Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 8 Wireless Network Security

Transcription

1 Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 8 Wireless Network Security

2 Objectives Describe the different types of wireless network attacks List the vulnerabilities in IEEE security Explain the solutions for securing a wireless network Security+ Guide to Network Security Fundamentals, Fourth Edition 2

3 Introduction Wireless data communications have revolutionized computer networking Wireless data networks found virtually everywhere Wireless networks have been targets for attackers Early wireless networking standards had vulnerabilities Changes in wireless network security yielded security comparable to wired networks Security+ Guide to Network Security Fundamentals, Fourth Edition 3

4 Wireless Attacks Bluetooth Wireless technology Uses short-range radio frequency transmissions Provides for rapid, ad-hoc device pairings Example: smartphone and Bluetooth headphones Personal Area Network (PAN) technology Two types of Bluetooth network topologies Piconet Scatternet Security+ Guide to Network Security Fundamentals, Fourth Edition 4

5 Table 8-1 Bluetooth products Security+ Guide to Network Security Fundamentals, Fourth Edition 5

6 Wireless Attacks (cont d.) Piconet Established when two Bluetooth devices come within range of each other One device (master) controls all wireless traffic Other device (slave) takes commands Active slaves can send transmissions Parked slaves are connected but not actively participating Security+ Guide to Network Security Fundamentals, Fourth Edition 6

7 Figure 8-1 Bluetooth piconet Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition 7

8 Wireless Attacks (cont d.) Scatternet Group of piconets with connections between different piconets Bluejacking Attack that sends unsolicited messages to Bluetooth-enabled devices Text messages, images, or sounds Considered more annoying than harmful No data is stolen Security+ Guide to Network Security Fundamentals, Fourth Edition 8

9 Figure 8-2 Bluetooth scatternet Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition 9

10 Wireless Attacks (cont d.) Bluesnarfing Unauthorized access to wireless information through a Bluetooth connection Often between cell phones and laptops Attacker copies s, contacts, or other data by connecting to the Bluetooth device without owner s knowledge Security+ Guide to Network Security Fundamentals, Fourth Edition 10

11 Wireless LAN Attacks Institute of Electrical and Electronics Engineers (IEEE) Most influential organization for computer networking and wireless communications Dates back to 1884 Began developing network architecture standards in the 1980s 1997: release of IEEE Standard for wireless local area networks (WLANs) Higher speeds added in 1999: IEEE b Security+ Guide to Network Security Fundamentals, Fourth Edition 11

12 Wireless LAN Attacks (cont d.) IEEE a Specifies maximum rated speed of 54Mbps using the 5GHz spectrum IEEE g Preserves stable and widely accepted features of b Increases data transfer rates similar to a IEEE n Ratified in 2009 Security+ Guide to Network Security Fundamentals, Fourth Edition 12

13 Wireless LAN Attacks (cont d.) Improvements in IEEE n Speed Coverage area Interference Security Wireless client network interface card adapter Performs same functions as wired adapter Antenna sends and receives signals Security+ Guide to Network Security Fundamentals, Fourth Edition 13

14 Wireless LAN Attacks (cont d.) Access point (AP) major parts Antenna and radio transmitter/receiver send and receive wireless signals Bridging software to interface wireless devices to other devices Wired network interface allows it to connect by cable to standard wired network AP functions Acts as base station for wireless network Security+ Guide to Network Security Fundamentals, Fourth Edition 14

15 Figure 8-3 Access point Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition 15

16 Wireless LAN Attacks (cont d.) AP functions (cont d.) Acts as a bridge between wireless and wired networks Can connect to wired network by a cable Autonomous access points Separate from other network devices and access points Have necessary intelligence for wireless authentication, encryption, and management Security+ Guide to Network Security Fundamentals, Fourth Edition 16

17 Wireless LAN Attacks (cont d.) Wireless broadband routers Single hardware device containing AP, firewall, router, and DHCP server Wireless networks have been vulnerable targets for attackers Not restricted to a cable Types of wireless LAN attacks Discovering the network Attacks through the RF spectrum Attacks involving access points Security+ Guide to Network Security Fundamentals, Fourth Edition 17

18 Wireless LAN Attacks (cont d.) Discovering the network One of first steps in attack is to discover presence of a network Beaconing AP sends signal at regular intervals to announce its presence and provide connection information Wireless device scans for beacon frames War driving Process of passive discovery of wireless network locations Security+ Guide to Network Security Fundamentals, Fourth Edition 18

19 Table 8-2 War driving tools Security+ Guide to Network Security Fundamentals, Fourth Edition 19

20 Wireless LAN Attacks (cont d.) War chalking Documenting and then advertising location of wireless LANs for others to use Previously done by drawing on sidewalks or walls around network area Today, locations are posted on Web sites Security+ Guide to Network Security Fundamentals, Fourth Edition 20

21 Table 8-4 War chalking symbols Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition 21

22 Wireless LAN Attacks (cont d.) Attacks through the RF spectrum Wireless protocol analyzer Generating interference Wireless protocol analyzer Wireless traffic captured to decode and analyze packet contents Network interface card (NIC) adapter must be in correct mode Security+ Guide to Network Security Fundamentals, Fourth Edition 22

23 Wireless LAN Attacks (cont d.) Six modes of wireless NICs Master (acting as an AP) Managed (client) Repeater Mesh Ad-hoc Monitor Interference Signals from other devices can disrupt wireless transmissions Security+ Guide to Network Security Fundamentals, Fourth Edition 23

24 Wireless LAN Attacks (cont d.) Devices that can cause interference with a WLAN Microwave ovens Elevator motors Copy machines Outdoor lighting (certain types) Theft protection devices Bluetooth devices Security+ Guide to Network Security Fundamentals, Fourth Edition 24

25 Figure 8-5 Attacker interference Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition 25

26 Wireless LAN Attacks (cont d.) Attacks using access points Rogue access points Evil twins Rogue access point Unauthorized access point that allows attacker to bypass network security configurations May be set up behind a firewall, opening the network to attacks Security+ Guide to Network Security Fundamentals, Fourth Edition 26

27 Figure 8-6 Rogue access point Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition 27

28 Wireless LAN Attacks (cont d.) Evil twin AP set up by an attacker Attempts to mimic an authorized AP Attackers capture transmissions from users to evil twin AP Security+ Guide to Network Security Fundamentals, Fourth Edition 28

29 Vulnerabilities of IEEE Security Original IEEE committee recognized wireless transmissions could be vulnerable Implemented several wireless security protections in the standard Left others to WLAN vendor s discretion Protections were vulnerable and led to multiple attacks Security+ Guide to Network Security Fundamentals, Fourth Edition 29

30 MAC Address Filtering Method of controlling WLAN access Limit a device s access to AP Media Access Control (MAC) address filtering Used by nearly all wireless AP vendors Permits or blocks device based on MAC address Vulnerabilities of MAC address filtering Addresses exchanged in unencrypted format Attacker can see address of approved device and substitute it on his own device Managing large number of addresses is challenging Security+ Guide to Network Security Fundamentals, Fourth Edition 30

31 Figure 8-7 MAC address filtering Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition 31

32 SSID Broadcast Each device must be authenticated prior to connecting to the WLAN Open system authentication Device discovers wireless network and sends association request frame to AP Frame carries Service Set Identifier (SSID) User-supplied network name Can be any alphanumeric string 2-32 characters long AP compares SSID with actual SSID of network If the two match, wireless device is authenticated Security+ Guide to Network Security Fundamentals, Fourth Edition 32

33 Figure 8-8 Open system authentication Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition 33

34 SSID Broadcast (cont d.) Open system authentication is weak Based only on match of SSIDs Attacker can wait for the SSID to be broadcast by the AP Users can configure APs to prevent beacon frame from including the SSID Provides only a weak degree of security Can be discovered when transmitted in other frames Older versions of Windows XP have an added vulnerability if this approach is used Security+ Guide to Network Security Fundamentals, Fourth Edition 34

35 Wired Equivalent Privacy (WEP) IEEE security protocol Encrypts plaintext into ciphertext Secret key is shared between wireless client device and AP Key used to encrypt and decrypt packets WEP vulnerabilities WEP can only use 64-bit or 128-bit number to encrypt Initialization vector (IV) is only 24 of those bits Short length makes it easier to break Security+ Guide to Network Security Fundamentals, Fourth Edition 35

36 Figure 8-9 WEP encryption process Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition 36

37 Wired Equivalent Privacy (cont d.) WEP vulnerabilities (cont d.) Violates cardinal rule of cryptography: avoid a detectable pattern Attackers can see duplication when IVs start repeating Keystream attack (or IV attack) Attacker identifies two packets derived from same IV Uses XOR to discover plaintext See Figures 8-10 and 8-11 for details Security+ Guide to Network Security Fundamentals, Fourth Edition 37

38 Figure 8-10 XOR operations Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition 38

39 Figure 8-11 Capturing packets Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition 39

40 Wireless Security Solutions Unified approach to WLAN security was needed IEEE and Wi-Fi Alliance began developing security solutions Resulting standards used today IEEE i WPA and WPA2 Security+ Guide to Network Security Fundamentals, Fourth Edition 40

41 Wi-Fi Protected Access (WPA) Introduced in 2003 by the Wi-Fi Alliance A subset of IEEE i Design goal: protect present and future wireless devices Temporal Key Integrity Protocol (TKIP) Encryption Used in WPA Uses longer 128 bit key than WEP Dynamically generated for each new packet Security+ Guide to Network Security Fundamentals, Fourth Edition 41

42 Wi-Fi Protected Access (cont d.) Preshared Key (PSK) Authentication After AP configured, client device must have same key value entered Key is shared prior to communication taking place Uses a passphrase to generate encryption key Must be entered on each AP and wireless device in advance Not used for encryption Serves as starting point for mathematically generating the encryption keys Security+ Guide to Network Security Fundamentals, Fourth Edition 42

43 Wi-Fi Protected Access (cont d.) Vulnerabilities in WPA Key management Key sharing is done manually without security protection Keys must be changed on a regular basis Key must be disclosed to guest users Passphrases PSK passphrases of fewer than 20 characters subject to cracking Security+ Guide to Network Security Fundamentals, Fourth Edition 43

44 Wi-Fi Protected Access 2 (WPA2) Second generation of WPA known as WPA2 Introduced in 2004 Based on final IEEE i standard Uses Advanced Encryption Standard (AES) Supports both PSK and IEEE x authentication AES-CCMP Encryption Encryption protocol standard for WPA2 CCM is algorithm providing data privacy CBC-MAC component of CCMP provides data integrity and authentication Security+ Guide to Network Security Fundamentals, Fourth Edition 44

45 Wi-Fi Protected Access 2 (cont d.) AES encryption and decryption Should be performed in hardware because of its computationally intensive nature IEEE 802.1x authentication Originally developed for wired networks Provides greater degree of security by implementing port security Blocks all traffic on a port-by-port basis until client is authenticated Security+ Guide to Network Security Fundamentals, Fourth Edition 45

46 Wi-Fi Protected Access 2 (cont d.) Extensible Authentication Protocol (EAP) Framework for transporting authentication protocols Defines message format Uses four types of packets Request Response Success Failure Lightweight EAP (LEAP) Proprietary method developed by Cisco Systems Security+ Guide to Network Security Fundamentals, Fourth Edition 46

47 Wi-Fi Protected Access 2 (cont d.) Lightweight EAP (cont d.) Requires mutual authentication used for WLAN encryption using Cisco client software Can be vulnerable to specific types of attacks No longer recommended by Cisco Protected EAP (PEAP) Simplifies deployment of 802.1x by using Microsoft Windows logins and passwords Creates encrypted channel between client and authentication server Security+ Guide to Network Security Fundamentals, Fourth Edition 47

48 Table 8-3 Wireless security solutions Security+ Guide to Network Security Fundamentals, Fourth Edition 48

49 Other Wireless Security Steps Antenna placement Locate near center of coverage area Place high on a wall to reduce signal obstructions and deter theft Power level controls Some APs allow adjustment of the power level at which the LAN transmits Reducing power allows less signal to reach outsiders Security+ Guide to Network Security Fundamentals, Fourth Edition 49

50 Other Wireless Security Steps (cont d.) Organizations are becoming increasingly concerned about existence of rogue APs Rogue access point discovery tools Security personnel can manually audit airwaves using wireless protocol analyzer Continuously monitoring the RF airspace using a wireless probe Types of wireless probes Wireless device probe Desktop probe Security+ Guide to Network Security Fundamentals, Fourth Edition 50

51 Other Wireless Security Steps (cont d.) Types of wireless probes (cont d.) Access point probe Dedicated probe Wireless virtual LANs (VLANs) Organizations may set up to wireless VLANs One for employee access, one for guest access Configured in one of two ways Depending on which device separates and directs the packets to different networks Security+ Guide to Network Security Fundamentals, Fourth Edition 51

52 Summary Bluetooth is a wireless technology using shortrange RF transmissions IEEE has developed five wireless LAN standards to date, four of which are popular today (IEEE a/b/g/n) Attackers can identify the existence of a wireless network using war driving Wired Equivalent Privacy relies on a secret key shared between wireless client device and access point Security+ Guide to Network Security Fundamentals, Fourth Edition 52

53 Summary (cont d.) Wi-Fi Protected Access (WPA) and WPA2 have become the foundations of wireless security today Other steps to protect a wireless network include: Antenna positioning Access point power level adjustment Detecting rogue access points Security+ Guide to Network Security Fundamentals, Fourth Edition 53