MODULE 30

Wireless Hardening


In the last module, we discussed the different wireless attacks that can be conducted on a wireless network. We talked about attacks such as rogue access points, jamming, evil twins, and Bluetooth attacks, among others. In previous modules, we discussed how to harden networks and hosts against the different types of attacks that they can be subjected to. It’s just as important to harden wireless access points and clients as well, to reduce the risk and effectiveness of wireless attacks.

In this module, we’ll talk about hardening wireless networks. We’ll discuss how to configure wireless access points and hosts securely, by locking down wireless protocols, using authentication methods, and other configuration items. We’ll talk about the overall security considerations with wireless networks, such as antenna types, transmit power, and placement; site surveys, and other issues important to the general security posture of wireless networks.

Wireless security is made up of the different components of both wireless and wired networks, such as devices, protocols, authentication and encryption methods, and secure configurations. We’re going to look at each of these in turn and discuss how to secure them effectively against attack. First, let’s take a look at wireless security protocols and discuss the best way to use them to secure wireless traffic.

Wireless Security Protocols

When wireless networking was first adopted in the consumer and business markets, no secure wireless protocols were available to prevent eavesdropping and traffic interception. As people became more security conscious, they realized that they needed encryption and authentication protection on wireless networks, as they had on wired networks. Even though the wireless medium is different, security was still a necessity. This resulted in the development of several security protocols, with varying degrees of effectiveness, which have been slowly implemented in wireless networks over the years. As technologies have improved, these wireless security protocols have improved as well, including newer and more secure methods of authenticating devices and encrypting traffic. In the next few sections, we’ll discuss the different wireless security protocols, their advantages and disadvantages, and how you should implement them in your wireless network.

WEP

Wired networks have the advantage of having both ends of a cable terminated and protected, as well as the length of the cable usually routed inside a ceiling or wall, making it difficult for someone to access if they wanted to cut the cable or tap into it to intercept data. A hacker has to tap into the cable or plug into the switch or wall jack to access a wired network, unless they can get to it from the outside through a firewall or external network. In wireless networks, there are no physical barriers on the medium. Radio waves propagate throughout the air beyond the barriers of walls of the facility and the company’s network, and they can be intercepted by anyone, even someone outside the company.

We discussed Wired Equivalent Privacy (WEP) in the previous module and pointed out that it was the first attempt at using a wireless security protocol to secure wireless networks. WEP was an effort of the Wi-Fi Alliance to bring wireless networks up to the same level of security and privacy as wired networks. Before WEP, wireless traffic was not encrypted at all, making it easy for someone to intercept data simply by receiving the radio signals from the clients or wireless access points. WEP sought to change all that by providing some measure of authentication and encryption. WEP was first implemented in 802.11b standard networks, the version of the early IEEE wireless standards that was most widely adopted by consumers and businesses.

WEP uses both 64-bit and 128-bit keys, which are actually very small key sizes compared to other types of security protocols. The 802.11b standard requires a 64-bit key, although later versions of WEP could use the longer key length. In actual practice, however, the key length is limited to 40 bits and 104 bits, respectively, due to the 24-bit initialization vector (IV) WEP requires to seed its keys. This IV is also considered smaller than what is preferred in a security protocol. WEP also uses static keys that do not change once they are used for a particular communications session. Unfortunately, WEP also uses small passwords as its keys, which consist of 6- (for 40-bit keys) or 10-character (for 104-bit keys) passwords, adding to its problems.


The wireless industry considers WEP obsolete and told manufacturers to stop supporting WEP in all wireless devices back in 2012.

WEP has been repeatedly broken, starting very shortly after it was implemented, as it has several security flaws that make it unsuitable for modern wireless networks. It is usually found on legacy devices that use older 802.11b network cards and software. These legacy devices usually can’t support more modern, secure wireless security protocols, hardware, and applications. These devices should be replaced as soon as possible, since they provide an attacker a way into the wireless network and possibly into any networks to which it is connected. If WEP must be used, due to backward-compatibility with equipment or applications that can’t be easily or quickly replaced, a mitigation for this risk is to use another security protocol, such as IPsec or SSH, to protect traffic between WEP-enabled devices. This can create performance issues, however, and adds to the security complexity of the network, so this should be a last resort solution.

RC4

Earlier in the book we discussed symmetric protocols. You may remember that RC4 is the primary streaming protocol that you should know for the exam. RC4 was built into WEP as its encryption protocol and was very efficient because, as a streaming protocol, it rapidly encrypts plaintext 1 bit at a time, rather than an entire block at a time. It uses a wide range of key sizes, from 40-bit to 2048-bit keys.


Wireless devices often have an encryption setting that lets you choose between Advanced Encryption Standard (AES), Temporal Key Integrity Protocol (TKIP), and mixed mode. In mixed mode, both AES and TKIP are supported. Mixed mode is not recommended.

RC4 alone is not necessarily a weak protocol and is found in other secure protocol implementations beyond WEP. However, WEP poorly implemented the RC4 protocol, adding to the already numerous security flaws found in its design. For this reason, as well as the issues involved with small initialization vectors, small key size, and static key repetition, WEP is not suitable for use in modern wireless networks and should be avoided whenever possible.

WPA

Wi-Fi Protected Access (WPA) was introduced in 2003 when the industry recognized the inherent security flaws in WEP and realized they needed to do something very quickly to stem the growing problem of unsecured wireless networks using WEP. The IEEE began developing a new security protocol standard for wireless networks, known as 802.11i, but the standard was delayed for various reasons. The Wi-Fi Alliance went ahead and implemented what was really a stopgap measure in the interim to replace WEP. The result was WPA, which was implemented in newer 802.11g wireless networks.

WPA has several advantages over WEP, including the use of dynamic keys and larger key sizes. WPA, also unlike WEP, requires either no authentication, authentication to a RADIUS server (Enterprise Mode – WPA-ENT), or the use of a pre-shared key. The pre-shared key setup, originally conceived for personal or small business infrastructure networks, is called WPA-Personal (sometimes referred to as WPA-PSK, for Pre-shared Key), and can be used to authenticate wireless client devices and wireless access points mutually. WPA-Enterprise, robust but complex and hard to use, was developed for larger infrastructures and requires the use of the 802.1X authentication protocol, which we will cover a bit later in the module.

Figure 30-1 lists the different protocol options found on wireless routers.

Figure 30-1 Wireless protocol choices on a wireless network

TKIP

We briefly mentioned the Temporal Key Integrity Protocol (TKIP) in the previous module as well, and it is the protocol used in WPA for generating encryption keys. TKIP makes it possible to use dynamic keys, which are generated on a per-packet basis. This means the keys are not repeated for different transmissions, but require a different encryption key on each individual packet. TKIP allows for the use of 128-bit keys and uses a 48-bit initialization vector. TKIP also uses an improved implementation of the same RC4 stream cipher that WEP uses, although much more securely, for backward-compatibility with legacy WEP.

WPA2

Wi-Fi Protected Access, version 2, was the name of the final official implementation of the 802.11i wireless security protocol standard developed by the IEEE. It offers several improvements over the original WPA, but is backward-compatible due to its inclusion of TKIP in its protocol suite. WPA2 primarily uses AES as its symmetric encryption protocol of choice, abandoning RC4. Like WPA, WPA2 also has two different implementations: WPA2-Personal (using a pre-shared key), and WPA2-Enterprise, which work the same way as they do in WPA. A WPA/WPA2 passphrase can be from 8 to 63 case-sensitive ASCII characters, or 64 hexadecimal characters. Now, this passphrase is not the actual WPA/WPA2 key; the passphrase is used to generate the 256-bit pre-shared key that must be entered into all wireless devices on the same wireless network. Note that this is different from the way WEP implements its passwords; the WPA/WPA2 passphrase is not the key itself.
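The passphrase-to-key step described above, as an added example that is not from the module: IEEE 802.11i derives the 256-bit pre-shared key with PBKDF2-HMAC-SHA1, using the SSID as the salt and 4096 iterations. The function names and the sample passphrases and SSIDs are assumptions made for this illustration.

```python
import hashlib
import string

# ASCII characters allowed in a WPA/WPA2 passphrase (codes 32 to 126).
PRINTABLE = {chr(c) for c in range(32, 127)}


def wpa_psk(passphrase, ssid):
    """Return the 256-bit pre-shared key for a WPA/WPA2-Personal network."""
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")

    # 64 hexadecimal characters are the 256-bit key itself, entered directly.
    if len(passphrase) == 64 and all(c in string.hexdigits for c in passphrase):
        return bytes.fromhex(passphrase)

    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters, or 64 hex digits")
    if not set(passphrase) <= PRINTABLE:
        raise ValueError("passphrase must be printable ASCII")

    # The SSID is the salt, so one passphrase yields a different key on every
    # network name. 4096 rounds of HMAC-SHA1, 32 bytes (256 bits) of output.
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, 4096, dklen=32
    )


def keys_match(ap, client):
    """True when two (passphrase, ssid) profiles derive the same key."""
    return wpa_psk(*ap) == wpa_psk(*client)


if __name__ == "__main__":
    # Constructed sample profiles for illustration only.
    ap = ("Sample-Passphrase-1", "corp-wlan")
    profiles = {
        "identical profile": ("Sample-Passphrase-1", "corp-wlan"),
        "wrong letter case": ("sample-passphrase-1", "corp-wlan"),
        "wrong SSID": ("Sample-Passphrase-1", "corp-wlan2"),
    }
    print("AP key:", wpa_psk(*ap).hex())
    for label, profile in profiles.items():
        print(f"{label:18} -> keys match: {keys_match(ap, profile)}")
```

Because the key depends on both values, a client profile with the right passphrase but a mistyped or differently cased SSID derives a different key and fails to associate.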

AES

The Advanced Encryption Standard is used by a wide variety of encryption applications. It was adopted as the official encryption standard for the United States by the National Institute of Standards and Technology (NIST), after an open competition with several different competing algorithms. AES uses the Rijndael encryption algorithm and is considered much stronger than previous symmetric algorithms used in wireless networking, such as RC4.

AES is the preferred encryption algorithm used in WPA2 and uses a particular process, or mode, within WPA2 to encrypt traffic. This mode is called the Counter-mode (CTR) Cipher Block Chaining Message Authentication Code Protocol (CBC-MAC) or, adding it all together, CCMP. CCMP uses a 128-bit key and 128-bit block size (since it is a block symmetric cipher, as opposed to the streaming RC4 symmetric cipher used in WEP and WPA), as well as 48-bit IVs. The larger IV sizes help prevent replay attacks from being conducted against WPA2.

So What Do We Use?

If you’re installing an 802.11 network, the Wi-Fi Alliance states that you must use either WPA2-ENT or WPA2-PSK with a robust password. On all my PSK networks I make a point to use a 15 to 20-character length password. Here’s one of my favorites (please don’t hack me): ioncelivedinsedalia.

Wireless Authentication

We’ve spent some time discussing wireless encryption, as well as wireless authentication, between a simple wireless client and its access point. Most of the discussion has been very general and could apply to small home wireless networks, small business networks, and even, to a degree, large enterprise-level wireless networks. Now let’s take a moment to talk about the enterprise side of wireless networking, which usually involves more complex authentication methods and may involve using a wireless network to connect into a larger corporate wired network. We’ll talk about different authentication methods and protocols that are primarily used in enterprise infrastructures, particularly when using the more advanced features of WPA and WPA2.


The built-in wireless client in Windows usually lacks the features to connect to 802.1X wireless networks. Third-party clients are often required.

802.1X

802.1X is an IEEE standard, just like the 802.3 Ethernet standards and 802.11 wireless networking standards. The great thing is that, while 802.1X is probably most seen on corporate wireless networks as the preferred form of authentication, it is not a wireless standard at all and can be used in wired networks as well. This actually makes it easier for wireless and wired networks to interoperate, since they can use the same authentication methods and can connect to each other quite easily. 802.1X is called a port-based access control method and can use a wide variety of different security protocols. In that respect, it’s more of a security authentication framework than a protocol itself, since it allows various protocols to be used for authentication.

802.1X uses some interesting terms you may need to be familiar with for the exam. First, a wireless client device is known as a supplicant in an 802.1X environment. A wireless access point that uses 802.1X authentication methods is called the authenticator, and the source providing the authentication services to the wireless network is called the authentication server. 802.1X is interoperable with a number of remote access services and protocols, such as RADIUS and TACACS+, as well as centralized authentication databases such as Active Directory. This enables wireless clients to authenticate to traditional infrastructures using these different types of services.

Remember from our previous discussion on WPA and WPA2 that they both can use pre-shared keys for the personal versions of their implementation, or 802.1X for the enterprise implementation. This is the context we’re speaking in now. When using this type of enterprise implementation, you can not only authenticate WPA and WPA2 devices with each other, but you can also require the users themselves to authenticate with the network they are connecting to. So not only are you certain that unauthorized devices can’t connect to the network, but the user operating the device must be authorized as well. 802.1X has the ability to use several different types of authentication protocols, including the Extensible Authentication Protocol (EAP) and its variants, which we’ll discuss next.

EAP

Like the 802.1X authentication protocol, EAP isn’t so much a protocol as a security framework that provides for varied authentication methods. Many different protocols actually fit into the EAP framework, and that’s really why it was devised in the first place. EAP recognizes that there are several different authentication methods, including certificate-based authentication and other multifactor authentication methods, such as smart cards and so on. EAP can still allow the traditional username/password combination of authentication as well. EAP also allows for mutual authentication between devices as well as directory-based authentication services. There are several different variations of EAP, some older, and some more suitable for use than others. These include EAP-TLS, Protected EAP (PEAP), EAP-MD5, and even the old MS-CHAPv2 used in older Microsoft clients, now known as EAP MS-CHAPv2. Let’s talk about a couple of these variants, PEAP and LEAP.

PEAP

Protected EAP (PEAP) is a version of EAP that uses Transport Layer Security (TLS). It was originally invented to correct problems with EAP and was developed as an open protocol by different vendors, such as Microsoft, RSA, and Cisco. PEAP is similar to an earlier version of EAP known as EAP-TLS and requires a digital certificate on the server side of a connection to create a secure TLS tunnel. There are different versions of PEAP, depending upon the implementation and operating system, but all typically use digital certificates or smart cards for authentication.

LEAP

Lightweight Extensible Authentication Protocol (LEAP) is a proprietary protocol developed by Cisco and used in their wireless LAN devices for authentication. LEAP uses dynamic WEP keys and provides for mutual authentication between wireless clients and a centralized RADIUS server. LEAP requires wireless clients to reauthenticate periodically, and when they do, they must use a new WEP key. While this older version of EAP was meant to address some of the issues with WEP, it also had similar security issues. Cisco has since replaced LEAP with other versions to address some of the security flaws, and now LEAP is not widely used. (See Figure 30-2.)

Figure 30-2 Configuring 802.1X on a Windows wireless client

Wireless Security Considerations

In addition to secure protocols and authentication methods, you should be aware of other wireless security considerations when securing your wireless networks. Some of these have to do with other configuration options on the access point, such as Service Set Identifier (SSID) broadcasting and media access control (MAC) filtering. Others have to do with physical aspects of wireless security, such as antenna type and placement, as well as power levels. In the following sections, we will discuss how to tackle these other security considerations and the importance of doing site surveys to ensure the security of your wireless networks.

SSID Broadcasting

The SSID is the wireless network name. This name is usually broadcast out to let wireless clients know that it exists. Nontechnical users rely on SSID broadcasting to locate and connect to networks. Early on in the wireless revolution, standard security practices held that in order to secure a wireless network, you should keep the SSID from broadcasting; this was a practice called SSID hiding or cloaking. This practice prevented casual wireless snooping and was meant to keep unauthorized people from connecting to a wireless network. The theory was that if they couldn’t see the network name, they couldn’t connect to it. However, these days, most wireless network clients can pick up all of the nearby wireless networks, even if they have cloaked SSIDs. And you can easily install software on a wireless client that can tell you what the wireless SSID is, simply because wireless clients can also broadcast SSID information out. Even if people can’t see the network name, they will see that an unknown wireless network does exist. Then a determined hacker can connect to it.

In reality, SSID cloaking is not really an effective security measure, simply because it’s very easy to detect that the wireless network exists through other means. So it may keep out the average 9-year-old hacker or a nontechnical person, but it probably won’t keep out a determined malicious attacker. In addition to cloaking SSIDs, many security administrators also recommend renaming the SSIDs from the default wireless access point name that is usually broadcast when you first install an access point. This may be a good idea to help users connect to the correct network, but from a security perspective it isn’t really effective and may actually confuse users, causing them not to be able to connect to a wireless network. Cloaking is typically not an effective security measure, but you can use it in addition to using more secure methods such as WPA2.

MAC Filtering

Remember that the MAC address is burned into every single network card manufactured, including wireless network cards, and these addresses are used the same way. Remember that the MAC address is a 12-digit hexadecimal number that identifies the manufacturer of the card and the individual card itself. Because it can identify the individual network card, and by extension the client, some administrators filter wireless network access by the MAC address of the client. Most wireless access points have the ability to do MAC filtering, either allowing or denying a particular MAC address (and the host that has the MAC address) on the network.

MAC filtering is frequently used as a security measure, since it can deny access to wireless network cards that are listed in a table on the access point. However, you should know that it’s quite simple to spoof a MAC address, so, like SSID cloaking, this isn’t a very effective security measure and should not be used by itself to protect a wireless network.

The other part about MAC filtering is that if you are going to use it as a security measure (in conjunction with other more secure measures, hopefully), you should configure MAC filtering to allow certain MAC addresses only, rather than attempt to deny certain MAC addresses. This is simply because you can deny only what you know about; of course, it’s difficult to deny a MAC address that you don’t know exists. So MAC address filtering should be used on a default deny basis (deny all), with only a few addresses as exceptions. Figure 30-3 shows my home WAP’s MAC filtering settings.

Figure 30-3 Configuring MAC filtering
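The checks from the protocol, SSID broadcasting, and MAC filtering sections, applied to an access point configuration. This is an added example, not from the module; it assumes the access point runs hostapd (which the module does not mention), and both sample configurations and the finding codes are constructed for illustration.

```python
SAMPLE_WEAK = """\
# Constructed sample configuration, not taken from the module.
ssid=corp-wlan
ignore_broadcast_ssid=1
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=sedalia1
macaddr_acl=0
deny_mac_file=/etc/hostapd.deny
"""

SAMPLE_HARDENED = """\
# Constructed sample configuration, not taken from the module.
ssid=corp-wlan
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=constructed-sample-20
macaddr_acl=1
accept_mac_file=/etc/hostapd.accept
"""

MIN_PASSPHRASE = 15  # lower end of the 15 to 20 characters the module's author uses


def parse_conf(text):
    """Parse hostapd-style key=value lines, skipping comments and blank lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return a list of (code, advice) findings for one configuration."""
    conf = parse_conf(text)
    findings = []
    wpa = int(conf.get("wpa", "0"))  # bit 0 enables WPA, bit 1 enables WPA2

    if any(key.startswith("wep_key") for key in conf):
        findings.append(("WEP", "static WEP keys are set; move to WPA2"))
    elif wpa == 0:
        findings.append(("OPEN", "no WPA or WPA2 enabled; traffic is unencrypted"))
    if wpa & 1:
        findings.append(("WPA1", "original WPA is enabled; set wpa=2 for WPA2 only"))

    # Collect the pairwise ciphers in effect. hostapd documents rsn_pairwise
    # as defaulting to the wpa_pairwise value when it is not set.
    ciphers = set()
    if wpa & 1:
        ciphers |= set(conf.get("wpa_pairwise", "").split())
    if wpa & 2:
        ciphers |= set(conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).split())
    if wpa and not ciphers:
        findings.append(("CIPHER-UNSET", "pin the cipher with rsn_pairwise=CCMP"))
    if "TKIP" in ciphers:
        findings.append(("TKIP", "TKIP or mixed mode is offered; allow CCMP (AES) only"))

    passphrase = conf.get("wpa_passphrase")
    if passphrase is not None and len(passphrase) < MIN_PASSPHRASE:
        findings.append(("SHORT-PSK", f"passphrase is under {MIN_PASSPHRASE} characters"))

    if conf.get("ignore_broadcast_ssid", "0") != "0":
        findings.append(("SSID-CLOAK", "SSID is hidden; this is no substitute for WPA2"))

    # macaddr_acl=0 accepts everything except the deny list; macaddr_acl=1
    # denies everything except the accept list (default deny).
    acl = conf.get("macaddr_acl", "0")
    if acl == "0" and "deny_mac_file" in conf:
        findings.append(("MAC-DENYLIST", "use macaddr_acl=1 with accept_mac_file"))
    if acl == "1" and "accept_mac_file" not in conf:
        findings.append(("MAC-NO-LIST", "default deny is set but no accept list is given"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"[{name}]")
        for code, advice in audit(text) or [("OK", "no findings")]:
            print(f"  {code:13} {advice}")
```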

Antenna Types

Standard 802.11 wireless implementations use different antenna types, which have different performance and security considerations. You may see different types and shapes of antennas; the way they are constructed can help determine the antenna’s gain and directional capabilities. Gain increases wireless signals but also increases radiofrequency (RF) noise and interference proportionally, so there’s a trade-off between signal strength and noise.

Although you can use antennas that transmit or receive in one or two different directions, most 802.11 wireless antennas are omnidirectional and transmit in all horizontal directions to multiple receivers; this is keeping in line with the point-to-multipoint architecture that wireless networks use. Uni- or semi-directional antennas may help from either a security or performance standpoint, since they can be directed toward a particular access point or direction and will send and receive signals in that direction only.

Antennas are also designed and made based upon the intended frequency band; earlier antennas were specific to either the 2.4 GHz (802.11b/g/n standards), or the 5 GHz (for the 802.11a/n/ac wireless networks) frequency bands. Some antennas can also transmit a stronger signal based upon how they are constructed. Figure 30-4 shows examples of typical wireless antennas. More modern antennas, however, are actually included inside wireless access points and clients, rather than as cumbersome extensions that are easily broken, and Figure 30-5 displays the difference between a newer access point with internal antennas and an older one with external antennas.

Figure 30-4 Examples of wireless antennas

Figure 30-5 Internal and external antennas

Antenna Placement

Antenna placement is important not only in making sure that people are able to get a strong enough signal to access the wireless network, but also for security reasons. An antenna located too close to an outer wall of a facility makes the wireless signal easier to pick up outside a facility, which makes it easier for wardrivers and others to pick up your wireless signal and attempt to hack your network. Ideally, both for performance and security reasons, antenna placement within a facility should be centralized; in other words, antennas should be centrally located throughout different areas of the facility so that they can adequately span all areas of coverage within a facility, without being too close to exterior walls or the roof whenever possible.

Power Level Controls

You may be tempted to think that boosting the power on your wireless access point gives you better performance and enables your clients to connect to your network with a stronger signal. You’d be right about that, except for a couple of things. The first thing is that raising the power levels on your wireless access point beyond a specified level may be illegal in certain areas. Most wireless access points have preset power levels, usually a balance between what’s legally acceptable in its intended region and performance requirements. However, it isn’t too difficult to download nonstandard firmware or software that allows you to change those power levels, sometimes beyond the legal limit allowed in your area. The second thing is that the higher power levels on your access points can adversely affect the security on your network. This is because the more powerful your signal, the farther out that signal is going to be transmitted. So, in addition to all of your authorized clients being able to see the wireless network, get a really good signal, and connect to it, unauthorized people (read: hackers or people looking for free Internet connectivity) will also be able to do the same thing.

In addition to antenna placement being limited to centralized areas within your facility, your antenna power levels should also be reduced to the lowest acceptable point at which users can still receive a strong signal from the network. This prevents the signal from leaving your facility as much as possible. You may even have to lower the power levels and simply provide more access points throughout the facility to keep the signals confined to the immediate area, as a sort of trade-off. It’s probably not realistic to think that you’re going to be fully able to limit stray signals, but limiting them to as short a distance as possible outside your facility can definitely help your security posture, since any would-be hacker may have to get unacceptably close to your building to hack into or connect to your network.

Captive Portals

Captive portals (Figure 30-6) are usually seen on enterprise wireless networks, rather than small office-home office (SOHO) networks. You also may see captive portals in hotels or other businesses that provide wireless network access to customers. Captive portals serve a couple of different functions. First, it may be impractical to share a pre-shared key or device certificate with everyone who is authorized to use the wireless network (think airport customers or hotel guests, for example), but the wireless network may still require some sort of authentication. A captive portal setup allows a wireless client to connect to the wireless network and reach only a single web site, where the users must authenticate to the wireless network before they are allowed to use it any further. A business may provide wireless access for its external partners or customers rather than allowing them to use its interior corporate wireless network. The captive portal would help serve such a function in this case. It allows for authentication and can assist in accounting for wireless network access that has been paid for by a customer. For authorized employees connecting to a corporate network, a captive portal can also serve as a type of network access control, since an otherwise authorized wireless device may have to use certain protocols or have certain requirements present to connect to the network (patches, antivirus signatures, and so on).

Figure 30-6 Mike’s own captive portal

Site Surveys

The site survey is a technical assessment of the area in which a wireless network will be installed and operating. Usually, a site survey is performed before the wireless network is even installed, although sometimes it might be performed periodically when looking at network performance or before expanding the wireless network to accommodate new access points or additional capacity. Site surveys help technical personnel understand the different issues that may be present in an area where the wireless network will be operational. These issues may affect considerations such as area coverage, network growth, access point and antenna placement, required power levels, and even network capacity (level of usage of the wireless network). Some of these issues include proximity to potential interference sources (such as other wireless networks), environmental and physical considerations (physical obstacles that may limit wireless signals, such as buildings, for example), and, of course, potential security issues (public areas where wardriving may happen, for instance). Figure 30-7 illustrates some of the data collected during a survey when using a wireless or RF survey tool.

Figure 30-7 Viewing the Wi-Fi spectrum when performing a site survey

When conducting a site survey, a technician usually measures potential coverage distances, identifies obstacles that may block wireless signals, and performs various tests to see where antenna and access point placement will be optimal. The technician will usually map out the area and identify potential sources of interference, such as power cabling, cell towers, or other radio frequency producing sources. Technicians also should plan for capacity, meaning that they need to know how many users will be connecting to the wireless network at any given time, and what types of data or applications they will be using over the wireless network. Although this might not seem like a security consideration, remember that availability of data is directly tied to security (remember the CIA triad: confidentiality, integrity, availability). Once the site survey has been accomplished, the technician usually provides recommendations to managers and the team that will be installing or expanding the wireless network, so they can configure it optimally for both performance and security.

VPN over Wireless

People in your organization may have occasion to travel, especially if they are members of the sales force or managers who have to attend meetings in offsite locations. Very often they will find themselves in hotels or working at customer or partner sites that do not have secure wireless connections. This may be due to resources, legacy equipment, or lack of trained security or networking personnel on site. In any case, your employees may need to connect securely to your organization’s network to perform their job functions while working remotely. Obviously, you don’t want them to send sensitive data over unsecure wireless networks, where the data may be intercepted and compromised. One solution to this problem is to use virtual private networking (VPN) technologies to secure wireless connections from your mobile employees back to the corporate infrastructure.

Remember from the discussions on VPNs earlier in the book that you can use different protocols and technologies to implement a VPN. As a quick refresher, a site-to-site VPN involves two different VPN concentrators at both the main and the remote sites that connect the two locations together. Clients on either side of the VPN concentrator connect to each other just as they would if they were in the same building over a wired network; however, they are simply going through the VPN concentrator in their own office, which sends encrypted traffic to the other VPN concentrator at the other location. Most of the time, this type of VPN will use either wired or leased lines from the local telecom provider or ISP to provide the Internet connection that the VPN will use. It’s usually the mobile clients (client VPN connections) that may use wireless networks, and those are the ones you really have to worry about.

You should set up a VPN concentrator on the perimeter of your corporate network infrastructure specifically for these mobile clients. It should require both authentication and encryption for all traffic it receives from the mobile clients. On the client side, you may have to set up VPN client software (in the case of VPN connections secured with L2TP and IPsec), and configure the correct settings in the software. Secure Sockets Layer (SSL) VPN connections don’t really require much configuration on the client side, other than possibly installing client side digital certificates, making it so they can easily connect to the corporate VPN via a secure web browsing session. SSL VPN portals are more limited in functionality than when VPN client software is used; the mobile users are limited to what functions they can perform on the secure portal, instead of their computer becoming a virtual member of the corporate network, as is the case when using client VPN software. In either case, however, the connection is much more secure than it would be if the user is forced to use an unsecure wireless network.

Troubleshooting Wireless Security Issues

Most wireless security issues can be traced to three or four different items, usually configuration issues on either the wireless client or the wireless access point. In this section, we’ll discuss the different wireless security configuration issues you might encounter, as well as how to correct them, or at least mitigate the risk involved if they can’t be immediately corrected. These issues involve wireless protocols, authentication, and encryption issues.

Wireless Protocol Issues

Wireless protocol issues can cause a variety of problems with security and connectivity in a wireless network. The first major issue can relate to connectivity, in that different protocols with different configurations on either the client or the access point side can make the clients and access points not communicate properly. For example, if you are using a legacy client with an 802.11b network card in it, it won’t be able to communicate with a modern wireless access point that uses only WPA or WPA2. The solution is to get rid of the legacy client, of course, and use one that can communicate using the newer wireless security protocols. If that’s not possible, then you might be tempted to lower the security settings on the wireless access point to the level of the client. In the case of WEP, that’s really a bad idea for a couple of different reasons. First, of course, it lowers the security posture of the entire wireless network and requires you to lower all of the security levels on the different wireless clients as well. Second, newer wireless access points don’t even support legacy WEP (and in some cases even legacy WPA).

The second issue with wireless protocols is, of course, security. Even when all clients support the more advanced wireless security protocols, there may be reasons why you have to default to using WPA versus WPA2, for example. If this is the case, you should also use other mitigations, such as complex passphrases and other secure protocols (SSL, SSH, and IPsec come to mind, of course) to protect traffic over the wireless network. You should use the highest security protocol level you can that is supported by both the access point and the clients. Speaking of complex passphrases, that’s one of the few weaknesses of WPA and WPA2; weak passphrases can result in weak keys, which can be captured and cracked. From a troubleshooting perspective, make sure that all of the different wireless clients and access points use the same pre-shared key if you’re using the personal implementation of either protocol.

Authentication Issues

Authentication issues can also plague wireless networks. If you are using pre-shared keys, make sure that they all match on all the different devices that connect to the wireless network. Also make sure that the same security protocol is configured in all devices, since that can affect authentication as well. If you are using the enterprise implementation of WPA or WPA2, make sure that your 802.1X devices are set up and configured properly. Since 802.1X authentication also allows you to mutually authenticate both users and devices to the enterprise network, make sure that users also have the right authentication methods configured on their devices (including usernames and passwords, smart cards and PINs, biometric authentication, certificate-based authentication, and so on). Enterprise implementation of wireless networks adds several levels of complexity to the infrastructure, so you may have to look beyond wireless clients and access points when troubleshooting authentication issues.

Encryption Issues

We’ve discussed encryption troubleshooting throughout this entire book; troubleshooting encryption with wireless networks is really not much different from troubleshooting it on wired networks. On all devices, encryption methods must be configured identically, including settings for the encryption protocol used, key negotiation, and any passphrases or certificates that are used in the encryption process. You should start with the infrastructure devices first, and make sure the settings are what you need them to be for the entire network. Of course, you must configure them to be compatible with the lowest common level of encryption settings supported on the client devices; if this setting doesn’t meet your security standards, you should consider upgrading the client devices to support a higher level of security. You should also configure password or passphrase settings on the network infrastructure devices, as required. Then you should move to each client device in turn, and make sure that security settings match or are interoperable with the security settings on the network infrastructure devices. If the settings are incompatible, encryption may not take place between devices; as a matter of fact, incompatible encryption settings may even cause the devices not to communicate at all.

In a smaller network that uses pre-shared keys, there’s not really much to configure on either the access point or client side, other than making sure that the pre-shared key is identical in case, length, and characters. When using the enterprise version of WPA or WPA2, the additional levels of complexity require you to make sure that you’re using the correct 802.1X protocol, such as EAP, LEAP, and so on, including the correct configuration settings for each. Any remote services (TACACS+ or RADIUS, for example) or directory services integration that provides for centralized authentication when using 802.1X (such as Active Directory) will also have to be looked at and configured properly.
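
The following added example (not from the original text) shows why a pre-shared key must match in case, length, and characters, as noted here and under Wireless Protocol Issues: WPA/WPA2-Personal derives its 256-bit key from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4,096 iterations), so any difference yields a different key and authentication fails. The SSID, passphrase, and device names are constructed for illustration.

```python
import hashlib
import string

HEX_DIGITS = set(string.hexdigits)

def psk_to_pmk(psk: str, ssid: str) -> bytes:
    """Return the 256-bit key a WPA/WPA2-Personal device derives from its settings."""
    if len(psk) == 64 and set(psk) <= HEX_DIGITS:
        return bytes.fromhex(psk)          # 64 hex digits are the key itself
    if not 8 <= len(psk) <= 63:
        raise ValueError("need 8 to 63 ASCII characters or 64 hexadecimal digits")
    if any(not 32 <= ord(ch) <= 126 for ch in psk):
        raise ValueError("passphrase contains non-printable or non-ASCII characters")
    # Passphrases are stretched with PBKDF2-HMAC-SHA1, salted with the SSID.
    return hashlib.pbkdf2_hmac("sha1", psk.encode("ascii"), ssid.encode("utf-8"), 4096, 32)

def find_mismatches(ap: dict, clients: dict) -> dict:
    """Map each client that cannot authenticate to the reason why."""
    ap_key = psk_to_pmk(ap["psk"], ap["ssid"])
    problems = {}
    for name, cfg in clients.items():
        try:
            key = psk_to_pmk(cfg["psk"], cfg["ssid"])
        except ValueError as exc:
            problems[name] = f"invalid key: {exc}"
            continue
        if cfg["ssid"] != ap["ssid"]:
            problems[name] = "SSID differs from the access point"
        elif key != ap_key:
            problems[name] = "pre-shared key differs from the access point"
    return problems

# Constructed sample settings (hypothetical SSID, passphrase and device names).
AP = {"ssid": "CorpWLAN", "psk": "Correct-Horse-42-Battery"}
CLIENTS = {
    "laptop-01": {"ssid": "CorpWLAN", "psk": "Correct-Horse-42-Battery"},
    "laptop-02": {"ssid": "CorpWLAN", "psk": "correct-horse-42-battery"},   # case differs
    "tablet-03": {"ssid": "CorpWLAN", "psk": "Correct-Horse-42-Battery "},  # trailing space
    "scanner-04": {"ssid": "CorpWLAN", "psk": "short"},                     # too short
}

if __name__ == "__main__":
    for device, reason in find_mismatches(AP, CLIENTS).items():
        print(f"{device}: {reason}")
```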

Module 30 Questions and Answers

Questions

1. Which of the following was the first attempt at developing a security protocol for early wireless networks?

A. WPA2

B. WPA

C. WEP

D. RC4

2. Which of the following was a temporary protocol developed to bridge the gap between WEP and the IEEE 802.11i standard?

A. WPA

B. WPA2

C. EAP

D. TKIP

3. How many characters can a WPA/WPA2 passphrase be? (Choose two.)

A. 6 or 10 characters

B. 64 hexadecimal characters

C. 8 to 63 ASCII characters

D. 64 ASCII characters

4. Which of the following symmetric algorithms used in wireless protocols uses CCMP mode?

A. AES

B. RC4

C. TKIP

D. WEP

5. You are trying to set up a wireless network in your enterprise infrastructure and would like to set up secure authentication methods so the wireless network can authenticate to the enterprise wired network. You want to provide for mutual authentication, certificate-based authentication, and centralized directory services. Which of the following combinations would allow you to create such an authentication infrastructure for your wireless network?

A. WPA

B. 802.1X with WPA2 pre-shared keys

C. LEAP

D. 802.1X and EAP

6. Which of the following protocols creates a secure TLS tunnel?

A. LEAP

B. PEAP

C. 802.1X

D. AES

7. Which of the following are not necessarily considered to be secure methods to use when hardening a wireless network? (Choose two.)

A. WPA2-Personal

B. WPA-Enterprise

C. SSID cloaking

D. MAC filtering

8. All of the following are valid concerns when considering the performance and security of wireless antennas, except:

A. Placement

B. Encryption

C. Type

D. Transmit power

9. Which of the following items should be examined when performing a wireless site survey? (Choose all that apply.)

A. Antenna placement

B. Authentication protocols

C. Physical environment

D. Capacity planning

10. Which of the following configuration settings must match on all wireless devices in order for them to communicate securely? (Choose two.)

A. Authentication

B. Encryption

C. Power levels

D. MAC address

Answers

1. C. WEP was the first attempt at developing a security protocol for early wireless networks.

2. A. WPA was a temporary protocol developed to bridge the gap between WEP and the IEEE 802.11i standard.

3. B, C. A WPA/WPA2 passphrase can be either 8 to 63 ASCII characters or 64 hexadecimal characters.

4. A. AES is the symmetric algorithm used in WPA2 that uses CCMP mode.

5. D. 802.1X and EAP is the combination that would allow you to create an authentication scheme for the enterprise wireless network.

6. B. PEAP is a form of EAP that creates a secure TLS tunnel to protect its traffic.

7. C, D. Neither SSID cloaking nor MAC filtering is considered to be a secure method to use alone when hardening a wireless network.

8. B. Encryption is not a valid concern when considering the performance and security of wireless antennas.

9. A, C, D. All of these items should be examined when performing a wireless site survey.

10. A, B. Authentication and encryption settings must match on all wireless devices in a wireless network in order for them to communicate securely.
