CCSP SelfStudy CCSP CSI: Exam Certification Guide, Second Edition [Electronic resources]


  • Foundation Summary

    The "Foundation Summary" section of each chapter lists the most important facts from the chapter. Although this section does not list every fact from the chapter that will be on your CSI exam, a well-prepared CSI candidate should, at a minimum, know all the details in each "Foundation Summary" before going to take the exam.

    The following are some of the potential threats and problems that can be associated with WLANs:

    • Interference and jamming: It is easy to interfere with wireless communications. A simple jamming transmitter can make communications impossible.

    • MAC authentication: Wireless access points can be configured to allow only predefined MAC addresses to associate. However, hackers can easily learn valid MAC addresses by sniffing the wireless spectrum, spoof them, and so circumvent this authentication.

    • Denial or degradation of service: 802.11 management messages do not require authentication, so a DoS attack is possible whenever these messages are left unauthenticated.

    • Rogue access points: The unauthorized placement of an access point onto a network, which a hacker can then use to gain network connectivity.

    • 802.11 is insecure: Traditional 802.11 WLAN security relied on open or shared-key authentication and static Wired Equivalent Privacy (WEP) keys. Shared-key authentication is considered insecure because a hacker can use techniques to derive the WEP key from the clear-text challenge. Static WEP keys have been shown to cause key-management issues and are a security risk because a weakness in the standard allows WEP keys to be derived easily.

    The following three technologies are recommended as an alternative to WEP:

    • IP Security (IPSec)

    • 802.1X/Extensible Authentication Protocol (EAP)

    • WEP enhancements

    802.1X and EAP provide the framework for a centralized authentication and dynamic key distribution approach, which has three elements:

    • Mutual authentication between the wireless client and an authentication server. A Remote Access Dial-in User Service (RADIUS) server provides the authentication service.

    • Dynamically derived encryption keys after authentication.

    • Centralized policy control for reauthentication and generation of encryption keys.

    Use the following EAP protocols to authenticate a user over a wired or wireless connection:

    • Cisco Lightweight EAP (LEAP): With LEAP, mutual authentication relies on a shared secret, the user's logon password, which is known to both the client and the network. When mutual authentication is complete, both the client and the RADIUS server derive a dynamic WEP key for the session.

    • EAP-Transport Layer Security (EAP-TLS): EAP-TLS uses digital certificates for both user and server authentication. Again, when authentication is complete, both the client and the RADIUS server derive a dynamic WEP key for the session.

    • Protected EAP (PEAP): PEAP uses a digital certificate for server authentication. For user authentication, PEAP supports various EAP-encapsulated methods inside a protected TLS tunnel. Again, when authentication is complete, both the client and the RADIUS server derive a dynamic WEP key for the session.

    To overcome the vulnerabilities found in the 802.11 WEP protocol, 802.11i includes two encryption enhancements:

    • Temporal Key Integrity Protocol (TKIP): TKIP is a software enhancement to WEP that overcomes the vulnerabilities caused by weak initialization vectors (IVs) in the WEP encryption process and by replay attacks. Weak IVs are overcome by a per-packet keying process in which a hash of the WEP key and the IV produces a new per-packet key that is used for encryption. A message integrity check (MIC) prevents tampering with the wireless frame and mitigates replay attacks.

    • Advanced Encryption Standard (AES): AES provides a much stronger encryption standard than that currently available with WEP.

    A designer has two main mitigation choices, depending on the technology to be incorporated:
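    To make the TKIP integrity and replay checks concrete, the following is an added example in Python (not code from the book or from Cisco). It implements the Michael MIC defined in 802.11i for TKIP and a simplified receiver that drops a frame whose TKIP sequence counter (TSC) does not increase and a frame whose MIC does not verify; the single per-sender counter, the MIC over header||payload, and the key and frame values are constructed assumptions, whereas a real station keeps per-key, per-priority counters and MICs the MSDU together with its addresses and priority.

```python
import struct

MASK32 = 0xFFFFFFFF

def _rol(v, n): return ((v << n) | (v >> (32 - n))) & MASK32
def _ror(v, n): return ((v >> n) | (v << (32 - n))) & MASK32
def _xswap(v):  # swap the two bytes of each 16-bit half: b3 b2 b1 b0 -> b2 b3 b0 b1
    return ((v & 0xFF00FF00) >> 8) | ((v & 0x00FF00FF) << 8)

def _block(l, r):
    # Michael block function b(L, R) from IEEE 802.11i
    r ^= _rol(l, 17); l = (l + r) & MASK32
    r ^= _xswap(l);   l = (l + r) & MASK32
    r ^= _rol(l, 3);  l = (l + r) & MASK32
    r ^= _ror(l, 2);  l = (l + r) & MASK32
    return l, r

def michael_mic(key: bytes, msg: bytes) -> bytes:
    """Michael MIC as used by TKIP: 64-bit key in, 64-bit tag out."""
    l, r = struct.unpack("<II", key)
    # pad with 0x5a and 4..7 zero bytes so the length is a multiple of 4
    padded = msg + b"\x5a" + b"\x00" * (4 + (3 - len(msg) % 4))
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = _block(l, r)
    return struct.pack("<II", l, r)

class TkipReceiver:
    """Receive-side checks before a frame is accepted (simplified model)."""
    def __init__(self, mic_key: bytes):
        self.mic_key = mic_key
        self.last_tsc = {}   # sender -> highest TKIP sequence counter accepted

    def accept(self, sender, tsc, header, payload, mic):
        if tsc <= self.last_tsc.get(sender, -1):      # TSC must strictly increase
            return "REPLAY"
        if michael_mic(self.mic_key, header + payload) != mic:
            return "MIC_FAILURE"   # 802.11i: two failures in 60 s trigger countermeasures
        self.last_tsc[sender] = tsc
        return "OK"

def demo():
    key = bytes.fromhex("0123456789abcdef")            # constructed MIC key
    rx = TkipReceiver(key)
    hdr, body = b"\x00\x11\x22\x33\x44\x55", b"hello"  # constructed DA + payload
    good = michael_mic(key, hdr + body)
    return [rx.accept("sta1", 1, hdr, body, good),      # fresh, intact   -> OK
            rx.accept("sta1", 1, hdr, body, good),      # same TSC again  -> REPLAY
            rx.accept("sta1", 2, hdr, b"hellO", good),  # altered payload -> MIC_FAILURE
            rx.accept("sta1", 2, hdr, body, good)]      # intact, new TSC -> OK
```

    The Michael implementation reproduces the published all-zero-key test vector, so the MIC check is the real 802.11i computation rather than a stand-in hash.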

    • Implementing a mutual authentication-based and key-distribution method using 802.1X with WEP improvements

    • Implementing a network layer encryption approach based on IPSec

    The key devices found in the mutual authentication or EAP WLAN model are shown in Table 20-6.

    Table 20-6. EAP WLAN Key Devices

    | Device | Description |
    |---|---|
    | DHCP server | Delivers IP configuration details. |
    | Layer 2 or 3 switch | Provides Ethernet connectivity and Layer 3 or 4 filtering between the wireless access point and the corporate network. |
    | OTP server (optional) | Authorizes OTP details from the RADIUS server (PEAP use only). |
    | PKI server (optional) | Provides X.509 digital certificates for user and server identification. |
    | RADIUS server | Provides user-based authentication for wireless clients and access point authentication to the wireless clients. |
    | Wireless access point | Mutually authenticates wireless clients through EAP. |
    | Wireless client adapter and software | Provides the hardware and software necessary for wireless communication. |

    Table 20-7 shows the anticipated threats and mitigation actions for the WLAN EAP model.

    Table 20-7. Wireless LAN EAP Design Threats and Threat Mitigation

    | Threat | Threat Mitigation |
    |---|---|
    | ARP spoofing | Authentication. |
    | IP spoofing | Authentication and RFC 2827 filtering on the Layer 3 switch. |
    | Man-in-the-middle attacks | Several EAP authentication types combined with the MIC feature. |
    | Network topology discovery | Authentication. |
    | Password attack | EAP protocols such as PEAP that use secure connectivity between client and server before authentication. |
    | Unauthenticated access | Authentication. Optional access control on the Layer 3 switch limits wired network access. |
    | Wireless packet sniffers | WEP enhancements (specifically, per-packet keying as part of TKIP). |

    Depending on the type of EAP used, observe the following guidelines:

    • EAP-TLS: Use of a private PKI server to issue digital certificates is recommended.

    • EAP-TLS and EAP-PEAP: Prevent normal users from accessing the wireless client's EAP supplicant settings. Configure wireless clients with the trusted certificate server's digital certificate.

    • EAP-LEAP and EAP-PEAP: To prevent brute-force password attacks, configure user accounts to be locked after a small number of incorrect login attempts.

    • EAP-TLS: Configure the RADIUS server to check the Certificate Authority's certificate revocation list (CRL).

    The key devices found in the IPSec WLAN model are shown in Table 20-8.

    Table 20-8. IPSec WLAN Key Devices

    | Device | Description |
    |---|---|
    | DHCP server | Delivers IP addressing information to wireless clients before and after VPN establishment. |
    | Layer 2 switch | Provides Ethernet connectivity between the WLAN access points and the corporate network. |
    | Layer 3 switch | Provides Ethernet connectivity and Layer 3 or 4 filtering on the corporate network. |
    | OTP server | Authorizes OTP details from the RADIUS server. |
    | RADIUS server | Provides user-based authentication for wireless clients terminating on the VPN gateway. Can optionally also communicate with an OTP server. |
    | VPN gateway | Authenticates remote users and terminates their IPSec tunnels. Can also act as a DHCP relay. |
    | VPN software client | Provides a remote user with a software VPN client and personal firewall software on a PC. |
    | Wireless access point | Mutually authenticates wireless clients through EAP. |
    | Wireless client adapter and software | Provides the hardware and software necessary for wireless communication. |

    Table 20-9 shows the anticipated threats and mitigation actions for the WLAN IPSec design model.

    Table 20-9. WLAN IPSec Design Threats and Threat Mitigation

    | Threat | Threat Mitigation |
    |---|---|
    | ARP spoofing | Encryption. |
    | IP spoofing | Encryption. Only valid, authenticated IPSec packets ever reach the corporate network. |
    | Man-in-the-middle attacks | Authentication and IPSec encryption. |
    | Network topology discovery | Protocol filtering. |
    | Password attack | Strong passwords or OTP. |
    | Wireless packet sniffers | Encryption. |

    The large enterprise WLAN EAP design utilizes three modules from within the SAFE Enterprise architecture:

    • Building module

    • Building Distribution module

    • Server module

    The large enterprise IPSec VPN design utilizes four modules from within the SAFE Enterprise architecture:

    • Building module

    • Building Distribution module

    • Edge Distribution module

    • Server module

    The following are characteristics of the medium WLAN design:

    • Wireless is laid on top of the Campus module within the SAFE medium-sized network design.

    • High availability is not offered.

    • In the medium WLAN EAP design, wireless access points connect to existing Layer 2 access switches located in the medium Campus module.

    • In the medium IPSec VPN design, the VPN gateway connects to the Campus module Layer 3 switch through two VLANs.

    The following are characteristics of the small WLAN design:

    • Wireless is laid on top of the Campus module of the SAFE small network design model.

    • In the small WLAN EAP design, wireless access points connect to existing Layer 2 access switches located in the small Campus module. The RADIUS and DHCP servers reside on this same subnet.

    The following are characteristics of the remote WLAN design:

    • Remote VPN connectivity is based on either software- or hardware-terminated IPSec VPNs to a central site.

    • The remote software-based VPN WLAN design is recommended when security is focused on the wireless device or user. Secure connectivity is provided through a personal firewall on the user's device and through the IPSec VPN to the corporate resource.

    • The remote hardware-based VPN WLAN design is recommended when security is focused on the remote LAN. Wireless users authenticate to the WLAN using EAP. The LAN has a hardware-based IPSec connection to the headend VPN gateway.