Network Bulls
www.networkbulls.com
5.4 Compare and contrast wireless security features and capabilities of WPA security
By default, wireless security is nonexistent on access points and clients. The original 802.11
committee just didn’t imagine that wireless hosts would one day outnumber bounded media
hosts, but that’s truly where we’re headed. Also, and unfortunately, just as with the IPv4
routed protocol, engineers and scientists didn’t add security standards that are robust enough
to work in a corporate environment. So, we’re left with proprietary solution add-ons to aid us
in our quest to create a secure wireless network. And no—I’m not just sitting here bashing the
standards committees because the security problems we’re experiencing were also created by
the U.S. government because of export issues with its own security standards. Our world is a
complicated place, so it follows that our security solutions are going to be as well.
A good place to start is by discussing the standard basic security that was added into the
original 802.11 standards and why those standards are way too flimsy and incomplete to
enable us to create a secure wireless network relevant to today’s challenges.
Open Access
All Wi-Fi Certified wireless LAN products are shipped in "open-access" mode, with their security
features turned off. While open access or no security may be appropriate and acceptable
for public hot spots such as coffee shops, college campuses, and maybe airports, it’s definitely
not an option for an enterprise organization, and likely not even adequate for your private
home network.
Security needs to be enabled on wireless devices during their installation in enterprise environments.
It may come as quite a shock, but some companies actually don’t enable any WLAN
security features. Obviously, the companies that don’t are exposing their networks to tremendous
risk!
The reason that the products are shipped with open access is so that any person who knows
absolutely nothing about computers can just buy an access point, plug it into their cable or
DSL modem, and voilà—they’re up and running. It’s marketing, plain and simple, and simplicity
sells.
SSIDs, WEP, and MAC Address Authentication
What the original designers of 802.11 did to create basic security was include the use of Service
Set Identifiers (SSIDs), open or shared-key authentication, static Wired Equivalent Privacy
(WEP), and optional Media Access Control (MAC) authentication. Sounds like a lot, but none
of these really offers any type of serious security solution—all they may be close to adequate
for is use on a common home network.
SSID is a common network name for the devices in a WLAN system that create the wireless
LAN. An SSID prevents access by any client device that doesn’t have the SSID. The thing is, by
default, an access point broadcasts its SSID in its beacon many times a second. And even if SSID
broadcasting is turned off, a bad guy can discover the SSID by monitoring the network and just
waiting for a client response to the access point. Why? Because, believe it or not, that information,
as regulated in the original 802.11 specifications, must be sent in the clear—how secure!
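Added example (not part of the original text): a small parser run over two constructed 802.11 management frames, showing that an access point with SSID broadcasting turned off still has its network name carried unencrypted in a client's association request, which is why hiding the SSID is not a security control. The frame bytes and the name CorpWLAN are constructed for illustration.

```python
# Management subtypes that carry an SSID element -> (name, fixed body bytes
# that precede the tagged parameters).
SUBTYPES = {
    0x0: ("association request", 4),   # capability + listen interval
    0x4: ("probe request", 0),
    0x5: ("probe response", 12),       # timestamp + interval + capability
    0x8: ("beacon", 12),
}
HEADER_LEN = 24  # frame control, duration, three addresses, sequence control


def ssid_from_frame(frame: bytes):
    """Return (subtype name, SSID) for a management frame, else None.

    SSID is None when the element is present but hidden (empty or all NULs).
    """
    if len(frame) < HEADER_LEN or (frame[0] >> 2) & 0x3 != 0:
        return None                    # too short, or not a management frame
    entry = SUBTYPES.get(frame[0] >> 4)
    if entry is None:
        return None
    name, fixed = entry
    pos = HEADER_LEN + fixed
    while pos + 2 <= len(frame):       # walk the tag/length/value elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            return None                # truncated element
        if tag == 0:                   # element ID 0 is the SSID
            hidden = length == 0 or not any(value)
            return name, (None if hidden else value.decode("utf-8", "replace"))
        pos += 2 + length
    return None


def mgmt_frame(subtype: int, body: bytes) -> bytes:
    """Build a constructed frame: zeroed header fields plus the given body."""
    return bytes([subtype << 4, 0]) + bytes(22) + body


# Constructed samples: a beacon with SSID broadcast disabled, and the
# association request a client sends to that same network.
RATES = b"\x01\x01\x82"
BEACON_HIDDEN = mgmt_frame(0x8, bytes(12) + b"\x00\x00" + RATES)
ASSOC_REQUEST = mgmt_frame(0x0, bytes(4) + b"\x00\x08CorpWLAN" + RATES)

if __name__ == "__main__":
    for frame in (BEACON_HIDDEN, ASSOC_REQUEST):
        print(ssid_from_frame(frame))
```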
Two types of authentication were specified by the IEEE 802.11 committee: open and
shared-key authentication. Open authentication involves little more than supplying the correct
SSID—but it’s the most common method in use today. With shared-key authentication,
the access point sends the client device a challenge-text packet that the client must then encrypt
with the correct WEP key and return to the access point. Without the correct key, authentication
will fail and the client won’t be allowed to associate with the access point. But shared-key
authentication is still not considered secure because all an intruder has to do to get around
this is detect both the clear-text challenge and the same challenge encrypted with a WEP key
and then decipher the WEP key. Surprise—shared key isn’t used in today’s WLANs because
of the clear-text challenge.
With open authentication, even if a client can complete authentication and associate with
an access point, the use of WEP prevents the client from sending and receiving data from the
access point unless the client has the correct WEP key. A WEP key is composed of either 40
or 128 bits and, in its basic form, is usually statically defined by the network administrator on
the access point and all clients that communicate with that access point. When static WEP keys
are used, a network administrator must perform the time-consuming task of entering the same
keys on every device in the WLAN. Obviously, we now have fixes for this because this would
be administratively impossible in today’s huge corporate wireless networks!
Last, client MAC addresses can be statically typed into each access point, and any client
that shows up without its MAC address in the filter table would be denied access. Sounds
good, but of course all MAC layer information must be sent in the clear—anyone equipped
with a free wireless sniffer can just read the client packets sent to the access point and spoof
their MAC address.
WEP can actually work if administered correctly. But basic static WEP keys are no longer
a viable option in today’s corporate networks without some of the proprietary fixes that run
on top of it. So let’s talk about some of these now.
WPA or WPA 2 Pre-Shared Key
Although this is another form of basic security that’s really just an add-on to the specifications,
WPA or WPA2 Pre-Shared Key (PSK) is a better form of wireless security than any other basic
wireless security method mentioned so far. I did say basic.
The PSK verifies users via a password or identifying code (also called a passphrase) on both
the client machine and the access point. A client only gains access to the network if its password
matches the access point's password. The PSK also provides keying material that TKIP
or AES uses to generate an encryption key for each packet of transmitted data. While more
secure than static WEP, PSK still has a lot in common with static WEP in that the PSK is stored
on the client station and can be compromised if the client station is lost or stolen even though
finding this key isn’t all that easy to do. It’s a definite recommendation to use a strong PSK
passphrase that includes a mixture of letters, numbers, and nonalphanumeric characters.
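Added example (not part of the original text): how the passphrase becomes keying material, and a check for the passphrase mix recommended above. The derivation (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt, 256-bit output) and the 8 to 63 printable-ASCII limit come from IEEE 802.11i rather than from this page; the function names are this example's own.

```python
import hashlib


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """256-bit pairwise master key for WPA/WPA2 Pre-Shared Key mode."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def passphrase_problems(passphrase: str) -> list:
    """Return the policy problems with a candidate passphrase (empty = OK)."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("must be printable ASCII")
    if not any(c.isalpha() for c in passphrase):
        problems.append("no letters")
    if not any(c.isdigit() for c in passphrase):
        problems.append("no numbers")
    if not any(not c.isalnum() for c in passphrase):
        problems.append("no nonalphanumeric characters")
    return problems


if __name__ == "__main__":
    # Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    # The SSID is the salt, so the same passphrase on another SSID yields a
    # different key; every client on one SSID still shares the same key.
    print(derive_pmk("password", "CorpWLAN").hex())  # constructed SSID
    print(passphrase_problems("password"))
    print(passphrase_problems("c0rrect-Horse-7battery"))  # constructed sample
```

Because the key depends only on the passphrase and the SSID, every station configured for the network stores the same secret, which is the lost-or-stolen-client exposure described above.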
Wi-Fi Protected Access (WPA) is a standard developed in 2003 by the Wi-Fi Alliance,
formerly known as WECA. WPA provides a standard for authentication and encryption of
WLANs that’s intended to solve known security problems existing up to and including the
year 2003. This takes into account the well-publicized AirSnort and man-in-the-middle
WLAN attacks. Of course, now we’ll use WPA2 to help us with today’s security issues.
WPA is a step toward the IEEE 802.11i standard and uses many of the same components,
with the exception of encryption—802.11i (WPA2) uses AES-CCMP encryption. The IEEE
802.11i standard replaced Wired Equivalent Privacy (WEP) with a specific mode of the
Advanced Encryption Standard (AES) known as the Counter Mode Cipher Block Chaining-
Message Authentication Code (CBC-MAC) protocol (CCMP). This allows AES-CCMP to
provide both data confidentiality (encryption) and data integrity.
WPA’s mechanisms are designed to be implementable by current hardware vendors, meaning
that users should be able to implement WPA on their systems with only a firmware/software
modification.
The IEEE 802.11i standard has been sanctioned by WPA and is termed WPA
version 2.
Exam Objectives
Remember the two types of original 802.11 authentication. Two types of authentication
were specified by the IEEE 802.11 committee: open and shared-key authentication.
Remember the standard developed by the Wi-Fi Alliance. Wi-Fi Protected Access (WPA) is
a standard developed by the Wi-Fi Alliance that provides a standard for authentication and
encryption of WLANs.