Development of Wi-Fi protection. Protect your home WiFi network from hacking. Maximizing security

Wireless security

Wireless networks are widely used in companies of any size. Due to their low cost and ease of deployment, wireless networks can provide an advantage over wired networks in small and medium enterprises. In large institutions, wireless networks provide the network connections needed for business communication between employees in work areas or break rooms.

To take advantage of wireless networks, they must be secured. Unsecured wireless networks give hackers and other intruders, who often seek only free access to the Internet, virtually unlimited access to the corporate network. Large institutions sometimes contain unauthorized wireless networks: members of workgroups or end users ignore corporate policy and install access points (APs), which puts the enterprise in great danger. Experienced spammers and scammers use unsecured wireless networks to send bulk email messages. They roam cities and industrial areas looking for vulnerable wireless networks, and when they find them, they configure their mobile computers to connect to the network, obtain a valid IP address, DNS, and default gateway information via DHCP, and then send their messages. Users of products such as NetStumbler, or of the built-in wireless network management tool found in most laptops and PDAs, have probably detected unsecured wireless networks in their homes, neighborhoods, or businesses.

Owners of insecure networks must be prepared for reduced Internet bandwidth, for viruses and worms infiltrating the network, and even for criminal or civil liability if the insecure network is used to carry out attacks against third parties. This article discusses practical steps you can take to secure wireless networks, methods for automated deployment of settings, and tools for analyzing unsecured and rogue wireless networks.

Wireless Basics

Before you begin to secure a wireless network, you need to understand the basic principles of its organization. As a rule, wireless networks consist of access nodes and clients with wireless adapters. Access nodes and wireless adapters are equipped with transceivers to communicate with each other. Each AP and wireless adapter is assigned a 48-bit MAC address, which is functionally equivalent to an Ethernet address. Access points link wireless and wired networks, allowing wireless clients to access wired networks. Communication between wireless clients in peer-to-peer networks is possible without APs, but this method is rarely used in institutions. Each wireless network is identified by an administrator-assigned SSID (Service Set Identifier). Wireless clients can communicate with the AP if they recognize the SSID of the access point. If the wireless network has several access points with the same SSID (and the same authentication and encryption settings), then mobile wireless clients can switch between them.

The most common wireless standards are 802.11 and its enhancements. The 802.11 specification defines the characteristics of a network operating at speeds up to 2 Mbps. Improved versions provide higher speeds. The first, 802.11b, is the most widely used, but is rapidly being replaced by 802.11g. 802.11b wireless networks operate in the 2.4GHz band and provide data rates up to 11Mbps. An enhancement, 802.11a, was ratified earlier than 802.11b but came to market later. Devices of this standard operate in the 5.8 GHz band with a typical speed of 54 Mbps, but some vendors offer higher speeds, up to 108 Mbps, in turbo mode. The third, improved version, 802.11g, operates in the 2.4 GHz band, like 802.11b, at a standard speed of 54 Mbps and higher (up to 108 Mbps) in turbo mode. Most 802.11g wireless networks are capable of working with 802.11b clients due to backwards compatibility built into the 802.11g standard, but practical compatibility depends on the specific implementation of the vendor. Most modern wireless equipment supports two or more variants of 802.11. A new wireless standard, 802.16, called WiMAX, is being designed with the specific goal of providing wireless access to businesses and homes through stations similar to cell phones. This technology is not covered in this article.

The actual range of an AP depends on many factors, including the 802.11 variant and operating frequency of the equipment, manufacturer, power, antenna, exterior and interior walls, and network topology features. However, a wireless adapter with a high-gain, narrow-beam antenna can communicate with the AP and the wireless network over a considerable distance, up to about one and a half kilometers, depending on conditions.

Due to the public nature of the radio spectrum, there are unique security issues not found in wired networks. For example, to eavesdrop on messages on a wired network, you need physical access to a network component such as a device's LAN attachment point, switch, router, firewall, or host computer. A wireless network only needs a receiver, such as a conventional frequency scanner. Due to the openness of wireless networks, the developers of the standard prepared the Wired Equivalent Privacy (WEP) specification, but made its use optional. WEP uses a shared key that is known to wireless clients and access points with which they communicate. The key can be used for both authentication and encryption. WEP uses the RC4 encryption algorithm. The 64-bit key consists of 40 user-defined bits and a 24-bit initialization vector. In an attempt to improve the security of wireless networks, some equipment manufacturers have developed advanced algorithms with 128-bit or longer WEP keys, consisting of a 104-bit or longer user part and an initialization vector. WEP is used with 802.11a, 802.11b, and 802.11g compliant equipment. However, despite the increased key length, the flaws of WEP (in particular, weak authentication mechanisms and encryption keys that can be revealed by cryptanalysis methods) are well documented, and today WEP is not considered a reliable algorithm.
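The point that a longer WEP key does not help can be seen in a short sketch (an added example, not part of the original article). It assumes random IVs, omits the key-ID byte that follows the IV on the air, and uses constructed payloads; the function names are illustrative.

```python
import math
import zlib

IV_BITS = 24  # WEP's IV size; it does not grow with the secret key


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling, then XOR of data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: bytes, payload: bytes) -> bytes:
    """Simplified WEP frame body: IV || RC4(IV || secret, payload || CRC-32).

    The key-ID byte that follows the IV on the air is omitted here.
    """
    if len(iv) * 8 != IV_BITS:
        raise ValueError("WEP IV must be 24 bits")
    if len(secret) not in (5, 13):  # 40-bit or 104-bit user part
        raise ValueError("secret must be 5 or 13 bytes")
    icv = zlib.crc32(payload).to_bytes(4, "little")
    return iv + rc4(iv + secret, payload + icv)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def same_iv_leaks_plaintext_xor(secret: bytes) -> bool:
    """Two frames under one IV: ciphertext XOR equals plaintext XOR."""
    iv = bytes.fromhex("a1b2c3")              # constructed IV
    p1 = b"constructed frame one"             # constructed payloads
    p2 = b"constructed frame two"
    c1 = wep_encrypt(secret, iv, p1)[3:]      # strip the cleartext IV
    c2 = wep_encrypt(secret, iv, p2)[3:]
    n = min(len(p1), len(p2))
    return xor(c1[:n], c2[:n]) == xor(p1[:n], p2[:n])


def iv_collision_probability(frames: int) -> float:
    """P(at least one repeated IV) after `frames` frames with random IVs."""
    space = 2 ** IV_BITS
    if frames > space:
        return 1.0
    log_all_unique = sum(math.log1p(-i / space) for i in range(frames))
    return 1.0 - math.exp(log_all_unique)


if __name__ == "__main__":
    for label, secret in (("64-bit WEP", bytes(range(5))),
                          ("128-bit WEP", bytes(range(13)))):
        print(label, "same-IV leak:", same_iv_leaks_plaintext_xor(secret))
    for frames in (1000, 5000, 20000):
        print(frames, "frames ->", round(iv_collision_probability(frames), 3))
```

Both key lengths show the same leak, and the collision odds depend only on the 24-bit IV space, which is why the extended keys do not address the weakness.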

In response to the shortcomings of WEP, the Wi-Fi Alliance, an industry association with more than 200 members including Apple Computer, Cisco Systems, Dell, IBM, and Microsoft, decided to develop the Wi-Fi Protected Access (WPA) standard. WPA improves on WEP by adding TKIP (Temporal Key Integrity Protocol) and a strong authentication mechanism based on 802.1x and EAP (Extensible Authentication Protocol). WPA was supposed to be a working standard that could be submitted to an IEEE committee for approval as an extension to the 802.11 standards. An extension, 802.11i, was ratified in 2004, and WPA was upgraded to WPA2 to be compatible with the Advanced Encryption Standard (AES) instead of WEP and TKIP. WPA2 is backward compatible and can be used in conjunction with WPA. WPA was intended for enterprise networks with a RADIUS (Remote Authentication Dial-In User Service) authentication infrastructure, but a version of WPA called WPA Pre-Shared Key (WPA-PSK) has gained support from some manufacturers and is making its way into small businesses. Like WEP, WPA-PSK works with a shared key, but WPA-PSK is more secure than WEP.

Many people have the wrong idea about 802.1x. The standard is used to control access to ports in wired network switches and access nodes in wireless network APs. 802.1x does not specify an authentication method (for example, version 3 of the X.509 or Kerberos specification can be used), and there is no encryption mechanism or requirement to encrypt data.

Three steps to safety

There are three wireless network security mechanisms: configure the client and AP to use the same (non-default) SSID, allow the AP to communicate only with clients whose MAC addresses are known to the AP, and configure clients to authenticate to the AP and encrypt traffic. Most APs are configured to operate with a default SSID, no list of allowed client MAC addresses, and a known pre-shared key for authentication and encryption (or no authentication and encryption at all). Typically, these settings are documented in the online help system on the manufacturer's Web site. These options make it easy for an inexperienced user to set up and start a wireless network, but they also make it easier for hackers to break into the network. To make matters worse, most APs are configured to broadcast the SSID. Therefore, an attacker can find vulnerable networks using standard SSIDs.

The first step to a secure wireless network is to change the default SSID of the access point. In addition, you must change this setting on the client to enable communication with the AP. It is convenient to assign an SSID that is meaningful to the administrator and users of the enterprise, but does not explicitly identify this wireless network from other SSIDs intercepted by unauthorized persons.

The next step is to block the AP from broadcasting the SSID if possible. As a result, it becomes more difficult (although still possible) for an attacker to detect the presence of a wireless network and SSID. Some APs cannot cancel the SSID broadcast. In such cases, you should increase the broadcast interval as much as possible. In addition, some clients may only communicate if the AP broadcasts the SSID. Thus, you may need to experiment with this setting to find the mode that suits your situation.

After that, you can allow access to access nodes only from wireless clients with known MAC addresses. Such a measure is hardly appropriate in a large organization, but in a small enterprise with a small number of wireless clients, this is a reliable additional line of defense. Attackers will need to figure out the MAC addresses that are allowed to connect to the enterprise AP and change the MAC address of their own wireless adapter to the allowed one (on some adapter models, the MAC address can be changed).

Selecting authentication and encryption options can be the most difficult part of securing a wireless network. Before assigning parameters, it is necessary to inventory access points and wireless adapters in order to establish the security protocols they support, especially if the wireless network is already organized using a variety of equipment from different vendors. Some devices, especially older APs and wireless adapters, may not be compatible with WPA, WPA2, or extended WEP keys.

Another situation to be aware of is that some older devices require users to enter a hexadecimal number that represents a key, while other older APs and wireless adapters require a passphrase that is converted to a key. As a result, it is difficult to use one key for all equipment. Owners of such equipment can use resources such as the WEP Key Generator to generate random WEP keys and convert passphrases to hexadecimal numbers.

In general, WEP should only be used when absolutely necessary. If the use of WEP is mandatory, it is worth choosing the maximum length of the keys and setting the network to Open mode instead of Shared. In Open mode, no client authentication is performed on the network, and anyone can establish a connection with access nodes. These preparatory connections partially load the wireless link, but attackers who establish a connection at the AP will not be able to continue communicating because they do not know the WEP encryption key. You can even block tentative connections by configuring the AP to only accept connections from known MAC addresses. Unlike Open, in Shared mode, the access point uses the WEP key to authenticate wireless clients in a challenge-response procedure, and an attacker can decrypt the sequence and determine the WEP encryption key.

If you can use WPA, then you must choose between WPA, WPA2, and WPA-PSK. The main factor in choosing WPA or WPA2 on the one hand, and WPA-PSK on the other, is the ability to deploy the infrastructure required by WPA and WPA2 for user authentication. WPA and WPA2 require RADIUS and possibly Public Key Infrastructure (PKI) servers to be deployed. WPA-PSK, like WEP, works with a shared key known to the wireless client and the AP. WPA-PSK can safely use the pre-shared key for both authentication and encryption, since it does not have the disadvantage of WEP (the ability to find out the encryption key by cryptanalysis of the authentication procedure).

Naturally, access points from different vendors have different user interfaces and configuration methods, so it is not possible to provide a single list of detailed instructions for all devices. But the above information will be useful when setting up access nodes.
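Since vendor interfaces differ, the steps above can be checked against an exported inventory of AP settings instead. The following audit is an added example, not part of the original article; the `ApConfig` fields, the finding codes and the sample SSID list are hypothetical, and the fleet data is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Sample factory SSIDs for illustration; extend from your vendors' manuals.
DEFAULT_SSIDS = {"linksys", "netgear", "default", "dlink", "tsunami"}
STRONG_MODES = {"wpa", "wpa2", "wpa-psk"}


@dataclass
class ApConfig:
    """Hypothetical, vendor-neutral view of one access point's settings."""
    name: str
    ssid: str
    broadcast_ssid: bool
    security: str                 # "none", "wep", "wpa-psk", "wpa" or "wpa2"
    wep_key_bits: int = 0         # 64 or 128 (including the 24-bit IV)
    wep_auth_mode: str = ""       # "open" or "shared"
    mac_allowlist: List[str] = field(default_factory=list)


Finding = Tuple[str, str, str]    # (severity, code, advice)


def audit(ap: ApConfig) -> List[Finding]:
    """Check one AP against the steps described in the article."""
    findings: List[Finding] = []
    if ap.ssid.strip().lower() in DEFAULT_SSIDS:
        findings.append(("high", "DEFAULT_SSID",
                         "change the factory SSID on the AP and its clients"))
    if ap.broadcast_ssid:
        findings.append(("low", "SSID_BROADCAST",
                         "disable SSID broadcast or lengthen its interval"))
    if not ap.mac_allowlist:
        findings.append(("info", "NO_MAC_FILTER",
                         "on small networks, allow only known client MACs"))
    mode = ap.security.strip().lower()
    if mode == "none":
        findings.append(("high", "NO_ENCRYPTION",
                         "enable WPA2, WPA or WPA-PSK"))
    elif mode == "wep":
        findings.append(("high", "WEP_IN_USE",
                         "use WEP only when equipment supports nothing else"))
        if ap.wep_key_bits < 128:
            findings.append(("medium", "WEP_SHORT_KEY",
                             "choose the maximum supported key length"))
        if ap.wep_auth_mode.strip().lower() == "shared":
            findings.append(("medium", "WEP_SHARED_AUTH",
                             "switch authentication from Shared to Open"))
    elif mode not in STRONG_MODES:
        findings.append(("medium", "UNKNOWN_SECURITY_MODE",
                         f"unrecognised mode {ap.security!r}; verify by hand"))
    return findings


def audit_fleet(fleet: List[ApConfig]) -> Dict[str, List[str]]:
    """Map each AP name to the list of finding codes raised for it."""
    return {ap.name: [code for _, code, _ in audit(ap)] for ap in fleet}


# Constructed sample inventory.
FLEET = [
    ApConfig("lobby-ap", "linksys", True, "wep", 64, "shared"),
    ApConfig("lab-ap", "bluefin", False, "wep", 128, "open",
             ["02:00:00:00:00:10"]),
    ApConfig("office-ap", "bluefin", False, "wpa2",
             mac_allowlist=["02:00:00:00:00:11"]),
]

if __name__ == "__main__":
    for name, codes in audit_fleet(FLEET).items():
        print(f"{name}: {', '.join(codes) or 'no findings'}")
```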

Windows client setup

Windows Server 2003 and Windows XP make it easy to configure a client for wireless networks, especially networks with WEP. Microsoft introduced the Wireless Zero Configuration service in XP and named it the Wireless Configuration service in Windows 2003. The running service monitors wireless adapters to receive SSID broadcasts from APs. If a broadcast of a known SSID is received and there is enough configuration information available, then Windows automatically connects to the network (if configured to connect). The Wireless Configuration Service displays a standard dialog box for configuring wireless network settings, regardless of the installed wireless adapter. Unfortunately, the service does not work with all wireless adapters; if it does not work with a particular card, you must disable it and use the driver and configuration tool kit that comes with the network adapter.

To use the configuration service, open the Network Connections utility in Control Panel, right-click on the wireless adapter icon, select Properties, and navigate to the Wireless Networks tab. Make sure Use Windows to configure my wireless network settings is enabled and click the Add button to configure your wireless network. Figure 1 shows a dialog box for entering wireless network settings. Then enter the SSID for the wireless network you want to connect to and select the method for Network Authentication. If you select Open or Shared, then you can specify one of the values in the Data encryption field: WEP or Disabled. If WPA or WPA-PSK is selected, TKIP or AES encryption algorithms can be used.

Figure 1: Configuring Wireless Settings in XP

When using WPA or WPA-PSK for authentication or encryption, you can enter an authentication or encryption key (to enable the Network key field and the Confirm network key field, you must deselect The key is provided for me automatically). If more than one key exists, the key number, or index, should be selected. Some access points and wireless adapters can store and use up to four keys for increased flexibility. For example, keys can be changed weekly by manually selecting a key from a list every Monday morning.

Rogue Access Point Detection

As noted above, rogue access nodes can be a huge threat to an enterprise. But because of the benefits and ease of setting up an AP (especially if using the default settings), it's very likely that someone will one day install an access point on an enterprise network.

Finding unauthorized access points can be difficult, but it is necessary for reliable protection. Windows 2003 introduced a new Microsoft Management Console (MMC) snap-in called Wireless Network Monitor that can be used to log network client activity and locate access nodes. However, installing Windows 2003 on laptops just for the MMC snap-in is inconvenient, expensive, and generally unnecessary. Most laptops and PDAs with built-in wireless adapters have tools suitable for finding rogue APs.

If your laptop or PDA doesn't come with this tool, or you need advanced features like GPS (global positioning system combined with a bi-directional antenna and compass to triangulate the location of a rogue AP), then a free tool like NetStumbler may be preferable. There are two versions available at the address, one for Windows 2000 and later and one for Windows CE devices called MiniStumbler. Figure 2 shows NetStumbler running on a Dell laptop with XP Service Pack 2 (SP2) and a Dell TrueMobile 1400, one of many NetStumbler compatible wireless adapters.

With NetStumbler, you can detect rogue APs by simply running the program on a laptop computer and walking around the enterprise with a laptop. The discovered access nodes are displayed on the screen. Thus, you can get information about the MAC address of the access point, the channel being listened to, encryption and provider. In addition, NetStumbler shows the signal-to-noise ratio for the radio signal. The higher the number, the shorter the distance to the AP.

Before rogue APs can be detected, the MAC address and SSID of each legitimate AP in the enterprise must be known. When deploying access points, record their MAC address, SSID, and location. When walking the site with NetStumbler, look for access points with unknown SSIDs and unknown MAC addresses. When you find unauthorized devices, record where you detected them, then walk in different directions and note the direction in which the SNR increases. If you keep going in that direction, sooner or later the AP will be found, or at least its approximate location will be narrowed down for a more thorough search later. Note that the AP may be on the floor or on the ceiling.

It is especially important to note that a skilled hacker can set up an AP with the same SSID that is used on the network, hoping to catch unsuspecting users off guard. By connecting to an unauthorized AP, users will attempt to access network resources such as a mail server and applications hosted on the Web. They will not be able to access resources through the attacker's AP, but until they find out, they can reveal their passwords and user names. Help desk personnel should be trained to track calls about wireless network problems that could be indicative of rogue access points, and to ask users to report their location. Reported signals should be investigated using NetStumbler or other tools, and the MAC addresses of all APs in the area should be checked to make sure they are legitimately installed.
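The comparison of survey results against the recorded inventory can be automated. This is an added example, not part of the original article and not NetStumbler's own format: the inventory, the sighting records and their field names are constructed, and the verdict labels are hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Constructed inventory recorded at deployment: (MAC, SSID, location).
INVENTORY: List[Tuple[str, str, str]] = [
    ("02:00:00:AA:00:01", "bluefin", "Floor 1 lobby"),
    ("02:00:00:AA:00:02", "bluefin", "Floor 2 east"),
]

# Constructed walk-around sightings; "seen_at" is where the surveyor stood.
SIGHTINGS: List[dict] = [
    {"bssid": "020000AA0001", "ssid": "bluefin", "snr": 41, "seen_at": "lobby"},
    {"bssid": "02-00-00-bb-00-09", "ssid": "bluefin", "snr": 18, "seen_at": "lobby"},
    {"bssid": "02-00-00-bb-00-09", "ssid": "bluefin", "snr": 37, "seen_at": "cafeteria"},
    {"bssid": "02:00:00:cc:00:07", "ssid": "linksys", "snr": 22, "seen_at": "room 214"},
    {"bssid": "02:00:00:aa:00:02", "ssid": "guest", "snr": 30, "seen_at": "floor 2"},
]

# Higher rank wins when one BSSID earns different verdicts over a survey.
RANK = {"authorized": 0, "unknown-ap": 1, "ssid-mismatch": 2,
        "possible-impersonation": 3}


def norm_mac(mac: str) -> str:
    """Normalise a MAC so that case and separators do not hide a match."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(sightings: List[dict],
             inventory: List[Tuple[str, str, str]]) -> Dict[str, dict]:
    """Return one record per observed BSSID with a verdict and best SNR."""
    known = {norm_mac(mac): ssid for mac, ssid, _ in inventory}
    known_ssids = set(known.values())
    report: Dict[str, dict] = {}
    for s in sightings:
        mac = norm_mac(s["bssid"])
        if mac in known:
            # Known radio: the SSID must match what was recorded for it.
            verdict = "authorized" if known[mac] == s["ssid"] else "ssid-mismatch"
        elif s["ssid"] in known_ssids:
            # Corporate SSID from a radio that was never deployed.
            verdict = "possible-impersonation"
        else:
            verdict = "unknown-ap"
        entry = report.setdefault(mac, {"ssid": s["ssid"], "verdict": verdict,
                                        "best_snr": s["snr"],
                                        "best_location": s["seen_at"]})
        if RANK[verdict] > RANK[entry["verdict"]]:
            entry["verdict"] = verdict
            entry["ssid"] = s["ssid"]
        if s["snr"] > entry["best_snr"]:
            # Strongest sighting marks where to start the physical search.
            entry["best_snr"] = s["snr"]
            entry["best_location"] = s["seen_at"]
    return report


def needs_follow_up(report: Dict[str, dict]) -> List[str]:
    """BSSIDs to investigate, most serious verdict first, then strongest SNR."""
    flagged = [m for m, e in report.items() if e["verdict"] != "authorized"]
    return sorted(flagged, key=lambda m: (-RANK[report[m]["verdict"]],
                                          -report[m]["best_snr"]))


if __name__ == "__main__":
    result = classify(SIGHTINGS, INVENTORY)
    for mac in needs_follow_up(result):
        e = result[mac]
        print(f"{mac} {e['ssid']!r}: {e['verdict']}, strongest at "
              f"{e['best_location']} (SNR {e['best_snr']})")
```

An unknown AP may simply belong to a neighbour, so the verdicts only prioritise which signals to walk toward first.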


For more information on securing a wireless network for businesses of all sizes and even home users, see Joseph Davies' excellent book Deploying Secure 802.11 Wireless Networks with Microsoft Windows (Microsoft Press, 2003). At the address you can get information about the book and how to purchase it, as well as find a link to additional materials. An excellent operational resource - . This page is in the Windows 2003 section of the Microsoft Web site, but it also has links to information for XP.

Wireless networks are more convenient than wired ones, but they can also be vulnerable to hackers and malware (such as worms). Because wireless networks use radio waves that can travel through walls, the network signal can travel outside the home.

If you do not try to secure the network, nearby computer users will be able to access data stored on network computers and use your Internet connection. By setting a security key on a wireless network, you can protect against unauthorized access.

Ways to secure your wireless network

The wireless network should be configured so that only selected users have access to it.

Several wireless security settings are described below:

Wi-Fi Protected Access Technology (WPA and WPA2)

Wi-Fi Protected Access Technology encrypts information and verifies that the network security key has not been changed. In addition, Wi-Fi Protected Access technology performs user authentication to ensure that only authorized users access the network.

There are two types of WPA authentication: WPA and WPA2.

WPA is designed to work with all wireless network adapters, but it is not compatible with older routers or access points. WPA2 is more secure than WPA, but it is not compatible with some older network adapters.

WPA is designed to be used with an 802.1x authentication server that generates a different key for each user. Then it is called WPA-Enterprise or WPA2-Enterprise. It can also be used in pre-shared key (PSK) mode, where each user receives the same passphrase. Then it is called WPA-Personal or WPA2-Personal.

Wired Equivalent Privacy Protocol (WEP)

WEP is an old network security method that is still available to support older devices, but its use is no longer recommended. When WEP is enabled, a network security key is set. This encryption key is sent across the network from one computer to another. However, the security of WEP is relatively easy to crack.

Attention! It is recommended to use WPA2 whenever possible. WEP is not recommended. WPA or WPA2 is more secure. If WPA or WPA2 does not work when you try to use it, we recommend that you update your network adapter to one that works with WPA or WPA2.

802.1x authentication

802.1x authentication can enhance the security of 802.11 wireless networks and Ethernet networks. 802.1x authentication uses an authentication server to verify users and grant permission to access the network. On wireless networks, 802.1x authentication can be used with WPA, WPA2, or WEP protocol keys. This type of authentication is typically used to connect to the network at the workplace.

So, you bought a wireless adapter, connected it to the network, set up an Internet connection - and you have complete wireless freedom. Now, to access the network, you do not need to connect a cable, you just need to be in the wireless network coverage area - and this is much easier and more convenient. However, it is simple and convenient not only for you. Indeed, unlike wired networks, in order to hack wireless networks, it is enough to be in their coverage area, which can extend beyond buildings.

Do not think that you have nothing to fear if you have installed a wireless network at home. Of course, it is unlikely that any confidential information will be stored on your home computer (although it may be), and the most that an attacker can count on is your personal photo archive and a selection of your favorite music. However, the main danger of hacking home wireless networks is not this. Hackers are usually interested in your access to the Internet.

If you pay for the Internet according to the traffic you consume, such an unauthorized connection can lead to extra charges. Owners of unlimited plans cannot feel safe either. Of course, they will not suffer financially if someone else starts using their Internet access, but there is a danger that the speed of the connection will drop, especially if the freeloader is not modest and starts running peer-to-peer traffic through your channel at full capacity.

Well, there is no need to talk about the need to protect wireless networks in an enterprise - the work of a modern organization is often so dependent on the IT infrastructure that failures and violations of the protection of local networks can completely destroy effective activity.

Encryption

Encryption is one of the most obvious ways to secure a wireless network. In theory, everything is simple: for a user device to connect to the wireless network, it must prove its right to do so through authentication. Thus, to protect information in computer networks, it is enough to restrict access to the network using passwords or other means of authentication.

Historically, the first such method of securing wireless networks was WEP encryption. For some time the algorithm provided fairly reliable protection, but in 2001 cryptanalysts published several studies that drew attention to vulnerabilities in it, because of which a connection protected by this algorithm can be hacked within a few minutes. Although such encryption is better than transmitting data over an unencrypted connection, it is not suitable for protecting wireless networks from hackers. Despite this, a large number of wireless networks are still protected by this algorithm, because outdated equipment does not support modern protection methods. However, despite the errors in the implementation of one encryption method, encryption as an approach to protecting information in networks is quite effective. Therefore, WEP was followed by another algorithm free of its predecessor's shortcomings: WPA.

In addition to fixing the errors in the encryption algorithm, this security method introduced the extended authentication protocol EAP, the Temporal Key Integrity Protocol (TKIP), and the MIC message integrity mechanism. It would seem that this impressive set of technologies should provide a high level of protection for computer networks. However, not so long ago, in 2009, evidence was presented that any connection protected by this protocol can be hacked (moreover, with favorable combinations of settings, it takes about 1 minute to overcome the protection). Nevertheless, encryption as a method of protecting wireless networks is not giving up its position. In 2004, long before WPA was compromised, a new protocol, WPA2, was developed. The main difference from WPA is the change from the fundamentally vulnerable RC4 encryption method to the more secure AES algorithm. At the moment, there are no reports that such protection of computer networks can be hacked.

However, a serious obstacle to fully adopting WPA2, a modern method that resists attempts to bypass wireless network protection, is support for it in client devices. There is no problem if you are deploying a network from scratch: all modern devices released after 2006 support this method of protecting information in networks. However, if you have wireless devices that you would like to use in wireless networks and they do not support WPA2, do not forget that encryption is not the only effective way to protect computer networks.

MAC address filtering

Such a method of protecting local networks as access filtering by MAC addresses is quite effective. The MAC address is the unique number of the network interface (network card). Thus, knowing in advance the MAC addresses of trusted devices, you can configure the security of your wireless network. However, since it is possible to change the factory MAC address on modern network equipment, this method of protecting information on the network may not be effective. After all, if an attacker somehow gains access to a trusted device, he can copy its MAC address, and, in the future, use it to penetrate the network from any other device (if, of course, it supports changing the MAC address). However, this method can be used in addition to others, and thus increase the security of the wireless network.

Hiding the SSID

In order for something to be hacked, it needs to be seen, or at least known to exist. And while this method is not suitable for protecting a wired local network (try hiding the wires), for wireless networks it is a pretty good option. By default, the access point constantly broadcasts its SSID, the wireless network identifier. It is this identifier that the network card of your laptop or communicator picks up when a message appears saying that a new wireless network has been detected. Not broadcasting the SSID does not make the network impossible to discover, but it makes it much harder for an attacker to detect the network and even harder to connect to it. However, this method of protecting information in networks has a disadvantage: when connecting new devices to an existing wireless network, you will need to enter the network name manually.

In general, such a method of protecting information as a VPN was invented not so much to protect wireless networks, but to organize a secure connection to a remote local network via the Internet. However, this technology works great on wireless networks and is great for securing LANs. In this case, the wireless network itself can be completely devoid of other protection, but there will be no open resources in it - all vulnerable resources are in a virtual network, the only interface to which is available only through the wireless network. Modern encryption algorithms provide high resistance of such a connection and reliable protection of information in computer networks.

The topic of protecting wireless networks is quite extensive, but the general rules for protecting information in networks are generally the same. If you want to get truly hack-resistant protection of computer networks, then it is better to combine several protection methods.

The combination of a multilayer local network protection system (the most advanced encryption option, SSID hiding, MAC address filtering and data transmission over VPN) will provide effective information protection in computer networks. However, in the pursuit of efficiency, try to strike a balance between the reliability of protection and ease of use - after all, the more checks and obstacles your wireless network has, the more difficult it will be to use. Therefore, when thinking about protecting your local network, think about the likelihood of a hacker attack on your network - do not overload the network with unjustified security measures, this can adversely affect performance and lead to bandwidth losses.

Unauthorized access - reading, updating or destroying information in the absence of appropriate authority.

Unauthorized access is carried out, as a rule, using someone else's name, changing the physical addresses of devices, using information left after solving problems, modifying software and information support, stealing information media, installing recording equipment.

To successfully protect their information, users must have an absolutely clear idea of the possible ways of unauthorized access. The main typical ways of obtaining information without authorization are:

· theft of storage media and production waste;

· copying of storage media while bypassing protection measures;

· masquerading as a registered user;

· spoofing (masquerading as system requests);

· exploiting shortcomings of operating systems and programming languages;

· the use of software implants and software blocks such as a "Trojan horse";

· interception of electromagnetic emissions;

· interception of acoustic emissions;

· remote photography;

· the use of listening devices;

· malicious disabling of protection mechanisms, etc.

To protect information from unauthorized access, apply:

1) organizational measures;

2) technical means;

3) software;

4) encryption.

Organizational activities include:

· access mode;

· storage of media and devices in a safe (floppy disks, monitor, keyboard, etc.);

· restriction of access of persons to computer rooms, etc.

Technical means include:

· filters and screens for equipment;

· a key to lock the keyboard;

· authentication devices for reading fingerprints, hand shape, iris, typing speed and technique, etc.;

· electronic keys on microcircuits, etc.

Software tools include:

· password access, which sets the user's authority;

· locking the screen and keyboard using a key combination in the Diskreet utility from the Norton Utilities package;

· use of BIOS password protection tools, on the BIOS itself and on the PC as a whole, etc.

Encryption is the transformation (encoding) of open information into an encrypted form that outsiders cannot understand. Methods of encryption and decryption of messages are studied by the science of cryptology, the history of which is about four thousand years old.

2.5. Information security in wireless networks

The incredibly fast pace of adoption of wireless solutions in today's networks makes us think about the reliability of data protection.

The very principle of wireless data transmission includes the possibility of unauthorized connections to access points.

An equally dangerous threat is the likelihood of equipment theft. If the wireless network security policy is based on MAC addresses, then a network card or access point stolen by an intruder can open access to the network.

Often, unauthorized connection of access points to the LAN is performed by the employees of the enterprise themselves, who do not think about protection.

Problems like these need to be addressed in a comprehensive manner. Organizational measures are selected based on the operating conditions of each specific network. With regard to technical measures, a very good result is achieved with the use of mandatory mutual authentication of devices and the introduction of active controls.

In 2001, the first implementations of drivers and programs appeared to handle WEP encryption. The most successful one is PreShared Key. But even it is good only with reliable encryption and regular replacement of high-quality passwords (Fig. 1).

Figure 1 - Algorithm for analyzing encrypted data

Modern requirements for protection

Authentication

Currently, in various network equipment, including wireless devices, a more modern authentication method is widely used, which is defined in the 802.1x standard - until mutual verification is carried out, the user can neither receive nor transmit any data.

A number of developers use the EAP-TLS and PEAP protocols for authentication in their devices. Cisco Systems offers the following protocols for its wireless networks, in addition to those mentioned: EAP-TLS, PEAP, LEAP, EAP-FAST.

All modern authentication methods imply support for dynamic keys.

The main disadvantage of LEAP and EAP-FAST is that these protocols are supported mainly in Cisco Systems equipment (Fig. 2).

Figure 2 - 802.11x packet structure using TKIP-PPK, MIC and WEP encryption.

Encryption and Integrity

Based on the 802.11i recommendations, Cisco Systems implemented the TKIP (Temporal Key Integrity Protocol) protocol, which changes the PPK (Per Packet Keying) encryption key in each packet and provides MIC (Message Integrity Check) message integrity control.

Another promising encryption and integrity protocol is AES (Advanced Encryption Standard). It has better cryptographic strength compared to DES and GOST 28147-89. It provides both encryption and integrity.

Note that the algorithm used in it (Rijndael) does not require large resources either during implementation or during operation, which is very important for reducing data latency and processor load.

The security standard for wireless LANs is 802.11i.

The Wi-Fi Protected Access (WPA) standard is a set of rules that enforce data protection over 802.11x networks. Since August 2003, WPA compliance has been a requirement for Wi-Fi Certified equipment.

The WPA specification includes a modified TKIP-PPK protocol. Encryption is performed on a combination of several keys, the current one and the subsequent one. At the same time, the IV length is increased to 48 bits. This makes it possible to implement additional measures to protect information, for example, to tighten the requirements for reassociation and reauthentication.

The specs include support for 802.1x/EAP, shared key authentication, and, of course, key management.

Table 3 - Ways to implement security policy

Index:

· Support for modern OS

· Software complexity and resource intensity of authentication

· Management complexity

· Single Sign on (single login in Windows)

· Dynamic Keys

· One Time Passwords

Given the use of modern hardware and software, it is currently quite possible to build a secure and attack-resistant wireless network based on the 802.11x series standards.

A wireless network is almost always connected to a wired network, so in addition to protecting the wireless channels, protection must also be provided in the wired network. Otherwise, the network will have fragmented protection, which is in itself a security risk. It is advisable to use equipment that has a Wi-Fi Certified certificate, that is, one confirming WPA compliance.

Implement 802.11x/EAP/TKIP/MIC and dynamic key management. In the case of a mixed network, VLANs should be used; with external antennas, VPN technology is used.

It is necessary to combine both protocol and software methods of protection, as well as administrative ones.

Password and MAC address filtering should protect you from being hacked. In fact, safety is more dependent on your discretion. Inappropriate security methods, a simple password, and a careless attitude towards strangers on a home network provide attackers with additional opportunities to attack. In this article, you will learn how you can crack a WEP password, why you should abandon filters, and how to secure your wireless network from all sides.

Protection from uninvited guests

Your network is not secure, therefore, sooner or later, an outsider will connect to your wireless network - perhaps not even on purpose, because smartphones and tablets are able to automatically connect to insecure networks. If he just opens a few sites, then, most likely, nothing terrible will happen except for traffic consumption. The situation will become more complicated if a guest starts downloading illegal content through your Internet connection.

If you have not taken any security measures yet, then go to the router interface through a browser and change the network access data. The router address usually looks like this: http://192.168.1.1. If this is not the case, then you can find out the IP address of your network device through the command line. In the Windows 7 operating system, click on the "Start" button and type "cmd" in the search bar. Call the network settings with the "ipconfig" command and find the line "Default gateway". The specified IP is the address of your router, which you need to enter in the address bar of your browser. The location of the router's security settings varies by manufacturer. As a rule, they are located in a section with a name like "WLAN | Safety".

If your wireless network uses an insecure connection, you should be especially careful with the content that is located in the shared folders, because in the absence of protection, it is in the full possession of other users. At the same time, in the Windows XP Home operating system, the situation with general access is simply catastrophic: by default, passwords cannot be set here at all - this function is present only in the professional version. Instead, all network requests are made through an insecure guest account. You can secure the network in Windows XP with the help of a little manipulation: launch the command prompt, enter "net user guest YourNewPassword" and confirm the operation by pressing the "Enter" key. After restarting Windows, it will be possible to access network resources only if you have a password, however, finer tuning in this version of the OS, unfortunately, is not possible. Much more convenient management of sharing settings is implemented in Windows 7. Here, in order to limit the circle of users, it is enough to go to the "Network and Sharing Center" in the Control Panel and create a password-protected home group.

The lack of proper protection in a wireless network is a source of other dangers, as hackers can use special programs (sniffers) to detect all unsecured connections. Thus, it will be easy for hackers to intercept your identification data from various services.

Hackers

As before, the two most popular security methods today are MAC address filtering and hiding the SSID (network name): these security measures will not keep you safe. In order to reveal the network name, an attacker only needs a WLAN adapter, which switches to monitoring mode with the help of a modified driver, and a sniffer - for example, Kismet. The cracker monitors the network until a user (client) connects to it. It then manipulates the data packets and thus kicks the client out of the network. When the user reconnects, the attacker sees the network name. It seems complicated, but in fact the whole process only takes a few minutes. Bypassing the MAC filter is also easy: the attacker determines the MAC address and assigns it to his device. Thus, the connection of an outsider remains unnoticed by the owner of the network.

If your device supports only WEP encryption, take immediate action - even non-professionals can crack such a password in a few minutes.

The Aircrack-ng software package, which, in addition to a sniffer, includes an application for downloading and modifying WLAN adapter drivers, and also allows you to recover a WEP key, is especially popular among cyber scammers. Known hacking methods are PTW and FMS/KoreK attacks, in which traffic is intercepted and a WEP key is calculated based on its analysis. In this situation, you have only two options: first, you should look for the latest firmware for your device that will support the latest encryption methods. If the manufacturer does not provide updates, it is better to refuse to use such a device, because in doing so you jeopardize the security of your home network.

The popular advice to cut Wi-Fi range gives only the appearance of protection. Neighbors will still be able to connect to your network, and attackers often use Wi-Fi adapters with a long range.

Public hotspots

Places with free Wi-Fi attract cyber scammers, as huge amounts of information pass through them, and anyone can use hacking tools. Public hotspots can be found in cafes, hotels and other public places. But other users of the same networks can intercept your data and, for example, take control of your accounts on various web services.

Cookie protection. Some attack methods are really so simple that anyone can use them. The Firesheep Firefox extension automatically reads and lists the accounts of other users, including Amazon, Google, Facebook, and Twitter. If a hacker clicks on one of the entries in the list, he will immediately have full access to the account and be able to change the user's data at will. Firesheep does not crack passwords, but only copies active unencrypted cookies. To protect yourself from such interceptions, you should use the special HTTPS Everywhere add-on for Firefox. This extension forces online services to always use an encrypted connection over HTTPS if supported by the service provider's server.

Android protection. In the recent past, a flaw in the Android operating system attracted everyone's attention, due to which fraudsters could gain access to your accounts in services such as Picasa and Google Calendar, as well as read contacts. Google fixed this vulnerability in Android 2.3.4, but most of the devices previously purchased by users have older versions of the system installed. You can use the SyncGuard application to protect them.

WPA2

The best protection is provided by WPA2 technology, which has been used by computer equipment manufacturers since 2004. Most devices support this type of encryption. But, like other technologies, WPA2 has its weak point: using a dictionary attack or the brute force method, hackers can crack passwords, but only if they are weak. Dictionary attacks simply iterate over the keys stored in their databases, as a rule all possible combinations of numbers and names. Passwords like "1234" or "Ivanov" are guessed so quickly that the cracker's computer doesn't even have time to warm up.

The bruteforce method does not involve using a ready-made database, but, on the contrary, guessing a password by listing all possible combinations of characters. In this way, a cracker can calculate any key - the only question is how long it will take him. NASA in its security guidelines recommends a password of at least eight characters, and preferably sixteen. First of all, it is important that it consists of lowercase and uppercase letters, numbers and special characters. It would take decades for a hacker to crack such a password.
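The two weaknesses described above (dictionary hits and short search spaces) can be checked before a passphrase is set on the router. The following is an added example, not part of the original article; the word list is a constructed stand-in and the guess rate is an assumed figure, not a measurement.

```python
import string

# Constructed mini word list standing in for a real dictionary of names and numbers.
COMMON = {"1234", "12345678", "password", "qwerty123", "ivanov"}
GROUPS = (string.ascii_lowercase, string.ascii_uppercase,
          string.digits, string.punctuation)
SECONDS_PER_YEAR = 365 * 24 * 3600

def audit_passphrase(passphrase, guesses_per_second=1e5):
    """Check a WPA2 passphrase against the guidance above and estimate how long
    trying every combination would take. guesses_per_second is an assumption."""
    findings = []
    if not 8 <= len(passphrase) <= 63:
        findings.append("length outside the 8 to 63 characters WPA2-PSK accepts")
    elif len(passphrase) < 16:
        findings.append("shorter than the preferred 16 characters")
    if passphrase.lower() in COMMON:
        findings.append("present in the dictionary, so length does not help")
    used = [g for g in GROUPS if any(c in g for c in passphrase)]
    if len(used) < len(GROUPS):
        findings.append(f"uses {len(used)} of {len(GROUPS)} character classes")
    # Brute force must cover every string of this length over the used alphabet.
    alphabet = sum(len(g) for g in used)
    keyspace = alphabet ** len(passphrase)
    years = keyspace / guesses_per_second / SECONDS_PER_YEAR
    return {"findings": findings, "years_to_exhaust": years}

if __name__ == "__main__":
    for candidate in ("Ivanov", "sunflower", "kitchen-Table7!vase"):
        result = audit_passphrase(candidate)
        print(f"{candidate!r}: {result['years_to_exhaust']:.3g} years, "
              f"{result['findings']}")
```

The estimate is a worst case for exhaustive search only; a passphrase that appears in a dictionary falls immediately, whatever its length.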

Your network is not yet completely secure, since all users inside it have access to your router and can make changes to its settings. Some devices provide additional security features that you should also take advantage of.

First of all, disable the ability to manipulate the router via Wi-Fi. Unfortunately, this feature is only available on some devices, such as Linksys routers. All modern router models also have the ability to set a password for the management interface, which allows you to restrict access to settings.

Like any program, the firmware of the router is imperfect - small flaws or critical holes in the security system are not excluded. Usually, information about this is instantly distributed over the Web. Check regularly for new firmware for your router (some models even have an automatic update feature). Another plus of flashing is that it can add new features to the device.

Periodic analysis of network traffic helps to recognize the presence of intruders. In the router management interface, you can find information about which devices connected to your network and when. It is more difficult to find out how much data a particular user has downloaded.
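One way to turn the router's device list into a routine check is to compare it against an inventory of your own devices. This is an added example, not part of the original article; the client table format, hostnames and inventory are constructed and will differ from what a given router exports.

```python
from collections import defaultdict

# Constructed sample of a client table as a router's management page might
# export it: MAC, hostname, first seen, band. Not output from a real device.
CLIENT_TABLE = """\
a4:5e:60:11:22:33 laptop-anna 2024-03-01T08:02 5GHz
3c:22:fb:44:55:66 phone-anna 2024-03-01T08:05 2.4GHz
A4-5E-60-11-22-33 unknown 2024-03-01T08:40 2.4GHz
de:ad:be:00:00:01 android-7f3 2024-03-01T23:17 2.4GHz
"""

# Hypothetical inventory kept by the network owner: MAC -> expected hostname.
KNOWN_DEVICES = {
    "a4:5e:60:11:22:33": "laptop-anna",
    "3c:22:fb:44:55:66": "phone-anna",
}

def normalize_mac(mac):
    """Lower-case with ':' separators so 'A4-5E-..' and 'a4:5e:..' compare equal."""
    digits = mac.lower().replace("-", "").replace(":", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit_clients(table, known):
    """Return (unknown, suspect): MACs missing from the inventory, and inventory
    MACs seen under an unexpected hostname, which can point to a cloned address."""
    seen = defaultdict(set)
    for line in table.splitlines():
        if not line.strip():
            continue
        mac, host, *_ = line.split()
        seen[normalize_mac(mac)].add(host)
    unknown = sorted(m for m in seen if m not in known)
    suspect = sorted(m for m, hosts in seen.items()
                     if m in known and hosts != {known[m]})
    return unknown, suspect

if __name__ == "__main__":
    unknown, suspect = audit_clients(CLIENT_TABLE, KNOWN_DEVICES)
    print("not in inventory:", unknown)
    print("known MAC, unexpected hostname:", suspect)
```

The second list matters because a copied MAC address passes a MAC filter; a known address that shows up under a different hostname is worth a closer look.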

Guest access - a means of protecting your home network

If you protect your router with a strong password when using WPA2 encryption, you will no longer be in danger. But only until you share your password with other users. Friends and acquaintances who with their smartphones, tablets or laptops want to access the Internet through your connection are a risk factor. For example, the possibility that their devices are infected with malware cannot be ruled out. However, because of this, you will not have to refuse your friends, since the top models of routers, such as Belkin N or Netgear WNDR3700, have guest access specifically for such cases. The advantage of this mode is that the router creates a separate network with its own password, and the home network is not used.

Reliability of security keys

WEP (WIRED EQUIVALENT PRIVACY). Uses a pseudo-random number generator (RC4 algorithm) to obtain the key, as well as initialization vectors. Since the last component is not encrypted, it is possible for third parties to intervene and recreate the WEP key.

WPA (WI-FI PROTECTED ACCESS) Based on the WEP mechanism, but offers a dynamic key for advanced security. Keys generated using the TKIP algorithm can be cracked through a Beck-Tews or Ohigashi-Moriya attack. To do this, individual packets are decrypted, manipulated and sent back to the network.

WPA2 (WI-FI PROTECTED ACCESS 2) Uses the secure AES (Advanced Encryption Standard) algorithm for encryption. Along with TKIP, CCMP (Counter-Mode/CBC-MAC Protocol) has been added, which is also based on the AES algorithm. Until now, the network protected by this technology has not been hacked. The only possibility for hackers is a dictionary attack or the "brute force method", in which the key is found by trial and error, but with a complex password it is impossible to guess it.
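The WEP entry above, and the earlier remark that WPA lengthens the IV to 48 bits, both come down to how often an RC4 keystream repeats. The following is an added example, not part of the original article. It uses a simplified WEP frame (3-byte cleartext IV, no CRC-32 integrity value), a constructed secret and constructed payloads, and it assumes randomly chosen IVs. It shows keystream reuse only, not recovery of the WEP key.

```python
import math

def rc4_keystream(key, n):
    """Standard RC4: key scheduling, then n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_frame(iv, secret, plaintext):
    """Simplified WEP framing: the IV travels in the clear, followed by the
    payload XORed with RC4(IV || secret)."""
    return iv + xor(plaintext, rc4_keystream(iv + secret, len(plaintext)))

def frames_until_iv_repeat(iv_bits, probability=0.5):
    """Birthday estimate of frames sent before two share a random IV."""
    return math.ceil(math.sqrt(2 * 2**iv_bits * math.log(1 / (1 - probability))))

def demo():
    secret = bytes.fromhex("0102030405")   # constructed 40-bit WEP secret
    iv = b"\x00\x00\x2a"                   # the same IV on both frames
    p1, p2 = b"GET /index.html", b"user=anna&pw=x7"   # constructed payloads
    f1, f2 = wep_frame(iv, secret, p1), wep_frame(iv, secret, p2)
    # Same IV and secret give the same keystream, so it cancels out:
    leaked = xor(f1[3:], f2[3:])
    return leaked == xor(p1, p2), xor(leaked, p1) == p2

if __name__ == "__main__":
    print(demo())
    print(frames_until_iv_repeat(24), frames_until_iv_repeat(48))
```

With a 24-bit IV a repeat is expected after a few thousand frames, while a 48-bit IV pushes that point out by a factor of about 4096, which is why the longer IV and per-packet keys matter.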
