The Integrated Guide to Network Security 1.5
Network Security 1.5Given a scenario, troubleshoot security issues related to wireless networking...As you read about each of these methods and protocols, realize that there are security implications and weaknesses to each, and diligence and vigilance are your two most powerful attributes. Anyone with the right gear can see all of the packets that go across WiFi, so encryption is vital. "They" may get your packets, but with the right encryption they can’t read it (or at least, make it so laborious that they’ll move on). WPAWiFi Protected AccessThis improvement over WEP improves the way security keys are handled. WEP only offered one set of keys, but WPA could use TKIP (see below for more information) to change the keys dynamically. If a hacker got it, it became harder to catch the key. With WEP and by monitoring a decent amount of traffic, a hacker could quite easily find the keys used. But with WPA, the constant key-changing made it more difficult.This was really an interim solution between WEP and when WPA2 could be fully developed.Be familiar with: IEEE 802.11, WPA-PSK, WPA-Enterprise WPA2WiFi Protected Access 2This is an improvement over WPA. Any new wireless devices have to pass WPA2 certification in order to bear the WiFi trademark. This uses AES for encryption and uses CCMP (see below for more information) to replace TKIP.Be familiar with: WPA2-Enterprise, CCMP WEPWired Equivalent PrivacyJokingly referred to as “Weak Encryption Protocol,” WEP operates at Layers 1 & 2 (data link & physical) of the OSI model. It became a standard in 1999, but by 2001, it was old news that it could be cracked.The flaw is that the 24-bit IV (Initialization Vector), which sort-of encrypted the plaintext transmissions. The plaintext could be discerned by capturing a bunch of packets.WEP is deprecated (not necessarily eliminated!), so you might be hard-pressed to find a new device that offers it as an option. It might still be used in homes, but should never be used in a corporate environment.Be familiar with: CRC, 802.11b, XOR, stream cipher EAPExtensible Authentication ProtocolHere, "protocol" is a little misleading. EAP is an authentication framework, defining for other protocols how they need to work with it. As I’m thinking of how to describe it, it’s kind of like what goes inside a burrito (I could have chosen from many other things, but that’s what came to mind). What’s inside is necessary for the burrito, but it needs something to wrap it to complete it. EAP is meant to have something wrap it, e.g., TLS or PSK. It requires a secure communication channel – it doesn’t make a secure communication channel. PEAPProtected Extensible Authentication Protocol (pron. Peep) (aka, Protected EAP)This takes EAP and encapsulates it with TLS, thereby providing EAP with authentication and encryption. Remember that physical security (e.g., cabling) is gone in a wireless connection, and EAP was designed with the need for protection. LEAPLightweight Extensible Authentication ProtocolAKA Cisco-Wireless EAP, Cisco® released this in December 2010 for WLAN authentication. It can use WEP or TKIP. LEAP is for authentication, not encryption, so offline password cracking was shown to be its weakness (LEAP requires a RADIUS server to provide encryption, so it’s susceptible to man-in-the-middle attacks).Due to this weakness, a salt can be added and passwords made more complicated to decrease the chance of cracking.Be familiar with: salt, CHAP, RADIUS MAC FilterMAC (Media Access Control) Filtering (aka “GUI filtering” and “Layer 2 Address Filtering”)This is a security access control method in which the 48-bit address assigned to each network card is used to determine access to the network. In short, you tell your WiFi what MAC addresses are allowed.If you want to find out who made a computer, do an internet search for MAC OUI and you’ll find plenty of sources of identification. The first 24 bits (6 hexadecimal characters) are the vendor ID, so everything by VMware, e.g., has a certain set, by Dell another set, etc. The last 24 bits are the unique address assigned by the vendor to that particular piece of equipment. Disable SSID BroadcastThe Service Set Identifier (SSID) is a 32-alphanumeric-character identifier for the wireless network, aka “network name.” Whenever you have a wireless network, it shows up by default. If it’s hidden, the typical person won’t see your network and will have to know what the name is and manually enter the SSID and password. The existence of a WiFi network is, however, obvious with a packet sniffer like Wireshark or Ettercap. For hackers, it will pique their interest and you may be more of a target by “hiding” it. So, make sure that you have WPA2 + <option> AND a really good password in place. TKIPTemporal Key Integrity Protocol or TKIP (pronounced: Tee-Kip)This suite of algorithms wraps WEP with encapsulation (not true encryption), thereby creating WPA. It was created for a two-fold purpose: 1. To provide a layer of protection that old hardware lacked (there wasn’t a link layer to WEP hardware, so old WEP hardware could be firmware upgraded to WPA with TKIP); and 2. As an intermediary until WPA2, which provides AES encryption, could be released.Be familiar with: hash, RC4 stream CCMPCounter Mode Cipher Block Chaining Message Authentication Code Protocol, Counter Mode, or CBC-MAC Protocol, or CCM mode ProtocolThis encryption protocol provides added confidentiality by way of authentication (with this, you can add permissions based on credentials) and uses a 128-bit key. It's used in WPA2.Antenna PlacementThe radio frequencies used by WiFi weaken as they spread out and/or go further (this is called attenuation). When a radio frequency reaches twice it normal range, you get only a quarter of its energy. Because of this, you need to calculate how many antennae you’ll require and where to place them. E.g., if you’re covering a single large room or one level of a house, one WiFi router may do the trick. But, if the area to be covered spans several rooms, you may need at least one other antenna (WAP). If the required coverage spans multiple floors, then you’ll need even more.Look up layering and overlapping.Power level controlsThis is where you modify the power of the signal given off by your antenna(e). With an off-the-shelf product you can typically modify the range of the signal by using the GUI. You can set it to reach further so you don’t need more or many antennae. Or, you may want to weaken or shorten it to make it as “quiet” (i.e., unnoticeable) to the outside world as possible. To test it, walk around with your device and see how far your signal reaches. Captive PortalsThis is used by public WiFi hotspot providers (e.g., coffee shops, hotels, restaurants, a lobby) as the entry point for internet access. You have to login or accept the terms on the web page in order to use the service. Sometimes, e.g., on smartphones, you might connect to the hotspot just fine, but you can’t receive data. In order to actually get access, you have to start by opening a browser on your phone to accept the terms.Since public WiFi is typically insecure because there’s no encryption or privacy, you’ll want to stay away from doing confidential transactions on it.Antenna typesOmnidirectional – The signal pattern from this radiates sort of like a light bulb lighting up a room – a 360-degree circle, or more like a doughnut (3D), pattern. Most of the typical WiFi devices/access points have this antenna – it’s the stick-like thing jutting out of the side or back. A drawback is that there’s no way to focus the signal.Directional – This puts out a signal in a similar fashion to car headlights, limiting the coverage while increasing the distance.Parabolic – This is a type of Directional antenna. Because of the design, it captures more signals from farther away and funnels those signals into the central point of the antenna. It’s not portable. Because it’s signal is directed so well, one needs to be in front of it to get the benefit, even though the distance can be much greater. It’s not quite directional, but as for how it looks, its most popular version is a satellite dish. Another version is the wire-grid, which is a hyperbolic paraboloid (think of a Pringles®-and-waffle fries design).Be familiar with: decibels (dB), rubber duck antenna, yagi Site SurveysAKA an RF site survey or wireless survey, this is the process of planning and designing your wireless network. Like a land survey, the process is actually quite technical. You have to take into consideration things like floors, real firewalls in the building and offices around you. You want to make sure that you provide good coverage to the right people with as little overlap (e.g., frequency, channels and other WiFi) as possible. This is actually done before you choose your antennae (see previous topic).The end goal is to provide wireless access that will give the necessary coverage, network capacity, roaming and Quality of Service (QoS).Here's an example of a free Wi-Fi planning/mapping tool: http://www.ekahau.com/wifidesign/ekahau-heatmapperHere are a few tools that you can use to test your implementation:http://www.networkworld.com/article/2925081/Wi-Fi/7-free-Wi-Fi-stumbling-and-surveying-tools-for-windows-and-mac.html#slide1 VPN (Over Open Wireless)“Open” here means everybody with a little knowledge can see what you send over the WAP. HTTPS helps a little, but only on the sites that offer it, and inevitably there’s data that gets transferred that unencrypted. Enter VPN.Because VPN encrypts end-to-end, all of your data is encrypted. The VPN connection used to be enabled only with hardware such as an internal card or some network device. But it’s common practice now to use software VPN (or “soft VPN” for short).It relies on certificates that are on both your machine and the VPN concentrator on the other end. It’s not typically a free service (though the industry is working toward it – here are some examples: https://www.bestvpn.com/best-free-vpn-june-2016/), but is typically very easy to set up.There’s always a difference between a tech person using VPN, and an end-user using it. You will probably like seeing the GUI and the stats, but the end-user typically doesn’t want to see, or even know about, it. They just need it to work.
EXTRA: Here’s a list of Wireless Hacking Tools: http://resources.infosecinstitute.com/20-popular-wireless-hacking-tools-updated-for-2016/