attacks. One possible example includes jamming the wireless network, thereby forcing clients to lose their connections with authorized APs. During this time, rogue APs can be made available operating at a higher power than the authorized APs. When the jamming attack is stopped, the clients will tend to associate back to the AP that is presenting the strongest signal. Now the attacker owns all of the network clients attached to his rogue APs. The attack continues from there.
In some cases, you find that RF jamming is not always intentional and may be the result of other, non-hostile, sources such as a nearby communications tower or another wireless LAN that is also operating in the same frequency range. Baby monitors, cordless telephones, microwave ovens, and many other consumer products may also be sources of possible interference.
You can take some comfort in knowing that although a jamming attack is relatively easy and inexpensive to pull off, it is not the preferred means of attack. The only real victory with a jamming attack for most hackers is temporarily taking your wireless network offline.
CONFIGURING WINDOWS CLIENT COMPUTERS FOR WIRELESS NETWORK SECURITY
Wireless LAN security is provided through a myriad of solutions. Some of these mechanisms are internal to Windows itself, while others are third-party solutions or part of the IEEE 802.11 standard. In this section, we will be focusing primarily on using WEP, WPA, and 802.1x-based security on Windows XP Professional computers and Windows Vista. Whatever security mechanism you should decide to implement, you must ensure that you are diligent about getting it done right. There is rarely a second chance for security, especially when it comes to securing a wireless LAN.
Windows XP Professional
Windows XP has been hailed as the OS of choice for wireless LAN users. Whatever your feelings are about this, it is a fact that Windows XP brings excellent support for 802.11 wireless networks and 802.1x security to the mainstream. The only flaw in Windows XP’s solution is that it can in some cases take the majority of control away from a user – sometimes this can be a good thing, though. Configuring WEP and 802.1x security on a Windows XP Professional computer is outlined in Exercise 5.1.
Exercise 5.1 Enabling WEP and 802.1x Security in Windows XP Professional
1. Click Start | Settings | Control Panel | Network Connections.
2. Double-click your wireless LAN connection.
3. Click the Properties button and switch to the Wireless tab, shown in Figure 5.14.
4. To configure a new connection, click
information, including the WEP key
Figure 5.14 The Wireless Tab.
5. If your network uses a dynamic keying server, then you need only to select the key provided for you automatically instead of specifying the WEP key specifics.
6. Click OK when you have entered all of the required information.
7. To configure 802.1
the Authentication tab, shown in Figure 5.15.
8. Select Enable network access control using IEEE 802.1x. Select your EAP type from the drop-down list. Most commonly, this is going to be Smart Card or other Certificate. By clicking Properties you can configure the certificate and certificate authority (CA) to be used for this authentication.
Figure 5.15 Configuring 802.1x Security.
Figure 5.16 Windows Vista Network Icon.
9. For increased security, ensure that the Authenticate as computer when computer information is available and Authenticate as guest when user or computer information is unavailable options are not selected. Click OK to accept the settings.
Windows Vista Business
Windows Vista makes it very simple to connect to a wireless network and provide security for that connection. Exercise 5.2 shows the steps for connecting to a wireless network in Vista Business.
Exercise 5.2 Enabling WPA in Windows Vista Business
1. From the desktop, right click on the
Figure 5.16
2. Choose Connect to a Network.
3. Choose the appropriate wireless network from the list as in Figure 5.17.
4. When prompted for the network key, enter that key as shown in Figure 5.18.
5. When prompted choose from Home, Work, or Public as network type.
Figure 5.17 Choosing the Correct Wireless Network.
Figure 5.18 Prompted for Passkey.
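The settings chosen in Exercises 5.1 and 5.2 can be checked after the fact. The following Python code is an added example, not part of the original chapter: it reads wireless profiles in the XML layout that Windows Vista and later write with netsh wlan export profile and flags the choices this chapter advises against. The profile contents and the make_profile and audit_profile names are constructed for illustration.

```python
# Added example: flag weak settings in Windows WLAN profile XML.
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}
AUTH_ENC = "w:MSM/w:security/w:authEncryption/"

def make_profile(name, auth, enc, one_x, conn="ESS"):
    """Build a constructed profile (sample input, not from a real machine)."""
    return f"""<WLANProfile xmlns="{NS['w']}">
  <name>{name}</name>
  <connectionType>{conn}</connectionType>
  <MSM><security><authEncryption>
    <authentication>{auth}</authentication>
    <encryption>{enc}</encryption>
    <useOneX>{str(one_x).lower()}</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""

def audit_profile(xml_text):
    """Return findings for one profile; an empty list means nothing flagged."""
    root = ET.fromstring(xml_text)

    def field(path):
        node = root.find(path, NS)
        return (node.text or "").strip() if node is not None else ""

    auth = field(AUTH_ENC + "w:authentication")
    enc = field(AUTH_ENC + "w:encryption")
    one_x = field(AUTH_ENC + "w:useOneX").lower() == "true"
    findings = []
    if enc == "none":
        findings.append("no encryption: traffic readable by anyone in range")
    if enc == "WEP" and not one_x:
        findings.append("static WEP key: prefer WPA, or 802.1x with dynamic keys")
    if auth == "shared":
        findings.append("shared key authentication: puts the WEP key at risk")
    if field("w:connectionType") == "IBSS":
        findings.append("ad-hoc profile: peer-to-peer, no AP involved")
    return findings

if __name__ == "__main__":
    samples = [
        make_profile("Constructed-Legacy", "shared", "WEP", False),
        make_profile("Constructed-Vista", "WPAPSK", "TKIP", False),
        make_profile("Constructed-1x", "WPA", "TKIP", True),
    ]
    for xml_text in samples:
        name = ET.fromstring(xml_text).find("w:name", NS).text
        print(name, "->", audit_profile(xml_text) or "nothing flagged")
```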
SITE SURVEYS
A site survey is part of an audit done on wireless networks. Site surveys allow system and network administrators to determine the extent to which their wireless networks extend beyond the physical boundaries of their buildings. Typically, a site survey uses the same tools an attacker uses, such as a sniffer and a WEP cracking tool (for 802.11 network site surveys). The sniffer can be either Windows-based (such as NetStumbler) or UNIX/Linux-based (such as Kismet). For WEP cracking, AirSnort is recommended.
Another tool that can be useful is a directional antenna such as a Yagi antenna or a parabolic dish antenna. Directional and parabolic dish antennas allow for the reception of weak signals from greater distances by providing better amplification and gain on the signal. These antennas allow wireless network auditors the ability to determine how far an attacker can realistically be from the source of the wireless network transmissions to receive from and transmit to the network.
Finally, another tool that is useful for site surveys is a GPS locator. This provides for the determination of the geographical latitude and longitude of areas where wireless signal measurements are taken. Using GPS, auditors can create a physical map of the boundaries of the wireless network.
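As an added example (not from the original chapter), the Python below turns GPS-tagged signal readings from a walk-around survey into a list of locations outside the building perimeter where the network is still usable. The reading format, the -80 dBm usability threshold, the coordinates and the function names are assumptions made for illustration.

```python
# Added example: find where a WLAN is still usable outside the perimeter.
import math

EARTH_RADIUS_M = 6_371_000

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two GPS fixes."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def parse_readings(text):
    """Parse 'lat,lon,rssi_dbm' lines, skipping blanks and '#' comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            lat, lon, rssi = (float(v) for v in line.split(","))
            rows.append((lat, lon, rssi))
    return rows

def leakage(readings, ap, perimeter_m, usable_dbm=-80.0):
    """Readings outside the perimeter with usable signal, farthest first.

    Each result is (distance_m, rssi_dbm, lat, lon).
    """
    found = []
    for lat, lon, rssi in readings:
        dist = haversine_m(ap[0], ap[1], lat, lon)
        if dist > perimeter_m and rssi >= usable_dbm:
            found.append((round(dist, 1), rssi, lat, lon))
    return sorted(found, reverse=True)

# Constructed survey: AP position and walk-around readings (assumed values).
AP = (40.0, -75.0)
SURVEY = """
# lat,lon,rssi_dbm
40.0000,-75.0000,-38
40.0002,-75.0000,-55
40.0005,-75.0000,-68
40.0010,-75.0000,-77
40.0020,-75.0000,-91
40.0000,-75.0010,-74
"""

if __name__ == "__main__":
    for dist, rssi, lat, lon in leakage(parse_readings(SURVEY), AP, perimeter_m=50):
        print(f"{dist:7.1f} m  {rssi:6.1f} dBm  at {lat:.4f},{lon:.4f}")
```

The reading at roughly 222 m is dropped because its signal is below the threshold, which is the boundary an auditor would draw on the map.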
SUMMARY OF EXAM OBJECTIVES
Wireless LANs are attractive to many companies and home users because of the increased productivity that results from the convenience and flexibility of being able to connect to the network without the use of wires. WLANs are especially attractive when they can reduce the costs of having to install cabling to support users on the network. For these and other reasons, WLANs have become very popular in the past few years. However, wireless LAN technology has often been implemented poorly and without due consideration being given to the security of the network. For the most part, these poor implementations result from a lack of understanding of the nature of wireless networks and the measures that can be taken to secure them.
Exam Warning
Site surveys are not likely to appear on the Network exam. However, you should be aware of them for your daily tasks, and the information is presented here in the event that you do see a question about some of the tools used to conduct these surveys. Remember that the tools used to conduct site surveys and audits are essentially the same tools an attacker uses to gain access to a wireless network.
WLANs are inherently insecure because of their very nature; the fact that they radiate radio signals containing network traffic that can be viewed and potentially compromised by anyone within range of the signal. With the proper antennas, the range of WLANs is much greater than is commonly assumed. Many administrators wrongly believe that their networks are secure because the interference created by walls and other physical obstructions combined with the relative low power of wireless devices will contain the wireless signal sufficiently. Often, this is not the case.
There are a number of different types of wireless networks that can be potentially deployed. These include HomeRF, Bluetooth, 802.11n, 802.11g, 802.11b, and 802.11a networks. The most common type of WLAN in use today is based on the IEEE 802.11g standard.
The 802.11b standard defines the operation of WLANs in the 2.4 to 2.4835 GHz unlicensed Industrial, Scientific and Medical (ISM) band. 802.11b devices use DSSS to achieve transmission rates of up to 11 Mbps. All 802.11b devices are half-duplex devices, which means that a device cannot send and receive at the same time. In this, they are like hubs and therefore require mechanisms for contending with collisions when multiple stations are transmitting at the same time. To contend with collisions, wireless networks use CSMA/CA.
The 802.11a and 802.11g standards define the operation of wireless networks with higher transmission rates. 802.11a devices are not compatible with 802.11b because they use frequencies in the 5 GHz band. Furthermore, unlike 802.11b networks, they do not use DSSS. 802.11g uses the same ISM frequencies as 802.11b and is backward compatible with 802.11b devices.
The 802.11 standard defines the 40-bit WEP protocol as an optional component to protect wireless networks from eavesdropping. WEP is implemented in the MAC sublayer of the data link layer (Layer 2) of the OSI model.
WEP is insecure for a number of reasons. The first is that, because it encrypts well-known and deterministic IP traffic in Layer 3, it is vulnerable to plaintext attacks. That is, it is relatively easy for an attacker to figure out what the plaintext traffic is (for example a DHCP exchange) and compare that with the ciphertext, providing a powerful clue for cracking the encryption.
Another problem with WEP is that it uses a relatively short (24-bit) IV to encrypt the traffic. Because each transmitted frame requires a new IV, it is possible to exhaust the entire IV key space in a few hours on a busy network, resulting in the reuse of IVs. This is known as IV collisions. IV collisions can also be used to crack the encryption. Furthermore, IVs are sent in the clear form with each frame, introducing another type of vulnerability.
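The IV reuse problem described above can be reproduced in a few lines. This added example (not from the original chapter) models WEP framing in simplified form, with the cleartext IV prepended to the secret key to form the RC4 key, and shows that two frames sent under the same IV share a keystream, so a predictable payload in one exposes the other without the key. The key, IV and payloads are constructed, and the function names are illustrative.

```python
# Added illustration of a simplified WEP model; not code from the chapter.
import zlib

def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key`."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):                    # keystream output
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def wep_encrypt(iv: bytes, secret: bytes, payload: bytes) -> bytes:
    """Cleartext IV, then (payload + CRC-32 ICV) XOR RC4(IV + secret)."""
    if len(iv) != 3 or len(secret) not in (5, 13):   # 24-bit IV, 40/104-bit key
        raise ValueError("bad IV or key length")
    data = payload + zlib.crc32(payload).to_bytes(4, "little")
    return iv + xor(data, rc4(iv + secret, len(data)))

def keystream_from_known(frame: bytes, known_payload: bytes) -> bytes:
    """Keystream exposed when one frame's payload is predictable."""
    return xor(frame[3:], known_payload)

def read_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Recover a second frame sent under the same IV, without the key."""
    return xor(frame[3:], keystream)

def hours_to_exhaust_ivs(frames_per_second: float) -> float:
    """Hours until a 24-bit IV space is used up at the given frame rate."""
    return 2 ** 24 / frames_per_second / 3600

# Constructed values for the demonstration.
SECRET = bytes.fromhex("0102030405")             # 40-bit key
IV = bytes.fromhex("aabbcc")                     # the IV that gets reused
KNOWN = b"DHCPDISCOVER sample payload.."         # predictable traffic
OTHER = b"user=alice;pin=4921;note=test"         # same length as KNOWN

if __name__ == "__main__":
    f1, f2 = wep_encrypt(IV, SECRET, KNOWN), wep_encrypt(IV, SECRET, OTHER)
    print(read_with_keystream(f2, keystream_from_known(f1, KNOWN)))
    print(f"{hours_to_exhaust_ivs(1000):.2f} hours at 1000 frames/s")
```

Changing the static key does not help within a key's lifetime: any two frames under the same key and IV have this property, which is why per-session keys and a larger IV space matter.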
The final stake in the heart of WEP is the fact that it uses RC4 as the encryption algorithm. The RC4 algorithm is well known and recently it was discovered that it uses a number of weak keys. AirSnort and WEPCrack are two well-known open-source tools that exploit the weak key vulnerability of WEP.
Although WEP is not secure, it does nonetheless potentially provide a good barrier, and its use will slow down determined and knowledgeable attackers. WEP should always be implemented. The security of WEP is also dependent on how it is implemented. Because the IV key space can be exhausted in a relatively short amount of time, static WEP keys should be changed on a frequent basis.
The response to the weaknesses in WEP is the use of Wi-Fi Protected Access (WPA) that has a longer IV, a stronger algorithm, and a longer key. The use of WPA over WEP is suggested.
The best defense for a wireless network involves the use of multiple security mechanisms to provide multiple barriers that will slow down attackers, making it easier to detect and respond to attacks. This strategy is known as defense-in-depth.
Securing a wireless network should begin with changing the default configurations of the wireless network devices. These configurations include the default administrative password and the default SSID on the AP.
The SSID is a kind of network name, analogous to an SNMP community name or a VLAN ID. In order for the wireless clients to authenticate and associate with an AP, they must use the same SSID as the one in use on the AP. It should be changed to a unique value that does not contain any information that could potentially be used to identify the company or the kind of traffic on the network.
By default, SSIDs are broadcast in response to beacon probes and can be easily discovered by site survey tools such as NetStumbler and Windows XP. It is possible to turn off SSID on some APs. Disabling SSID broadcasts creates a closed network. If possible, SSID broadcasts should be disabled, although this will interfere with the ability of Windows XP to automatically discover wireless networks and associate with them. However, even if SSID broadcasts are turned off, it is still possible to sniff the network traffic and see the SSID in the frames.
Wireless clients can connect to APs using either open system or shared key authentication. Although shared key authentication provides protection against some denial of service (DoS) attacks, it creates a significant vulnerability for the WEP keys in use on the network and should not be used.
MAC filtering is another defensive tactic that can be employed to protect wireless networks from unwanted intrusion. Only the wireless stations that possess adaptors that have valid MAC addresses are allowed to communicate with the AP. However, MAC addresses can be easily spoofed and maintaining a list of valid MAC addresses may be impractical in a large environment.
A much better way of securing WLANs is to use 802.1x. 802.1x was originally developed to provide a method for port-based authentication on wired networks. However, it was found to have significant application in wireless networks. With 802.1x authentication, a supplicant (a wireless workstation) has to be authenticated by an authenticator (usually a RADIUS server) before access is granted to the network itself. The authentication process takes place over a logical uncontrolled port that is used only for the authentication process. If the authentication process is successful, access is granted to the network on the logical controlled port.
802.1x relies on Extensible Authentication Protocol (EAP) to perform the authentication. The preferred EAP type for 802.1x is EAP-TLS. EAP-TLS provides the ability to use dynamic per user, session-based WEP keys, eliminating some of the more significant vulnerabilities associated with WEP. However, to use EAP-TLS, you must deploy a Public Key Infrastructure (PKI) to issue digital X.509 certificates to the wireless clients and the RADIUS server.
Other methods that can be used to secure wireless networks include placing wireless APs on their own subnets in wireless DMZs (WDMZ). The WDMZ can be protected from the corporate network by a firewall or router. Access to the corporate network can be limited to VPN connections that use either PPTP or L2TP.
New security measures continue to be developed for wireless networks. Future security measures include TKIP and Message Integrity Code (MIC). This section should be a summary of what was presented in the chapter, but actually talks about several new concepts that were not covered throughout the chapter.
EXAM OBJECTIVES FAST TRACK
Radio Frequency and Antenna Behaviors and Characteristics
■ Gain occurs when a signal has its strength increased, such as by passing it through an amplifier.
■ Loss is the exact opposite of gain and occurs when a signal has its strength decreased, either intentionally through the use of a device such as an attenuator or unintentionally such as through resistance losses in a cable.
■ Reflection occurs when an electromagnetic RF wave has impacted upon a surface that has a much larger cross section than that of the wave itself.
■ When a wave is refracted, it passes through a medium and changes course with some of the original wave being reflected away from the original wave’s path.
■ Absorption results when an electromagnetic wave has impacted an object that does not pass it on through any means (reflection, refraction, or diffraction).
■ When an incoming electromagnetic wave hits a surface that is small compared to its wavelength, scattering will occur.
■ The Fresnel Zone is an elliptical region extending outward from the visual LOS that can cause signal loss through reflection, refraction, and scattering.
Wireless Network Concepts
■ The most predominant wireless technologies consist of Wireless Access Protocol (WAP) and IEEE 802.11 Wireless LAN.
■ Wireless Equivalent Privacy (WEP) is the security method used in IEEE 802.11 WLANs and WTLS provides security in WAP networks.
■ WEP provides for two key sizes: 40-bit and 104-bit secret keys. These keys are concatenated to a 24-bit IV to provide either a 64 or 128-bit key for encryption.
■ WEP uses the RC4 stream algorithm to encrypt its data.
■ 802.11 networks use two types of authentication: open system authentication and shared key authentication.
■ There are two types of 802.11 network modes: ad-hoc and infrastructure. Ad-hoc 802.11 networks are peer-to-peer in design and can be implemented by two clients with wireless network cards. The infrastructure model of 802.11 uses APs to provide wireless connectivity to a wired network beyond the AP.
■ To protect against some rudimentary attacks that insert known text into the stream to attempt to reveal the key stream, WEP