors in its keys. This is not as simple as clicking a
button, but it is possible if you have the right
tools and information. The situation was improved by the
introduction of WEP2, which increased the length of the
Initialization Vector and changed the authentication method to Kerberos,
which is used in Windows network authentication. This improved version
was still vulnerable to dictionary attacks, which use Kerberos
encryption to send possible passwords to the network, one after
another, until a login is successful.
Moving ahead to page 357, the text introduces Wi-Fi
Protected Access (yes, sometimes they spell it with a hyphen,
sometimes they don't). It was designed in two versions: WPA Personal
and WPA Enterprise. This is more complicated because we now have WPA
and WPA2. The text discusses all of them for several pages. Let's try
to see through the fog.
WPA Personal Security
WPA is Wi-Fi Protected Access,
developed in 2003. It contains two components to improve on WEP. They
PSK authentication - PresharedKeys are generated by running a pass
phrase through an algorithm that turns out a 64 bit
hexadecimal number (the key). This key must be coded
into every access point and device that will use this WPA route into
TKIP encryption - Temporal Key
Integrity Protocol uses a 128 bit key. A new key can be
generated for each packet. Keys can be sent to the devices that will
use them. Uses Message Integrity Check (MIC) instead of CRC for better
assurance of data integrity.
WPA2 Personal Security
WPA2 is a 2004 revision of WPA. It became
mandatory for new equipment in 2006. One of its two components changed:
PSK authentication - PresharedKeys are still used. Another text lists some
areas of concern where this method is weak. The worst point, in my
opinion, is that a guest user has to use the same key as everyone else.
This is not true in practice. I know that the guest account on my home
AP allows a different key.
AES-CCMP encryption - The algorithm for this
encryption method is intensive, incorporating several submethods. This
is an improved level of
WPA Enterprise Security
The personal version of WPA uses PSK for authentication,
but the enterprise version uses 802.1X
for authentication, and requires an authentication server (such
as a RADIUS server).
It uses TKIP for encryption. IEEE 802.1x uses port
blocking methods. Ports are not opened until a device
authenticates as one allowed to join the network.
Summary of Access Methods
shared secret keys
(TKIP clients allowed)
The text explains on page 362 why the versions of WPA
with AES are better than those without it.
TKIP used a stream cipher. This method replaces
each character in the data
stream, one at a time. This makes it easier to
AES uses a block cipher. This method encrypts blocks of
text together. The illustration in the text shows three bytes,
but it is more
likely that we will encrypt 64 to 128 bytes at a time. As shown, the
output of the cipher method should never resemble the input.
CCMP does not
specify which method to use, but the most
common one paired with it is AES.
The text explains the use of a RADIUS server on page 364. The
acronym stands for Remote
Authentication Dial In User Service. It was invented in 1992 for
remote users dialing in across plain telephone service. It is now used
across the Internet, as well as in internal wireless access to a local
WLAN, so Remote and Dial In are not always accurate
regarding the present use. To
use RADIUS, a client for it
must be installed on the AP
involved in the
process. The connection steps shown on page 364 assume a wireless
client is making a connection:
The wireless device in RADIUS scenario is called a supplicant. It makes a request to
connect to an AP.
The AP requests a
user ID and password from the supplicant.
The AP is called the authenticator.
The supplicant provides its information, and the AP creates
an authentication request,
which it sends to the RADIUS
server. The request contains information
to identify the AP, as well as
the supplicant's provided user name and password, which are
The RADIUS server
verifies that the AP sending the request is an approved AP. If it is, then the data
from the supplicant is decrypted.
The RADIUS server passes the
user name and password to an appropriate database, such as Active Directory,
If the user information is correct,
the RADIUS server sends an authentication
acknowledgment to the AP, along with information about approved
services. If the user information is not
correct, the RADIUS server sends an authentication reject message to the
If tracking is
enabled, an accounting database is updated
in either case.
The AP receives
the message from the RADIUS server and
proceeds to allow or deny access to the WLAN.
text explains that the transmissions between the supplicant and the
authenticator must be secure, so they are required to be compliant with
a guideline called the Extensible
Authentication Protocol (EAP).
This is not a protocol. It is a guideline that may be met by several
different protocols listed on the bottom of page 366.
On page 367, the text begins a discussion of wireless intrusion detectionsystems (WIDS) and wireless intrusion preventionsystems (WIPS). Both are tasked with noticing
that an intrusion is taking place. The difference is that a prevention
system is also tasked with stopping the intrusion.
The text describes four
types of wireless intrusion detection
systems, based on their method
- Packets transmitted to the network are compared to attributes (signatures) of packets created in
known attack methods. When the system sees packets that match known
signatures, an alert is generated.
- This kind of system needs a baseline
of data describing how your network normally
works. Events that take place on the network are compared to the
baseline. If an event is significantly different,
an alert is generated.
- This method is very similar to anomaly-based monitoring. It uses a
learning phase in which it records normal
activity on the network, then it looks at all the actions that take place on the
network. If it sees something taking place that is not usually done, an alert is
- This kind of system watches what is happening on a network, and it
generates alerts when it detects an action
that would have an undesired result.
The author presents a list of reasons to prefer a WIPS
over a WIDS. The first two are obvious: a WIDS only generates an alert to administrators, and only after the attack has begun. There is
a delay between the time an
attack is noticed and the time an administrator takes any action about
it. A WIPS addresses this by
taking some action itself
immediately. The text also points out that a WIPS may be part of a
device itself. This is good and bad. When such a system is part of a
device, such as an AP, it will protect that device better than a
network system might. On the other hand, a system that is part of a
device will not do much to protect the rest of the network unless that
device is a transit hub, like a firewall, a switch, or an AP.
The text describes two kinds of sensors that are typically
used in WIDS and WIPS systems:
- This method uses the APs
themselves as the sensing elements of the WIDS or WIPS. The text warns
us that this saves money, but it may overburden the APs. In addition,
older APs that only use 2.4 GHz frequencies cannot monitor 5 GHz
frequencies. Also, this method is probably guaranteed to miss rogue
access points, since most people who hang one on the network will do so
where there is no adequate wireless coverage.
Overlay sensors - Dedicated sensors are added to the
network in this method. As an add-on to the network, there is some
setup work for this method, such as making the sensors aware of the
other network components.
The last item leads nicely to the discussion of features one might expect to find in
a WIDS or WIPS:
AP Identification and
Categorization - If the system knows about legitimate APs (approved APs), it can easily
recognize rogue APs. Categories may be used such as Approved (one of
ours), Known (owned by someone else, but it does not hamper our
network), Monitored (owned by someone else, and it may hamper our
network), and Rogue (any other AP).
Device tracking -
Can be useful for tracking assets, doing a site survey, or setting up
ad hoc connections.
Event action and
notification - This is the main function of a WIDS or a WIPS: to
sense an attack, to notify administration, and (if so equipped) to do
something about it.
RF scanning - As
noted above, the system should scan all frequencies that are used in
Protocol analysis -
Used to collect, read, and analyze the packets that are being used to
attack the network.
The last section of the chapter discusses other wireless tools:
Virtual Private Network
(VPN) - AVPNis
a secure communication channel that is often used by people who need to
connect to their usual network when they are traveling, working from
home, or are otherwise away from their usual work location. A VPN may
pass traffic across the Internet, but it can be considered as secure
because all traffic passed from one end of the channel to the other is
encrypted. Using a VPN provides a level of security that an unsecured
data channel cannot provide. Each end of a VPN channel is called an
endpoint. As you can see from this
description, using a VPN can answer some of the problems that we worry
about when communicating wirelessly.
Secure device management protocols
- Protocols that can transport secure information are very important to
a secure network, or an unsecured network that we need to pass
information across. The text mentions several protocols that are often
used to support this goal, although for different purposes:
Socket Layer (SSL) - This is the typical protocol used for purchases
over the Internet, so it is endorsed by most vendors.
It works together with Transport Layer Security (TLS) which was
developed as an extension to SSL. Together, they provide authentication
for servers and clients, as well as data encryption.
When HTTP traffic is sent
through SSL/TLS, it becomes Hypertext
Transport Protocol over Secure Sockets Layer (HTTPS), which is typically passed on
port 443 instead of port 80.
Secure Shell (SSH)
- This protocol is used to make secure connections between two systems,
whether they are on the same network or in widely separated locations.
It is often used to make a connection from a Windows based computer to
a UNIX or Linux based server. The text mentions that the current
version of the protocol is Secure
Shell 2 (SSH2 or SSH-2).
Simple Network Management Protocol (SNMP) - This protocol has been used
to manage network devices for many years. A security flaw in early
versions was that commands sent to devices had to include a community string, a prefix that gave the command
permission to manage the device. The problem was that the default strings were well known. (If
the video below starts at the beginning, skip ahead to 6 minutes and 35
IDs, passwords, and encryption were added in version 3 of SNMP.
Obviously, Star Fleet was using an earlier version at the time of this
Wi-Fi Protected Setup (WPS)
- This looked like a good idea for consuumer equipment, allowing the
user to select preconfigured security settings by entering a PIN that
was included with the device. A problem was found, and it was shown
that the PIN was actually used in two parts, the first having 4 digits
and the second having 3 digits. This made it possible for an attacker
to hack the PIN, and it was made simpler by not enabling a lockout
after a number of failed attempts. This feature should be disabled in
devices that come with it.
Role-Based Access Control (RBAC) - The text explains that this
is a method of granting rights
to network resources based on
granting sets of rights to specific roles,
and assigning a role to each user
on the system. This method is limited
to assigning one and only one role to
In an Active Directory based
network, users can be assigned to as many security groups as they need to be
in, and they will inherit the sum
of the rights of all of those groups.
This is a more common approach.
Rogue AP Discovery Tools - The text
recommends that we consider using one of four types of wireless probes
listed on page 377. These are devices that can be set to monitor RF
transmissions, looking for rogue APs or devices in communication with
Wireless device probe -
Not all wireless devices are equipped with wireless NICs that allow
them to act in this role. They need to be able to scan the two RF
bands, to record traffic they notice, and to report their collected
data to a central device. The text points out that such devices are
limited to the range of their installed components, and that they
cannot monitor while they are sending traffic themselves.
- A standard wireless device has an advantage over a desktop: the
wireless device can usually be moved more easily to cover another area.
A desktop computer would need a wireless NIC and its scanning would be
limited to the area in which it is located.
- Like the desktop, an AP is typically stationary and limited to its
current location. It may be more likely to be useful than the laptop or
desktop computer, due to its nature as an RF sensing device.
- This would be a device whose purpose iis to act as a listening
station. It has an advantage over the other three: it has no other
functions to perform, so it can do this job all the time it is turned