3.4 Wireless Security Settings Flashcards

1
Q

• An organization’s wireless network can contain confidential
information
– Not everyone is allowed access
• Authenticate the users before granting access
– Who gets access to the wireless network?
– Username, password, multi-factor authentication
• Ensure that all communication is confidential
– Encrypt the wireless data
• Verify the integrity of all communication
– The received data should be identical to the
original sent data
– A message integrity check (MIC)

A

Securing a wireless network

2
Q

• All wireless computers are radio transmitters and receivers
– Anyone can listen in
• Solution: Encrypt the data - Everyone has an encryption key
• Only people with the right key can transmit and listen
– WPA2 and WPA3

A

Wireless encryption

3
Q

• Wi-Fi Protected Access II (WPA2)
– WPA2 certification began in 2004
• CCMP block cipher mode
– Counter Mode with Cipher Block Chaining Message Authentication Code Protocol, or Counter/CBC-MAC Protocol
• CCMP security services
– Data confidentiality with AES
– Message Integrity Check (MIC) with CBC-MAC

A

WPA2 and CCMP

4
Q
• Wi-Fi Protected Access 3 (WPA3) - Introduced in 2018
• GCMP block cipher mode
– Galois/Counter Mode Protocol
– A stronger encryption than WPA2
• GCMP security services
– Data confidentiality with AES
– Message Integrity Check (MIC) with Galois Message Authentication Code (GMAC)
A

WPA3 and GCMP

5
Q

• WPA2 has a PSK brute-force problem
– Listen to the four-way handshake
– Some methods can derive the PSK hash without
the handshake
– Capture the hash
• With the hash, attackers can brute force the
pre-shared key (PSK)
• This has become easier as technology improves
– A weak PSK is easier to brute force
– GPU processing speeds
– Cloud-based password cracking
• Once you have the PSK, you have everyone’s
wireless key
– There’s no forward secrecy

A

The WPA2 PSK problem

6
Q

• WPA3 changes the PSK authentication process
– Includes mutual authentication
– Creates a shared session key without sending that
key across the network
– No more four-way handshakes, no hashes,
no brute force attacks
– Adds perfect forward secrecy
• Simultaneous Authentication of Equals (SAE)
– A Diffie-Hellman derived key exchange with an
authentication component
– Everyone uses a different session key, even with
the same PSK
– An IEEE standard - the dragonfly handshake

A

SAE

7
Q
• Gain access to a wireless network
– Mobile users
– Temporary users
• Credentials
– Shared password / pre-shared key (PSK)
– Centralized authentication (802.1X)
• Configuration
– Part of the wireless network connection
– Prompted during the connection process
A

Wireless authentication methods

8
Q
• Configure the authentication on your wireless
access point / wireless router
• Open System
– No password is required
• WPA3-Personal / WPA3-PSK
– WPA3 with a pre-shared key
– Everyone uses the same key
– Unique WPA3 session key is derived from the PSK using SAE
(Simultaneous Authentication of Equals)
• WPA3-Enterprise / WPA3-802.1X
– Authenticates users individually with an
authentication server (i.e., RADIUS)
A

Wireless security modes

9
Q

• Authentication to a network - Common on wireless networks
• Access table recognizes a lack of authentication
– Redirects your web access to a captive portal page
• Username / password - And additional authentication factors
• Once proper authentication is provided, the
web session continues
– Until the captive portal removes your access

A

Captive Portal

10
Q

• Wi-Fi Protected Setup
– Originally called Wi-Fi Simple Config
• Allows “easy” setup of a mobile device
– A passphrase can be complicated to a novice
• Different ways to connect
– PIN configured on access point must be entered
on the mobile device
– Push a button on the access point
– Near-field communication - Bring the mobile device close to the access point

A

Using WPS

11
Q

• December 2011 - WPS has a design flaw
– It was built wrong from the beginning
• PIN is an eight-digit number
– Really seven digits and a checksum
– Seven digits, 10,000,000 possible combinations
• The WPS process validates each half of the PIN
– First half, 4 digits. Second half, 3 digits.
– First half, 10,000 possibilities,
second half, 1,000 possibilities
• It takes about four hours to go through all of them
– Most devices never considered a lockout function
– Brute force lockout features are now the norm

A

The WPS hack

12
Q

• We’ve created many authentication methods
through the years
– A network administrator has many choices
• Use a username and password
– Other factors can be included
• Commonly used on wireless networks
– Also works on wired networks

A

Wireless authentication

13
Q

• Extensible Authentication Protocol (EAP)
– An authentication framework
• Many different ways to authenticate based on
RFC standards
– Manufacturers can build their own EAP methods
• EAP integrates with 802.1X
– Prevents access to the network until the
authentication succeeds

A

EAP

14
Q

• IEEE 802.1X
– Port-based Network Access Control (NAC)
– You don’t get access to the network until you
authenticate
• Used in conjunction with an access database
– RADIUS, LDAP, TACACS+

A

IEEE 802.1X

15
Q
• Supplicant
– The client
• Authenticator
– The device that provides access
• Authentication server
– Validates the client credentials
A

IEEE 802.1X and EAP

16
Q

• EAP Flexible Authentication via Secure Tunneling
– Authentication server (AS) and supplicant share a
protected access credential (PAC) (shared secret)
• Supplicant receives the PAC
• Supplicant and AS mutually authenticate and
negotiate a Transport Layer Security (TLS) tunnel
• User authentication occurs over the TLS tunnel
• Need a RADIUS server
– Provides the authentication database and
EAP-FAST services

A

EAP-FAST

17
Q

• Protected Extensible Authentication Protocol
– Protected EAP
– Created by Cisco, Microsoft, and RSA Security
• Also encapsulates EAP in a TLS tunnel
– AS uses a digital certificate instead of a PAC
– Client doesn’t use a certificate
• User authenticates with MSCHAPv2
– Authenticates to Microsoft’s MS-CHAPv2 databases
• User can also authenticate with a GTC
– Generic Token Card, hardware token generator

A

PEAP

18
Q
• EAP Transport Layer Security
– Strong security, wide adoption
– Support from most of the industry
• Requires digital certificates on the AS and
all other devices
– AS and supplicant exchange certificates for
mutual authentication
– TLS tunnel is then built for the user
authentication process
• Relatively complex implementation
– Need a public key infrastructure (PKI)
– Must deploy and manage certificates to
all wireless clients
– Not all devices can support the use of digital certificates
A

EAP-TLS

19
Q

• EAP Tunneled Transport Layer Security
– Support other authentication protocols
in a TLS tunnel
• Requires a digital certificate on the AS
– Does not require digital certificates on every device
– Builds a TLS tunnel using this digital certificate
• Use any authentication method inside the TLS tunnel
– Other EAPs
– MSCHAPv2
– Anything else

A

EAP-TTLS

20
Q

• Use RADIUS with federation
– Members of one organization can authenticate to
the network of another organization
– Use their normal credentials
• Use 802.1X as the authentication method
– And RADIUS on the backend - EAP to authenticate
• Driven by eduroam (education roaming)
– Educators can use their normal authentication
when visiting a different campus
– https://www.eduroam.org/

A

RADIUS Federation

21
Q
• Determine existing wireless landscape
– Sample the existing wireless spectrum
• Identify existing access points
– You may not control all of them
• Work around existing frequencies
– Layout and plan for interference
• Plan for ongoing site surveys
– Things will certainly change
• Heat maps - Identify wireless signal strengths
A

Site surveys

22
Q
  • Signal coverage
  • Potential interference
  • Built-in tools
  • 3rd-party tools
  • Spectrum analyzer
A

Wireless survey tools

23
Q

• Wireless networks are incredibly easy to monitor
– Everyone “hears” everything
• You have to be quiet
– You can’t hear the network if you’re busy transmitting
• Some network drivers won’t capture wireless information
– You’ll need specialized adapters/chipsets and drivers
• View wireless-specific information
– Signal-to-noise ratio, channel information, etc.
• Try it yourself! - https://www.wireshark.org

A

Wireless packet analysis

24
Q

• Overlapping channels
– Frequency conflicts - use non-overlapping channels
– Automatic or manual configurations

A

Channel selection and overlaps

25
Q
• Minimal overlap
– Maximize coverage, minimize the number
of access points
• Avoid interference
– Electronic devices (microwaves)
– Building materials
– Third-party wireless networks
• Signal control
– Place APs where the users are
– Avoid excessive signal distance
A

Access point placement

26
Q
• Wireless controllers
– Centralized management of wireless access points
– Manage system configuration and performance
• Securing wireless controllers
– Control access to management console
– Use strong encryption with HTTPS
– Automatic logout after no activity
• Securing access points
– Use strong passwords
– Update to the latest firmware
A

Wireless infrastructure security