CWSP Notes

CWSP Notes

CH1: Security Fundamentals

Objectives:

3.1 – Describe how wireless network security solutions may vary for different wireless network implementations including small businesses, home offices, large enterprises, public networks and remote access.

Stages of Wireless Security

WLAN installation should be designed with a secure foundation that provides Confidentiality, Integrity, and Authentication.

WEP – Wired Equivalent Privacy – 40-bit or 104-bit key to protect from casual eavesdropping

Also used 24-bit initialization vector

802.11i (2004) rolled into 802.11-2012 standard provided the concept of robust security network association (RSNA).  An RSNA is defined as an association between a pair of stations (STAs) which includes a 4-way handshake between the STAs.  

STA – logical entity that is a singly addressable instance of a medium access control and physical layer interface to the wireless medium

Pre-RSNA – allow WEP cipher suite using RC4 for data confidentiality, 802.11 Open System or Shared Key authentication methods, and a single, weak Integrity Check Value (ICV) algorithm

IEEE 802.11-2012 defines two classes of security algorithms: Robust Security Networks and Pre-RSNA networks

IEEE 802.11-2012 standard RSNA

  • Enhanced authentication mechanisms for STAs
  • Key management (generation and distribution) algorithms
  • Strong cryptographic key establishment
  • Enhanced data cryptographic encapsulation mechanisms, such as Counter mode with Cipher-block chaining Message authentication code Protocol (CCMP)
  • An optional data cryptographic encapsulation mechanism, Temporal Key Integrity Protocol (TKIP)
  • Fast basic service set (BSS) transition (FT) mechanism
  • Enhanced cryptographic encapsulation mechanisms for robust management frames

Transitional security network (TSN) is identified by the indication in the robust security network information element (RSN-IE or RSNE) of Beacon frames in which the group cipher suite in use is WEP.

CWNA Security Review

IEEE 802.11 Open System Authentication

Open System authentication consists of two 802.11 management frames.  These frames are not a request and response but merely identified as Authentication.  

IEEE 802.11 Shared Key Authentication

Defined in original 802.11 standard in 1997 as a way to provide both 802.11 authentication and data encryption which was accomplished through WEP.  Uses four management frames with a challenge key sent in plain or clear text in the second frame

Wi-Fi Protected Access (WPA) and WPA2

Wi-Fi Alliance created a pre-802.11i certification known as Wi-Fi Protected Access (WPA).  

WPA Personal Mode – passphrase can be a maximum of 63 ASCII characters in length. From the passphrase that is entered into the device, an algorithm is used to create a 256-bit pre-shared key.  Uses TKIP/RC4 as the encryption cipher methods

WPA2 Personal Mode

Provided the capability of using a stronger method to secure 802.11 wireless networks.  WPA2 can use CCMP/AES as the encryption and cipher methods but allows for TKIP/RC4 for backward compatibility for 

older devices.

WPA- and WPA2-Personal can be cracked with offline dictionary attacks if two things are true: a weak passphrase is used and the 4-way handshake can be captured.

WPA and WPA2 enterprise mode is a more robust method of securing enterprise networks.  Uses 802.1X which provides port based access control and Extensible Authentication Protocol (EAP).  User-based access control and provides better authentication method. The same encryption and ciphers are used as in personal mode, TKIP/RC4 and CCMP/AES; however the key generation and implementation process is what makes the difference.

Institute of Electrical and Electronics Engineers (IEEE) – nonprofit organization responsible for generating a variety of technology standards, including those related to information technology.  World’s largest technical professional society. WLAN standards since 1997 includes 802.1X

Wi-Fi Alliance – created to promote the technology and to provide interoperability testing of WLAN equipment.

Internet Engineering Task Force (IETF) – responsible for creating Internet standards and promoting Internet technology and usage.  A Request for Comments (RFC) is a document created by engineers and scientists and designed to define innovation and technology that works with the internet.  RFC’s include RADIUS, EAP, and IPSec

Wi-Fi Alliance’s security testing includes WPA-Personal, WPA-Enterprise, WPA2-Personal, WPA2-Enterprise, Wi-Fi Protected Setup (WPS), and many different EAP types.

In addition to these certifications, Voice-Enterprise defines the requirements for voice quality, mobility, power save mechanisms and of course wireless security.

http://www.wi-fi.org/search_products.php

Cipher Suite – A set of one or more algorithms designed to provide data confidentiality, data authenticity or integrity, and/or replay protection

Encryption – To alter a data stream using a secret code or algorithm so as to be unintelligible to unauthorized parties.

Defense-in-depth or layered security – network resources are properly secured

Best practices for devices connecting to public Wi-Fi:

  • Use VPN connection
  • Secure all login accounts with strong passwords
  • Ensure firewall software is installed, enabled, properly configured, and up-to-date
  • Ensure anti-virus software is installed, enabled, and up-to-date
  • Ensure OS is patched and all service packs are installed
  • Secure any open file system shares that may be enabled
  • Disable file and print sharing features if not needed or used

The simplest method of acquiring user account information at a public hotspot is to use social engineering or eavesdropping.  Shoulder surfing is a common method for acquiring such credentials. Additionally, an Evil Twin AP could be configured to capture credentials from a rogue captive portal (also called Wi-Fi Phishing).

The Application Layer

Interface to the user.  Internet web browsers and file transfer programs reside.

Protocols (HTTP, FTP, POP, SNMP)

The Network Layer

Two common types of VPN protocols are:

  • Point-to-Point Tunneling Protocol (PPTP)
  • Layer 2 Tunneling Protocol (L2TP)

PPTP is considered legacy.

L2TP provides only a tunneling mechanism.  With L2TP, the most common choice of encryption is Internet Protocol Security (IPSec), which provides authentication and encryption for each IP packet in a data stream.

The Data Link Layer

The MAC sub-layer header info cannot be encrypted, so encryption must occur within the data payload of the data frames that traverse the air.  Layer 2 security includes WEP, TKIP/RC4, CCMP/AES, and IEEE 802.1X/EAP.

802.11w-2009 introduced management frame protection.  This does not encrypt the MAC headers of frames and only applies to certain management frames.  The only frames protected are deauthentication, disassociation, and robust action frames.  

The Physical Layer

Vulnerabilities include eavesdropping on unsecured communications, and causing intentional RF interference (known as jamming).

Security Analysis Basics

Attack Surface – inclusive of all areas that can potentially be attacked.  Wireless entry and wired entry

To prevent wireless attacks best practices include user training, using encryption, and securing the administration interface.  802.1X and EAP 

Data Flow analysis is the analysis of data as it enters, traverses, and is removed from your network.  For wireless security, the focus is on the flow of data from four perspectives: the data entry point, network traversal, live storage points, and backup storage points.

Three basic levels of data sensitivity: Public, Private, Highly private

CH2: Wireless Security Challenges

Objectives:

1.1 – Describe general network attacks common to wired and wireless networks, including DoS, phishing, protocol weaknesses and configuration error exploits.

1.2 – Recognize common attacks and describe their impact on WLANs, including PHY and MAC DoS, hijacking, unauthorized protocol analysis and eavesdropping, social engineering, man-in-the-middle, authentication and encryption cracks and rogue hardware.

1.5 – Explain and demonstrate the security vulnerabilities associated with public access or other unsecured wireless networks, including the use of a WLAN for spam transmission, malware injection, information theft, peer-to-peer attacks and Internet attacks.

WLAN Discovery: Passive

Passive discovery uses Beacon management frames which are transmitted at regular intervals usually every 100 time units where one time unit is equal to 1,024us.  The average beacon interval is 100 times 1,024us or approximately 100ms. Beacon management frames contain a frame body which includes fixed fields and information elements including security information elements.

Devices certified for WPA will include a WPA information element which identifies supported security features including the authentication methods, passphrase or 802.1X/ EAP and the encryption type which is TKIP and RC4 stream cipher.

Devices that are certified for WPA2 will include a RSN information element which identifies the supported security features including the authentication methods, passphrase or 802.1X/ EAP, and the encryption type which is Counter Mode Cipher Block Chaining Message Authentication Code Protocol, Counter Mode CBC-MAC (CCMP) and the Advanced Encryption Standard (AES) block cipher.  

The Beacon management frame includes the following basic information of interest to attackers:

  • Capability Information – info related to operational modes, BSS or IBSS and other capabilities
  • SSID – name of the BSS/ESS
  • Supported Rates – list of rates supported and further expanded by the Extended Supported Rates field
  • RSN-IE – Shows the security capabilities of the network from a robust security perspective

WLAN Discovery: Active

Active scanning uses a Probe Request management frame (by clients) and a Probe Response management frame (by AP).  Probe Request and Response frames contain a frame body with fixed fields and information elements. Some of the info with Probe Request frames is the SSID, supported rates and extended supported rates.  Probe Response frame contains SSID, supported rates, security related info such as WPA and RSN information elements. The Probe Response frame is a directed management frame and is sent to the MAC address of the device that sent the request.

*************************************************************************************

When using a spectrum analyzer to locate rogue devices, look at the amplitude of the energy in the FFT view.  When using a protocol analyzer to locate rogue devices, use the signal strength value in frames from the target devices.

************************************************************************************

Wardriving is the term used to describe the act of performing a mass WLAN discovery activity while logging the discovered AP location information to a file for later analysis.  

Network scanning applications

InSSIDer – Wi-Fi discovery application

Kismet – listen only RF monitor mode, Linux-based

NetStumbler – issue probe requests to APs

Public Access Wi-Fi Databases:

Some attacks that may be common with both wired and wireless networks include:

  • Denial of Service (DoS) attacks
  • Phishing attacks
  • Protocol weaknesses
  • Configuration error exploits

SSID Hiding removes the information found in the SSID information element from Beacon management frames and Probe Response frames sent from the AP.

SSID Field is included in:

  • Beacon Management Frames
  • Probe Request
  • Probe Response
  • Association Request
  • Reassociation Request

From IEEE 802.11-2012:

8.2.4.3.4 BSSID field

“The Value of all 1s is used to indicate the wildcard BSSID.  The wildcard value is not used in the BSSID field except where explicitly permitted in this standard.”

10.1.4.3.2 Sending a probe response

“STAs, subject to criteria below, receiving Probe Request frames shall respond with a probe response only if

The Address 1 field in the probe request is the broadcast address or the specific MAC address of the STA, and either item b) or item c) below.

The STA is a mesh STA and the Mesh ID in the probe request is the wildcard Mesh ID or the specific Mesh ID of the STA.

The STA is not a mesh STA and

The SSID in the probe request is the wildcard SSID, the SSID in the probe request is the specific SSID of the STA, or the specific SSID of the STA is included in the SSID List element, and

The Address 3 field in the probe request is the wildcard BSSID or the BSSID of the STA.

“Probe Response frames shall be sent as directed frames to the address of the STA that generated the probe request.  The SSID List element shall not be included in a Probe Request frame in an IBSS.”

MAC address spoofing is the process of altering a MAC address in an attacker’s computer so that it matches a valid MAC address on the network.  Several MAC Spoofing utilities are freely available, including: SMAC, MAC Makeup, A-MAC Address, Nmap, Systems Lizard

MAC addresses may also be reset with simple tools that are available by default on most computer OSs

Linux: ifconfig eth0 hw ether 03:a0:04:d3:00:11

FreeBSD: ifconfig bge0 link 03:a0:04:d3:00:11

From IEEE 802.11-2012:

11.2.3.2 Open System authentication

Open System authentication is a null authentication algorithm.  Any STA requesting Open System authentication may be authenticated if dot11AuthenticationAlgorithm at the recipient STA is set to Open System authentication.  A STA may decline to authenticate with another requesting STA. Open System authentication is the default authentication algorithm for pre-RSNA equipment.

Open System authentication utilizes a two-message authentication transaction sequence.  The first message asserts identity and requests authentication. The second message returns the authentication result.  It the result is successful the STAs shall be declared mutually authenticated.

In the description in 11.2.3.2.2 and 11.2.3.2.3, the STA initiating the authentication exchange is referred to as the requester, and the STA to which the initial frame in the exchange is addressed is referred to as the responder.  The specific items in each of the messages described in the following subclauses are defined in 8.3.3.11, Table 8-28, and Table 8-29.

From IEEE 802.11-2012

11.2.2.1 WEP overview

WEP-40 was defined as a means of protecting (using a 40-bit key) the confidentiality of data exchanged among authorized users of a WLAN from casual eavesdropping.  Implementation of WEP is optional. The same algorithms have been widely used with a 104-bit key instead of a 40-bit key in fielded implementations; this is called WEP-104.  The WEP cryptographic encapsulation and decapsulation mechanics are the same whether a 40-bit or a 104-bit key is used. Therefore WEP can refer to either WEP-40 or WEP-104.

WEP characteristics: RC4 stream cipher, static preshared keys, manual key mgmt, weak implementation

WEP has a 24-bit initialization vector (IV) as part of the encryption and decryption process.  Length would be 64-bit or 128-bit. The key can be made up of either hexadecimal or ASCII characters.  The 24-bit IV transmitted across the wireless medium in cleartext makes the WEP key vulnerable to intrusion.

Unlike Open System authentication which uses WEP only for data encryption, Shared Key authentication requires the use of WEP for both 802.11 authentication and for data encryption.  Shared Key Authentication uses 4 frames for 802.11 association. WEP-encrypted communication follows.

In order for Shared Key authentication to function, the same WEP key must be installed on all stations that are part of the wireless service set.

From IEEE 802.11-2012:

11.2.3.3 Shared Key authentication

Shared Key authentication seeks to authenticate STAs as either a member of those who know a shared secret key or a member of those who do not.

Shared Key authentication can be used if and only if WEP has been selected and shall not be used otherwise.

This mechanism uses a shared key delivered to participating STAs via a secure channel that is independent of IEEE Std 802.11.  This shared key is set in a write-only MIB attribute with the intent to keep the key value internal to the STA.

802.11 Shared Key authentication weaknesses:

  • Requires the use of WEP
  • Uses a clear/ plain text challenge message
  • Result is a weak authentication mechanism

EAP-MD5

Weak EAP type developed for use on the wired network to test basic connectivity between EAP participants.  Does not provide dynamic encryption key management or mutual authentication or any characteristic that would provide security for a wireless network.  

Proprietary LEAP

Cisco developed Lightweight Extensible Authentication Protocol.  Cisco Compatible Extensions (CCX) technology allowed non-Cisco manufacturers to develop code that allowed their devices to use LEAP on the client devices side.  Username was passed in clear text and did not use any tunneling mechanisms. MSCHAPv2 hash used for exchange of credentials. EAP-Fast replaced LEAP.

Eavesdropping

Unencrypted wireless traffic is easily intercepted by any and all nearby users with a protocol analyzer.

 Any device that can “hear” the WLAN traffic will be able to collect information that traverses the wireless medium.  

Social Engineering

Social engineering is a method used by intruders to gather information which may in turn provide an intruder the ability to circumvent an installed wireless security solution.

Social Engineering Toolkit

  • Spear-Phishing – send emails with attached file payload
  • Website Attacks – utilize multiple web-based attacks to compromise site visitors
  • Infection Media Generator – create USB or DVD autorun modules with a Metasploit payload
  • Creating a Payload and Listener – setup a payload to provide re-entry to compromised systems
  • Mass Mail – send emails to mass numbers through private mail server or junk Gmail account
  • Arduino Attacks – used to program Arduino hardware for attack purposes
  • Wireless APs – used to setup fake APs and captive portals to capture user info or infect client
  • QR Code Generator – generates QRcodes that can redirect to attack sites
  • Powershell – take advantage of Powershell’s power in modern Windows systems to perform attacks
  • Third-Party – several add-ons to extend the features of the toolkit

RF DoS – occurs with the RF that is used for intended communications is impacted by external RF sources preventing wireless communication to occur.  intentional or unintentional. PHY DoS. The best tool to identify is RF spectrum analyzer or WIPS.

Layer 2 MAC DoS include using Deauthentication management frames and Disassociation management frames.  Can be identified and mitigated with protocol analyzers or WIPS.

Peer-to-Peer network communications is the result of one wireless client device connecting to another client wireless device.  Attacks include data theft and accessing the client device directly because of weak security on the client system.

Man in the Middle attack is the result of an intruder placing an unauthorized wireless device between a wireless AP and wireless client device that is authorized to connect to and use the wireless network.  

Management Interface Exploits when configuration defaults are used

*************************************************************************************

Management interface exploits can be prevented by implementing proper staging and management procedures.  Staging includes all tasks during the initial setup of the equipment. Management procedures should be performed over secure channels.  Always use encrypted protocols such as HTTPS and SSH.

************************************************************************************

Authentication Cracking

Some authentication protocols that are weak and vulnerable:

  • 802.11 shared key authentication
  • WPA & WPA2 Personal Mode
  • LEAP
  • EAP-MD5
  • PPTP point to point tunneling protocol
  • PAP, CHAP, MSCHAP, MSCHAPv2

When using WPA and WPA2-Personal you must use a strong and long PSK.  Preferably 20 characters and not comprised of words. Use a mixture of uppercase letters, lowercase letters, and digits.  If you add in special characters it will just be that much stronger.

Public Access Networks are subject to a variety of network security threats including:

  • Spam transmission
  • Malware injection
  • Information theft
  • Peer-to-peer attacks
  • Various Internet attacks

Some of the configurations to lesson these attacks include:

  • peer-to-peer blocking
  • Firewall config
  • Port blocking
  • Protocol blocking

The user also has the responsibility of securing the devices they use.  This includes using up-to-date anti-virus software, proper firewall configurations, strong passwords, securing any shares and using VPN technology.

Recommended best practices include:

  • Upgrade the security suite
  • Replace legacy solutions
  • Upgrade firmware

CH3: Security Policy 

2.1 – Explain the purpose and goals of security policies including password policies, acceptable use policies, WLAN access policies, personal device policies, device management (APs, infrastructure devices and clients) and security awareness training for users and administrators.

2.2 – Summarize the security policy criteria related to wireless public access network use including user risks related to unsecured access and provider liability.

2.3 – Describe how devices and technology used from outside an organization can impact the security of the corporate network including topics like BYOD, social networking and general MDM practices.

1.4 – Describe and perform risk analysis and risk mitigation procedures, including asset management, risk ratings, loss expectancy calculations and risk management planning.

Corporate Security Policy is  a very important written document that contains detailed information about protecting the integrity of corporate and computer networking operations.

SANS Institute www.sans.org Security Policy templates

The following reasons for creating a security policy are important:

Maintain desired level of network security

Uphold compliance

Legal Protection

Asset Documentation

Procedural Continuity

Authority

Steps involved in creating a wireless security policy

Perform risk assessment

Define and document vulnerabilities and countermeasures

Obtain support from management

Provide communications among the departments or individuals that will be involved

Provide ongoing monitoring and security auditing

Plan response, forensics,enforcement,and reporting tactics in advance of a policy security breach

Revise and fine-tune the policy as needed

Publish all changes and provide an educational forum to keep users apprised of current status

************************************************************************************

Management must support the security development process and they must support enforcement of the policies for them to have a significant impact and to result in a more secure environment.

************************************************************************************

************************************************************************************

Loss expectancy is a standardized calculation used in risk management.  Annualized Loss Expectancy (ALE) is a result of the Single Loss Expectancy (SLE) multiplied by the Annual Rate of Occurrence (ARO).

************************************************************************************

When the policy document is created, based on risk assessment, ensure the following:

  • It is accessible to all relevant parties via a public file share or on each user’s computer 
  • It is marketed/ promoted/ distributed within the company
  • It is kept up-to-date
  • It’s importance is defined

Management buy-in offers the following benefits:

  • Provides authority
  • Allows for enforcement of technical policy requirements
  • Allows commitment of resources
  • Commitment to disciplinary behaviour when violations occur

Training of end users and administrators should include:

  • Security awareness training should be provided
  • Identify and report social engineering
  • Abide by password policy
  • Prevent rogue APs and clients
  • Understand repercussions to policy violations
  • Acceptable Use and Abuse
  • Remote networking procedures
  • Create security awareness

The response plan should address items such as the following:

  • Forensic data analysis
  • How to respond to rogue APs
  • Analyzing system logs
  • Accounting services
  • What immediate reaction is taken with a compromised network infrastructure
  • What authorities are notified and involved
  • To whom do end-users and admins report security violations

Enforcement criteria that should be included within the security policy functions:

  • Use of passwords
  • Amount and frequency of training focused on the use of the chosen security module and awareness of social engineering attacks
  • The methods to be used in order to provide awareness of security risks and vulnerabilities of WLAN implementation
  • Definition of acceptable and unacceptable use of the WLAN
  • Employees should be made aware that any or all of their WLAN traffic may be captured, filtered, and analyzed
  • The procedures used to implement and enforce the security policy must be consistent
  • Creation and maintenance of WLAN security checklist and a change management program

Suggestions for monitoring:

  • 24 x 7 x 365 monitoring
  • Implement WIPS
  • Periodic and automatic report generation
  • Enable appropriate alarms and notifications

During the auditing process:

  • Test for known weaknesses
  • Authentication cracking
  • Social engineering
  • Rogue devices
  • Generate detailed audit reports
  • Ensure compliance with industry regulations and guidelines

Review and Revise involves:

  • Perform a policy review
  • Perform and internal/external audit
  • Modify the policy based on results

Password policy considerations:

  • Password length
  • Mixed alphanumeric with uppercase and lowercase and special characters
  • Password change policies
  • Password sharing policies
  • Password access policies
  • Password storage policies

Additional Policies:

  • Acceptable Use – defines the intended use cases for the provided system
  • WLAN access policy – defines who can access the WLAN and how they can access it
  • Personal device or BYOD policy – defines the allowed use of personal devices and may include requirements such as onboarding and mobile device management
  • Physical security policies – policies related to the protection of the devices and the environment and may include requirements such as security gates/doors, locks, enclosures, and cameras

Items that should be addressed in a BYOD policy:

  • Allowed and supported device types
  • Supported mobile operating systems
  • Device provisioning and enrollment methods
  • Containerization to separate corporate and personal data
  • Allowed apps, distribution methods, and app stores used
  • Remote device management
  • Location services capabilities
  • Data encryption methods
  • Remote access security, VPN, and public access networks
  • Firmware, operating system updates and software patches or hot-fixes

CH4: Authentication 

1.3 – Execute the preventative measures required for common vulnerabilities on wireless infrastructure devices, including weak/default passwords on wireless infrastructure equipment and misconfiguration of wireless infrastructure devices by administrative staff.

3.4 – Identify the purpose and characteristics of IEEE 802.1X and EAP and the processes used including EAP types (PEAP, EAP-TLS, EAP-TTLS, EAP-FAST, and EAP-SIM), AAA servers (RADIUS) and certificate management.

3.9 – Understand additional security features in WLAN infrastructure and access devices, including management frame protection, Role-Based Access Control (RBAC), Fast BSS transition (pre-authentication and OKC), physical security methods and Network Access Control (NAC).

Consider the following when choosing a credential solution:

  • The method used to protect the credentials
  • The storage location of the credentials
  • The access method of the credential store

The generic credentials available are:

  • Something you know (information:password, pin)
  • Something you have (physical objects: smartcards, keys)
  • Something you are (biometric: thumb scanners, retina scanners)

Credential types: Username & password, certificates, biometrics, tokens, PACs (privilege attribute certs)

Passphrase-based Security

ASCII-based passphrases will be converted to a 256-bit pre-shared key (PSK) using a conversion hash.  The 802.11-2012 standard provides a passphrase-to-PSK mapping process.  

WPA & WPA2 personal mode authentication happens by means of a shared pairwise master (PMK).  Both the supplicant and authenticator are configured with the same passphrase (or HEX ASCII), which is converted into a PMK.  The PMK is then used for dynamic encryption key generation during the 4-way handshake. Because the PMK is used as an input to dynamic encryption keys, if the PMK on both devices does not match, shared encryption keys will not be generated and the 4-way handshake will fail.

When a passphrase is used, rather than directly entering a hexadecimal PSK, the passphrase is converted into a PSK by the following method:

PMK=PRF(passphrase, ssid, ssidLength, 4096, 256)  

In this formula, PRF refers to a pseudo-random function that is calculated against the string comprised of the passphrase, SSID, and the SSIDlength and it is hashed 4096 times to generate a value of 256 bits, which then becomes the PMK.  The PMK is never transmitted across the unbounded wireless medium.

The PMK is used to generate a subsequent key known as the pairwise transient key (PTK).  The derivation of the PTK is done by exchanging MAC addresses and randomly generated tokens known as nonces between the supplicant and the authenticator using the RSNA-defined 4-way handshake.  The first two frames in the 4-way handshake contain all of the information required to create the PTK except the PMK.

You can identify the PSK authentication when the AKM Suite type is equal to 00-0f-AC:02

TKIP enhancements over WEP included a longer initialization vector (48 bits instead of 24 bits) and an improved integrity check.  In most cases all that was required was to upgrade the firmware for devices.

WPA provided an interoperability certification for TKIP technology.

*************************************************************************************

TKIP uses a per-MPDU TKIP sequence counter (TSC) to prevent replay attacks.  A replay attack occurs when a frame is retransmitted, with or without modification.

*************************************************************************************

The RSN information element contained within certain wireless management frames, defines an Authentication Key Management Suite List field, which specifies the type of authentication supported in a network.  If the field is populated with “00-0F-AC:02” it delineates PSK-based authentication.

From IEEE 802.11-2012:

M.4.1 Introduction

“Keys derived from the passphrase provide relatively low levels of security, especially with keys generated from short passwords, since they are subject to dictionary attack.  Use of the key hash [pass-phrase-to-PSK mapping process] is recommended only where it is impractical to make use of a stronger form of user authentication. A key generated from a passphrase of less than about 20 characters is unlikely to deter attacks.”

The mapping algorithm is provided as a recommended practice.  The IEEE 802.11i Task Group also detailed the weaknesses that this feature brings to the PSK mechanism.  A passphrase typically has about 2.5* bits of security per character, so the passphrase mapping coverts an n octet password into a key with about 2.5n+12** bits of security.  Because of this, any dictionary-based brute force exploint can be modified to recover the hashed passphrase from the 4-way handshake. This vulnerability does not exist if hexadecimal PSKs are used directly.

This is due to the practice by most users of selecting easily-remembered key words that do not contain a mix of alphanumeric and special characters in their makeup.  Because of this, an eight character passphrase (64 bits) would only contain 20-bits of entropy.

**Mixing in the SSID adds an additional (approx.) 12-bits of entropy.

Authentication – who a network user is

Authorization – what a network user can do

Accounting – what a network user did while connected

*************************************************************************************

RADIUS servers can use return list attributes to set group membership and this can be used to implement appropriate security profiles for authenticated users of the WLAN.

*************************************************************************************

Mutual authentication is a method used for two entities to authenticate each other such as, a client device and an authentication server.  Mutual authentication is required for dynamic encryption key generation.

EAP-MD5 does not provide mutual authentication and should never be used.

Authorization can be allowed on a per-user or per-group basis and may include:

  • Access Control Lists (ACL) – What can the authenticated user do
  • Stateful firewalls – Allowing or restricting network services and ports
  • Bandwidth controls – How much data can a user transmit or receive i.e. 5 Mbps
  • Time controls – What days and/or hours can the network be accessed
  • Location permissions – What can be done based on the user login location
  • Traffic filters – Restricting or allowing certain types of network traffic based on specified criteria
  • QoS policies – Specifies quality of service capabilities

************************************************************************************

RADIUS supports ACCESS-REQUEST and ACCESS-ACCEPT packets to use for service authorization.  When a RADIUS server receives an ACCESS-REQUEST packet, which includes a list of desired access rights, it must respond with an ACCESS-ACCEPT packet if all desired attributes are acceptable or an ACCESS-REJECT packet if one or more attributes are not acceptable.

************************************************************************************

Role-based access control (RBAC) refers to the general process of applying roles or groups to users.  Then filters, rules, and permissions are applied to a security policy. Finally, a security policy is mapped to a specific group or role.  In the end, a user is assigned a security policy through its role. The security policy sets the rights or permissions of the user.

RBAC requirements should include:

  • Defining network access roles
  • Assigning authentication parameters to each role
  • Assigning authorization parameters to each role

RADIUS supports network accounting via default port 1813 or 1646 as specified in RFC 2866, and must be enabled on both the AAA client and the AAA server.

Network Access Control (NAC) is a security posture assessment tool.  

Actions performed by a NAC solution may include:

  • Ensures all appropriate policies and security mechanisms are met by endpoints
  • Policies are applied to enforce security on a network
  • Enforce requirements like antivirus software version and scans, OS updates, security patches, firewalls, user restrictions, etc.
  • Authentication and authorization
  • Posture assessment
  • Quarantine
  • Remediation

Three primary authentication components of WPA-Enterprise and WPA2-Enterprise are:

  • Remote Authentication Dial-In User Service (RADIUS)
  • IEEE 802.1X – Port-based access control
  • Extensible Authentication Protocol (EAP)

RADIUS allows for centralized authentication services and acts as the authentication server (AS).

RADIUS is based on UDP.  Port 1812 for authentication ops.  Port 1813 for accounting ops.

IEEE 802.1X is the standard that defines port-based access control.  It specifies the roles of the components used in the authentication process.  In a wireless network, these components are:

  • The supplicant
  • The authenticator
  • The authentication server

************************************************************************************

RADIUS servers have digital certificates used to authenticate the RADIUS server itself.  These certificates can be self-signed or provided by a trusted third-party.

************************************************************************************

Configuring an enterprise RADIUS server.  Configurations must be performed in three or four areas:

  • Configure the client by selecting the WLAN profile, configuring the security parameters including EAP type, and selecting the certificate
  • Configure the WLAN Controller or AP with the IP address, correct port, and shared secret of the RADIUS server
  • Configure the RADIUS server by adding the approved APs or network subnet.  Specific EAP and RADIUS services must also be selected, configured, and enabled on the RADIUS server.
  • Depending upon the user database, additional configurations may be required for database compatibility and functionality

WLAN infrastructure configuration includes:

  • The network name (SSID)
  • 802.1X/EAP authentication
  • The encryption scheme that will be used
  • Any SSID specific settings
  • Configuration of a RADIUS server

RADIUS-specific parameters include:

  • An IP address
  • The shared secret
  • Authentication and accounting ports
  • Other required and optional parameters

A digital certificate is a data file that is exchanged between the authenticating entities.  Digital certificates are created, distributed, and authenticated by trusted certificate authorities (CA), which, in an enterprise deployment, are part of a Public Key Infrastructure (PKI).  The CA certificate should be installed in the local store of trusted roots on all client devices so that certificates issued from the CA will be trusted as well.

Several forms of EAP rely on transaction layer security (TLS) based protocol variants to provide authentication.  TLS is based on the secure sockets layer (SSL) protocol originally developed by Netscape. TLS leaves the decisions on how to initiate handshaking and how to authenticate credentials such as digital certificates and secret keys, to the protocol designers.  These credentials may be exchanged during or following the TLS handshake procedure.

TLS provides the mechanism to allow the client and server to authenticate each other and to negotiate an encryption algorithm and cryptographic keys, while guaranteeing privacy through the use of asymmetric cryptography and secure message integrity.  TLS negotiations are secure from eavesdropping, hijacking and man-in-the-middle intrusions.

Reasons to use EAP with 802.1X include:

  • Maturity and interoperability
  • User-based authentication and authorization
  • Dynamic encryption key management (generation and distribution)
  • Flexible authentication (many EAP types available)

************************************************************************************

When using 802.1X virtual ports, the uncontrolled port is used for authentication to allow data communications across the controlled port after such successful authentication.

************************************************************************************

The first step to creating an RSNA is to become 802.11 authenticated and associated, during which each STA receives the other’s Robust Security Network IE that describes their respective capabilities and requirements.

The second step to creation of an RSNA is for the supplicant and authentication server to complete the mutual 802.1X/EAP authentication and for the authentication server to pass the PMK to the Authenticator.

IEEE 802.1X Framework

IETF RFC 5347 defines EAP

************************************************************************************

EAP over LAN (EAPoL) packets are used across the medium between the wireless client STAs and the AP/controller.  Encapsulated EAP over RADIUS is used between the AP/controller and the authentication server (RADIUS).

*************************************************************************************

EAP is a Layer 2 authentication protocol used by 802.3 and 802.11 as a flexible replacement for PAP and CHAP under PPP.

The third step in creating a RSNA is for the two STAs to have a matching pairwise master key (PMK).  The PMK will be used to generate the pairwise transient key (PTK) for encryption purposes. Gaining the shared PMK is accomplished in one of two ways:

  • Out-of-band – uses a preshared key entered on both STAs directly or create from a passphrase
  • In-band – uses 802.1X/EAP with RADIUS infrastructure where the 802.1X/EAP mechanism creates the PMK

The final step in creating a RSNA is the 4-way handshake, which results in the availability of the unicast and broadcast/multicast encryption keys on both the supplicant and the authenticator.  At the conclusion of the handshake, each STA will have derived the same PTK. This PTK is used to secure unicast traffic and it is used to exchange a group temporal key (GTK) to secure broadcast and multicast traffic.

*************************************************************************************

The order of communication is ANonce, SNonce with MIC, transmission of the GTK and a final message to verify installation of the PTK sent from the supplicant to the authenticator.

*************************************************************************************

EAP Types

EAP-LEAP is Cisco Systems proprietary and was cracked in early 2004.  EAP-FAST was Cisco’s replacement for LEAP and was used in the short term after it was released.  

EAP-TLS – client and server certificates required

TTLS (EAP-MSCHAP-v2) – only server certificates required

PEAPv0 (EAP-MSCHAP-v2) – only server certificates required

PEAPv0 (EAP-TLS) – client and server certificates required

PEAPv1 (EAP-GTC) – used with token card and directory-based authentication systems and only server certificates required

EAP-SIM – EAP for GSM Subscriber Identity Module- mobile communicators

EAP-AKA – for use with the UMTS Subscriber Identity Module – mobile communications

EAP-MD5 requires no digital certificates at all, it does not provide mutual authentication and it does not use tunneled authentication.  It may be good for testing the links in the authentication chain, but it should not be trusted for any real-world authentication scenarios.

*************************************************************************************

PEAP supports three different common internal methods on WLANs: MSCHAPv2, EAP-TLS and EAP-GTC.  EAP-GTC is used with PEAPv1.

*************************************************************************************

PEAP

Phase 1 – establishment of the TLS tunnel

Phase 2 – client authentication happens inside the TLS tunnel and is specific to the PEAP implementation

Client authentication may include the use of a username and hashed passphrase (EAP-MSCHAPv2), a client certificate (EAP-TLS), or a token card (EAP-GTC), among others (such as POTP).

PEAPv0/EAP-MSCHAPv2

Phase 1 – establishment of the encrypted TLS tunnel and server authentication

Phase 2 – client authentication and derivation of the session keys. built into the Microsoft Windows OS

Cisco LEAP provides mutual authentication, data encryption, and per-user/per-session keys, dynamic key rotation at intervals, and a strong MIC.  Weak. Requires only username/password credentials for authentication. Username passed in clear text and a MD4 hash is used. Cracked in early 2004

EAP-FAST is Cisco’s response to the vulnerabilities found in LEAP.  EAP-FAST consists of three phases (0-2).  

Phase 0 – provisioning Protected Access Credentials (PACs)  manually or MS-CHAPv2

Phase 1 – building a TLS tunnel for encrypting the client credentials sent to auth server

Phase 2 – supplicant authenticates to the authentication server

EAP-TLS

EAP-TLS requires that the supplicant and authentication server have their own x.509 certificates installed.  Two modes: normal and tunneled. Supports mutual authentication and encryption key generation either through proprietary mechanisms or through the 802.11 4-way handshake.

EAP-TTLS/EAP-MSCHAPv2

EAP-TTLS supports the 802.11 4-way handshake, uses a TLS tunnel for encrypted user credential exchange, and supports various legacy authentication protocols inside the TLS tunnel such as MD5, PAP, CHAP, MS-CHAP, and MS-CHAPv2.  

CH5: Authentication and Key Management 

3.2 – Understand and explain 802.11 Authentication and Key Management (AKM) components and processes including encryption keys, handshakes and pre-shared key management.

3.3 – Define and differentiate among the 802.11-defined secure networks, including pre-RSNA security, Transition Security Networks (TSN) and Robust Security Networks (RSN) and explain the relationship of these networks to terms including RSNA, WPA and WPA2.

RSN – Robust Security Network identified by the indication in the RSN information element of Beacon frames that the group cipher suite specified is not WEP.

RSNA – Robust Security Network Association is the type of association used by a pair of stations (STAs) if the procedure to establish authentication or association between them includes the 4-way Handshake

Pre-RSNA – type of association used by a pair of stations if the procedure for establishing authentication or association between them did not include the 4-way handshake.

TSN – Transition Security network allows the creation of pre-robust security network associations as well as RSNAs. Identified by the indication in the RSN information element of Beacon frames that the group cipher suite in use is WEP.

MSK – Master Session Key.  Keying material that is derived between EAP peer and exported by the EAP method to the Authentication Server (AS).  This key is at 64 octets in length.

PMK – Pairwise Master Key.  The highest order key used within this standard.  May be derived from a key generated by an EAP method or may be obtained directly from a PSK

PTK – Pairwise Transient Key.  A value that is derived from the pairwise master key (PMK), Authenticator address (AA), Supplicant Address (SPA), Authenticator nonce (ANonce), and Supplicant nonce (SNonce) using the pseudo-random function (PRF) and that is split up into as many as five keys, i.e., temporal encryption key, two temporal message integrity code (MIC) keys, EAPOL-key encryption key (KEK), EAPOL-key confirmation key (KCK).

GMK – Group Master Key. An auxiliary key that may be used to derive a group temporal key (GTK)

GTK – Group Temporal Key.  A random value, assigned by the broadcast/multicast source, which is used to protect broadcast/multicast medium access control (MAC) protocol data units (MPDUs) from that source.  The GTK may be derived from a group master key (GMK).

KCK – EAPOL-Key confirmation key used to integrity-check an EAPOL-Key frame

KEK – EAPOL-Key encryption key used to encrypt the Key Data field in an EAPOL-Key frame

PMKSA – Pairwise Master Key Security Association.  The context resulting from a successful IEEE 802.1X authentication exchange between the peer and Authentication Server or from a preshared key.

PMKID – Pairwise Master Key Identifier.  The PMK is an identifier of a security association.

PMKID=HMAC-SHA1-128(PMK, “PMK Name” || AA || SPA)

PTKSA – Pairwise Transient Key Security Association.  The context resulting from a successful 4-way handshake exchange between the peer and Authenticator.

GTKSA – Group Temporal Key Security Association.  The context resulting from a successful group temporal key GTK distribution exchange via either a Group Key Handshake or a 4-Way Handshake

RSN Information Element is a set of frame fields included in certain WLAN management frames that are part of a RSN.  The RSN IE defines the cipher suites used and authentication key management suites that are required and supported in the RSN.  

*************************************************************************************

The RSN IE is important as it defines the security parameters of the BSS.  It is included in beacon, probe response, association request and reassociation request frames.

*************************************************************************************

*************************************************************************************

The AKM Suite List field defines whether PSK or Enterprise (802.1X) authentication and key management is used.  Stated differently, it defines whether Personal or Enterprise WPA or WPA2 is in use.

*************************************************************************************

The Cipher Suite Type or Cipher Suite OUI always starts with 00-0F-AC and is followed by a number indicating the actual suite.  Suite values include:

00 – Use the Group Suite

01 – WEP-40

02 – TKIP

04 – CCMP

05 – WEP – 104

AKM Suite List

00-0F-AC-__

01=802.1X

02=PSK

PMKID is a unique identifier created for each PMKSA that has been established between the AP and the client when an RSNA is created.  Only used when fast secure transition features are enabled on the service set. PMKID field visible only in Association Request and Reassociation Request management frames.

From IEEE 802.11-2012: 

4.3.4.3 Robust security network association (RSNA) 

“An RSNA depends upon the use of an EAP method that supports mutual authentication

of the AS and the STA, such as those that meet the requirements in IETF RFC 4017.” 

RFC 3748, Section 7.10 (Emphasis Added) 

“In order to provide keying material for use in a subsequently negotiated cipher

suite, an EAP method supporting key derivation MUST export a Master Session Key

(MSK) of at least 64 octets, and an Extended Master Session Key (EMSK) of at

least 64 octets. EAP Methods deriving keys MUST provide for mutual

authentication between the EAP peer and the EAP Server.” 

RFC 3748, Section 7.2.1 

“Mutual authentication This refers to an EAP method in which, within an interlocked

exchange, the authenticator authenticates the peer and the peer authenticates

the authenticator. Two independent one-way methods, running in opposite

directions do not provide mutual authentication as defined here.” 

From IEEE 802.11-2012: 

11.1.6 RSNA assumptions and constraints 

“When IEEE 802.1X authentication is used, the specific EAP method used performs

mutual authentication. This assumption is intrinsic to the design of RSN in

IEEE 802.11 LANs and cannot be removed without exposing both the STAs to

man-in-the-middle attacks. EAP-MD5 is an example of an EAP method that does not

meet this constraint (see IETF RFC 3748 [B26]). Furthermore, the use of EAP

authentication methods where server and client credentials cannot be

differentiated reduces the security of the method to that of a PSK due to the

fact that malicious insiders can masquerade as servers and establish a

man-in-the-middle attack. 

“In particular, the mutual authentication requirement implies an unspecified prior

enrollment process (e.g., a long-lived authentication key or establishment of

trust through a third party such as a certification authority), as the STA must

be able to identify the ESS or IBSS as a trustworthy entity and vice versa. The

STA shares authentication credentials with the AS utilized by the selected AP

or, in the case of PSK, the selected AP. The SSID provides an unprotected

indication that the selected AP’s authentication entity shares credentials with

the STA. Only the successful completion of the IEEE 802.1X EAP or PSK

authentication, after association, can validate any such indication that the AP

is connected to an authorized network or service provider.” 

From IEEE 802.11-2012: 

11.6.6.1 General 

4-Way Handshake 

“RSNA defines a protocol using IEEE 802.1X EAPOL-Key frames called the 4-Way

Handshake. The handshake completes the IEEE 802.1X authentication process. The

information flow of the 4-Way Handshake is as follows: 

Message 1: Authenticator → Supplicant: EAPOL-Key(0,0,1,0,P,0,0,ANonce,0,DataKD_M1) where DataKD_M1 = 0 or PMKID for PTK generation, or PMKID KDE (for sending SMKID) for STK generation Message 2: Supplicant → Authenticator: EAPOL-Key(0,1,0,0,P,0,0,SNonce,MIC,DataKD_M2) where DataKD_M2 = RSNIE for creating PTK generation or peer RSNIE, Lifetime KDE, SMKID KDE (for sending

SMKID) for STK generation 

Message 3: Authenticator → Supplicant: EAPOL-Key(1,1,1,1,P,0,KeyRSC,ANonce,MIC,DataKD_M3)

where DataKD_M3 = RSNIE,GTK[N] for creating PTK generation or initiator RSNIE,

Lifetime KDE for STK generation 

Message 4: Supplicant → Authenticator: EAPOL-Key(1,1,0,0,P,0,0,0,MIC,DataKD_M4)

where DataKD_M4 = 0.” 

The RSN-IE element has an element ID of 48 and is present in the following different management frames:

Beacon frames (sent by AP)

Probe Response frames (sent by AP)

Association Request frames (sent by Client)

Reassociation Request frames (sent by Client)

All 802.11 radios will use one cipher(pairwise) suite for unicast encryption and another cipher (group) for encrypting multicast/broadcast traffic.  The following are the different cipher suite values:

00-0F-AC-04 (CCMP) is the default

00-0F-AC-02 (TKIP) is optional

00-0F-AC-01 (WEP-40)

00-0F-AC-05 (WEP-104)

Three AKM suite values depending on Authentication method used:

00-0F-AC-01 (802.1X)

00-0F-AC-02 (PSK)

00-0F-AC-03 (FT over 802.1X)

CH6: Encryption 

3.2 – Understand and explain 802.11 Authentication and Key Management (AKM) components and processes including encryption keys, handshakes and pre-shared key management.

Encryption is defined as the process of modifying information (data) with an algorithm called a cipher that results in unreadable or meaningless data to those without the key used in the algorithm.

Encryption algorithm – mathematical procedures used to obscure information so it appears as seemingly meaningless data to an unintended recipient without a key.  AES RC4, RC5, RC6

Hash function or hashing algorithm – a deterministic procedure that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an accidental or intentional change to the data will change the hash value

Cipher suite – a named combination of authentication, encryption, and message authentication code algorithms used to negotiate the security settings for a network connection

Stream cipher – a symmetric key cipher where plaintext bits are combined with a pseudorandom cipher bit stream (keystream), typically by an exclusive-or (xor) operation.  In a stream cipher, the plaintext digits are encrypted one at a time, and the transformation of successive digits varies during the encryption.

Block cipher – a symmetric key cipher operating on fixed-length groups of bits, called blocks, with an unvarying transformation.

Symmetric key encryption – a class of algorithms for cryptography that use trivially related, often identical, cryptographic keys for both decryption and encryption

Asymmetric key encryption – a class of algorithms for cryptography that use separate key pairs for encryption and decryption.  Key pairs are typically deployed as shared public and secret private keys.

RC4 developed by Ron Rivest of RSA Security in 1987.  Used with WEP and TKIP. Plain text IV

AES uses Rijndael algorithm and is a block cipher that was established by the U.S. National Institute of Standards and Technology (NIST) in 2001 to replace the older 1970s DES encryption algorithm.  AES has a block size of 128 bits and can use three different key lengths, 128-bit, 192-bit and 256-bits.  

WEP encapsulates the MPDU data payload with a 4 octet IV and a 4 octet ICV and extends the length of the MPDU by a total of 8 octets.  Frame expansion from 2304 bytes to 2312 bytes.

WEP weaknesses include:

  • Brute Force Attacks – key guessing method that attempts every possible key to crack encryption
  • Dictionary Attacks – relies on humans using words as passwords or common strings as passwords
  • Weak IV Attacks – faulty implementation of RC4, prepended to static WEP key, plaintext
  • Re-Injection Attacks – re-injected ARP packets onto the wireless LAN forces clients to reply
  • Storage Attacks – methods used to recover WEP or WPA keys from their storage locations

FPGAs – Field Programmable Gate Arrays were add-on boards for hardware acceleration

Dynamic WEP does not use static keys instead uses the 802.1X framework to produce dynamic encryption keys.  Non-standard

TKIP/WPA added four new algorithms to WEP

  • Michael – Message Integrity Check (MIC) to prevent forgery attacks
  • 48-bit IV and IV sequence counter to prevent replay attacks
    • MPDUs received out-of-order are dropped by receiver
  • Per-packet key mixing of the IV to de-correlate IVs from weak keys
    • 48-bit IV called TKIP Sequence Counter (TSC) updated each packet
    • 2  48 frames allowed per single temporal key would require 100 years to exhaust
  • Dynamic re-keying mechanism to change encryption and integrity keys
    • Temporal key, transmitter address, and TSC combined into per-packet key
    • Split into 104-bit RC4 key and 24-bit IV for WEP compatibility

TKIP adds the additional overhead of an extended IV of 4 octets and an additional MIC of 8 octets inside of WEP’s encapsulation which is a total of 12 additional octets.  Total encryption becomes 20 octets per frame vs 12 octets from WEP. Max frame body becomes 2324 octets

Michael is the name of the integrity algorithm used with TKIP that enhances the legacy ICV mechanism.  Niels Ferguson is Michael’s designer. Michael is meant to improve integrity protection while remaining backwards compatible with millions of limited-feature legacy radios.  20 bits of effective security strength

CCMP is based on the CCM of the AES encryption algorithm.  CCM combines CTR (counter) mode for data confidentiality and CBC-MAC for authentication and integrity.  CCM protects the integrity of both the MPDU Data field and selected portions of the 802.11 MPDU header. The AES algorithm is defined in FIPS PUB 197-2001.  All AES processing used within CCMP uses AES with a 128-bit key and a 128-bit block size.

WPA2:

  • Replaces RC4 with AES (Rijndael algorithm) in Counter mode (for data privacy) with Cipher Block Chaining-Message Authentication Code (CBC-MAC) for data authenticity – CCMP/AES
  • Uses 128-bit encryption key size, and encrypts in 128-bit fixed length blocks
  • 48-bit IV (called Packet Number or PN) derived from AES Key
  • Encryption and MIC calculation proceed in parallel
  • Per-packet keys unnecessary due to strength of AES cipher
  • 8-byte MIC considered much stronger than Michael
  • Separate chip used to perform computation-intensive AES ciphering

2304 bytes – prior to 802.11n

2313 bytes – WEP added 8 octets

2324 bytes – TKIP added 12 octets in addition to the 8 octets with WEP

2320 bytes – pre-802.11n deployments.  CCMP adds only an additional 16 bytes of overhead to the frame body, 8 octets for the CCMP header and another 8 octets for the MIC.

*************************************************************************************

The CWSP exam no longer tests on frame overhead knowledge when considering WEP, TKIP, and CCMP.  This has been removed from the exam because organizations should only be using CCMP moving forward.  It is provided here for current operational knowledge only.

*************************************************************************************

Frame body sizes vary greatly now with 802.11n and 802.11ac and aggregation features.  You will not be tested on frame sizes on the CWSP exam at all.

TKIP highest achievable data rate is only 54 Mbps

CH7: Security Design Scenarios 

3.5 – Recognize and understand the common uses of VPNs in wireless networks, including remote APs, VPN client access, WLAN controllers and cloud architectures.

3.8 – Explain the role, importance, and limiting factors of VLANs and network segmentation in an 802.11 WLAN infrastructure.

3.10 – Explain the purpose, methodology, features, and configuration of guest access networks and BYOD support, including segmentation, guest management, captive portal authentication and device management.

3.6 – Describe, demonstrate, and configure centrally-managed client-side security applications, including VPN client software and policies, personal firewall software, mobile device management (MDM) and wireless client utility software.

VPN technology can consist of different configurations such as, client-to-server or site-to-site (gateway-gateway) and also include various protocols such as:

Point-to-point tunneling protocol (PPTP)

Layer 2 tunneling protocol (L2TP) with Internet Protocol Security (IPSec) – L2TP/IPSec

Internet Protocol Security (IPSec)

Transport Layer Security (TLS), Secure Sockets Layer (SSL) – SSL/TLS

Secure Shell (SSH)

Datagram Transport Layer Security (DTLS)

Point-to-Point Tunneling Protocol (PPTP) was developed by a vendor consortium that included Microsoft.  Included in OS since Win95. Uses Microsoft Point-to-Point Encryption (MPPE-128) Protocol for encryption.  Operates at Layer 2 and uses generic routing encapsulation (GRE) tunneling to encapsulate point-to-point protocol (PPP) packets.  PPTP on a wireless network with MS-CHAPv2 or v1 should be avoided.

L2TP is the combination of two different tunneling protocols: Cisco’s Layer 2 Forwarding (Layer 2F) and Microsoft’s Point-to-Point Tunneling (PPTP).  L2TP defines the tunneling process, which requires some level of encryption in order to function. With L2TP, a popular choice of encryption is Internet Protocol Security (IPSec), which provides authentication and encryption for each IP packet in a data stream.  L2TP/IPSec is a very common VPN solution in use today.

IPSec is a VPN protocol designed to authenticate and encrypt packets using the Layer 3 Internet Protocol.  IPSec includes two possible implementations:

  • Authenticated Header (AH) – This provides only authentication
  • Encapsulation Security Payload (ESP) – This provides encryption for the data payload in addition to authentication and integrity verification

ESP operates in two modes:

  • Transport mode – client-server or site-to-site communications.  Endpoint devices will encrypt/decrypt the data between each endpoint
  • Tunneled mode – able to communicate from one private IP address directly to another private IP address because the devices build a virtual tunnel.

Secure Socket Tunneling Protocol (SSTP) implements HTTPS on TCP port 443 in order to allow passage through common firewall configurations.  EAP-TLS is a common authentication protocol used with this VPN solution because it allows the passing of PPP traffic over the connection.

*************************************************************************************

When IPSec is used for VPN establishment, ISAKMP packets can be seen using a protocol analyzer.  While the packets are encrypted, it can be determined that IPSec is in use.

*************************************************************************************

A client-server VPN solution consists of three components:

Client side (endpoint)

Network infrastructure (public or private)

Server side (endpoint)

Three steps in creating a VPN:

Perform the required authentication

Build the virtual tunnel

Encrypt the data

Tunneling is the process of encapsulating one IP packet within another IP packet.  

The original packet becomes the payload of the second packet

The source and destination IP addresses of the second packet typically point to the virtual IP address of the VPN client software (source) and the IP address of the VPN endpoint (destination)

Split tunnels were designed to reduce the processing overhead incurred by VPN usage.  In a split tunnel scenario, traffic sent to and from the private network is protected by VPN but all other traffic, including local LAN activity and web-based activities are not encapsulated within secure tunnels.

Common applications used by all wireless LAN end users.

Wireless LAN admin should define:

  • Wired network resources commonly accessed by wireless LAN users
  • Quality of service (QoS) level required by each application

Common devices used to access the wireless LAN.

Wireless LAN admin should define:

  • Security mechanisms (WEP/WPA, WPA2/802.1x/EAP, VPN) supported by each device type
  • Wired network resources commonly accessed by wireless LAN device groups
  • QoS level needed by each device group

Two standard deployment strategies are:

  • Segmentation by user groups: Segmentation of the wireless LAN user community and enforcement of specific access-security policies per user group. 
  • Segmentation by device types:  Segmentation of the wireless LAN to allow different devices with different access-security “levels” to access the wireless network.

Implementation criteria such as those listed above are then defined to include:

  • Use of policy filters to map wired policies to the wireless side
  • Use of 802.1x to control user access to VLANs using either RADIUS-based VLAN assignment or RADIUS-based SSIC access control
  • Use of separate VLANs to implement different Classes of Service (CoS)

Cisco Best Practices

  • Limit broadcast and multicast traffic to the access point and bridge by enabling VLAN filtering and Internet Group Management Protocol (IGMP) snooping on the switch ports.  On the 802.1q trunks to the access point and bridge, filter to allow only active VLANs in the ESS. Enabling IGMP snooping prevents the switch from flooding all switch ports with Layer 3 multicast traffic.
  • Map wireless security policies to the wired infrastructure with ACLs and other mechanisms
  • AP does not support VTP or GVRP.  Must use wired infrastructure to maintain and manage the wired VLANs
  • Enforce network security policies via Layer 3 ACLs on the “guest” and management VLANS.
    • could implement ACLs on wired infrastructure to force all “guest” VLAN traffic to the Internet gateway
    • should restrict user access to the native/default VLAN of the access points and bridges with the use of Layer 3 ACLs and policies on the wired infrastructure
  • May impose RADIUS-based VLAN access control using 802.1X or MAC address auth mechanisms
    • RADIUS-based SSID access control
    • RADIUS-based VLAN assignment

CH8: Secure Roaming 

3.9 – Understand additional security features in WLAN infrastructure and access devices, including management frame protection, Role-Based Access Control (RBAC), Fast BSS transition (pre-authentication and OKC), physical security methods and Network Access Control (NAC).

PMKSA – Pairwise Master Key Security Association.  The context resulting from a successful 802.1X authentication exchange between the peer and Authentication Server (AS) or from a preshared key (PSK).

PMKID – Pairwise Master Key Identifier.  The PMKID is an identifier of a security association.

PMKID = HMAC-SHA1-128(PMK, “PMK Name”||AA||SPA)

PTKSA – Pairwise Transient Key Security Association.  The context resulting from a successful 4-Way Handshake exchange between the peer and Authenticator.

Best practices recommends roam times to be less than 150ms max

Slow Roam Process:

Open System authentication

Association

802.1X/EAP authentication

4-way handshake

VOIP systems require less than 150ms unidirectional delay.  ITU-T recommends in Recommendation G.114 that the round trip time (RTT) or round trip delay not exceed 300ms in a telephony network.

Basic Roaming Review

Basic roaming works in one of three primary ways:

  • Layer 2 roaming across APs within a single controller or without a controller
  • Layer 2 roaming across APs connected to separate controllers
  • Layer 3 roaming

Vendors recommend cell overlaps ranging from 15 to 30 percent

Wi-Fi Certified Voice-Personal certification

Voice – Personal: Voice over Wi-Fi – extends beyond interoperability testing to test the performance of products and help ensure that they deliver good voice quality over the Wi-Fi link

  • Packet loss of less than 1 percent
  • Less than 50 milliseconds of latency
  • Less than 50 milliseconds of maximum jitter

Wi-Fi Alliance certifications must be met to be considered for testing for the cert above:

  • 802.11a, 802.11b, or 802.11g
  • WPA2-Personal (notice WPA-Personal is not allowed)
  • WMM
  • WMM-Power Save (this is only required for APs and is optional for client STAs)

Wi-Fi Voice-Enterprise Certification (2012)

Target performance of a Voice-Enterprise certified solution is 50ms handovers (roams), although breaks of up to 100ms may be acceptable.

Requires that some 802.11r technologies be implemented as well as 802.11e (QoS) and 802.11k (radio resource measurements) to allow for effective VoIP operations.

************************************************************************************

Troubleshooting roaming problems for voice communications on Wi-Fi requires specific hardware and software.  A protocol analyzer and multiple supported adapters may be used in such cases. Additionally, multiple laptops could be used with later merging of the separate protocol captures.

************************************************************************************

Preauthentication is an IEEE standardized fast secure roaming (FSR) method.  Preauthentication must be performed over the Ethernet medium. EAPoL frames use non-standard Ethertype values and are treated as standard data frames and forwarded to the distribution system (DS).  A special Ethertype value (88-C7) is specified for use by the 802.11 standard for wired-side (Ethernet) communications of the roam.

The strengths of preauthentication are:

  • Standardized by the IEEE
  • Can be supported on any WLAN architecture
  • Performed prior to roaming and allows for preauthentication with many different nearby APs

The weaknesses of preauthentication are:

  • Still requires 802.1X/EAP authentication after association
  • Is not an efficient solution as it preauthenticates to APs it may never touch
  • Must happen prior to the roam
  • Doesn’t scale well
  • Only trims off from less than 1ms to possibly 3ms of the roam time

PMK Caching

Pairwise master key PMK caching is also known as Fast Roam-Back

802.11 standard allows pairwise master key security associations (PMKSAs) to be cached at the AP (or WLAN controller) and on the wireless station for the purpose of fast roam-back.  

Robust Security network information element (RSN IE) of reassociation frames contains PMKID, which refers to a PMKSA shared between the client and AP.  The PMKID count and PMKID list fields are present only in reassociation frames.

Strengths of PMK caching are:

  • Standardized by IEEE
  • Can be supported by and WLAN architecture
  • No traffic overhead introduced and a simple design

Weaknesses of PMK caching are:

  • Provides fast roaming only on return to a previously associated AP
  • New AP roams still require full 802.1X/EAP authentication

Opportunistic Key Caching (OKC)

OKC is a key caching method not defined in the 802.11 standard, though having some commonality with 802.11r.  OKC is used both at the supplicant and authenticator for fast roaming. The PMK and PMKID are retrieved from the initial AP with which the wireless station associates.  

PMKID=HMAC-SHA1-128(PMK, “PMK Name”||AA||SPA)

AA – authenticator’s MAC address usually a RADIUS server

SPA – supplicant’s MAC address

The strengths of OKC are:

  • A good solution until Voice-Enterprise (802.11r) solutions are available and implemented
  • Scales well
  • Only requires a single initial 802.1X/EAP authentication

Weaknesses are:

  • Not standardized
  • Not all clients support it
  • Not implemented in a compatible way across all vendors

802.11-2012 (802.11r) Fast Transition (FT)

Pairwise Master Key (PMK): top-level key used in the standard.  Derived from a key generated by EAP or from a pre-shared key (PSK) in smaller implementations

Pairwise Transient Key (PTK): key derived from the PMK, Authenticator (AP) address (AA), supplicant (client) address (SPA), Authenticator nonce (SNonce).  A pseudo-random function is used to generate up to five keys. The five keys are the EAPOL-Key confirmation key, the EPOL-Key encryption key, the temporal encryption key and two temporal message integrity code keys

Group Master Key (GMK): A supporting key that may be used to generate a group temporal key.  The GMK may be regenerated within the AP periodically to reduce the exposure of the group temporal key.

Group Temporal Key (GTK): The key used to protect broadcast or multicast MPDUs on a wireless link.

PMKSA exists between the authentication server and the STA

PTKSA exists between the AP and the STA once 4-way handshake is complete

802.11r

Fast basic service set (BSS) transition: A station (STA) movement that is from one BSS in one extended service set (ESS) to another BSS within the same ESS and that minimizes the amount of time that data connectivity is lost between the STA and the distribution system (DS).

Fast basic service set (BSS) transition (FT) 4-way handshake: A pairwise key management protocol used during FT initial mobility domain association.  This handshake confirms mutual possession of a pairwise master key, the PMK-R1, by two parties and distributes a group temporal key (GTK).

Fast basic service set (BSS) transition (FT) initial mobility domain association: The first association or first reassociation procedure within a mobility domain, during which a station (STA) indicates its intention to use the FT procedures.

Mobility domain: A set of basic service sets (BSSs), within the same extended service set (ESS), that support fast BSS transitions between themselves and that are identified by the set’s mobility domain identifier (MDID).

Over-the-air fast basic service set (BSS) transition (FT): An FT method in which the station (STA) communicates over a direct IEEE 802.11 link to the target AP (AP).

Over-the-DS (distribution system) fast basic service set (BSS) transition (FT): An FT method in which the station (STA) communicates with the target AP (AP) via the current AP.

A single PMK is not considered in an 802.11r implementation as a sole entity, such as was introduced in 802.11i.  Fast transition key hierarchy:

  • PMK-R0: The first level (top-level) PMK.  The PMK-RO is derived from the master session key (MSK) when 802.1X/RADIUS is used or from the pre-shared key (PSK) when personal implementations are used.
  • PMK-R1: The second level PMK.  The PMK-R1 keys are derived from the PMK-R0 key

It a FT implementation, the PTK is derived directly from the PMK-R1

Strengths of 802.11-2012 FT are:

  • Standard based fast roaming
  • Voice-Enterprise certification requires them
  • The most efficient method available today
  • Eventually we will see heavy support for it

Weaknesses of 802.11-2012 FT are:

  • Has been very slow to market given its 8+ year life
  • Wi-Fi Alliance Voice-Enterprise certification only began in 2012
  • Introduces many new terms and concepts requiring enhances education

Strengths of SCA roaming are:

  • As to roaming, one of the best in-use solutions today
  • Infrastructure devices have full control over roaming actions
  • Transitions are imperceptible to the client STA

Weaknesses of SCA roaming are:

  • Proprietary to the given vendor
  • Requires SCA, which many feel is an inefficient architecture in comparison to multiple channel architecture (MCA)

CH9: Network Monitoring 

3.7 – Describe and demonstrate the use of secure infrastructure management protocols, including HTTPS, SNMP, secure FTP protocols, SCP and SSH.

3.9 – Understand additional security features in WLAN infrastructure and access devices, including management frame protection, Role-Based Access Control (RBAC), Fast BSS transition (pre-authentication and OKC), physical security methods and Network Access Control (NAC).

4.1 – Explain the importance of ongoing WLAN monitoring and the necessary tools and processes used as well as the importance of WLAN security audits and compliance reports.

4.2 – Understand how to use protocol and spectrum analyzers to effectively evaluate secure wireless networks including 802.1X authentication troubleshooting, location of rogue security devices and identification of non-compliant devices.

4.3 – Understand the command features and components of a Wireless Intrusion Prevention Systems (WIPS) and how they are used in relation to performance, protocol, spectrum and security analysis.

4.4 – Describe the different types of WLAN management systems and their features, including network discovery, configuration management, firmware management, audit management, policy enforcement, rogue detection, network monitoring, user monitoring, event alarms and event notifications.

4.5 – Describe and implement compliance monitoring, enforcement, and reporting.  Topics include industry requirements, such as PCI-DSS and HIPAA, and general government regulations.

SSH2 provides the following benefits in a secure networking application: 

Public and private key authentication or username and password authentication. 

Data signing through the use of public and private key pairs. 

Private key passphrase association. 

Multiple encryption algorithms are supported such as AES, 3DES and DES. 

Encryption key rotation. 

Data integrity enforced through hashing algorithms. 

Data compression may be supported. 

A well thought out and designed monitoring system will provide valuable information that will

allow information technology (IT) professionals the ability to: 

Conduct security audits and locate vulnerabilities 

Maintain regulatory compliance 

Maintain proper performance levels 

Verify network availability 

WIPS features:

  • Use of hardware sensors for monitoring
  • 24x7x365 monitoring
  • Mitigation features (containment, blocking, notifications, etc)
  • Provide notifications of threats through a variety of mechanisms
  • Detection of threats to the wireless infrastructure such as denial of service (DoS) attacks and rogue APs
  • Built-in reporting systems
  • Integrated RF spectrum analysis to monitor and view the RF spectrum
  • Validate compliance with corporate security policy and legislative compliance
  • Capable of retaining collected data for further forensic investigation
  • Location of RF devices

**********************************************************************************

For RF location features to work in most WIPS solutions, the RF environment must be properly sampled with a calibration process during installation and configuration.

**********************************************************************************

Functional Policy defines technical aspects of network security.  Functional policy includes:

  • Password policy
  • Acceptable use policy
  • Authentication and encryption policy
  • Wireless LAN access policy
  • Wireless LAN monitoring policy
  • Endpoint device policy
  • Personal device policy

Examples of legislated security requirements include the following:

  • Directive 8100.2 (DoD)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Sarbanes-Oxley (SOX)
  • Gramm-Leach-Bliley Act (GLBA)
  • Payment Card Industry (PCI) Data Security Standard (DSS)

********************************************************************************

To ensure that an assessment of network security is exhaustive, the auditor should start with a list of wireless security solutions in use.  Each solution should be tested for strength and proper configuration.

********************************************************************************

********************************************************************************

Wi-Fi client devices are uniquely identified based on their MAC addresses.  If a user inserts a USB Wi-Fi adapter and uses it instead of the built-in adapter of a laptop, for example, he may not be able to access the network as the WIPS system may not recognize client computers, but rather it may recognize the adapters in those computers.

*********************************************************************************

Three common phases of rogue management:

  • Rogue detection – Rogue devices detected by RRM scanning, their attempts to associate, or with RF spectrum activity.  The different WIPS solutions will do this in varied ways.
  • Classification – rogues can be classified as wired or unwired by many systems. 
  • Mitigation/Containment – switch ports can be shutdown, the location of the rogue can be identified and the rogue can be contained – usually through the use of deauthentication frames.

************************************************************************************

WNMS solutions may use SNMPv3 to execute secure configuration commands against APs and other devices when supported.

A WNMS can identify and display authentication types in use on a per-association basis.

A WNMS can be configured with graphical floor plans that encompass multiple floors of multiple buildings.  The WNMS can then display coverage maps and identify user locations.

************************************************************************************

************************************************************************************

When using a WLAN protocol analyzer, special drivers are typically used.  These drivers may not offer the full supplicant feature set of the normal use-case drivers.  After performing protocol analysis, it is important to revert drivers back to the standard use-case drivers for network access.

************************************************************************************

802.11 users specialized frames for:

  • Data (10)
  • Control (01)
  • Management (00)

802.3 frames support a maximum MSDU payload size of 1500 bytes or octets (jumbo frames aside)

802.11 frames support a maximum MSDU payload size of 2304 bytes (larger in 11n and 11ac)

**********************************************************************************

The right adapter must be chosen to perform protocol analysis with a given software solution.  Most internal adapters do not work with most protocol analyzers for Wi-Fi frame captures and USB adapters are often used for this reason.

***********************************************************************************