CWSP Chapter 1: Security Fundamentals

Any WLAN implementation should be designed with a secure foundation that provides Confidentiality, Integrity, and Availability. You can easily remember these functional pieces from the acronym CIA. In the early days of standards‐based wireless networking, the notion of what constituted good wireless security was flawed, and the only option to secure WLAN communications was Wired Equivalent Privacy (WEP). A 40‐bit key was used to protect the wireless network from casual eavesdropping. In addition to the key, WEP also used a 24‐bit Initialization Vector (IV) as part of the encryption and decryption process. This 24‐bit IV was relatively short, cryptographically speaking, allowing the IV to be reused with the same key and therefore causing WEP to be vulnerable to intrusion if enough frames with unique IVs were captured. You’ll often see the 40‐bit key and the 24‐bit initialization vector together referred to as the 64‐bit WEP key. Though optional, some manufacturers allowed for the use of a 104‐bit key. Again, the 24‐bit IV was used, and it was common to see the two components referred to as the 128‐bit WEP key.
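
The following Python is an added example, not from the book: it quantifies why a 24‐bit IV is "relatively short" by computing the birthday bound on random IV reuse and the wrap time of a sequential counter, and for comparison it also runs the same numbers for the 48‐bit packet counter that TKIP and CCMP later adopted (the 48‐bit figure and the assumed frame rate are not stated on the page).

```python
import math

# Counter/nonce sizes: WEP's 24-bit IV from the chapter, and (assumed from the
# 802.11 standard, not stated on the page) the 48-bit TKIP/CCMP packet counter.
WEP_IV_BITS = 24
CCMP_PN_BITS = 48


def iv_collision_probability(iv_bits: int, frames: int) -> float:
    """Exact birthday-bound probability that at least two of `frames` frames
    carry the same IV when each IV is drawn uniformly from 2**iv_bits values
    (the way many early WEP drivers chose IVs)."""
    space = 2 ** iv_bits
    if frames > space:
        return 1.0                      # pigeonhole: reuse is certain
    log_no_collision = 0.0
    for i in range(frames):             # P(no reuse) = prod_{i<frames} (1 - i/space)
        log_no_collision += math.log1p(-i / space)
    return 1.0 - math.exp(log_no_collision)


def frames_for_collision_probability(iv_bits: int, p: float) -> int:
    """Frames needed before a random-IV reuse occurs with probability p,
    using the standard approximation n ~ sqrt(2 * N * ln(1 / (1 - p)))."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p))))


def seconds_to_exhaust(iv_bits: int, frames_per_second: float) -> float:
    """Time until a sequential IV / packet-number counter wraps under one key,
    after which the same (key, IV) pair is reused for a new frame."""
    return (2 ** iv_bits) / frames_per_second


if __name__ == "__main__":
    # Assumed traffic rate for illustration: about 1000 frames/s on a busy cell.
    rate = 1000.0
    for bits in (WEP_IV_BITS, CCMP_PN_BITS):
        n50 = frames_for_collision_probability(bits, 0.5)
        hours = seconds_to_exhaust(bits, rate) / 3600
        print(f"{bits}-bit counter: 50% chance of random IV reuse after {n50:,} frames; "
              f"sequential wrap after {hours:,.1f} hours at {rate:.0f} frames/s")
```

With random IVs a 24‐bit space repeats with even odds after roughly 4,800 frames, and a sequential counter wraps in under five hours at the assumed rate; the 48‐bit counter pushes both figures beyond the lifetime of any realistic key.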

The 802.11i security amendment has since been rolled into 802.11‐2012 and carried into 802.11‐2016. This amendment provided the still‐current concept of the robust security network association (RSNA). An RSNA is defined as an association between a pair of stations (STAs) that includes a 4‐way handshake between the STAs. The STA designator covers stations that are either APs or client devices, which is an important point to remember. An RSNA does not allow the use of legacy 802.11 Shared Key Authentication and only allows devices to connect to the network using 802.11 Open System Authentication.

The 802.11i security amendment also introduced a new term: Pre‐RSNA. It’s important to note that Pre‐RSNA networks allow use of the legacy WEP cipher suite (using the Rivest Cipher 4 (RC4) algorithm) for data confidentiality, the 802.11 Open System or Shared Key authentication methods, and a single, weak Integrity Check Value (ICV) algorithm. Again, we’ve already established that WEP was weak; therefore, Pre‐RSNA is also weak.

With the advent of the 802.11‐2012 standard (which was superseded by 802.11‐2016), two classes of security algorithms used with standards‐based 802.11 wireless networking were defined:

  1. Robust Security Networks (RSNs) – which will allow only RSNAs and do not allow WEP
  2. Pre‐RSNA Networks – which do allow WEP

The 802.11‐2016 standard (which supersedes 802.11‐2012) allows STAs to operate simultaneously with pre‐RSNA and RSNA algorithms, but RSNA forbids the use of Shared Key 802.11 authentication, which Pre‐RSNA allows. For RSNA, only the Open System Authentication mechanism can be used.

The 802.11‐2016 standard RSNA defines several security features in addition to those of pre‐RSNA networks, including:

  • Enhanced authentication mechanisms for STAs
  • Key management (generation and distribution) algorithms
  • Strong cryptographic key establishment
  • Enhanced cipher suite solution in Counter Mode with Cipher‐Block Chaining Message Authentication Code Protocol (CCMP) with the use of Advanced Encryption Standard (AES)
  • An optional, transitional cipher suite, Temporal Key Integrity Protocol (TKIP) with the use of RC4
  • Fast basic service set (BSS) transition (FT) mechanisms
  • Enhanced cryptographic encapsulation mechanisms for robust management frames

Transitional security networks (TSNs) allow for both RSNA‐level security and Pre‐RSNA‐level security. A TSN is identified by the indication in the Robust Security Network information element (RSN‐IE or RSNE) of Beacon frames.
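
The following Python parser is an added example, not from the book: it decodes the RSNE carried in a Beacon and reports what the BSS advertises, namely the group and pairwise cipher suites, the AKM (PSK, 802.1X or SAE), whether a WEP group cipher marks the BSS as a TSN, and, going slightly beyond this passage, the MFPC/MFPR capability bits from 802.11w. Suite selector values are taken from the 802.11‐2016 RSNE definition; the four sample elements are constructed for illustration, not captured from any network.

```python
import struct

OUI_IEEE = b"\x00\x0f\xac"            # suite selector OUI for 802.11-defined suites

# Cipher and AKM suite type values as defined for the RSNE in IEEE 802.11-2016.
CIPHER_SUITES = {
    0: "use-group", 1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
    6: "BIP-CMAC-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256",
}
AKM_SUITES = {
    1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
    6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 12: "802.1X-SuiteB-192",
}
RSN_CAP_MFPR = 1 << 6                 # Management Frame Protection Required
RSN_CAP_MFPC = 1 << 7                 # Management Frame Protection Capable


def _suite_name(raw: bytes, table: dict) -> str:
    oui, kind = raw[:3], raw[3]
    if oui != OUI_IEEE:
        return "vendor:%s:%d" % (oui.hex(), kind)
    return table.get(kind, "reserved-%d" % kind)


def parse_rsne(elem: bytes) -> dict:
    """Parse an RSN element (Element ID 48). Every field after Version is
    optional; absent fields take the defaults the standard specifies."""
    if len(elem) < 4 or elem[0] != 48 or len(elem) != 2 + elem[1]:
        raise ValueError("not a well-formed RSNE")
    body = elem[2:]
    info = {"version": struct.unpack_from("<H", body, 0)[0],
            "group": "CCMP-128", "pairwise": ["CCMP-128"],
            "akm": ["802.1X"], "caps": 0}
    pos = 2
    if len(body) < pos + 4:
        return info
    info["group"] = _suite_name(body[pos:pos + 4], CIPHER_SUITES)
    pos += 4
    for key, table in (("pairwise", CIPHER_SUITES), ("akm", AKM_SUITES)):
        if len(body) < pos + 2:
            return info
        count = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        if len(body) < pos + 4 * count:
            raise ValueError("RSNE %s suite list truncated" % key)
        info[key] = [_suite_name(body[pos + 4 * i:pos + 4 * i + 4], table)
                     for i in range(count)]
        pos += 4 * count
    if len(body) >= pos + 2:
        info["caps"] = struct.unpack_from("<H", body, pos)[0]
    return info


def assess_rsne(elem: bytes) -> list:
    """Classify what the advertising BSS allows, from a defender's viewpoint."""
    info = parse_rsne(elem)
    findings = []
    if info["group"] in ("WEP-40", "WEP-104"):
        findings.append("TSN: WEP group cipher, pre-RSNA stations may associate")
    if "TKIP" in [info["group"]] + info["pairwise"]:
        findings.append("TKIP offered (deprecated transitional cipher)")
    if any(a in ("SAE", "FT-SAE") for a in info["akm"]):
        findings.append("SAE authentication (WPA3-Personal)")
    elif any(a.startswith("PSK") or a == "FT-PSK" for a in info["akm"]):
        findings.append("passphrase/PSK authentication (Personal mode)")
    else:
        findings.append("802.1X/EAP authentication (Enterprise mode)")
    if info["caps"] & RSN_CAP_MFPR:
        findings.append("management frame protection required (802.11w)")
    elif info["caps"] & RSN_CAP_MFPC:
        findings.append("management frame protection optional")
    else:
        findings.append("no management frame protection")
    return findings


# Constructed sample RSNEs (hex) for illustration, not captured from a real network.
RSNE_WPA2_CCMP = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0c00")
RSNE_WPA2_MIXED = bytes.fromhex("3018 0100 000fac02 0200 000fac04 000fac02 0100 000fac02 0000")
RSNE_TSN_WEP = bytes.fromhex("3014 0100 000fac05 0100 000fac04 0100 000fac02 0000")
RSNE_WPA3_SAE = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac08 c000")

if __name__ == "__main__":
    for name, elem in (("WPA2-CCMP", RSNE_WPA2_CCMP), ("WPA2-mixed", RSNE_WPA2_MIXED),
                       ("TSN", RSNE_TSN_WEP), ("WPA3-SAE", RSNE_WPA3_SAE)):
        print(name, parse_rsne(elem), assess_rsne(elem), sep="\n  ")
```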

It is also important to understand the various wireless vulnerabilities that exist for the different types of WLAN deployments, and that new vulnerabilities will come along periodically. Whether the WLAN is a home, small office, or enterprise installation, all WLANs have their share of weaknesses for personal and business uses. Some vulnerabilities are common across all scenarios (like malicious jamming), while others are more specific to individual types of environments. We will address personal and small business wireless environments first.

Considerations for Personal Network Usage Threat Assessment

  • Anonymous intruders may perform illegal computer activities through open wireless networks.
  • Intruders may compromise a home user’s privacy
  • Intruders may learn financial, medical and personal information for use in identity theft
  • Intruders may tamper with home user’s files and information
  • Intruders may insert malware, viruses, rootkits, or backdoors onto the home user’s network
  • Intruders could camp on the personal network and use so much bandwidth that the rightful owner’s performance suffers

Network Extension

Keep in mind that early wireless networks were more of an extension to an existing wired network infrastructure with a limited number of APs and a small number of users, whereas today Wi‐Fi may be the dominant access method for many networked environments. Since most wireless installations occur at the edge of a wired LAN infrastructure, any weaknesses in the wireless segments can lead to the exploitation of vulnerabilities on the wired segments as well. WLANs have become a tightly integrated network access resource, often with the same privileges as given to users of the wired LAN.

Network targets for intruders may include:

  • Databases
  • Application Servers
  • Management Devices
  • File Servers

CWNA Security Review

IEEE 802.11 Open System Authentication

Open System Authentication is a required component for 802.11 devices to connect to a WLAN and is considered a null authentication algorithm. Open System authentication consists of two 802.11 management frames. These frames are not a request and response but merely identified as Authentication. For the most part, this authentication will always be successful from the device’s perspective. Simply put, a device says, “I’d like to communicate with you,” and the other device says, “and I would like to talk with you as well.” Though the mechanism is called Authentication, it’s also more or less guaranteed, and there is no credential checking or other vetting used. Without any other additional authentication mechanisms, Open System Authentication will allow all information sent across the air to be in clear or plain text and, therefore, remains vulnerable to eavesdropping. Most wireless hotspots will use only Open System Authentication (to provide ease of connection), and users will have to supply additional authentication methods or encryption solutions such as virtual private networks (VPNs) to secure their wireless transmissions.

Where other authentication and encryption mechanisms are used, like with 802.1X, it can be confusing that “Open” System Authentication is still in play. It’s a fundamental 802.11 construct that stays with us even when the wireless network it’s used on is not “open.”

WEP

As mentioned earlier in the chapter, WEP was intended as an early way to protect information on a wireless network from casual eavesdropping using a 40‐bit key and a 24‐bit initialization vector (IV). From the perspective of “best practices,” WEP, TKIP, and Shared Key authentication are all mechanisms deemed to be outdated and ineffective for securing 802.11 networks. They are deprecated as of the latest 802.11‐2016 standard. When something is “deprecated” in networking or programming, it means that you are strongly encouraged to find other ways of accomplishing what the deprecated feature does because it has been proven to be faulty in some significant way or will soon be replaced and removed. Network equipment vendors may decline to provide support for deprecated features.

802.11 Shared Key Authentication

This wireless authentication method is NOT WPA/WPA2‐PSK (pre‐shared key) usage, despite what its nomenclature may imply.

Shared Key Authentication was defined in the original 802.11 standard in 1997 as a way to provide both 802.11 authentication and data encryption, which was accomplished through the use of WEP.

Unlike Open System authentication, which uses two 802.11 management frames, Shared Key authentication requires four 802.11 management frames. Because the challenge string is sent in clear text in the second frame, Shared Key authentication can easily be exploited, allowing unauthorized users to authenticate to the wireless network and view user data that should actually be secured.

Wi-Fi Protected Access WPA & WPA2

The Wi‐Fi Alliance created a pre‐802.11i stop‐gap certification known as Wi‐Fi Protected Access (WPA). While 802.11i was being developed, WPA was introduced as a temporary security method. It can take quite a while for amendments to the 802.11 standard to be written and adopted, and the Wi‐Fi Alliance did well bridging the gap between poor security and the more robust mechanisms that would eventually follow when it created the WPA certification.

The original WPA interoperability certification was based on the fact that Temporal Key Integrity Protocol (TKIP) provided an enhancement to WEP on pre‐RSNA equipment and allowed for the protection of 802.11 data frames. Equipment that supported legacy WEP was generally capable of TKIP as well. The 802.11i amendment was ratified in 2004. Given the success of the WPA certification in bringing a new level of security awareness, the Wi‐Fi Alliance created a post‐802.11i certification known as WPA2. Based on the 802.11i amendment to the standard, the WPA2 certification requires support for CCMP/AES and optionally allows TKIP/RC4 for backward compatibility for legacy clients. In 2018, WLAN security took another leap forward with WPA3.

Wi-Fi Protected Access WPA Personal Mode

WPA personal mode (WPA‐Personal) was created to provide individual users with an easy, but stronger, way to secure their 802.11 wireless networks versus past methodologies. Greater security was accomplished by entering a passphrase (used to create a pre‐shared key) on all wireless devices that would be part of the same BSS. A passphrase can be a maximum of 63 ASCII characters in length. From the passphrase that is entered into the device, an algorithm is used to create a 256‐bit pre‐shared key (PSK). Although this key is secure, using a weak passphrase can make the wireless network vulnerable to intrusion. It is very common for users to pick a short and easily guessed passphrase, the dangers of which we will learn more about later in the book. A WPA network will use TKIP/RC4 as the cipher suite and encryption method. WPA‐Personal mode is also called WPA Pre‐Shared Key (WPA‐PSK) based on the use of a single key for all 4‐way handshakes (which you will learn about in detail later in the book). WPA was better than WEP, but more could be done to secure individual users’ WLAN connectivity.
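
The following Python is an added example, not from the book: it implements the passphrase‐to‐PSK mapping that WPA‐Personal (and, unchanged, WPA2‐Personal) uses, PBKDF2‐HMAC‐SHA1 with the SSID as salt, 4096 iterations and a 256‐bit output, checked against the reference vector published in the IEEE 802.11 standard's test‐vector annex. The 8‐character minimum and the reading of the chapter's "more than fifteen characters" guidance as a length‐plus‐character‐class check are assumptions, not statements from the page.

```python
import hashlib
import string

PSK_ITERATIONS = 4096   # iteration count fixed by the 802.11 passphrase-to-PSK mapping
PSK_BYTES = 32          # 256-bit PSK, as the chapter states


def validate_passphrase(passphrase: str) -> None:
    """Enforce the standard's passphrase format (assumed here): 8 to 63 printable
    ASCII characters. A 64-character hex string would be a raw PSK, not a passphrase."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must contain only printable ASCII")


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Passphrase-to-PSK mapping used by WPA- and WPA2-Personal:
    PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256 bits).
    The SSID is broadcast, so the PSK is exactly as strong as the passphrase."""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PSK_ITERATIONS, PSK_BYTES)


def meets_chapter_guidance(passphrase: str) -> bool:
    """Assumed reading of the chapter's best practice: more than fifteen
    characters drawn from at least three character classes."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    mixed = sum(any(c in cls for c in passphrase) for cls in classes)
    return len(passphrase) > 15 and mixed >= 3


if __name__ == "__main__":
    # Reference vector from the 802.11 standard: passphrase "password", SSID "IEEE".
    print(derive_psk("password", "IEEE").hex())
    # Constructed candidates to show the guidance check.
    for candidate in ("password", "Correct-Horse-Battery-2024"):
        verdict = "meets guidance" if meets_chapter_guidance(candidate) else "too weak"
        print(candidate, verdict)
```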

Wi-Fi Protected Access 2 WPA2 Personal Mode

A WPA2 network can use CCMP/AES as the cipher suite and encryption method for securing wireless communications but allows for optional TKIP/RC4 support for backward compatibility for older devices. A WPA2 passphrase uses the same concepts as WPA but allows for stronger security. As noted earlier, 802.11 associations for devices that are capable of CCMP/AES will be classified as RSNAs. WPA2 Personal Mode is currently the general standard mechanism for securing home and many small‐business wireless network environments, as well as many high‐roaming scenarios with mobile devices not supporting fast roaming methods.

Wi-Fi Protected Access 3 WPA3 Personal Mode

WPA3‐Personal is the latest in the series of frameworks that seek to secure individual users’ wireless networks. In WPA3‐Personal, PSK has been replaced with SAE, which stands for Simultaneous Authentication of Equals. The user still enters a passphrase, but the SAE cryptography characteristics provide a higher degree of protection against dictionary attacks – even offline attacks. It also allows users to enter less sophisticated, easier‐to‐remember passwords and protects data even if a password was compromised, through a technique called Forward Secrecy.

Wi-Fi Protected Access WPA & WPA2 Enterprise Mode

WPA and WPA2 enterprise modes (WPA‐ and WPA2‐Enterprise) are far more robust methods of securing enterprise wireless networks. Compared to Personal Mode, these modes use a much more sophisticated process to secure 802.11 wireless communications. Enterprise Mode relies on another IEEE standard, 802.1X, which provides port‐based access control and uses Extensible Authentication Protocol (EAP), which is an Internet Engineering Task Force (IETF) standard. WPA/WPA2 Enterprise Mode provides user‐based access control and a much better authentication process for large wireless networks. The same cipher suites and encryption methods, TKIP/RC4 and CCMP/AES, are used as in Personal Mode; however, the enhanced key generation and implementation processes are what make the two modes different.

WPA3-Enterprise Mode

In 2018, the Wi‐Fi Alliance developed WPA3. It’s a major security upgrade for the WLAN industry and is expected to propagate in parallel with the new 802.11ax standard (expected to ratify in 2020).

Industry Organizations

Standardization and certification are as important to network security as they are to the basic operations of wireless networks. While proprietary solutions may provide some security advantages due to their secrecy, standardized security mechanisms are central to modern WLANs and the development of widely deployed wireless products. The three main industry organizations responsible for the standards‐based approach that has become the hallmark of the wireless industry are discussed here: IEEE, Wi‐Fi Alliance, and IETF.

Institute of Electrical and Electronics Engineers (IEEE)

The IEEE is a nonprofit organization responsible for generating a variety of technology standards. Most important of these to the CWSP is the 802.11 standard. The IEEE has also given us the 802.3 Ethernet standard and the 802.1X Network Access Control standard. Both are also very important to the wireless professional.

Internet Engineering Task Force (IETF)

The IETF is responsible for creating Internet standards and promoting Internet technology and usage through the adoption of Request for Comment (RFC) documents. An RFC is a document created by engineers and scientists and designed to define innovation and technology that works with the Internet. If an RFC is approved by the IETF, it will eventually become an Internet standard. These RFCs include Remote Authentication Dial‐In User Service (RADIUS), EAP, and Internet Protocol Security (IPSec). As with the IEEE, the IETF has interests far beyond wireless, but many of its initiatives end up being widely used in LAN, WLAN, and WAN applications.

Wi-Fi Alliance

The Wi‐Fi Alliance was created to both promote wireless networking technology and to provide interoperability testing of WLAN equipment. The Wi‐Fi Alliance is responsible for many WLAN interoperability certifications and has been instrumental in the growth and mass adoption of wireless as a network access method. The security certifications of the Wi‐Fi Alliance include WPA‐Personal, WPA‐Enterprise, WPA2‐Personal, WPA2‐Enterprise, WPA3‐Personal, WPA3‐Enterprise, Wi‐Fi Protected Setup (WPS), and many different EAP types.

Product Certificates

Product certificates provide a quick and easy reference to determine which security certifications a device holds. Using devices that are certified by the Wi‐Fi Alliance will help ensure interoperability between manufacturers and provide a higher quality user experience along with easier support. To search for Wi‐Fi certified devices, enter the following link into your web browser: https://www.wi‐fi.org/product‐finder. From this web page, you can search by certificate ID, device model number, keyword, company, category, and other criteria.

Terminology

Understanding the basic definitions for the following terms will ease the learning process throughout this book:

AAA ‐ Authentication, Authorization, and Accounting (AAA) is a set of separate security functions performed on WLANs to identify and validate a user identity (Authentication), apply specific policies and privileges to his/her network access (Authorization), and monitor the actions performed while this user is associated to the network (Accounting).

Access Control ‐ The prevention of unauthorized use of resources. Access Control is a generic networking term referring to the mechanisms by which access to network resources is controlled.

Authentication ‐ The service that identifies a STA as a member of a group of STAs authorized to join or associate with another STA. Authentication validates user identity to determine permission.

CIA‐ Confidentiality, Integrity, and Availability

Cipher Suite ‐ A set of one or more algorithms designed to provide data confidentiality, data authenticity or integrity, and/or replay protection.

Encryption ‐ To alter a data stream using a secret code or algorithm so as to be unintelligible to unauthorized parties.

RADIUS ‐ Remote Authentication Dial‐In User Service (RADIUS) is an authentication protocol used to provide centralized AAA services for a network.

RSN ‐ A Robust Security Network (RSN) is a network that allows only robust security network associations (RSNAs) by the exclusion of WEP.

SAE ‐ Simultaneous Authentication of Equals. Introduced in WPA3‐Personal, it replaces PSK with a new key‐handling methodology designed to prevent the KRACK attack and similar attacks.

802.1X/EAP ‐ An enterprise authentication mechanism in which port‐based access control (802.1X) is employed with a form of the Extensible Authentication Protocol (EAP) to authenticate STAs.

VPN ‐ Virtual Private Network. Simplified, an encrypted, secure, virtual extension of the corporate network to a remote client.

WPA‐Personal ‐ Security certification specified by the Wi‐Fi Alliance in which passphrase‐based authentication is paired with the TKIP cipher suite for encryption.

WPA‐Enterprise ‐ Enterprise security certification specified by the Wi‐Fi Alliance in which 802.1X/EAP authentication is paired with the TKIP cipher suite for encryption.

WPA2‐Personal ‐ Security certification specified by the Wi‐Fi Alliance in which passphrase‐based authentication is paired with the AES‐CCMP cipher suite for encryption, with optional TKIP support.

WPA2‐Enterprise ‐ Enterprise security certification specified by the Wi‐Fi Alliance in which 802.1X/EAP authentication is paired with the AES‐CCMP cipher suite for encryption, with optional TKIP support.

WPA3‐Personal ‐ Security certification specified by the Wi‐Fi Alliance in which Simultaneous Authentication of Equals (SAE) replaces PSK functionality. Optional at the time of this writing.

WPA3‐Enterprise ‐ Enterprise security certification specified by the Wi‐Fi Alliance, which requires Management Frame Protection (MFP), disallows legacy security types, and uses GCMP‐256 encryption. Optional at the time of this writing.

Home Office Security

The wireless security solution that you ultimately choose will depend on several factors, which include the number of APs, the number and type of client devices, and the intended use of the wireless network. Home and home office installations typically consist of one wireless AP and a limited number of devices that will associate to the network. For modest wireless networks like this, a WPA2 passphrase (or WPA3 SAE) will be adequate. Indeed, this is currently far and away the most common way to secure home networks.

Using a strong passphrase and following general wireless security best practices will usually suffice for this type of network. Manufacturers of home‐based WLAN equipment will sometimes try to ease the process of securing wireless home routers by providing default security mechanisms including pre‐supplied passphrases. Depending on how it is implemented, this could be a security risk. As a best practice, reconfigure the WLAN AP or router to use a strong passphrase with a mix of more than fifteen characters. In addition to this best practice, consider the following important list:

  • Change all default settings including the SSID, passphrase and device login credentials
  • Do not use WEP
  • Use only client devices that will support WPA2, minimally
  • Use only CCMP/AES
  • Always use strong passphrases and change them often
  • Change your passphrase if you lose a client device
  • Be mindful of how family members share your passphrase with visitors
  • Disable Wi‐Fi Protected Setup (WPS) features as many implementations introduce vulnerabilities
  • Periodically upgrade devices to the latest firmware versions that are available

Small Business Security

Small business wireless may require more than one AP. Depending on the number of APs and connected wireless devices, the same security best practices as applied to home office security may be applicable here. Small business Wi‐Fi might be controller‐based or cloud‐based, which could provide the opportunity to use stronger security mechanisms such as 802.1X/EAP. In addition to the home office security best practices, small business security should use only WPA2 with CCMP/AES. Most client devices used in these environments will support WPA2. If they don’t, then they should be scrutinized for replacement with something more robust.

Large Enterprise Security

Large enterprise wireless networks require careful planning in order to ensure successful deployment, and wireless security plays a major role in that planning. At this scale, security needs are much more policy‐driven. 802.1X addresses port‐based access control and helps to provide a secure, scalable, and manageable security solution for enterprise wireless networks. 802.1X works in conjunction with an appropriate EAP (authentication protocol) method to allow for user‐based security. User‐based security allows an administrator to restrict access to a WLAN and its resources by creating users in a centralized database or accessing a typical X.500 compliant server with an existing user database. Anyone trying to join the network will be required to authenticate as one of the users by supplying a valid username and password or other valid credentials. After successful authentication, the user will be able to gain access to resources to which they have been assigned appropriate permissions based on their role or organizational group. Wireless devices that use 802.1X technology are identified using different terminology than that used in 802.11 standards‐based wireless networking. This terminology is used frequently by the wireless professional in their daily work and includes three key terms:

Supplicant ‐ the wireless client device or the device requesting authentication

Authenticator ‐ the wireless AP, WLAN controller or the device/system providing access to the network

Authentication server ‐ the device or system providing the actual authentication, commonly a RADIUS server

When implementing security for any sized business, it is essential that the network resources themselves are adequately secured as they are common targets of network attacks. That is, you should not rely on just the WPA2‐Personal or Enterprise authentication and encryption provided by the WLAN as your only security. A cohesive, well‐documented security strategy should be implemented appropriately throughout the network. This is often called defense‐in‐depth or layered security.

Public Network Security

One common wireless network implementation is the publicly available Wi‐Fi hotspot. This type of network is usually available at airports, hotels, restaurants, coffee shops, retail stores, on airplanes, and at many public settings. In many cases, these wireless networks are available for free, or in exchange for targeted marketing as a value‐added service to the patrons of the establishment that provides goods or services. Occasionally, the hotspot provider will charge a fee for wireless network access. The hotspot model typically involves users connecting their devices to an unsecured wireless AP in order to use Internet resources or even to access corporate network resources across the Internet. Usually, the hotspot framework prioritizes ease‐of‐use over providing wireless security, and so Confidentiality, Integrity, and Availability aren’t provided.

Remote Access Security

Many organizations allow employees to work from remote locations such as home, satellite offices, and while traveling. In some instances, there may not be an office to go to, and all employees work remotely. When a remote user connects remotely to a company network, that network, for the most part, is now extended to the remote location.

Security and OSI Model

Security techniques work at various levels of the Open System Interconnection (OSI) model from the lowest, the Physical Layer, to the highest, the Application layer. As you likely know by now, 802.11 is primarily concerned with Layers 1 and 2. At the same time, different layers may be leveraged for specific security strategies.

The Application Layer

The Application layer is considered the interface to the user and is frequently referred to as Layer 7. This is where the protocols for common applications such as email, Internet web browsers, and file transfer programs reside. Some common Application layer protocols include Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Post Office Protocol (POP) and Simple Network Management Protocol (SNMP) among others. These protocols provide no significant stand‐alone security and many transfer information in plain or cleartext. Clear text transmissions create severe concerns for WLAN communications when you consider that they are sent through the air using RF. Many Application layer protocols can use the Secure Sockets Layer (SSL) protocol alongside the Application layer protocols to provide for secure network communications using Internet Protocol (IP), but whether they do or not can be hit‐or‐miss, depending on the way the application was written. Because so many of these applications transmit in the clear, using encryption on the WLAN is essential in modern business. Some organizations are now using Application layer firewalls to help control the traffic at Layer 7. It’s important to note that these firewalls will not typically assist with WLAN security per se.

The Network Layer

Although WLAN technology operates at the Physical and Data Link Layers, the Network Layer still plays a role with respect to wireless security because of the networking protocols that reside at this layer. There are various VPN technologies available, and as with wireless networking, some are more secure than others. Two common examples of VPN protocols are:

  • Point‐to‐Point Tunneling Protocol (PPTP)
  • Layer 2 Tunneling Protocol (L2TP)

Somewhat analogous to how WEP and TKIP are viewed, PPTP is considered a weaker legacy VPN technology that can introduce security vulnerabilities when used with wireless networking. L2TP itself provides only a tunneling mechanism and gets its security from integration with an encryption protocol. With L2TP, the most common choice of encryption is IPSec, which provides authentication and encryption for each IP packet in the data stream.

The Data Link Layer

Layer 2 has a particular significance in the context of WLAN communications. The Data Link Layer is actually made up of two sub‐layers: Media Access Control (MAC) and Logical Link Control (LLC). We’ll focus our discussion here on the MAC sub‐layer but know that the LLC also exists (and is pivotal to the integration between 802.11 wireless and 802.3 Ethernet). The MAC sub‐layer is where bit‐level communication is accomplished through MAC addressing and framing. The MAC sub‐layer adds the MAC header and will allow for various WLAN security mechanisms. The header information cannot be encrypted regardless of what 802.11 methodology is employed, which is a very important point of reference. For secure wireless communications, encryption must occur within the data payload of the frames that traverse the air. Layer 2 security types include those mentioned earlier in this chapter: WEP, TKIP/RC4, CCMP/AES, GCMP‐256 in WPA3, and 802.1X/EAP, though some of these have been deprecated. Using legacy or unsecured Layer 2 security mechanisms has been the cause of many real‐world WLAN security‐related issues.

802.11w‐2009 (now part of 802.11‐2016) introduced management frame protection. However, this does not encrypt the MAC headers of frames, and it only applies to specific management frames. The only frames protected are deauthentication, disassociation, and robust action frames. Data frames do not include this protection. The new WPA3 security certification requires that devices implement management frame protection.

The Physical Layer

At the Physical Layer, potential vulnerabilities include eavesdropping on unsecured communications, as previously mentioned, and intentional RF interference (known as jamming). Jamming can be a denial of service attack unto itself, or it can be a component of more sophisticated attacks. In addition to the risks associated with Wi‐Fi’s unbounded medium, the wired network infrastructure at Layer 1 can also be a security concern for wireless networking. This includes unsecured physical layer wired ports that connect to Layer 2 switches, and that can be used to introduce rogue (not authorized) APs into the networking environment. Good practice includes securing unused switch ports through a variety of methods.

Security Analysis Basics

Threats include the individuals or groups who wish to attack your network and the systems they use to perform the attacks. Vulnerabilities are the points where your system is weak or might be able to be penetrated. You must consider both to implement and sustain an effective wireless solution. Keep in mind that your vulnerabilities, potential hackers, and penetration tools will all change over the life of a given WLAN.

Attack Surface

The attack surface is inclusive of all areas that can potentially be attacked. Even small networks can have a sizeable attack surface, depending on network topology and services in use. For large network environments with sizable LAN, WLAN, and WAN components, it can take a fair amount of time and analysis to fully realize your attack surface. Attack surface reduction is a security best practice and is the process of reducing the number of areas where your system can be attacked.

Attack surface reduction is about reducing the likelihood of attack by reducing the number of attack points. You can sum it up like this: If you do not need a particular technology or capability for some beneficial business purpose, do not use it or leave it in place for others to use. There are two general wireless device points of entry to consider when contemplating attack surface reduction: wireless entry and wired entry. The wireless attack surface includes any components on the network with a radio interface. This includes all access points, wireless routers, wireless bridges, and other wireless devices. One common attack method is the rogue (self‐installed or unauthorized) AP or wireless router that lures users to a wireless cell that they should not be on.

To prevent wireless attacks, we rely on best practices for the administrative side of wireless security. These include user training, using strong encryption, and securing the management interfaces of all network devices. In more advanced implementations, consider the use of 802.1X and EAP for authentication and encryption on the wired ports, which generally involves a centralized authentication, authorization, and accounting server (RADIUS).

The AP’s wired uplink is often overlooked when configuring wireless networks. To understand the potential impact of ignoring the wired side of wireless networking, consider that the Ethernet port can be used to access the AP for a number of nefarious purposes. If they can gain access, an attacker could modify configuration settings, harvest network information, and possibly exploit the underlying operating system on the AP for more sophisticated attacks.

This simple but significant security attack was possible because the default administrative login for the wireless router had not been changed. If the principles of attack surface reduction had been employed, the attacker would not have been able to reach the wireless router in the first place. Attack surface reduction, applied to this scenario, demands that the Ethernet port in the spare office be disabled until it is needed. With the port disabled, the attacker could not have used the port to obtain an IP address and then reach the wireless router to reconfigure it. Beyond the open Ethernet port, the router’s default credentials and its management interface listening on standard HTTP ports are also weaknesses here. These may all sound fairly simple to combat, but it’s easy to overlook critical basics that can lead to trouble.
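The weaknesses in this scenario (an unused switch port left enabled, a default administrative credential, a plaintext management interface) can be found with a simple inventory audit. The script below is an added example, not part of the chapter: the inventory, the device and port fields, and the placeholder "default" credentials are all constructed for illustration.

```python
"""Attack-surface audit over a constructed device inventory (added example)."""
from dataclasses import dataclass, field

# Placeholder factory defaults, constructed for this example (not vendor values).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password")}


@dataclass
class Port:
    name: str
    enabled: bool
    in_use: bool            # an authorised device is actually connected here


@dataclass
class Device:
    name: str
    has_radio: bool         # a radio interface puts it on the wireless attack surface
    mgmt_scheme: str        # "http" or "https" for the management interface
    admin_cred: tuple       # (username, password) currently configured
    ports: list = field(default_factory=list)


def wireless_attack_surface(devices):
    """Every device with a radio interface is a wireless point of entry."""
    return sorted(d.name for d in devices if d.has_radio)


def audit(devices):
    """Return (device, issue) findings that attack-surface reduction would close."""
    findings = []
    for d in devices:
        if d.admin_cred in DEFAULT_CREDENTIALS:
            findings.append((d.name, "default administrative credential"))
        if d.mgmt_scheme == "http":
            findings.append((d.name, "plaintext management interface"))
        for p in d.ports:
            if p.enabled and not p.in_use:      # the spare-office port case
                findings.append((d.name, f"unused port {p.name} enabled"))
    return findings


# Constructed inventory modelled on the spare-office scenario above.
INVENTORY = [
    Device("wifi-router", True, "http", ("admin", "admin"),
           [Port("eth1", enabled=True, in_use=True)]),
    Device("edge-switch", False, "https", ("netops", "example-only"),
           [Port("gi0/7", enabled=True, in_use=False),   # spare office
            Port("gi0/8", enabled=False, in_use=False)]),
]

if __name__ == "__main__":
    print("wireless attack surface:", wireless_attack_surface(INVENTORY))
    for name, issue in audit(INVENTORY):
        print(f"{name}: {issue}")
```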

Data Flow

Data flow analysis is the scrutiny of data as it enters, traverses, and is removed from your network. You aren’t generally concerned with the departure point from the network in most wireless implementations, though that is an important concern for your overall network security strategy. For wireless networking security, in particular, the focus is on the flow of data from four perspectives: the data entry point, network traversal, live storage points, and backup storage points. The data entry point is where data starts its network journey, usually entered by a user on a laptop computer, a desktop computer, or even a web‐based interface operating across the Internet. Regardless of which type of device serves as the entry point, you must focus on how that device connects to the network. If a wireless connection is in use, you must consider how to secure this data as it traverses the air.

Before we discuss the network traversal component of data flow, let’s consider the types of data that are typically present on a wireless network and what we need to keep in mind about each. Remember that the level of security needed depends on the type of data in play. If you only use the wireless network for general Internet access, you might not need advanced security techniques like VPNs and 802.1X/EAP.

Public data is that which anyone can see and access. You might want to limit the ability of users to modify the data, but viewing the data is not a concern (and is usually made public for mass consumption). If a client uses only public data, you do not need to be as concerned about the security of the connection. Here common‐sense wireless security practices should suffice, like the use of WPA2. Private data might include human resource information, non‐sensitive trade secrets, and other data inappropriate for sharing with the public. Here you generally combine common‐sense wireless security measures with non‐wireless network controls to keep “inside” data restricted to access by employees only. Highly private data is described as information that only a select few should see. This data almost always requires advanced security mechanisms such as VPNs for all wireless connections carrying the data and possibly the use of certificates, the strongest EAP methods with 802.1X, and a PKI (public key infrastructure).

How data gets protected is driven by the sensitivity and value of the data.

Once the data leaves the point of entry (the wireless client device, in our case), it traverses the network and passes through many networked components along the way. During this data flow, transmissions can be interrupted with the potential for interception by an attacker if the traversal points are not secured properly. Part of data flow analysis is investigating these connection points as well as the medium between them for ease of access to those who might do harm.

Two wireless traversal points are included in this example. The first is between the wireless laptop client and the AP connected to the wired network. The second is between the two wireless bridges that link the two individual wired networks. Both of these wireless connections need to be secured to provide complete security to the data flow (assuming that the wired path is secure). If you enable WPA2‐Personal on the AP but do nothing to secure the wireless bridges, you’ve only addressed one of the two wireless security concerns. Though bridges usually have a narrow RF propagation pattern, this characteristic is not considered a security feature, because an attacker can still position a device between the two bridges and sniff the traffic from the air if it is not strongly encrypted as well. “Sniffing” traffic means pulling packets into your device even though they might not be intended for you. Packet sniffing is used in wired and wireless networks alike, both for legitimate support and for hacking. The packets, frames, and data payloads have value to both the good guys and the bad.
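Network traversal analysis can be mechanised: model the links, walk the path the data takes from entry point to storage, and report every wireless hop that is not strongly protected. The script below is an added example, not the chapter’s own material; the topology (laptop, AP, two wired LANs joined by a bridge pair, file server) and the set of ciphers treated as strong are constructed assumptions for the walkthrough.

```python
"""Flag unprotected wireless hops on a data path (added example)."""
from collections import deque

# Constructed topology: laptop -> AP -> LAN A -> bridge A ~ bridge B -> LAN B -> file server.
# Each link: (end_a, end_b, medium, protection); wired links carry no WLAN cipher.
LINKS = [
    ("laptop",   "ap",         "wireless", "WPA2-Personal"),
    ("ap",       "switch-a",   "wired",    None),
    ("switch-a", "bridge-a",   "wired",    None),
    ("bridge-a", "bridge-b",   "wireless", "open"),      # bridge link left unsecured
    ("bridge-b", "switch-b",   "wired",    None),
    ("switch-b", "fileserver", "wired",    None),
]

# Assumed policy for this example: only these count as strong encryption.
STRONG = {"WPA2-Personal", "WPA2-Enterprise", "WPA3-Personal", "WPA3-Enterprise"}


def find_path(links, src, dst):
    """Breadth-first search over the undirected link list; returns the hop list."""
    adj = {}
    for a, b, medium, protection in links:
        adj.setdefault(a, []).append((b, medium, protection))
        adj.setdefault(b, []).append((a, medium, protection))
    queue, seen = deque([(src, [])]), {src}
    while queue:
        node, hops = queue.popleft()
        if node == dst:
            return hops
        for nxt, medium, protection in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + [(node, nxt, medium, protection)]))
    return None                      # destination unreachable


def unprotected_wireless_hops(links, src, dst):
    """Wireless hops on the src->dst path whose protection is missing or weak."""
    path = find_path(links, src, dst) or []
    return [(a, b, protection) for a, b, medium, protection in path
            if medium == "wireless" and protection not in STRONG]


if __name__ == "__main__":
    for a, b, protection in unprotected_wireless_hops(LINKS, "laptop", "fileserver"):
        print(f"{a} <-> {b}: '{protection}' is not strong encryption")
```

Securing the AP alone leaves the bridge hop reported; only once both wireless links use a strong cipher does the list come back empty.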

The main purpose of network traversal analysis is to ensure that eavesdroppers cannot easily gain useful access to your data. Because we can’t stop people we can’t see from listening to the RF, it’s critical that we use encryption to protect the WLAN. Encryption renders any packets that do get captured useless to those who may be sniffing. This precaution secures data in transit, however; it does not protect against data theft during storage, which is discussed next.

To protect against the scenario where attackers discover a method for associating and authenticating with your wireless network (in other words, they’ve breached the network access portion of your security), you should use secure authorization at the point of live storage on the storage device. Create users and groups, as supported by your network operating system or storage device, and then assign proper permissions to those users and groups. Because the attackers are neither one of these users nor members of one of these groups, they should not be able to access the data. The final point of attack is the storage media you use for data backup. Many organizations use physical backup devices that are connected directly to the live storage device. Sometimes organizations transfer the data across the network to an external backup device. In these scenarios, just as when securing the wireless laptop client connections earlier, you must ensure that the traversal path is secure by securing all wireless links in the path.