Cisco Wireless LAN Security
By Krishna Sankar, Sri Sundaralingam, Andrew Balinsky, Darrin Miller

Publisher: Cisco Press
Pub Date: November 15, 2004
ISBN: 1-58705-154-0
Pages: 456

Expert guidance for securing your 802.11 networks

Learn best practices for securely managing, operating, and scaling WLANs
Comprehend the security-related technological underpinnings of WLANs
Explore new security protocols in 802.11i and WPA and learn how they prevent attacks
Review centralized deployment models for wired/wireless integration
Deepen your knowledge of defense by understanding the tools that attackers use to perform reconnaissance and to attack authentication and encryption mechanisms
Understand how to design secure WLANs to support enterprise applications with the new standards and practices detailed in this book
Reference the next generation authentication standards and protocols
Find out about mobility, hotspots, and campus wireless networks
Grasp Open Authentication, MAC-based authentication, shared key authentication, EAP authentication protocols, WEP, WPA, and 802.11i

Cisco Wireless LAN Security is an in-depth guide to wireless LAN technology and security, introducing the key aspects of 802.11 security by illustrating major wireless LAN (WLAN) standards that can protect the entire network. Because a WLAN is less effective as an isolated piece of the network, this book emphasizes how to effectively integrate WLAN devices into the wired network while maintaining maximum security.

Cisco Wireless LAN Security covers the spectrum of WLAN security, including protocols and specifications, vulnerabilities and threats, and, especially, deployment patterns and design guidelines. With a unique combination of theory and practice, this book addresses fundamental wireless concepts, such as WEP, and innovations, such as EAP, switching, and management. Each chapter includes detailed illustrations, checklists, design templates, and other resources. You will also find generic wireless deployment patterns based on real-world customer installations and functional examples of architecture, design, and best practices.

Whether you currently design, configure, implement, and maintain WLANs or simply want to explore wireless security issues, Cisco Wireless LAN Security has everything you need to understand how to create a seamlessly secure, impenetrable 802.11 network.

This book is part of the Networking Technology Series from Cisco Press, which offers networking professionals valuable information for constructing efficient networks, understanding new technologies, and building successful careers.

Table of Contents

Copyright
About the Authors
About the Technical Reviewers
Acknowledgments
Icons Used in This Book
Introduction
    Who Should Read this Book?
    How this Book is Organized
Chapter 1 Securing WLANs Overview
    WLAN: A Perspective
    Wireless LAN Components and Terminology
    WLAN Standards
    WLAN Security
    WLAN Security Domain Conceptual Model
    Navigating this Book and Chapter Contexts
    Summary
Chapter 2 Basic Security Mechanics and Mechanisms
    Security Mechanics
    Authentication and Identity Protocols
    Summary
Chapter 3 WLAN Standards
    Standards Organizations, Position, Context, and Influence
    Hardware/Radio/Waves and Modulation
    FCC Regulations
    Brief Discussion on Relevant Standards
    Summary
Chapter 4 WLAN Fundamentals
    WLAN: Elements and Characteristics
    WLAN Basic Topology
    WLAN Building Blocks
    WLAN State Diagram
    Basic Choreography
    Summary
Chapter 5 WLAN Basic Authentication and Privacy Methods
    Authentication Mechanics
    Open Authentication
    MAC-Based Authentication
    Shared-Key Authentication
    WEP Privacy Mechanics
    Summary
Chapter 6 Wireless Vulnerabilities
    Attacker Objectives
    Reconnaissance Attacks
    DoS Attacks
    Authentication Attacks
    WEP Keystream and Plaintext Recovery
    WEP Key Recovery Attacks
    Attacks on EAP Protocols
    Rogue APs
    Ad-Hoc Mode Security
    Summary
Chapter 7 EAP Authentication Protocols for WLANs
    Access Control and Authentication Mechanisms
    EAP
    PEAP
    802.1x: Introduction and General Principles
    Cisco LEAP (EAP-Cisco Wireless)
    EAP-FAST
    Summary
Chapter 8 WLAN Encryption and Data Integrity Protocols
    IEEE 802.11i
    Encryption Protocols
    Key Management
    WPA and Cisco Protocols
    Security Problems Addressed
    Summary
Chapter 9 SWAN: End-to-End Security Deployment
    Overview of SWAN Security Features
    WLAN Deployment Modes and Security Features
    SWAN Infrastructure Authentication
    Radio Management and Wireless Intrusion Detection
    SWAN Fast Secure Roaming (CCKM)
    Local 802.1x RADIUS Authentication Service
    Summary
Chapter 10 Design Guidelines for Secure WLAN
    WLAN Design Fundamentals
    General Security Recommendations
    New WLAN Deployments
    Integration with Existing WLAN Deployments
    SWAN Central Switch Design Considerations
    Admission Control Design
    Summary
Chapter 11 Operational and Design Considerations for Secure WLANs
    Rogue AP Detection and Prevention
    WLAN Services Scaling
    Enterprise Guest Access
    Summary
Chapter 12 WLAN Security Configuration Guidelines and Examples
    Cisco Enterprise Class Wireless LAN Products
    WLAN Security Methods: Configuration Guidelines and Examples
    SWAN Nonswitching Deployment: Configuration Guidelines and Examples
    Securing Bridge-to-Bridge Links
    Secure WLAN Management Configuration Guidelines
    SWAN Central Switching Deployment: Configuration Guidelines and Examples
    Summary
Chapter 13 WLAN Deployment Examples
    Large Enterprise Deployment Examples
    Vertical Deployment Examples
    Small and Medium Businesses and SOHO WLAN Deployments
    Hotspot (Public WLAN) Deployment Examples
    Summary
Appendix A Resources and References
    General Tools
    Defensive Tools
    Cryptography and Cryptanalysis
    Wireless Standards and Associations
Index

Copyright

Cisco Wireless LAN Security
Krishna Sankar, Sri Sundaralingam, Andrew Balinsky, Darrin Miller
Copyright © 2005 Cisco Systems, Inc.

Cisco Press logo is a trademark of Cisco Systems, Inc.

Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

First Printing November 2004

Library of Congress Cataloging-in-Publication Number: 2003100133

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Airopeek is a trademark of WildPackets, Inc. Sniffer is a trademark of Network Associates Technology, Inc. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Warning and Disclaimer

This book is designed to provide information about wireless LANs. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.

The opinions expressed in this book belong to the authors and are not necessarily those of Cisco Systems, Inc.

Corporate and Government Sales

Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information, please contact:
U.S. Corporate and Government Sales 1-800-382-3419 corpsales@pearsontechgroup.com

For sales outside the U.S., please contact:
International Sales international@pearsoned.com

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community.

Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message.

We greatly appreciate your assistance.

Publisher: John Wait
Editor-in-Chief: John Kane
Executive Editor: Brett Bartow
Acquisition Editor: Michelle Grandin
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Nannette M. Noble
Production Manager: Patrick Kanouse
Development Editor: Ginny Bess Munroe
Senior Copy Editor: Amy Lepore
Technical Editors: Brian Cox, David Pollino, Dr. Peter Welcher, and Nancy Cam-Winget
Editorial Assistant: Tammi Barnett
Cover Designer: Louisa Adair
Project Management: Argosy Publishing
Composition: Prospect Hill Publishing Services
Indexer: Eric T. Schroeder
Proofreader: Karen A. Gill

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

European Headquarters
Cisco Systems International BV
Haarlerbergpark
Haarlerbergweg 13-19
1101 CH Amsterdam
The Netherlands

channel allocation IEEE 802.11e IEEE 802.11f IEEE 802.11h IEEE 802.11k LAN/MAN layered framework for authentication WLANs WPA START message state diagrams state transitions static WEP configuration status codes stickiness Structured Wireless Aware Network [See SWAN] success/failure frames (EAP) supplicants third-party SWAN (Cisco Structured Wireless Aware Network) 802.11x RADIUS authentication
service central switching deployment fast secure roaming infrastructure authentication nonswitching deployment radio management rogue AP detection security WLAN deployment central switching deployment mode nonswitching deployment mode security features switches (wireless aware) symmetric encryption symmetric key encryption

TACACS+ protocol accounting authentication authorization transactions TACACS, administrator authentication Task Group i (TGi) tcpdump TEAP (Tunneled EAP) TEK (Temporal Encryption Key) Temporal Encryption Key (TEK) Temporal Key (TK) TGi (Task Group i) third-party supplicants threat mitigation combined VPN/embedded security design integration with legacy devices VPN overlays three-party model three-way handshakes (CHAP) timing TK (Temporal Key) TKIP decapsulation encapsulation key mixing algorithm Michael MIC overview packet construction preventing reply attacks TKIP Sequence Counter (TSC) TLS (Transport Level Security) EAP-TLS EAP-TTLS TLV frame format (PEAP) TPC (Transmit Power Control) traffic injection transactions RADIUS protocol TACACS+ protocol Transmit Power Control (TPC) trees [See attack trees] troubleshooting rogue APs manually network-based SWAN WDS server configuration trust model (open authentication) TSC (TKIP Sequence Counter) Tunneled EAP (TEAP)

university WLAN deployment example upgrading, integrating design with existing WLAN deployments

vertical market WLAN deployment financial WLAN deployment examples healthcare WLAN deployment examples manufacturing WLAN deployment examples retail WLAN example 1 challenges security WDS and AAA infrastructure retail WLAN example 2 university WLAN deployment example void11 VoIP (Voice over IP), large enterprise WLAN deployment VPNs (virtual private networks) IPSec overlays best practices central switch design combined with embedded security design design fundamentals technologies threat mitigation vulnerabilities EAP MAC-based authentication open authentication shared-key authentication WEP wireless networks

WarBSD wardriving WarLinux WDS (Wireless Domain Services) websites cryptography and cryptoanalysis general tools IEEE resources IETF resources WiFi Alliance Wellenreiter WEP (Wired Equivalent Privacy) CCMP CCM algorithm decapsulation encapsulation decapsulation encapsulation ICV IEEE 802.11i IVs key management key recovery attacks dictionary-based EAP protocols Fluhrer-Mantin-Shamir attack keys keystream and plaintext recovery uses for recovered keystreams pre-WEP devices privacy mechanics processing model RC4 seed TKIP decapsulation encapsulation key mixing algorithm Michael MIC packet construction preventing reply attacks vulnerabilities WEP-only devices wep_crack and wep_decrypt WEPCrack WGBs (workgroup bridges) Wi-Fi Alliance websites Wi-Fi Protected Access [See WPA] Wireless Domain Services (WDS) Wireless LAN Association (WLANA) Wireless LAN Services Module (WLSM) Wireless LAN Solution Engine (WLSE) wireless LANs [See WLANs] wireless networks security ad-hoc mode authentication attacks DoS attacks DoS attacks: disassociation and deauthentication DoS attacks: transmit duration reconnaissance attacks rogue APs supplicants vulnerabilities wireless service provider (WSP) wireless-aware routers wireless-aware switches WLANA (Wireless LAN Association) WLANs (wireless LANs) authentication basic topology Cisco Enterprise class Catalyst 6500 Wireless LAN Services Module Cisco Aironet 802.22b/a/g Cisco Aironet AP1100 AP Cisco Aironet AP1200 AP Cisco Aironet AP350 AP Cisco Aironet BR1410 AP Cisco Aironet BR350 AP Cisco Secure ACS WLSE components deauthentication deploying financial WLAN examples healthcare WLAN examples large enterprise examples manufacturing WLAN examples university example vertical market examples deployment modes security features SWAN central switching deployment mode SWAN nonswitching deployment mode designing admission control AP management AP recommendations application support authentication support client recommendations combined VPN/embedded security design device support embedded security solutions infrastructure recommendations mobility multigroup access network services placement new deployments radio coverage security policies VPN overlays elements and characteristics enterprise guest access frames associations frames beacon frames MAC frame management probe request frames probe response frames reassociations frames integration with existing systems limitations medium enterprise deployment example public reason codes security bridge-to-bridge links HTML GUI configuration pages IOS CLI configuration management configuration standards security domain conceptual model services IEEE 802.11 state transitions services scaling RADIUS best practices VPN best practices small office deployment example SOHO deployment example standards state diagram status codes SWAN WEP WLSE (Cisco Wireless LAN Solution Engine) WLSM (Wireless LAN Services Module) WPA (Wi-Fi Protected Access) compared to IEEE 802.11 WPA upgradeable devices WPA-DOT1x configuration debug information WPA-PSK configuration WSP (wireless service provider)

XOR (exclusive OR) XTACACS protocol