WLAN Security Overview
This chapter explores the basic terminology of WLAN security, discusses the organizations that create the standards, certifications, and recommendations that guide and direct wireless security, and introduces wireless security standards and certifications.
Contents
Standards organizations: International Organization for Standardization (ISO); Institute of Electrical and Electronics Engineers (IEEE); Internet Engineering Task Force (IETF); Wi-Fi Alliance
802.11 networking basics
802.11 security basics: Data privacy; Authentication, authorization, accounting (AAA); Segmentation; Monitoring; Policy
802.11 security history
802.11i security amendment and WPA certifications
RSN
The future of 802.11 security
Introduction
The 802.11-2007 standard defines wireless local area network (WLAN) technology. A central concern with Wi-Fi communications is the ability to transmit data securely over a wireless medium and to properly protect wired network resources. This concern is as valid now as it was in 1997, when 802.11 was introduced.
Standards Organizations
The International Organization for Standardization (ISO): its Open Systems Interconnection (OSI) model is the architectural model for data communications.
The Institute of Electrical and Electronics Engineers (IEEE): creates standards for compatibility and coexistence between networking equipment, including wireless equipment.
The Internet Engineering Task Force (IETF): creates Internet standards, covering wireless networking, security protocols and more.
The Wi-Fi Alliance: performs certification testing to ensure that wireless networking equipment conforms to the 802.11 WLAN communication guidelines, similar to the IEEE 802.11-2007 standard.
International Organization for Standardization (ISO)
ISO is a global, non-governmental organization. It identifies the needs of business, government, and society and develops standards in partnership with the sectors that will put them to use. Its creation, the Open Systems Interconnection (OSI) model, has been the standard reference for data communications between computers since the late 1970s.
International Organization for Standardization (ISO)
The layers of the OSI model are as follows:
Layer 7, Application
Layer 6, Presentation
Layer 5, Session
Layer 4, Transport
Layer 3, Network
Layer 2, Data-Link (LLC sublayer and MAC sublayer)
Layer 1, Physical
The IEEE 802.11-2007 standard defines communication mechanisms only at the Physical layer and the MAC sublayer of the Data-Link layer.
Institute of Electrical and Electronics Engineers (IEEE)
The IEEE is a global professional society with more than 350,000 members. Its mission is to foster technological innovation and excellence for the benefit of humanity. The IEEE is probably best known for its LAN standards, the IEEE 802 project. IEEE projects are subdivided into working groups that develop standards addressing specific problems or needs: the IEEE 802.3 working group created the standard for Ethernet, and the IEEE 802.11 working group created the WLAN standard (the 11 denotes the 11th working group).
Institute of Electrical and Electronics Engineers (IEEE)
IEEE 802.11, more commonly referred to as Wi-Fi, is the standard for providing LAN communications using radio frequencies (RF). The 802.11-2007 standard is the most current guideline providing operational parameters for WLANs. Within working groups, task groups are formed; each task group is assigned a sequential single letter that is added to the end of the standard number, e.g. 802.11g, 802.11i, and 802.3af.
Internet Engineering Task Force (IETF)
The IETF is an international community of people in the networking industry whose goal is to make the Internet work better. There are no membership fees, and anyone may register for and attend an IETF meeting. It is one of five main groups that are part of the Internet Society (ISOC): IAB, ICANN, IESG, IRTF, and IETF. The IETF is broken into eight subject matter areas: Applications, General, Internet, Operations and Management, Real-Time Applications and Infrastructure, Routing, Security, and Transport.
Internet Engineering Task Force (IETF)
The output of a working group is a Request for Comments (RFC). RFCs describe network protocols, services, or policies and may evolve into an Internet standard. They are numbered sequentially and numbers are never reused; an RFC is updated or supplemented by higher-numbered RFCs. For example, Mobile IPv4 is described in RFC 3344 and updated in RFC 4721; when RFC 3344 was created, it made RFC 3220 obsolete. The top of an RFC document states whether it is updated by another RFC and whether it makes any other RFCs obsolete.
Wi-Fi Alliance
Originally named the Wireless Ethernet Compatibility Alliance (WECA), the organization was founded in August 1999 and renamed the Wi-Fi Alliance in October 2002. It is a global, nonprofit industry association promoting the growth of WLANs. Its primary tasks are to market the Wi-Fi brand and to raise consumer awareness of new 802.11 technologies; 450 million users immediately recognize the Wi-Fi logo.
Wi-Fi Alliance
Its main task is to ensure the interoperability of WLAN products through certification testing. Products that pass the Wi-Fi certification process receive a Wi-Fi Interoperability Certificate (next slide), which provides detailed information about the individual product's Wi-Fi certifications. This certification covers radio interoperability such as 802.11a and 802.11b plus additional capabilities: security, multimedia, convergence, and supported special features.
Wi-Fi Alliance: Wi-Fi Interoperability Certificate example (iPhone 4S)
802.11 Networking Basics
Wireless bridge links provide connectivity between buildings in the same way that county or state roads distribute traffic between neighbourhoods. The purpose of wireless bridging is to connect two separate wired networks wirelessly. An 802.11 bridge link is an example of wireless technology implemented at the distribution layer.
802.11 Security Basics
Securing a wireless 802.11 network typically requires five major components:
Data privacy
Authentication, authorization, and accounting (AAA)
Segmentation
Monitoring
Policy
802.11 Security Basics
Because data is transmitted freely and openly in the air, proper protection is needed to ensure data privacy, so strong encryption is required. The wireless portal must be protected, so an authentication solution is needed to ensure that only authorized users can pass through the portal via a wireless access point. After users have been authorized to pass through the wireless portal, VLANs and identity-based mechanisms are needed to further restrict access to network resources (segmentation). 802.11 wireless networks can be further protected by continuous monitoring with a wireless intrusion detection system (monitoring). All of these security components should be cemented with policy enforcement.
Data Privacy
In 802.11 wireless, all data transmissions travel in the open air. Data privacy in a wired network is easier because physical access to the wired medium is more restricted, whereas wireless transmissions are available to anyone in listening range. Cipher encryption technologies obscure information and so provide proper data privacy in wireless networks. A cipher is an algorithm used to perform encryption.
Data Privacy
Encrypting and decrypting information forms the science known as cryptology. The term cryptology comes from the Greek language and translates as hidden word. The goal is to take a piece of information, often referred to as plaintext, and, using a process or algorithm, also referred to as a key or cipher, transform the plaintext into encrypted text, also known as ciphertext.
Data Privacy
Steganography comes from the Greek language and translates as concealed writing. Steganography vs. cryptography: steganography strives to hide the fact that there is a message at all. This is often referred to as security through obscurity or hiding a message in plain sight. A classic example is to write a document in which the first letter of each sentence or word spells out the hidden message. Case: speaking in a different language?
Data Privacy
An application of steganography is digital watermarking, which embeds an artist's or photographer's information in an image so that ownership can be proven if someone uses the image without permission. Case: Microsoft Word.
Authentication, Authorization, Accounting (AAA)
Authentication is the verification of user identity and credentials. Users must identify themselves and present credentials, such as usernames and passwords or digital certificates. More secure authentication systems use multifactor authentication, which requires at least two sets of different credentials to be presented. Authorization involves granting access to network resources and services; authentication must occur before authorization. Accounting is tracking the use of network resources by users. It is an important aspect of network security that keeps a paper trail of who used which resource and when: a record is kept of the user identity, which resource was accessed, and at what time.
Segmentation
Although it is of the utmost importance to secure an enterprise wireless network using both strong encryption and an AAA solution, an equally important aspect of wireless security is segmentation. It is important to separate users into proper groups. Once authorized onto network resources, users can be further restricted as to which resources they may access and where they can go. Segmentation can be achieved through a variety of means, including firewalls, routers, VPNs, and VLANs. The most common wireless segmentation strategy used in 802.11 enterprise WLANs is Layer 3 segmentation using VLANs.
Monitoring
After a wireless network has been designed and installed, it is important to monitor it. To make sure that it is performing up to your expectations and those of your users, it is necessary to monitor it constantly for attacks and intrusions. Just as CCTV monitors physical premises, it is important for the wireless network administrator to monitor the wireless traffic of a secured network, by installing a wireless intrusion detection system (WIDS) together with a wireless intrusion prevention system (WIPS). Both have the ability to classify valid and invalid devices on the network.
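As an added example (not part of the slides), here is a toy version of the device classification a WIDS/WIPS performs: observed beacons are checked against the administrator's inventory of authorized access points. The inventory, the beacons and the verdict labels are constructed assumptions for illustration, not any product's logic.

```python
from dataclasses import dataclass

# Constructed inventory (assumption): BSSID -> the SSID and channel the
# administrator expects that radio to use. All addresses here are made up.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "CorpWLAN", "channel": 6},
    "00:11:22:33:44:02": {"ssid": "CorpWLAN", "channel": 11},
}


@dataclass(frozen=True)
class Beacon:
    """One observed beacon frame, reduced to the fields a sensor would report."""
    bssid: str
    ssid: str
    channel: int


# Constructed observations, as a WIDS sensor sweep might report them.
OBSERVED_BEACONS = [
    Beacon("00:11:22:33:44:01", "CorpWLAN", 6),     # known AP on its expected channel
    Beacon("00:11:22:33:44:02", "CorpWLAN", 1),     # known AP, channel differs from inventory
    Beacon("AA:BB:CC:DD:EE:FF", "CorpWLAN", 6),     # unknown radio advertising the corporate SSID
    Beacon("DE:AD:BE:EF:00:01", "CoffeeShop", 11),  # unknown radio, unknown SSID
]


def classify(beacon, inventory=AUTHORIZED_APS):
    """Return 'authorized', 'channel-mismatch', 'rogue' or 'neighbor' for one beacon."""
    known = {k.lower(): v for k, v in inventory.items()}
    corp_ssids = {v["ssid"] for v in inventory.values()}
    expected = known.get(beacon.bssid.lower())
    if expected is not None:
        if beacon.ssid != expected["ssid"]:
            return "rogue"             # our BSSID, but a foreign SSID: possible impersonation
        if beacon.channel != expected["channel"]:
            return "channel-mismatch"  # investigate: reconfiguration or a spoofed BSSID
        return "authorized"
    if beacon.ssid in corp_ssids:
        return "rogue"                 # unknown radio impersonating the corporate network
    return "neighbor"                  # someone else's WLAN: track it, but not an intrusion


def classify_all(beacons, inventory=AUTHORIZED_APS):
    """Map each observed BSSID (lower-cased) to its classification."""
    return {b.bssid.lower(): classify(b, inventory) for b in beacons}


def rogue_bssids(beacons, inventory=AUTHORIZED_APS):
    """Sorted list of BSSIDs a WIDS would raise an alert on."""
    return sorted(b for b, v in classify_all(beacons, inventory).items() if v == "rogue")
```

The rogue verdicts are exactly the cases the next slide's policy question is about: a WIDS only helps if someone has decided in advance what to do with them.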
Policy
Securing a wireless network and monitoring for threats are absolute necessities, but both are worthless unless proper security policies are in place. What good is an 802.1X/EAP solution if the end users share their passwords? Why purchase an intrusion detection system if a policy has not been established for dealing with rogue access points? WLAN security policies must be clearly defined and enforced to solidify the effectiveness of all WLAN security components. In most countries, mandated regulations exist for protecting and securing data communications within all government agencies (USIM). In the United States, the National Institute of Standards and Technology (NIST) maintains the Federal Information Processing Standards (FIPS). Of special interest to wireless security is the FIPS 140-2 standard, which defines security requirements for cryptographic modules. Additionally, regulations exist for protecting information and communications in certain industries such as healthcare and banking.
Summary
This chapter explained the roles and responsibilities of four key organizations involved with wireless security and networking: ISO, IEEE, IETF and the Wi-Fi Alliance. It provided a basic understanding of the relationship between networking fundamentals and 802.11 technologies: the OSI model and the core, distribution, and access layers. It provided a basic knowledge of data privacy and some of the basic components of security: cryptology, cryptography, cryptanalysis, steganography, plaintext, key, cipher, ciphertext. It discussed the five major components typically required to secure an 802.11 network: data privacy; authentication, authorization, and accounting (AAA); segmentation; monitoring; policy. It also covered the 802.11 security history.