CCST Networking - Security Concepts

Wireless Media

  • Wireless media carries electromagnetic signals representing binary digits using radio or microwave frequencies.
  • It offers the greatest mobility option.
  • Wireless connection numbers are continuously increasing.

Limitations of Wireless:

  • Coverage Area:
    • Effective coverage can be significantly impacted by the physical characteristics of the deployment location.
  • Interference:
    • Wireless is susceptible to interference and can be disrupted by common devices such as microwaves, power lines, and walkie-talkies.
  • Security:
    • Wireless communication coverage requires no physical access, making it easier for unauthorized individuals to gain access to the transmission.
  • Shared Medium:
    • WLANs operate in half-duplex mode, meaning only one device can send or receive at a time.
    • Simultaneous access by many users results in reduced bandwidth for each user.

Types of Wireless Networks

  • Wireless Personal-Area Networks (WPAN):
    • Uses low-powered transmitters for short-range networks, typically 20 to 30 feet (6 to 9 meters).
    • Commonly uses Bluetooth and ZigBee based devices.
    • Based on the 802.15 standard and a 2.4-GHz radio frequency.
  • Wireless LANs (WLAN):
    • Uses transmitters to cover a medium-sized network, usually up to 300 feet.
    • Suitable for homes, offices, and campus environments.
    • Based on the 802.11 standard and operates on 2.4-GHz or 5-GHz radio frequencies.
  • Wireless MANs (WMAN):
    • Uses transmitters to provide wireless service over a larger geographic area.
    • Suitable for providing wireless access to a metropolitan city or specific district.
    • Uses specific licensed frequencies.
  • Wireless Wide-Area Networks (WWAN):
    • Uses transmitters to provide coverage over an extensive geographic area.
    • Suitable for national and global communications.
    • Uses specific licensed frequencies.

Wireless Standards

  • Wi-Fi (IEEE 802.11):
    • Wireless LAN (WLAN) technology.
  • Bluetooth (IEEE 802.15):
    • Wireless Personal Area Network (WPAN) standard.
  • WiMAX (IEEE 802.16):
    • Uses a point-to-multipoint topology to provide broadband wireless access.
  • Zigbee (IEEE 802.15.4):
    • Low data-rate, low power-consumption communications, primarily for Internet of Things (IoT) applications.

Wireless Client and AP Association

  • To achieve successful association, a wireless client and an AP must agree on specific parameters:
    • SSID: The client needs to know the network name to connect.
    • Password: Required for the client to authenticate to the AP.
    • Network Mode: The 802.11 standard in use.
    • Security Mode: The security parameter settings, such as WEP, WPA, or WPA2.
    • Channel Settings: The frequency bands in use.

802.11 Authentication Methods

  • The best way to secure a wireless network is to use authentication and encryption systems.
  • Two types of authentication were introduced with the original 802.11 standard:
    • Open System Authentication:
      • Any wireless client should be able to easily connect.
      • Should only be used where security is not a concern, such as free internet access in cafes, hotels, or remote areas.
      • The wireless client is responsible for providing security, such as using a virtual private network (VPN) to connect securely.
      • VPNs provide authentication and encryption services but are beyond the scope of this topic.
    • Shared Key Authentication:
      • Provides mechanisms like WEP, WPA, WPA2, and WPA3 to authenticate and encrypt data between a wireless client and AP.
      • The password must be pre-shared between both parties to connect.

Wireless Security

  • There are currently four shared key authentication techniques available:
    • Wired Equivalent Privacy (WEP):
      • The original 802.11 specification designed to secure data using the Rivest Cipher 4 (RC4) encryption method with a static key.
      • WEP is no longer recommended and should never be used.
    • Wi-Fi Protected Access (WPA):
      • A Wi-Fi Alliance standard that uses WEP but secures the data with the much stronger Temporal Key Integrity Protocol (TKIP) encryption algorithm.
      • TKIP changes the key for each packet, making it much more difficult to hack.
    • WPA2:
      • It uses the Advanced Encryption Standard (AES) for encryption.
      • AES is currently considered the strongest encryption protocol.
    • WPA3:
      • The next generation of Wi-Fi security.
      • All WPA3-enabled devices use the latest security methods, disallow outdated legacy protocols, and require the use of Protected Management Frames (PMF).
      • WPA3-Personal:
        • In WPA2-Personal, threat actors can listen in on the “handshake” between a wireless client and the AP and use a brute force attack to try and guess the PSK.
        • WPA3-Personal thwarts this attack by using Simultaneous Authentication of Equals (SAE), a feature specified in the IEEE 802.11-2016.
        • The PSK is never exposed, making it impossible for the threat actor to guess.

Wireless Authentication Process

  • There are two choices for authentication using WPA, WPA2, and WPA3 methods:
    • Personal:
      • Intended for home or small office networks.
      • Users authenticate using a pre-shared key (PSK).
      • Wireless clients authenticate with the wireless router using a pre-shared password.
      • No special authentication server is required.
    • Enterprise:
      • Intended for enterprise networks.
      • Requires a Remote Authentication Dial-In User Service (RADIUS) authentication server.
      • Client (Supplicant) makes the request to the Switch (Authenticator).
      • Switch forwards the request to the RADIUS Server (Authenticator Server).
      • The RADIUS server accepts or denies the request.

Other Security Measures

  • Hiding Wireless AP: Disable SSID advertisement.
  • Blocking Specific Devices: Use MAC-address filtering.

AAA (Authentication, Authorization, and Accounting)

  • AAA network security services provide the primary framework to set up access control on network devices.
  • AAA is a way to control who is permitted to access a network (authenticate), what actions they perform while accessing the network (authorize), and make a record of what was done while they are there (accounting).
  • The concept of AAA is similar to the use of a credit card: it identifies who can use it, how much that user can spend, and keeps account of what items the user spent money on.
  • Authentication:
    • Users and administrators must prove that they are who they say they are.
  • Authorization:
    • Determines which resources the user can access.
  • Accounting:
    • Keeps track of how network resources are used.

Firewall

  • Network firewalls reside between two or more networks, control the traffic between them, and help prevent unauthorized access.
  • A firewall could allow outside users controlled access to specific services.
  • Servers accessible to outside users are usually located on a special network referred to as the demilitarized zone (DMZ).
  • The DMZ enables a network administrator to apply specific policies for hosts connected to that network.

Types of Firewalls

  • Packet Filtering:
    • Prevents or allows access based on IP or MAC addresses.
  • Application Filtering:
    • Prevents or allows access by specific application types based on port numbers.
  • URL Filtering:
    • Prevents or allows access to websites based on specific URLs or keywords.
  • Stateful Packet Inspection (SPI):
    • Incoming packets must be legitimate responses to requests from internal hosts.
    • Unsolicited packets are blocked unless permitted specifically.
    • SPI can also include the capability to recognize and filter out specific types of attacks, such as denial of service (DoS).