CHAPTER 5: Wireless Networking

attacks. One example is jamming the wireless network so that clients lose their connections with the authorized APs. While the jamming is in progress, the attacker brings up rogue APs operating at higher power than the authorized APs. When the jamming stops, clients tend to re-associate with whichever AP presents the strongest signal, so the attacker now owns every client attached to the rogue APs, and the attack continues from there.

RF interference is not always intentional; it may come from non-hostile sources such as a nearby communications tower or another wireless LAN operating in the same frequency range. Baby monitors, cordless telephones, microwave ovens, and many other consumer products can also be sources of interference. You can take some comfort in knowing that although a jamming attack is relatively easy and inexpensive to pull off, it is not the preferred means of attack: for most attackers the only real payoff of jamming is temporarily taking your wireless network offline.

CONFIGURING WINDOWS CLIENT COMPUTERS FOR WIRELESS NETWORK SECURITY

Wireless LAN security is provided through a myriad of solutions. Some of these mechanisms are internal to Windows itself, while others are third-party solutions or part of the IEEE 802.11 standard. In this section we focus primarily on using WEP, WPA, and 802.1x-based security on Windows XP Professional and Windows Vista computers. Whichever security mechanism you decide to implement, be diligent about getting it right. There is rarely a second chance for security, especially when it comes to securing a wireless LAN.

Windows XP Professional

Windows XP has been hailed as the OS of choice for wireless LAN users.
Whatever your feelings are about this, it is a fact that Windows XP brought excellent support for 802.11 wireless networks and 802.1x security to the mainstream. The only flaw in Windows XP's solution is that it can in some cases take most of the control away from the user; sometimes that is a good thing. Configuring WEP and 802.1x security on a Windows XP Professional computer is outlined in Exercise 5.1.

EXERCISE 5.1 Enabling WEP and 802.1x Security in Windows XP Professional

1. Click Start | Settings | Control Panel | Network Connections.
2. Double-click your wireless LAN connection.
3. Click the Properties button and switch to the Wireless tab, shown in Figure 5.14.
4. To configure a new connection, click Add. Configure all required information, including the WEP key.

FIGURE 5.14 The Wireless Tab.

5. If your network uses a dynamic keying server, you need only select the option to have the key provided automatically instead of specifying the WEP key.
6. Click OK when you have entered all of the required information.
7. To configure 802.1x security on the network connection, switch to the Authentication tab, shown in Figure 5.15.
8. Select Enable network access control using IEEE 802.1x. Select your EAP type from the drop-down list; most commonly this will be Smart Card or other Certificate. Clicking Properties lets you configure the certificate and certificate authority (CA) to be used for this authentication.

FIGURE 5.15 Configuring 802.1x Security.

9. For increased security, ensure that the Authenticate as computer when computer information is available and Authenticate as guest when user or computer information is unavailable options are not selected. Click OK to accept the settings.

Windows Vista Business

Windows Vista makes it very simple to connect to a wireless network and secure that connection. Exercise 5.2 shows the steps for connecting to a wireless network in Vista Business.

EXERCISE 5.2 Enabling WPA in Windows Vista Business

1. From the desktop, right-click the network icon shown in Figure 5.16.
2. Choose Connect to a Network.
3. Choose the appropriate wireless network from the list, as in Figure 5.17.
4. When prompted for the network key, enter it as shown in Figure 5.18.
5. When prompted, choose Home, Work, or Public as the network type.

FIGURE 5.16 Windows Vista Network Icon.
FIGURE 5.17 Choosing the Correct Wireless Network.
FIGURE 5.18 Prompted for Passkey.

SITE SURVEYS

A site survey is part of an audit of a wireless network. Site surveys let system and network administrators determine how far their wireless networks extend beyond the physical boundaries of their buildings. Typically, a site survey uses the same tools an attacker uses: a wireless scanner or sniffer and, for 802.11 networks, a WEP cracking tool. The scanner can be Windows-based (such as NetStumbler) or UNIX/Linux-based (such as Kismet); for WEP cracking, AirSnort is recommended.

Another useful tool is a directional antenna, such as a Yagi or a parabolic dish. Directional antennas receive weak signals from greater distances because of their higher gain, and they let auditors determine how far away an attacker can realistically be and still receive from and transmit to the network. Finally, a GPS receiver is useful for site surveys: it records the latitude and longitude of each point where a signal measurement is taken, so auditors can build a physical map of the boundaries of the wireless network.

Exam Warning
Site surveys are not likely to appear on the Network exam. However, you should be aware of them for your daily tasks, and the information is presented here in case you do see a question about some of the tools used to conduct these surveys. Remember that the tools used to conduct site surveys and audits are essentially the same tools an attacker uses to gain access to a wireless network.

SUMMARY OF EXAM OBJECTIVES

Wireless LANs are attractive to many companies and home users because of the productivity gained from the convenience and flexibility of connecting to the network without wires. WLANs are especially attractive when they avoid the cost of installing cabling to support users. For these and other reasons, WLANs have become very popular in the past few years. However, wireless LAN technology has often been implemented poorly, without due consideration for the security of the network. For the most part, these poor implementations result from a lack of understanding of the nature of wireless networks and the measures that can be taken to secure them.

WLANs are inherently insecure by their very nature: they radiate radio signals carrying network traffic that can be viewed and potentially compromised by anyone within range. With the proper antennas, the range of a WLAN is much greater than is commonly assumed. Many administrators wrongly believe that their networks are secure because the attenuation from walls and other physical obstructions, combined with the relatively low power of wireless devices, will contain the signal. Often this is not the case.

There are a number of different types of wireless networks that can potentially be deployed.
These include HomeRF, Bluetooth, and 802.11a, 802.11b, 802.11g, and 802.11n networks. The most common type of WLAN in use today is based on the IEEE 802.11g standard.

The 802.11b standard defines the operation of WLANs in the 2.4 to 2.4835 GHz unlicensed Industrial, Scientific and Medical (ISM) band. 802.11b devices use direct-sequence spread spectrum (DSSS) to achieve transmission rates of up to 11 Mbps. All 802.11b devices are half-duplex, meaning that a device cannot send and receive at the same time. In this they resemble hubs, and therefore need a mechanism for contending with collisions when multiple stations transmit at the same time; wireless networks use CSMA/CA for this.

The 802.11a and 802.11g standards define wireless networks with higher transmission rates (up to 54 Mbps). 802.11a devices are not compatible with 802.11b because they operate in the 5 GHz band and, unlike 802.11b, use OFDM rather than DSSS. 802.11g uses the same ISM frequencies as 802.11b and is backward compatible with 802.11b devices.

The 802.11 standard defines WEP, with a 40-bit key, as an optional component to protect wireless networks from eavesdropping. WEP is implemented in the MAC sublayer of the data link layer (Layer 2) of the OSI model. WEP is insecure for a number of reasons. First, because it encrypts well-known and highly predictable Layer 3 IP traffic, it is vulnerable to known-plaintext attacks: it is relatively easy for an attacker to work out what the plaintext of a frame is (a DHCP exchange, for example), XOR it against the ciphertext, and thereby recover the RC4 keystream used for that frame. Second, WEP uses a relatively short 24-bit initialization vector (IV). Because each transmitted frame needs a new IV, the entire IV space (about 16.7 million values) can be exhausted in a few hours on a busy network, after which IVs are reused; with randomly chosen IVs a repeat is in fact likely after only a few thousand frames. This is known as an IV collision. Because the per-packet RC4 key is simply the IV prepended to the shared secret, two frames with the same IV are encrypted with the same keystream, and an attacker who knows or can guess the plaintext of one can decrypt the other. Furthermore, IVs are sent in the clear with each frame, so an eavesdropper can spot collisions trivially.

The final stake in the heart of WEP is its use of RC4, or more precisely the way WEP keys RC4. The RC4 algorithm is well known, and it was discovered that a large class of IV values produce weak per-packet keys whose first keystream bytes leak information about the secret key (the Fluhrer, Mantin, and Shamir attack). AirSnort and WEPCrack are two well-known open-source tools that exploit this weak-key vulnerability to recover the WEP key passively from captured traffic.

Although WEP is not secure, it still raises a barrier that a casual attacker must cross, and it slows down a determined and knowledgeable one, so where it is the only option the hardware supports it should be enabled rather than leaving the network open. The security of WEP also depends on how it is implemented. Because the IV space can be exhausted in a relatively short time, static WEP keys should be changed frequently. The response to the weaknesses in WEP is Wi-Fi Protected Access (WPA), which uses a longer (48-bit) IV, a stronger keying scheme with per-packet key mixing and a message integrity check (TKIP), and a longer key. WPA should be used in preference to WEP wherever possible.

The best defense for a wireless network uses multiple security mechanisms to provide multiple barriers that slow down attackers, making it easier to detect and respond to attacks. This strategy is known as defense in depth.

Securing a wireless network should begin with changing the default configurations of the wireless devices, including the default administrative password and the default SSID on the AP. The SSID is a kind of network name, analogous to an SNMP community name or a VLAN ID. For wireless clients to authenticate and associate with an AP, they must use the same SSID as the AP. It should be changed to a unique value that does not contain any information that could identify the company or the kind of traffic on the network.
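The IV-collision and known-plaintext weaknesses described above can be reproduced in a few lines. The following is an added example, not code from the chapter or from AirSnort or WEPCrack: it implements RC4 and WEP's per-packet keying (the 24-bit IV prepended to the secret, with the IV sent in the clear), omits the key-ID byte and the CRC-32 ICV for brevity, and uses a constructed 40-bit key and constructed frames. The attacker never learns the key, yet decrypts a frame whose IV was reused by XORing a guessable earlier frame against its ciphertext to recover the keystream. The birthday-bound function shows why a repeat is expected after a few thousand random IVs, long before the 2^24 space is exhausted.

```python
import math
from collections import defaultdict

IV_BYTES = 3  # WEP's 24-bit initialization vector


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: key-scheduling (KSA) followed by keystream
    generation (PRGA), XORed byte-by-byte over data. Encryption and
    decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP frame body: the per-packet RC4 key is IV || secret,
    and the IV is transmitted in the clear in front of the ciphertext.
    (A real frame also carries a key-ID byte and a CRC-32 ICV.)"""
    if len(iv) != IV_BYTES:
        raise ValueError("WEP IV must be 24 bits")
    return iv + rc4(iv + secret, plaintext)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def find_iv_reuse(frames):
    """Group captured frame bodies by their cleartext IV. Any IV seen more
    than once was used with an identical keystream (same IV, same secret)."""
    by_iv = defaultdict(list)
    for frame in frames:
        by_iv[frame[:IV_BYTES]].append(frame[IV_BYTES:])
    return {iv: cts for iv, cts in by_iv.items() if len(cts) > 1}


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: ciphertext XOR plaintext = keystream."""
    return xor_bytes(ciphertext, known_plaintext)


def frames_for_iv_collision(probability: float) -> float:
    """Birthday bound: number of random IVs needed before some IV repeats
    with the given probability. Far fewer than the 2**24 frames needed to
    exhaust the IV space."""
    return math.sqrt(2 * 2 ** (8 * IV_BYTES) * math.log(1 / (1 - probability)))


def attack_demo() -> bytes:
    """Constructed capture: the attacker sees three frames, two sharing an IV,
    and can guess the plaintext of the first (DHCP traffic is predictable).
    Returns the decrypted second frame; the secret is never used by the
    attacker's side of the code."""
    secret = bytes.fromhex("0badc0ffee")                   # constructed 40-bit WEP key
    reused_iv = bytes.fromhex("a1b2c3")
    guessable = b"DHCP DISCOVER from 00:11:22:33:44:55"   # constructed, predictable
    sensitive = b"POST /login user=alice&pass=hunter2"    # constructed victim traffic
    capture = [
        wep_encrypt(secret, reused_iv, guessable),
        wep_encrypt(secret, bytes.fromhex("000001"), b"unrelated frame"),
        wep_encrypt(secret, reused_iv, sensitive),
    ]
    # --- attacker's side: only `capture` and the plaintext guess are available ---
    reused = find_iv_reuse(capture)
    _iv, (first_ct, second_ct) = next(iter(reused.items()))
    keystream = recover_keystream(first_ct, guessable)
    # Recovers as many bytes of the second frame as the known plaintext covers.
    return xor_bytes(second_ct, keystream)


if __name__ == "__main__":
    print(attack_demo())
    print(f"50% chance of an IV repeat after ~{frames_for_iv_collision(0.5):.0f} frames")
```

Note that this keystream-reuse attack only decrypts traffic; recovering the secret key itself is what the weak-key (FMS) attack implemented by AirSnort and WEPCrack does, and it is the reason WEP is considered broken rather than merely weak.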
By default, APs broadcast the SSID in their beacon frames and return it in probe responses, so it is easily discovered by site survey tools such as NetStumbler and by Windows XP's own network discovery. Some APs allow SSID broadcasting to be turned off; disabling it creates a so-called closed network. If possible, SSID broadcasts should be disabled, although this interferes with the ability of Windows XP to discover wireless networks automatically and associate with them. However, even with SSID broadcasts turned off, the SSID still appears in the clear in association and probe request frames, so it can be recovered by sniffing the traffic.

Wireless clients can connect to APs using either open system or shared key authentication. Although shared key authentication protects against some denial of service (DoS) attacks, its challenge-response exchange hands an eavesdropper a plaintext/ciphertext pair, and therefore the keystream for that IV, creating a significant vulnerability for the WEP keys in use on the network. It should not be used.

MAC filtering is another defensive tactic that can be employed to protect wireless networks from unwanted intrusion: only stations whose adapters have MAC addresses on the allowed list may communicate with the AP. However, MAC addresses are easily spoofed (an attacker need only sniff a valid one from the air), and maintaining the list may be impractical in a large environment.

A much better way of securing WLANs is 802.1x. 802.1x was originally developed to provide port-based authentication on wired networks, but it was found to have significant application in wireless networks. With 802.1x authentication, a supplicant (the wireless workstation) must be authenticated before it is granted access to the network. The AP acts as the authenticator, relaying the exchange to an authentication server, usually a RADIUS server, which makes the access decision. The authentication exchange takes place over a logical uncontrolled port that carries only authentication traffic; if authentication succeeds, access to the network is granted on the logical controlled port.

802.1x relies on the Extensible Authentication Protocol (EAP) to perform the authentication. The preferred EAP type for 802.1x is EAP-TLS. EAP-TLS makes it possible to derive dynamic, per-user, per-session WEP keys, eliminating some of the more significant vulnerabilities associated with static WEP. However, to use EAP-TLS you must deploy a Public Key Infrastructure (PKI) to issue X.509 digital certificates to the wireless clients and to the RADIUS server.

Other methods that can be used to secure wireless networks include placing the APs on their own subnets in a wireless DMZ (WDMZ), separated from the corporate network by a firewall or router. Access from the WDMZ to the corporate network can then be limited to VPN connections that use either PPTP or L2TP.

Security measures for wireless networks continue to develop. WPA adds TKIP and the Message Integrity Code (MIC) to address WEP's key reuse and integrity weaknesses.

EXAM OBJECTIVES FAST TRACK

Radio Frequency and Antenna Behaviors and Characteristics

Gain occurs when a signal's strength is increased, for example by passing it through an amplifier or by using a directional antenna that concentrates the radiated energy.

Loss is the opposite of gain and occurs when a signal's strength is decreased, either intentionally through a device such as an attenuator or unintentionally, for example through resistive losses in a cable.

Reflection occurs when an electromagnetic RF wave strikes a surface that is much larger than its wavelength.

Refraction occurs when a wave passes into a different medium and changes direction, with some of the original wave being reflected away from its path.

Absorption results when an electromagnetic wave strikes an object that does not pass it on by any means (reflection, refraction, or diffraction).
Scattering occurs when an incoming electromagnetic wave strikes a surface or particles that are small compared to its wavelength.

The Fresnel zone is an elliptical region surrounding the visual line of sight (LOS) between two antennas; obstructions within it cause signal loss through reflection, refraction, and scattering.

Wireless Network Concepts

The most predominant wireless technologies are the Wireless Application Protocol (WAP) and IEEE 802.11 wireless LANs. Wired Equivalent Privacy (WEP) is the security method defined for IEEE 802.11 WLANs, and WTLS provides security in WAP networks.

WEP provides for two key sizes: 40-bit and 104-bit secret keys. The secret key is concatenated with a 24-bit IV to produce the 64- or 128-bit per-packet key. WEP uses the RC4 stream cipher to encrypt its data.

802.11 networks use two types of authentication: open system authentication and shared key authentication.

There are two 802.11 network modes: ad hoc and infrastructure. Ad hoc 802.11 networks are peer-to-peer in design and can be implemented by two clients with wireless network cards. The infrastructure mode of 802.11 uses APs to provide wireless connectivity to a wired network beyond the AP.

To protect against some rudimentary attacks that insert known text into the stream to attempt to reveal the key stream, WEP .
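The gain and loss items in the Fast Track, and the summary's warning that with the proper antennas the range of a WLAN is much greater than commonly assumed, can be put in numbers with a free-space link budget. The following is an added example, not from the original chapter. The transmit power, antenna gains, receiver sensitivity and per-wall loss are assumed figures typical of 802.11b/g equipment, and real-world range will be lower than the free-space figure because walls and other obstructions add loss; the point it shows is that every 6 dB of extra antenna gain doubles free-space range, so a 15 dBi Yagi in the attacker's hands multiplies the eavesdropping distance by roughly four and a half compared with a laptop's built-in antenna.

```python
import math

C = 299_792_458.0  # speed of light, m/s


def fspl_db(distance_m: float, freq_mhz: float) -> float:
    """Free-space path loss in dB: 20*log10(4*pi*d*f / c)."""
    return 20 * math.log10(4 * math.pi * distance_m * freq_mhz * 1e6 / C)


def received_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, distance_m, freq_mhz,
                 misc_loss_db=0.0):
    """Link budget: gains add, losses subtract, everything in decibels."""
    return (tx_dbm + tx_gain_dbi + rx_gain_dbi
            - fspl_db(distance_m, freq_mhz) - misc_loss_db)


def max_range_m(tx_dbm, tx_gain_dbi, rx_gain_dbi, rx_sensitivity_dbm,
                freq_mhz, misc_loss_db=0.0):
    """Largest distance at which the received level still meets the receiver's
    sensitivity. Inverts fspl_db: d = c / (4*pi*f) * 10**(margin_dB / 20)."""
    margin_db = tx_dbm + tx_gain_dbi + rx_gain_dbi - misc_loss_db - rx_sensitivity_dbm
    return C / (4 * math.pi * freq_mhz * 1e6) * 10 ** (margin_db / 20)


def gain_to_range_factor(extra_gain_db: float) -> float:
    """Range scales with 10**(dB/20): +6 dB doubles it, +20 dB multiplies by 10."""
    return 10 ** (extra_gain_db / 20)


# Assumed, typical figures; none of these come from the chapter.
AP_TX_DBM = 15.0            # ~30 mW access point
AP_ANTENNA_DBI = 2.0        # stock dipole on the AP
LAPTOP_ANTENNA_DBI = 2.0    # built-in client antenna
YAGI_DBI = 15.0             # attacker's directional Yagi
SENSITIVITY_DBM = -80.0     # receiver sensitivity at a low 802.11b data rate
CHANNEL_6_MHZ = 2437.0      # 2.4 GHz ISM band, channel 6
WALL_LOSS_DB = 4.0          # assumed loss per interior wall


def attacker_range_comparison():
    """Free-space eavesdropping range with a laptop antenna vs. a Yagi,
    and the ratio between them."""
    stock = max_range_m(AP_TX_DBM, AP_ANTENNA_DBI, LAPTOP_ANTENNA_DBI,
                        SENSITIVITY_DBM, CHANNEL_6_MHZ)
    yagi = max_range_m(AP_TX_DBM, AP_ANTENNA_DBI, YAGI_DBI,
                       SENSITIVITY_DBM, CHANNEL_6_MHZ)
    return stock, yagi, yagi / stock


def parking_lot_levels(distance_m=150.0, walls=2):
    """Signal level outside the building: AP indoors, `walls` interior walls
    between it and an attacker `distance_m` away, laptop antenna vs. Yagi."""
    loss = walls * WALL_LOSS_DB
    stock = received_dbm(AP_TX_DBM, AP_ANTENNA_DBI, LAPTOP_ANTENNA_DBI,
                         distance_m, CHANNEL_6_MHZ, loss)
    yagi = received_dbm(AP_TX_DBM, AP_ANTENNA_DBI, YAGI_DBI,
                        distance_m, CHANNEL_6_MHZ, loss)
    return stock, yagi


if __name__ == "__main__":
    stock_m, yagi_m, ratio = attacker_range_comparison()
    print(f"free-space range: laptop {stock_m:.0f} m, Yagi {yagi_m:.0f} m (x{ratio:.2f})")
    lot_stock, lot_yagi = parking_lot_levels()
    print(f"150 m through 2 walls: laptop {lot_stock:.1f} dBm, Yagi {lot_yagi:.1f} dBm "
          f"(sensitivity {SENSITIVITY_DBM} dBm)")
```

The same functions serve a site survey in reverse: measure the level at the property line, subtract the gain of the best antenna an attacker could plausibly bring, and you have the margin you actually need to remove by lowering AP power or relocating the AP.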