To understand today’s security methods we must first understand the original methods!
802.11 authentication occurs before association and is often confused with user authentication using username/password combinations. It is closer to plugging a wired device into a switch and the port negotiating link before any traffic flows.
Open System Authentication
Of the two pre-RSNA authentication methods this is the only one still used. RSNA (Robust Security Network Association) will be covered later but is part of the 802.11i standard and extremely important!
It is used in a standard BSS and in an IBSS for ad hoc WLANs.
Two authentication frames are exchanged before association takes place: a request to join from the client and a response (a success or failure status code) from the device advertising the network.
A device discovers the SSID it wishes to join through passive or active scanning and then sends out the authentication request.
The Access Point responds with an authentication frame carrying a status code.
If the status is success, the device then sends an association request and the Access Point again responds with success or a failure code.
No secrets are exchanged at this point: these are management frames sent in cleartext, so the whole exchange is sniffable, and nothing about the client is actually verified.
WEP can be used with Open System Authentication, but only to encrypt data after authentication and association have taken place.
With modern methods WEP has been replaced by the 802.11i encryption methods (TKIP/CCMP) and 802.1X/EAP for user or device authentication, while Open System Authentication is still used for the initial 802.11 connectivity.
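As an added example (not from the original post or any vendor code), here is the Open System exchange modelled in Python: the three fixed fields of the 802.11 Authentication frame body, an AP side that lets any station in, and a station side that only moves on to association after a status 0 reply. The field layout and status code values are those of the 802.11 standard; the function names are my own.

```python
import struct

# Authentication Algorithm Number values carried in the frame body
OPEN_SYSTEM = 0
SHARED_KEY = 1

# Status codes from the 802.11 status code table
STATUS_SUCCESS = 0
STATUS_UNSPECIFIED_FAILURE = 1
STATUS_UNSUPPORTED_AUTH_ALG = 13


def build_auth_body(algorithm, seq, status=STATUS_SUCCESS):
    """Fixed fields of an 802.11 Authentication frame body: algorithm number,
    transaction sequence number and status code, each a little-endian 16-bit
    integer (status is reserved and zero in the seq 1 request)."""
    return struct.pack("<HHH", algorithm, seq, status)


def parse_auth_body(body):
    if len(body) < 6:
        raise ValueError("authentication frame body too short")
    algorithm, seq, status = struct.unpack("<HHH", body[:6])
    return {"algorithm": algorithm, "seq": seq, "status": status}


def ap_open_system_response(request_body, allowed=(OPEN_SYSTEM,)):
    """The AP side of frame 1 -> frame 2. Note what is NOT here: no identity is
    checked and no secret is involved; any station that asks gets in, unless it
    asks for an algorithm the AP does not accept."""
    req = parse_auth_body(request_body)
    if req["seq"] != 1:
        return build_auth_body(req["algorithm"], 2, STATUS_UNSPECIFIED_FAILURE)
    if req["algorithm"] not in allowed:
        return build_auth_body(req["algorithm"], 2, STATUS_UNSUPPORTED_AUTH_ALG)
    return build_auth_body(req["algorithm"], 2, STATUS_SUCCESS)


def station_open_system_join(ap_handler):
    """The station side: send seq 1, accept only a seq 2 reply with status 0.
    Only after this may the station send an Association request."""
    request = build_auth_body(OPEN_SYSTEM, 1)
    reply = parse_auth_body(ap_handler(request))
    return reply["seq"] == 2 and reply["status"] == STATUS_SUCCESS


if __name__ == "__main__":
    print("open system join:", station_open_system_join(ap_open_system_response))
    rejected = ap_open_system_response(build_auth_body(SHARED_KEY, 1))
    print("shared key asked of an open-only AP:", parse_auth_body(rejected))
```

Everything in both frames is a plain integer on the wire, which is the whole point: sniffing them tells you the station and AP agreed to talk, and nothing else.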
Shared Key Authentication
With this method, static WEP keys are configured on the client and the Access Point.
These must match in order for authentication to work.
This is very insecure: XORing the cleartext challenge with the encrypted response (frames 2 and 3 below) gives an attacker the ARC4 keystream for that IV, which can be replayed to pass authentication without ever knowing the key.
This time there are four frames sent before association:
- (Client to AP) Authentication request
- (AP to Client) 128-byte cleartext challenge
- (Client to AP) The challenge encrypted with the static WEP key
- (AP to Client) Confirmation that the key was correct and authentication succeeded
Static WEP
Available as 64-bit or 128-bit, which is a 40-bit or 104-bit static key plus a 24-bit IV.
Uses the ARC4 (RC4) stream cipher to encrypt.
Static keys must match as mentioned earlier. Up to four keys can be configured and a 2-bit Key ID field in each frame header selects which one is in use.
In order to detect corruption, an Integrity Check Value (ICV) is appended to the data. It is a plain CRC-32, not a keyed MAC, so it does not protect against deliberate modification.
There is also a per-frame Initialization Vector (IV), sent in cleartext and prepended to the static key to seed ARC4, so the keystream changes from frame to frame. With only 24 bits the IV space is small and keystreams get reused on a busy network.
There is a lot more information that I won’t summarise here.
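As an added example, not from the original post or any product, this Python block implements WEP as described above (24-bit cleartext IV prepended to a 40-bit static key to seed ARC4, 2-bit Key ID, CRC-32 ICV) and runs the Shared Key exchange twice: once for a station that holds the key, then for a station that only sniffed frames 2 and 3 of that first exchange. The key value and the function names are my own constructions.

```python
import os
import struct
import zlib

def rc4(key, data):
    """Plain ARC4: key scheduling, then XOR the keystream over the data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def icv(plaintext):
    """The WEP Integrity Check Value: an unkeyed CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)

def wep_encrypt(key, key_id, iv, plaintext):
    """WEP body: 3-byte cleartext IV, one byte whose top two bits are the Key ID,
    then ARC4 seeded with IV||key over plaintext||ICV."""
    assert len(iv) == 3 and len(key) in (5, 13)   # 40-bit or 104-bit static key
    return iv + bytes([(key_id & 3) << 6]) + rc4(iv + key, plaintext + icv(plaintext))

def wep_decrypt(keys, frame):
    """Pick the static key by Key ID, decrypt, and reject if the ICV does not match."""
    iv, key_id = frame[:3], frame[3] >> 6
    if key_id not in keys:
        return None
    decrypted = rc4(iv + keys[key_id], frame[4:])
    plaintext, tag = decrypted[:-4], decrypted[-4:]
    return plaintext if icv(plaintext) == tag else None

def shared_key_auth(ap_keys, station_respond):
    """Frames 2 to 4: AP sends a 128-byte cleartext challenge, the station returns it
    WEP-encrypted, the AP decrypts and compares. Returns the frame 4 verdict."""
    challenge = os.urandom(128)            # frame 2, sniffable
    frame3 = station_respond(challenge)    # frame 3, sniffable
    return wep_decrypt(ap_keys, frame3) == challenge

def legitimate_station(key, key_id=0):
    """A station that actually holds the static key."""
    return lambda challenge: wep_encrypt(key, key_id, os.urandom(3), challenge)

def recover_keystream(challenge, frame3):
    """What a sniffer learns from one exchange: known plaintext (challenge||ICV) XOR
    ciphertext is the ARC4 keystream for that IV. The key itself is never needed."""
    iv, key_id = frame3[:3], frame3[3] >> 6
    known = challenge + icv(challenge)
    return iv, key_id, bytes(a ^ b for a, b in zip(known, frame3[4:]))

def forging_station(iv, key_id, keystream):
    """A station with no key: reuse the captured IV and keystream on a new challenge.
    The ICV is an unkeyed CRC, so the forger can compute it over the new challenge too."""
    def respond(challenge):
        known = challenge + icv(challenge)
        return iv + bytes([(key_id & 3) << 6]) + bytes(a ^ b for a, b in zip(known, keystream))
    return respond

def demo(key=bytes.fromhex("0102030405")):
    """Constructed 40-bit key. Run a legitimate exchange while sniffing it, then
    authenticate again using only what was sniffed."""
    ap_keys = {0: key}
    sniffed = {}

    def observed_station(challenge):
        frame3 = legitimate_station(key)(challenge)
        sniffed["challenge"], sniffed["frame3"] = challenge, frame3
        return frame3

    legit_ok = shared_key_auth(ap_keys, observed_station)
    iv, key_id, keystream = recover_keystream(sniffed["challenge"], sniffed["frame3"])
    forged_ok = shared_key_auth(ap_keys, forging_station(iv, key_id, keystream))
    # A station with neither key nor keystream fails the ICV check and the comparison.
    junk_ok = shared_key_auth(ap_keys, lambda c: b"\x00\x00\x00\x00" + os.urandom(132))
    return {"legit": legit_ok, "forged": forged_ok, "junk": junk_ok,
            "keystream_len": len(keystream)}

if __name__ == "__main__":
    print(demo())
```

The forged login works because the AP never checks that the IV is fresh and because the challenge is always the same length, so one sniffed exchange yields exactly the 132 bytes of keystream the next one needs. Shared Key Authentication therefore leaks more than Open System does: it hands out known plaintext/ciphertext pairs that Open System never produces.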
VPNs
VPNs were common before 802.1X and 802.11i improved wireless security.
Layer 3 VPNs in particular were used along with WEP to secure connections.
These were still vulnerable to attack because the Layer 2 and Layer 3 traffic beneath the tunnel remained exposed.
This meant attackers could compromise the connection before the tunnel had been established.
There are 3 major Layer 3 VPN types:
- PPTP – Point-to-Point Tunneling Protocol
- IPsec – Internet Protocol Security
- L2TP – Layer 2 Tunnelling Protocol
There is certainly more information on each VPN type but until I’ve delved deeper into the book I’m going to leave it there. This chapter is discussing legacy security and therefore it may not be as relevant.
MAC Filters
This is fairly easy: you can create a filter list based on client MAC addresses to grant or deny access to a network.
This is extremely insecure, as it is very easy to spoof anyone’s MAC address (even within the properties of your own NIC driver), and the MAC addresses of permitted clients are visible in cleartext in every frame they send.
SSID Segmentation
Basically the same idea as VLANs: separate SSIDs mapped to separate VLANs are used to keep different types of traffic apart and reduce the security risk. On its own this provides no authentication or encryption.
SSID Cloaking
Hiding the SSID is possible on most Access Points these days but is not recommended as a serious security measure.
The belief used to be that if you couldn’t see the network then it must be secure. However, cloaking only removes the SSID from beacons; probe requests, probe responses and association requests still carry it in cleartext, so anyone monitoring the channel sees it as soon as a client connects.
Some devices don’t support connecting to hidden SSIDs.
There is also overhead in connecting devices to hidden SSIDs, either by issuing manual connection instructions or by setting up Group Policy for your domain machines to join (though that is a fairly low level of effort).
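An added example that is not part of the original post: a minimal parser for the tagged parameters of 802.11 management frames, run over a constructed capture of a cloaked BSS. The beacon carries a zero-length SSID element, but the probe request, probe response and association request carry the name in the clear. The frame bodies, the SSID "CorpNet" and the function names are all constructed for illustration; the frame layouts are those of the standard.

```python
import struct

# Management frame subtypes (from the frame control field) we care about
ASSOC_REQ, PROBE_REQ, PROBE_RESP, BEACON = 0, 4, 5, 8
SUBTYPE_NAME = {ASSOC_REQ: "association_request", PROBE_REQ: "probe_request",
                PROBE_RESP: "probe_response", BEACON: "beacon"}
SSID_TAG = 0
SUPPORTED_RATES_TAG = 1

# Bytes of fixed fields before the tagged parameters in each frame body:
# beacon/probe response = timestamp(8) + interval(2) + capability(2),
# association request = capability(2) + listen interval(2), probe request = none
FIXED_FIELD_LEN = {BEACON: 12, PROBE_RESP: 12, ASSOC_REQ: 4, PROBE_REQ: 0}


def ie(tag, value):
    """Encode one information element: tag, length, value."""
    return bytes([tag, len(value)]) + value


def parse_ies(data):
    """Walk the tagged parameters, stopping at the first truncated element."""
    ies, i = [], 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            break
        ies.append((tag, value))
        i += 2 + length
    return ies


def ssid_from_body(subtype, body):
    """SSID carried in a management frame body, or None if absent or cloaked."""
    for tag, value in parse_ies(body[FIXED_FIELD_LEN[subtype]:]):
        if tag == SSID_TAG:
            # A cloaked AP beacons a zero-length SSID; some vendors send NUL bytes instead
            if len(value) == 0 or value.count(0) == len(value):
                return None
            return value.decode("utf-8", errors="replace")
    return None


def reveal_hidden_ssid(frames):
    """Given (subtype, body) pairs sniffed from one BSS, report what the beacon
    advertised and the first frame that leaked the real name."""
    result = {"beacon_ssid": None, "revealed": None, "revealed_by": None}
    for subtype, body in frames:
        ssid = ssid_from_body(subtype, body)
        if subtype == BEACON:
            result["beacon_ssid"] = ssid
        elif ssid is not None and result["revealed"] is None:
            result["revealed"] = ssid
            result["revealed_by"] = SUBTYPE_NAME[subtype]
    return result


# Constructed sample capture of a cloaked network (not real traffic)
RATES = ie(SUPPORTED_RATES_TAG, bytes([0x82, 0x84, 0x8B, 0x96]))
BEACON_FIXED = struct.pack("<QHH", 0x1234, 100, 0x0411)
SAMPLE_FRAMES = [
    (BEACON, BEACON_FIXED + ie(SSID_TAG, b"") + RATES),             # AP hides the name
    (PROBE_REQ, ie(SSID_TAG, b"CorpNet") + RATES),                  # client asks for it by name
    (PROBE_RESP, BEACON_FIXED + ie(SSID_TAG, b"CorpNet") + RATES),  # AP answers with it
    (ASSOC_REQ, struct.pack("<HH", 0x0411, 10) + ie(SSID_TAG, b"CorpNet") + RATES),
]

if __name__ == "__main__":
    print(reveal_hidden_ssid(SAMPLE_FRAMES))
```

Note that the first leak here comes from the client, not the AP: a station configured for a hidden network has to probe for it by name, so it gives the SSID away on every channel it scans, wherever it happens to be.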