Wireless Network (WLAN) Security

Both residential and business wireless local area networks (WLANs) have proliferated around the world and are often an inviting target for attackers, whether those attackers want to compromise your data or resources, or simply get free access to the Internet.

The CISSP candidate should understand the basic WLAN components and architectures, and various WLAN security protocols and their vulnerabilities.

WLAN components and architectures

The basic components of a WLAN (also known as a WiFi network) include client devices, wireless network cards, and wireless access points (APs).

Client devices and wireless cards

Client devices in a WLAN include desktop and laptop PCs, PDAs, and other mobile devices (such as smartphones, iPhones, medical devices, and barcode scanners). Wireless network interface cards (WNICs), or wireless cards, come in a variety of form factors such as PCI adapters, PC cards, and USB adapters, or they are built into wireless-enabled devices, such as laptop PCs, PDAs, and smartphones.

Access points (APs)

Wireless access points (APs) are transceivers that connect wireless clients to the wired network. Access points are base stations for the wireless network. They’re essentially hubs (or routers) operating in half-duplex mode — they can only receive or transmit at a given time; they can’t do both at the same time. Wireless access points also need antennas so that they can transmit and receive data. The four basic types of wireless antennas include:

- Omni-directional: The most common type of wireless antenna, omni-directional antennas are essentially short poles that transmit and receive wireless signals with equal strength in all directions around a horizontal axis.

- Parabolic: Also known as dish antennas, parabolic antennas are directional dish antennas made of meshed wire grid or solid metal. Parabolic antennas are used to extend wireless ranges over great distances.

- Sectorized: Similar in shape to omni-directional antennas, sectorized antennas have reflectors that direct transmitted signals in a specific direction (usually a 60- to 120-degree pattern) to provide additional range and decrease interference in a specific direction.

- Yagi: Similar in appearance to a small aerial TV antenna, yagi antennas are used for long distances in point-to-point or point-to-multipoint wireless applications.

Access points and the wireless cards that connect to them must use the same WLAN 802.11 standard or be backward-compatible. See the section “WLAN technologies and protocols,” earlier in this chapter, for a list of the 802.11 specifications.

Access points (APs) can operate in one of three modes:

- Root mode: The default configuration for most APs. The AP is directly connected to the wired network, and wireless clients access the wired network via the wireless access point. Also known as infrastructure mode.

- Repeater mode: The AP doesn’t connect directly to the wired network, but instead provides an upstream link to another AP, effectively extending the range of the WLAN. Also known as stand-alone mode.

- Bridge mode: A rare configuration that isn’t supported in most APs. Bridge mode is used to connect two separate wired network segments via a wireless access point.

Tip: Ad hoc is a type of WLAN architecture that doesn’t have any APs. The wireless devices communicate directly with each other in a peer-to-peer network.

WLAN security techniques and protocols

Security on wireless networks, as with all security, is best implemented by using a defense-in-depth approach. Security techniques and protocols include SSIDs, WEP, and WPA.

Service Set Identifier (SSID)

An SSID is a name (up to 32 characters) that uniquely identifies a wireless network. A wireless client must know the SSID to connect to the WLAN. However, most APs broadcast their SSID (or the SSID can be easily sniffed), so the security provided by an SSID is largely inconsequential.
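Why the SSID offers no secrecy, shown as an added example (not from the original text): a parser for the body of an 802.11 beacon frame, where the SSID travels unencrypted as information element 0. The sample beacon bytes and the name CorpWLAN are constructed for illustration; the "hidden" check (zero-length or zero-filled SSID) goes slightly beyond the paragraph above.

```python
import struct

def parse_beacon_body(body: bytes) -> dict:
    """Parse the 12 fixed bytes and the tagged elements of a beacon frame body."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than its 12 fixed bytes")
    _timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
    info = {"interval": interval,
            "privacy": bool(capability & 0x0010),   # encryption required
            "ssid": None, "hidden": False}
    pos = 12
    while pos + 2 <= len(body):                     # elements: ID, length, value
        eid, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        if eid == 0:                                # element ID 0 carries the SSID
            if length > 32:
                raise ValueError("SSID longer than 32 bytes")
            info["hidden"] = length == 0 or not any(value)
            info["ssid"] = value.decode("utf-8", "replace")
        pos += 2 + length
    return info

def build_beacon_body(ssid: bytes, capability: int = 0x0411) -> bytes:
    """Build a constructed beacon body: fixed fields, SSID, supported rates."""
    fixed = struct.pack("<QHH", 0, 100, capability)
    rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
    return fixed + bytes([0, len(ssid)]) + ssid + rates

# Constructed samples, not captured traffic.
BROADCAST = parse_beacon_body(build_beacon_body(b"CorpWLAN"))
CLOAKED = parse_beacon_body(build_beacon_body(b""))

if __name__ == "__main__":
    print(BROADCAST)
    print(CLOAKED)
```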

Wired Equivalent Privacy (WEP)

As its name implies, WEP was originally conceived as a security protocol to provide the same level of confidentiality that wired networks have. However, significant weaknesses were quickly uncovered in the WEP protocol.

WEP uses an RC4 stream cipher for confidentiality and a CRC-32 checksum for integrity. WEP uses either a 40-bit or 104-bit key with a 24-bit initialization vector (IV) to form a 64-bit or 128-bit key. (See Chapter 8 for more on stream ciphers, checksums, and initialization vectors.) Because of the relatively short initialization vector used (and other flaws), WEP keys can be easily cracked by readily available software in a matter of minutes.

WEP supports two methods of authentication:

- Open System authentication: Doesn’t require a wireless client to present credentials during authentication. After the client associates with the access point, WEP encrypts the data that’s transmitted over the wireless network.

- Shared Key authentication: Uses a four-way handshake to authenticate and associate the wireless client with the access point, then encrypts the data.

Despite its many security flaws, WEP is still widely used in both residential and business networks as the default security protocol. WEP security can be enhanced by using tunneling protocols such as IPSec and SSH (see Chapter 8), but other security protocols are available to enhance WLAN security, as discussed in the following section.

WiFi Protected Access (WPA and WPA2)

WPA and WPA2 provide significant security enhancements over WEP and were introduced as a quick fix to address the flaws in WEP while the 802.11i wireless security standard was being developed.

WPA uses the Temporal Key Integrity Protocol (TKIP) to address some of the encryption problems in WEP. TKIP combines a secret root key with the initialization vector by using a key-mixing function. WPA also implements a sequence counter to prevent replay attacks and a 64-bit message integrity check. Despite these improvements, WPA that uses TKIP is now considered insufficient because of some well-known attacks.

WPA and WPA2 also support various EAP extensions (see the section “Remote access,” earlier in this chapter) to further enhance WLAN security. These extensions include EAP-TLS (Transport Layer Security), EAP-TTLS (Tunneled Transport Layer Security), and Protected EAP (PEAPv0 and v1).

Further security enhancements were introduced in WPA2. WPA2 uses the AES-based algorithm Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), which replaces TKIP and WEP to produce a fully secure WLAN protocol.
