
CWSP – Chapter 2 – Legacy 802.11 Security

To understand today’s security methods we must first understand the original methods!

Authentication

This step occurs before association and is often confused with standard authentication using username/password combinations. You could probably compare it with plugging a wired device into a switch and switchport negotiation taking place.

Open System Authentication

This is the only pre-RSNA (Robust Secure Network Authentication) method still used. RSNA will be covered later but is part of the 802.11i standard and extremely important!
This is used in a standard BSS or in an IBSS for ad hoc WLANs.
There are two frames exchanged during Open System Auth before association then takes place: a request to join and a response (yes/no) from the device advertising the network.
A device discovers the SSID it wishes to join through various scanning methods and then sends out the request.
The Access Point then responds with an answer.
If the answer is yes, the device then proceeds to send an association request and the Access Point will again respond yes/no.
There is no sensitive information exchanged at this point; all packets are sniffable and open.
WEP can be used with Open System Authentication, but only for encrypting data after authentication and association have taken place.
With modern methods, WEP has been replaced by other encryption methods (802.1X/EAP), and Open System Authentication is still used for the initial connectivity.

Open Authentication System

Shared Key Authentication

With this method, static WEP keys are configured on the client and the Access Point.
These must match in order for authentication to work.
This is very insecure, as the static key can easily be derived from the cleartext challenge and the encrypted response (frames 2 and 3 below).
This time there are 4 frames sent before association:

  1. (Client to AP) Auth Request
  2. (AP to Client) Cleartext Challenge
  3. (Client to AP) Encrypted response using WEP keys
  4. (AP to Client) Confirmation of correct keys and successful authentication

Shared Key Authentication
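
As an added illustration (not from the book or the original post), here is a small Python parser for the 802.11 authentication frame body that labels a captured exchange as the two-frame Open System or four-frame Shared Key sequence described above. The frames are constructed samples, and the WEP-encrypted third frame is represented as an opaque protected body.

```python
import struct

# 802.11 authentication frame body: three 16-bit little-endian fixed fields (algorithm,
# transaction sequence number, status code), optionally followed by a Challenge Text IE (ID 16).
OPEN_SYSTEM, SHARED_KEY = 0, 1
CHALLENGE_TEXT_ID = 16

def parse_auth_body(body):
    """Return the fixed fields and any challenge text of a cleartext auth body."""
    if len(body) < 6:
        raise ValueError("authentication frame body shorter than 6 bytes")
    algorithm, seq, status = struct.unpack_from("<HHH", body, 0)
    challenge, offset = None, 6
    while offset + 2 <= len(body):          # walk the information elements
        elem_id, length = body[offset], body[offset + 1]
        if elem_id == CHALLENGE_TEXT_ID:
            challenge = body[offset + 2:offset + 2 + length]
        offset += 2 + length
    return {"algorithm": algorithm, "seq": seq, "status": status, "challenge": challenge}

def classify_exchange(frames):
    """Label an auth exchange; frames are (protected_bit, body) and protected bodies are only counted."""
    clear = [parse_auth_body(body) for prot, body in frames if not prot]
    encrypted = sum(1 for prot, _ in frames if prot)
    algs = {f["algorithm"] for f in clear}
    if len(frames) == 2 and encrypted == 0 and algs == {OPEN_SYSTEM}:
        return "open-system"   # request + response, nothing secret on the air
    if (len(frames) == 4 and encrypted == 1 and algs == {SHARED_KEY}
            and clear[1]["challenge"] is not None and frames[2][0]):
        return "shared-key"    # legacy: frames 2 and 3 expose the WEP keystream
    return "unknown"

def build_auth_body(algorithm, seq, status, challenge=None):
    """Construct a cleartext auth body; used here only to build sample frames."""
    body = struct.pack("<HHH", algorithm, seq, status)
    if challenge is not None:
        body += bytes([CHALLENGE_TEXT_ID, len(challenge)]) + challenge
    return body

# Constructed sample exchanges (not a real capture); status code 0 means success.
OPEN_EXCHANGE = [(False, build_auth_body(OPEN_SYSTEM, 1, 0)),
                 (False, build_auth_body(OPEN_SYSTEM, 2, 0))]
CHALLENGE = bytes(range(128))               # AP's 128-octet cleartext challenge
SHARED_KEY_EXCHANGE = [
    (False, build_auth_body(SHARED_KEY, 1, 0)),
    (False, build_auth_body(SHARED_KEY, 2, 0, CHALLENGE)),
    (True, b"\x00" * (4 + 6 + 2 + 128 + 4)),  # frame 3: IV + WEP-encrypted body + ICV, opaque here
    (False, build_auth_body(SHARED_KEY, 4, 0)),
]
```

Run over a real capture, the "shared-key" label is the one to flag, since any network still using it is relying on the static WEP key the text describes as easily derived.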

WEP

Available as 64-bit or 128-bit.
Uses the ARC4 cipher to encrypt.
Static keys must match, as mentioned earlier.
In order to ensure integrity, an Integrity Check Value (ICV) is used.
There is also an Initialization Vector (IV) per frame, which is used to identify which WEP key to use for encryption/decryption.
There is a lot more information that I won’t summarise here.

VPNs

VPNs were common prior to the improved security of 802.1X and 802.11i.
Layer 3 VPNs in particular were used along with WEP to secure connections.
These were still vulnerable to attack because the Layer 2 and Layer 3 traffic itself remained exposed.
This meant hackers could compromise the security of the connection (tunnel) before it was established.
There are 3 major Layer 3 VPN types:

  1. PPTP – Point-to-Point Tunneling Protocol
  2. IPsec – Internet Protocol Security
  3. L2TP – Layer 2 Tunnelling Protocol

There is certainly more information on each VPN type but until I’ve delved deeper into the book I’m going to leave it there. This chapter is discussing legacy security and therefore it may not be as relevant.

MAC Filters

This is fairly easy – you can create a filter list based on client MAC addresses to grant/prevent access to a network.
This is extremely insecure, as it is very easy to spoof anyone’s MAC address, even from within the properties of your own NIC.

Segmentation

Basically the same as VLANs – this preventative method is/was used to separate different types of traffic to reduce the security risk.

SSID Cloaking

Hiding the SSID is possible on most Access Points these days but is not recommended as a robust security solution.
The belief used to be that if you couldn’t see the network then it must be secure; however, hackers can very easily find hidden networks by monitoring the unencrypted beacons/probes between devices.
Some devices don’t support connecting to hidden SSIDs.
There is also overhead in connecting devices to hidden SSIDs – either by issuing manual connection instructions or by setting up Group Policy for your domain machines to join (though that’s a fairly low level of effort).
