Wireless LAN Security and Analysis

Transcription

1 Wireless LAN Security and Analysis Duration: 5 Days Course Code: GK3607 Overview: Tackle Wireless LAN security in this course that teaches the essential concepts and protocols from the inside out. Learn about frame formats and transmission protocols in order to gain an understanding of where vulnerabilities might lie, and then apply that knowledge to WLAN security design concepts that make life difficult for hackers at every turn. In addition to learning the intricacies of the standard, WPA/WPA2, and i, you will build a secure WLAN from the ground up. You will configure and crack a series of security methods during hands-on lab exercises before a robust WPA2 Enterprise network emerges at the end of the week. You will learn to use a variety of professional grade analysis tools and open source attack tools as you test different wireless security protocols. Preparing for the CWSP certification? This course is excellent as part of an overall study strategy for the CWNP certification CWSP. The course includes a CWSP study guide, certification practice exam, and test voucher, and many CWSP concepts are covered with lab emphasis on real-world solutions. Many CWNA and CWNE concepts are covered as well. Target Audience: Administrators: network, systems, infrastructure, security, and LAN/WLANs Designers: network, systems, and infrastructure Developers: wireless software and hardware products Consultants and integrators: IT, wireless, and security Decision makers: infrastructure managers, IT managers, security directors, chief security officers, and chief technology officers Objectives: Radio frequency modulation and signal analysis Wireless security standards, including i, WPA, and WPA2 The arbitration process that is used by WLAN devices for channel access Wired Equivalent Privacy (WEP) protocols and why WEP is not secure WPA protocols and how they solve the problems with WEP WPA2 protocols and how they should be configured to prevent attacks Detailed information about frame formats 802.1X/EAP methods, including which EAP type is appropriate in frame types and sub-types common WLAN deployments Design principles that ensure WLAN security Methods for preventing, detecting, responding to, and auditing state-of-the-art WLAN attacks Wireless intrusion detection and why it's essential for maintaining a secure network Prerequisites: Wireless LAN Foundations

2 Content: The Wireless Link RSN Key Management Lab 11: Network Intrusion: Denial of Service Block WLAN access using client-testing 2.4 GHz Channels i Amendment software and the CommView for Wi-Fi packet 2.4 GHz Networks Fast Transition Basics generator. 5 GHz Channels Fast Transition Options a Networks Fast, Secure Roaming RF Modulation Encryption and Network Access Day 4 OFDM Modulation Types Robust Security Network Lab 12: Network Intrusion: Rogue AP Data Encoding RSN Key Material Access the network via a network-based DSSS Coding Types Key Management Handshakes rogue AP. OFDM Convolutional Coding The 4-Way Handshake MIMO WLANs Group Key Handshake PeerKey Handshake Lab 13: Network-Based Rogue AP The Frame Format Key Management Summary Countermeasures Configure wired 802.1X to block The OSI Model Network Security network-based rogue APs. Networking Basics The Wi-Fi Effect Network Security The PHY Layer Prevention: Unauthorized Access Lab 14: VoWLAN Configuration DSSS and OFDM Preambles Integrating the WLAN Set up a Cisco 2100 Series WLAN controller DSSS Preamble Separating the WLAN for open VoWLAN access. OFDM Preamble MAC Address Spoofing DSSS and OFDM Preamble Differences Network Segmentation Options Physical Layer Information Network Rogue APs Lab 15: Wireless Data Intrusion: VoWLAN PHY Layer Troubleshooting Evil Twin Rogue APs Eavesdropping The Wi-Fi MAC Header Rogue AP Response Record and play back VoWLAN calls using Fields and Subfields DoS Response Wildpackets Omnipeek. Frame Control Field Frame Control Flags RF Denial of Service Duration/ID Field Client Testing Software Duration Values DoS: Connection Loss Lab 16: Secure WLAN Setup: WPA Addressing Handling DoS Personal Configuration Wireless Addresses Auditing: Wireless IDS and WNMS Configure a strong PSK with AES-CCMP Wired Addresses WIDS Rogue Prevention encryption to prevent attacks. IBSS Addressing Sequence Control Field Wireless Data Security Use in Troubleshooting Lab 17: Non-Broadcasting SSID configuration QoS Control Field (802.11e) Wireless Data Security Set up a Cisco 2100 Series WLAN controller HT Control Field General Security with a hidden SSID and connect. Frame Check Sequence Wireless Data Security Corruption Basics Encryption Options Endpoint Security Day Frame Types ESS Lab 18: End User Attack: Client Discovery NAC Use AirMagnet WiFi Analyzer to scan for Management Frames Wireless Date Security: Auditing vulnerable stations. Management Frame Structure Auditing: Protocol Analyzers Beacon Frames Auditing: Wireless IDS/IPS Beacon Information Lab 19: End User Attacks: Evil Twin Rogue Capability Information Labs AP and Man-in-the-Middle Standard Information Elements Day 1 Forward a hijacked user on to an authorized Additional Information Elements Lab 1: Analyzer Setup: Wildpackets WLAN. Active Scanning Frames Omnipeek Probe Request Frames Set up Wildpackets Omnipeek for WLAN Probe Response Frames monitoring. Lab 20: Evil Twin Rogue AP Authentication and Association Countermeasures Authentication Frames Identify, locate, and block an Evil Twin rogue Association Request Frames Lab 2: Analyzer Setup: AirMagnet WiFi AP using AirMagnet Enterprise WIDS. Association Response Frames Analyzer Action Frames Set up AirMagnet WiFi Analyzer for WLAN Roaming monitoring. Lab 21: End User Attack: 802.1X/EAP Reassociation Hijacking Connection Termination Use AP software and RADIUS software to Deauthentication Day 2 create an Evil Twin rogue AP running Disassociation Lab 3: Wireless IDS Setup: AirMagnet 802.1X/EAP. Management Frame Summary Enterprise

3 Control Frames Set up AirMagnet Enterprise server and Acknowledgments sensors for intrusion detection. Lab 22: Secure WLAN Setup: WPA2 Block Acknowledgments Enterprise Client Configuration Request-to-Send/Clear-to-Send Configure a WLAN client utility to avoid RTS/CTS Thresholds Lab 4: Guest WLAN Configuration: hijacking when using 802.1X/EAP Power Save Poll Frames Web-Based Authentication authentication. Next Generation Power Save Set up a Cisco 2100 Series WLAN controller Data Frames for web-based authentication. Contention-Based Data QoS Data Frames Lab 5: Network Intrusion: AP Discovery Arbitration Use AirMagnet WiFi Analyzer to scan for vulnerable WLANs Channel Access Arbitration CSMA/CA Lab 6: Network Intrusion: Circumventing A Clear Channel Web-Based Authentication The Arbitration Process Masquerade as an authorized user to gain Interframe Spacing network access. Random Backoff Time Winning Arbitration Acknowledgements Lab 7: Wireless Monitoring: Identify a MAC After the Acknowledgement Address Spoofing Attack An Arbitration Example Use Wildpackets Omnipeek to identify MAC Times address spoofing. IFS Times Frame Times ACK Times Day 3 Effects of Arbitration Lab 8: Home WLAN Configuration: WPA Personal e Quality of Service Set up a Cisco 2100 Series WLAN controller for PSK authentication. Enhanced Distributed Channel Access AIFSN Lengths The Contention Window (QoS) Lab 9: Network Intrusion: PSK Cracking and Other e Improvements TKIP Decryption TXOP and CFB Crack a PSK passphrase and gain network Block Acknowledgements access. Decrypt TKIP-encrypted data. CFB and BA Operation Signal Analysis RF Signal Analysis RF Math Basics Relationship of mw and Db Use of RF Math: Signal Changes Converting mw to dbm Use of RF Math: mw to dbm Conversions Approximating RF Math Calculations RSSI Values Relationship of RSSI to Data Rates Signal Range Co-Channel Interference Reading Interference Spectrum Analyzer Usage Lab 10: Enterprise WLAN Configuration: WPA2 Enterprise Set up a Cisco 2100 Series WLAN controller for WPA2 Enterprise security. Connection Analysis The Wi-Fi Connection Beyond Basic Troubleshooting Connection Fundamentals Scanning Analysis Authentication and Association Secure Connections PSK Connections 802.1X/EAP Connections

4 Roaming Roaming Problems Connection Loss Forged Deauthentification and Disassociation Frames Performance Analysis WLAN Performance Network Load Effects of Channel Overload QBSS Load Dynamic Rate Selection Use of the Wireless Channel Wi-Fi Overhead Wi-Fi Collisions Acknowledgements Protection Mechanism Mixed Mode Performance Degradation Interface Types RTS/CTS General Security Approach WLAN Security Fundamentals Wireless Security Approach Wireless Data Security Data Security Approach Network Security Network Security Approach Endpoint Security WLAN Infrastructure WLAN Security Infrastructure WPA2 Enterprise 802.1X/EAP Basic Enterprise Architecture Users Authenticate LAN Protection Data Protection Access points Segmentation Device Security WLAN Controllers Security Benefits Integrated Firewalls WLAN Management Systems WNMS Deployment RADIUS Servers Advanced Authorization Features RADIUS Server Deployment Virtual LANs Wireless VLAN Security Wireless VLANs Security (WEP) Wired Equivalent Privacy Goals of WEP WEP Authentication Open System Authentication Shared Key Authentication 802.1X/EAP and WEP WEP Encryption

5 Rotating Initialization Vector WEP Key Management WEP Data Integrity Flaws on WEP Minor Vulnerabilities Major Vulnerabilities The Double Major Vulnerabilities Why Cover WEP? Linear integrity check Brute force attacks RSN Authentication 802/11i Encryption Protocols All Networks Accommodated Preshared Key Small Networks PSK Vulnerability Preshared Key Design 802.1X Extensible Authentication Protocol 802.1X/EAP Design EAP Types EAP-Cisco Wireless (EAP-LEAP) EAP-FAST EAP-TLS EAP-TTLS Protected EAP Choosing an EAP Type RSN Encryption i Encryption Protocols RC4 Encryption Secure Stream Cipher Temporal Key Integrity Protocol TKIP Operation Counter-Mode CBC-MAC Protocol AES-CCMP Similarities to TKIP AES-CCMP Operation Data Frame Encryption WEP Encapsulation TKIP Encapsulation AES-CCMP Encapsulation i Encryption Summary Automatic Encryption Selection Encrypting in the Real World Further Information: For More information, or to book your course, please call us on Head Office / Northern Office info@globalknowledge.co.uk Global Knowledge, Mulberry Business Park, Fishponds Road, Wokingham Berkshire RG41 2GY UK