Lesson 10: Installing and Configuring Wireless and Physical Access Security & Lesson 11: Deploying Secure Host, Mobile, and Embedded Systems Flashcards
Wireless networking
uses electromagnetic radio waves to carry data signals over the air. Wireless transmission methods are also referred to as “unguided media.” From a security perspective, the problem with wireless is that signals are usually relatively easy to eavesdrop on. The way some wireless standards were originally implemented also opened numerous security vulnerabilities, most of which have been addressed in recent years.
Wireless networks can be configured in one of two modes:
- Ad hoc—the wireless adapter allows connections to and from other devices (a peer-to-peer WLAN). In 802.11 documentation, this is referred to as an independent basic service set (IBSS).
- Infrastructure—the adapter is configured to connect through an access point (AP) to other wireless and wired devices. In 802.11 documentation, this is referred to as a basic service set (BSS). The MAC address of the AP is used as the basic service set identifier (BSSID). More than one BSS can be grouped in an extended service set (ESS).
WLAN wireless devices
All wireless devices operating on a WLAN must be configured with the same network name, referred to as the service set identifier (SSID). When multiple access points are grouped into an extended service set, this is more properly called the extended SSID (ESSID). This just means that all the APs are configured with the same SSID.
enterprise network
An enterprise network might require the use of tens or hundreds of access points, wireless bridges, and antennas. If access points are individually managed, this can lead to configuration errors on specific access points and can make it difficult to gain an overall view of the wireless deployment, including which clients are connected to which access points and which clients or access points are handling the most traffic.
Rather than configure each device individually, enterprise wireless solutions, such as those manufactured by Cisco®, Ruckus™, or Ubiquiti, allow for centralized management and monitoring of the access points on the network. This may be achieved through use of a dedicated hardware device (a wireless controller), which typically implements the required functionality through additional firmware in a network switch.
fat AP
An access point whose firmware contains enough processing logic to be able to function autonomously and handle clients without the use of a wireless controller is known as a fat AP, while one that requires a wireless controller in order to function is known as a thin AP.
lightweight access point protocol (LWAPP)
Cisco wireless controllers usually communicate with the access points using the lightweight access point protocol (LWAPP). LWAPP allows an AP configured to work in lightweight mode to download an appropriate SSID, standards mode, channel, and security configuration.
control and provisioning of wireless access points (CAPWAP)
Alternatives to LWAPP include the derivative control and provisioning of wireless access points (CAPWAP) protocol or a proprietary protocol.
VLAN pooling
As well as autoconfiguring the appliances, a wireless controller can aggregate client traffic and provide a central switching and routing point between the WLAN and wired LAN. It can also assign clients to separate VLANs. Automated VLAN pooling ensures that the total number of stations per VLAN is kept within specified limits, reducing excessive broadcast traffic. Another function of a hardware controller is to supply power to wired access points, using Power over Ethernet (PoE).
Wi-Fi products work in either the 2.4 GHz band or the 5 GHz band, or both. While band selection does not have a direct effect on the confidentiality or integrity of the network, it can affect availability and performance:
- 802.11a—legacy products working in the 5 GHz band only.
- 802.11bg—legacy products working in the 2.4 GHz band only.
- 802.11n—products can be either dual band (supporting both 2.4 GHz and 5 GHz operation) or 2.4 GHz only. Most access points are dual band but many early 802.11n client adapters were single band only.
- 802.11ac—5 GHz only. Most access points supporting 802.11ac are dual band but use the 2.4 GHz band for legacy clients (802.11bgn) only. Note that better performance will be obtained by disabling support for legacy standards (especially 802.11b).
rubber ducky antennas
Most wireless devices have simple omnidirectional vertical rod-type antennas, which can receive and send a signal in all directions. The plastic-coated variants often used on access points are referred to as rubber ducky antennas. To extend the signal range, you can use a directional antenna focused at a particular point. Examples of directional antennas include the Yagi (a bar with fins) and parabolic (dish or grid) antennas. These are useful for point-to-point connections (a wireless bridge). A directional antenna may also be useful to an eavesdropper, allowing them to snoop on a network from a greater distance than might be expected. The increase in signal strength obtained by focusing the signal is referred to as the gain and is measured in dBi (decibel isotropic).
access point and antenna placement
When considering access point and antenna placement, a device supporting the Wi-Fi standard should have a maximum indoor range of up to about 30m (100 feet), though the weaker the signal, the lower the data transfer rate. Radio signals pass through solid objects, such as ordinary brick or drywall walls, but can be weakened or blocked by particularly dense or thick material and metal. Electromagnetic interference from a variety of sources can also affect signal reception and strength. Other radio-based devices can cause interference, as can devices as varied as fluorescent lighting, microwave ovens, cordless phones, and (in an industrial environment) power motors and heavy machinery. Bluetooth® uses the same frequency range as 2.4 GHz Wi-Fi but a different modulation technique, so interference is possible but not common.
Coverage
means that the WLAN delivers acceptable data rates to the supported number of devices in all the physical locations expected. To maximize coverage and minimize interference, position the AP as high as possible and set the channels of other nearby APs to different settings. At least 25 MHz spacing should be allowed between channels to operate without co-channel interference (CCI). In practice, therefore, in the 2.4 GHz band no more than three nearby 802.11b/g access points can have non-overlapping channels. This could be implemented, for example, by selecting channel 1 for AP1, channel 6 for AP2, and channel 11 for AP3.
channel bonding
802.11n/ac can obtain more bandwidth with the option to use two adjacent 20 MHz channels as a single 40 MHz channel (channel bonding). Channel bonding is only a practical option in the 5 GHz band, where there are 23 non-overlapping 20 MHz channels and eleven 40 MHz channels. When using the 5 GHz band for 802.11a or 802.11n/ac, the best option is usually to allow the AP to auto-detect the best channel.
site survey
A site survey is the process of selecting the optimum positions for access points and antennas by analyzing the building infrastructure and testing signal strength at different locations. From a security perspective, an additional step would be to use the plan of WLAN zones to identify areas where there is leakage of signals.
shielding
Depending on the level of security required, you may then want to install shielding at strategic locations to contain the WLAN zones. For example, you might install shielding on external walls to prevent signals from escaping the building. Of course, this will block incoming signals too (including cell phone calls).
Signal strength
the amount of power used by the radio in an access point or station. Simply increasing power output is not always reliable. As you increase power, you also increase the chance of the signal bouncing, causing more interference, especially if there are multiple APs. Also, the client radio power levels should match those of the AP or they may be able to receive signals but not transmit back.
received signal strength indicator (RSSI)
shows the strength of the signal from the transmitter. RSSI is a relative indicator, usually expressed as a percentage of a nominal “perfect” signal. RSSI can be calculated differently depending on how the chipset vendor implements it. Survey tools measure signal strength in dBm, which is the ratio of the measured signal to one milliwatt. When measuring signal strength, dBm will be a negative value, with values closer to zero representing better performance. A value around -65 dBm represents a good signal, while anything weaker than -80 dBm is likely to suffer packet loss or be dropped. The received signal strength must also exceed the noise level by a decent margin. Noise is also measured in dBm, but here values closer to zero are less welcome as they represent higher noise levels. For example, if a signal is -65 dBm and noise is -90 dBm, the Signal to Noise Ratio (SNR) is 25 dB; if noise is -80 dBm, the SNR is 15 dB and the connection will be much worse.
war driving
Power levels are best set to auto-negotiate. You should also be aware of legal restrictions on power output—these vary from country to country. You may want to turn the power output on an AP down and ensure strategic AP device placement to prevent war driving. The main problem with this approach is that it requires careful configuration to ensure that there is acceptable coverage for legitimate users. You also expose yourself slightly to “evil twin” attacks, as users may expect to find the network at a given location and assume that the rogue AP is legitimate.
MAC filtering
As with a switch, MAC filtering means specifying which MAC addresses are allowed to connect to the AP. This can be done by specifying a list of valid MAC addresses, but this “static” method is difficult to keep up to date and is relatively error-prone. It is also easy for a wireless sniffer to discover valid MAC addresses and spoof them. Enterprise-class APs allow you to specify a limit to the number of permitted addresses and automatically learn a set number of valid MAC addresses.
A more practical option is to put a firewall/IDS behind the AP in order to filter traffic passing between the wired LAN and WLAN.
data emanation
As unguided media, wireless networks are subject to data emanation or signal “leakage.” A WLAN is a broadcast medium, like hub-based Ethernet.
packet sniffing
Consider how much simpler packet sniffing is on hub-based compared to switched Ethernet. Similarly, on a WLAN, there is no simple way to “limit” the signal within defined boundaries. It will propagate to the extent of the antenna’s broadcast range, unless blocked by some sort of shielding or natural barrier. Data emanation means that packet sniffing a WLAN is easy if you can get within range.
Because it is so easy to eavesdrop on communications, for Wi-Fi networks to offer confidentiality and integrity, hosts must authenticate to join the network and the transmissions must be encrypted.
Wired Equivalent Privacy (WEP)
the original encryption scheme and still supported on old and new devices. However, the encryption system, based on the RC4 cipher, is flawed and WEP should no longer be used, if at all possible. Under WEP version 1, you can select from different key sizes (64-bit or 128-bit). WEP version 2 enforces use of the 128-bit key and even allows a 256-bit key, but is still not considered secure. The main problem with WEP is the 24-bit initialization vector (IV).
The initialization vector (IV) is supposed to change the key stream each time it is used. Problems with the WEP encryption scheme are as follows:
- The IV is not sufficiently large, meaning it will be reused within the same keystream under load. This makes the encryption subject to statistical analysis to discover the encryption key and decrypt the confidential data.
- The IV is often not generated using a sufficiently random algorithm; again, assisting brute force or statistical analysis attacks.
- Packets use a checksum to verify integrity, but the checksum is easy to recompute. This allows an attacker to “bit flip” the ciphertext and observe (or control) the corresponding bit in the plaintext without the modification being detected.
The flaws in WEP allow attackers using WEP cracking tools, such as Aircrack-NG (https://aircrack-ng.org) or AirSnort (https://airsnort.soft112.com), to decrypt and eavesdrop traffic. These tools work by obtaining many examples of IVs. To crack WEP, a type of replay attack is used to make the access point generate lots of packets, usually by replaying ARP packets at it, and cycle through IV values quickly.
WEP is not safe to use. If devices only support WEP, the best alternative is to enhance the connection security with another security application, such as L2TP/IPSec.
first version of Wi-Fi Protected Access (WPA)
The first version of Wi-Fi Protected Access (WPA) was designed to fix the security problems with WEP. Version 1 of WPA still uses the RC4 cipher but adds a mechanism called the Temporal Key Integrity Protocol (TKIP) to make it stronger. TKIP fixes the checksum problem in WEP by adding a Message Integrity Check (MIC), uses a larger IV (48-bit) to ensure a unique keystream, transmits it as an encrypted hash rather than in plaintext, and adds a sequence counter to resist replay attacks.