Chapter 02
Methods
Open System Authentication
Shared Key Authentication
Wired Equivalent Privacy (WEP)
Pre-Shared Keys
Status: Deprecated
Shared Key Authentication
The station proves knowledge of the WEP key by returning the AP's cleartext challenge WEP-encrypted. If both the cleartext challenge and the encrypted response are captured, XORing them yields the RC4 keystream for that IV; with it an attacker can answer later challenges without the key, and with enough captured traffic the static WEP key itself might be derived.
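The exchange described above, as an added simulation that is not part of the original slides. It models the four-frame Shared Key Authentication handshake in Python (a pure RC4 and WEP framing written here for illustration), then plays the eavesdropper: XOR the captured challenge (plus its CRC-32 ICV) with the captured response to recover the keystream, and reuse that IV/keystream pair to answer a fresh challenge with no knowledge of the key. Key sizes, IVs and challenges are constructed values; recovering the key itself needs further IV collection and is not shown.

```python
"""Shared Key Authentication keystream reuse (added illustration, constructed data)."""
import os
import zlib

IV_LEN = 3            # WEP prepends a 24-bit IV to the key
CHALLENGE_LEN = 128   # 802.11 shared-key challenge text length


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 (ARC4) keystream generator, as used by WEP."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32, little-endian."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP body: IV || (plaintext || ICV) XOR RC4(IV || key)."""
    ks = rc4(iv + key, len(plaintext) + 4)
    return iv + xor(plaintext + icv(plaintext), ks)


def wep_decrypt_and_check(key: bytes, frame: bytes):
    """Return the plaintext if the ICV verifies, else None."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    pt_icv = xor(body, rc4(iv + key, len(body)))
    pt, tag = pt_icv[:-4], pt_icv[-4:]
    return pt if icv(pt) == tag else None


def ap_verify_response(key: bytes, challenge: bytes, frame: bytes) -> bool:
    """AP side, frame 3 of the handshake: decrypt and compare to the challenge."""
    return wep_decrypt_and_check(key, frame) == challenge


def recover_keystream(challenge: bytes, captured_frame: bytes):
    """Eavesdropper: keystream = ciphertext XOR (challenge || ICV(challenge))."""
    iv, body = captured_frame[:IV_LEN], captured_frame[IV_LEN:]
    return iv, xor(body, challenge + icv(challenge))


def forge_response(iv: bytes, keystream: bytes, new_challenge: bytes) -> bytes:
    """Answer a new challenge by reusing the recovered IV/keystream pair."""
    return iv + xor(new_challenge + icv(new_challenge), keystream)


def demo(key: bytes = b"\x01\x02\x03\x04\x05") -> bool:
    """Run a legitimate exchange, sniff it, then authenticate without the key."""
    challenge1 = os.urandom(CHALLENGE_LEN)          # AP -> STA (cleartext)
    legit = wep_encrypt(key, os.urandom(IV_LEN), challenge1)  # STA -> AP
    if not ap_verify_response(key, challenge1, legit):
        return False
    iv, ks = recover_keystream(challenge1, legit)   # attacker saw both frames
    challenge2 = os.urandom(CHALLENGE_LEN)          # attacker's own attempt
    return ap_verify_response(key, challenge2, forge_response(iv, ks, challenge2))


if __name__ == "__main__":
    print("forged authentication accepted:", demo())
```

The same keystream reuse is why WEP's small IV space matters: every (IV, key) pair the attacker observes is a reusable keystream, whether it comes from an authentication exchange or from ordinary data frames.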
Wired Equivalent Privacy (WEP) Encryption
Static RC4 (ARC4) keys shared by all stations, with a short per-frame IV
Easily cracked with freeware tools
Temporal Key Integrity Protocol (TKIP)
Some features…
Temporal keys: uses dynamic keys instead of static ones
Sequencing: uses a TKIP sequence counter (TSC) to avoid replay attacks
Key mixing: two-phase cryptographic mixing process to produce a stronger per-packet seed for ARC4
Enhanced data integrity: uses a stronger data integrity check known as the Message Integrity Code (MIC)
TKIP countermeasures. On a MIC failure:
Logging of the failure
If a second MIC failure occurs within 60 seconds: 60-sec shutdown of TKIP traffic
New temporal keys before traffic resumes
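The TSC replay check and the MIC-failure countermeasures above, as an added simulation that is not from the original slides. It is a receive-side state machine in Python: a frame whose TSC does not exceed the last accepted value is dropped as a replay (real TKIP keeps a small per-TID reorder window; strict monotonic order is a simplification here), a MIC failure is logged, a second failure within 60 seconds shuts TKIP down for 60 seconds and installs new temporal keys, and the sequence space restarts after the rekey. Timestamps, TSC values and the "mic_ok" flag are constructed inputs standing in for the real ICV/MIC verification.

```python
"""TKIP receive path: TSC replay check plus MIC countermeasures (added simulation)."""
from dataclasses import dataclass, field

COUNTERMEASURE_WINDOW = 60.0  # seconds: two MIC failures inside it trigger shutdown
SHUTDOWN_SECONDS = 60.0       # how long TKIP traffic is refused


@dataclass
class TkipReceiver:
    last_tsc: int = -1                      # highest accepted TSC for the current key
    mic_failure_times: list = field(default_factory=list)
    shutdown_until: float = 0.0
    rekey_count: int = 0
    log: list = field(default_factory=list)

    def receive(self, tsc: int, mic_ok: bool, now: float) -> str:
        """Process one frame; returns 'accepted' or the drop reason."""
        if now < self.shutdown_until:
            return "dropped:shutdown"
        if tsc <= self.last_tsc:            # replayed or reordered beyond tolerance
            self.log.append(f"{now:.0f}s replay tsc={tsc} last={self.last_tsc}")
            return "dropped:replay"
        if not mic_ok:
            self.log.append(f"{now:.0f}s MIC failure tsc={tsc}")
            # keep only failures still inside the 60 s window, then add this one
            self.mic_failure_times = [
                t for t in self.mic_failure_times if now - t < COUNTERMEASURE_WINDOW
            ]
            self.mic_failure_times.append(now)
            if len(self.mic_failure_times) >= 2:
                self.shutdown_until = now + SHUTDOWN_SECONDS
                self.rekey_count += 1       # new temporal keys are installed
                self.mic_failure_times.clear()
                self.last_tsc = -1          # TSC restarts with the new key
                self.log.append(f"{now:.0f}s countermeasures: shutdown + rekey")
                return "dropped:countermeasures"
            return "dropped:mic"
        self.last_tsc = tsc                 # frame passed; advance the counter
        return "accepted"


def run_scenario() -> dict:
    """Constructed traffic: a replay, two forgeries, a frame during shutdown, recovery."""
    rx = TkipReceiver()
    results = [
        rx.receive(tsc=1, mic_ok=True, now=0),     # normal
        rx.receive(tsc=2, mic_ok=True, now=1),     # normal
        rx.receive(tsc=2, mic_ok=True, now=2),     # attacker replays frame 2
        rx.receive(tsc=3, mic_ok=False, now=3),    # first forgery: logged only
        rx.receive(tsc=4, mic_ok=False, now=10),   # second within 60 s: shutdown
        rx.receive(tsc=5, mic_ok=True, now=30),    # refused while shut down
        rx.receive(tsc=1, mic_ok=True, now=75),    # after rekey, TSC restarts
    ]
    return {"results": results, "rekeys": rx.rekey_count, "log": rx.log}


if __name__ == "__main__":
    for line in run_scenario()["log"]:
        print(line)
```

The shutdown is what makes the countermeasure a denial-of-service lever: an attacker who can inject two frames with a bad MIC within a minute takes the BSS's TKIP traffic down for a minute, which is one of the reasons TKIP is kept only for legacy clients.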
MAC Filters
Implementing restrictions
A device can be permitted into the network (allow list)
A device can be prevented from the network (deny list)
Vulnerable solution, since a permitted MAC address is visible in cleartext frame headers and can be easily spoofed or impersonated
SSID Cloaking/Hiding
SSID stands for service set identifier
Logical name of the WLAN
Removes the SSID from Beacon frames, so STAs that do not know the SSID will not associate to it.
Passive scanning will not reveal the SSID, but active scanning will: probe requests and probe responses carry the SSID in cleartext, as do association requests.
Does not secure the WLAN
Might cause problems for WLAN administration and for clients, which must probe for the hidden name wherever they go.
Recommendation: Broadcast the SSID!
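The passive-versus-active point above, as an added example that is not part of the original slides: a small Python parser for the tagged information elements in 802.11 management frame bodies, run over constructed frames. A cloaked AP's beacon still carries an SSID element, just with length zero (some APs fill it with NUL bytes instead), while the probe response the same AP sends to an active scanner carries the real name. The frame bodies, channel and SSID "corp-wlan" are constructed for the example.

```python
"""Tagged-IE parsing of beacon / probe response bodies (added example, constructed frames)."""
import struct
from typing import List, Optional, Tuple

ELEM_SSID = 0
ELEM_SUPPORTED_RATES = 1
ELEM_DS_PARAMS = 3          # carries the channel number
FIXED_FIELDS_LEN = 12       # timestamp(8) + beacon interval(2) + capability(2)


def parse_ies(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the element-id / length / value stream; stop at a truncated element."""
    ies = []
    i = 0
    while i + 2 <= len(data):
        eid, ln = data[i], data[i + 1]
        body = data[i + 2:i + 2 + ln]
        if len(body) != ln:
            break               # truncated element: do not trust the remainder
        ies.append((eid, body))
        i += 2 + ln
    return ies


def ssid_from_body(body: bytes) -> Optional[str]:
    """SSID string; '' when cloaked (zero-length or all-NUL); None when absent."""
    for eid, val in parse_ies(body[FIXED_FIELDS_LEN:]):
        if eid == ELEM_SSID:
            if not val or all(b == 0 for b in val):
                return ""
            return val.decode("utf-8", errors="replace")
    return None


def channel_from_body(body: bytes) -> Optional[int]:
    for eid, val in parse_ies(body[FIXED_FIELDS_LEN:]):
        if eid == ELEM_DS_PARAMS and len(val) == 1:
            return val[0]
    return None


def build_mgmt_body(ssid: bytes, channel: int) -> bytes:
    """Constructed beacon / probe response body: fixed fields, then SSID, rates, channel."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, 100 TU, ESS+privacy+short slot
    ies = bytes([ELEM_SSID, len(ssid)]) + ssid
    ies += bytes([ELEM_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mb/s
    ies += bytes([ELEM_DS_PARAMS, 1, channel])
    return fixed + ies


# What a passive scanner sees from a cloaked AP, versus what the AP tells an active scanner.
BEACON_CLOAKED = build_mgmt_body(b"", 6)
BEACON_NUL_PADDED = build_mgmt_body(b"\x00" * 9, 6)
PROBE_RESPONSE = build_mgmt_body(b"corp-wlan", 6)


def scan(frames: List[bytes]) -> List[str]:
    """Distinct non-empty SSIDs recoverable from a list of captured bodies."""
    return sorted({s for s in (ssid_from_body(f) for f in frames) if s})


if __name__ == "__main__":
    print("passive:", scan([BEACON_CLOAKED, BEACON_NUL_PADDED]))
    print("active :", scan([BEACON_CLOAKED, PROBE_RESPONSE]))
```

Anything that parses management frames from the air should take the truncation branch seriously: a malformed length byte is a classic way to push a driver or sniffer past the end of a buffer.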
Virtual Private Networks (VPNs)
No longer a recommended practice for WLAN security, but often implemented since the VPN server is already deployed in the wired network
The solution calls for a firewall (FW) between the WLAN client and the VPN server
The FW allows only VPN traffic to pass
The VPN client encrypts (decrypts) traffic that is decrypted (encrypted) by the VPN server
SSID Segmentation
Recommendation:
Enterprise APs might support up to 16 SSIDs, each of which is mapped to a VLAN
Layer 2 overhead (a beacon per SSID plus the extra management traffic) is considerable when all 16 SSIDs are enabled, leading to as much as a 40% performance reduction
Best practice: 3-4 SSIDs.
SSID Segmentation: example
Guest SSID/VLAN
Open access
Deny access to local network resources
Routed off to an Internet gateway
Voice SSID/VLAN
Use WPA2 encryption
VoWiFi clients are routed to the VoIP server
Employee SSID/VLAN
Strong security solutions: WPA2 encryption, with ACLs or FWs controlling access to network resources after authentication