Chapter 28 - Securing Wireless Networks Flashcards

1
Q

True or False. If a wireless connection is left unsecured, any wireless device in range of the sender could intercept it.

A

True. This is why all wireless traffic (even LAN) should be encrypted.

2
Q

What is a Group Key?

A
  • An encryption key that is used when an AP wants to send data to all devices associated with it at once.
  • All clients associated with the AP keep this key so they can decrypt the traffic sent using the group key.
3
Q

What is MIC?

A
  • Message Integrity Check
  • A security mechanism used to protect against data tampering. The sender computes a value from the frame's data and adds it to the frame in a new header field (the MIC field). The receiver runs the same algorithm that the sender used over the received data and compares the result with the MIC field. If the two match, the data has not been tampered with.
  • If the MICs are different, the frame is discarded.
4
Q

What are the two original wireless authentication methods?

A
  • Open Authentication
  • WEP (Wired Equivalent Privacy)
5
Q

What is Open Authentication?

A
  • A disused, weak wireless authentication method
  • No authentication credentials are required. When a client attempts to connect to an AP it sends an 802.11 authentication request, but the request carries no authentication details. It only proves that the wireless device is 802.11 compatible; as long as it is, the AP accepts the authentication request.
  • Normally used in places like shopping centres where anyone can join, but you must accept terms and enter some details to authenticate after association.
6
Q

What is WEP?

A
  • A disused, weak wireless authentication method that also provides encryption
  • Wired Equivalent Privacy
  • Uses the RC4 cipher algorithm to make wireless data private and hidden from eavesdroppers. The key used to encrypt and decrypt is a series of bits called a WEP key.
  • Also known as a shared-key security method, meaning that the encryption key must be shared with the sender and receiver ahead of time so that any client can attempt association.
  • Also used for authentication. The AP sends a random challenge phrase to the client that is attempting to associate. The client encrypts the phrase with its WEP key and returns it. If the client’s and AP’s WEP keys match, the client can associate. This confirms that the shared key matches on the AP and client.
  • WEP keys can be either 40 or 104 bits long, represented by a string of 10 or 26 hex digits. These bits are combined with a 24-bit IV (Initialisation Vector) to make a 64- or 128-bit key.
7
Q

What is EAP?

A
  • Extensible Authentication Protocol
  • Used for authentication, although not an authentication method in itself. Defines functions that EAP-based authentication methods can use to authenticate users.
  • Integrates with 802.1x
8
Q

What is 802.1x?

A
  • Otherwise known as PNAC (Port-based Network Access Control)
  • Integrates with EAP. A device can be allowed to associate with an AP via open authentication, but EAP and 802.1x will not allow the device to transmit data over the network until it has authenticated with an external server (e.g. RADIUS). Until then, the only data allowed through is EAP authentication traffic.
9
Q

What are the 3 parties that exist in an 802.1x exchange?

A
  • Supplicant - The client device that is requesting access
  • Authenticator - The network device that provides access to the network (e.g. WLC)
  • Authentication Server - The device that takes the supplicant’s credentials and permits or denies network access based on the server’s database and policies (e.g. RADIUS)
10
Q

What are the different EAP methods?

A
  • LEAP - Lightweight EAP
  • EAP-FAST - EAP Flexible Authentication by Secure Tunneling
  • PEAP - Protected EAP
  • EAP-TLS - EAP Transport Layer Security
11
Q

What is LEAP?

A
  • An EAP Authentication method
  • Lightweight EAP
  • Developed by Cisco as an early attempt to resolve the security issues with WEP by using dynamic WEP keys that changed over time.
  • Uses username and password authentication
  • The client and authentication server each send a challenge message; the other side encrypts it and returns it to the originator, providing mutual authentication. As long as the returned message can be decrypted, the client and server have successfully authenticated each other.
  • Although wireless devices still support LEAP, it should not be used: it is insecure because of the method used to encrypt the challenge messages.
12
Q

What is EAP-FAST?

A
  • An EAP Authentication method
  • EAP Flexible Authentication by Secure Tunnelling
  • Developed by Cisco to improve upon the insecure LEAP
  • Authentication credentials are protected by passing a PAC (Protected Access Credential) from the authentication server to the supplicant. The PAC is generated by the authentication server and is used for mutual authentication.
  • The 3 phases of the EAP-FAST process are:
    - Phase 0 - The PAC is generated or provisioned and installed on the client
    - Phase 1 - After the supplicant and authentication server have successfully authenticated each other, they negotiate a TLS tunnel between each other
    - Phase 2 - The supplicant is then authenticated through the TLS tunnel for extra security
  • Phases 1 and 2 are known as the outer and inner stages of a two-stage authentication method
  • A RADIUS server is required. In order to be able to generate PACs, it must also act as an EAP-FAST server.
  • One PAC per user
13
Q

What is PEAP?

A
  • An EAP Authentication Method
  • Protected EAP
  • Similar process to EAP-FAST; however, rather than using a PAC generated by the authentication server, the server uses a digital certificate to authenticate itself to the supplicant in the outer phase of authentication. If the supplicant is satisfied with the identity of the authentication server, the two build a TLS tunnel (like EAP-FAST) to be used for the inner phase of authentication.
  • The certificate identifies its owner and is signed (validated) by a third-party Certificate Authority (CA) that is trusted by both the authentication server and the supplicant.
  • The supplicant doesn’t have its own certificate to validate, so it uses one of the two following methods to authenticate itself within the TLS tunnel:
    - MSCHAPv2 - Microsoft Challenge-Handshake Authentication Protocol v2
    - GTC - Generic Token Card - A hardware device that generates a one-time password for the supplicant, or a manually generated password.
14
Q

What is EAP-TLS?

A
  • An EAP Authentication Method
  • EAP - Transport Layer Security
  • Requires a certificate to be installed on the authentication server and every client
  • Builds a TLS tunnel following the certificate exchange.
  • Considered to be the most secure wireless authentication method available
  • You don’t need to manually install a certificate on every client. You can use a PKI (Public Key Infrastructure) to supply and revoke certificates when necessary. This normally involves setting up a CA or building a trust relationship with a third-party CA.
  • Only applicable to devices that can accept and use digital certificates. For example, medical devices with underlying operating systems that cannot interface with a CA or use certificates would not be able to use EAP-TLS for wireless security.
15
Q

What are the recommended alternatives to WEP as privacy and integrity methods?

A
  • TKIP - Temporal Key Integrity Protocol
  • CCMP - Counter/CBC MAC Protocol
  • GCMP - Galois/Counter Mode Protocol
16
Q

What is TKIP?

A
  • Temporal Key Integrity Protocol
  • Designed to be a temporary replacement for WEP with better data encryption and data integrity
  • Used in WPA
  • Now a disused security method
  • Builds on WEP by adding the following security features:
    - MIC - Adds the MIC field to each frame as a data integrity check to prevent tampering. Also referred to as “Michael”
    - Time Stamp - Adds a time stamp to the MIC field to prevent replay attacks that attempt to reuse frames that have already been sent
    - Sender’s MAC Address - Adds the source of the frame to the MIC field as proof of the sender
    - TKIP Sequence Counter - Provides a record of frames sent by a MAC address to prevent replay attacks
    - Key Mixing Algorithm - Computes a unique 128-bit WEP key for each frame
    - Longer IV (Initialisation Vector) - The IV size is doubled from 24 to 48 bits, making it much more difficult to exhaust all WEP keys via brute-force attack
17
Q

What is CCMP?

A
  • Counter/CBC MAC Protocol
  • Replaces TKIP for even better security
  • Used in WPA2
  • Consists of two separate algorithms:
    - AES (counter mode) - Advanced Encryption Standard
    - CBC-MAC - Cipher Block Chaining Message Authentication Code, used as a MIC
  • AES is the most secure encryption method available today
  • Devices must support CCMP in order to use it, which many legacy devices don’t.
  • If a device supports WPA2, it supports CCMP.
18
Q

What is GCMP?

A
  • Galois/Counter Mode Protocol
  • More secure and efficient than CCMP and allows for higher throughput
  • Used in WPA3
  • Consists of two algorithms:
    - AES (counter mode) - Advanced Encryption Standard
    - GMAC - Galois Message Authentication Code, used as a MIC
  • If a device supports WPA3, it supports GCMP.
19
Q

What does WPA stand for?

A

Wi-Fi Protected Access

20
Q

Who is WPA developed and maintained by?

A

The Wi-Fi Alliance

21
Q

Which WPA versions were based on which privacy and integrity methods?

A
  • WPA was based on TKIP
  • WPA2 was based on AES CCMP
  • WPA3 was based on GCMP
22
Q

Which WPA version also uses PMF, Forward Secrecy, and SAE?

What is PMF? What is SAE? What is Forward Secrecy?

A
  • WPA3 uses these. PMF is also optional in WPA2.
  • SAE (Simultaneous Authentication of Equals) - Protects the four-way handshake used to exchange PSKs when using personal mode authentication
  • PMF (Protected Management Frames) - Secures the management frames sent between APs and clients, which could otherwise be used for malicious purposes
  • Forward Secrecy - Even if an attacker is able to compromise a PSK, this prevents them from using a key to decrypt data that has already been transmitted.
23
Q

Which WPA methods support authentication with PSKs?

A

WPA, WPA2, and WPA3

24
Q

Which WPA methods support authentication with 802.1x?

A

WPA, WPA2, and WPA3

25
Q

Which WPA methods support encryption with TKIP?

A

WPA

26
Q

Which WPA methods support encryption with CCMP?

A

WPA2

27
Q

Which WPA methods support encryption with GCMP?

A

WPA3

28
Q

What is Personal Mode authentication?

A
  • Authentication using PSKs
  • Generally used across smaller deployments
  • Clients must enter a PSK configured on an AP before being allowed to associate
  • The PSK is never sent between client and AP. Instead, both parties go through a four-way handshake that lets them derive encryption key material from the PSK, and only that derived material is exchanged.
  • WPA and WPA2 personal modes can be compromised: a malicious user could capture the key material exchanged between client and AP during the handshake and then use a dictionary attack to automate guessing the PSK. WPA3 gets around this using SAE (Simultaneous Authentication of Equals).
29
Q

What is Enterprise Mode authentication?

A
  • Authentication using 802.1x
  • Generally used across larger deployments
  • All EAP methods are supported
30
Q

What are examples of Authentication Methods?

A
  • Open Authentication
  • WEP (Also used for encryption)
  • EAP (LEAP, EAP-FAST, PEAP, EAP-TLS)
31
Q

What are examples of Encryption and Integrity Methods?

A
  • TKIP
  • CCMP
  • GCMP
  • WEP (Also used for authentication)
32
Q

What are the three 802.11 authentication states? Which one must stations be in in order to send traffic through an AP?

A
  • Not authenticated, not associated
  • Authenticated, not associated
  • Authenticated, associated - Stations should be in this state if they wish to send traffic through an AP.
33
Q

What messages are sent when a station attempts to associate with an AP?

A
  • The station sends a probe request to learn about what APs are available
  • The AP sends a probe response to inform the station that it is available for association
  • The station then sends an authentication request, which may contain a password
  • The AP then responds with an authentication response confirming whether authentication was successful or not
  • If the authentication was successful, the station then sends an association request
  • If the AP accepts the association, it sends a successful association response
34
Q

What are the two forms of scanning that a station can perform in order to locate a BSS?

A
  • Active Scanning - The station sends a probe request and listens for a probe response from an AP about a BSS.
  • Passive Scanning - The station listens for beacon messages from an AP.
35
Q

What are beacons?

A
  • Beacons are messages sent periodically by APs to advertise BSSs.
  • They can include SSID, timestamp info, auth info, data transfer speed info, and vendor specific info
36
Q

What are the different 802.11 message types? Provide examples

A
  • Management frames - Used to manage the BSS (e.g. Beacons, Probes, Authentication and association messages)
  • Control Frames - Used to control access to the medium (radio frequency). Assists with the delivery of management and data frames. (e.g. RTS and CTS messages used in CSMA/CA, ACK messages)
  • Data Frames - Used to send actual data.
37
Q

True or False. Devices connected on a WLAN can use whatever encryption protocol they deem necessary.

A

False. All devices on a WLAN must use the same encryption protocol so that they can successfully decrypt received messages and vice versa.

38
Q

What are the options in the Layer 2 Security dropdown of the Layer 2 tab of a WLC in WLAN configuration?

A
  • None
  • WPA+WPA2
  • 802.1x
  • Static WEP
  • Static WEP + 802.1x
  • CKIP
  • None + EAP Passthrough
39
Q

What are the options in the Layer 3 Security dropdown of the Layer 3 tab of a WLC in WLAN configuration?

A
  • None
  • IPSEC
  • VPN pass through
  • Web authentication
  • Web passthrough