View
255
Download
0
Category
Tags:
Preview:
Citation preview
Objectives
• Describe the different types of wireless network attacks
• List the vulnerabilities in IEEE 802.11 security
• Explain the solutions for securing a wireless network
Security+ Guide to Network Security Fundamentals, Fourth Edition 2
Introduction
• Wireless data communications have revolutionized computer networking– Wireless data networks found virtually everywhere
• Wireless networks have been targets for attackers– Early wireless networking standards had
vulnerabilities– Changes in wireless network security yielded
security comparable to wired networks
Security+ Guide to Network Security Fundamentals, Fourth Edition 3
Wireless Attacks
• Bluetooth– Wireless technology– Uses short-range radio frequency transmissions– Provides for rapid, ad-hoc device pairings
• Example: smartphone and Bluetooth headphones
– Personal Area Network (PAN) technology
• Two types of Bluetooth network topologies– Piconet– Scatternet
Security+ Guide to Network Security Fundamentals, Fourth Edition 4
Wireless Attacks (cont’d.)
• Piconet– Established when two Bluetooth devices come within
range of each other– One device (master) controls all wireless traffic– Other device (slave) takes commands
• Active slaves can send transmissions
• Parked slaves are connected but not actively participating
Security+ Guide to Network Security Fundamentals, Fourth Edition 6
Security+ Guide to Network Security Fundamentals, Fourth Edition 7
Figure 8-1 Bluetooth piconet© Cengage Learning 2012
Wireless Attacks (cont’d.)
• Scatternet– Group of piconets with connections between
different piconets
• Bluejacking– Attack that sends unsolicited messages to Bluetooth-
enabled devices• Text messages, images, or sounds
– Considered more annoying than harmful• No data is stolen
– http://www.youtube.com/watch?v=ajo0njlklYo
Security+ Guide to Network Security Fundamentals, Fourth Edition 8
Security+ Guide to Network Security Fundamentals, Fourth Edition 9
Figure 8-2 Bluetooth scatternet© Cengage Learning 2012
Wireless Attacks (cont’d.)
• Bluesnarfing– Unauthorized access to wireless information through
a Bluetooth connection– Often between cell phones and laptops– Attacker copies e-mails, contacts, or other data by
connecting to the Bluetooth device without owner’s knowledge
– http://www.youtube.com/watch?v=KfZ7Ek409LM– http://www.youtube.com/watch?v=AwoEflxJPzE
Security+ Guide to Network Security Fundamentals, Fourth Edition 10
Wireless LAN Attacks
• Institute of Electrical and Electronics Engineers (IEEE)– Most influential organization for computer networking
and wireless communications– Dates back to 1884– Began developing network architecture standards in
the 1980s
• 1997: release of IEEE 802.11– Standard for wireless local area networks (WLANs)– Higher speeds added in 1999: IEEE 802.11b
Security+ Guide to Network Security Fundamentals, Fourth Edition 11
Wireless LAN Attacks (cont’d.)
• IEEE 802.11a– Specifies maximum rated speed of 54Mbps using
the 5GHz spectrum
• IEEE 802.11g– Preserves stable and widely accepted features of
802.11b– Increases data transfer rates similar to 802.11a
• IEEE 802.11n– Ratified in 2009
Security+ Guide to Network Security Fundamentals, Fourth Edition 12
Wireless LAN Attacks (cont’d.)
• Improvements in IEEE 802.11n– Speed – up to 600Mbps– Coverage area – double a, b, g– Interference – different frequencies– Security – high level encryption required
• Wireless client network interface card adapter– Performs same functions as wired adapter– Antenna sends and receives signals
Security+ Guide to Network Security Fundamentals, Fourth Edition 13
Wireless LAN Attacks (cont’d.)
• Access point (AP) major parts– Antenna and radio transmitter/receiver send and
receive wireless signals– Bridging software to interface wireless devices to
other devices– Wired network interface allows it to connect by cable
to standard wired network
• AP functions– Acts as “base station” for wireless network
Security+ Guide to Network Security Fundamentals, Fourth Edition 14
Security+ Guide to Network Security Fundamentals, Fourth Edition 15
Figure 8-3 Access point© Cengage Learning 2012
Wireless LAN Attacks (cont’d.)
• AP functions (cont’d.)– Acts as a bridge between wireless and wired
networks• Can connect to wired network by a cable
• Autonomous access points– Separate from other network devices and access
points– Have necessary “intelligence” for wireless
authentication, encryption, and management
Security+ Guide to Network Security Fundamentals, Fourth Edition 16
Wireless LAN Attacks (cont’d.)
• Wireless broadband routers– Single hardware device containing AP, firewall,
router, and DHCP server
• Wireless networks have been vulnerable targets for attackers– Not restricted to a cable
• Types of wireless LAN attacks– Discovering the network– Attacks through the RF spectrum– Attacks involving access points
Security+ Guide to Network Security Fundamentals, Fourth Edition 17
Wireless LAN Attacks (cont’d.)• Discovering the network
– One of first steps in attack is to discover presence of a network
• Beaconing– AP sends signal at regular intervals to announce its
presence and provide connection information– Wireless device scans for beacon frames– http://www.youtube.com/watch?v=rGYy1F1fhjc
• War driving– Process of passive discovery of wireless network
locations
18
Wireless LAN Attacks (cont’d.)
• War chalking– Documenting and then advertising location of
wireless LANs for others to use– Previously done by drawing on sidewalks or walls
around network area– Today, locations are posted on Web sites
– http://www.youtube.com/watch?v=2rM-K6SQTiU
Security+ Guide to Network Security Fundamentals, Fourth Edition 20
Security+ Guide to Network Security Fundamentals, Fourth Edition 21
Table 8-4 War chalking symbols© Cengage Learning 2012
Wireless LAN Attacks (cont’d.)
• Attacks through the RF spectrum– Wireless protocol analyzer– Generating interference
• Wireless protocol analyzer– Wireless traffic captured to decode and analyze
packet contents– Network interface card (NIC) adapter must be in
correct mode– Kismet, Airmon, Wireshark
Security+ Guide to Network Security Fundamentals, Fourth Edition 22
Wireless LAN Attacks (cont’d.)
• Six modes of wireless NICs– Master (acting as an AP)– Managed (client)– Repeater– Mesh– Ad-hoc– Monitor – (Must be this for analyzing/capturing)
• Interference– Signals from other devices can disrupt wireless
transmissions
Security+ Guide to Network Security Fundamentals, Fourth Edition 23
Wireless LAN Attacks (cont’d.)
• Devices that can cause interference with a WLAN– Microwave ovens– Elevator motors– Copy machines– Outdoor lighting (certain types)– Theft protection devices– Bluetooth devices
Security+ Guide to Network Security Fundamentals, Fourth Edition 24
Security+ Guide to Network Security Fundamentals, Fourth Edition 25
Figure 8-5 Attacker interference© Cengage Learning 2012
Wireless LAN Attacks (cont’d.)
• Attacks using access points– Rogue access points – installed by internal user– Evil twin – installed by hacker
• Rogue access point– Unauthorized access point that allows attacker to bypass
network security configurations– May be set up behind a firewall, opening the network to
attacks
Security+ Guide to Network Security Fundamentals, Fourth Edition 26
Security+ Guide to Network Security Fundamentals, Fourth Edition 27
Figure 8-6 Rogue access point© Cengage Learning 2012
Wireless LAN Attacks (cont’d.)
• Evil twin– AP set up by an attacker– Attempts to mimic an authorized AP– Attackers capture transmissions from users to evil twin
AP– http://news.yahoo.com/blogs/upgrade-your-life/banking-online-not-hacked-182159934.html
– Hacking Facebook, Twitter, etc. • http://www.youtube.com/watch?v=9T8xaDoYNmg
– Detecting Firesheep – ‘Blacksheep’- ttechdows.com/2010/11/blacksheep-detects-firesheep-use-on-wireless-networks.html
– http://www.readwriteweb.com/archives/facebooks_zuckerberg_says_the_age_of_privacy_is_ov.php
Security+ Guide to Network Security Fundamentals, Fourth Edition 28
Vulnerabilities of IEEE 802.11 Security
• Original IEEE 802.11 committee recognized wireless transmissions could be vulnerable– Implemented several wireless security protections in
the standard– Left others to WLAN vendor’s discretion– Protections were vulnerable and led to multiple
attacks
Security+ Guide to Network Security Fundamentals, Fourth Edition 29
MAC Address Filtering
• Method of controlling WLAN access– Limit a device’s access to AP
• Media Access Control (MAC) address filtering– Used by nearly all wireless AP vendors– Permits or blocks device based on MAC address
• Vulnerabilities of MAC address filtering– Addresses exchanged in unencrypted format– Attacker can see address of approved device and
substitute it on his own device– Managing large number of addresses is challenging
Security+ Guide to Network Security Fundamentals, Fourth Edition 30
Security+ Guide to Network Security Fundamentals, Fourth Edition 31
Figure 8-7 MAC address filtering© Cengage Learning 2012
SSID Broadcast
• Each device must be authenticated prior to connecting to the WLAN
• Open system authentication– Device discovers wireless network and sends
association request frame to AP– Frame carries Service Set Identifier (SSID)
• User-supplied network name
• Can be any alphanumeric string 2-32 characters long
– AP compares SSID with actual SSID of network• If the two match, wireless device is authenticated
Security+ Guide to Network Security Fundamentals, Fourth Edition 32
Security+ Guide to Network Security Fundamentals, Fourth Edition 33
Figure 8-8 Open system authentication© Cengage Learning 2012
SSID Broadcast (cont’d.)
• Open system authentication is weak– Based only on match of SSIDs– Attacker can wait for the SSID to be broadcast by
the AP
• Users can configure APs to prevent beacon frame from including the SSID– Provides only a weak degree of security– Can be discovered when transmitted in other frames– Older versions of Windows XP have an added
vulnerability if this approach is used
Security+ Guide to Network Security Fundamentals, Fourth Edition 34
Wired Equivalent Privacy (WEP)
• IEEE 802.11 security protocol
• Encrypts plaintext into ciphertext
• Secret key is shared between wireless client device and AP– Key used to encrypt and decrypt packets
• WEP vulnerabilities– WEP can only use 64-bit or 128-bit number to
encrypt• Initialization vector (IV) is only 24 of those bits
• Short length makes it easier to break
Security+ Guide to Network Security Fundamentals, Fourth Edition 35
Security+ Guide to Network Security Fundamentals, Fourth Edition 36
Figure 8-9 WEP encryption process© Cengage Learning 2012
Wired Equivalent Privacy (cont’d.)
• WEP vulnerabilities (cont’d.)– Violates cardinal rule of cryptography: avoid a
detectable pattern– Attackers can see duplication when IVs start
repeating
• Keystream attack (or IV attack)– Attacker identifies two packets derived from same IV– Uses XOR to discover plaintext– See Figures 8-10 and 8-11 for details
Security+ Guide to Network Security Fundamentals, Fourth Edition 37
Security+ Guide to Network Security Fundamentals, Fourth Edition 38
Figure 8-10 XOR operations© Cengage Learning 2012
Security+ Guide to Network Security Fundamentals, Fourth Edition 39
Figure 8-11 Capturing packets© Cengage Learning 2012
Wireless Security Solutions
• Unified approach to WLAN security was needed– IEEE and Wi-Fi Alliance began developing security
solutions
• Resulting standards used today– IEEE 802.11i– WPA and WPA2
Security+ Guide to Network Security Fundamentals, Fourth Edition 40
Wi-Fi Protected Access (WPA)
• Introduced in 2003 by the Wi-Fi Alliance
• A subset of IEEE 802.11i
• Design goal: protect present and future wireless devices
• Temporal Key Integrity Protocol (TKIP) Encryption– Used in WPA– Uses longer 128 bit key than WEP– Dynamically generated for each new packet
Security+ Guide to Network Security Fundamentals, Fourth Edition 41
Wi-Fi Protected Access (cont’d.)
• Preshared Key (PSK) Authentication– After AP configured, client device must have same
key value entered– Key is shared prior to communication taking place– Uses a passphrase to generate encryption key
• Must be entered on each AP and wireless device in advance
– Not used for encryption• Serves as starting point for mathematically generating
the encryption keys
Security+ Guide to Network Security Fundamentals, Fourth Edition 42
Wi-Fi Protected Access (cont’d.)
• Vulnerabilities in WPA– Key management
• Key sharing is done manually without security protection
• Keys must be changed on a regular basis
• Key must be disclosed to guest users
– Passphrases• PSK passphrases of fewer than 20 characters subject
to cracking
Security+ Guide to Network Security Fundamentals, Fourth Edition 43
Wi-Fi Protected Access 2 (WPA2)
• Second generation of WPA known as WPA2– Introduced in 2004– Based on final IEEE 802.11i standard– Uses Advanced Encryption Standard (AES)– Supports both PSK and IEEE 802.11x authentication
• AES-CCMP Encryption– Encryption protocol standard for WPA2– CCM is algorithm providing data privacy– CBC-MAC component of CCMP provides data integrity
and authentication
Security+ Guide to Network Security Fundamentals, Fourth Edition 44
Wi-Fi Protected Access 2 (cont’d.)
• AES encryption and decryption– Should be performed in hardware because of its
computationally intensive nature
• IEEE 802.1x authentication– Originally developed for wired networks– Provides greater degree of security by implementing
port security– Blocks all traffic on a port-by-port basis until client is
authenticated
Security+ Guide to Network Security Fundamentals, Fourth Edition 45
Wi-Fi Protected Access 2 (cont’d.)
• Extensible Authentication Protocol (EAP)– Framework for transporting authentication protocols– Defines message format– Uses four types of packets
• Request
• Response
• Success
• Failure
• Lightweight EAP (LEAP)– Proprietary method developed by Cisco Systems
Security+ Guide to Network Security Fundamentals, Fourth Edition 46
Wi-Fi Protected Access 2 (cont’d.)
• Lightweight EAP (cont’d.)– Requires mutual authentication used for WLAN
encryption using Cisco client software– Can be vulnerable to specific types of attacks
• No longer recommended by Cisco
• Protected EAP (PEAP)– Simplifies deployment of 802.1x by using Microsoft
Windows logins and passwords– Creates encrypted channel between client and
authentication server
Security+ Guide to Network Security Fundamentals, Fourth Edition 47
Security+ Guide to Network Security Fundamentals, Fourth Edition 48
Table 8-3 Wireless security solutions
Other Wireless Security Steps
• Antenna placement– Locate near center of coverage area– Place high on a wall to reduce signal obstructions
and deter theft
• Power level controls– Some APs allow adjustment of the power level at
which the LAN transmits– Reducing power allows less signal to reach outsiders
Security+ Guide to Network Security Fundamentals, Fourth Edition 49
Other Wireless Security Steps (cont’d.)
• Organizations are becoming increasingly concerned about existence of rogue APs
• Rogue access point discovery tools– Security personnel can manually audit airwaves
using wireless protocol analyzer– Continuously monitoring the RF airspace using a
wireless probe
• Types of wireless probes– Wireless device probe– Desktop probe
Security+ Guide to Network Security Fundamentals, Fourth Edition 50
Other Wireless Security Steps (cont’d.)
• Types of wireless probes (cont’d.)– Access point probe– Dedicated probe
• Wireless virtual LANs (VLANs)– Organizations may set up to wireless VLANs
• One for employee access, one for guest access
– Configured in one of two ways• Depending on which device separates and directs the
packets to different networks
Security+ Guide to Network Security Fundamentals, Fourth Edition 51
Summary
• Bluetooth is a wireless technology using short-range RF transmissions
• IEEE has developed five wireless LAN standards to date, four of which are popular today– (IEEE 802.11a/b/g/n)
• Attackers can identify the existence of a wireless network using war driving
• Wired Equivalent Privacy relies on a secret key shared between wireless client device and access point
Security+ Guide to Network Security Fundamentals, Fourth Edition 52
Summary (cont’d.)
• Wi-Fi Protected Access (WPA) and WPA2 have become the foundations of wireless security today
• Other steps to protect a wireless network include:– Antenna positioning– Access point power level adjustment– Detecting rogue access points
Security+ Guide to Network Security Fundamentals, Fourth Edition 53
Recommended