Ethical Hacking: Wireless Network Security Standards
By Mike Danseglio
Watch these Ethical Hacking videos, and you’ll understand skills like network sniffing, wireless security, hijacking, and more. With these tactics of ethical hacking you’ll learn security techniques through the mind of an attacker.
As I previously mentioned, there are a lot of standards in the wireless network security arena, and I want to explain a few of them to you. I will not explain them in extraordinary depth, because we could probably spend several days on a couple of these, but in enough depth that you understand the weak spots. Once you understand the exploit potential, your attacks will certainly be a lot easier and your profiling a lot quicker. First, open wireless networking.
Open Wireless Networking
Open wireless networking is just what it sounds like: any client can connect. Generally speaking, any client can access data, use the Internet and reach the back-end network.
This is not really common in any enterprise or even in most homes, but it is common in places like coffee shops, restaurants or airport lounges. Oftentimes those will actually have portal-based authentication on the back end, but that’s pretty weak security as well. You will see in a moment how that actually works.
Wired Equivalent Privacy
The first big network standard for wireless security was WEP, or Wired Equivalent Privacy. WEP was designed specifically to be roughly equivalent to wired networking, hence the name, but it had a lot of flaws. One of the most notable flaws allows pretty quick and pretty easy brute force attacks.
WPA and WPA2
A few years ago, WiFi Protected Access (WPA) and its successor, WPA2, came around.
WPA and WPA2 were designed to be backwards compatible with most devices that implemented WEP, and WPA2 explicitly was backwards compatible with WPA devices. Most of the devices manufactured for WiFi use in the last six or seven years will support all of these standards.
Some older devices, 2005 and before, may require a firmware update or may not work with the newer security standards at all. Sometimes I hear administrators complain that “my devices are not new enough to use WPA2.” Most of the time they actually are: if the devices have been made in the last five or six years, they’re probably going to work just fine with WPA and WPA2.
Because WPA and WPA2, among other things, extended the password size and the cryptographic keys used behind it for data protection, the standards were altered to make it easier for home users and small business users to configure WiFi with similar kinds of high-end security.
Therefore they came up with a standard for WiFi Protected Setup, or WPS. If you’ve ever looked at a wireless access point, you’ve seen a button on the front or on the side for setup.
That button enables WiFi Protected Setup. Essentially it establishes a quick little PIN on both sides of the wireless network, which enables a very strong password on the back end without the user having to remember it and type it in, or an administrator having to deploy it.
So it makes security a little bit more convenient, at the expense that anyone who gets to push that button can bypass almost all security.
On the other hand, we have a couple of bits of WiFi technology that have been around for quite a while. One standard is the service set identifier, or SSID. This is most typically the network name you see when you are running Windows with a wireless network card and it shows you a list of wireless networks. Those names are usually SSIDs.
SSIDs are a friendly name for the network, making it easier for the user to figure out which network to connect to and making it easier for an administrator to configure the wireless client. Not terribly long ago a lot of administrators thought to themselves, “Well, if I disable the SSID from being broadcast, clients running Windows or any other operating system won’t see it pop up on their list, so they’ll never connect to it.” Well, that doesn’t really work, because the SSID is not necessarily a secret and hiding it doesn’t really stop anything from happening.
No wireless attacker worth their salt is going to worry about whether an SSID is being broadcast or not. In fact, all of the attack tools you are going to see work the same whether the SSID is broadcast or not. Disabling SSID broadcast just makes it a touch harder for legitimate users to connect; that is really all it does.
Media Access Control Authentication
Similarly, with Media Access Control (MAC) authentication: just like on a wired network, wireless clients have a MAC address associated with their network device. That’s great, because it helps the network identify which hosts are which and route the traffic appropriately.
Also, like on the wired network, you can spoof MAC addresses in an incredibly easy fashion. In fact, there are command lines for it, there are automatic tools for it, there are scripts for it, and it’s in the interface in Windows. Getting past MAC authentication is a trivial operation.
Maybe 10 or 15 years ago it was a little harder, because you might have had to go into the BIOS or into a configuration setting that was not readily available. But today, wireless MAC authentication is super easy to spoof.
In fact, most hotels and airports and places like that control access to the network by MAC address. They assume that clients will not change their MAC address. An attacker who does change their MAC address to one that looks like it’s already authenticated is pretty much on the network in most cases.
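The hotel and airport case above, where access is granted per MAC address, can at least be watched for the reuse the author describes. As an added example that is not part of the original article, the Python below scans constructed DHCP log lines and flags a MAC that reappears with a different hostname or IP while its earlier lease is still live; the log format, the hostnames and the 3600-second lease length are all assumptions.

```python
"""Added example, not from the article: flag an authorised MAC address that a
second device has adopted on a MAC-controlled (hotel/airport style) network.
Assumed, constructed log format: '<epoch> dhcp mac=<addr> ip=<addr> host=<name>'.
A client is expected to keep its hostname, so the same MAC reappearing with a
different hostname or IP before its lease expires is a lead worth checking
(a legitimate device rename would trigger it too)."""
import re

LEASE_SECONDS = 3600  # assumed lease length for the constructed log
LINE_RE = re.compile(r"^(?P<ts>\d+) dhcp mac=(?P<mac>[0-9a-fA-F:]{17}) "
                     r"ip=(?P<ip>[\d.]+) host=(?P<host>\S+)$")

# Constructed sample log: MAC ...11:22:33 is reused two minutes after the real
# client's lease; MAC ...44:55:66 only renews, then goes to a new device long
# after its lease expired, which is not a conflict.
SAMPLE_LOG = """\
1700000000 dhcp mac=aa:bb:cc:11:22:33 ip=10.0.0.10 host=guest-laptop
1700000060 dhcp mac=aa:bb:cc:44:55:66 ip=10.0.0.11 host=phone
1700000120 dhcp mac=aa:bb:cc:11:22:33 ip=10.0.0.12 host=other-device
1700000500 dhcp mac=aa:bb:cc:44:55:66 ip=10.0.0.11 host=phone
1700001000 dhcp lease-pool exhausted
1700009000 dhcp mac=aa:bb:cc:44:55:66 ip=10.0.0.13 host=tablet
"""

def parse_line(line):
    """Return (ts, mac, ip, host) for a lease line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m["ts"]), m["mac"].lower(), m["ip"], m["host"]

def find_mac_conflicts(log_text, lease_seconds=LEASE_SECONDS):
    """Return (ts, mac, previous_host, new_host) for every lease event in which
    a MAC still under lease reappears with a different hostname or IP."""
    active = {}  # mac -> (ts, ip, host) of its most recent lease
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # ignore non-lease log lines
        ts, mac, ip, host = rec
        prev = active.get(mac)
        if prev and ts - prev[0] < lease_seconds and prev[1:] != (ip, host):
            alerts.append((ts, mac, prev[2], host))
        active[mac] = (ts, ip, host)
    return alerts

if __name__ == "__main__":
    for ts, mac, old, new in find_mac_conflicts(SAMPLE_LOG):
        print(f"{ts}: {mac} leased to {old!r} now requested by {new!r}")
```

Run against a real DHCP export the same way, adjusting LINE_RE and the lease length to the server's format; an alert identifies the MAC and both hostnames so the two sessions can be pulled from the access point logs.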
802.1X Port and Portal-based Authentication
Finally, we have 802.1X, port- and portal-based authentication. This is a more hard-core network security standard and a pretty deep piece of security technology; it’s harder to get around this type of wireless network security. Clients have to prove their identity: they provide authentication and authorization information to the wireless network, which checks it against a back-end server, either a RADIUS server or a Diameter server, to find out whether the client is authorized to be on the wireless network and, if so, whether it is presenting the proper credentials.
That’s fantastic for an administrator. It’s also a nightmare to set up, and most administrators and networks don’t use 802.1X at all, just because of the complexity. It oftentimes requires PKI or some type of enrollment, and it’s actually really difficult to do. Then again, as an administrator, if I were setting up a wireless network, this is the way I would do it, because it’s going to protect against a variety of attacks.
About the Author
Mike Danseglio has worked in the IT field for more than 20 years. He is an award-winning author, public speaker, and instructor on a variety of technology topics including security, virtualization, cloud computing, wireless and wired networking, and IT lifecycle processes. His operations experience includes managing the Xbox LIVE operations team, the largest cloud computing operations team in the world, and consulting on operations efficiency with countless clients around the world. Mike has published several books (including two for O’Reilly) and numerous papers. He is a frequent conference speaker and classroom instructor on IT operations, computer security, and technology frameworks. Mike holds a number of certifications and accreditations including Certified Information Systems Security Professional (CISSP) practitioner and instructor.
Author's Website: http://www.nextdirectiontech.com/