Communications and Network Security Part 8 - Wireless Networks
In this lesson, I describe wireless networking technologies and related safeguards. In addition to encryption, I explore other steps an organization can take to protect information passing through the air. You can download the script for this video from above or at the end of the video. Wireless network deployments are common, so common has to be the primary connection medium for many businesses. With the emergence and continued growth of IoT and IIoT devices wireless connectivity in even heavily wired enterprises is rapidly expanding.
Let's first look at the IEEE 802.11 standards, which are commonly used for home and business wireless networks. This table shows the different standards, associated bandwidths, and frequency. As we'll see later, frequency is an important consideration when managing how far a device can be from a wireless access point or WAP, and still communicate efficiently. Each standard uses one of
three transmission standards that enable different data rates for the same frequency. These are DSSS, or direct sequence spread spectrum, FHSS, frequency hopping spread spectrum, OFDM, orthogonal frequency multiplexing, and OFDMA, orthogonal frequency division multiple access. OFDM is used for wi-fi versions three through five and version 6 uses OFDMA, an extension of OFDM. Without access to an organization's wireless network, a threat actor has to find another way in. Many attacks attempt to compromise a user computer. Once access is gained, malware
that enables network interface card promiscuous mode can collect all packets the device can see. Another way as shown in this graphic is to gain physical access to a facility. Once access is gained, the threat actor finds an open active network port, like in a conference room. Once connected, all packets on the segment to which the port is connected are available for theft or modification. This graphic shows a common wireless
network configuration in which security was not necessarily a consideration in the design phase. Note that an attacker could gain access to a common area of the organization or simply sit in the parking lot to access to network wireless transmissions or signals. Another method of attacking wireless connections is a man-in-the-middle attack over a public network. In this example, Alice attempts to connect from her laptop in an airport to a server in her organization's data center. Because Alice's organization has not yet secured this type
of access, Alice's attempt to enter is intercepted by a threat actor. The threat actor now becomes an intermediary or middleman who can see all traffic between Alice's laptop and the data center server. In general, an entity can directly connect to a wireless network in one of two ways.
The first is open system authentication, or OSA. With OSA configured, an entity just has to be within range of the wireless signal to connect. No other authentication is needed. With the second, shared key authentication or SKA, the wireless network is configured to require a shared key or other type of authentication in which the entity must present proof of identity.
Wireless access points initially used WEP, or wired equivalent privacy, to protect wireless connections using Rivest Cipher 4, or RC4. WEP encrypts transmissions between endpoint devices and wireless access points, but it does not provide end-to-end security because it only operates at OSI layers 1 and 2. When configuring WEP, a shared key is created. An entity needing access to an access point must provide the key to gain access and enable encryption. Because of weaknesses in WEP, including always using the same key for every packet, WEP was quickly broken. Today a threat actor can crack WEP security in less than a minute. To fill the gap, the Wi-Fi Alliance developed Wi-Fi Protected Access or WPA. WPA was supposed to be
a temporary solution. The alliance was hoping for a reasonably quick release of IEEE 802.11i, which I cover in the next slide. However, WPA lasted a while as 802.11i release was delayed for years. Because of this lag in the release of the IEEE standard, WPA was developed as a longer term replacement for WEP. It used leap, or lightweight extensible
authentication protocol, which we cover in a later slide, and TKIP, temporal key integrity protocol. Unlike WEP, WPA can dynamically create a new 128-bit key for each wireless packet. Further, WPA does not use the same key set across all clients. A separate key set is negotiated with each device. The key set is created after an endpoint uses a WPA passphrase to authenticate.
WPA is not usually secure enough for enterprise protection. Although the passphrase must be no shorter than 14 characters, it's still a single factor approach that can fall to brute force attacks. Attacks like coWPAtty and a GPU-based cracking tool have broken WPA as a safeguard for highly classified information. WPA2 replaced and is backward compatible with WPA. It integrates IEEE 802.1x with AES encryption. WPA2 comes in two versions: WPA2-Personal and WPA2-enterprise. WPA2-Personal, also known as WPA2-PSK, can be implemented in two ways: with AES or TKIP.
PSK stands for pre-shared key. TKIP implementations are backward compatible with older devices that do not support AES. However, AES is considered more secure, and it is the default implementation when using WPA2. Let's look at how this works. We usually find WPA2-Personal in homes, home offices, and small businesses. The administrator sets a passphrase in the router with a length from 8 to 63 characters. In order to access the wireless network, the laptop or other wireless device must provide the passphrase for authentication.
After authentication, the connection is encrypted with aes symmetric encryption. WPA2-Enterprise and the newer WPA3-Enterprise combined WPA2 AES encryption with IEEE 802.1x network authentication. It eliminates the need for a pre-shared key. Let's step through a sample connection process. The client in 802.1x is known as the supplicant.
The admin must configure supplicant software on the supplicant before the laptop can connect. A laptop, or the supplicant, attempts to connect to a wireless router. The wireless router places the laptop into an unauthorized state and begins the authentication process. The wireless router sends the credentials provided by the laptop to the RADIUS server. Depending on policies configured on the RADIUS server, the iID is sent to Active Directory to verify the user identity. This process can include passwords only or the use of both user and device certificates.
If the identity is confirmed, the RADIUS server returns that information to the wireless router. The wireless router changes the laptop status to authorized and provides network access. This is a basic look at how this works. Implementation of EAP to secure this process is covered later in this lesson. Instead of simply providing a passphrase, an organization can require multi-factor authentication to access the network. And as explained before, policies configured on the RADIUS server can enforce conditions under which access is granted. WPA3 is replacing WPA2. As of 2021, the Wi-Fi Alliance requires all Version 6 echo, or 6e,
certified devices to support it. Cisco claims that 60% of its customers had adopted WPA3 as of the middle of 2021. While WPA3 connection processes are fundamentally the same as WPA2, WPA3 is considered more secure for four reasons. First, the handshake used to establish a wireless connection is more secure. Second, it's easier to securely add new devices. Third, it provides basic hotspot protection. And fourth key sizes for session encryption are bigger.
It's important to note that these protocols can also be used for wired connections. The first protocol we look at is EAP or the extensible authentication protocol. Actually, EAP is all we look at in this lesson, but we look at different implementations of its methods. This protocol is actually a framework rather than a discrete piece of software, and it's used in both wireless and wired connections. Defined in RFC 3748 and updated by RFC 5247,
EAP provides a set of about 40 methods designed to provide for secure authentication. This is our earlier authentication example. Let's use it to walk through how basic EAP works. EAP uses the 802.1x standard I covered earlier. The authentication process requires three components: the user's wireless device, a wireless access point, and an authentication server. The user sends a connection request to the access point, also known as a transceiver. The access point then requests the user's identity information.
Once a user provides its identity information, the access point forwards that information to the authentication server. The authentication server then sends a request to the access point for verification of the identity information. Verification is commonly done with a certificate. The access point obtains the verification information from the user and sends it to the authentication server. If the authentication server is able to successfully validate the user's identity, the user is allowed access. Our example includes a RADIUS server, which will also supply business policies to determine if an authenticated identity is allowed remote access. This is the basic operation of EAP, and you may recognize it as the basic 802.1x authentication process we
walked through earlier. In this lesson, however, the actual authentication process varies based on the type of EAP used and the authentication security needed. Let's look at four variations. One commonly used type is EAP-TLS, which authenticates both the client and the network. This approach requires a supplicant certificate and a network certificate. A detailed walkthrough of TLS versions and how they work is available in the video above. The EAP-TLS generates random session keys that secure communication between the AP and the client.
One disadvantage of this approach is the need to manage certificates for all wireless clients. EAP-TTLS, or EAP Tunneled TLS, also uses mutual certificate authentication, but only the network side needs a certificate. This is done by requiring the authenticator to use legacy authentication databases like Active Directory. By using legacy information in a centralized database, the effort needed to manage client certificates is reduced. LEAP, lightweight extensible authentication protocol, is a Cisco proprietary alternative to WPA using TKIP. TKIP is temporal key integrity protocol, and it's included as an encryption method in the 802.11i standard for wireless networks. LEAP also requires mutual authentication
between the client and the network. The LEAP server sends the client a random challenge, and the client returns a hashed password. Once the password is authenticated, the client then asks the network for a password. Once this is sent, the client and the network execute a key exchange. PEAP, or protected EAP, is intended to be a more secure approach than LEAP. Using network side certificates, it creates a TLS tunnel for secure client authentication.
Finally, let's look at securing the operation of wireless access points or WAPS. As we have seen in this lesson, a WAP receives signals from and sends signals to the client. It acts as an access point through which wireless devices can reach and use network resources. Securing the use of WAPs is a process consisting of first a site survey, followed by determining access point placement, and then configuring the access points, and finally implementation of filtering or other access controls.
Site surveys are usually walkthroughs of the current or intended wireless environment using special software. They not only help determine effective placement of authorized access points, they also help identify rogue access points. Rogue access points can be placed by threat actors, but they're also often used by employees who want to bypass the organization's wireless access restrictions. In addition to rogue AP identification, a survey also determines where to place access points for new areas or to improve signal strength for existing coverage areas. For example, an existing access point might be less effective because of new signal barriers caused by remodeling, placement of devices that can cause signal interference, or other factors. Another
goal of the survey is to identify areas where the organization does not want to provide strong signal support. In this example, a threat actor is sitting outside the building in the parking lot. Placement and tuning of access points can eliminate or severely attenuate, or limit the signal strength, available to the threat actor. Another consideration is doing site surveys after replacement of existing access points with access points that support higher frequency signals. Higher frequencies have a harder time getting through barriers like walls, so it's important to understand how increased frequency affects coverage of wireless access.
After the survey, we need to determine where to place access points. According to the 2020 CISSP common body of knowledge, the following are general considerations. Centralize the access points in needed coverage areas. Understand and avoid or manage physical obstructions that limit signal strength. Remember that reflective and flat services can seriously
attenuate signals. Manage the placement of access points to manage interference by equipment that emit electromagnetic fields that interfere with access point signals. Position external omnidirectional antennas vertically. Properly direct directional antennas. At this point we need to define and apply some terms and concepts.
As indicated in the previous slide, there are two types of antennas: omnidirectional and directional. We usually have omnidirectional antennas on home wireless routers. These are poles that transmit signals in all directions. Directional antennas focus the signal in one direction. Panel and parabolic antennas are two examples. It's important to understand that directional antennas can create strong signals that need to be considered when trying to limit wireless coverage. Access points can be deployed in two ways: infrastructure mode and ad hoc mode. Infrastructure mode is the best choice when using centralized management and control
of access points. Ad hoc mode allows connection of wireless devices without centralized control and without any authentication at all. There are four types of infrastructure modes. The type used depends on how the organization is managing access. In standalone mode, the access point connects wireless devices to each other but not to any wired resources. Wired extension links wireless devices to the wired network. When an organization needs to provide a large physical area to the same wired network, enterprise extended or ESSID enables the movement of devices within the area without interruption of wireless service. And bridge links two wireless networks this is often used between floors or buildings.
Service set identifiers or SSIDs provide each wireless network with a name. This makes it easier for users to find and connect to resources. There are two types of SSID. We have already looked at ESSIDs that enable wide area movement of devices without any significant interruption in service. This type is used in the infrastructure mode we just covered called extended. The other type is BSSID, or basic SSID.
BSSID is used when the access point is implemented in ad hoc or peer-to-peer modes. It is considered security best practice to hide the SSID. This is done by configuring the access points to not broadcast the SSID beacon frame. This requires the user to know the SSID in order to initially
access the wireless network. SSID hiding is not strong security; it's just a weak security layer. Threat actors are can easily capture the SSID with sniffers. Next are captive portals. These are safeguards that protect authentication for many public networks. Public networks include hotels, restaurants, airports, and libraries. They can also include visitor networks for organizations. They are also used on wired networks. This graphic is a captive portal example. The captive portal process forces a newly connected
device to a starting page that requests credentials provided by the network owner, potentially offers service or enhanced service for a fee, and provides network use policies. One way to filter out wireless devices that should not connect to the network is via MAC filters. MAC filters look at a device's MAC address and compare it to a list of authorized addresses. While IP addresses can change, a device's MAC address is burned in, so it never changes. However, threat actors can easily spoof MAC addresses which can bypass MAC filtering. MAC address spoofing is detectable by special software tools. However, I would implement certificates in WPA3-Enterprise for medium to large businesses. Another downside of MAC
filtering is the amount of work needed to manage large numbers of wireless devices. I've worked for organizations in which management insisted on this approach to save money. Trying to keep up with new and changing mac addresses quickly became frustrating to both it and the users.
Finally let's look at common attacks against wireless networks. Some attacks against wireless networks are also attack vectors used against wired networks. These include packet sniffing and password theft. Man-in-the-middle attacks are also possible on a wired network, if the threat actor gains physical access to the wired network. However, it is easier to fall to man-in-the-middle for wireless connections because no physical access to the wired network is necessary. Attacks unique to wireless include signal jamming and war driving. In signal jamming, a threat actor
uses tools and techniques to overwhelm an access point's ability to manage incoming and outgoing signals. This is illegal, but jamming tools are available online and easy to implement. When threat actors move through an area looking for wireless networks to attack, they are performing what is known as war driving. War driving can involve driving slowly down the street or walking down the sidewalk. Using tools like AirCrack. AirSnort, and WireShark,
the threat actor first detects wireless traffic. If the SSID is not clearly broadcasted, she uses her tools to extract the SSID and identify active IP addresses. She also captures valid MAC addresses and the authentication mechanism used for access. Once the threat actor has this information, she can insert herself as a man-in-the-middle. She can also attempt to connect to the network. Her approach to capturing packets or gaining access to the wired networks will depend on how wireless access is secured... or not secured. In some cases, war drivers are only trying to gain free Wi-Fi access.
War drivers share the information they gather about existing wireless networks they found. The CISSP common body of knowledge lists some of these sites as WiGLE, openBmap, and Geomena. That's it for this lesson. If you have questions, please ask. ...and until next time be careful what you click
2022-01-18 20:13