chapter 7. chapters 1–4: introductory material chapter 5: switched ethernet lans chapter 6:...

Wireless LANs II Chapter 7

Upload: christal-shelton

Post on 22-Dec-2015


TRANSCRIPT

Page 1: Chapter 7.  Chapters 1–4: Introductory Material  Chapter 5: Switched Ethernet LANs  Chapter 6: 802.11 Standards and Operation  Chapter 7: 802.11 Security,

Wireless LANs II

Chapter 7

Where We Are

Chapters 1–4: Introductory Material

Chapter 5: Switched Ethernet LANs

Chapter 6: 802.11 Standards and Operation

Chapter 7: 802.11 Security, 802.11 Management, Other Local Wireless Technologies

Chapters 8–9: TCP/IP Internetworking

Chapter 10: Wide Area Networks

Chapter 11: Applications

© 2013 Pearson

802.11 Security

802.11 LAN management

Other local wireless technologies

7.1: WLAN Security Threats

Drive-By Hackers
◦ Sit outside the corporate premises and read network traffic
◦ Can send malicious traffic into the network
◦ Easily done with readily downloadable software

War Drivers
◦ Merely discover unprotected access points—become drive-by hackers only if they break in
◦ War driving per se is not illegal

Unprotected Access Points
◦ Drive-by hackers can associate with any unprotected access point.
◦ They gain access to the local area network without going through the site firewall.

Rogue Access Points
◦ Unauthorized access points that are set up by a department or an individual
◦ Often have very poor security, making drive-by hacking easier
◦ Often operate at high power, attracting many hosts to their low-security service

7.2: Core 802.11 Security Standards

Core security protocols protect communication between a wireless client and a legitimate access point.

They provide encryption for confidentiality and other cryptographic protections.

802.11 core security protocols protect only wireless client–access point communication.

7.3: 802.11 Core Security Standards

Provide Security Between the Wireless Station and the Wireless Access Point
◦ Client (and perhaps access point) authentication
◦ Encryption of messages for confidentiality

Wired Equivalent Privacy (WEP)
◦ Initial rudimentary security provided with 802.11 in 1997.
◦ Everyone shared the same secret encryption key, and this key could not be changed automatically.
◦ Because the secret key was shared, it did not seem to be secret. Users often gave it out freely.
◦ Key initially could be cracked in 1 to 2 hours; now can be cracked in 3 to 10 minutes using readily available software.

7.3: 802.11 Core Security Standards

Wireless Protected Access (WPA)
◦ The Wi-Fi Alliance
    Normally certifies interoperability of 802.11 equipment
    Certified equipment may display the Wi-Fi name on their boxes
    Created WPA as a stop-gap security standard in 2002 until 802.11i was finished
◦ Designed for upgrading old equipment
    WPA uses a subset of 802.11i that can run on older wireless NICs and access points.
    WPA added simpler security algorithms for functions that could not run on older machines.
◦ Equipment that cannot be upgraded to WPA should be discarded.

7.3: 802.11 Core Security Standards

802.11i (WPA2)
◦ Uses AES-CCMP with 128-bit keys for confidentiality and key management.
◦ 802.11i is the gold standard in 802.11 security.
◦ But companies have large installed bases of WPA-configured equipment, so they are hesitant to upgrade.
◦ WPA has now been partially cracked, and this is leading many firms to upgrade.

Summary

WEP: Initial core security standard. Easily cracked today.

WPA: Has been partially cracked. Large installed base makes upgrading the entire network to 802.11i expensive.

802.11i (WPA2): Today’s preferred standard. Extremely strong.

7.4: 802.1X and PSK Modes

Both WPA and 802.11i have two modes of operation.

◦ 802.1X mode
    For large organizations
    Uses a central authentication server for consistency
    Authentication server also provides key management
    Wi-Fi Alliance calls it Enterprise Mode
    802.1X standard protects communication with an extensible authentication protocol.
    Several EAP versions exist with different security protections.
    Firm implementing 802.1X must choose one.
    Protected EAP (PEAP) is popular because Microsoft favors it.

7.4: 802.1X and PSK Modes

Both WPA and 802.11i have two modes of operation.

◦ Pre-Shared Key mode for homes or small firms
    For homes or small businesses with a single access point.
    Access point does all authentication and key management.
    All users must know an initial pre-shared key (PSK).
    Each, however, is later given a unique key.
    If the pre-shared key is weak, it is easily cracked.
    Pass phrases that generate keys must be at least 20 characters long.
    Wi-Fi Alliance calls this personal mode.

7.4: 802.1X and PSK Modes

| | Can use 802.1X mode? | Can use PSK mode? |
|---|---|---|
| WPA | Yes | Yes |
| 802.11i | Yes | Yes |

Both WPA and 802.11i use both modes. This is not surprising because WPA was derived from 802.11i.

7.5: 802.1X Mode for 802.11i (and WPA)

802.1X Mode (See Figure 7-5)
◦ 802.1X in WPA and 802.11i protects client-access point communication with an extensible authentication protocol.
◦ 802.1X standard protects communication with an extensible authentication protocol.
    Several EAP versions exist with different security protections.
    Firm implementing 802.1X must choose one.
    Protected EAP (PEAP) is popular because Microsoft favors it.

EAP must be protected.
◦ No problem with UTP.
◦ Big problem for wireless.
◦ For wireless, EAP had to be extended.

7.6: 802.11i and WPA in Pre-Shared Key Mode

7.6: Shared Keys

WEP
◦ Used the same shared key for everyone.
◦ It was used for a great deal of traffic.
◦ This made the key easy to break.

PSK Mode in 802.11i
◦ Only uses the shared initial key for initial communication, so can’t be cracked.
◦ Only a few people share this key so won’t give it out.
◦ Each host then gets a different shared session key.
◦ Too little traffic is sent with this key to be cracked.
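The key handling described in the PSK-mode slides (a pass phrase that generates a key, then a different session key for each host), shown as an added example that is not part of the original slides. It uses the key derivation defined for WPA2-PSK in IEEE 802.11i; the SSID, pass phrase, MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac

MIN_PASSPHRASE_LEN = 20  # minimum length the slides give for PSK pass phrases


def passphrase_meets_policy(passphrase: str) -> bool:
    """Apply the slides' 20-character rule before a pass phrase is deployed."""
    return len(passphrase) >= MIN_PASSPHRASE_LEN


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Pass phrase -> 256-bit pairwise master key (PBKDF2-HMAC-SHA1, 4096 rounds).

    The only inputs are the pass phrase and the SSID, so every station that
    knows the pass phrase computes the same PMK.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA/WPA2 pass phrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, n_bytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1 over label || 0x00 || data || counter, truncated."""
    out = b""
    counter = 0
    while len(out) < n_bytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:n_bytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """Per-session pairwise transient key (48 bytes when CCMP is used).

    Both MAC addresses and both handshake nonces are mixed in, so each
    client, and each new association, ends up with a different key.
    """
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def demo() -> dict:
    """Two clients share one pass phrase but receive different session keys."""
    ssid = "ExampleCorpWLAN"                      # constructed SSID
    passphrase = "an example pass phrase 2013"    # constructed, 27 characters
    ap_mac = bytes.fromhex("020000000001")        # constructed addresses
    client_a = bytes.fromhex("020000000010")
    client_b = bytes.fromhex("020000000011")

    # Real nonces are fresh random values in every handshake; fixed values
    # are used here only so the example is repeatable.
    def nonce(tag: bytes) -> bytes:
        return hashlib.sha256(b"constructed nonce " + tag).digest()

    pmk_a = derive_pmk(passphrase, ssid)
    pmk_b = derive_pmk(passphrase, ssid)
    ptk_a = derive_ptk(pmk_a, ap_mac, client_a, nonce(b"ap-1"), nonce(b"a"))
    ptk_b = derive_ptk(pmk_b, ap_mac, client_b, nonce(b"ap-2"), nonce(b"b"))

    # PTK layout for CCMP: key confirmation key, key encryption key, then
    # the 128-bit temporal key that actually encrypts data frames.
    return {
        "policy_ok": passphrase_meets_policy(passphrase),
        "same_pmk": pmk_a == pmk_b,
        "tk_a": ptk_a[32:48],
        "tk_b": ptk_b[32:48],
    }


if __name__ == "__main__":
    result = demo()
    print("pass phrase meets 20-character rule:", result["policy_ok"])
    print("clients share the master key:", result["same_pmk"])
    print("client A temporal key:", result["tk_a"].hex())
    print("client B temporal key:", result["tk_b"].hex())
```

Because the master key depends only on the pass phrase and the SSID, the strength of every session key rests on the pass phrase, which is why the length rule matters.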

7.7: Evil Twin Access Point

Sits outside the premises or in a wireless hot spot
◦ A PC with software to emulate an access point
◦ Entices the wireless client to associate with it

Establishes a second connection with a legitimate access point
◦ All traffic between the wireless client and network servers passes through the evil twin.

This is a classic man-in-the-middle attack.

Attacks on confidentiality because evil twin reads all traffic.
◦ Client encrypts traffic.
◦ Evil twin decrypts it and reads it.
◦ Evil twin reencrypts it and sends it on.

Evil twin can also send attack packets, which do not pass through the border firewall.

7.8: Using a VPN to Counter Evil Twins

Virtual Private Networks (VPNs)
◦ End-to-end encryption with a pre-shared client-server secret
◦ The secret is never transmitted so cannot be intercepted.

Wi-Fi Protected Setup

Usually just called WPS

Protocol to make it easier to connect clients to access points

Very popular

Created by the Wi-Fi Alliance, not the 802 Committee

Designed poorly

Pre-shared keys can be cracked in about 5,500 attempts
◦ Easy to do with automated attacks

Only solution is to turn off WPS at the router
◦ Many routers cannot even turn it off

A problem for PSK but not 802.1X

Denial-of-Service (DoS) Attacks

Either overloads the access point with traffic

Or sends a command to get a client to disassociate from an access point

Uncommon but dangerous

802.11 Security

802.11 LAN management

Other local wireless technologies

7.9: WLAN Management

Access Points Placement in a Building
◦ Must be done carefully for good coverage and to minimize interference between access points.
◦ Lay out 30-meter to 50-meter radius circles on blueprints.
◦ Adjust for obvious potential problems such as brick walls.
◦ In multistory buildings, must consider interference in three dimensions.
◦ Install access points and do site surveys to determine signal quality.
◦ Adjust placement and signal strength as needed.
◦ In commercial access points, signal strength and other configuration information can be actively controlled.

Remote Access Point Management
◦ The manual labor to manage many access points can be very high.
◦ They must be managed efficiently through automation.

7.10: Wireless Access Point Management Alternatives

7.9: WLAN Management

Remote Access Point Management
◦ Desired networking functionality:
    Notify the WLAN administrators of failures immediately.
    Support remote access point adjustment.
    Should provide continuous transmission quality monitoring.
    Allow software updates to be pushed out to all access points or WLAN switches.
    Work automatically whenever possible.
◦ Desired security functionality:
    Notify administrator of rogue access points.
    Notify administrator of evil twin access points.
    Notify the administrator of flooding denial-of-service attacks.
    Notify the administrator of disassociate message denial-of-service attacks.
    Instantly deny access to selected stations under selected conditions.
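One way a management system could raise three of the notifications listed above (rogue access point, evil twin, disassociate-message denial of service), shown as an added example that is not part of the original slides. The record format, the access point inventory, the `on_wire` flag and the threshold are all assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed inventory of authorized access points: BSSID -> SSID.
AUTHORIZED = {
    "00:11:22:aa:00:01": "CorpNet",
    "00:11:22:aa:00:02": "CorpNet",
}
DISASSOC_THRESHOLD = 5   # assumed tuning value: frames per client per window
WINDOW_SECONDS = 10      # assumed counting window


@dataclass(frozen=True)
class Frame:
    """One observation from a wireless sensor (hypothetical record format)."""
    t: int                 # seconds since the capture started
    kind: str              # "beacon" or "disassoc"
    bssid: str             # access point address named in the frame
    ssid: str = ""         # beacons only
    client: str = ""       # disassociate frames only: the targeted station
    on_wire: bool = False  # assumed: address also learned on a corporate switch port


def detect(frames):
    """Return a sorted list of (alert, subject) tuples for the observations."""
    alerts = set()
    corporate_ssids = set(AUTHORIZED.values())
    disassoc_counts = Counter()

    for f in frames:
        if f.kind == "beacon" and f.bssid not in AUTHORIZED:
            if f.on_wire:
                # Unknown access point attached to the corporate LAN.
                alerts.add(("rogue_ap", f.bssid))
            elif f.ssid in corporate_ssids:
                # Unknown radio advertising a corporate network name.
                alerts.add(("evil_twin", f.bssid))
            # Anything else is a neighbor's network and is ignored.
        elif f.kind == "disassoc":
            disassoc_counts[(f.client, f.t // WINDOW_SECONDS)] += 1

    for (client, _window), count in disassoc_counts.items():
        if count > DISASSOC_THRESHOLD:
            alerts.add(("disassoc_flood", client))
    return sorted(alerts)


# Constructed sample observations.
SAMPLE = [
    Frame(1, "beacon", "00:11:22:aa:00:01", ssid="CorpNet", on_wire=True),
    Frame(2, "beacon", "02:00:00:00:00:99", ssid="CorpNet"),
    Frame(3, "beacon", "02:00:00:00:00:42", ssid="MarketingWiFi", on_wire=True),
    Frame(4, "beacon", "02:00:00:00:00:07", ssid="CoffeeShop"),
    Frame(15, "disassoc", "00:11:22:aa:00:01", client="02:00:00:00:01:20"),
] + [
    Frame(20 + i, "disassoc", "00:11:22:aa:00:01", client="02:00:00:00:01:10")
    for i in range(8)
]

if __name__ == "__main__":
    for alert, subject in detect(SAMPLE):
        print(f"notify administrator: {alert} {subject}")
```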

Decibels

Box

The Basic Picture

Expressing ratios of transmission power
◦ Attenuation of signal during propagation (-)
◦ Amplification of signal so it will travel farther (+)

Multiples of 3 dB (decibels)
◦ +3 dB: X2 (times two) power
◦ +6 dB: X4 power
◦ +9 dB: ?
◦ -3 dB: ½ power
◦ -6 dB: ?

Units of 10 dB
◦ +10 dB: X10 power
◦ +20 dB: ? ?
◦ -10 dB: ?
◦ -20 dB: ?

Power is measured in Watts (W)
◦ Milliwatt (mW) = 1/1000 of a Watt

Transmitted power is 12 mW
◦ Attenuation during travel is -6 dB
◦ Final transmission power: ?

Radio power is 2 mW
◦ Antenna amplifies signal by 9 dB
◦ Final transmission power: ?

Expressing Power Ratios in Decibels (dB)

In radio engineering, you often have to express the ratio of two signal powers, P1 and P2.
◦ Amplification may make P2 larger than P1, the original signal strength.
◦ Attenuation may make P2 smaller than P1, the original signal strength.
◦ Connector loss may make transmitted power P2 smaller than P1, the original signal strength.

Power Ratios as Decibels (dB)

In general, simple ratios are easy to understand.

However, P1 and P2 can vary by orders of magnitude, giving numbers that are difficult to interpret by reading.

Radio engineers express signal ratios in a logarithmic scale, decibels (dB).

Suppose you have amplification, so that while P1 is 20 milliwatts (mW), P2 is 80 mW.

Use the Excel LOG10() function.

If P2 > P1, then the ratio is greater than 1, and the dB value is positive.

Suppose you have attenuation, so that while P1 is 30 milliwatts (mW), P2 is 1.3 mW.

Use the Excel LOG10() function.

If P2 < P1, then the ratio is less than 1, and the dB value is negative.

Power Ratios as Decibels (dB)

Suppose you have amplification, so that while P1 is 20 milliwatts (mW), P2 is 30 mW.
◦ What is LdB?

Suppose you have a loss of power of 30% at a coupler between the radio and the antenna.
◦ How would you compute LdB?

Power Ratios as Decibels (dB)

A doubling of power is 3.0103 dB
◦ This is almost exactly 3.
◦ Use 3 in estimates.
◦ Fill in the two missing dB values.

| Ratio | N (as in 2^N) | dB |
|---|---|---|
| 16 | 4 | |
| 8 | 3 | 9 dB |
| 4 | 2 | 6 dB |
| 2 | 1 | 3 dB |
| 1 | 0 | 0 dB |
| 1/2 | -1 | -3 dB |
| 1/4 | -2 | -6 dB |
| 1/8 | -3 | |

A factor of 10 increase is 10 dB
◦ This is exactly 10.
◦ Fill in the two missing dB values.

| Ratio | N (as in 2^N) | dB |
|---|---|---|
| 10,000 | 4 | |
| 1,000 | 3 | 30 dB |
| 100 | 2 | 20 dB |
| 10 | 1 | 10 dB |
| 1 | 0 | 0 dB |
| 1/10 | -1 | -10 dB |
| 1/100 | -2 | -20 dB |
| 1/1,000 | -3 | |

Power in dBm

dB gives power ratios.

dBm gives absolute power, relative to 1 milliwatt (mW).
◦ P1 = 1 mW

What is the dBm for 2 mW?

What is the dBm for 0.01 mW?

What is the dBm for 1 Watt?

Decibels

Power ratios multiply
◦ Initial power = 1 Watt
◦ Loss of power at antenna coupler = .5
◦ Loss of power due to attenuation = 90%
◦ Loss of power due to wall = 75%
◦ What is the final power?

Decibels add
◦ Initial power = 1 Watt (30 dBm)
◦ Loss of power at antenna coupler = .5 (-3 dB)
◦ Loss of power due to attenuation = 90% (-10 dB)
◦ Loss of power due to wall = 75% (-6 dB)
◦ What is the final power?

Decibels

Converting decibels back to power ratios
◦ What is the power ratio for 30 dB?
◦ What is the power ratio for -8 dB? (Do it in a spreadsheet.)
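The decibel arithmetic from this box, worked in code as an added example that is not part of the original slides. It uses the standard definition dB = 10 · log10(P2 / P1) and runs the slides' 1 Watt chain both ways: multiplying ratios, and adding decibel values rounded to whole numbers as the slides do. It assumes the coupler figure of .5 means half the power remains, matching the -3 dB shown beside it.

```python
import math


def ratio_to_db(p2: float, p1: float) -> float:
    """Decibel value of the power ratio P2/P1."""
    if p1 <= 0 or p2 <= 0:
        raise ValueError("powers must be positive")
    return 10 * math.log10(p2 / p1)


def db_to_ratio(db: float) -> float:
    """Convert a decibel value back to a power ratio."""
    return 10 ** (db / 10)


def mw_to_dbm(mw: float) -> float:
    """Absolute power in dBm: the ratio to a 1 mW reference, in decibels."""
    return ratio_to_db(mw, 1.0)


def dbm_to_mw(dbm: float) -> float:
    """Absolute power in milliwatts from a dBm value."""
    return db_to_ratio(dbm)


def link_budget(start_mw: float, remaining_fractions) -> dict:
    """Follow a signal through several stages.

    remaining_fractions holds, for each stage, the fraction of power that
    is left after it (a 90% loss leaves 0.10).
    """
    # Method 1: power ratios multiply.
    exact_mw = start_mw
    for fraction in remaining_fractions:
        exact_mw *= fraction

    # Method 2: decibels add, using exact per-stage values.
    stage_db = [ratio_to_db(fraction, 1.0) for fraction in remaining_fractions]
    exact_dbm = mw_to_dbm(start_mw) + sum(stage_db)

    # Method 3: decibels add, with each value rounded to a whole number
    # (the 3 dB and 10 dB rules of thumb).
    estimated_dbm = round(mw_to_dbm(start_mw)) + sum(round(db) for db in stage_db)

    return {
        "exact_mw": exact_mw,
        "exact_dbm": exact_dbm,
        "estimated_dbm": estimated_dbm,
        "estimated_mw": dbm_to_mw(estimated_dbm),
    }


# The slides' chain: 1 Watt, coupler leaves .5, attenuation loses 90%,
# wall loses 75%.
SLIDE_CHAIN = link_budget(1000.0, [0.5, 0.10, 0.25])

if __name__ == "__main__":
    print(f"20 mW -> 80 mW is {ratio_to_db(80, 20):.4f} dB")
    print(f"30 mW -> 1.3 mW is {ratio_to_db(1.3, 30):.4f} dB")
    print(f"ratios multiplied: {SLIDE_CHAIN['exact_mw']:.3f} mW")
    print(f"exact decibels added: {SLIDE_CHAIN['exact_dbm']:.3f} dBm")
    print(f"rounded decibels added: {SLIDE_CHAIN['estimated_dbm']} dBm "
          f"= {SLIDE_CHAIN['estimated_mw']:.3f} mW")
```

The rounded estimate lands within about one percent of the exact result, which is why whole-number decibel values are good enough for planning.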

802.11 Security

802.11 LAN management

Other local wireless technologies

7.12: Other Wireless Technologies

| | 802.11i | Bluetooth | Near Field Communication (NFC) | Ultrawideband (UWB) |
|---|---|---|---|---|
| Use | Wi-Fi Direct gives direct communication between two wireless devices | Personal area networks (PANs) around a desk or a person’s body | Very near communication between two wireless hosts | Extremely high speed, short distance communication |

| | Wi-Fi Direct | Bluetooth | Near Field Communication (NFC) | Ultrawideband (UWB) |
|---|---|---|---|---|
| Typical Speed | 20-300 Mbps | 2 Mbps | 106, 212, or 424 kbps | 100 Mbps |
| Service Range | 30-50 m | 10 m | 10 cm | 10 m |
| Requires Wall Power | Yes | No | No | Yes |
| Service Band | 2.4 and 5 GHz | 2.4 GHz | 13.56 kHz | UWB channels typically span multiple entire service bands |

Bluetooth

For Personal Area Networks (PANs)
◦ Devices on a person’s body and nearby (earphone, mobile phone, netbook computer, etc.)
◦ Devices around a desk (computer, mouse, keyboard, printer)

Cable Replacement Technology
◦ For example, with a Bluetooth phone, you can print wirelessly to a nearby Bluetooth-enabled printer.
◦ Does not use access points.

7.13 Bluetooth Modes of Operation

| | Classic Bluetooth | High-Speed Bluetooth | Low-Energy Bluetooth |
|---|---|---|---|
| Principal Benefit | Good performance at low power | High-speed transfers available when needed | Ultra-long battery life and ultra-fast setup times |
| Speed | Up to 3 Mbps | Up to about 24 Mbps | Up to 200 kbps |
| Expected Duty Cycle | Low to High | Low to High | Very Low |
| Power Required | Low | High | Very Low |
| Distance | ~10 m | ~30 m | ~15 m |
| Setup Time | < 6 s | Not Given | < 3 ms |

7.14: Bluetooth Operation

A device, in this case the Desktop, can be simultaneously a master and a slave.

7.14: Bluetooth Operation

Bluetooth Profiles
◦ 802.11 did not have to develop application standards. Many standards already existed.
◦ But standards did not exist for new short-distance applications such as printing to a printer.
◦ The Bluetooth Special Interest Group had to develop various standards in addition to radio transmission standards.
◦ It called these Bluetooth profiles.

7.15: Bluetooth Peering and Binding

Peering
◦ When two devices first encounter each other, they must go through a negotiation process.
◦ This negotiation process is called peering.
◦ It involves the exchange of device information.
◦ It may involve authentication.
◦ It may also involve one or both of the device owners explicitly deciding if the two devices should be allowed to communicate.

Service Discovery Profile (SDP)
◦ Peering uses the Service Discovery Profile (SDP).
◦ Normally, a device is in discoverable mode.
◦ If it receives a Service Discovery Protocol request, it will send information about itself:
    Name
    Device class
    Bluetooth profiles supported
    Technical information such as manufacturer’s name

Binding
◦ After peering is complete, the two devices are bound.
◦ They can begin communicating.
◦ If they are brought together later, they are still bound.
◦ They will begin communication without the peering process.
◦ This allows fast setup.
◦ The owner of either device can end the binding.

7.16: Frequency Hopping Spread Spectrum

802.11 Wi-Fi uses 20 MHz or 40 MHz channels in the 2.4 GHz and 5 GHz bands.

Bluetooth operates in the 2.4 GHz band.

Bluetooth divides the band into 79 channels, each 1 MHz wide.

Bluetooth radios hop among the frequencies up to 1,600 times per second.

These radios avoid channels where other devices (including 802.11 devices) are active.

7.17: Near Field Communication (NFC)

7.18: Possible NFC Apps

Payment of bus fares (already popular in some countries)

Opening car doors

Turning on the ignition

Building door entry control

Sharing business cards

Sharing webpages between mobile devices

Retail payments, including loyalty points and coupons (beginning to be popular)

NFC posters with tap points for more communication

Passive Radio Frequency ID (RFID) Tags

7.19 Passive Radio Frequency ID Tags

Radio frequency ID tags contain information about an item.

A passive RFID tag has no internal power source.

When read by an NFC device, the power of the reader request gives power for the response.

13.56 kHz was specified by ISO/IEC for passive RFID tags long before NFC standards were created.

With sensitive antennas, NFC transmission can be eavesdropped upon from a distance.

7.20 Ultrawideband Transmission

Enormously wide channels

Very low power per hertz to avoid interfering with other transmissions

Very high speeds over short distances (~10 m)

7.21 Security in Emerging Wireless Technologies

Threats
◦ Eavesdropping
◦ Data modification
◦ Impersonation
◦ Denial-of-service attacks

Cryptological Security
◦ Some local wireless technologies have no cryptological security.
◦ Example: Near field communication for reading passive ID tags.
◦ They rely on short transmission distances to foil eavesdroppers.
◦ Directional antennas and amplifiers can defeat this.

Strength of Security
◦ Some have reasonably good security.
◦ Example: Bluetooth
◦ However, still not as strong as 802.11i and WPA security.

Device Loss or Theft
◦ In this age of bring your own device (BYOD) to work, this is a serious problem.
◦ Most devices are protected only by short PINs.

Maturity
◦ In general, new security technologies take some time to mature.
◦ During this period, they often have vulnerabilities that must be fixed quickly.
◦ User companies must master security for each new technology.

Where We’ve Been

802.11 Security

802.11 LAN management

Other local wireless technologies

Where We’re Going

Chapter 5 dealt with single wired switched networks.

Chapters 6 and 7 dealt with single wireless networks.

Single networks operate at Layers 1 and 2 and so use OSI standards.

Chapters 8 and 9 deal with internets at Layers 3 and 4, where the IETF’s TCP/IP standards dominate.