Given a scenario, implement appropriate wireless security measures. This chapter describes wireless network encryption protocols, MAC address filtering, device placement, and signal strength. We cover wireless security in great detail in our Certified Wireless Security Professional – CWSP course.
Encryption Protocols
Security is an essential aspect of wireless networks because the wireless medium is shared and open, with no protection by default, so anyone within range can access it. The solution to confidentiality issues is to encrypt the data that flows through a Wi-Fi environment so that only authorized people can transmit and receive data.
The original 802.11 standard was not built with great security features in mind. The first WLAN security mechanism was Wired Equivalent Privacy (WEP), and it emerged with the 802.11b standard. WEP offers different levels of encryption, with keys of 64 or 128 bits in size. WEP is a faulty security mechanism and is vulnerable to several types of attacks because of the way it is built on the RC4 stream cipher. A series of WEP vulnerabilities were made public in 2001, which makes it a poor choice of encryption protocol. If an attacker gathers enough packets, he will easily discover the entire WEP key.
Wi-Fi Protected Access (WPA) became available in 2003 and was intended as an intermediate measure in anticipation of the availability of the more secure and complex WPA2. WPA uses dynamic key management, adds a stronger encryption cipher, and is built on the EAP/802.1X mechanism. It uses the Temporal Key Integrity Protocol (TKIP) and the initialization vector has been increased to 48 bits (more than 500 trillion key combinations). Some of the WPA characteristics include the following:
- It is used with RADIUS in the enterprise
- It uses an encrypted hash
- Every packet gets a unique encryption key
The recommended WLAN security protocol is WPA2, based on the 802.11i architecture. WPA2 can be integrated with the 802.1X architecture that can work on top of either an 802.3 (wired) or an 802.11 (wireless) environment. This allows individual users and devices to authenticate using the Extensible Authentication Protocol (EAP) and an authentication server (RADIUS or TACACS+). WPA2 and 802.11i also involve the Robust Security Network (RSN) concept that is used to keep track of the associations to the access points.
Some of the key differences between WPA and WPA2 include the following:
- RC4 encryption is replaced by AES
- TKIP is replaced by CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
For confidentiality, integrity, and origin authentication, you should go beyond the Data Encryption Standard (DES) algorithm and look at the Advanced Encryption Standard (AES) for strong encryption at the enterprise level (128 bit, 256 bit, or beyond).
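To make the initialization-vector point concrete, here is an added example (not code from the book or from any WLAN vendor) that puts numbers on the two IV sizes the text contrasts. It relies on one fact the page does not state but that is well established: WEP's IV is 24 bits, while TKIP and CCMP use a 48-bit per-packet sequence counter. The functions compute how quickly a 24-bit space is exhausted or repeated, and a defender's check that looks for repeated IVs in a captured frame sequence, since a repeated IV under one key means the same RC4 keystream was used twice. The sample IV list and the packet rates are constructed values.

```python
import math
from collections import Counter


def counter_wrap_seconds(iv_bits: int, packets_per_second: float) -> float:
    """Seconds until a sequential IV/packet counter of `iv_bits` bits wraps
    and values must repeat, at a constant packet rate."""
    return (2 ** iv_bits) / packets_per_second


def random_iv_collision_probability(iv_bits: int, packets: int) -> float:
    """Birthday-bound probability that at least two of `packets` randomly
    chosen IVs of `iv_bits` bits are identical: 1 - exp(-n(n-1) / (2 * 2^bits))."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))


def packets_for_collision(iv_bits: int, probability: float = 0.5) -> int:
    """Number of randomly chosen IVs after which a repeat is expected with the
    given probability (the birthday bound solved for n, using n^2 ~ n(n-1))."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - probability))))


def find_iv_reuse(ivs):
    """Defender's check over a captured frame sequence: return the IVs that
    appear more than once. Under one key, a repeated IV means keystream reuse,
    which is exactly the condition the published WEP attacks rely on."""
    counts = Counter(ivs)
    return sorted(iv for iv, c in counts.items() if c > 1)


# Constructed sample: a short run of 24-bit WEP IVs in which one value repeats.
SAMPLE_IVS = [0x0A1B2C, 0x0A1B2D, 0x3344F1, 0x0A1B2C, 0x7F0001]


def compare_iv_spaces(packets_per_second: float = 1000.0):
    """Side-by-side figures for the 24-bit WEP IV and the 48-bit TKIP/CCMP counter
    at an assumed constant packet rate."""
    return {
        "wep24_random_packets_to_50pct_repeat": packets_for_collision(24),
        "wep24_counter_wrap_hours": counter_wrap_seconds(24, packets_per_second) / 3600,
        "wpa48_counter_wrap_years": counter_wrap_seconds(48, packets_per_second) / (3600 * 24 * 365),
        "repeated_ivs_in_sample": find_iv_reuse(SAMPLE_IVS),
    }


if __name__ == "__main__":
    for name, value in compare_iv_spaces().items():
        print(f"{name}: {value}")
```

At a modest 1,000 frames per second a 24-bit counter wraps in under five hours, and with randomly chosen IVs a repeat is expected after only a few thousand frames; the 48-bit counter at the same rate does not wrap for thousands of years, which is why WPA and WPA2 could keep a per-packet key scheme that WEP could not.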
Another security design issue you have to deal with is unauthorized access. In wireless networks there are no physical boundaries so attackers can gain access from outside the physical security perimeter. They can introduce rogue access points or soft access points on laptops or handheld devices that can breach security policies. As wireless signals are not easily controlled or contained, this could create security issues for the network.
MAC address security can be used to allow only certain devices to associate with the access points, but it cannot prevent MAC address spoofing. Another option is MAC address filtering, but it does not scale well to a large number of wireless clients. The most effective solution to this problem is 802.1X port-based authentication, which is described in a subsequent section.
Another important security aspect in WLAN networks involves controlling WLAN access to servers. Just as you would place DNS servers that are accessible from the Internet in a DMZ segment, you should apply the same strategy to RADIUS/TACACS+ and DHCP servers used in the wireless LAN solution. These servers should be placed into their own VLAN that has a strictly controlled network access policy. These servers should also be protected against Denial of Service (DoS) attacks using Intrusion Prevention System (IPS) solutions.
MAC Address Filtering
As you already know, a MAC (Media Access Control) address is a Layer 2 address assigned to each network card or interface (either wired or wireless). MAC address filtering involves administering who will have access to the network based on the Layer 2 address of the devices. This ensures that unauthorized users cannot access network resources, and it provides a granular control mechanism within the environment.
As traffic flows through a wireless network, the MAC addresses of associated clients are never encrypted, so they can be easily discovered with a standard wireless LAN analyzer. MAC address filtering must therefore be used with caution because MAC addresses can be spoofed. This means that an unauthorized user can scan the network to see which Layer 2 addresses are allowed and can then change the MAC address of their wireless network interface card to an authorized value to gain access to network resources.
MAC address filtering is recommended in association with other security techniques to provide optimal protection of the network.
MAC Filtering – DD-WRT
To exemplify the MAC address filtering technique, we will analyze how this is performed in a common open source wireless router operating system, namely DD-WRT.
The first step is to access the wireless network menu and enter the “MAC Filter” submenu. The next step is to enable MAC address filtering functionality by selecting “Enable” and “Prevent clients listed from accessing the wireless network,” as shown in Figure 27.1 below:
Figure 27.1 – DD-WRT – MAC Filtering General Menu
The last step in this process is to edit the MAC Filter List and insert the MAC addresses of unauthorized users you want to block, as shown in Figure 27.2 below:
Figure 27.2 – DD-WRT – MAC Filter List
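The following is an added example, not code from the book or from the DD-WRT project, that models the MAC filter configured in Figures 27.1 and 27.2 in software and adds the check a defender wants alongside it. The MacFilter class implements both DD-WRT policies: "prevent" (block the listed clients, the mode selected above) and "permit" (admit only the listed clients), with MAC addresses normalized so that colon, dash, dotted and bare hex forms compare equal. Because the text warns that filtering cannot stop spoofing, the block also includes a heuristic over association events: a client MAC that associates with a second access point while still associated with the first is flagged as a candidate for investigation (legitimate roaming usually disassociates first; this is a hint, not proof). The log-line format and all MAC addresses are constructed for the example and are not DD-WRT's syslog format.

```python
import re
from typing import Iterable


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form. Accepts AA:BB:CC:DD:EE:FF,
    AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff and bare aabbccddeeff; rejects anything else."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacFilter:
    """Models the two DD-WRT MAC Filter policies: 'prevent' blocks the listed
    clients (the mode chosen in Figure 27.1), 'permit' admits only the listed ones."""

    def __init__(self, mode: str, entries: Iterable[str]):
        if mode not in ("prevent", "permit"):
            raise ValueError("mode must be 'prevent' or 'permit'")
        self.mode = mode
        self.entries = {normalize_mac(m) for m in entries}

    def allows(self, client_mac: str) -> bool:
        """True if the client may associate under this policy."""
        listed = normalize_mac(client_mac) in self.entries
        return (not listed) if self.mode == "prevent" else listed


# Assumed log-line format for the example (not DD-WRT's real syslog output).
ASSOC_RE = re.compile(r"client=(\S+)\s+bssid=(\S+)\s+event=(assoc|disassoc)")


def concurrent_mac_associations(log_lines: Iterable[str]):
    """Spoofing heuristic: a client MAC that associates with a second access point
    (BSSID) while it is still associated with the first one. Each hit is a
    candidate to investigate, not proof of spoofing.
    Returns a list of (mac, previous_bssid, new_bssid) tuples."""
    current = {}   # mac -> BSSID it is currently associated with
    findings = []
    for line in log_lines:
        m = ASSOC_RE.search(line)
        if not m:
            continue
        mac, bssid, event = normalize_mac(m.group(1)), normalize_mac(m.group(2)), m.group(3)
        if event == "assoc":
            if mac in current and current[mac] != bssid:
                findings.append((mac, current[mac], bssid))
            current[mac] = bssid
        else:
            current.pop(mac, None)
    return findings


# Constructed sample log: the first client jumps to a second AP without leaving
# the first; the second client roams cleanly (disassoc, then assoc).
SAMPLE_LOG = [
    "2024-01-01T09:00:01 client=00:11:22:33:44:55 bssid=AA:BB:CC:00:00:01 event=assoc",
    "2024-01-01T09:00:02 client=66-77-88-99-AA-BB bssid=AA:BB:CC:00:00:01 event=assoc",
    "2024-01-01T09:00:05 client=00:11:22:33:44:55 bssid=AA:BB:CC:00:00:02 event=assoc",
    "2024-01-01T09:00:08 client=66-77-88-99-AA-BB bssid=AA:BB:CC:00:00:01 event=disassoc",
    "2024-01-01T09:00:09 client=66-77-88-99-AA-BB bssid=AA:BB:CC:00:00:02 event=assoc",
]


if __name__ == "__main__":
    deny = MacFilter("prevent", ["00:11:22:33:44:55"])
    print("blocked client admitted?", deny.allows("00-11-22-33-44-55"))
    for mac, old, new in concurrent_mac_associations(SAMPLE_LOG):
        print(f"{mac} associated with {new} while still on {old}: investigate")
```

The normalization step matters in practice: a deny-list entry typed as "00-11-22-33-44-55" must still match a client that presents "00:11:22:33:44:55", otherwise the filter silently fails open.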
Device Placement and Signal Strength
Details about wireless access point placement and general design considerations have been covered in Chapter 9.
If you are administering a wireless network, you will want the signal to cover the entire user area but you do not want it to span across the network boundaries and be accessible by outside users. For security reasons, you should set the signal of the access points as low as possible. To determine how low you should set the signal, you must perform a site survey and test various values until you obtain the optimal level.
The recommendation is to use this security technique in association with other features because this alone might not offer the best results. If an attacker wants to access the wireless network, he can use powerful high-gain antennas to listen for the signal from outside the company premises, even if a normal user can’t hear it.
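As an added example (not from the book, and not a substitute for the site survey the text calls for), the block below works through the link budget behind the advice above. It uses the free-space path-loss formula, which is an optimistic outdoor line-of-sight model, so the distances are upper bounds rather than indoor coverage figures; the point is the relative effect. Transmit powers (20 dBm and 8 dBm), the 2 dBi access point antenna, the 0 dBi laptop antenna, the 24 dBi directional antenna and the -80 dBm receiver sensitivity are all constructed values chosen to illustrate why lowering power shrinks the footprint for ordinary clients yet still leaves the signal audible to a high-gain antenna outside the premises.

```python
import math


def fspl_db(distance_m: float, freq_mhz: float) -> float:
    """Free-space path loss in dB for a distance in metres and a frequency in MHz."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55


def received_power_dbm(tx_power_dbm, tx_gain_dbi, rx_gain_dbi, distance_m, freq_mhz):
    """Link budget: transmit power plus both antenna gains minus path loss."""
    return tx_power_dbm + tx_gain_dbi + rx_gain_dbi - fspl_db(distance_m, freq_mhz)


def max_range_m(tx_power_dbm, tx_gain_dbi, rx_gain_dbi, rx_sensitivity_dbm, freq_mhz):
    """Largest free-space distance at which the received power still meets the
    receiver sensitivity (the link budget solved for distance)."""
    allowed_loss = tx_power_dbm + tx_gain_dbi + rx_gain_dbi - rx_sensitivity_dbm
    return 10 ** ((allowed_loss - 20 * math.log10(freq_mhz) + 27.55) / 20)


def coverage_comparison(freq_mhz=2437.0, ap_antenna_dbi=2.0, sensitivity_dbm=-80.0):
    """Constructed scenario on 2.4 GHz channel 6: an AP at full power (20 dBm)
    versus reduced power (8 dBm), heard by a laptop (0 dBi) and by a 24 dBi
    directional antenna outside the perimeter."""
    laptop_dbi, directional_dbi = 0.0, 24.0
    return {
        "full_power_laptop_m": max_range_m(20, ap_antenna_dbi, laptop_dbi, sensitivity_dbm, freq_mhz),
        "reduced_power_laptop_m": max_range_m(8, ap_antenna_dbi, laptop_dbi, sensitivity_dbm, freq_mhz),
        "reduced_power_directional_m": max_range_m(8, ap_antenna_dbi, directional_dbi, sensitivity_dbm, freq_mhz),
    }


if __name__ == "__main__":
    for name, metres in coverage_comparison().items():
        print(f"{name}: {metres:.0f} m")
```

Cutting transmit power by 12 dB reduces the free-space range by a factor of four for a normal client, but the 24 dBi antenna more than cancels that reduction, which is why the text recommends combining power control with the other measures in this chapter rather than relying on it alone.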
Other Wireless LAN Security and Design Considerations
An RF site survey should be performed in the WLAN design phase, and it should be carried out by certified wireless professionals. The RF site survey consists of five steps:
- Define the customer’s requirements
- Identify coverage areas and user density
- Determine the preliminary locations and requirements of the access points (including necessary antenna types and wired connections)
- Perform the actual survey and identify elements that might interfere with the WLAN signal and components
- Document the process (including access point locations, data, and signal rates)
From a design standpoint you might also be in a situation of having to configure and plan an outdoor wireless mesh configuration. This includes several components:
- The wireless control system
- Wireless LAN controllers
- External access point bridge (rooftop access points)
- Outdoor mesh access points
An important design consideration for outdoor wireless mesh scenarios is the latency of 2 to 3 ms per hop, so the recommendation is to use fewer than four hops to ensure a good level of performance. Another recommendation is to have no more than 20 mesh access point nodes per external access point bridge for best performance.
The most important wireless campus design considerations include the following:
- The number of APs: Sufficient access points should be included to ensure RF coverage for all the wireless clients in all enterprise areas. Cisco recommends 20 data devices per access point.
- The placement of APs: Access points should be placed in the central locations of different enterprise areas to ensure proper user connectivity.
- Power options for APs: Access points can be powered by traditional methods or by using PoE (Power over Ethernet) capabilities.
- The number of WLCs: The number of wireless LAN controllers depends on the redundancy model chosen and (based on the client requirements) the number of access points. The recommended redundancy model is deterministic redundancy.
- The placement of WLCs: Wireless LAN controllers should be placed in secured wiring closets, server rooms, or data centers. WLCs can be placed in a central location or they can be distributed throughout the campus Distribution Layer. Inter-controller roaming should be minimized.
Summary
Security is an essential aspect of wireless networks because the wireless medium is shared and open, with no protection by default, so anyone within range can access it. The solution to confidentiality issues is to encrypt the data that flows through a Wi-Fi environment so that only authorized people can transmit and receive data.
The original 802.11 standard was not built with great security features in mind. The first WLAN security mechanism was WEP (Wired Equivalent Privacy), and it emerged with the 802.11b standard. WEP offers different levels of encryption, with keys of 64 or 128 bits in size.
WPA (Wi-Fi Protected Access) became available in 2003 and was intended as an intermediate measure in anticipation of the availability of the more secure and complex WPA2. WPA uses dynamic key management, adds a stronger encryption cipher, and is built on the EAP/802.1X mechanism. It uses the Temporal Key Integrity Protocol (TKIP), and the initialization vector has been increased to 48 bits (more than 500 trillion key combinations). Some of the WPA characteristics include the following:
- It is used with RADIUS in the enterprise
- It uses an encrypted hash
- Every packet gets a unique encryption key
Some of the key differences between WPA and WPA2 include the following:
- RC4 encryption is replaced by AES
- TKIP is replaced by CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
MAC address filtering involves administering who will have access to the network based on the Layer 2 address of the devices. This ensures that unauthorized users cannot access network resources, and it provides a granular control mechanism within the environment.
If you are administering a wireless network, you will want the signal to cover the entire user area but you do not want it to span across the network boundaries and be accessible by outside users. For security reasons, you should set the signal of the access points as low as possible.
Read the SecureW2 wireless security notes.
Configure wireless security labs in our 101 Labs – CompTIA Network+ book.