Post on 26-Dec-2015
Chapter 7: Wireless LANs II
802.11 Security
802.11 LAN management
Other local wireless technologies
© 2013 Pearson 2
7.1: WLAN Security Threats
Drive-By Hackers
◦ Sit outside the corporate premises and read network traffic
◦ Can send malicious traffic into the network
◦ Easily done with readily downloadable software
War Drivers
◦ Merely discover unprotected access points; they become drive-by hackers only if they break in
◦ War driving per se is not illegal
Unprotected Access Points
◦ Drive-by hackers can associate with any unprotected access point.
◦ They gain access to the local area network without going through the site firewall: the border firewall only inspects traffic entering from the Internet, not traffic that originates on the internal wireless segment.
Rogue Access Points
◦ Unauthorized access points that are set up by a department or an individual
◦ Often have very poor security (open or WEP), making drive-by hacking easier
◦ Often operate at high power, attracting many hosts to their low-security service
7.2: Core 802.11 Security Standards
Core security protocols protect communication between a wireless client and a legitimate access point. They provide encryption for confidentiality and other cryptographic protections (authentication and message integrity).
802.11 core security protocols protect only wireless client–access point communication; once frames leave the access point onto the wired LAN they are outside their protection.
7.3: 802.11 Core Security Standards
Provide Security Between the Wireless Station and the Wireless Access Point
◦ Client (and perhaps access point) authentication
◦ Encryption of messages for confidentiality, with a message integrity check so that tampering is detected
Wired Equivalent Privacy (WEP)
◦ Initial rudimentary security provided with 802.11 in 1997.
◦ Everyone shared the same secret encryption key, and this key could not be changed automatically.
◦ Because the secret key was shared, it did not stay secret. Users often gave it out freely.
◦ WEP encrypts with RC4, seeding each frame's keystream with a 24-bit initialization vector prepended to the shared key; the IV space is so small that keystreams repeat, and statistical attacks on captured IVs recover the key.
◦ The key initially could be cracked in 1 to 2 hours; now it can be cracked in 3 to 10 minutes using readily available software such as aircrack-ng.
Wi-Fi Protected Access (WPA)
◦ The Wi-Fi Alliance
  Normally certifies interoperability of 802.11 equipment
  Certified equipment may display the Wi-Fi name on their boxes
  Created WPA as a stop-gap security standard in 2002 until 802.11i was finished (802.11i was ratified in 2004)
Wi-Fi Protected Access (WPA)
◦ Designed for upgrading old equipment
  WPA uses a subset of 802.11i that can run on older wireless NICs and access points.
  WPA added simpler security algorithms for functions that could not run on older machines: TKIP, which keeps WEP's RC4 cipher but adds per-frame key mixing, a longer IV and the Michael integrity check.
◦ Equipment that cannot be upgraded to WPA should be discarded.
802.11i (WPA2)
◦ Uses AES-CCMP with 128-bit keys for confidentiality and message integrity; session keys are established by the 802.11i key management (4-way) handshake.
◦ 802.11i is the gold standard in 802.11 security.
◦ But companies have large installed bases of WPA-configured equipment, so they are hesitant to upgrade.
◦ WPA has now been partially cracked (practical attacks on TKIP's integrity check were published in 2008), and this is leading many firms to upgrade.
WEP: Initial core security standard. Easily cracked today.
WPA: Has been partially cracked. Large installed base makes upgrading the entire network to 802.11i expensive.
802.11i (WPA2): Today's preferred standard. Extremely strong.
Both WPA and 802.11i have two modes of operation.
◦ 802.1X mode
  For large organizations
  Uses a central authentication server for consistency
  Authentication server also provides key management
  Wi-Fi Alliance calls it Enterprise Mode
7.4: 802.1X and PSK Modes
Both WPA and 802.11i have two modes of operation.
◦ 802.1X mode
  The 802.1X standard protects communication with the Extensible Authentication Protocol (EAP); the access point relays EAP between the client and a RADIUS authentication server.
  Several EAP versions exist with different security protections.
  A firm implementing 802.1X must choose one.
  Protected EAP (PEAP) is popular because Microsoft favors it. It carries the user's credential (typically MS-CHAPv2) inside a TLS tunnel to the server, so clients must be configured to validate the server's certificate; otherwise an evil twin running its own RADIUS server can harvest credentials.
Both WPA and 802.11i have two modes of operation.
◦ Pre-Shared Key mode for homes or small firms
  For homes or small businesses with a single access point.
  The access point does all authentication and key management.
  All users must know an initial pre-shared key (PSK), which is derived from the passphrase and the SSID.
  Each station, however, is later given a unique session key (the pairwise transient key negotiated in the 4-way handshake).
Both WPA and 802.11i have two modes of operation.
◦ Pre-Shared Key mode
  If the pre-shared key is weak, it is easily cracked: an attacker who records one station's 4-way handshake can test passphrase guesses offline, without ever talking to the access point.
  Pass phrases that generate keys must be at least 20 characters long, and must not be a dictionary phrase; length alone does not help if the phrase is guessable.
  Wi-Fi Alliance calls this Personal Mode.
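As an added example (not code from the slides or from any product), the Python below implements the PSK-mode key derivation just described and the offline dictionary attack that a weak passphrase invites. It derives the PMK from passphrase and SSID, derives the per-station PTK from the 4-way handshake values, computes the handshake MIC, and then recovers the passphrase from a captured handshake by guessing. The MAC addresses, nonces and EAPOL-Key frame layout are constructed for the demonstration; the PMK for passphrase "password" and SSID "IEEE" is the test vector from the 802.11i standard.

```python
import hashlib
import hmac
from typing import Optional

# Added example, not code from the slides or from any product. It shows how
# WPA2-Personal (802.11i PSK mode) turns the shared passphrase into the
# Pairwise Master Key (PMK), how the 4-way handshake derives a per-station
# Pairwise Transient Key (PTK) from it, and why a weak passphrase can be
# recovered offline from a single captured handshake. The MAC addresses,
# nonces and EAPOL-Key frame below are constructed for the demonstration.


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    # 802.11i PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-512(PMK, "Pairwise key expansion",
    #               min(AA, SPA) || max(AA, SPA) || min(ANonce, SNonce) || max(ANonce, SNonce))
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    # WPA2/CCMP key MIC: first 128 bits of HMAC-SHA1 over the whole EAPOL-Key frame
    # with its MIC field zeroed. The KCK is the first 16 bytes of the PTK.
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes) -> bytes:
    # Constructed EAPOL-Key message 2 (supplicant -> AP) with the MIC field zeroed,
    # laid out like a real frame so the MIC is computed over realistic bytes.
    rsn_ie = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")  # CCMP, PSK
    body = (b"\x02"                 # descriptor type: RSN key
            + b"\x01\x0a"           # key information: pairwise, MIC present
            + b"\x00\x10"           # key length
            + b"\x00" * 8           # replay counter
            + snonce                # SNonce, 32 bytes
            + b"\x00" * 16          # key IV
            + b"\x00" * 8           # RSC
            + b"\x00" * 8           # reserved
            + b"\x00" * 16          # MIC field (zeroed)
            + len(rsn_ie).to_bytes(2, "big")
            + rsn_ie)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v1, type Key


def simulate_handshake(passphrase: str, ssid: str) -> dict:
    # What a passive sniffer sees: the SSID (from beacons), both MAC addresses,
    # both nonces, and the MIC the supplicant computed with the real passphrase.
    ap_mac = bytes.fromhex("001337112233")
    sta_mac = bytes.fromhex("0016ea998877")
    anonce = bytes(range(32))
    snonce = bytes(range(100, 132))
    ptk = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    msg2 = build_eapol_msg2(snonce)
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": msg2, "mic": eapol_mic(ptk[:16], msg2)}


def crack_psk(capture: dict, wordlist) -> Optional[str]:
    # Offline dictionary attack: nothing is sent to the network. Each guess costs
    # one PBKDF2 (4096 SHA-1 rounds), one PRF-512 and one HMAC, which is why the
    # passphrase's guessability, not the cipher, decides PSK-mode security.
    for guess in wordlist:
        pmk = derive_pmk(guess, capture["ssid"])
        ptk = derive_ptk(pmk, capture["ap_mac"], capture["sta_mac"],
                         capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], capture["eapol"]), capture["mic"]):
            return guess
    return None


if __name__ == "__main__":
    cap = simulate_handshake("password", "IEEE")
    print("recovered passphrase:", crack_psk(cap, ["letmein", "123456", "password", "qwerty"]))
```

The 4096-round PBKDF2 is the only thing slowing the attacker down, and it is fixed by the standard; the access point never sees the guesses, so rate limiting cannot help. A long random passphrase, or 802.1X mode with per-user credentials, is the only defense.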
              Can use 802.1X mode?   Can use PSK mode?
WPA           Yes                    Yes
802.11i       Yes                    Yes
Both WPA and 802.11i use both modes. This is not surprising because WPA was derived from 802.11i.
7.5: 802.1X Mode for 802.11i and WPA
802.1X Mode (See Figure 7-5)
◦ 802.1X in WPA and 802.11i protects client–access point communication with an extensible authentication protocol.
EAP must be protected. No problem with UTP: on a wired 802.1X port the EAP exchange travels only over the cable between the client and the switch. Big problem for wireless: anyone in radio range can capture or inject EAP frames, so for wireless EAP had to be extended. 802.11i binds the result of the EAP authentication (the master key the RADIUS server delivers) to the 4-way handshake that derives the session keys, and TLS-based EAP methods such as PEAP and EAP-TLS protect the authentication exchange itself.
◦ The 802.1X standard protects communication with an extensible authentication protocol.
  Several EAP versions exist with different security protections.
  A firm implementing 802.1X must choose one.
  Protected EAP (PEAP) is popular because Microsoft favors it.
7.6: 802.11i and WPA in Pre-Shared Key Mode
WEP
◦ Used the same shared key for everyone.
◦ It was used for a great deal of traffic.
◦ This made the key easy to break.
PSK Mode in 802.11i
◦ Only uses the shared initial key to derive session keys during the initial handshake, so it is not exposed to the traffic-volume attacks that broke WEP; it can still be recovered by an offline dictionary attack on a captured handshake if the passphrase is weak.
◦ Only a few people share this key, so they are less likely to give it out.
◦ Each host then gets a different session key.
◦ Session keys are unique per association and AES-CCMP does not suffer from WEP's keystream reuse, so captured traffic does not help an attacker recover them.
7.7: Evil Twin Access Point
Sits outside the premises or in a wireless hot spot
◦ A PC with software to emulate an access point
◦ Entices the wireless client to associate with it, for example by advertising the same SSID at a stronger signal
Establishes a second connection with a legitimate access point
◦ All traffic between the wireless client and network servers passes through the evil twin.
This is a classic man-in-the-middle attack.
Attacks on confidentiality because the evil twin reads all traffic.
◦ The client encrypts traffic, but with the link key it negotiated with the evil twin, not with the legitimate access point.
◦ The evil twin decrypts it and reads it.
◦ The evil twin reencrypts it (with its own link key to the legitimate access point) and sends it on.
The evil twin can also send attack packets, which do not pass through the border firewall.
7.8: Using a VPN to Counter Evil Twins
Virtual Private Networks (VPNs)
◦ End-to-end encryption between the client and a VPN gateway, keyed by a client–server secret (pre-shared or certificate-based) that is independent of the wireless link keys.
◦ The secret is never transmitted, so it cannot be intercepted; the evil twin sees only VPN ciphertext.
◦ Only traffic inside the tunnel is protected: anything the client sends before the tunnel is up (DNS lookups, captive-portal logins) is still exposed to the evil twin.
Wi-Fi Protected Setup
Usually just called WPS
Protocol to make it easier to connect clients to access points
Very popular
Created by the Wi-Fi Alliance, not the 802 Committee
Designed poorly
◦ The 8-digit WPS PIN is checked in two halves (the last digit is a checksum), so an online brute-force attack needs at most about 11,000 attempts, about 5,500 on average; a correct PIN makes the router hand over the network's WPA/WPA2 pre-shared key.
◦ Easy to do with automated attacks
Only solution is to turn off WPS at the router
◦ Many routers cannot turn it off, or keep answering WPS requests after the setting is disabled; verify by scanning for WPS after the change.
A problem for PSK mode but not for 802.1X mode
Denial-of-Service (DoS) Attacks
Either overloads the access point with traffic
Or sends a spoofed deauthentication or disassociation frame to make a client drop off an access point; without Protected Management Frames (802.11w) these frames are unauthenticated, so any radio in range can forge them.
Uncommon but dangerous. Deauthentication floods are also the usual opening move of an evil twin attack, since the disconnected victim reconnects to the strongest access point advertising the SSID.
802.11 LAN management
7.9: WLAN Management
Access Point Placement in a Building
◦ Must be done carefully for good coverage and to minimize interference between access points.
◦ Lay out 30-meter to 50-meter radius circles on blueprints.
◦ Adjust for obvious potential problems such as brick walls.
◦ In multistory buildings, must consider interference in three dimensions.
Access Point Placement in a Building
◦ Install access points and do site surveys to determine signal quality.
◦ Adjust placement and signal strength as needed.
◦ In commercial access points, signal strength and other configuration information can be actively controlled.
Remote Access Point Management
◦ The manual labor to manage many access points can be very high.
◦ They must be managed efficiently through automation.
7.10: Wireless Access Point Management Alternatives
7.9: WLAN Management
Remote Access Point Management
◦ Desired networking functionality:
  Notify the WLAN administrators of failures immediately.
  Support remote access point adjustment.
  Provide continuous transmission quality monitoring.
  Allow software updates to be pushed out to all access points or WLAN switches.
  Work automatically whenever possible.
Remote Access Point Management
◦ Desired security functionality:
  Notify the administrator of rogue access points.
  Notify the administrator of evil twin access points.
  Notify the administrator of flooding denial-of-service attacks.
  Notify the administrator of disassociate-message denial-of-service attacks.
  Instantly deny access to selected stations under selected conditions.
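An added example (Python, not from the slides or any WLAN management product) implementing two of the alerts in this list: evil twin and rogue access point detection from beacon frames (the threat described in 7.7), and detection of the deauthentication floods described under denial-of-service attacks. The authorized-AP inventory and the parsed management-frame records are constructed for the demonstration; a real wireless IDS would be fed the same fields by a monitor-mode capture.

```python
from collections import defaultdict

# Added example, not from the slides. A minimal wireless IDS pass over parsed
# 802.11 management-frame records. AUTHORIZED (BSSID -> expected security)
# and FRAMES are constructed inputs, not a real inventory or capture.

AUTHORIZED = {
    "aa:bb:cc:00:00:01": "WPA2",
    "aa:bb:cc:00:00:02": "WPA2",
}
MANAGED_SSIDS = {"CorpNet"}

FRAMES = [
    # beacons: BSSID, SSID, channel and the security the beacon advertises
    {"type": "beacon", "ts": 0.00, "bssid": "aa:bb:cc:00:00:01", "ssid": "CorpNet", "channel": 6,  "security": "WPA2"},
    {"type": "beacon", "ts": 0.10, "bssid": "aa:bb:cc:00:00:02", "ssid": "CorpNet", "channel": 1,  "security": "WEP"},
    {"type": "beacon", "ts": 0.20, "bssid": "de:ad:be:ef:00:01", "ssid": "CorpNet", "channel": 11, "security": "OPEN"},
    {"type": "beacon", "ts": 0.30, "bssid": "00:11:22:33:44:55", "ssid": "linksys", "channel": 6,  "security": "OPEN"},
]
# 30 broadcast deauthentication frames in under half a second from the evil
# twin's address, plus two ordinary deauths from an authorized AP, far apart.
FRAMES += [{"type": "deauth", "ts": 1.0 + i * 0.015, "src": "de:ad:be:ef:00:01",
            "dst": "ff:ff:ff:ff:ff:ff"} for i in range(30)]
FRAMES += [{"type": "deauth", "ts": t, "src": "aa:bb:cc:00:00:01",
            "dst": "66:77:88:99:aa:bb"} for t in (0.5, 9.5)]


def find_rogue_aps(frames, authorized=AUTHORIZED, managed_ssids=MANAGED_SSIDS):
    """Return (bssid, ssid, reason) for every beaconing AP that should page an administrator."""
    alerts, seen = [], set()
    for f in frames:
        if f["type"] != "beacon" or f["bssid"] in seen:
            continue
        seen.add(f["bssid"])
        if f["bssid"] in authorized:
            # Known AP, but check it still advertises the security we configured.
            if f["security"] != authorized[f["bssid"]]:
                alerts.append((f["bssid"], f["ssid"], "authorized AP advertising %s instead of %s"
                               % (f["security"], authorized[f["bssid"]])))
        elif f["ssid"] in managed_ssids:
            # Our SSID from a BSSID we do not own: evil twin or spoofed SSID.
            alerts.append((f["bssid"], f["ssid"], "evil twin: managed SSID from unauthorized BSSID"))
        else:
            # Unknown AP in range; a rogue if it is plugged into our wired LAN.
            alerts.append((f["bssid"], f["ssid"], "unknown AP, possible rogue"))
    return alerts


def detect_deauth_flood(frames, threshold=10, window=1.0):
    """Return {src: peak count} for senders exceeding `threshold` deauths in any `window` seconds."""
    by_src = defaultdict(list)
    for f in frames:
        if f["type"] == "deauth":
            by_src[f["src"]].append(f["ts"])
    floods = {}
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            floods[src] = peak
    return floods


if __name__ == "__main__":
    for bssid, ssid, reason in find_rogue_aps(FRAMES):
        print("ALERT %s (%s): %s" % (bssid, ssid, reason))
    for src, count in detect_deauth_flood(FRAMES).items():
        print("ALERT deauth flood from %s: %d frames in one second" % (src, count))
```

Beacon-based checks catch an evil twin only while it is transmitting, and a rogue AP on the wired side is confirmed by correlating its BSSID with MAC addresses seen on switch ports. The deauth counter is useless once management frames can be spoofed at will, which is why enabling 802.11w on the authorized APs matters more than tuning the threshold.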
Box: Decibels
The Basic Picture
Expressing ratios of transmission power
◦ Attenuation of signal during propagation (-)
◦ Amplification of signal so it will travel farther (+)
Multiples of 3 dB (decibels)
◦ +3 dB: x2 (times two) power
◦ +6 dB: x4 power
◦ +9 dB: ?
◦ -3 dB: 1/2 power
◦ -6 dB: ?
Units of 10 dB
◦ +10 dB: x10 power
◦ +20 dB: ?
◦ -10 dB: ?
◦ -20 dB: ?
Power is measured in Watts (W)
◦ Milliwatt (mW) = 1/1000 of a Watt
Transmitted power is 12 mW
◦ Attenuation during travel is -6 dB
◦ Final transmission power: ?
Radio power is 2 mW
◦ Antenna amplifies signal by 9 dB
◦ Final transmission power: ?
Expressing Power Ratios in Decibels (dB)
In radio engineering, you often have to express the ratio of two signal powers, P1 and P2.
◦ Amplification may make P2 larger than P1, the original signal strength.
◦ Attenuation may make P2 smaller than P1, the original signal strength.
◦ Connector loss may make transmitted power P2 smaller than P1, the original signal strength.
Power Ratios as Decibels (dB)
In general, simple ratios are easy to understand.
However, P1 and P2 can vary by orders of magnitude, giving numbers that are difficult to interpret by reading.
Radio engineers therefore express signal ratios on a logarithmic scale, decibels (dB): LdB = 10 × log10(P2/P1).
Suppose you have amplification, so that while P1 is 20 milliwatts (mW), P2 is 80 mW.
Use the Excel LOG10() function: LdB = 10*LOG10(80/20), about +6 dB.
If P2 > P1, then the ratio is greater than 1, and the dB value is positive.
Suppose you have attenuation, so that while P1 is 30 milliwatts (mW), P2 is 1.3 mW.
Use the Excel LOG10() function: LdB = 10*LOG10(1.3/30), about -13.6 dB.
If P2 < P1, then the ratio is less than 1, and the dB value is negative.
Suppose you have amplification, so that while P1 is 20 milliwatts (mW), P2 is 30 mW.
◦ What is LdB?
Suppose you have a loss of power of 30% at a coupler between the radio and the antenna.
◦ How would you compute LdB?
A doubling of power is 3.0103 dB
◦ This is almost exactly 3.
◦ Use 3 in estimates.
◦ Fill in the two missing dB values.
Ratio   N (as in 2^N)   dB
16      4               ?
8       3               9 dB
4       2               6 dB
2       1               3 dB
1       0               0 dB
1/2     -1              -3 dB
1/4     -2              -6 dB
1/8     -3              ?
A factor of 10 increase is 10 dB
◦ This is exactly 10.
◦ Fill in the two missing dB values.
Ratio     N (as in 10^N)   dB
10,000    4                ?
1,000     3                30 dB
100       2                20 dB
10        1                10 dB
1         0                0 dB
1/10      -1               -10 dB
1/100     -2               -20 dB
1/1,000   -3               ?
Power in dBm
dB gives power ratios.
dBm gives absolute power, relative to 1 milliwatt (mW).
◦ P1 = 1 mW
  What is the dBm for 2 mW?
  What is the dBm for 0.01 mW?
  What is the dBm for 1 Watt?
Decibels
Power ratios multiply
◦ Initial power = 1 Watt
◦ Fraction of power retained at antenna coupler = .5
◦ Loss of power due to attenuation = 90%
◦ Loss of power due to wall = 75%
◦ What is the final power?
Decibels add
◦ Initial power = 1 Watt (30 dBm)
◦ Fraction of power retained at antenna coupler = .5 (-3 dB)
◦ Loss of power due to attenuation = 90% (-10 dB)
◦ Loss of power due to wall = 75% (-6 dB)
◦ What is the final power?
Converting decibels back to power ratios: ratio = 10^(LdB/10) (in Excel, =10^(LdB/10) or =POWER(10, LdB/10)).
◦ What is the power ratio for 30 dB?
◦ What is the power ratio for -8 dB? (Do it in a spreadsheet.)
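As an added example (Python, not from the slides), the functions below implement the arithmetic of this box: dB as a power ratio, dBm as absolute power, converting back, and the two equivalent ways of computing a link budget, multiplying ratios or adding decibels. The numbers used in the worked calls are the ones from the exercises above.

```python
import math
from functools import reduce

# Added example, not from the slides. Decibel arithmetic as used in the
# exercises of this box; the worked calls at the bottom use the exercise
# numbers. Note that "-3 dB" and "-6 dB" are the rounded estimates the slides
# recommend, so the dB-sum answer differs slightly from the exact ratio product.


def db(p1_mw: float, p2_mw: float) -> float:
    """Gain (positive) or loss (negative) going from P1 to P2: LdB = 10 * log10(P2 / P1)."""
    return 10 * math.log10(p2_mw / p1_mw)


def ratio_from_db(l_db: float) -> float:
    """Inverse of db(): the power ratio P2 / P1 that a decibel value stands for."""
    return 10 ** (l_db / 10)


def dbm(power_mw: float) -> float:
    """Absolute power in dBm: the ratio of the power to a 1 mW reference."""
    return db(1.0, power_mw)


def mw_from_dbm(l_dbm: float) -> float:
    """Absolute power in mW for a dBm value."""
    return ratio_from_db(l_dbm)


def loss_percent_to_db(percent_lost: float) -> float:
    """A stage that loses X% of its input retains (1 - X/100) of it; express that as dB."""
    return db(1.0, 1 - percent_lost / 100)


def apply_db(power_mw: float, l_db: float) -> float:
    """Apply a gain or loss in dB to an absolute power in mW."""
    return power_mw * ratio_from_db(l_db)


def final_power_by_ratios(initial_mw: float, retained_fractions) -> float:
    """Ratios multiply: each stage keeps a fraction of the power it receives."""
    return reduce(lambda power, frac: power * frac, retained_fractions, initial_mw)


def final_power_by_db(initial_dbm: float, stage_dbs) -> float:
    """Decibels add: sum the stage gains/losses, then convert back to mW."""
    return mw_from_dbm(initial_dbm + sum(stage_dbs))


if __name__ == "__main__":
    print("20 mW -> 80 mW:", round(db(20, 80), 2), "dB")            # 6.02 dB
    print("30 mW -> 1.3 mW:", round(db(30, 1.3), 2), "dB")          # -13.63 dB
    print("20 mW -> 30 mW:", round(db(20, 30), 2), "dB")            # 1.76 dB
    print("30% coupler loss:", round(loss_percent_to_db(30), 2), "dB")  # -1.55 dB
    print("12 mW after -6 dB:", round(apply_db(12, -6), 1), "mW")   # 3.0 mW
    print("2 mW after +9 dB:", round(apply_db(2, 9), 0), "mW")      # 16.0 mW
    print("2 mW, 0.01 mW, 1 W in dBm:", round(dbm(2), 2), dbm(0.01), dbm(1000))
    print("ratios for 30 dB and -8 dB:", ratio_from_db(30), round(ratio_from_db(-8), 3))
    print("1 W x .5 x 10% x 25% =", final_power_by_ratios(1000, [0.5, 0.10, 0.25]), "mW")
    print("30 dBm - 3 - 10 - 6 dB =", round(final_power_by_db(30, [-3, -10, -6]), 1), "mW")
```

The two link-budget answers, 12.5 mW by multiplying ratios and about 12.6 mW by adding the rounded decibel estimates, show how much error the "use 3 for 3.0103" shortcut introduces: very little for a handful of stages.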
Other local wireless technologies
7.12: Other Wireless Technologies
802.11 Wi-Fi: Wi-Fi Direct gives direct communication between two wireless devices without an access point
Bluetooth: Personal area networks (PANs) around a desk or a person's body
Near Field Communication (NFC): Very near communication between two wireless hosts
Ultrawideband (UWB): Extremely high speed, short distance communication
                     Wi-Fi Direct     Bluetooth   NFC                     UWB
Typical Speed        20-300 Mbps      2 Mbps      106, 212, or 424 kbps   100 Mbps
Service Range        30-50 m          10 m        10 cm                   10 m
Requires Wall Power  Yes              No          No                      Yes
Service Band         2.4 and 5 GHz    2.4 GHz     13.56 MHz               UWB channels typically span multiple entire service bands
Bluetooth
For Personal Area Networks (PANs)
◦ Devices on a person's body and nearby (earphone, mobile phone, netbook computer, etc.)
◦ Devices around a desk (computer, mouse, keyboard, printer)
Cable Replacement Technology
◦ For example, with a Bluetooth phone, you can print wirelessly to a nearby Bluetooth-enabled printer.
◦ Does not use access points.
7.13 Bluetooth Modes of Operation
                     Classic Bluetooth               High-Speed Bluetooth                         Low-Energy Bluetooth
Principal Benefit    Good performance at low power   High-speed transfers available when needed   Ultra-long battery life and ultra-fast setup times
Speed                Up to 3 Mbps                    Up to about 24 Mbps                          Up to 200 kbps
Expected Duty Cycle  Low to High                     Low to High                                  Very Low
Power Required       Low                             High                                         Very Low
Distance             ~10 m                           ~30 m                                        ~15 m
Setup Time           < 6 s                           Not Given                                    < 3 ms
7.14: Bluetooth Operation
A device, in this case the Desktop, can be simultaneously a master and a slave.
Bluetooth Profiles
◦ 802.11 did not have to develop application standards. Many standards already existed.
◦ But standards did not exist for new short-distance applications such as printing to a printer.
◦ The Bluetooth Special Interest Group had to develop various standards in addition to radio transmission standards.
◦ It called these Bluetooth profiles.
7.15 Bluetooth Peering and Binding
Peering
◦ When two devices first encounter each other, they must go through a negotiation process.
◦ This negotiation process is called peering here; the Bluetooth specifications call it pairing.
◦ It involves the exchange of device information.
◦ It may involve authentication.
◦ It may also involve one or both of the device owners explicitly deciding if the two devices should be allowed to communicate (for example, confirming a displayed numeric code). Pairing methods with no user confirmation, such as "Just Works", give no protection against an active attacker who inserts himself during pairing.
Service Discovery Protocol (SDP)
◦ Peering uses the Service Discovery Protocol (SDP).
◦ Normally, a device is in discoverable mode.
◦ If it receives a Service Discovery Protocol request, it will send information about itself:
  Name
  Device class
  Bluetooth profiles supported
  Technical information such as manufacturer's name
◦ Because this information is handed to anyone who asks, devices should be left discoverable only while pairing; a device that is permanently discoverable advertises its name and profiles to everyone in range.
Binding
◦ After peering is complete, the two devices are bound (bonded, in Bluetooth terminology: each stores the link key for the other).
◦ They can begin communicating.
◦ If they are brought together later, they are still bound.
◦ They will begin communication without the peering process.
◦ This allows fast setup.
◦ The owner of either device can end the binding by deleting the stored pairing.
7.16: Frequency Hopping Spread Spectrum
802.11 Wi-Fi uses 20 MHz or 40 MHz channels in the 2.4 GHz and 5 GHz bands.
Bluetooth operates in the 2.4 GHz band.
Classic Bluetooth divides the band into 79 channels, each 1 MHz wide (Bluetooth Low Energy uses 40 channels of 2 MHz).
Bluetooth radios hop among the frequencies up to 1,600 times per second.
These radios avoid channels where other devices (including 802.11 devices) are active; this is called adaptive frequency hopping.
7.17: Near Field Communication (NFC)
7.18: Possible NFC Apps
Payment of bus fares (already popular in some countries)
Opening car doors
Turning on the ignition
Building door entry control
Sharing business cards
Sharing webpages between mobile devices
Retail payments, including loyalty points and coupons (beginning to be popular)
NFC posters with tap points for more communication
Passive Radio Frequency ID (RFID) Tags
7.19 Passive Radio Frequency ID Tags
Radio frequency ID tags contain information about an item.
A passive RFID tag has no internal power source.
When read by an NFC device, the reader's field supplies the power for the response.
13.56 MHz was specified by ISO/IEC (ISO/IEC 14443 proximity cards) for passive RFID tags long before the NFC standards were created.
With sensitive antennas, NFC transmission can be eavesdropped upon from a distance well beyond the nominal 10 cm.
7.20 Ultrawideband Transmission
Enormously wide channels
Very low power per hertz to avoid interfering with other transmissions
Very high speeds over short distances (~10 m)
7.21 Security in Emerging Wireless Technologies
Threats
◦ Eavesdropping
◦ Data modification
◦ Impersonation
◦ Denial-of-service attacks
Cryptographic Security
◦ Some local wireless technologies have no cryptographic security.
◦ Example: Near field communication for reading passive ID tags.
◦ They rely on short transmission distances to foil eavesdroppers.
◦ Directional antennas and amplifiers can defeat this, so data on such tags should be treated as readable by any attacker nearby.
Strength of Security
◦ Some have reasonably good security.
◦ Example: Bluetooth
◦ However, it is still not as strong as 802.11i and WPA security.
Device Loss or Theft
◦ In this age of bring your own device (BYOD) to work, this is a serious problem.
◦ Most devices are protected only by short PINs; a short PIN protects the data only when the platform also encrypts storage and supports remote wipe.
Maturity
◦ In general, new security technologies take some time to mature.
◦ During this period, they often have vulnerabilities that must be fixed quickly.
◦ User companies must master security for each new technology.
Where We’ve Been
802.11 Security
802.11 LAN management
Other local wireless technologies