CWNA Guide to Wireless LANs, Second Edition Chapter Eight Wireless LAN Security and Vulnerabilities Objectives • Define information security • Explain the basic security protections for IEEE 802.11 WLANs • List the vulnerabilities of the IEEE 802.11 standard • Describe the types of wireless attacks that can be launched against a wireless network CWNA Guide to Wireless LANs, Second Edit Security Principles: What is Information Security? • Information security: Task of guarding digital information – Ensures protective measures properly implemented – Protects confidentiality, integrity, and availability (CIA) on the devices that store, manipulate, and transmit the information through products, people, and procedures CWNA Guide to Wireless LANs, Second Edit Security Principles: What is Information Security? (continued) Figure 8-1: Information security components CWNA Guide to Wireless LANs, Second Edit Security Principles: Challenges of Securing Information • Trends influencing increasing difficultly in information security: – Speed of attacks – Sophistication of attacks – Faster detection of weaknesses • Day zero attacks – Distributed attacks • The “many against one” approach • Impossible to stop attack by trying to identify and block source CWNA Guide to Wireless LANs, Second Edit Security Principles: Categories of Attackers • Six categories of attackers: – Hackers • Not malicious; expose security flaws – – – – – Crackers Script kiddies Spies Employees Cyberterrorists CWNA Guide to Wireless LANs, Second Edit Security Principles: Categories of Attackers (continued) Table 8-1: Attacker profiles CWNA Guide to Wireless LANs, Second Edit Security Principles: Security Organizations • Many security organizations exist to provide security information, assistance, and training – Computer Emergency Response Team Coordination Center (CERT/CC) – Forum of Incident Response and Security Teams (FIRST) – InfraGard – Information Systems Security Association (ISSA) – National Security Institute (NSI) – SysAdmin, Audit, Network, Security (SANS) Institute CWNA Guide to Wireless LANs, Second Edit Basic IEEE 802.11 Security Protections • Data transmitted by a WLAN could be intercepted and viewed by an attacker – Important that basic wireless security protections be built into WLANs • Three categories of WLAN protections: – Access control – Wired equivalent privacy (WEP) – Authentication • Some protections specified by IEEE, while others left to vendors CWNA Guide to Wireless LANs, Second Edit Access Control • Intended to guard availability of information • Wireless access control: Limit user’s admission to AP – Filtering • Media Access Control (MAC) address filtering: Based on a node’s unique MAC address Figure 8-2: MAC address CWNA Guide to Wireless LANs, Second Edit 10 Open System Authentication Vulnerabilities (continued) • Vulnerabilities (continued): – If an attacker cannot capture an initial negotiation process, can force one to occur – SSID can be retrieved from an authenticated device – Many users not change default SSID • Several wireless tools freely available that allow users with no advanced knowledge of wireless networks to capture SSIDs CWNA Guide to Wireless LANs, Second Edit 27 Open System Authentication Vulnerabilities (continued) Figure 8-12: Forcing the renegotiation process CWNA Guide to Wireless LANs, Second Edit 28 Shared Secret Key Authentication Vulnerabilities • Attackers can view key on an approved wireless device (i.e., steal it), and then use on own wireless devices • Brute force attack: Attacker attempts to create every possible key combination until correct key found • Dictionary attack: Takes each word from a dictionary and encodes it in same way as passphrase – Compare encoded dictionary words against encrypted frame CWNA Guide to Wireless LANs, Second Edit 29 Shared Secret Key Authentication Vulnerabilities (continued) • AP sends challenge text in plaintext – Attacker can capture challenge text and device’s response (encrypted text and IV) • Mathematically derive keystream CWNA Guide to Wireless LANs, Second Edit 30 Shared Secret Key Authentication Vulnerabilities (continued) Table 8-2: Authentication attacks CWNA Guide to Wireless LANs, Second Edit 31 Address Filtering Vulnerabilities Table 8-3: MAC address attacks CWNA Guide to Wireless LANs, Second Edit 32 WEP Vulnerabilities • Uses 40 or 104 bit keys – Shorter keys easier to crack • WEP implementation violates cardinal rule of cryptography – Creates detectable pattern for attackers – APs end up repeating IVs • Collision: Two packets derived from same IV – Attacker can use info from collisions to initiate a keystream attack CWNA Guide to Wireless LANs, Second Edit 33 WEP Vulnerabilities (continued) Figure 8-13: XOR operations CWNA Guide to Wireless LANs, Second Edit 34 WEP Vulnerabilities (continued) Figure 8-14: Capturing packets CWNA Guide to Wireless LANs, Second Edit 35 WEP Vulnerabilities (continued) • PRNG does not create true random number – Pseudorandom – First 256 bytes of the RC4 cipher can be determined by bytes in the key itself Table 8-4: WEP attacks CWNA Guide to Wireless LANs, Second Edit 36 Other Wireless Attacks: Man-in-theMiddle Attack • Makes it seem that two computers are communicating with each other – Actually sending and receiving data with computer between them – Active or passive Figure 8-15: Intercepting transmissions CWNA Guide to Wireless LANs, Second Edit 37 Other Wireless Attacks: Man-in-theMiddle Attack (continued) Figure 8-16: Wireless man-in-the-middle attack CWNA Guide to Wireless LANs, Second Edit 38 Other Wireless Attacks: Denial of Service (DoS) Attack • Standard DoS attack attempts to make a server or other network device unavailable by flooding it with requests – Attacking computers programmed to request, but not respond • Wireless DoS attacks are different: – Jamming: Prevents wireless devices from transmitting – Forcing a device to continually dissociate and reassociate with AP CWNA Guide to Wireless LANs, Second Edit 39 Summary • Information security protects the confidentiality, integrity, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures • Significant challenges in keeping wireless networks and devices secure • Six categories of attackers: Hackers, crackers, script kiddies, computer spies, employees, and cyberterrorists CWNA Guide to Wireless LANs, Second Edit 40 Summary (continued) • Three categories of default wireless protection: access control, wired equivalent privacy (WEP), and authentication • Significant security vulnerabilities exist in the IEEE 802.11 security mechanisms • Man-in-the-middle attacks and denial of service attacks (DoS) can be used to attack wireless networks CWNA Guide to Wireless LANs, Second Edit 41 ... discovered CWNA Guide to Wireless LANs, Second Edit 14 WEP: Cryptography (continued) Figure 8-5: Cryptography CWNA Guide to Wireless LANs, Second Edit 15 WEP: Implementation • IEEE 802.11 cryptography... networks to capture SSIDs CWNA Guide to Wireless LANs, Second Edit 27 Open System Authentication Vulnerabilities (continued) Figure 8-12: Forcing the renegotiation process CWNA Guide to Wireless LANs, ... Employees Cyberterrorists CWNA Guide to Wireless LANs, Second Edit Security Principles: Categories of Attackers (continued) Table 8-1: Attacker profiles CWNA Guide to Wireless LANs, Second Edit Security