Professional Documents
Culture Documents
Lecture 3
1
Chapter 1: WLAN
Security Overview
Chapter 2: Legacy
802.11 Security
2
Lecture Objectives
• Introduce the new WPA3 security for Wi-Fi 6
• Review Standards Organizations that influence wireless
network security, specifically the Wi-Fi Alliance
• Explain IEEE 802.11 network security basics, such as:
• Data privacy
• Authentication, authorization, and accounting (AAA)
• Segmentation
• Monitoring
• Policy
• Internet Engineering Task Force (IETF) • Produces technical documents known as RFCs
(Request for Comments) that influence the way people
design, use, and manage the Internet.
• Internet Architecture Board (IAB) • Oversees the technical evolution of the Internet and
supervises the IETF.
• Internet Corporation for Assigned • Allocates IP addresses and manages Domain Name
Names and Numbers (ICANN) System and root server system for the Internet.
• Internet Engineering Steering Group • Provides technical management of IETF’s activities and
(IESG) the Internet standards process.
• Internet Research Task Force (IRTF) • Promotes research of importance to the evolution of the
Internet.
(Coleman et al., 2016b)
5
Standards Organizations (Cont.)
• Wi-Fi Alliance
• Provides interoperability testing and certification.
• Wi-Fi is a registered trademark, originally registered
in 1999 by Wireless Ethernet Compatibility Alliance
(WECA) and now registered to the Wi-Fi Alliance.
6
Wi-Fi Alliance Interoperability Certifications
• Core Technology and Security
• Certifies 802.11a, b, g, n, and/or ac interoperability to ensure
wireless data transmission works as expected (see Table 2).
• Tests wireless devices for compliance with IEEE 802.11i security
requirements, such as support for Wi-Fi Protected Access (WPA)
and Wi-Fi Protected Access 2 (WPA2) in personal and enterprise
environments.
Table 2: Five generations of Wi-Fi
Wi-Fi technology Frequency band Maximum data rate
802.11a 5 GHz 54 Mbps
802.11b 2.4 GHz 11 Mbps
802.11g 2.4 GHz 54 Mbps
802.11n 2.4 GHz, 5 GHz 600 Mbps
2.4 or 5 GHz (selectable),
or 2.4 and 5 GHz (concurrent)
802.11ac 5 GHz 6.93 Gbps
(Coleman et al., 2016b, p. 9)
7
Security in Wireless
Authentication
Proving identity can be done using: Encryption
- Something you know - Symmetric (same keys)
- Something you have - Asymmetric (different keys)
- Something you are
8
Wireless Security Evolution
9
Wi-Fi Alliance Interoperability Certifications
Acronyms:
TKIP = Temporal Key Integrity Protocol
RC4 = Rivest Cipher 4 (named after Ron Rivest of RSA Security)
CCMP = Counter Mode with Cipher-Block Chaining Message
Authentication Code Protocol
AES = Advanced Encryption Standard
EAP = Extensible Authentication Protocol
12
(Bartz, 2017, p. 57)
Wi-Fi Alliance Interoperability Certifications (Cont.)
• Wi-Fi Multimedia (WMM)
• Based on quality of service (QoS) mechanisms defined in the
802.11e amendment to 802.11 standard.
• Prioritizes transmission of time-sensitive applications like
voice or video on the half-duplex RF medium.
• Both the access point and wireless client must support WMM
interoperability certification.
(Bartz, 2017)
15
802.11 Security Basics
Monitoring
• Use of hardware and software products to review the performance
and security of the wireless network.
• Logs, wireless intrusion detection systems (WIDSs), and wireless
intrusion prevention systems (WIPSs) should be used for monitoring.
(Coleman et al., 2016b)
18
802.11 Security Basics (Cont.)
Policy
• Documents that clearly outline the proper use and configuration of
wireless networks, and the consequences for not following mandated
procedures.
• Some policies applicable to wireless networks include:
• IT Acceptable Use Policy – defines purpose and use of WLAN
• Wireless Use Policy – provides specific details on how devices should
be used on WLAN
• Password Policy – outlines criteria, use, and protection of passwords
• Data Sensitivity Policy – defines what is considered sensitive data and
how it should be protected
• Physical Security Policy – explains how WLAN infrastructure will be
protected from theft and vandalism
• Remote Office Policy – describes the procedures remote users must
follow to protect the data of the organization
24
WPA3-Enterprise
• Features:
– It is the same as WPA2-Enterprise in addition to Protected
Management Frames (PMF) enabled (mandatory).
– 192-bit mode for EAP-TLS (Suite B):
• It enforces EAP-TLS, 256 bit encryption and SHA384
• RSA keys > 3K or elliptic curve P-384
❑ TLS v1.2
❑ EAP server enforces policy via RADIUS attributes
❑ 4-Way Handshake uses SHA384 with 192-bit AKM
• Drawback:
– No real update to WPA2
– 192-bit mode requires RADIUS and clients with EAP-TLS 192-bit
support
25
Table 4: IEEE 802.11 security standards and certifications
802.11 Wi-Fi Alliance Authentication Encryption Cipher Key
standard certification method method generation
802.11 legacy No Open System or WEP ARC4 Static
Certification Shared Key
RADIUS server
communicates with a
central server to
authenticate users/devices
and authorize them to
access network resources.
• VPN Scalability
• As the size of the network grows, VPN servers will need to be expanded and
upgraded, which can be costly.
• VPN client software may need to be added to each computer connecting to
the WLAN, which can be a time-consuming process.
36
SSID Cloaking/Hiding
• Stops unauthorized users from seeing the network.
• AP(s) still respond to probes for given SSIDs so that
legitimate end users can connect to the WLAN.
• Not a recommended enterprise security solution for
802.11 WLANs for the following reasons:
• A protocol analyzer, such as Wireshark, can capture frames
transmitted by legitimate users and discover the SSID, which
is transmitted in cleartext.
• Some hardware devices may not support connecting to hidden
or cloaked SSIDs.
• Assisting end users with manually entering or troubleshooting
SSIDs often consumes a lot of valuable technical support time.
40