Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

Similar documents
Wireless Attacks and Countermeasures

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Chapter 24 Wireless Network Security

Security in IEEE Networks

Appendix E Wireless Networking Basics

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

Wireless LAN Security. Gabriel Clothier

Wireless# Guide to Wireless Communications. Objectives

Wireless technology Principles of Security

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

A Configuration Protocol for Embedded Devices on Secure Wireless Networks

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

CSNT 180 Wireless Networking. Chapter 7 WLAN Terminology and Technology

FAQ on Cisco Aironet Wireless Security

Wireless Network Security Spring 2016

What is a Wireless LAN? The wireless telegraph is not difficult to understand. The ordinary telegraph is like a very long cat. You pull the tail in Ne

What is Eavedropping?

Wireless Security Protocol Analysis and Design. Artoré & Bizollon : Wireless Security Protocol Analysis and Design

CSMC 417. Computer Networks Prof. Ashok K Agrawala Ashok Agrawala. Fall 2018 CMSC417 Set 1 1

Wireless Networking Basics. Ed Crowley

Wireless Network Security Spring 2015

5 Tips to Fortify your Wireless Network

Securing Wireless Networks by By Joe Klemencic Mon. Apr

4.4 IEEE MAC Layer Introduction Medium Access Control MAC Management Extensions

Wireless Protocols. Training materials for wireless trainers

Network Encryption 3 4/20/17

How Insecure is Wireless LAN?

Configuring Cipher Suites and WEP

Wireless Terms. Uses a Chipping Sequence to Provide Reliable Higher Speed Data Communications Than FHSS

WarDriving. related fixed line attacks war dialing port scanning

CITS3002 Networks and Security. The IEEE Wireless LAN protocol. 1 next CITS3002 help3002 CITS3002 schedule

Configuring Layer2 Security

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

CSCD 433/533 Advanced Networking

Wireless Security Security problems in Wireless Networks

Wi-Fi Scanner. Glossary. LizardSystems

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

Wireless Security i. Lars Strand lars (at) unik no June 2004

Mobile Security Fall 2013

Configuring WEP and WEP Features

IEEE Wireless LANs

Securing a Wireless LAN

WPA Migration Mode: WEP is back to haunt you

TopGlobal MB8000 Hotspots Solution

CSC344 Wireless and Mobile Computing. Department of Computer Science COMSATS Institute of Information Technology

WL-5420AP. User s Guide

Table of Contents 1 WLAN Service Configuration 1-1

Overview of Security

Karthik Pinnamaneni COEN 150 Wireless Network Security Dr. Joan Holliday 5/21/03

Physical and Link Layer Attacks

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 8

Wireless Network Security

Network Security: WLAN Security. Tuomas Aura T Network security Aalto University, Nov-Dec 2012

Wednesday, May 16, 2018

NWD2705. User s Guide. Quick Start Guide. Dual-Band Wireless N450 USB Adapter. Version 1.00 Edition 1, 09/2012

Exam HP2-Z32 Implementing HP MSM Wireless Networks Version: 7.1 [ Total Questions: 115 ]

Wireless Network Security

Securing Wireless LANs with Certificate Services

Basic processes in IEEE networks

Wireless LANs. ITS 413 Internet Technologies and Applications

The 8 th International Scientific Conference DEFENSE RESOURCES MANAGEMENT IN THE 21st CENTURY Braşov, November 14 th 2013

Network Security: WLAN Security. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

The following chart provides the breakdown of exam as to the weight of each section of the exam.

Mobile MOUSe WIRELESS TECHNOLOGY SPECIALIST ONLINE COURSE OUTLINE

ECHONET Lite SPECIFICATION. ECHONET Lite System Design Guidelines 2011 (2012) ECHONET CONSORTIUM ALL RIGHTS RESERVED

Network Security and Cryptography. 2 September Marking Scheme

Wireless Network Security Fundamentals and Technologies

Wireless Networks. Authors: Marius Popovici Daniel Crişan Zagham Abbas. Technical University of Cluj-Napoca Group Cluj-Napoca, 24 Nov.

Chapter 17. Wireless Network Security

Wireless Network Security

Frequently Asked Questions WPA2 Vulnerability (KRACK)

WPA-GPG: Wireless authentication using GPG Key

LESSON 12: WI FI NETWORKS SECURITY

Basic Wireless Settings on the CVR100W VPN Router

Standard For IIUM Wireless Networking

Overview of IEEE b Security


Configuring Management Frame Protection

1. INTRODUCTION. Wi-Fi 1

WPA SECURITY (Wi-Fi Protected Access) Presentation. Douglas Cheathem (csc Spring 2007)

Seamless Yet Secure -Hotspot Roaming

Wireless Router at Home

COPYRIGHTED MATERIAL. Index

Worldwide Release. Your world, Secured ND-IM005. Wi-Fi Interception System

02/21/08 TDC Branch Offices. Headquarters SOHO. Hot Spots. Home. Wireless LAN. Customer Sites. Convention Centers. Hotel

Guide to Wireless Communications, Third Edition. Objectives

Last Lecture: Data Link Layer

Interworking Evaluation of current security mechanisms and lacks in wireless and Bluetooth networks ...

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

WIRELESS EVIL TWIN ATTACK

Configuring WLANsWireless Device Access

Configuring the Xirrus Array

Wireless LAN Security (RM12/2002)

Release Notes for Avaya WLAN 9100 AOS-Lite Operating System WAP9112 Release WAP9114 Release 8.1.0

Overview of IEEE Networks. Timo Smura

CWA-854HT 54 Mbps Wireless-G High Transmission Access Point User s Guide

WLAN Roaming and Fast-Secure Roaming on CUWN

New Windows build with WLAN access

Transcription:

Outline 18-759: Wireless Networks Lecture 10: 802.11 Management Peter Steenkiste Departments of Computer Science and Electrical and Computer Engineering Spring Semester 2016 http://www.cs.cmu.edu/~prs/wirelesss16/ Peter A. Steenkiste, CMU 1 Brief history 802 protocol overview Wireless LANs 802.11 overview 802.11 MAC, frame format, operations 802.11 management 802.11 security 802.11 power control 802.11* 802.11 QoS Peter A. Steenkiste, CMU 2 Management and Control Services 802.11: Infrastructure Reminder Association management Handoff Security: authentication and privacy Power management QoS Peter A. Steenkiste, CMU 3 STA 1 ESS 802.11 LAN BSS 1 Access Point BSS 2 Portal Distribution System Access Point 802.x LAN STA 2 802.11 LAN STA 3 Station (STA)» terminal with access mechanisms to the wireless medium and radio contact to the access point Access Point» station integrated into the wireless LAN and the distribution system Basic Service Set (BSS)» group of stations using the same AP Portal» bridge to other (wired) networks Distribution System» interconnection network to form one logical network (ESS: Extended Service Set) based on several BSS Peter A. Steenkiste, CMU 4 Page 1

Service Set Identifier - SSID Association Management Mechanism used to segment wireless networks» Multiple independent wireless networks can coexist in the same location» Effectively the name of the wireless network Each AP is programmed with a SSID that corresponds to its network Client computer presents correct SSID to access AP Security Compromises» AP can be configured to broadcast its SSID» Broadcasting can be disabled to improve security» SSID may be shared among users of the wireless segment Peter A. Steenkiste, CMU 5 Stations must associate with an AP before they can use the wireless network» AP must know about them so it can forward packets» Often also must authenticate Association is initiated by the wireless host involves multiple steps: 1. Scanning: finding out what access points are available 2. Selection: deciding what AP (or ESS) to use 3. Association: protocol to sign up with AP involves exchange of parameters 4. Authentication: needed to gain access to secure APs manyoptions possible Disassociation: station or AP can terminate association Peter A. Steenkiste, CMU 6 Association Management: Scanning Association Management: Selecting an AP and Joining Stations can detect AP based by scanning Passive Scanning: station simply listens for Beacon and gets info of the BSS» Beacons are sent roughly 10 times per second» Power is saved Active Scanning: station transmits Probe Request; elicits Probe Response from AP» Saves time + is more thorough» Wait for 10-20 msec for response Scanning all available channels can become very time consuming!» Especially with passive scanning» Cannot transmit and receive frames during most of that time not a big problem during initial association Peter A. Steenkiste, CMU 7 Selecting a BSS or ESS typically must involve the user» What networks do you trust? Are you willing to pay?» Can be done automatically based on stated user preferences (e.g. the automatic list in Windows) The wireless host selects the AP it will use in an ESS based on vendor-specific algorithm» Uses the information from the scan» Typically simply joins the AP with the strongest signal Associating with an AP» Synchronization in Timestamp Field and frequency» Adopt PHY parameters» Other parameters: BSSID, WEP, Beacon Period, etc. Peter A. Steenkiste, CMU 8 Page 2

Association Management: Roaming Association Management: Reassociation Algorithms Reassociation: association is transferred from active AP to a new target AP» Supports mobility in the same ESS layer 2 roaming Reassociation is initiated by wireless host based on vendor specific algorithms» Implemented using an Association Request Frame that is sent to the new AP» New AP accepts or rejects the request using an Association Response Frame Coordination between APs is defined in 802.11f» Allows forwarding of frames in multi-vendor networks» Inter-AP authentication and discovery typically coordinated using a RADIUS server» Fast roaming support (802.11r) also streamlines authentication and QoS, e.g. for VoIP Peter A. Steenkiste, CMU 9 Failure driven: only try to reassociate after connection to current AP is lost» Typically efficient for stationary clients since it not common that the best AP changes during a session» Mostly useful for nomadic clients» Can be very disruptive for mobile devices Proactive reassociation: periodically try to find an AP with a stronger signal» Tricky part: cannot communicate while scanning other channels» Trick: user power save mode to hold messages» Throughput during scanning is still affected though Mostly affects latency sensitive applications Peter A. Steenkiste, CMU 10 Ex. Outline Brief history 802 protocol overview Wireless LANs 802.11 overview 802.11 MAC, frame format, operations 802.11 management 802.11 security 802.11 power control 802.11* 802.11 QoS Peter A. Steenkiste, CMU 11 Peter A. Steenkiste, CMU 12 Page 3

WLAN Security Requirements Security in 802.11b Authentication: only allow authorized stations to associate with and use the AP Confidentiality: hide the contents of traffic from unauthorized parties Integrity: make sure traffic contents is not modified while in transit WEP: Wired Equivalent Privacy» Achieve privacy similar to that on LAN through encryption» Intended to provide both privacy and integrity» RC4 and CRC32» Has known vulnerabilities WPA: Wi-Fi Protected Access» Larger, dynamically changed keys 802.1x: port-based authentication for LANs» Port-based authentication for LANs 802.11i (WPA2)» Builds on WPA» Uses AES for encryption Peter A. Steenkiste, CMU 13 Peter A. Steenkiste, CMU 14 WLAN Security Exploits WLAN Security Exploits Insertion attacks» Unauthorized Clients or AP Client-to-Client Attacks» DOS - duplicate MAC or IP addresses» Can also be used to get free service on secured APs Interception and unauthorized monitoring» Packet Analysis by sniffing listening to all traffic Jamming denial of service» Cordless phones, baby monitors, leaky microwave oven, etc. Brute Force Attacks Against AP Passwords» Dictionary Attacks Against SSID Encryption Attacks» Exploit known weaknesses of WEP Misconfigurations» APs ship in an unsecured configuration» Many people use APs with default configuration Peter A. Steenkiste, CMU 15 Peter A. Steenkiste, CMU 16 Page 4

MAC Filtering Wired Equivalent Privacy WEP Each client identified by its 802.11 NIC Mac Address Each AP can be programmed with the set of MAC addresses it accepts Combine this filtering with the AP s SSID Very simple solution» Some overhead to maintain list of MAC addresses But it is possible to forge MAC addresses» Unauthorized client can borrow the MAC address of an authenticated client» Built in firewall will discard unexpected packets Employs RC4 to Encrypt/Decrypt data» RC4 is a stream cypher based on a symmetric algorithm» 40 bit encryption key is supplied by the user» 24 bit initialization vector (IV) is supplied in the header» 64 bit string is seed for PRNG to generate a key sequence» 40 and 64 bit WEP are the same thing ICV (integrity check value) is computed for plaintext (CRC-32) ICV is appended to plaintext to create data string Key Sequence is XORéd to data string to create ciphertext Ciphertext and IV are sent to receiver 128-bit encryption uses a 104+24 bit key Peter A. Steenkiste, CMU 17 Peter A. Steenkiste, CMU 18 WEP-Based Security Discussion WEP Authentication WEP has known vulnerabilities Key can be cracked with a couple of hours of computing» IV transmitted in the clear» No protocol for encryption key distribution» Clever optimizations can reduce time to minutes All data then becomes vulnerable to interception» WEP typically uses a single shared key for all stations The CRC32 check is also vulnerable so that the data could be altered as well» Can makes changes without even decrypting! 128-bit WEP encryption is recommended Access request by client Challenge text sent to client by AP Challenge text encoded by client using shared secret then sent to AP If challenge text encoded properly, AP allows access; else access is denied Peter A. Steenkiste, CMU 19 Peter A. Steenkiste, CMU 20 Page 5

Port-based Authentication Wi-Fi Protected Access WPA 802.1x is the IEEE standard for portbased authentication Users get a username/password to access the access point Was originally defined for switches but extended to APs Can be used to bootstrap other security mechanisms» Effectively creating a session Peter A. Steenkiste, CMU 21 Introduced by Wi-Fi Alliance as an interim solution after WEP flaws were published» Uses a different Message Integrity Check» Encryption still based on RC4, but uses 176 bit key (48bit IV) and keys are changed periodically» Also frame counter in MIC to prevent replay attacks. Can be used with 802.1x authentication (optional)» It generates a long WPA key that is randomly generated, uniquely assigned and frequently changed.» Attacks are still possible since people sometimes use short, poorly random WPA keys that can be cracked 802.11i is a permanent security fix» Builds on the interim WPA standard (i.e. WPA2)» Replaces RC4 by the more secure Advanced Encryption Standard (AES) block encryption» Better key management and data integrity» Uses 802.1x for authentication. Peter A. Steenkiste, CMU 22 Wireless Security Authentication in WLAN Hotspots Security is not just about authentication and encryption Must also consider business and deployment issues» AAA: Authentication, Authorization, and Accounting» Supporting users at different levels Upon association with the AP, only authentication traffic can pass through, as defined by IEEE 802.1x not authenticated Authentication traffic only authenticated Peter A. Steenkiste, CMU 23 The protocol used to transport authentication traffic is the Extensible Authentication Protocol (EAP - RFC3748) Peter A. Steenkiste, CMU 24 Page 6

Dual SSID Approach 802.1x and EAP Protocol Execution Broadcasted SSID: mobile Hidden SSID: mobile-eapsim 802.1x enabled AP VLAN1 : Public IP pool A 10.0.4.X VLAN2 : Management VLAN3 : User Traffic IP pool B 10.0.2.Y DHCP server Subscriber Information System HLR-proxy User traffic Authentication traffic Billing interface Radius Operator Services CDRs (charging data) Home Agent IP Internet Peter A. Steenkiste, CMU 25 Public Service Access to DHCP server WPA/WEP encryptio n key Peter A. Steenkiste, CMU 26 Best Practices for WiFi Security Wardriving Use WPA2» Widely supported today» If not available, use WEP or WPA Better than no security plus some possible legal benefits Change the default configuration of your AP:» Change default passwords on APs» Don t name your AP by brand name» Don t name your AP by model #» Change default SSID Use MAC filtering if available Use a VPN or application layer encryption» Must assume that wireless segment is untrusted» Provides end-to-end encryption is what you want! Peter A. Steenkiste, CMU 27 The act of locating and possibly exploiting to a wireless network while driving around a city You need a vehicle, a laptop, a wireless PC card and some kind of antenna People can intercept your wireless signal when the signal exceeds your building http://www.wardriving.com Is this legal?? Peter A. Steenkiste, CMU 28 Page 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback