Wireless Network Security - The Basics of Securing a Wireless LAN
Network Authentication Process
The process of a client associating and authenticating to an access point is standard. Should shared key authentication be selected at the client, there are additional packets sent confirming the keys authenticity.
The following describes EAP network authentication.
1. Client sends probe to all access points
2. Access point sends information frame with data rate etc
3. Client selects nearest matching access point
4. Client scans access point in order of 802.11a, 802.11b then 802.11g
5. Data rate is selected
6. Client associates to access point with SSID
7. With EAP network authentication the client authenticates with RADIUS server
Open Authentication
This type of security assigns a string to an access point or several access points defining a logical segmented wireless network known as a service set identifier (SSID). The client can't associate with an access point unless it is configured with that SSID. Associating with the network is as easy as determining the SSID from any client on the network. The access point can be configured to not broadcast the SSID improving security somewhat. Most companies will implement static or dynamic keys to supplement security of SSID.
Static WEP keys
Configuring your client adapter with a static wired equivalency private (WEP) key improves the security of your wireless transmissions. The access point is configured with the same 40 bit or 128 bit WEP key and during association those encrypted keys are compared. The issue is hackers can intercept wireless packets and decode your WEP key.
Dynamic WEP keys (WPA)
The deployment of dynamic encrypted WEP keys per session strengthens security with a hash algorithm that generates new key pairs at specific intervals making spoofing much more difficult. The protocol standard includes 802.1x authentication methods with TKIP and MIC encryption. Authentication between the wireless client and authentication RADIUS server allows for dynamic administration of security. It should be mentioned that each authentication type will specify Windows platform support. An example is PEAP which requires Windows XP with service pack 2, Windows 2000 with SP4 or Windows 2003 at each client.
The 802.1x standard is an authentication standard with per user and per session encryption with these supported EAP types: EAP-TLS, LEAP, PEAP, EAP-FAST, EAP-TTLS and EAP-SIM. User network authentication credentials have nothing to do with the client computer configuration. Any loss of computer equipment doesn't affect security. The encryption process is handled with TKIP an enhanced encryption standard improving WEP encryption with per packet key hashing (PPK), message integrity checking (MIC) and broadcast key rotation. The protocol uses 128 bit keys for encrypting data and 64 bit keys for authentication. The transmitter adds some bytes or MIC to a packet before encrypting it and the receiver decrypts and verifies the MIC. Broadcast key rotation will rotate unicast and broadcast keys at specific intervals. Fast reconnect is a WPA feature that is available allowing employees to roam without having to re-authenticate with the RADIUS server should they change floors or rooms. The client username and password is cached with the RADIUS server for a specified period.
EAP-FAST
• Implements symmetric key algorithm to build secure tunnel
• Client and RADIUS server side mutual authentication
• Client sends username and password credential in secure tunnel
EAP-TLS
• SSL v3 builds an encrypted tunnel
• Client side and RADIUS server side assigned PKI certificates with mutual authentication
• Dynamic per client per session keys used to encrypt data
Protected EAP (PEAP)
• Implemented at Windows clients with any EAP authentication method
• Server side RADIUS server authentication with root CA digital certificate
• Client side authentication with RADIUS server from Microsoft MS-CHAP v2 client with username and password encrypted credentials
Wireless Client EAP Network Authentication Process
1. Client associates with access point
2. Access point allows 802.1x traffic
3. Client authenticates RADIUS server certificate
4. RADIUS server sends username with password encrypted request to client
5. Client sends username with password encrypted to RADIUS server
6. RADIUS server and client derive WEP key. RADIUS server sends WEP key to access point
7. Access point encrypts 128 bit broadcast key with that dynamic session key. Sends to client.
8. Client and access point use session key to encrypt/decrypt packets
WPA-PSK
WPA pre-shared keys use some features of static WEP keys and dynamic key protocols. Each client and access point is configured with a specific static passcode. The passcode generates keys that TKIP uses to encrypt data per session. The passcode should be at least 27 characters to defend against dictionary attacks.
WPA2
The WPA2 standard implements the WPA authentication methods with Advanced Encryption Standard (AES). This encryption method is deployed with government implementations etc. where the most stringent security must be implemented.
Application Layer Passcode
SSG uses a passcode at the application layer. Client can't authenticate unless they know the passcode. SSG is implemented in public places such as hotels where the client pays for the password allowing access to the network.
VLAN Assignments
As noted companies will deploy access points with SSID assignments that define logical wireless networks. The access point SSID will then be mapped to a VLAN on the wired network that segments traffic from specific groups as they would with the conventional wired network. Wireless deployments with multiple VLANs will then configure 802.1q or ISL Trunking between access point and Ethernet switch.
Miscellaneous Settings
- Turn Microsoft File Sharing OFF
- Implement AntiVirus Software and Firewall
- Install your company VPN client
- Turn OFF Auto Connect to any wireless network
- Never use AdHoc Mode - this allows unknown laptops to connect
- Avoid signal overrun with a good site survey
- Use minimal transmit power setting
Anti Theft Option
Some access points have an anti theft option available using padlock and cabling to secure equipment while deployed in public places. This is a key feature with public implementations where access points can be stolen or there is some reason why they must be mounted below the ceiling.
Security Attacks
• Wireless packet sniffers will captures, decode and analyzes packets sent between the client computer and AP. The purpose is to decode security information.
• Dictionary attacks attempt to determine the decryption key configured on the wireless network using a list or dictionary with thousands of typical passcode phrases. The hacker captures information from the authentication process and scans each dictionary word against the password until a match is found.
• The specific mode assigned each wireless client affects security. Ad Hoc mode is the least secure option with no AP authentication. Each computer on the network can send information to an Ad Hoc neighbor computer. Select infrastructure mode where available.
• IP spoofing is a common network attack involving faking or replacing the source IP address of each packet. The network device thinks its communicating with an approved computer.
• SNMP is sometimes a source of compromised security. Implement SNMP v3 with complex community strings.
No comments:
Post a Comment