WIRELESS NETWORK SECURITY

Wireless Security
Some of the key factors contributing to the higher security risk of wireless
networks compared to wired networks include:

Channel Mobility Resources Accessibility

Wireless networking
typically involves Some wireless
broadcast Wireless devices Some wireless devices, such as
communications, are far more devices, such as sensors and robots,
which is far more portable and smartphones and may be left
susceptible to mobile than wired unattended in
tablets, have
eavesdropping and devices remote and/or
jamming than wired sophisticated
operating systems hostile locations
networks
but limited memory
and processing
Wireless networks are
resources with
which to counter This greatly
also more vulnerable to This mobility results increases their
active attacks that threats, including
in a number of risks denial of service vulnerability to
exploit vulnerabilities in
communications and malware physical attacks
protocols
 Wireless Network Threats
Accidental association Identity theft (MAC spoofing)
◦ Company wireless LANs in close proximity may create ◦ This occurs when an attacker is able to eavesdrop
overlapping transmission ranges on network traffic and identify the MAC address of
◦ A user intending to connect to one LAN may a computer with network privileges
unintentionally lock on to a wireless access point from
a neighboring network Man-in-the-middle attacks
◦ This attack involves persuading a user and an
Malicious association access point to believe that they are talking to
◦ In this situation, a wireless device is configured to each other when in fact the communication is
appear to be a legitimate access point, enabling the going through an intermediate attacking device
operator to steal passwords from legitimate users and ◦ Wireless networks are particularly vulnerable to
then penetrate a wired network through a legitimate such attacks
wireless access point
Denial of service (DoS)
Ad hoc networks ◦ This attack occurs when an attacker continually
◦ These are peer-to-peer networks between wireless bombards a wireless access point or some other
computers with no access point between them accessible wireless port with various protocol
◦ Such networks can pose a security threat due to a lack messages designed to consume system resources
of a central point of control ◦ The wireless environment lends itself to this type
of attack because it is so easy for the attacker to
direct multiple wireless messages at the target
Nontraditional networks
◦ Personal network Bluetooth devices, barcode readers,
and handheld PDAs pose a security risk in terms of Network injection
both eavesdropping and spoofing ◦ This attack targets wireless access points that are
exposed to nonfiltered network traffic, such as
routing protocol messages or network
management messages
Securing Wireless Transmissions
The principal threats to wireless transmission are eavesdropping,
altering or inserting messages, and disruption
To deal with eavesdropping, two types of countermeasures are
appropriate:
◦ Signal-hiding techniques
◦ Turn off SSID broadcasting by wireless access points
◦ Assign cryptic names to SSIDs
◦ Reduce signal strength to the lowest level that still provides requisite coverage
◦ Locate wireless access points in the interior of the building, away from windows and exterior
walls
◦ Encryption
◦ Is effective against eavesdropping to the extent that the encryption keys are secured
Securing Wireless Access Points
The main threat involving wireless access points is unauthorized access
to the network
The principal approach for preventing such access is the IEEE 802.1x
standard for port-based network access control
◦ The standard provides an authentication mechanism for devices wishing to
attach to a LAN or wireless network
◦ The use of 802.1x can prevent rogue access points and other unauthorized
devices from becoming insecure backdoors
 Securing Wireless Networks
Use encryption

Use antivirus, antispyware software and a firewall

Turn off identifier broadcasting

Change the identifier on your router from the default

Change your router’s pre-set password for administration

Allow only specific computers to access your wireless

network
Mobile Device Security
Mobile devices have become an essential element for organizations as
part of the overall network infrastructure
Prior to the widespread use of smartphones, network security was
based upon clearly defined perimeters that separated trusted internal
networks from the untrusted Internet
Due to massive changes, an organization’s networks must now
accommodate:
◦ Growing use of new devices
◦ Cloud-based applications
◦ De-perimeterization
◦ External business requirements
Security Threats
Major security concerns for mobile devices:
Use of untrusted
• The security policy for Use of untrusted content
mobile devices must be mobile devices • The security policy must
based on the be based on the • Mobile devices
assumption that any • The organization assumption that the may access
mobile device may be must assume that networks between the and use
stolen or at least not all devices are mobile device and the content that
accessed by a malicious trustworthy organization are not other
party trustworthy computing
Lack of physical Use of untrusted devices do not
security controls networks encounter

Interaction with
other systems
• It is easy to find and • An attacker can use
install third-party • Unless an organization has location information to
applications on mobile control of all the devices involved determine where the
devices and this poses the in synchronization, there is device and user are
risk of installing malicious considerable risk of the located, which may be of
software organization’s data being stored use to the attacker
in an unsecured location, plus the
Use of applications risk of the introduction of
malware Use of location
created by unknown
services
parties
© 2017 PEARSON EDUCATION, LTD., ALL RIGHTS RESERVED.
IEEE 802.11
Wireless LAN Overview
IEEE 802 is a committee that has developed standards for a wide range
of local area networks (LANs)
In 1990 the IEEE 802 Committee formed a new working group, IEEE
802.11, with a charter to develop a protocol and transmission
specifications for wireless LANs (WLANs)
Since that time, the demand for WLANs at different frequencies and
data rates has exploded
Table 18.1
IEEE 802.11 Terminology

(Table can be found on page 572 in textbook)

Wi-Fi Alliance
The first 802.11 standard to gain broad industry acceptance was 802.11b
Wireless Ethernet Compatibility Alliance (WECA)
◦ An industry consortium formed in 1999
◦ Subsequently renamed the Wi-Fi (Wireless Fidelity) Alliance
◦ Created a test suite to certify interoperability for 802.11 products
Wi-Fi
◦ The term used for certified 802.11b products
◦ Has been extended to 802.11g products
Wi-Fi5
◦ A certification process for 802.11a products that was developed by the Wi-Fi
Alliance

◦ Recently the Wi-Fi Alliance has developed

certification procedures for IEEE 802.11 security
standards
◦ Referred to as Wi-Fi Protected Access (WPA)
 Table 18.2
IEEE 802.11 Services
Association-Related Services
Transition types based on mobility:

• A station of this type is either stationary or

moves only within the direct
No transition communication range of the
communicating stations of a single BSS

• This is defined as a station movement from one BSS to

BSS another BSS within the same ESS
• In this case, delivery of data to the station requires that
the addressing capability be able to recognize the new
transition location of the station

• This is defined as a station movement from a BSS in one

ESS ESS to a BSS within another ESS
• Maintenance of upper-layer connections supported by
802.11 cannot be guaranteed
transition • Disruption of service is likely to occur
Association-Related Services
To deliver a message within a DS, the distribution service
needs to know the identity of the AP to which the
message should be delivered in order for that message to
reach the destination station
Three services relate to a station maintaining an
association with the AP within its current BSS:
◦ Association
◦ Establishes an initial association between a station and an AP
◦ Reassociation
◦ Enables an established association to be transferred from one AP to another,
allowing a mobile station to move from one BSS to another
◦ Disassociation
◦ A notification from either a station or an AP that an existing association is terminated
 IEEE 802.11i Wireless LAN
Security
There is an increased need for robust security services and mechanisms
for wireless LANs

Wired Equivalent Wi-Fi Protected Robust Security

Privacy (WEP) Access (WPA) Network (RSN)
A set of security
The privacy portion mechanisms that
Final form of the
of the 802.11 eliminates most
802.11i standard
standard 802.11 security
issues

Based on the current

Contained major
state of the 802.11i Complex
weaknesses
standard
 IEEE 802.1X
Access Control Approach
Port-Based Network Access Control
The authentication protocol that is used, the Extensible
Authentication Protocol (EAP), is defined in the IEEE
802.1X standard
802.1X uses:
◦ Controlled ports
◦ Allows the exchange of PDUs between a supplicant and other systems on the LAN
only if the current state of the supplicant authorizes such an exchange
◦ Uncontrolled ports
◦ Allows the exchange of PDUs between the supplicant and the other AS, regardless
of the authentication state of the supplicant
 Table 18.3

IEEE 802.11i
Keys for Data
Confidentiality
and
Integrity
Protocols

(Table can be found on page 586 in the

textbook)
 Pairwise Keys
Used for communication between a pair of devices, typically between a STA and an
AP
◦ These keys form a hierarchy beginning with a master key from which other keys are derived
dynamically and used for a limited period of time

Pre-shared key (PSK)

◦ A secret key shared by the AP and a STA and installed in some fashion outside the scope of
IEEE 802.11i

Master session key (MSK)

◦ Also known as the AAAK, and is generated using the IEEE 802.1X protocol during the
authentication phase

Pairwise master key (PMK)

◦ Derived from the master key
◦ If a PSK is used, then the PSK is used as the PMK; if a MSK is used, then the PMK is derived
from the MSK by truncation

Pairwise transient key (PTK)

◦ Consists of three keys to be used for communication between a STA and AP after they have
been mutually authenticated
◦ Using the STA and AP addresses in the generation of the PTK provides protection against
session hijacking and impersonation; using nonces provides additional random keying material
PTK Parts The three parts of the PTK are:

EAP Over LAN (EAPOL) Key Confirmation Key (EAPOL-KCK)

• Supports the integrity and data origin authenticity of STA-to-AP control
frames during operational setup of an RSN
• It also performs an access control function: proof-of-possession of the
PMK
• An entity that possesses the PMK is authorized to use the link
EAPOL Key Encryption Key (EAPOL-KEK)
• Protects the confidentiality of keys and other data during some
RSN association procedures

Temporal Key (TK)

• Provides the actual protection for user traffic
 Group Keys
Group keys are used for multicast
communication in which one STA sends MPDUs
to multiple STAs
◦Group master key (GMK)
◦ Key-generating key used with other inputs to derive the GTK
◦Group temporal key (GTK)
◦ Generated by the AP and transmitted to its associated STAs
◦ IEEE 802.11i requires that its value is computationally indistinguishable
from random
◦ Distributed securely using the pairwise keys that are already established
◦ Is changed every time a device leaves the network
Protected Data Transfer Phase
IEEE 802.11i defines two schemes for protecting
data transmitted in 802.11 MPDUs:
◦ Temporal Key Integrity Protocol (TKIP)
◦ Designed to require only software changes to devices that are
implemented with WEP
◦ Provides two services:
◦ Message integrity
◦ Data confidentiality
◦ Counter Mode-CBC MAC Protocol (CCMP)
◦ Intended for newer IEEE 802.11 devices that are equipped with the
hardware to support this scheme
◦ Provides two services:
◦ Message integrity
◦ Data confidentiality
IEEE 802.11i
Pseudorandom Function (PRF)
Used at a number of places in the IEEE 802.11i scheme
(to generate nonces, to expand pairwise keys, to
generate the GTK)
◦ Best security practice dictates that different pseudorandom
number streams be used for these different purposes
Built on the use of HMAC-SHA-1 to generate a
pseudorandom bit stream
 Summary
Wireless network security
◦ Network threats
◦ Security measures IEEE 802.11i wireless LAN
security
Mobile device security ◦ IEEE 802.11i services
◦ Security threats ◦ IEEE 802.11i phases of operation
◦ Security strategy ◦ Discovery phase
IEEE 802.11 wireless LAN ◦ Authentication phase
overview ◦ Key management phase
◦ Wi-Fi Alliance ◦ Protected data transfer phase
◦ IEEE 802 protocol architecture ◦ The IEEE 802.11i pseudorandom
◦ IEEE 802.11 network components function
and architectural model
◦ IEEE 802.11 services