chapter 7 panko and panko business data networks and security, 9 th edition © 2013 pearson panko...


Upload: kory-cameron

Post on 23-Dec-2015


Page 1: Chapter 7 Panko and Panko Business Data Networks and Security, 9 th Edition © 2013 Pearson Panko and Panko Business Data Networks and Security, 9 th Edition

Wireless LANs II
Chapter 7

Panko and Panko
Business Data Networks and Security, 9th Edition
© 2013 Pearson

Revised August 2013

Where We Are

Chapters 1–4: Introductory Material
Chapter 5: Switched Ethernet LANs
Chapter 6: 802.11 Standards and Operation
Chapter 7: 802.11 Security, 802.11 Management, Other Local Wireless Technologies
Chapters 8–9: TCP/IP Internetworking
Chapter 10: Wide Area Networks
Chapter 11: Applications

802.11 Security
802.11 LAN management
Other local wireless technologies

7.1: WLAN Security Threats

Drive-By Hackers
◦ Sit outside the corporate premises and read network traffic
◦ Can send malicious traffic into the network
◦ Easily done with readily downloadable software

War Drivers
◦ Merely discover unprotected access points—become drive-by hackers only if they break in
◦ War driving per se is not illegal

7.1: WLAN Security Threats

Unprotected Access Points
◦ Drive-by hackers can associate with any unprotected access point.
◦ They gain access to the local area network without going through the site firewall.

7.1: WLAN Security Threats

Rogue Access Points
◦ Unauthorized access points that are set up by a department or an individual
◦ Often have very poor security, making drive-by hacking easier
◦ Often operate at high power, attracting many hosts to their low-security service

7.2: Core 802.11 Security Standards

802.11 core security protocols protect communication between a wireless client and a legitimate access point.

They provide encryption for confidentiality, authentication, and other cryptographic protections.

7.2: Core 802.11 Security Standards

802.11 core security protocols protect only wireless client–access point communication.

7.3: 802.11 Core Security Standards

Only Provide Security Between the Wireless Station and the Wireless Access Point
◦ Client (and perhaps access point) authentication
◦ Encryption of messages for confidentiality

7.3: 802.11 Core Security Standards

Wired Equivalent Privacy (WEP)
◦ Initial rudimentary security provided with 802.11 in 1997.
◦ Everyone shared the same secret encryption key, and this key could not be changed automatically.
◦ Because the secret key was shared by everybody, it did not seem to be secret, and users often gave it out freely.
◦ Key initially could be cracked in 1 to 2 hours; now can be cracked in 3 to 10 minutes using readily available software.

7.3: 802.11 Core Security Standards

Wireless Protected Access (WPA)
◦ Created by the Wi-Fi Alliance
    ◦ Normally certifies interoperability of 802.11 equipment
    ◦ Created WPA as a stop-gap security standard in 2002 until 802.11i was finished

7.3: 802.11 Core Security Standards

Wireless Protected Access (WPA)
◦ Designed for upgrading old equipment
    ◦ WPA uses a subset of 802.11i that can run on older wireless NICs and access points.
    ◦ WPA added simpler security algorithms for functions that could not run on older machines.
◦ Equipment that cannot be upgraded to WPA should be discarded.

7.3: 802.11 Core Security Standards

802.11i (WPA2)
◦ Uses AES-CCMP with 128-bit keys for confidentiality and key management.
◦ 802.11i is the gold standard in 802.11 security.
◦ But companies have large installed bases of WPA-configured equipment, so they are hesitant to upgrade.
◦ WPA has now been partially cracked, and this is leading many firms to upgrade.

7.3: 802.11 Core Security Standards

WEP: Initial core security standard. Easily cracked today.
WPA: Has been partially cracked. Large installed base makes upgrading the entire network to 802.11i expensive.
802.11i (WPA2): Today’s preferred standard. Extremely strong.

7.4: 802.1X and PSK Modes

Both WPA and 802.11i have two modes of operation.
◦ 802.1X mode for large organizations
    ◦ Uses a central authentication server for consistency
    ◦ Authentication server also provides key management
    ◦ Wi-Fi Alliance calls it Enterprise Mode

[Figure 7.5: 802.1X Mode for 802.11i and WPA]

7.5: 802.1X Mode for 802.11i (and WPA)

802.1X Mode (See Figure 7-5)
◦ 802.1X in WPA and 802.11i protects client-access point communication with an extensible authentication protocol.

EAP must be protected.
◦ No problem with UTP.
◦ Big problem for wireless.
◦ For wireless, EAP had to be extended.

7.4: 802.1X and PSK Modes

WPA and 802.11i have two modes
◦ 802.1X mode is for firms with many access points
    ◦ Authentication is done on a central authentication server
◦ Pre-Shared Key mode for homes or small firms
    ◦ For homes or small businesses with a single access point.
    ◦ Access point does all authentication and key management.
    ◦ Wi-Fi Alliance calls this personal mode.

[Figure 7.6: 802.11i and WPA in Pre-Shared Key Mode]

7.4: 802.1X and PSK Modes

Both WPA and 802.11i have two modes of operation.
◦ Pre-Shared Key mode for homes or small firms
    ◦ Session keys are keys for a single connection by a device
    ◦ Giving each user a different session key makes cryptanalysis (breaking a key) almost impossible because too little traffic is generated with each session key.
    ◦ The next time the device connects to the access point, it will receive a different session key.

7.4: 802.1X and PSK Modes

Both WPA and 802.11i have two modes of operation.
◦ Pre-Shared Key mode for homes or small firms
    ◦ However ….
    ◦ Pre-shared key is generated by typing a passphrase (not just a short password)
    ◦ To generate a secure PSK, the passphrase must be at least 20 characters long.
    ◦ Otherwise, as bad as WEP

7.4: 802.1X and PSK Modes

| | Can use 802.1X mode? | Can use PSK mode? |
|---|---|---|
| WPA | Yes | Yes |
| 802.11i | Yes | Yes |

Both WPA and 802.11i use both modes. This is not surprising because WPA was derived from 802.11i.

Core Security Protocols

Protect communication between a wireless host and an access point
VPNs needed to protect client-to-server communication end to end
802.11i core security protocol is recommended
◦ Small firms & homes use 802.11i in PSK mode
◦ Large firms use 802.11i in 802.1X mode with an authentication server

Core Security Protocols

The core security protocol will not protect against all security threats
◦ Evil twin access points
◦ WPS exploitation (PSK mode only)
◦ Wireless denial-of-service (DoS) attacks

Additional measures are needed

7.7: Evil Twin Access Point

Sits outside the premises or in a wireless hot spot
◦ A PC with software to emulate an access point
◦ Entices the wireless client to associate with it

7.7: Evil Twin Access Point

Establishes a second connection with a legitimate access point
◦ All traffic between the wireless client and network servers passes through the evil twin.

7.7: Evil Twin Access Point

This is a classic man-in-the-middle attack.

Attacks on confidentiality because the evil twin reads all traffic.
◦ Client encrypts traffic.
◦ Evil twin decrypts it and reads it.
◦ Evil twin reencrypts it and sends it on.

The evil twin can also send attacks of its own, impersonating the user.
◦ Attack does not pass through the border firewall.

7.8: Using a VPN to Counter Evil Twins

Virtual Private Networks (VPNs)
◦ End-to-end encryption with a pre-shared client-server secret
◦ The secret is never transmitted so cannot be intercepted.

7.8: Using a VPN to Counter Evil Twins

Sending wireless host
◦ Encrypts the packet for the VPN connection
◦ Encrypts the encrypted packet again for the 802.11i connection with the evil twin
◦ Sends the packet

Evil Twin
◦ Decrypts the 802.11i encryption
◦ Still cannot read the packet because it does not know the VPN key, which is never transmitted

Wi-Fi Protected Setup

Usually just called WPS
A threat in PSK mode only
Protocol to make it easier to connect clients to access points
Client types an 8-digit number for that device
Access point accepts the number for authentication

Wi-Fi Protected Setup

Very popular
Created by the Wi-Fi Alliance, not the 802 Committee

Wi-Fi Protected Setup

Created by the Wi-Fi Alliance, not the IEEE
Designed poorly
8-digit code can be cracked in about 5,500 attempts
◦ Easy to do with automated attacks
Only solution is to turn off WPS at the router
◦ Many routers cannot even turn it off
Again, a problem for PSK but not 802.1X
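The chapter's core-protocol guidance (802.11i rather than WPA or WEP, a passphrase of at least 20 characters in PSK mode, WPS turned off in PSK mode, an authentication server in 802.1X mode) can be checked mechanically. The following is an added example, not taken from the slides or the textbook; the configuration field names and the sample networks are constructed for illustration. It also derives the 256-bit PSK the way 802.11i maps a passphrase to a key (PBKDF2-HMAC-SHA1, 4,096 iterations, SSID as salt).

```python
import hashlib

MIN_PASSPHRASE_LEN = 20  # the chapter's minimum length for a secure PSK


def derive_psk(passphrase, ssid):
    """802.11i passphrase-to-key mapping: PBKDF2-HMAC-SHA1 with the SSID as
    salt, 4096 iterations, 256-bit output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA/802.11i passphrases are 8 to 63 characters long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def audit_wlan(cfg):
    """Return (severity, message) findings for one WLAN configuration.
    The cfg keys are hypothetical field names chosen for this example."""
    findings = []
    protocol, mode = cfg["protocol"], cfg.get("mode")

    if protocol == "WEP":
        findings.append(("FAIL", "WEP is easily cracked; upgrade or discard the equipment"))
        return findings
    if protocol == "WPA":
        findings.append(("WARN", "WPA has been partially cracked; plan the move to 802.11i"))
    elif protocol != "802.11i":
        findings.append(("FAIL", "unknown core security protocol: %r" % protocol))
        return findings

    if mode == "PSK":
        if len(cfg.get("passphrase", "")) < MIN_PASSPHRASE_LEN:
            findings.append(("FAIL", "PSK passphrase shorter than 20 characters"))
        if cfg.get("wps_enabled", True):  # an unknown WPS state is treated as enabled
            findings.append(("FAIL", "WPS is enabled in PSK mode; turn it off at the router"))
        if cfg.get("access_points", 1) > 1:
            findings.append(("WARN", "PSK mode is meant for a single access point; use 802.1X mode"))
    elif mode == "802.1X":
        if not cfg.get("auth_server"):
            findings.append(("FAIL", "802.1X mode needs a central authentication server"))
    else:
        findings.append(("FAIL", "mode must be PSK or 802.1X"))
    return findings


# Constructed sample configurations (not real networks).
SAMPLES = [
    {"name": "home-old", "protocol": "WEP"},
    {"name": "small-office", "protocol": "802.11i", "mode": "PSK",
     "passphrase": "summer2013", "wps_enabled": True},
    {"name": "small-office-fixed", "protocol": "802.11i", "mode": "PSK",
     "passphrase": "orchid-lantern-velvet-harbor-42", "wps_enabled": False},
    {"name": "campus", "protocol": "WPA", "mode": "802.1X",
     "auth_server": "radius.example.internal"},
]

if __name__ == "__main__":
    for cfg in SAMPLES:
        print(cfg["name"], audit_wlan(cfg) or "OK")
    key = derive_psk(SAMPLES[2]["passphrase"], "ExampleSSID")
    print("PSK is", len(key) * 8, "bits and depends on both passphrase and SSID")
```

Because the SSID is the salt, the same passphrase yields a different key on a differently named network, but a short passphrase remains guessable whatever the SSID is.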

Denial-of-Service (DoS) Attacks

Either overloads the access point with traffic or
Sends a command to get a client to disassociate from an access point
Uncommon but dangerous

802.11 Security
802.11 LAN management
Other local wireless technologies

7.9: WLAN Management

Access Points Placement in a Building
◦ Must be done carefully for good coverage and to minimize interference between access points.
◦ Lay out 30-meter to 50-meter radius circles on blueprints.
◦ Adjust for obvious potential problems such as brick walls.
◦ In multistory buildings, must consider interference in three dimensions.

7.9: WLAN Management

Access Points Placement in a Building
◦ Install access points and do site surveys to determine signal quality.
◦ Adjust placement and signal strength as needed.
◦ In commercial access points, signal strength and other configuration information can be actively controlled.

7.9: WLAN Management

Remote Access Point Management
◦ The manual labor to manage many access points can be very high.
◦ They must be managed efficiently through automation.

[Figure 7.10: Wireless Access Point Management Alternatives]

7.9: WLAN Management

Remote Access Point Management
◦ Desired NETWORK functionality:
    ◦ Notify the WLAN administrators of failures immediately.
    ◦ Support remote access point adjustment.
    ◦ Should provide continuous transmission quality monitoring.
    ◦ Allow software updates to be pushed out to all access points or WLAN switches.
    ◦ Work automatically whenever possible.

7.9: WLAN Management

Remote Access Point Management
◦ Desired SECURITY functionality:
    ◦ Notify administrator of rogue access points.
    ◦ Notify administrator of evil twin access points.
    ◦ Notify the administrator of flooding denial-of-service attacks.
    ◦ Notify the administrator of disassociate message denial-of-service attacks.
    ◦ Instantly deny access to selected stations under selected conditions.
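One way a management system could produce three of the notifications listed above (rogue access point, evil twin, disassociate-message DoS), written as an added example that is not from the slides, the textbook or any vendor product. The observation records, the authorized inventory, the signal-strength cutoff and the frame-count threshold are all constructed assumptions.

```python
from collections import defaultdict

# Authorized inventory (constructed): BSSID -> SSID the access point should advertise.
AUTHORIZED = {
    "00:11:22:33:44:01": "CorpWLAN",
    "00:11:22:33:44:02": "CorpWLAN",
}
ON_PREMISES_DBM = -60   # assumption: a stronger signal means the radio is inside the site
DISASSOC_LIMIT = 5      # assumption: more disassociate frames than this per window is abnormal
WINDOW_S = 10.0         # sliding window length in seconds


def classify_beacons(beacons, authorized=AUTHORIZED):
    """Map each unknown BSSID to 'evil-twin' or 'rogue'.

    evil-twin: advertises a corporate SSID from a BSSID that is not in inventory.
    rogue:     unknown BSSID with its own SSID but a signal strong enough to be
               on the premises (an unauthorized departmental or personal AP).
    Weak unknown signals are treated as neighbouring networks and ignored.
    """
    corporate_ssids = set(authorized.values())
    alerts = {}
    for b in beacons:
        bssid = b["bssid"]
        if bssid in authorized:
            continue
        if b["ssid"] in corporate_ssids:
            alerts[bssid] = "evil-twin"
        elif b["rssi_dbm"] >= ON_PREMISES_DBM:
            alerts.setdefault(bssid, "rogue")
    return alerts


def disassoc_floods(frames, limit=DISASSOC_LIMIT, window=WINDOW_S):
    """Return the clients that received more than `limit` disassociate frames
    within any `window`-second span."""
    times = defaultdict(list)
    for f in frames:
        if f["type"] == "disassoc":
            times[f["client"]].append(f["ts"])
    flooded = set()
    for client, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 > limit:
                flooded.add(client)
                break
    return flooded


# Constructed observations, as a monitoring sensor might report them.
SAMPLE_BEACONS = [
    {"ssid": "CorpWLAN", "bssid": "00:11:22:33:44:01", "rssi_dbm": -48},
    {"ssid": "CorpWLAN", "bssid": "02:aa:bb:cc:dd:01", "rssi_dbm": -40},
    {"ssid": "Marketing-Fast", "bssid": "02:aa:bb:cc:dd:02", "rssi_dbm": -45},
    {"ssid": "CoffeeShop", "bssid": "02:aa:bb:cc:dd:03", "rssi_dbm": -82},
]
SAMPLE_FRAMES = (
    [{"type": "disassoc", "client": "client-1", "ts": 100 + 0.25 * i} for i in range(8)]
    + [{"type": "disassoc", "client": "client-2", "ts": t} for t in (100.0, 160.0)]
    + [{"type": "assoc", "client": "client-2", "ts": 161.0}]
)

if __name__ == "__main__":
    for bssid, kind in classify_beacons(SAMPLE_BEACONS).items():
        print("ALERT", kind, bssid)
    for client in sorted(disassoc_floods(SAMPLE_FRAMES)):
        print("ALERT disassociate flood against", client)
```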

Decibels (Box)

The Basic Picture

Expressing ratios of transmission power
◦ Attenuation of signal during propagation (-)
◦ Amplification of signal so it will travel farther (+)

Multiples of 3 dB (decibels)
◦ +3 dB: X2 (times two) power
◦ +6 dB: X4 power
◦ +9 dB: ?
◦ -3 dB: ½ power
◦ -6 dB: ?

The Basic Picture

Expressing ratios of transmission power
◦ Attenuation of signal during propagation (-)
◦ Amplification of signal so it will travel farther (+)

Units of 10 dB
◦ +10 dB: X10 power
◦ +20 dB: ? ?
◦ -10 dB: ?
◦ -20 dB: ?

The Basic Picture

Power is measured in Watts (W)
◦ Milliwatt (mW) = 1/1000 of a Watt

Transmitted power is 12 mW
◦ Attenuation during travel is -6 dB
◦ Final transmission power: ?

Radio power is 2 mW
◦ Antenna amplifies signal by 9 dB
◦ Final transmission power: ?

Expressing Power Ratios in Decibels (dB)

In radio engineering, you often have to express the ratio of two signal powers, P1 and P2.
◦ P1 is the initial power, P2 the final power
◦ Amplification makes P2 larger than P1
◦ Attenuation makes P2 smaller than P1
◦ Connector loss makes transmitted power P2 smaller than P1

Power Ratios as Decibels (dB)

In general, simple ratios are easy to understand.

However, P1 and P2 can vary by orders of magnitude, giving numbers that are difficult to interpret by reading.

Radio engineers express signal ratios in a logarithmic scale, decibels (dB).

 

Power Ratios as Decibels (dB)

Suppose you have amplification, so that while P1 is 20 milliwatts (mW), P2 is 80 mW.

Use the Excel LOG10() function.

If P2 > P1, then the ratio is greater than 1, and the dB value is positive.

 

Power Ratios as Decibels (dB)

Suppose you have attenuation, so that while P1 is 30 milliwatts (mW), P2 is 1.3 mW.

Use the Excel LOG10() function.

If P2 < P1, then the ratio is less than 1, and the dB value is negative.

 

 

Power Ratios as Decibels (dB)

Suppose you have amplification, so that while P1 is 20 milliwatts (mW), P2 is 30 mW.
◦ What is LdB?

 

Power Ratios as Decibels (dB)

Suppose you have a loss of power of 30% at a coupler between the radio and the antenna.
◦ How would you compute LdB?

 

Power Ratios as Decibels (dB)

A doubling of power is 3.0103 dB
◦ This is almost exactly 3.
◦ Use 3 in estimates.
◦ Fill in the two missing dB values.

| Ratio | N (as in 2^N) | dB |
|---|---|---|
| 16 | 4 | |
| 8 | 3 | 9 dB |
| 4 | 2 | 6 dB |
| 2 | 1 | 3 dB |
| 1 | 0 | 0 dB |
| 1/2 | -1 | -3 dB |
| 1/4 | -2 | -6 dB |
| 1/8 | -3 | |

Power Ratios as Decibels (dB)

A factor of 10 increase is 10 dB
◦ This is exactly 10.
◦ Fill in the two missing dB values.

| Ratio | N (as in 10^N) | dB |
|---|---|---|
| 10,000 | 4 | |
| 1,000 | 3 | 30 dB |
| 100 | 2 | 20 dB |
| 10 | 1 | 10 dB |
| 1 | 0 | 0 dB |
| 1/10 | -1 | -10 dB |
| 1/100 | -2 | -20 dB |
| 1/1,000 | -3 | |

Power in dBm

dB gives power ratios.

dBm gives absolute power, relative to 1 milliwatt (mW).
◦ P1 = 1 mW

What is the dBm for 2 mW?
What is the dBm for 0.01 mW?
What is the dBm for 1 Watt?

 

Decibels

Power ratios multiply
◦ Initial power = 1 Watt
◦ Loss of power at antenna coupler = .5
◦ Loss of power due to attenuation = 90%
◦ Loss of power due to wall = 75%
◦ What is the final power?

 

Decibels

Decibels add
◦ Initial power = 1 Watt (30 dBm)
◦ Loss of power at antenna coupler = .5 (-3 dB)
◦ Loss of power due to attenuation = 90% (-10 dB)
◦ Loss of power due to wall = 75% (-6 dB)
◦ What is the final power?

 

Decibels

Converting decibels back to power ratios

 

 

 

Decibels

Converting decibels back to power ratios
◦ What is the power ratio for 30 dB?
◦ What is the power ratio for -8 dB? (Do it in a spreadsheet.)
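An added worked example (not from the slides or the textbook) that carries the 1-watt link budget from the "Power ratios multiply" and "Decibels add" slides through both ways and compares the exact result with the 3 dB / 10 dB rule of thumb. It uses the standard definition dB = 10 × log10(P2/P1); the function names are chosen for this example.

```python
import math


def ratio_to_db(p1, p2):
    """Decibel value of the power ratio P2/P1 (P1 initial, P2 final)."""
    return 10 * math.log10(p2 / p1)


def db_to_ratio(db):
    """Convert a decibel value back to the power ratio P2/P1."""
    return 10 ** (db / 10)


def mw_to_dbm(mw):
    """Absolute power in dBm, that is, decibels relative to P1 = 1 mW."""
    return ratio_to_db(1.0, mw)


def estimate_db(ratio):
    """Rule-of-thumb dB value: 3 dB per factor of 2 and 10 dB per factor of 10.
    Returns None when the ratio is not of the form 2**a * 10**b."""
    for b in range(-6, 7):
        for a in range(-6, 7):
            if math.isclose(ratio, 2.0 ** a * 10.0 ** b, rel_tol=1e-9):
                return 3 * a + 10 * b
    return None


def link_budget(initial_mw, stages):
    """stages is a list of (name, fraction_of_power_passed) pairs.

    Returns the final power computed by multiplying ratios (mW), by adding
    exact decibel values (dBm), and by adding rule-of-thumb values (dBm).
    """
    final_mw = initial_mw
    exact_dbm = mw_to_dbm(initial_mw)
    estimated_dbm = estimate_db(initial_mw)
    for _name, passed in stages:
        final_mw *= passed                       # power ratios multiply
        exact_dbm += ratio_to_db(1.0, passed)    # decibels add
        step = estimate_db(passed)
        if estimated_dbm is not None and step is not None:
            estimated_dbm += step
        else:
            estimated_dbm = None
    return {"final_mw": final_mw, "final_dbm": exact_dbm,
            "estimated_dbm": estimated_dbm}


# The stages from the slides: a loss of 90% passes 10% of the power, and so on.
SLIDE_STAGES = [
    ("antenna coupler", 0.5),
    ("propagation attenuation", 1 - 0.90),
    ("wall", 1 - 0.75),
]

if __name__ == "__main__":
    budget = link_budget(1000.0, SLIDE_STAGES)   # 1 Watt = 1000 mW
    print("multiplying ratios: %.2f mW" % budget["final_mw"])
    print("adding decibels:    %.2f dBm" % budget["final_dbm"])
    print("rule of thumb:      %d dBm" % budget["estimated_dbm"])
    print("amplification 20 mW -> 80 mW: %.2f dB" % ratio_to_db(20, 80))
    print("attenuation 30 mW -> 1.3 mW: %.2f dB" % ratio_to_db(30, 1.3))
```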

 

 

 

802.11 Security
802.11 LAN management
Other local wireless technologies

7.12: Other Wireless Technologies

| | 802.11i | Bluetooth | Near Field Communication (NFC) | Ultrawideband (UWB) |
|---|---|---|---|---|
| Use | Wi-Fi Direct gives direct communication between two wireless devices | Personal area networks (PANs) around a desk or a person’s body | Very near communication between two wireless hosts | Extremely high speed, short distance communication |

7.12: Other Wireless Technologies

| | Wi-Fi Direct | Bluetooth | Near Field Communication (NFC) | Ultrawideband (UWB) |
|---|---|---|---|---|
| Typical Speed | 20-300 Mbps | 2 Mbps | 106, 212, or 424 kbps | 100 Mbps |
| Service Range | 30-50 m | 10 m | 10 cm | 10 m |
| Requires Wall Power | Yes | No | No | Yes |
| Service Band | 2.4 and 5 GHz | 2.4 GHz | 13.56 kHz | UWB channels typically span multiple entire service bands |

Bluetooth

For Personal Area Networks (PANs)
◦ Devices on a person’s body and nearby (earphone, mobile phone, netbook computer, etc.)
◦ Devices around a desk (computer, mouse, keyboard, printer)

Bluetooth

Cable Replacement Technology
◦ For example, with a Bluetooth phone, you can print wirelessly to a nearby Bluetooth-enabled printer.
◦ Does not use access points.

7.13 Bluetooth Modes of Operation

| | Classic Bluetooth | High-Speed Bluetooth | Low-Energy Bluetooth |
|---|---|---|---|
| Principal Benefit | Good performance at low power | High-speed transfers available when needed | Ultra-long battery life and ultra-fast setup times |
| Speed | Up to 3 Mbps | Up to about 24 Mbps | Up to 200 kbps |
| Expected Duty Cycle | Low to High | Low to High | Very Low |
| Power Required | Low | High | Very Low |
| Distance | ~10 m | ~30 m | ~15 m |

[Figure 7.14: Bluetooth Operation]

A device, in this case the Desktop, can be simultaneously a master and a slave.

7.14: Bluetooth Operation

Bluetooth Profiles
◦ 802.11 did not have to develop application standards. Many standards already existed.
◦ But standards did not exist for new short-distance applications such as printing to a printer.
◦ The Bluetooth Special Interest Group had to develop various standards in addition to radio transmission standards.
◦ It called these Bluetooth profiles.

[Figure 7.14: Bluetooth Operation (Bluetooth Profiles)]

7.15 Bluetooth Pairing and Binding

Pairing
◦ When two devices first encounter each other, they must go through a negotiation process.
◦ This negotiation process is called pairing.
    ◦ The text uses the obsolete term peering
◦ It involves the exchange of device information.
◦ It may involve authentication.
◦ It may also involve one or both of the device owners explicitly deciding if the two devices should be allowed to communicate.

7.15: Bluetooth Peering and Binding

Service Discovery Profile (SDP)
◦ Peering uses the Service Discovery Profile (SDP).
◦ Normally, a device is in discoverable mode.
◦ If it receives a Service Discovery Protocol request, it will send information about itself:
    ◦ Name
    ◦ Device class
    ◦ Bluetooth profiles supported
    ◦ Technical information such as manufacturer’s name

7.15: Bluetooth Peering and Binding

Binding
◦ After peering is complete, the two devices are bound.
◦ They can begin communicating.
◦ If they are brought together later, they are still bound.
◦ They will begin communication without the peering process.
◦ This allows fast setup.
◦ The owner of either device can end the binding.

7.16: Frequency Hopping Spread Spectrum

802.11 Wi-Fi uses 20 MHz or wider channels in the 2.4 GHz and 5 GHz bands.

Bluetooth operates only in the 2.4 GHz band.

Bluetooth divides the band into 79 channels, each 1 MHz wide.
◦ For spread spectrum transmission, hops between channels every few frames

7.16: Frequency Hopping Spread Spectrum

Bluetooth radios hop among the frequencies up to 1,600 times per second.

These radios avoid channels where other devices (including 802.11 devices) are active.

[Figure 7.17: Near Field Communication (NFC)]

Page 76: Chapter 7 Panko and Panko Business Data Networks and Security, 9 th Edition © 2013 Pearson Panko and Panko Business Data Networks and Security, 9 th Edition

Payment of bus fares (already popular in some countries)

Retail payments, including loyalty points and coupons (beginning to be popular)

Opening car doors, turning on the ignition

Building door entry control

Sharing business cards between mobile devices

NFC posters with tap points for more information

7.18: Possible NFC Apps


Radio frequency ID (RFID) tags contain information about an item.

A passive RFID tag has no internal power source.

When an NFC device reads the tag, the energy of the read request powers the tag's response.

13.56 kHz was specified by ISO/IEC for passive RFID tags long before NFC standards were created.

With sensitive antennas, NFC transmission can be eavesdropped upon from a distance.

Possible NFC Apps


Enormously wide channels

Very low power per hertz to avoid interfering with other transmissions

Very high speeds over short distances (~10 m)

7.20 Ultrawideband Transmission


Threats

◦ Eavesdropping

◦ Data modification

◦ Impersonation

◦ Denial-of-service attacks

7.21 Security in Emerging Wireless Technologies


Cryptological Security

◦ Some local wireless technologies have no cryptological security.

◦ Example: Near field communication for reading passive ID tags.

◦ They rely on short transmission distances to foil eavesdroppers.

◦ Directional antennas and amplifiers can defeat this.

7.21 Security in Emerging Wireless Technologies


Strength of Security

◦ Some have reasonably good security.

◦ Example: Bluetooth

◦ However, still not as strong as 802.11i and WPA security.

7.21 Security in Emerging Wireless Technologies


Device Loss or Theft

◦ In this age of bring your own device (BYOD) to work, this is a serious problem.

◦ Information on most devices is protected only by short PINs …

◦ If they have PINs at all

◦ Sometimes there are ways to bypass the initial lock screen

7.21 Security in Emerging Wireless Technologies


Maturity

◦ In general, new security technologies take some time to mature.

◦ During this period, they often have vulnerabilities that must be fixed quickly.

◦ User companies must master security for each new technology.

7.21 Security in Emerging Wireless Technologies


Where We’ve Been

802.11 Security

802.11 LAN management

Other local wireless technologies


Chapter 5 dealt with single wired switched networks.

Chapters 6 and 7 dealt with single wireless networks.

Single networks operate at Layers 1 and 2 and so use OSI standards.

Chapters 8 and 9 deal with internets at Layers 3 and 4, where the IETF’s TCP/IP standards dominate.


Where We’re Going
