Security
A WLAN is open to anyone within range of an AP and the appropriate credentials to associate to it. With a wireless NIC and knowledge of cracking techniques, an attacker may not have to physically enter the workplace to gain access to a WLAN.
Attacks can be generated by outsiders, disgruntled employees, and even unintentionally by employees. Wireless networks are specifically susceptible to several threats, including:
- 1. Wireless intruders: Unauthorized users attempting to access network resources. The solution is to deter intruders using authentication.
- 2. Rogue apps: Unauthorized APs installed by a well-intentioned user or willingly for malicious purpose. Use wireless management software to detect rogue APs.
A rogue AP is an AP or wireless router that has either been:- Connected to a corporate network without explicit authorization and against corporate policy.
- Connected or enabled by an attacker to capture client data such as the MAC addresses of clients (both wireless and wired), or to capture and disguise data packets, to gain access to network resources, or to launch man-in-the-middle attack.
To prevent the installation of rogue APs, organizations must use monitoring software to actively monitor the radio spectrum for unauthorized APs. For example, the sample Cisco Prime Infrastructure network management software screenshot displays an RF map identifying the location of an intruder with a spoofed MAC address detected.
Note: Cisco Prime is network management software that works with other management software to provide a common look and central location for all network information. It is usually deployed in very large organizations.
- 3. Interception of data: Wireless data can easily be captured by eavesdroppers. Protect data exchanged between client and AP using encryption.
- 4. Man In The Middle(MITM): A popular wireless MITM attack is called the “evil twin AP” attack, where an attacker introduces a rogue AP and configures it with the same SSID as a legitimate AP.
Defeating an attack like an MITM attack depends on the sophistication of the WLAN infrastructure and the vigilance in monitoring activity on the network. The process begins with identifying legitimate devices on the WLAN. To do this, users must be authenticated. After all of the legitimate devices are known, the network can be monitored for abnormal devices or traffic.Enterprise WLANs that use state-of-the-art WLAN devices provide administrators with tools that work together as a wireless intrusion prevention system (IPS). These tools include scanners that identify rogue APs and ad hoc networks, and radio resource management (RRM), which monitors the RF band for activity and AP load. An AP that is busier than normal alerts the administrator of possible unauthorized traffic. - 5. DoS attacks: WLANs services can be compromised either accidently or for malicious intent. Various solutions exist depending on the source of DoS.
- Cause of DoS
- Improperly configured devices – Configuration errors can disable the WLAN.
- A malicious user intentionally interfering with the wireless communication – Their goal is to disable the wireless network completely or to the point where no legitimate device can access the medium.
- Accidental interference – WLANs operate in the unlicensed frequency bands and; therefore, all wireless networks, regardless of security features, are prone to interference from other wireless devices. Accidental interference may occur from such devices as microwave ovens, cordless phones, baby monitors, and more. The 2.4 GHz band is more prone to interference than the 5 GHz band.
- Eliminate DoS: keep passwords secure, create backups, and ensure that all configuration changes are incorporated off-hours.
- It is likelier that they will attempt to manipulate management frames to consume the AP resources and keep channels too busy to service legitimate user traffic.Management frames can be manipulated to create various types of DoS attacks. Two common management frame attacks include:
- A CTS flood – This occurs when an attacker takes advantage of the CSMA/CA contention method to monopolize the bandwidth and deny all other wireless clients access to the AP. To accomplish this, the attacker repeatedly floods the BSS with Clear to Send (CTS) frames to a bogus STA. All other wireless clients sharing the RF medium receive the CTS and withhold their transmissions until the attacker stops transmitting the CTS frames.
- A spoofed disconnect attack – This occurs when an attacker sends a series of “disassociate” commands to all wireless clients within a BSS. These commands cause all clients to disconnect. When disconnected, the wireless clients immediately try to re-associate, which creates a burst of traffic. The attacker continues sending disassociate frames and the cycle repeats itself.
- Cause of DoS
To mitigate many of these attacks, Cisco has developed a variety of solutions, including the Cisco Management Frame Protection (MFP) feature, which also provides complete proactive protection against frame and device spoofing. The Cisco Adaptive Wireless IPS contributes to this solution by an early detection system where the attack signatures are matched.
The IEEE 802.11 committee has also released two standards in regards to wireless security. The 802.11i standard, which is based on Cisco MFP, specifies security mechanisms for wireless networks while the 802.11w management frame protection standard addresses the problem of manipulating management frames.
Securing WLAN
Two early security features were used( proven to be too weak):
- SSID cloaking – APs and some wireless routers allow the SSID beacon frame to be disabled. Wireless clients must manually identify the SSID to connect to the network.
- MAC addresses filtering – An administrator can manually allow or deny clients wireless access based on their physical MAC hardware address.
Two types of authentication were introduced with the original 802.11 standard:
- Open system authentication – Any wireless client should easily be able to connect, and should only be used in situations where security is of no concern, such as in locations providing free Internet access.
- Shared key authentication – Provides mechanisms, such as WEP, WPA, or WPA2 to authenticate and encrypt data between a wireless client and AP. However, the password must be pre-shared between both parties to connect.
- Wired Equivalent Privacy (WEP) – Original 802.11 specification designed to provide privacy similar to connecting to a network using a wired connection. The data is secured using the RC4 encryption method with a static key. However, the key never changes when exchanging packets making it easy to hack.
- Wi-Fi Protected Access (WPA) – A Wi-Fi Alliance standard that uses WEP, but secures the data with the much stronger Temporal Key Integrity Protocol (TKIP) encryption algorithm. TKIP changes the key for each packet making it much more difficult to hack.
- IEEE 802.11i/WPA2 – IEEE 802.11i is the industry standard for securing wireless networks. The Wi-Fi alliance version is called WPA2. 802.11i and WPA2; both use the Advanced Encryption Standard (AES) for encryption. AES is currently considered the strongest encryption protocol.
Encryption rotocols
The IEEE 802.11i and the Wi-Fi Alliance WPA and WPA2 standards use the following encryption protocols:
- Temporal Key Integrity Protocol (TKIP) – TKIP is the encryption method used by WPA. It provides support for legacy WLAN equipment by addressing the original flaws associated with the 802.11 WEP encryption method. It makes use of WEP, but encrypts the Layer 2 payload using TKIP, and carries out a Message Integrity Check (MIC) in the encrypted packet to ensure the message has not been tampered with.
- Advanced Encryption Standard (AES) – AES is the encryption method used by WPA2. It is the preferred method because it aligns with the industry standard IEEE 802.11i. AES performs the same functions as TKIP, but it is a far stronger method of encryption. It uses the Counter Cipher Mode with Block Chaining Message Authentication Code Protocol (CCMP) that allows destination hosts to recognize if the encrypted and non-encrypted bits have been tampered with.
Note: Always choose WPA2 with AES when possible.
Two types of authentication:
- Personal – Intended for home or small office networks, users authenticate using a pre-shared key (PSK). Wireless clients authenticate with the AP using a pre-shared password. No special authentication server is required.
- Enterprise – Intended for enterprise networks but requires a Remote Authentication Dial-In User Service (RADIUS) authentication server. Although more complicated to set up, it provides additional security. The device must be authenticated by the RADIUS server and then users must authenticate using 802.1X standard, which uses the Extensible Authentication Protocol (EAP) for authentication.New fields displayed when choosing an Enterprise version of WPA or WPA2. These fields are necessary to supply the AP with the required information to contact the AAA server:
- RADIUS Server IP address – This is the reachable address of the RADIUS server.
- UDP port numbers – Officially assigned UDP ports 1812 for RADIUS Authentication and 1813 for RADIUS Accounting, but could also operate using UDP ports 1645 and 1646.
- Shared key – Used to authenticate the AP with the RADIUS server.
The shared key is not a parameter that must be configured on a STA. It is only required on the AP to authenticate with the RADIUS server.
Note: There is no Password field listed, because the actual user authentication and authorization is handled by the 802.1X standard, which provides a centralized, server-based authentication of end users.
The 802.1X login process uses EAP to communicate with the AP and RADIUS server. EAP is a framework for authenticating network access. It can provide a secure authentication mechanism and negotiate a secure private key that can then be used for a wireless encryption session utilizing TKIP or AES encryption.