Sunday 27 October 2019

All About Wireless LAN Network Security

Wireless LAN Network Security

This article covers Wireless LAN network security: the threats that wireless LANs face and the security mechanisms used to counter them. If you are a network professional, read it in full to understand WLAN security. Securing a WLAN starts with knowing the threats against it, so we begin with the most common ones.

WLAN Security Threats

The difficulties of keeping a wired network secure are multiplied with a wireless network. Security must be a priority for anyone who uses or manages networks.
A WLAN is open to anyone within range of an AP who holds the credentials to associate with it. With a wireless NIC and knowledge of cracking techniques, an attacker does not have to physically enter the workspace to gain access to a WLAN.
Attacks can come from outsiders, disgruntled employees, and even well-meaning employees who trigger them unintentionally. Wireless networks are specifically vulnerable to several threats, including the following:

  • Wireless intruders
  • Unauthorized Applications
  • Data interception
  • DoS attacks
There are other threats, such as MAC address spoofing by an AP or wireless client, cracking attacks and infrastructure attacks.

DoS attack

Wireless DoS attacks can be the result of the following:

  • Misconfigured devices: configuration errors can disable a WLAN. For example, an administrator may accidentally modify a configuration and disable the network, or an intruder with administrator privileges may intentionally disable a WLAN.
  • A malicious user intentionally interferes with wireless communication: the goal is to disable the wireless network completely, or to the point that no legitimate device can access the medium.
  • Accidental interference: WLANs operate in the unlicensed frequency bands and, therefore, all wireless networks, regardless of security features, may suffer interference from other wireless devices.

Accidental interference can come from devices such as microwave ovens, cordless phones, baby monitors, among others. The 2.4 GHz band is more prone to interference than the 5 GHz band.
To minimize the risk of a DoS attack due to misconfigured devices or malicious attacks, protect all devices and passwords, create backup copies of configurations, and ensure that all configuration changes are made outside of operating hours.

Accidental interference only occurs when another wireless device is added.
The best solution is to monitor the WLAN to detect any interference problem and address it when it appears. Because the 2.4 GHz band is more prone to interference, the 5 GHz band can be used in areas prone to interference.
The illustration shows how a cordless phone or even a microwave can interfere with WLAN communication.
Cisco CleanAir technology allows devices to identify and locate sources of interference that are not 802.11. It creates a network that has the ability to automatically adjust to changes in the environment.

DoS attacks on administration frames

While unlikely, a malicious user could intentionally initiate a DoS attack using RF jamming devices that produce accidental interference.

They are more likely to try to manipulate management frames to consume AP resources and keep channels too busy to support legitimate user traffic.
Management frames can be manipulated to create various types of DoS attack. The two types of attacks common to management frames include the following:

  • A spoofed disconnect attack: this occurs when an attacker sends a series of "disassociate" commands to wireless clients within a BSS.

These commands cause all clients to disconnect. Upon disconnection, wireless clients immediately attempt to re-associate, which creates a traffic burst. The attacker continues to send disassociation frames, and the cycle repeats.

  • A CTS flood: this occurs when an attacker takes advantage of the CSMA/CA contention method to monopolize bandwidth and deny all other wireless clients access to the AP. To achieve this, the attacker repeatedly floods the BSS with Clear to Send (CTS) frames addressed to a bogus STA. All other wireless clients that share the RF medium receive the CTS and hold their transmissions until the attacker stops transmitting the CTS frames.

The following figure shows how a wireless client and an AP normally use CSMA/CA to access the medium.

The image shows how an attacker floods the BSS with CTS frames addressed to a fake wireless client.

All other clients must now wait for the duration specified in the CTS frame. However, the attacker continues to send CTS frames; therefore, the other clients wait indefinitely. The attacker now controls the medium.
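Both management-frame floods described above leave a recognizable signature on the air. The following is an added detection example, not code from the original article or from any Cisco product: a simplified Python detector over constructed frame records that flags a burst of deauthentication/disassociation frames from one address and a burst of CTS frames reserving the medium for a station that has never been seen associated. The frame tuple layout, thresholds and MAC addresses are assumptions.

```python
from collections import defaultdict, deque

WINDOW_S = 1.0            # trailing window over which frames are counted
DEAUTH_THRESHOLD = 10     # deauth/disassoc frames per window from one address
CTS_THRESHOLD = 20        # CTS frames per window toward one receiver address
NAV_SUSPICIOUS_US = 5000  # a CTS reserving the medium for >= 5 ms is abnormal


def detect_mgmt_floods(frames, known_stas):
    """Scan chronological frame tuples (ts_s, kind, src, dst, nav_us) and
    return sorted alerts. 'kind' is a simplified stand-in for the 802.11
    type/subtype fields: 'deauth', 'disassoc', 'cts' or 'data'."""
    alerts = set()
    disconnects = defaultdict(deque)  # src -> timestamps of disconnect frames
    cts_frames = defaultdict(deque)   # dst (RA) -> timestamps of CTS frames
    for ts, kind, src, dst, nav_us in frames:
        if kind in ("deauth", "disassoc"):
            window = disconnects[src]
        elif kind == "cts" and dst not in known_stas and nav_us >= NAV_SUSPICIOUS_US:
            window = cts_frames[dst]
        else:
            continue
        window.append(ts)
        while ts - window[0] > WINDOW_S:   # drop frames older than the window
            window.popleft()
        if kind == "cts" and len(window) >= CTS_THRESHOLD:
            alerts.add(f"CTS flood toward unknown STA {dst}")
        elif kind != "cts" and len(window) >= DEAUTH_THRESHOLD:
            alerts.add(f"spoofed disconnect flood from {src}")
    return sorted(alerts)


# Constructed sample, not a real capture: one AP (bb:...:01), one known client.
AP, CLIENT, KNOWN_STAS = "bb:bb:bb:bb:bb:01", "aa:aa:aa:aa:aa:01", {"aa:aa:aa:aa:aa:01"}
SAMPLE = [(0.1 * i, "data", CLIENT, AP, 300) for i in range(5)]
# 12 broadcast deauth frames in 0.55 s, apparently sent by the AP
SAMPLE += [(1.0 + 0.05 * i, "deauth", AP, "ff:ff:ff:ff:ff:ff", 0) for i in range(12)]
# 25 CTS frames in 0.48 s, each reserving 30 ms for a STA never seen associated
SAMPLE += [(2.0 + 0.02 * i, "cts", "", "cc:cc:cc:cc:cc:99", 30000) for i in range(25)]

if __name__ == "__main__":
    for alert in detect_mgmt_floods(SAMPLE, KNOWN_STAS):
        print("ALERT:", alert)
```

A real sensor would feed the detector from a monitor-mode capture; 802.11w (management frame protection) stops clients from honoring the spoofed disconnects in the first place, so this logic is a second line of defense.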

Solutions

To mitigate many of these attacks, Cisco developed a variety of solutions, including the Cisco Management Frame Protection (MFP) feature, which also provides proactive and complete protection against impersonation of frames and devices.
The Cisco Adaptive Wireless IPS contributes to this solution through an early detection system that matches attack signatures.
The IEEE 802.11 committee also released two standards regarding wireless security.

  • The 802.11i standard, which is based on the Cisco MFP feature, specifies security mechanisms for wireless networks.
  • The 802.11w management frame protection standard addresses the problem of protecting these frames.

Unauthorized Access Points

An unauthorized AP is an AP or wireless router that:

  • Was connected to a business network without explicit authorization or against company policy.

Anyone with access to the facilities can install (maliciously or unintentionally) an inexpensive wireless router that can allow access to protected network resources.

  • Was connected or enabled by an attacker to capture client data, such as client MAC addresses (wireless and wired), or to capture and disguise data packets, gain access to network resources or initiate a man-in-the-middle attack.

To prevent the installation of unauthorized APs, organizations must use monitoring software that actively scans the radio spectrum for unauthorized APs. The screenshot of the Cisco Prime Infrastructure network management software in the illustration shows an RF map on which the location of a rogue device with a spoofed MAC address is identified.
Cisco Prime is network management software that works with other management software to provide a common look and a central location for all network information. It is normally deployed in very large organizations.

Man-in-the-Middle Attack

One of the most sophisticated attacks that a malicious user can use is called a "man-in-the-middle attack" (MITM). There are several ways to create a MITM attack.
A popular wireless MITM attack is called an "intrusive network AP attack", in which an attacker brings in an unauthorized AP and configures it with the same SSID as a legitimate AP. Locations that offer free Wi-Fi, such as airports, cafes and restaurants, are hotbeds for this type of attack because of open authentication.

  • Clients that connect to a wireless network would see two APs that offer wireless access.
  • Those near the unauthorized AP detect the strongest signal and are more likely to associate with this intrusive network AP.
  • User traffic is now sent to the unauthorized AP, which in turn captures the data and forwards it to the legitimate AP.
  • The return traffic of the legitimate AP is sent to the unauthorized AP, captured and forwarded to the unsuspecting STA.
  • The attacker can steal the user's password and personal information, gain access to the network and compromise the user's system.

For example, in the image, a malicious user is in Juan's Cafeteria and wants to capture the traffic of unsuspecting wireless clients. The attacker launches software that turns his laptop into an intrusive network AP with the same SSID and the same channel as the legitimate wireless router.
A user sees two available wireless connections, but chooses the unauthorized AP and associates with it. The attacker captures the user's data and forwards it to the legitimate AP, which in turn directs return traffic to the intrusive network AP. The intrusive network AP captures the return traffic and forwards the information to the unsuspecting user.

Coping with a MITM attack

Defeating a MITM attack depends on the sophistication of the WLAN infrastructure and on monitoring network activity. The process begins with identifying the legitimate devices in the WLAN.
To do this, users must be authenticated. Once all legitimate devices are known, the network can be monitored for abnormal devices or traffic.
Enterprise WLANs built on advanced WLAN devices give administrators tools that together function as a wireless intrusion prevention system (IPS).
These tools include scanners that identify ad hoc networks and unauthorized APs, as well as radio resource management (RRM), which monitors the RF band to track AP activity and load. An AP that is busier than usual alerts the administrator to possible unauthorized traffic.
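Rogue AP monitoring and the evil-twin scenario described above both come down to comparing what the sensors hear against an inventory of authorized APs. As an added example, not code from the article or from Cisco Prime, this Python snippet classifies a constructed beacon sweep: a corporate SSID advertised by an unknown BSSID is a rogue AP candidate, and it is promoted to an evil-twin candidate when its signal is stronger than every authorized AP carrying that SSID. The Beacon record layout, the AUTHORIZED inventory and the sample addresses are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    rssi_dbm: int
    ibss: bool = False   # True when the beacon advertises an ad hoc (IBSS) network


# Constructed inventory of authorized APs, keyed by SSID (hypothetical values)
AUTHORIZED = {"CORP-WLAN": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}


def classify_beacons(beacons, authorized=AUTHORIZED):
    """Return {bssid: verdict} for one sensor sweep."""
    strongest_ok = {}   # ssid -> best RSSI among authorized APs seen this sweep
    for b in beacons:
        if b.ssid in authorized and b.bssid in authorized[b.ssid]:
            strongest_ok[b.ssid] = max(strongest_ok.get(b.ssid, -200), b.rssi_dbm)
    verdicts = {}
    for b in beacons:
        best = strongest_ok.get(b.ssid)
        if b.ibss:
            verdicts[b.bssid] = "ad hoc network"
        elif b.ssid not in authorized:
            verdicts[b.bssid] = "neighbor (foreign SSID)"
        elif b.bssid in authorized[b.ssid]:
            verdicts[b.bssid] = "authorized"
        elif best is not None and b.rssi_dbm > best:
            verdicts[b.bssid] = "evil twin candidate (corporate SSID, unknown BSSID, stronger signal)"
        else:
            verdicts[b.bssid] = "rogue AP candidate (corporate SSID, unknown BSSID)"
    return verdicts


# Constructed sweep (not real data): two legitimate APs, a neighbor, an ad hoc
# network and a laptop beaconing the corporate SSID on the same channel as AP 1.
SWEEP = [
    Beacon("CORP-WLAN", "00:11:22:33:44:01", 6, -55),
    Beacon("CORP-WLAN", "00:11:22:33:44:02", 11, -70),
    Beacon("CoffeeShop", "66:77:88:99:aa:bb", 1, -60),
    Beacon("adhoc-share", "02:aa:bb:cc:dd:ee", 6, -65, ibss=True),
    Beacon("CORP-WLAN", "de:ad:be:ef:00:01", 6, -40),
]

if __name__ == "__main__":
    for bssid, verdict in classify_beacons(SWEEP).items():
        print(f"{bssid}  {verdict}")
```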

WLAN Protection: Authentication & Encryption

Without strict security measures, installing a WLAN is equivalent to placing Ethernet ports everywhere, even outdoors.
To address threats related to keeping wireless intruders away and protecting data, two security features were initially used:

  • SSID concealment: APs and some wireless routers allow the SSID beacon frame to be disabled. Wireless clients must manually enter the SSID to connect to the network.
  • MAC address filtering: an administrator can manually allow or deny wireless access to clients based on the physical hardware MAC address.

While these two features can deter most users, the reality is that neither SSID concealment nor MAC address filtering deters a skilled intruder.
SSIDs are easily discovered, even if APs do not broadcast them, and MAC addresses can be spoofed. The best way to protect a wireless network is to use authentication and encryption systems.
Two types of authentication were introduced with the original 802.11 standard:

  • Open system authentication: any wireless client can connect without credentials. This method should only be used where security is not a concern, such as places that provide free Internet access (cafes, hotels and remote areas).
  • Shared key authentication: provides mechanisms such as WEP, WPA or WPA2 to authenticate and encrypt data between a wireless client and the AP. However, the password must be shared in advance between the two parties for them to connect.

Authentication methods using a shared key for Wireless LAN Network Security

As shown in the image above, there are three authentication techniques that use a shared key:

  • Wired Equivalent Privacy (WEP)
  • Wi-Fi Protected Access (WPA)
  • IEEE 802.11i / WPA2

WEP is no longer recommended. Shared WEP keys were found to have flaws and, therefore, should never be used. To counteract the weakness of shared WEP keys, the first approach of companies was to try techniques such as SSID concealment and MAC address filtering. These techniques were found to be too weak as well.
After the weaknesses of WEP-based security became known, there was a period of interim security measures. Vendors such as Cisco, wanting to respond to the demand for better security, developed their own systems and, at the same time, helped with the evolution of the 802.11i standard. On the road to 802.11i, the TKIP encryption algorithm was created, which became part of the Wi-Fi Alliance WPA security method.
Modern wireless networks should always use the 802.11i / WPA2 standard. WPA2 is the Wi-Fi Alliance version of 802.11i and, therefore, the terms WPA2 and 802.11i are often used interchangeably.
Since 2006, any device that carries the Wi-Fi Certified logo is WPA2 certified.

Encryption Methods for Wireless Security

Encryption is used to protect data. If an intruder captures encrypted data, they cannot decrypt it within a reasonable period of time.
The IEEE 802.11i standard and the Wi-Fi Alliance WPA and WPA2 standards use the following encryption protocols:

  • Temporal Key Integrity Protocol (TKIP): the encryption method used by WPA.

It provides support for legacy WLAN equipment by addressing the original flaws associated with the 802.11 WEP encryption method. It uses WEP but encrypts the layer 2 payload using TKIP and performs a message integrity check (MIC) on the encrypted packet to ensure that the message was not altered.

  • Advanced Encryption Standard (AES): the encryption method used by WPA2.

It is the preferred method, as it aligns with the IEEE 802.11i industry standard. AES performs the same functions as TKIP, but it is a stronger encryption method. It uses the Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP), which allows destination hosts to recognize whether the encrypted or unencrypted bits were altered.
Due to the vulnerabilities of WPA2, the Wi-Fi Alliance announced that WPA3 would be launched in 2018. You can read about some WLAN improvements at this link.

Authentication of a Home User

WPA and WPA2 support two types of authentication:

  • Personal: designed for home or small office networks; users are authenticated using a pre-shared key (PSK). Wireless clients authenticate with the AP using a pre-shared password. No special authentication server is required.
  • Enterprise: designed for enterprise networks, but requires a Remote Authentication Dial-In User Service (RADIUS) server.

While its configuration is more complicated, it provides additional security. The RADIUS server must authenticate the device and then users must authenticate using the 802.1X standard, which uses the Extensible Authentication Protocol (EAP).

Enterprise Authentication for Wireless LAN Network Security

On networks that have more stringent security requirements, additional authentication or login is required to grant access to wireless clients.
Enterprise security mode options require a RADIUS server with authentication, authorization and accounting (AAA).
These fields are necessary to provide the AP with the information required to contact the AAA server:

  • IP address of the RADIUS server: the address at which the RADIUS server can be reached.
  • UDP port numbers: the officially assigned UDP port numbers are 1812 for RADIUS authentication and 1813 for RADIUS accounting, but they can also work through UDP port numbers 1645 and 1646.
  • Shared key: used to authenticate the AP with the RADIUS server.

The shared key is not a parameter that must be configured in a STA. It is only required on the AP to authenticate with the RADIUS server.

Note : no password field is indicated, because authentication and user authorization itself are handled by the 802.1X standard, which provides end-users with centralized server-based authentication.

The 802.1X login process uses EAP to communicate with the AP and the RADIUS server. EAP is a framework for authenticating network access. It can provide a secure authentication mechanism and negotiate a secure private key that can then be used for the wireless encryption session with TKIP or AES encryption.
