Chapter 7: Wireless Network Security

Question 1

What are some security concerns with wireless networks?

Answer 1

1. Channel: wireless networks typically involves broadcast communications which is more susceptible to eavesdropping and jamming. Active attacks that exploit vulnerabilities in communications protocols.
2. Mobility: wireless devices are more portable and mobile
3. Resources: wireless devices have sophisticated OS but limited memory and processing resources that can counter threats.
4. Accessibility: wireless devices may be left unattended, increases vulnerability to physical attacks.

Question 2

What are some wireless network security threats?

Answer 2

1. Accidental association: Wireless LANS in close proximity may create overlapping transmission ranges resulting in users accidentally connecting to the wrong LAN.
2. Malicious association: wireless device configured to appear legitimate, that enables the stealing of user credentials.
3. Ad hoc networks: peer-to-peer networks between wireless computers with no access point in between. Security threat due to a lack of a central point of control.
4. Nontraditional networks: i.e. barcode readers or PDAs, pose a security risk in terms of eavesdropping and spoofing.
5. ID theft (MAC spoofing): eavesdropping to identify the MAC address of a computer with network privileges.
6. MITM
7. DoS
8. Network Injection

Question 3

What are the principal threats to wireless transmission and what two types of countermeasures are appropriate?

Answer 3

Threat: eavesdropping, alteration/insertion of messages, disruption.

Signal-hiding: make it more difficult to locate the wireless access point. Turning off service set identifier (SSID) broadcasting by wireless access points: cryptic names to SSID, reduce signal strength, placing access points away from windows and exterior walls, directional antennas, signal-shielding techniques.

Encryption

Question 4

What are the principal threats to wireless access points and what types of countermeasures are appropriate?

Answer 4

Threats: unauthorised access.

IEEE 802.1X standard for port-based network access control.

Countermeasures:
1. Encryption

2. Antivirus, anti spyware, firewalls
3. Turning off identifier broadcasting. (Used so other devices can know about the network and connect to it)
4. Change the identifier on the router from the default.
5. Change the routers pre-set password
6. Allow only approved computers to access the network

Question 5

What are some security concerns regarding mobile devices?

Answer 5

1. Lack of physical security controls: mobile devices under the control of the user. Can be used in environments that are not secure leading to higher risk of theft or tampering
2. Use of un-trusted mobile devices. Personal mobile devices assumed not to be trustworthy as security mechanisms adhering to company policy may be non-existent.
3. Use of un-trusted networks: traffic with an off-site premise segment. Such as remote access to company network from home.
4. Unknown or un-trusted applications
5. Interaction with other systems. The synchronisation of data with different services and systems.
6. Un-trusted content. QR code scanning for more information.
7. GPS. Can be used to target devices for attacks to access restricted systems or networks.

Question 6

What is traffic security?

Answer 6

All traffic should be encrypted and travel by secure means. SSL, IPv6, VPN.

Question 7

What is barrier security?

Answer 7

Security mechanisms to protect the network from unauthorised access.

Question 8

The IEEE 802.11 standard has 8 terms with abbreviations, what are these terms?

Answer 8

Access Point

Basic Service Set

Coordination Function

Distribution System

Extended Service Set

MAC protocol data unit

MAC service data unit

Station

Question 9

What are the three layers in the IEEE 802 architecture?

Answer 9

Bottom to top

1. Physical
2. Media access control
3. Logical link control

Question 10

What is the function of the MAC layer?

Answer 10

1. Controls access to the transmission medium
2. Receives data from the LLC in the form of a MSDU.

On transmission: assemble data into a frame (MPDU) with address and error-detection fields.

On reception: disassemble frame, and perform address recognition and error detection.

Detects errors and discards frames containing errors.

Question 11

What is the function of the physical layer?

Answer 11

1. Encodes/decodes signals
2. Bit transmission/reception
3. Specification of the transmission medium
4. Defined frequency bands and antenna characteristics

Question 12

What is the function of the logical link control layer?

Answer 12

Responsible for detecting errors using the CRC and recovering from the errors by retransmitting damaged frames.

Optionally: keeps track of which frames where successful and retransmits unsuccessful ones.

Question 13

What does AP stand for?

Answer 13

Access Point: provides access to the network via wireless connections.

Question 14

What does BSS stand for?

Answer 14

Basic Service Set: a set of stations controlled by a single coordination function

Question 15

What is a coordination function?

Answer 15

Coordination Function: logical function that determines when stations in the BSS are allowed to transmit.

Question 16

What does DS stand for?

Answer 16

Distribution System: a system that interconnects BSSs and integrated LANs to create an ESS.

Question 17

What does ESS stand for?

Answer 17

Extended Service Set: interconnected BSSs and integrated LANs that appear as a single BSS to the LLC layer.

Question 18

What does MPDU stand for?

Answer 18

MAC protocol data unit: unit of data exchanged between to peer MAC entities using the services of the physical layer

Question 19

What does MSDU stand for?

Answer 19

MAC service data unit: info delivered as a unit between MAC users

Question 20

What is a station?

Answer 20

Any device conforming to IEEE 802.11

Question 21

What is the general format of the MPDU?

Answer 21

MAC control: protocol control info

Dest. MAC address

Source MAC address

^MAC header

MSDU

MAC trailer = CRC: cyclic redundancy check, an error-detecting code. Sender and receiver calculate the value to check if it matches.

Question 22

What two services are involved in the distribution of messages?

Answer 22

Distribution
Integration

Question 23

What is the distribution service involved in the distribution of messages?

Answer 23

It is the primary service used by stations to exchange MPDUs when the MPDUs must traverse the DS to get from a station in one BSS to a station in another BSS

Question 24

What is the integration service involved in the distribution of messages?

Answer 24

It enables transfer of data between a station on an IEEE 802.11 LAN and a station on an integrated IEEE 802.x LAN.

Integrated meaning a wired LAN.

Question 25

What is an association-related service?

Answer 25

Provides information about stations within the ESS. Before the distribution service can deliver or accept data from a station, the station need to be associated.

Question 26

There are three services related to fullfuling the requirement that a DS need to know the identity of the AP in order to deliver messages, which three services are they and what do they do?

Answer 26

Association: Establishes an initial association between a station and an AP. Before a station can transmit or receive frames on a wireless LAN, its identity and address must be known. Re-association: Enables an established association to be transferred from one AP to another, allowing a mobile station to move from one BSS to another. Disassociation: A notification from either a station or an AP that an existing association is terminated. A station should give this notification before leaving an ESS or shutting down.

Question 27

What was the issue with the original IEEE 802.11 Standard?

Answer 27

The security features for privacy and authentication were weak. Wired Equivalent Privacy (WEP) was used for privacy and contained major weaknesses. Wi-Fi Protected Access (WPA) was introduced to rectify these weaknesses.

Question 28

What does RSN stand for?

Answer 28

The Robust Security Network which is the final form of the IEEE 802.11i standard

Question 29

What services does RSN specify and what do they do?

Answer 29

Authentication: a protocol is used to define an exchange between a user and an AS that provides mutual authentication and generates temporary keys. Access control: 1. enforces the use of the authentication function 2. routes messages 3. facilitates key exchange Privacy with message integrity: MAC-level data are encrypted along with a message integrity code.

Question 30

What five phases of operation does the RSN have?

Answer 30

1. Discovery 2. Authentication 3. Key generation and distribution 4. Protected data transfer 5. Connection termination

Question 31

What does the discovery phase do?

Answer 31

It enables a STA and an access point to 1. recognise each other 2. agree on security capabilities 3. establish an association for future communication

Question 32

What security capabilities can be agreed upon during the discovery phase?

Answer 32

1. Confidentiality and MPDU integrity protocols (dictated by the AP since all STAs must use the same ones. 2. Authentication method 3. Key management approach

Question 33

What is a cipher suite and what options are available?

Answer 33

The specification of confidentiality and integrity protocols and the chosen key length Available options: 1. WEP, allows backward compatibility 2. TKIP 3. CCMP 4. Vendor-specific methods

Question 34

What is the AKM suite and what options are available?

Answer 34

Authentication and key management suite. Authentication means Means for deriving the root key from which other keys are generated. Available options: 1. IEEE 802.1X 2. Pre-shared key 3. Vendor-specific methods

Question 35

What three exchanges occur in the discovery phase?

Answer 35

Network and security capability discovery: STAs discover the network that it can communicate with. Open system authentication: provides backwards compatibility. The station and the AP exchange identifiers. Association: agree on security capabilites

Question 36

What does the authentication phase do?

Answer 36

It enables mutual authentication between STA and AS located in the DS. Authentication is designed to allow only authorised stations to use the network and provide the STA with assurance that it is communication with a legitimate network. Uses EAP. Communicates on the control channel until authentication has been confirmed, then it can use the data channel.

Question 37

The authentication phase consists of three phases, what are they?

Answer 37

Connect to AS: the STA requests a connection to an associated AP. EAP exchange: flow between STA and AP typically employs the EAPOL. Flow between AP and AS uses RADIUS. Secure key delivery: when authentication has been established the AS generates am master session key (MSK) aka, the AAA key. All keys needed by the STA for secure communication with its AP are generated using the MSK. Relies on EAP for secure delivery of the key.

Question 38

What does STA mean?

Answer 38

Supplicant

Question 39

What does the key management phase do?

Answer 39

Cryptographic keys are generated and distributed to STAs. Two types of keys: 1. pairwise keys 2. group keys

Question 40

What is the difference between a group key and a pairwise key?

Answer 40

A group key is used for multicast communication where on STA sends MPDUs to multiple other STAs. A pairwise key is used for communication between a pair of devices, usually a STA and an AP.

Question 41

What does the protected data transfer phase do?

Answer 41

It defines two schemes for protecting data transmitted in MPDUs: 1. TKIP: temporal key integrity protcol 2. CCMP: Counter Mode-CBC MAC Protocol

Question 42

What is the TKIP?

Answer 42

It is designed to only require software changes to devices that implement WEP and it provides two services. Message integrity: adds a message integrity code (MIC) to the 802.11 MAC frame after the data field. The MIC is generated by an algorithm, called Michael, that computes a 64-bit value using as input the source and destination MAC address values and the Data field, plus key material. Data confidentiality: Data confidentiality is provided by encrypting the MPDU plus MIC value using RC4.

Question 43

What is the CCMP?

Answer 43

CCMP is intended for newer IEEE 802.11 devices that are equipped with the hardware to support this scheme. CCMP provides two services: Message integrity: CCMP uses the cipher block chaining message authentication code (CBC-MAC). Data confidentiality: CCMP uses the CTR block cipher mode of operation with AES for encryption. The same 128-bit AES key is used for both integrity and confidentiality.

Question 44

What is the IEEE 802.11i PRF?

Answer 44

The pseudorandom function. It is used, for example, to expand pairwise keys and to generate GTK. It is built on the use of HMAC-SHA-1.