Wireless Security

  • Sample Chapter is provided courtesy of Cisco Press.
  • Date: Jul 16, 2004.

Chapter Description

Tom M. Thomas explains the basics of setting up security for a wireless network. He warns technicians of the various ways in which a wireless network can be breached, and provides help in protecting against those attacks.

From the Book

Network Security First-Step

Wireless Security

You might be wondering why someone would want to use a wireless connection with all the insecurities that seem to go along with it. All is not lost, thanks to something known as Wired Equivalent Protocol, or is it Wireless Encryption Protocol—or it might even be Wired Equivalent Privacy. There seems to be some debate over exactly what WEP stands for among "industry experts." Regardless of how you spell or say it, WEP is an encryption algorithm that can be invoked to encrypt the transmissions between the wireless user and his wireless access point (WAP).

From its inception, the 802.11b standard was not meant to contain a comprehensive set of enterprise level security tools. Still, the standard includes some basic security measures that can be employed to help make a network more secure. With each security feature, the potential exists for making the network either more secure or more open to attack.

Working on the layered defense concept, the following sections look first at how a wireless device connects to an access point and how you can apply security at the first possible point.

Service Set Identifier (SSID)

By default, the access point broadcasts the SSID every few seconds in beacon frames. Although this makes it easy for authorized users to find the correct network, it also makes it easy for unauthorized users to find the network name. This feature is what allows most wireless network detection software to find networks without having the SSID upfront.

SSID settings on your network should be considered the first level of security and should be treated as such. In its standards-adherent state, SSID might not offer any protection against who gains access to your network, but configuring your SSID to something not easily guessable can make it more difficult for intruders to know what exactly they are seeing.

If you have your SSID configured to be any of the defaults cited in Table 8-1, you should change the SSID immediately.

Table 8-1 Default Wireless SSIDs

Manufacturer        Default SSID
------------------  ------------------------
3Com                101, comcomcom
Addtron             WLAN
Cisco               Tsunami, WaveLAN Network
Compaq              Compaq
Dlink               WLAN
Intel               101, 195, xlan, intel
Linksys             Linksys, wireless
Lucent/Cabletron    RoamAbout
NetGear             Wireless
SMC                 WLAN
Symbol              101
Teletronics         any
Zcomax              any, mello, Test
Zyxel               Wireless
Others              Wireless


A complete listing of manufacturers' SSIDs and even other networking equipment default passwords can be found at http://www.cirt.net/. As you can see, the SSIDs are readily available on the Internet, so it is a good idea to turn off SSID broadcasting as your first step.

Device and Access Point Association

Before any other communications take place between a wireless client and a wireless access point, the two must first begin a dialogue. This process is known as associating. When 802.11b was designed, the IEEE added a feature to allow wireless networks to require authentication immediately after a client device associates with the access point, but before the access point transmission occurs. The goal of this requirement was to add another layer of security. This authentication can be set to either shared key authentication or open key authentication.

You need to use open key authentication because shared key is flawed; although that is counter-intuitive, this recommendation is based on the understanding that other encryption will be used.

Wired Equivalent Privacy (WEP)

There is a lot of misconception surrounding WEP, so let's clear that up right away. WEP is not, nor was it ever meant to be, a security algorithm. WEP was never designed to protect your data from script kiddies or from more intelligent attackers who want to discover your secrets. WEP is not designed to repel; it simply makes sure that you are not less secure because you are not keeping your data in a wire. The problem occurs when people see the word "encryption" and make assumptions. WEP is designed to make up for the inherent insecurity in wireless transmission, as compared to wired transmission. WEP makes your data as secure as it would be on an unencrypted, wired Ethernet network. That is all it is designed to do, period; now your misconceptions are gone and you can move on. WEP can be typically configured in three possible modes:

  • No encryption mode

  • 40-bit encryption

  • 128-bit encryption

WEP is an optional, agreed-upon encryption standard that is configured before the wireless user's connection to the WAP. After it is configured on both the WAP and the user's end, all communications sent through the air are encrypted, thereby providing a secure link that is reasonably difficult to break, although recently developed hacker tools are gaining ground on this front. A side benefit of using WEP is that users wanting to connect to a WAP using WEP must have it enabled previously on their machine and have the "passphrase" or "key" that is shared between the end user and access point.

Wired Equivalent Privacy (WEP) was intended to give wireless users the security equivalent of being on a wired network. With WEP turned on, each packet transmitted from an access point to a client device is first encrypted by taking the packet's data and a secret 40-bit number and passing them both through an encryption algorithm called RC4. The resulting encrypted packet is then transmitted to the client device. When the client device receives the WEP encrypted packet, it uses the same 40-bit number to pass the encrypted data through the RC4 algorithm backward, resulting in the client receiving the data. Of course, this process occurs in reverse when a client device is transmitting data to an access point. The encryption key used in this example was 40-bit, but 128-bit is also supported and, given the misconceptions and flaws with WEP, it is recommended that you always use the 128-bit encryption because it is better than 40-bit.

WEP Limitations and Weaknesses

WEP protects the wireless traffic by combining the "secret" WEP key with a 24-bit number (Initialization Vector, or IV), randomly generated, to provide encryption services. The 24-bit IV is combined with either the 40-bit or 104-bit WEP pass phrase to give you a possible full 128 bits of encryption strength and protection—or does it? There are a few issues surrounding the flawed current implementation of WEP:

  • WEP's first weakness is the straightforward numerical limitation of the 24-bit Initialization Vector (IV), which results in 16,777,216 (2^24) possible values. This might seem large, but you know from discussions in Chapter 4, "Security Protocols," that this number is deceiving. The problem with this small number is that eventually the values and thus the keys start repeating themselves; this is how attackers can crack the WEP key.

  • The second weakness is that of the possible 16 million values, not all of them are good. For example, the number 1 would not be very good. If an attacker can use a tool to find the weak IV values, the WEP can be cracked.

  • WEP's third weakness is the difference between the 64-bit and 128-bit encryption. Perception would indicate that the 128-bit should be twice as secure, right? Wrong. Both levels still use the same 24-bit IV, which has inherent weaknesses. Therefore, if you think going to 128-bit is more secure, in reality, you will gain absolutely no increase in the security of your network.

Of course, freely available tools can accomplish all these things and are ready for the attackers to download and use as discussed in the section, "Essentials First: Wireless Hacking Tools," later in the chapter. Using WEP is better than nothing; however, layering the security of any part of your network is the key to safety and security, as has been established in all earlier chapters. Extensible Authentication Protocol (EAP) is the next level of security and is discussed in the correspondingly titled section.
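The IV limitation in the first and third bullets, as an added example that is not from the book: a minimal WEP-style RC4 wrapper (the CRC-32 integrity value is left out) showing that two frames sent under the same IV expose the XOR of their plaintexts whether the secret is 40 or 104 bits, plus the birthday estimate of how soon randomly chosen 24-bit IVs repeat. The keys, IVs and payloads are constructed sample values.

```python
import math

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS  # 16,777,216 possible IVs, independent of key length


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling, then `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, secret_key: bytes, payload: bytes) -> bytes:
    """Per-frame RC4 key is IV || secret; the IV travels in the clear.
    XOR is its own inverse, so the same call also decrypts."""
    if len(iv) * 8 != IV_BITS:
        raise ValueError("WEP IV must be 24 bits")
    return xor(payload, rc4_keystream(iv + secret_key, len(payload)))


def leaks_on_iv_reuse(secret_key: bytes, iv_a: bytes, iv_b: bytes) -> bool:
    """True if an observer of both ciphertexts learns p1 XOR p2."""
    p1 = b"constructed frame #1: hello"
    p2 = b"constructed frame #2: world"
    c1 = wep_encrypt(iv_a, secret_key, p1)
    c2 = wep_encrypt(iv_b, secret_key, p2)
    return xor(c1, c2) == xor(p1, p2)


def frames_until_repeat(probability: float = 0.5) -> int:
    """Birthday approximation: frames with random IVs sent before two of
    them share an IV with the given probability."""
    return math.ceil(math.sqrt(2 * IV_SPACE * math.log(1 / (1 - probability))))


KEY_40 = bytes.fromhex("0a1b2c3d4e")                   # constructed 40-bit secret
KEY_104 = bytes.fromhex("0a1b2c3d4e5f60718293a4b5c6")  # constructed 104-bit secret

if __name__ == "__main__":
    iv = bytes.fromhex("a1b2c3")
    print("40-bit key, IV reused :", leaks_on_iv_reuse(KEY_40, iv, iv))
    print("104-bit key, IV reused:", leaks_on_iv_reuse(KEY_104, iv, iv))
    print("104-bit key, fresh IV :",
          leaks_on_iv_reuse(KEY_104, iv, bytes.fromhex("a1b2c4")))
    print("frames for a 50% chance of a repeated IV:", frames_until_repeat())
```

The repeat estimate depends only on the 24-bit IV, so it is identical for both key sizes.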

MAC Address Filtering

MAC address filtering is another way people have tried to secure their networks over and above the 802.11b standards. A network card's MAC address is a 12-digit hexadecimal number that is unique to each and every network card in the world. Because each wireless Ethernet card has its own individual MAC address, if you limit access to the AP to only those MAC addresses of authorized devices, you can easily shut out everyone who should not be on your network.

However, MAC Address filtering is not completely secure and, if you solely rely upon it, you will have a false sense of security. Consider the following:

  • Someone will have to keep a database of the MAC address of every wireless device in your network. If there are only 10–20 devices, it is not a problem. However, if you must keep track of hundreds of MAC addresses, this will become a nightmare quickly.

  • MAC addresses can be changed, so a determined attacker can use a wireless sniffer to figure out a MAC address that is allowed through and set his PC to match it so that it is considered valid. Note that encryption takes place at about Layer 2, so MAC addresses will still be visible to a packet sniffer.

Extensible Authentication Protocol (EAP)

802.1X is a standard regarding port level security that the IEEE ratified. This ratification was initially intended to standardize security on wired network ports, but it was also found to be applicable to wireless networking. Extensible Authentication Protocol (EAP) is a Layer 2 (MAC address layer) security protocol that exists at the authentication stage of the security process and, coupled with the security measures discussed thus far, provides a third and final layer of security for your wireless network. Using 802.1X, when a device requests access to the AP, the following steps occur with EAP:

  1. The access point requests authentication information from the client.

  2. The user then supplies the requested authentication information.

  3. The AP then forwards the client-supplied authentication information to a standard RADIUS server for authentication and authorization.

  4. Upon authorization from the RADIUS server, the client is allowed to connect and transmit data.

The four EAP methods commonly in use today are

  • EAP-MD5

  • EAP-Cisco Wireless (also known as LEAP)

  • EAP-TLS

  • EAP-TTLS

The following sections provide a quick overview of each EAP method.

EAP-MD5

EAP-MD5 relies on an MD5 hash of a username and password to pass authentication information to the RADIUS server. EAP-MD5 offers no key management or dynamic WEP key generation, thus requiring the use of static WEP keys. This version of EAP does have some limitations:

  • Because there is no dynamic WEP key generation available, the added use of EAP provides no increased security over WEP. Attackers can still sniff your airborne traffic and decrypt the WEP key.

  • EAP-MD5 does not provide a means for the client device to ensure that it is transmitting to the proper access point. A client could erroneously transmit to a rogue access point.

Because EAP-MD5 offers no other features over the standard 802.1X, EAP-MD5 is considered the least secure of all the common EAP standards.

LEAP (EAP-Cisco)

EAP-Cisco Wireless, or LEAP as it is more commonly known, is a standard developed by Cisco in conjunction with the 802.1X standard and is the basis for much of the ratified version of EAP. Like EAP-MD5, LEAP accepts a username and password from the wireless device and transmits them to the RADIUS server for authentication. Cisco added additional support beyond what the standard required, resulting in several security benefits as follows:

  • LEAP authenticates the client; one-time WEP keys are dynamically generated for each client connection. This means that every client on your wireless network is using a different dynamically generated WEP key that no one knows—not even the user.

  • LEAP supports a RADIUS feature called session timeouts, which requires clients to log in again every few minutes. Fortunately, this is all handled without the user having to do anything. Couple this feature with dynamic WEP keys, and your WEP keys will change so often that attackers will not be able to determine the key in time.

  • LEAP conducts mutual authentication from client-to-access point and access point-to-client; this stops attackers from introducing rogue access points into your network.

There is presently a single known limitation to running LEAP:

  • MS-CHAPv1 is used for both the client and access point authentication and is known to have vulnerabilities.

NOTE

Not everyone has a RADIUS server that is ready to utilize LEAP; however, Cisco access points can be configured with a feature called local AAA Authentication on a per user basis. This allows the user database to reside in the AP instead of RADIUS and works well if you have only a limited number of users.

EAP-TLS

Microsoft developed EAP-TLS, which is outlined in RFC 2716. Instead of username/password combinations, EAP-TLS uses X.509 certificates to handle authentication. EAP-TLS relies on transport layer security to pass PKI information to EAP. Like LEAP, EAP-TLS offers the following:

  • Dynamic one-time WEP key generation

  • Mutual authentication

The drawbacks of EAP-TLS include the following:

  • PKI is required to use EAP-TLS; however, most companies do not deploy PKI.

  • Microsoft Active Directory with a certificate server can be used; however, change is difficult in this model.

  • If you are using Open LDAP or Novell Directory Services, you need a RADIUS server; again, not everyone has immediate access to one.

  • If you have implemented PKI using VeriSign certificates, all the fields required by EAP-TLS are not present.

Unless you are ready to follow the implementation of EAP-TLS exactly as Microsoft has laid it out, you should probably look for another method.

EAP-TTLS

Funk Software (http://www.funk.com/) pioneered EAP-TTLS as an alternative to EAP-TLS. The wireless access point still identifies itself to the client with a server certificate, but the users now send their credentials in username/password form. EAP-TTLS then passes the credentials in any number of administrator specified challenge-response mechanisms (PAP, CHAP, MS-CHAPv1, MS-CHAPv2, PAP/Token Card, or EAP). The only challenges to EAP-TTLS are

  • It is slightly less secure than the dual certificates of EAP-TLS

  • The upcoming standard developed by Microsoft and Cisco that works exactly the same way—Protected EAP (PEAP)

Increasing Wireless Security

As discussed, there are some possible means of securing your wireless network beyond WEP. It is unlikely, however, that anyone has a RADIUS server ready and waiting to be used; therefore, you need to identify steps you can take immediately to increase the security of your wireless network. The attention on the pitfalls of wireless LANs has inspired some organizations to ban wireless LANs altogether. However, security-conscious organizations are fortifying their wireless LANs with a layered approach to security that includes the following:

  • Putting the wireless network behind its own routed interface so you can shut off access at a single choke point if necessary

  • Discovery of rogue access points and potential associated vulnerabilities

  • Physical and logical access point security to ensure that someone cannot walk up to an access point and alter its configuration without your knowledge

  • Changing the SSID and then picking a random SSID that gives away nothing about your company or network

  • Disabling active SSID broadcasting

  • Rotating your broadcast keys every ten minutes or less

  • Encryption and authentication, which might include a virtual private network over wireless

  • Using 802.1X for key management and authentication

  • Looking over the available EAP protocols and deciding which is right for your environment

  • Setting the session to time out every ten minutes or less

  • Establishing and enforcing wireless network security policies

  • Implementing proactive security measures that include intrusion protection

As shown in Figure 8-6, these steps and recommendations can be illustrated as a phased approach, which enforces the concept of first knowing what the vulnerabilities are and moving forward from that point.

Figure 8-6 Stages of Securing Your Wireless Network
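Several items in the list above can be checked mechanically. The following added example (not from the book) audits an access point's settings against them; the `ApConfig` fields, the finding codes and both sample configurations are hypothetical, and the default-SSID set is taken from Table 8-1.

```python
from dataclasses import dataclass
from typing import Optional

# Default SSIDs listed in Table 8-1, lower-cased for case-insensitive matching.
DEFAULT_SSIDS = {
    "101", "comcomcom", "wlan", "tsunami", "wavelan network", "compaq",
    "195", "xlan", "intel", "linksys", "wireless", "roamabout",
    "any", "mello", "test",
}
MAX_INTERVAL_S = 600  # "every ten minutes or less"


@dataclass
class ApConfig:
    """Hypothetical, vendor-neutral view of one access point's settings."""
    ssid: str
    broadcast_ssid: bool
    auth_mode: str                    # "open" or "shared"
    wep_key_bits: int                 # 0 (off), 40 or 128
    eap_method: Optional[str]         # None, "EAP-MD5", "LEAP", "EAP-TLS", "EAP-TTLS"
    key_rotation_s: Optional[int]     # None = keys never rotate
    session_timeout_s: Optional[int]  # None = sessions never time out


def audit(cfg: ApConfig, org_keywords=()) -> list:
    """Return (code, message) findings for settings the chapter advises against."""
    findings = []
    ssid = cfg.ssid.strip().lower()
    if ssid in DEFAULT_SSIDS:
        findings.append(("default-ssid", f"SSID {cfg.ssid!r} is a vendor default"))
    elif any(k.lower() in ssid for k in org_keywords):
        findings.append(("revealing-ssid", f"SSID {cfg.ssid!r} names the organization"))
    if cfg.broadcast_ssid:
        findings.append(("ssid-broadcast", "SSID broadcasting is enabled"))
    if cfg.auth_mode == "shared":
        findings.append(("shared-key-auth", "shared key authentication is flawed; use open plus other encryption"))
    if cfg.wep_key_bits == 0:
        findings.append(("no-encryption", "WEP is in no-encryption mode"))
    elif cfg.wep_key_bits < 128:
        findings.append(("short-wep-key", "128-bit WEP is recommended over 40-bit"))
    if cfg.eap_method is None:
        findings.append(("no-8021x", "no 802.1X/EAP authentication configured"))
    elif cfg.eap_method == "EAP-MD5":
        findings.append(("eap-md5", "EAP-MD5: static WEP keys, no check against rogue APs"))
    if cfg.key_rotation_s is None or cfg.key_rotation_s > MAX_INTERVAL_S:
        findings.append(("key-rotation", "keys are not rotated every ten minutes or less"))
    if cfg.session_timeout_s is None or cfg.session_timeout_s > MAX_INTERVAL_S:
        findings.append(("session-timeout", "sessions do not time out every ten minutes or less"))
    return findings


def finding_codes(cfg: ApConfig, org_keywords=()) -> list:
    return [code for code, _ in audit(cfg, org_keywords)]


# Constructed sample configurations: out-of-the-box versus hardened.
WEAK = ApConfig("tsunami", True, "shared", 40, "EAP-MD5", None, None)
HARDENED = ApConfig("k7q2-xvn9", False, "open", 128, "LEAP", 300, 600)

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name)
        for code, message in audit(cfg) or [("ok", "no findings")]:
            print(f"  [{code}] {message}")
```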



