Wireless LANs II
Chapter 7
Panko and Panko
Business Data Networks and Security, 9th Edition
© 2013 Pearson
Revised August 2013
Chapters 1–4: Introductory Material
Chapter 5: Switched Ethernet LANs
Chapter 6: 802.11 Standards and Operation
Chapter 7: 802.11 Security, 802.11 Management, Other Local Wireless Technologies
Chapters 8–9: TCP/IP Internetworking
Chapter 10: Wide Area Networks
Chapter 11: Applications
Where We Are
802.11 Security
802.11 LAN management
Other local wireless technologies
Drive-By Hackers
◦ Sit outside the corporate premises and read network traffic
◦ Can send malicious traffic into the network
◦ Easily done with readily downloadable software
War Drivers
◦ Merely discover unprotected access points—become drive-by hackers only if they break in
◦ War driving per se is not illegal
7.1: WLAN Security Threats
Unprotected Access Points
◦ Drive-by hackers can associate with any unprotected access point.
◦ They gain access to the local area network without going through the site firewall.
7.1: WLAN Security Threats
Rogue Access Points
◦ Unauthorized access points that are set up by a department or an individual
◦ Often have very poor security, making drive-by hacking easier
◦ Often operate at high power, attracting many hosts to their low-security service
7.1: WLAN Security Threats
7.2: Core 802.11 Security Standards
802.11 core security protocols protect communication between a wireless client and a legitimate access point.
They provide encryption for confidentiality, authentication, and other cryptographic protections.
7.2: Core 802.11 Security Standards
802.11 core security protocols protect only wireless client–access point communication.
Only Provide Security Between the Wireless Station and the Wireless Access Point
◦ Client (and perhaps access point) authentication
◦ Encryption of messages for confidentiality
7.3: 802.11 Core Security Standards
Wired Equivalent Privacy (WEP)
◦ Initial rudimentary security provided with 802.11 in 1997.
◦ Everyone shared the same secret encryption key, and this key could not be changed automatically.
◦ Because the secret key was shared, it did not seem to be secret. Users often gave the key out freely because it did not seem secret (everybody knew it).
◦ Key initially could be cracked in 1 to 2 hours; now can be cracked in 3 to 10 minutes using readily available software.
7.3: 802.11 Core Security Standards
Wireless Protected Access (WPA)
◦ Created by the Wi-Fi Alliance
  ◦ Normally certifies interoperability of 802.11 equipment
  ◦ Created WPA as a stop-gap security standard in 2002 until 802.11i was finished
7.3: 802.11 Core Security Standards
Wireless Protected Access (WPA)
◦ Designed for upgrading old equipment
  ◦ WPA uses a subset of 802.11i that can run on older wireless NICs and access points.
  ◦ WPA added simpler security algorithms for functions that could not run on older machines.
◦ Equipment that cannot be upgraded to WPA should be discarded.
7.3: 802.11 Core Security Standards
802.11i (WPA2)
◦ Uses AES-CCMP with 128-bit keys for confidentiality and key management.
◦ 802.11i is the gold standard in 802.11 security.
◦ But companies have large installed bases of WPA-configured equipment, so they are hesitant to upgrade.
◦ WPA has now been partially cracked, and this is leading many firms to upgrade.
7.3: 802.11 Core Security Standards
7.3: 802.11 Core Security Standards
WEP: Initial core security standard. Easily cracked today.
WPA: Has been partially cracked. Large installed base makes upgrading the entire network to 802.11i expensive.
802.11i (WPA2): Today’s preferred standard. Extremely strong.
Both WPA and 802.11i have two modes of operation.
◦ 802.1X mode for large organizations
  ◦ Uses a central authentication server for consistency
  ◦ Authentication server also provides key management
  ◦ Wi-Fi Alliance calls it Enterprise Mode
7.4: 802.1X and PSK Modes
7.5: 802.1X Mode for 802.11i and WPA
802.1X Mode (See Figure 7-5)
◦ 802.1X in WPA and 802.11i protects client-access point communication with an extensible authentication protocol.
7.5: 802.1X Mode for 802.11i (and WPA)
EAP must be protected.
No problem with UTP.
Big problem for wireless.
For wireless, EAP had to be extended.
WPA and 802.11i have two modes
◦ 802.1X mode is for firms with many access points
  ◦ Authentication is done on a central authentication server
◦ Pre-Shared Key mode for homes or small firms
  ◦ For homes or small businesses with a single access point.
  ◦ Access point does all authentication and key management.
  ◦ Wi-Fi Alliance calls this personal mode.
7.4: 802.1X and PSK Modes
7.6: 802.11i and WPA in Pre-Shared Key Mode
7.6: 802.11i and WPA in Pre-Shared Key Mode
Both WPA and 802.11i have two modes of operation.
◦ Pre-Shared Key mode for homes or small firms
  ◦ Session keys are keys for a single connection by a device
  ◦ Giving each user a different session key makes cryptanalysis (breaking a key) almost impossible because too little traffic is generated with each session key.
  ◦ The next time the device connects to the access point, it will receive a different session key.
7.4: 802.1X and PSK Modes
Both WPA and 802.11i have two modes of operation.
◦ Pre-Shared Key mode for homes or small firms
However …
◦ Pre-shared key is generated by typing a passphrase (not just a short password).
◦ To generate a secure PSK, the passphrase must be at least 20 characters long.
◦ Otherwise, it is as bad as WEP.
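How the pre-shared key follows from the passphrase, as an added example that is not from the textbook slides. It uses the PBKDF2-HMAC-SHA1 derivation defined for WPA/802.11i PSK mode (SSID as salt, 4,096 iterations) and checks the slide's 20-character minimum; the function names, the sample SSIDs and the extra distinct-character check are assumptions.

```python
import hashlib

MIN_SECURE_LENGTH = 20      # minimum passphrase length given on the slide
PBKDF2_ITERATIONS = 4096    # fixed by the WPA/802.11i PSK derivation
PSK_BYTES = 32              # the PSK is 256 bits long


def derive_psk(passphrase, ssid):
    """Derive the 256-bit PSK. The only secret input is the passphrase;
    the SSID is public and acts as the salt."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("WPA passphrases use printable ASCII only")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PSK_BYTES,
    )


def audit_passphrase(passphrase):
    """Return a list of policy findings; an empty list means it passes."""
    findings = []
    if len(passphrase) < MIN_SECURE_LENGTH:
        findings.append(
            f"{len(passphrase)} characters, below the minimum of {MIN_SECURE_LENGTH}"
        )
    # Assumed extra check (not on the slide): long but repetitive
    # passphrases such as "aaaaaaaaaaaaaaaaaaaaaa" add little strength.
    if len(set(passphrase.lower())) < 8:
        findings.append("fewer than 8 distinct characters")
    return findings


if __name__ == "__main__":
    # Constructed sample values
    for phrase in ("password", "river-Quartz-lantern-42-oak"):
        print(phrase, "->", audit_passphrase(phrase) or "passes")
    # Same passphrase, different SSID: a different PSK, because the SSID is the salt.
    print(derive_psk("password", "IEEE").hex())
    print(derive_psk("password", "HomeNet").hex())
```

Because nothing but the passphrase is secret in this derivation, the strength of PSK mode rests entirely on the passphrase, which is why the slide insists on length.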
7.4: 802.1X and PSK Modes
 | Can use 802.1X mode? | Can use PSK mode?
WPA | Yes | Yes
802.11i | Yes | Yes
7.4: 802.1X and PSK Modes
Both WPA and 802.11i use both modes.
This is not surprising because WPA was derived from 802.11i.
Protect communication between a wireless host and an access point
VPNs needed to protect client-to-server communication end to end
802.11i core security protocol is recommended
Small firms & homes use 802.11i in PSK mode
Large firms use 802.11i in 802.1X mode with an authentication server
Core Security Protocols
The core security protocol will not protect against all security threats
Evil twin access points
WPS exploitation (PSK mode only)
Wireless denial-of-service (DoS) attacks
Additional measures are needed
Core Security Protocols
Sits outside the premises or in a wireless hot spot
◦ A PC with software to emulate an access point
◦ Entices the wireless client to associate with it
7.7: Evil Twin Access Point
Establishes a second connection with a legitimate access point
◦ All traffic between the wireless client and network servers passes through the evil twin.
7.7: Evil Twin Access Point
This is a classic man-in-the-middle attack.
Attacks on confidentiality because evil twin reads all traffic.
◦ Client encrypts traffic.
◦ Evil twin decrypts it and reads it.
◦ Evil twin reencrypts it and sends it on.
Evil twin can also send attacks by itself, impersonating the user.
◦ Attack does not pass through the border firewall.
7.7: Evil Twin Access Point
Virtual Private Networks (VPNs)
◦ End-to-end encryption with a pre-shared client-server secret
◦ The secret is never transmitted so cannot be intercepted.
7.8: Using a VPN to Counter Evil Twins
Sending wireless host
◦ Encrypts the packet for the VPN connection
◦ Encrypts the encrypted packet again for the 802.11i connection with the evil twin
◦ Sends the packet
Evil Twin
◦ Decrypts the 802.11i encryption
◦ Still cannot read the packet because it does not know the VPN key, which is never transmitted
7.8: Using a VPN to Counter Evil Twins
Usually just called WPS
A threat in PSK mode only
Protocol to make it easier to connect clients to access points
Client types an 8-digit number for that device
Access point accepts the number for authentication
Wi-Fi Protected Setup
Very popular
Created by the Wi-Fi Alliance, not the 802 Committee
Wi-Fi Protected Setup
Created by the Wi-Fi Alliance, not the IEEE
Designed poorly
8-digit code can be cracked in about 5,500 attempts
◦ Easy to do with automated attacks
Only solution is to turn off WPS at the router
◦ Many routers cannot even turn it off
Again, a problem for PSK but not 802.1X
Wi-Fi Protected Setup
Either overloads the access point with traffic or
Sends a command to get a client to disassociate from an access point
Uncommon but dangerous
Denial-of-Service (DoS) Attacks
802.11 Security
802.11 LAN management
Other local wireless technologies
Access Points Placement in a Building
◦ Must be done carefully for good coverage and to minimize interference between access points.
◦ Lay out 30-meter to 50-meter radius circles on blueprints.
◦ Adjust for obvious potential problems such as brick walls.
◦ In multistory buildings, must consider interference in three dimensions.
7.9: WLAN Management
Access Points Placement in a Building
◦ Install access points and do site surveys to determine signal quality.
◦ Adjust placement and signal strength as needed.
◦ In commercial access points, signal strength and other configuration information can be actively controlled.
7.9: WLAN Management
Remote Access Point Management
◦ The manual labor to manage many access points can be very high.
◦ They must be managed efficiently through automation.
7.9: WLAN Management
7.10: Wireless Access Point Management Alternatives
Remote Access Point Management
◦ Desired NETWORK functionality:
  ◦ Notify the WLAN administrators of failures immediately.
  ◦ Support remote access point adjustment.
  ◦ Should provide continuous transmission quality monitoring.
  ◦ Allow software updates to be pushed out to all access points or WLAN switches.
  ◦ Work automatically whenever possible.
7.9: WLAN Management
Remote Access Point Management
◦ Desired SECURITY functionality:
  ◦ Notify administrator of rogue access points.
  ◦ Notify administrator of evil twin access points.
  ◦ Notify the administrator of flooding denial-of-service attacks.
  ◦ Notify the administrator of disassociate message denial-of-service attacks.
  ◦ Instantly deny access to selected stations under selected conditions.
7.9: WLAN Management
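One way a management console could raise the rogue and evil twin notifications listed above, as an added example that is not from the textbook slides. The access point inventory, the constructed scan records and the classification rules (known BSSID, corporate SSID, signal threshold) are all assumptions.

```python
from dataclasses import dataclass

# Assumed inventory of authorized access points: BSSID -> (SSID, security mode)
AUTHORIZED = {
    "02:aa:00:00:00:01": ("CorpNet", "802.11i-802.1X"),
    "02:aa:00:00:00:02": ("CorpNet", "802.11i-802.1X"),
}
CORPORATE_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}
ON_PREMISES_DBM = -65   # assumed: stronger signals are treated as inside the building


@dataclass
class Beacon:
    bssid: str
    ssid: str
    security: str
    rssi_dbm: int


def classify(beacon):
    """Label one observed beacon for the WLAN administrator."""
    known = AUTHORIZED.get(beacon.bssid.lower())
    if known:
        if (beacon.ssid, beacon.security) != known:
            return "misconfigured"      # authorized radio, wrong SSID or weaker security
        return "authorized"
    if beacon.ssid in CORPORATE_SSIDS:
        return "evil-twin-suspect"      # corporate SSID advertised by an unknown radio
    if beacon.rssi_dbm >= ON_PREMISES_DBM:
        return "rogue-suspect"          # unknown radio that appears to be on site
    return "neighbor"                   # weak, unrelated network outside the premises


def alerts(scan):
    """Return (label, bssid) pairs that should be sent to the administrator."""
    found = []
    for beacon in scan:
        label = classify(beacon)
        if label not in ("authorized", "neighbor"):
            found.append((label, beacon.bssid.lower()))
    return found


# Constructed sample scan, not real capture data
SAMPLE_SCAN = [
    Beacon("02:AA:00:00:00:01", "CorpNet", "802.11i-802.1X", -48),
    Beacon("02:aa:00:00:00:02", "CorpNet", "WEP", -52),
    Beacon("02:bb:00:00:00:07", "CorpNet", "open", -40),
    Beacon("02:bb:00:00:00:99", "Marketing-WiFi", "WEP", -55),
    Beacon("02:cc:00:00:00:55", "CoffeeShop", "802.11i-PSK", -88),
]

if __name__ == "__main__":
    for label, bssid in alerts(SAMPLE_SCAN):
        print(f"ALERT {label}: {bssid}")
```

Matching on BSSID alone is a weak identity check; a production system would also compare each access point's channel and signal baseline.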
Decibels
Box
Expressing ratios of transmission power
◦ Attenuation of signal during propagation (-)
◦ Amplification of signal so it will travel farther (+)
Multiples of 3 dB (decibels)
◦ +3 dB X2 (times two) power
◦ +6 dB X4 power
◦ +9 dB ?
◦ -3 dB ½ power
◦ -6 dB ?
The Basic Picture
Expressing ratios of transmission power
◦ Attenuation of signal during propagation (-)
◦ Amplification of signal so it will travel farther (+)
Units of 10 dB
◦ +10 dB X10 power
◦ +20 dB ? ?
◦ -10 dB ?
◦ -20 dB ?
The Basic Picture
Power is measured in Watts (W)
◦ Milliwatt (mW) = 1/1000 of a Watt
Transmitted power is 12 mW
◦ Attenuation during travel is -6 dB
◦ Final transmission power: ?
Radio power is 2 mW
◦ Antenna amplifies signal by 9 dB
◦ Final transmission power: ?
The Basic Picture
In radio engineering, you often have to express the ratio of two signal powers, P1 and P2.
◦ P1 is the initial power, P2 the final power
◦ Amplification makes P2 larger than P1
◦ Attenuation makes P2 smaller than P1
◦ Connector loss makes transmitted power P2 smaller than P1
Expressing Power Ratios in Decibels (dB)
In general, simple ratios are easy to understand.
However, P1 and P2 can vary by orders of magnitude, giving numbers that are difficult to interpret by reading.
Radio engineers express signal ratios in a logarithmic scale, decibels (dB).
Power Ratios as Decibels (dB)
Suppose you have amplification, so that while P1 is 20 milliwatts (mW), P2 is 80 mW.
Use the Excel LOG10() function.
Power Ratios as Decibels (dB)
If P2 > P1, then the ratio is greater than 1, and the dB value is positive.
Suppose you have attenuation, so that while P1 is 30 milliwatts (mW), P2 is 1.3 mW.
Use the Excel LOG10() function.
Power Ratios as Decibels (dB)
If P2 < P1, then the ratio is less than 1, and the dB value is negative.
Suppose you have amplification, so that while P1 is 20 milliwatts (mW), P2 is 30 mW.
◦ What is LdB?
Power Ratios as Decibels (dB)
Suppose you have a loss of power of 30% at a coupler between the radio and the antenna.
◦ How would you compute LdB?
Power Ratios as Decibels (dB)
A doubling of power is 3.0103 dB
◦ This is almost exactly 3.
◦ Use 3 in estimates.
◦ Fill in the two missing dB values.
Power Ratios as Decibels (dB)
Ratio | N (as in 2^N) | dB
16 | 4 |
8 | 3 | 9 dB
4 | 2 | 6 dB
2 | 1 | 3 dB
1 | 0 | 0 dB
1/2 | -1 | -3 dB
1/4 | -2 | -6 dB
1/8 | -3 |
A factor of 10 increase is 10 dB
◦ This is exactly 10.
◦ Fill in the two missing dB values.
Power Ratios as Decibels (dB)
Ratio | N (as in 10^N) | dB
10,000 | 4 |
1,000 | 3 | 30 dB
100 | 2 | 20 dB
10 | 1 | 10 dB
1 | 0 | 0 dB
1/10 | -1 | -10 dB
1/100 | -2 | -20 dB
1/1,000 | -3 |
dB gives power ratios.
dBm gives absolute power, relative to 1 milliwatt (mW).
◦ P1 = 1 mW
What is the dBm for 2 mW?
What is the dBm for 0.01 mW?
What is the dBm for 1 Watt?
Power in dBm
Power ratios multiply
◦ Initial power = 1 Watt
◦ Loss of power at antenna coupler = .5
◦ Loss of power due to attenuation = 90%
◦ Loss of power due to wall = 75%
◦ What is the final power?
Decibels
Decibels add
◦ Initial power = 1 Watt (30 dBm)
◦ Loss of power at antenna coupler = .5 (-3 dB)
◦ Loss of power due to attenuation = 90% (-10 dB)
◦ Loss of power due to wall = 75% (-6 dB)
◦ What is the final power?
Decibels
Converting decibels back to power ratios
Decibels
Converting decibels back to power ratios
◦ What is the power ratio for 30 dB?
◦ What is the power ratio for -8 dB? (Do it in a spreadsheet.)
Decibels
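The decibel slides worked through in code, as an added example that is not from the textbook. It uses the standard definition L_dB = 10·log10(P2/P1) and runs the slides' own numbers through it; the function names are assumptions.

```python
import math


def ratio_to_db(p1_mw, p2_mw):
    """L_dB = 10 * log10(P2 / P1): positive for gain, negative for loss."""
    if p1_mw <= 0 or p2_mw <= 0:
        raise ValueError("powers must be positive")
    return 10 * math.log10(p2_mw / p1_mw)


def db_to_ratio(db):
    """Inverse conversion: P2 / P1 = 10 ** (dB / 10)."""
    return 10 ** (db / 10)


def mw_to_dbm(p_mw):
    """Absolute power in dBm is the dB ratio against P1 = 1 mW."""
    return ratio_to_db(1.0, p_mw)


def apply_db(p_mw, db):
    """Power after one gain (+dB) or loss (-dB) stage."""
    return p_mw * db_to_ratio(db)


def link_budget(start_mw, lost_fractions):
    """Follow a signal through stages that each lose a fraction of its power.

    Returns (exact_mw, estimate_mw): the exact product of the ratios, and
    the estimate obtained by adding whole-number dB values as the slides
    do (a 50% loss counted as -3 dB rather than -3.0103 dB).
    """
    exact_mw = start_mw
    estimate_dbm = round(mw_to_dbm(start_mw))
    for lost in lost_fractions:
        if not 0 <= lost < 1:
            raise ValueError("lost fraction must be in [0, 1)")
        kept = 1 - lost
        exact_mw *= kept                                  # power ratios multiply
        estimate_dbm += round(ratio_to_db(1.0, kept))     # decibels add
    return exact_mw, db_to_ratio(estimate_dbm)


if __name__ == "__main__":
    print(f"20 mW -> 80 mW : {ratio_to_db(20, 80):+.2f} dB")
    print(f"30 mW -> 1.3 mW: {ratio_to_db(30, 1.3):+.2f} dB")
    print(f"30% coupler loss: {ratio_to_db(1, 0.7):+.2f} dB")
    print(f"12 mW after -6 dB: {apply_db(12, -6):.2f} mW")
    print(f"2 mW after +9 dB : {apply_db(2, 9):.2f} mW")
    for p in (2, 0.01, 1000):
        print(f"{p} mW = {mw_to_dbm(p):+.2f} dBm")
    # 1 W, then coupler (.5 lost), attenuation (90% lost), wall (75% lost)
    exact, estimate = link_budget(1000, [0.5, 0.9, 0.75])
    print(f"final power: {exact:.2f} mW exact, {estimate:.2f} mW from 30-3-10-6 dBm")
    print(f"-8 dB is a power ratio of {db_to_ratio(-8):.4f}")
```

The small gap between the two final-power figures is the cost of rounding 3.0103 dB to 3 dB at each stage.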
802.11 Security
802.11 LAN management
Other local wireless technologies
 | 802.11i | Bluetooth | Near Field Communication (NFC) | Ultrawideband (UWB)
Use | Wi-Fi Direct gives direct communication between two wireless devices | Personal area networks (PANs) around a desk or a person’s body | Very near communication between two wireless hosts | Extremely high speed, short distance communication
7.12: Other Wireless Technologies
 | Wi-Fi Direct | Bluetooth | Near Field Communication (NFC) | Ultrawideband (UWB)
Typical Speed | 20-300 Mbps | 2 Mbps | 106, 212, or 424 kbps | 100 Mbps
Service Range | 30-50 m | 10 m | 10 cm | 10 m
Requires Wall Power | Yes | No | No | Yes
Service Band | 2.4 and 5 GHz | 2.4 GHz | 13.56 kHz | UWB channels typically span multiple entire service bands
7.12: Other Wireless Technologies
For Personal Area Networks (PANs)
◦ Devices on a person’s body and nearby (earphone, mobile phone, netbook computer, etc.)
◦ Devices around a desk (computer, mouse, keyboard, printer)
Bluetooth
Cable Replacement Technology
◦ For example, with a Bluetooth phone, you can print wirelessly to a nearby Bluetooth-enabled printer.
◦ Does not use access points.
Bluetooth
7.13 Bluetooth Modes of Operation
 | Classic Bluetooth | High-Speed Bluetooth | Low-Energy Bluetooth
Principal Benefit | Good performance at low power | High-speed transfers available when needed | Ultra-long battery life and ultra-fast setup times
Speed | Up to 3 Mbps | Up to about 24 Mbps | Up to 200 kbps
Expected Duty Cycle | Low to High | Low to High | Very Low
Power Required | Low | High | Very Low
Distance | ~10 m | ~30 m | ~15 m
7.14: Bluetooth Operation
7.14: Bluetooth Operation
A device, in this case the Desktop, can be simultaneously a master and a slave.
7.14: Bluetooth Operation
Bluetooth Profiles
◦ 802.11 did not have to develop application standards. Many standards already existed.
◦ But standards did not exist for new short-distance applications such as printing to a printer.
◦ The Bluetooth Special Interest Group had to develop various standards in addition to radio transmission standards.
◦ It called these Bluetooth profiles.
7.14: Bluetooth Operation
7.14: Bluetooth Operation
Bluetooth Profiles
Pairing
◦ When two devices first encounter each other, they must go through a negotiation process.
◦ This negotiation process is called pairing.
  ◦ The text uses the obsolete term peering.
◦ It involves the exchange of device information.
◦ It may involve authentication.
◦ It may also involve one or both of the device owners explicitly deciding if the two devices should be allowed to communicate.
7.15 Bluetooth Pairing and Binding
Service Discovery Profile (SDP)
◦ Peering uses the Service Discovery Profile (SDP).
◦ Normally, a device is in discoverable mode.
◦ If it receives a Service Discovery Protocol request, it will send information about itself:
  ◦ Name
  ◦ Device class
  ◦ Bluetooth profiles supported
  ◦ Technical information such as manufacturer’s name
7.15: Bluetooth Peering and Binding
Binding
◦ After peering is complete, the two devices are bound.
◦ They can begin communicating.
◦ If they are brought together later, they are still bound.
◦ They will begin communication without the peering process.
◦ This allows fast setup.
◦ The owner of either device can end the binding.
7.15: Bluetooth Peering and Binding
802.11 Wi-Fi uses 20 MHz or wider channels in the 2.4 GHz and 5 GHz bands.
Bluetooth operates only in the 2.4 GHz band.
Bluetooth divides the band into 79 channels, each 1 MHz wide.
◦ For spread spectrum transmission, hops between channels every few frames
7.16: Frequency Hopping Spread Spectrum
Bluetooth radios hop among the frequencies up to 1,600 times per second.
These radios avoid channels where other devices (including 802.11 devices) are active.
7.16: Frequency Hopping Spread Spectrum
7.17: Near Field Communication (NFC)
Payment of bus fares (already popular in some countries)
Retail payments, including loyalty points and coupons (beginning to be popular)
Opening car doors, turning on the ignition
Building door entry control
Sharing business cards between mobile devices
NFC posters with tap points for more information
…
7.18: Possible NFC Apps
Radio frequency ID (RFID) tags contain information about an item.
A passive RFID tag has no internal power source.
When read by an NFC device, the power of the reading request gives power for the response!
13.56 kHz was specified by ISO/IEC for passive RFID tags long before NFC standards were created.
With sensitive antennas, NFC transmission can be eavesdropped upon from a distance.
Possible NFC Apps
Enormously wide channels
Very low power per hertz to avoid interfering with other transmissions
Very high speeds over short distances (~10 m)
7.20 Ultrawideband Transmission
Threats
◦ Eavesdropping
◦ Data modification
◦ Impersonation
◦ Denial-of-service attacks
7.21 Security in Emerging Wireless Technologies
Cryptological Security
◦ Some local wireless technologies have no cryptological security.
◦ Example: Near field communication for reading passive ID tags.
◦ They rely on short transmission distances to foil eavesdroppers.
◦ Directional antennas and amplifiers can defeat this.
7.21 Security in Emerging Wireless Technologies
Strength of Security
◦ Some have reasonably good security.
◦ Example: Bluetooth
◦ However, still not as strong as 802.11i and WPA security.
7.21 Security in Emerging Wireless Technologies
Device Loss or Theft
◦ In this age of bring your own device (BYOD) to work, this is a serious problem.
◦ Information on most devices is protected only by short PINs …
◦ If they have PINs at all
◦ Sometimes there are ways to bypass the initial lock screen
7.21 Security in Emerging Wireless Technologies
Maturity
◦ In general, new security technologies take some time to mature.
◦ During this period, they often have vulnerabilities that must be fixed quickly.
◦ User companies must master security for each new technology.
7.21 Security in Emerging Wireless Technologies
Where We’ve Been
802.11 Security
802.11 LAN management
Other local wireless technologies
Chapter 5 dealt with single wired switched networks.
Chapters 6 and 7 dealt with single wireless networks.
Single networks operate at Layers 1 and 2 and so use OSI standards
Chapters 8 and 9 deal with internets at Layers 3 and 4, where the IETF’s TCP/IP standards dominate.
Where We’re Going