What are the most common wireless technologies?
Cellular, bluetooth, near field communication, radio frequency identification, and wireless local area networks.
What are the most widespread wireless networks?
Cellular networks
How are cellular networks operated?
Operated by telecommunication service providers and include consumer wireless cellular carriers.
What is a fixed wireless service?
The device that receives the wireless signal is stationary, and the user can roam freely and remain connected to the fixed device.
Who is responsible for configuring cellular networks?
The telecommunication providers. They own, maintain, and manage their own network equipment and facilities.
What is Bluetooth?
A technology that uses short-range radio frequency (RF) transmissions and provides rapid device pairings.
What type of network technology is Bluetooth?
Personal area network (PAN)
Bluetooth is a PAN technology designed for what?
Data communication over short distances, enabling users to connect wirelessly to a wide range of computing & telecommunication devices.
What is the current version of Bluetooth that was introduced in early 2023?
Bluetooth 5.4
Explain what Bluetooth Basic Rate/Enhanced Data Rate (BR/EDR), or Bluetooth Classic, is designed for.
It is for devices needing short-range continuous connectivity.
Explain what Bluetooth Low Energy (LE) is for.
For devices that require short bursts of data over long distances.
How many bits per second (bps) can Bluetooth BR/EDR transmit?
1 Mbps to 3 Mbps
How many bits per second (bps) can Bluetooth LE transmit?
125 Kbps to 2 Mbps
What are Bluetooth "classes" for?
They categorize Bluetooth devices. Each class transmits over different distances.
What are the advertised distance ranges for Class 1, Class 2, and Class 3 Bluetooth devices?
Class 1. Up to 328 ft
Class 2. Up to 98 ft
Class 3. Up to 22 ft
What is the primary type of Bluetooth network?
Piconet
What is a broadcaster in a piconet?
The device that controls all wireless traffic.
What is the observer in a piconet?
The device that takes commands from the broadcaster.
What are the two types of observers that a broadcaster can control?
Active (sending transmissions) and parked (not actively participating) followers.
T or F: Bluetooth is usually point-to-point or point-to-multipoint.
True
What does a mesh topology do in Bluetooth LE?
It is used to extend the range of a Bluetooth network. An observer can communicate with another broadcaster closer to the broadcaster, which can send it to another broadcaster, and so on.
What ability of Bluetooth opens the door for attacks on Bluetooth?
Its ability for observers to connect to a broadcaster dynamically and automatically.
What is Bluejacking?
An attack that sends unsolicited messages to Bluetooth-enabled devices. More annoying than harmful.
What is Bluesnarfing?
An attack that accesses unauthorized information from a wireless device through a Bluetooth connection. Usually done without the owner's permission or knowledge.
How can we mitigate Bluejacking and Bluesnarfing?
Turning off Bluetooth, making the device nondiscoverable, and rejecting unknown pairing requests.
What is Near Field Communication?
A set of standards used to establish communication between devices in close proximity. It establishes a two-way communication.
What are the two types of NFC devices?
Passive and Active
What can a Passive NFC device do?
Contains information other devices can read, but it cannot read other tags or receive information.
What can an Active NFC device do?
Can read info and transmit data.
How do NFC devices communicate?
Through magnetic induction; the interrogator and tag each create a high-frequency magnetic field from an internal antenna, forming a connection.
What does a tag do when it receives instructions from the interrogator?
It checks whether they're valid; if not, it ignores the communication.
What are consumer NFC devices used as?
They are used as an alternative to paying with cash or a credit card in a retail store.
What are the four risks against NFC?
Eavesdropping, data theft, MITM, and device theft.
What is Radio Frequency Identification used for?
Used to transmit information that can be detected by a proximity reader. Ex. ID Badge with RFID tag inside that can be read by an RFID reader.
T or F: Most RFID tags are active and have their own power supply.
False. They are passive and have no power supply.
How do RFID tags provide a response?
They are powered by the electrical current induced in the antenna by the incoming signal from the transceiver.
What kind of data do RFID tags transmit?
ID numbers.
What must active RFID tags have?
Their own power source.
What are four RFID attacks in retail stores?
Unauthorized tag access, fake tags, eavesdropping, and RFID cloning.
T or F: RFID technology can be embedded in a chip.
True
Where is RFID technology found?
Enhanced driver's licenses, passports, and hotel key cards.
Why is RFID eavesdropping not considered a high risk?
Because of their short range. It makes it hard for an attacker to just walk next to the target and steal information.
What are WLANs also commonly called?
Wi-Fi
What are WLANs designed for?
Replace or supplement a wired local area network
What influential organization is known in computer networking and wireless communications?
The Institute of Electrical and Electronics Engineers (IEEE).
What is the standard for WLANs operating at 1 and 2 Mbps?
IEEE 802.11
What IEEE amendment added higher speeds to the 802.11 standard?
IEEE 802.11b; it added speeds of 5.5 Mbps and 11 Mbps.
What were the driving forces for creating new Wi-Fi versions?
New wireless technology being continually developed and incorporated into the new versions, government organizations controlling the usage of the electromagnetic spectrum, and the ongoing need for increased security to prevent eavesdropping and manipulating wireless signals.
Why would an endpoint need a wireless client network interface card?
To send and receive wireless signals from an embedded antenna in the card.
What is a Wireless Access Point?
It is a centrally located WLAN connection device that can send and receive information.
What does a Wireless AP consist of?
An antenna, a radio transmitter/receiver, bridging software to interface wireless devices to other devices, and a wired network interface for connecting to a wired network.
A WLAN using an AP is operating in what mode?
Infrastructure mode
What are the two basic AP functions?
Acting as a base station for the wireless network and acting as a bridge between the wireless and wired networks.
What does a wireless router combine and what are they also called?
Includes features of an AP, firewall, router and DHCP server, along with others. They are also called residential WLAN gateways.
What are Standard/Fat APs?
Independent from other network devices. They have the intelligence required to manage wireless authentication, encryption, and other functions for the wireless devices they serve.
What is the downside of Fat APs?
They each require individual reconfiguration if a network configuration were to change.
When would we choose a Thin AP over a Fat AP?
When there are multiple APs widely deployed.
What is a Thin AP?
It is a lightweight AP that doesn’t contain all the management and configuration functions that fat APs do.
Where is the configuration for a Thin AP?
It is centralized in the wireless switch. It improves security as it is managed from a central location.
What is a Wireless LAN Controller (WLC)?
It manages controller APs. The WLC is a single device that can be configured and then distribute the configuration to all controller APs.
What is the handoff procedure that occurs when a wireless client device moves through a WLAN?
One standalone AP transfers authentication information to another. It can be slow, which affects time-dependent communication.
Where is the handoff procedure done with Controller APs?
In the Wireless LAN Controller (WLC)
What are Captive Portal APs?
An AP that uses a web browser to provide information and give users the chance to agree to a policy or present login credentials.
What is a network hard edge?
A single point through which data passes from an external network to the internal network in a wired network. Another hard edge is the walls of the building.
Why have the WLANs in enterprises changed hard edges to “blurred edges”?
A WLAN contains multiple data entry points. Also, RF signals can extend past the boundaries of a building.
What is a rogue AP?
An unauthorized AP that allows an attacker to bypass many network security configurations and open the network and its users to attacks. Attackers enter the rogue AP which is behind the firewall.
What is an Evil Twin AP?
It is designed to mimic an authorized AP. Attackers can capture transmissions from users to the evil twin AP.
What is one of the most common wireless attacks?
Intercepting and reading transmitted data.
What is Jamming?
Attackers use intentional RF interference to flood the RF spectrum to prevent a device from communicating with the AP. Often requires sophisticated and expensive equipment.
What is a design weakness of 802.11?
There is an implicit trust of management frames that are transmitted across the wireless network, which include the sender's source address.
It requires no verification of the source device's identity.
An attacker can craft a fake frame that pretends to come from a trusted client.
What is a Disassociation attack?
An attacker creates false disassociation management frames appearing to come from another device to disconnect it from the AP.
What is the 802.11 Request to Send/Clear to Send (RTS/CTS) protocol?
An RTS frame is transmitted to an AP that contains a duration field indicating the length of time needed for both the transmission and the returning acknowledgment frame. The AP and stations that receive the frame are alerted that the medium will be reserved for a specific period.
Each station stores the info in its network allocation vector (NAV) field.
No station can transmit if the NAV contains a value other than 0.
Why is the RTS/CTS Protocol vulnerable?
An attacker can send the frame with the duration field set to a high value preventing other devices from transmitting for long periods of time.
What are four WLAN Consumer Attacks?
Data theft, wireless transmissions read, malware injections, and downloading harmful content.
What is Wired Equivalent Privacy?
An 802.11 security protocol designed to ensure only authorized parties view transmitted wireless information. It accomplishes this by encrypting the transmissions.
What does WEP rely on?
A secret key known by the wireless client and AP. That key must be entered on the AP and all devices before transmission can occur because it needs to encrypt and decrypt packets.
How long must the WEP shared key be (in bits)?
It must be 64 bits in length. Vendors also have an option to use a 128-bit shared secret key for higher security.
What is the shared WEP key combined with?
An initialization vector (IV)
What is an initialization vector?
A 24-bit value that changes each time a packet is encrypted.
Why are the IV and shared key combined?
To be used as a seed for generating a random number necessary in the encryption process.
How does data get decrypted with WEP?
The IV and encrypted cipher text are transmitted to the receiving device.
Upon arrival, the receiving device separates the IV from the encrypted text and combines it with its own shared secret key to decrypt.
What WEP vulnerability deals with bit numbers?
The IV remains at 24 bits, so it can be easier to break than longer keys.
What cryptography rule does WEP violate?
It creates a detectable pattern, as there is only a limited number of possible IV values.
What is Wi-Fi Protected Setup (WPS)?
It is an optional means of configuring security on WLANs. Designed for users with little knowledge of security to implement security easily and quickly on their WLANs. Support for this model is mandatory for wireless routers.
What are the two common WPS methods?
PIN and the push-button method.
What are the flaws with the WPS PIN method?
No lockout limit, the last PIN character is only a checksum, and the wireless router reports the validity of the first and second halves separately, so attackers can just break the first four-character PIN and the second three-character PIN.
What is the most common type of wireless access media control?
MAC address filtering
What is a MAC address?
A 48-bit number that is "burned" into the NIC adapter when manufactured.
Explain MAC address filtering.
A client device's MAC address can be entered in software running on the AP, which is then used to permit or deny the device from connecting to the network.
What MAC vulnerability involves exchanging the MAC address between devices?
While it is being exchanged, it is in unencrypted format. It can be seen by an attacker monitoring the airwaves and then substituted on their device.
What MAC address filtering challenge involves managing several MAC addresses?
It can be difficult and demands constant attention as users join and leave. Not very practical for large wireless networks.
What was Wi-Fi Protected Access (WPA) designed for?
To fit into the existing WEP engine without requiring hardware upgrades or replacements.
What are the two versions of WPA?
Enterprise and Personal (10 or fewer)
How is authentication accomplished for WPA-Personal?
Using a preshared key. It is a secret value manually entered on the AP and each wireless device. Devices with the key are authenticated by the AP. WPA is still considered not secure.
What standard was WPA2 based on?
IEEE 802.11i
What two security areas of WLANs does WPA2 address?
Authentication and encryption
What is the cryptographic wireless protocol for WPA2?
CCMP, or Counter Mode with Cipher Block Chaining Message Authentication Code Protocol
What does CCMP do?
It specifies the use of CCM (a cipher mode algorithm for data privacy) with AES.
The Cipher Block Chaining Message Authentication Code (CBC-MAC) component of CCMP provides what?
Data integrity and authentication
What is CBC-MAC?
A component of CCMP