Communications and Network Security Part 8 - Wireless Networks


In this lesson, I describe wireless networking technologies and related safeguards. In addition to encryption, I explore other steps an organization can take to protect information passing through the air. You can download the script for this video from above or at the end of the video. Wireless network deployments are common, so common as to be the primary connection medium for many businesses. With the emergence and continued growth of IoT and IIoT devices, wireless connectivity in even heavily wired enterprises is rapidly expanding.

Let's first look at the IEEE 802.11 standards, which are commonly used for home and business wireless networks. This table shows the different standards, associated bandwidths, and frequency. As we'll see later, frequency is an important consideration when managing how far a device can be from a wireless access point, or WAP, and still communicate efficiently. Each standard uses one of three transmission standards that enable different data rates for the same frequency. These are DSSS, or direct sequence spread spectrum; FHSS, frequency hopping spread spectrum; OFDM, orthogonal frequency division multiplexing; and OFDMA, orthogonal frequency division multiple access. OFDM is used for Wi-Fi versions 3 through 5, and version 6 uses OFDMA, an extension of OFDM.

Without access to an organization's wireless network, a threat actor has to find another way in. Many attacks attempt to compromise a user computer. Once access is gained, malware that enables network interface card promiscuous mode can collect all packets the device can see. Another way, as shown in this graphic, is to gain physical access to a facility. Once access is gained, the threat actor finds an open, active network port, like one in a conference room. Once connected, all packets on the segment to which the port is connected are available for theft or modification. This graphic shows a common wireless network configuration in which security was not necessarily a consideration in the design phase. Note that an attacker could gain access to a common area of the organization or simply sit in the parking lot to access network wireless transmissions or signals.

Another method of attacking wireless connections is a man-in-the-middle attack over a public network. In this example, Alice attempts to connect from her laptop in an airport to a server in her organization's data center. Because Alice's organization has not yet secured this type of access, Alice's attempt to enter is intercepted by a threat actor. The threat actor now becomes an intermediary, or middleman, who can see all traffic between Alice's laptop and the data center server.

In general, an entity can directly connect to a wireless network in one of two ways. The first is open system authentication, or OSA. With OSA configured, an entity just has to be within range of the wireless signal to connect. No other authentication is needed. With the second, shared key authentication or SKA, the wireless network is configured to require a shared key or other type of authentication in which the entity must present proof of identity.

Wireless access points initially used WEP, or wired equivalent privacy, to protect wireless connections using Rivest Cipher 4, or RC4. WEP encrypts transmissions between endpoint devices and wireless access points, but it does not provide end-to-end security because it only operates at OSI layers 1 and 2. When configuring WEP, a shared key is created. An entity needing access to an access point must provide the key to gain access and enable encryption. Because of weaknesses in WEP, including always using the same key for every packet, WEP was quickly broken. Today a threat actor can crack WEP security in less than a minute.

To fill the gap, the Wi-Fi Alliance developed Wi-Fi Protected Access, or WPA. WPA was supposed to be a temporary solution. The Alliance was hoping for a reasonably quick release of IEEE 802.11i, which I cover in the next slide. However, WPA lasted a while, as the 802.11i release was delayed for years. Because of this lag in the release of the IEEE standard, WPA was developed as a longer-term replacement for WEP. It used LEAP, or lightweight extensible authentication protocol, which we cover in a later slide, and TKIP, temporal key integrity protocol. Unlike WEP, WPA can dynamically create a new 128-bit key for each wireless packet. Further, WPA does not use the same key set across all clients. A separate key set is negotiated with each device. The key set is created after an endpoint uses a WPA passphrase to authenticate.

WPA is not usually secure enough for enterprise protection. Although the passphrase must be no shorter than 14 characters, it's still a single-factor approach that can fall to brute force attacks. Attacks like coWPAtty and GPU-based cracking tools have broken WPA as a safeguard for highly classified information. WPA2 replaced and is backward compatible with WPA. It integrates IEEE 802.1X with AES encryption. WPA2 comes in two versions: WPA2-Personal and WPA2-Enterprise.

WPA2-Personal, also known as WPA2-PSK, can be implemented in two ways: with AES or TKIP. PSK stands for pre-shared key. TKIP implementations are backward compatible with older devices that do not support AES. However, AES is considered more secure, and it is the default implementation when using WPA2. Let's look at how this works. We usually find WPA2-Personal in homes, home offices, and small businesses. The administrator sets a passphrase in the router with a length from 8 to 63 characters. In order to access the wireless network, the laptop or other wireless device must provide the passphrase for authentication. After authentication, the connection is encrypted with AES symmetric encryption.

WPA2-Enterprise and the newer WPA3-Enterprise combine WPA2 AES encryption with IEEE 802.1X network authentication. This eliminates the need for a pre-shared key. Let's step through a sample connection process. The client in 802.1X is known as the supplicant. The admin must configure supplicant software on the supplicant before the laptop can connect. A laptop, or the supplicant, attempts to connect to a wireless router. The wireless router places the laptop into an unauthorized state and begins the authentication process. The wireless router sends the credentials provided by the laptop to the RADIUS server. Depending on policies configured on the RADIUS server, the ID is sent to Active Directory to verify the user identity. This process can include passwords only or the use of both user and device certificates. If the identity is confirmed, the RADIUS server returns that information to the wireless router. The wireless router changes the laptop status to authorized and provides network access. This is a basic look at how this works. Implementation of EAP to secure this process is covered later in this lesson. Instead of simply providing a passphrase, an organization can require multi-factor authentication to access the network. And as explained before, policies configured on the RADIUS server can enforce conditions under which access is granted.

WPA3 is replacing WPA2. As of 2021, the Wi-Fi Alliance requires all Version 6E, or 6e, certified devices to support it. Cisco claims that 60% of its customers had adopted WPA3 as of the middle of 2021. While WPA3 connection processes are fundamentally the same as WPA2, WPA3 is considered more secure for four reasons. First, the handshake used to establish a wireless connection is more secure. Second, it's easier to securely add new devices. Third, it provides basic hotspot protection. And fourth, key sizes for session encryption are bigger.
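As an added example, not code from the lesson: the WPA2-Personal passphrase described above is never used directly as the encryption key. IEEE 802.11i derives the 256-bit pre-shared key from the passphrase using PBKDF2-HMAC-SHA1 with the SSID as the salt, which is why access points enforce the 8-to-63-character passphrase rule and why the same passphrase produces a different key on every network. The helper names below are this example's own assumptions.

```python
import hashlib


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA2-Personal pre-shared key (PSK).

    IEEE 802.11i maps the passphrase to the key with PBKDF2-HMAC-SHA1,
    4096 iterations, using the SSID as the salt. The passphrase rules
    (8 to 63 printable ASCII characters) are the standard's; checking
    them here mirrors what an access point does when the admin sets it.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # 4096 iterations of HMAC-SHA1; the 32-byte output is the PSK (the PMK).
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


def same_passphrase_different_networks(passphrase: str, ssids) -> dict:
    """Show that the SSID salt makes every network's key distinct, so work
    done against one SSID does not carry over to another network."""
    return {s: wpa2_psk(passphrase, s).hex() for s in ssids}


if __name__ == "__main__":
    # Constructed example values; "password"/"IEEE" is the 802.11i test vector.
    print(wpa2_psk("password", "IEEE").hex())
    for ssid, key in same_passphrase_different_networks("CorrectHorse9!", ["Lobby", "Lab"]).items():
        print(ssid, key)
```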

It's important to note that these protocols can also be used for wired connections. The first protocol we look at is EAP, or the extensible authentication protocol. Actually, EAP is all we look at in this lesson, but we look at different implementations of its methods. This protocol is actually a framework rather than a discrete piece of software, and it's used in both wireless and wired connections. Defined in RFC 3748 and updated by RFC 5247, EAP provides a set of about 40 methods designed to provide for secure authentication.

This is our earlier authentication example. Let's use it to walk through how basic EAP works. EAP uses the 802.1X standard I covered earlier. The authentication process requires three components: the user's wireless device, a wireless access point, and an authentication server. The user sends a connection request to the access point, also known as a transceiver. The access point then requests the user's identity information. Once the user provides identity information, the access point forwards that information to the authentication server. The authentication server then sends a request to the access point for verification of the identity information. Verification is commonly done with a certificate. The access point obtains the verification information from the user and sends it to the authentication server. If the authentication server is able to successfully validate the user's identity, the user is allowed access. Our example includes a RADIUS server, which will also supply business policies to determine if an authenticated identity is allowed remote access. This is the basic operation of EAP, and you may recognize it as the basic 802.1X authentication process we walked through earlier. In this lesson, however, the actual authentication process varies based on the type of EAP used and the authentication security needed. Let's look at four variations.

One commonly used type is EAP-TLS, which authenticates both the client and the network. This approach requires a supplicant certificate and a network certificate. A detailed walkthrough of TLS versions and how they work is available in the video above. EAP-TLS generates random session keys that secure communication between the AP and the client. One disadvantage of this approach is the need to manage certificates for all wireless clients. EAP-TTLS, or EAP Tunneled TLS, also uses mutual certificate authentication, but only the network side needs a certificate. This is done by requiring the authenticator to use legacy authentication databases like Active Directory. By using legacy information in a centralized database, the effort needed to manage client certificates is reduced. LEAP, lightweight extensible authentication protocol, is a Cisco proprietary alternative to WPA using TKIP. TKIP is temporal key integrity protocol, and it's included as an encryption method in the 802.11i standard for wireless networks. LEAP also requires mutual authentication between the client and the network. The LEAP server sends the client a random challenge, and the client returns a hashed password. Once the password is authenticated, the client then asks the network for a password. Once this is sent, the client and the network execute a key exchange. PEAP, or protected EAP, is intended to be a more secure approach than LEAP. Using network side certificates, it creates a TLS tunnel for secure client authentication.

Finally, let's look at securing the operation of wireless access points, or WAPs. As we have seen in this lesson, a WAP receives signals from and sends signals to the client. It acts as an access point through which wireless devices can reach and use network resources. Securing the use of WAPs is a process consisting of first a site survey, followed by determining access point placement, then configuring the access points, and finally implementation of filtering or other access controls.

Site surveys are usually walkthroughs of the current or intended wireless environment using special software. They not only help determine effective placement of authorized access points, they also help identify rogue access points. Rogue access points can be placed by threat actors, but they're also often used by employees who want to bypass the organization's wireless access restrictions. In addition to rogue AP identification, a survey also determines where to place access points for new areas or to improve signal strength for existing coverage areas. For example, an existing access point might be less effective because of new signal barriers caused by remodeling, placement of devices that can cause signal interference, or other factors. Another goal of the survey is to identify areas where the organization does not want to provide strong signal support. In this example, a threat actor is sitting outside the building in the parking lot. Placement and tuning of access points can eliminate or severely attenuate, or limit, the signal strength available to the threat actor. Another consideration is doing site surveys after replacement of existing access points with access points that support higher frequency signals. Higher frequencies have a harder time getting through barriers like walls, so it's important to understand how increased frequency affects coverage of wireless access.
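As an added illustration of the survey points above (example code, not the lesson's), the link budget below applies the free-space path loss formula, 20*log10(d_m) + 20*log10(f_MHz) - 27.55 dB, plus constructed per-obstacle losses, to estimate whether a client at a survey point such as the parking lot still receives a usable signal at 2.4 GHz versus 5 GHz. The transmit power, antenna gains, obstacle losses and the -70 dBm usability threshold are planning assumptions of this example, not survey data.

```python
import math

# Constructed per-obstacle losses in dB (planning assumptions, not measurements).
# Real wall loss also rises with frequency; the table keeps it constant so the
# frequency effect shown below comes purely from the path-loss term.
OBSTACLE_LOSS_DB = {"glass": 2.0, "drywall": 3.0, "brick": 10.0, "concrete": 15.0}


def free_space_path_loss_db(distance_m: float, freq_mhz: float) -> float:
    """Free-space path loss: 20*log10(d) + 20*log10(f) - 27.55 (d in m, f in MHz).
    Moving from 2.4 GHz to 5 GHz adds about 6.4 dB of loss at the same distance."""
    if distance_m <= 0 or freq_mhz <= 0:
        raise ValueError("distance and frequency must be positive")
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55


def received_power_dbm(distance_m, freq_mhz, obstacles=(), tx_power_dbm=20.0,
                       tx_gain_dbi=2.0, rx_gain_dbi=0.0):
    """Link budget: transmit power plus antenna gains minus path and obstacle loss."""
    loss = free_space_path_loss_db(distance_m, freq_mhz)
    loss += sum(OBSTACLE_LOSS_DB[o] for o in obstacles)
    return tx_power_dbm + tx_gain_dbi + rx_gain_dbi - loss


def survey(points, bands_mhz=(2400, 5000), min_usable_dbm=-70.0):
    """For each survey point return {band: (rx_dbm, usable)} so the planner can
    see where coverage is wanted (rooms) and where it is unwanted (parking lot)."""
    report = {}
    for name, distance_m, obstacles in points:
        report[name] = {}
        for f in bands_mhz:
            rx = received_power_dbm(distance_m, f, obstacles)
            report[name][f] = (round(rx, 1), rx >= min_usable_dbm)
    return report


# Constructed survey points: (name, distance from the AP in metres, obstacles in the path).
SURVEY_POINTS = [
    ("conference room", 10, ["drywall"]),
    ("parking lot", 60, ["brick", "glass"]),
]

if __name__ == "__main__":
    for name, result in survey(SURVEY_POINTS).items():
        for band, (rx, usable) in result.items():
            print(f"{name:16s} {band} MHz: {rx:6.1f} dBm  {'usable' if usable else 'too weak'}")
```

With these assumptions the parking lot still gets a usable 2.4 GHz signal but drops below the threshold at 5 GHz, which is the kind of result that tells the planner where to re-tune power or re-survey after a higher-frequency AP replacement.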

After the survey, we need to determine where to place access points. According to the 2020 CISSP common body of knowledge, the following are general considerations. Centralize the access points in needed coverage areas. Understand and avoid or manage physical obstructions that limit signal strength. Remember that reflective and flat surfaces can seriously attenuate signals. Manage the placement of access points to manage interference by equipment that emits electromagnetic fields that interfere with access point signals. Position external omnidirectional antennas vertically. Properly direct directional antennas. At this point we need to define and apply some terms and concepts.

As indicated in the previous slide, there are two types of antennas: omnidirectional and directional. We usually have omnidirectional antennas on home wireless routers. These are poles that transmit signals in all directions. Directional antennas focus the signal in one direction. Panel and parabolic antennas are two examples. It's important to understand that directional antennas can create strong signals that need to be considered when trying to limit wireless coverage.

Access points can be deployed in two ways: infrastructure mode and ad hoc mode. Infrastructure mode is the best choice when using centralized management and control of access points. Ad hoc mode allows connection of wireless devices without centralized control and without any authentication at all. There are four types of infrastructure modes. The type used depends on how the organization is managing access. In standalone mode, the access point connects wireless devices to each other but not to any wired resources. Wired extension links wireless devices to the wired network. When an organization needs to provide a large physical area to the same wired network, enterprise extended, or ESSID, enables the movement of devices within the area without interruption of wireless service. And bridge mode links two wireless networks; this is often used between floors or buildings.

Service set identifiers, or SSIDs, provide each wireless network with a name. This makes it easier for users to find and connect to resources. There are two types of SSID. We have already looked at ESSIDs, which enable wide area movement of devices without any significant interruption in service. This type is used in the infrastructure mode we just covered called extended. The other type is BSSID, or basic SSID. BSSID is used when the access point is implemented in ad hoc or peer-to-peer modes. It is considered security best practice to hide the SSID. This is done by configuring the access points to not broadcast the SSID beacon frame. This requires the user to know the SSID in order to initially access the wireless network. SSID hiding is not strong security; it's just a weak security layer. Threat actors can easily capture the SSID with sniffers.

Next are captive portals. These are safeguards that protect authentication for many public networks. Public networks include hotels, restaurants, airports, and libraries. They can also include visitor networks for organizations. They are also used on wired networks. This graphic is a captive portal example. The captive portal process forces a newly connected device to a starting page that requests credentials provided by the network owner, potentially offers service or enhanced service for a fee, and provides network use policies.

One way to filter out wireless devices that should not connect to the network is via MAC filters. MAC filters look at a device's MAC address and compare it to a list of authorized addresses. While IP addresses can change, a device's MAC address is burned in, so it never changes. However, threat actors can easily spoof MAC addresses, which can bypass MAC filtering. MAC address spoofing is detectable by special software tools. However, I would implement certificates in WPA3-Enterprise for medium to large businesses. Another downside of MAC filtering is the amount of work needed to manage large numbers of wireless devices. I've worked for organizations in which management insisted on this approach to save money. Trying to keep up with new and changing MAC addresses quickly became frustrating to both IT and the users.
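As an added example (not the lesson's code), the filter below normalizes the address formats that different device inventories use before comparing against the authorized list, and applies two simple indicators of the kind that detection tools use to spot MAC spoofing: the locally administered bit in the first octet, which marks an address set in software rather than burned in, and the same address associating on a second access point while still associated on the first. The allowlist, the association events and the two heuristics are constructed for this example.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Canonical aa:bb:cc:dd:ee:ff form from colon, dash, Cisco dotted or bare hex input."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """Bit 1 (0x02) of the first octet set: address assigned by software (randomized
    or manually set), not the vendor's burned-in address. A weak indicator only:
    modern phones randomize their MAC legitimately."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def evaluate(allowlist, events):
    """events: (timestamp, access point, 'assoc'|'disassoc', raw MAC).
    Returns (decisions, alerts): one (timestamp, ap, mac, permitted) per association
    and a human-readable alert for each spoofing indicator that fires."""
    allowed = {normalize_mac(m) for m in allowlist}
    current_ap = {}  # mac -> AP the device is currently associated on
    decisions, alerts = [], []
    for ts, ap, kind, raw in events:
        mac = normalize_mac(raw)
        if kind == "disassoc":
            current_ap.pop(mac, None)
            continue
        permitted = mac in allowed
        decisions.append((ts, ap, mac, permitted))
        if permitted and is_locally_administered(mac):
            alerts.append(f"{ts} {mac} on {ap}: locally administered address (weak indicator)")
        if mac in current_ap and current_ap[mac] != ap:
            # A fast roam can look like this too; treat it as a lead to check, not proof.
            alerts.append(f"{ts} {mac} associated on {ap} while still on {current_ap[mac]}: "
                          "possible duplicate/spoofed MAC")
        if permitted:
            current_ap[mac] = ap
    return decisions, alerts


# Constructed allowlist (mixed inventory formats) and association events.
ALLOWLIST = ["3C:5A:B4:10:20:30", "3c-5a-b4-10-20-31", "0250.5600.0001"]
EVENTS = [
    ("10:00:01", "ap-floor1", "assoc", "3c:5a:b4:10:20:30"),
    ("10:00:05", "ap-floor1", "assoc", "02:50:56:00:00:01"),
    ("10:00:09", "ap-lobby", "assoc", "3c:5a:b4:10:20:30"),  # same MAC, second AP, no disassoc
    ("10:00:12", "ap-lobby", "assoc", "aa:bb:cc:dd:ee:ff"),  # not on the list
]

if __name__ == "__main__":
    decisions, alerts = evaluate(ALLOWLIST, EVENTS)
    for d in decisions:
        print(d)
    for a in alerts:
        print("ALERT", a)
```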

Finally, let's look at common attacks against wireless networks. Some attacks against wireless networks are also attack vectors used against wired networks. These include packet sniffing and password theft. Man-in-the-middle attacks are also possible on a wired network, if the threat actor gains physical access to the wired network. However, it is easier to fall to man-in-the-middle for wireless connections because no physical access to the wired network is necessary. Attacks unique to wireless include signal jamming and war driving. In signal jamming, a threat actor uses tools and techniques to overwhelm an access point's ability to manage incoming and outgoing signals. This is illegal, but jamming tools are available online and easy to implement. When threat actors move through an area looking for wireless networks to attack, they are performing what is known as war driving. War driving can involve driving slowly down the street or walking down the sidewalk. Using tools like Aircrack, AirSnort, and Wireshark, the threat actor first detects wireless traffic. If the SSID is not clearly broadcast, she uses her tools to extract the SSID and identify active IP addresses. She also captures valid MAC addresses and the authentication mechanism used for access. Once the threat actor has this information, she can insert herself as a man-in-the-middle. She can also attempt to connect to the network. Her approach to capturing packets or gaining access to the wired networks will depend on how wireless access is secured... or not secured. In some cases, war drivers are only trying to gain free Wi-Fi access. War drivers share the information they gather about existing wireless networks they found. The CISSP common body of knowledge lists some of these sites as WiGLE, openBmap, and Geomena.

That's it for this lesson. If you have questions, please ask. ...and until next time, be careful what you click.

2022-01-18
