
CTS 155: Security beyond the fi

Security is much more than protecting the wireless frames over the air. We must also protect the infrastructure side, have proper segmentation, and ensure the right role-based access. In this episode we speak with Chris Hinsz about security beyond Wi-Fi.

Securing wireless is much more than encryption. We have WPA2, the upcoming WPA3, and OWE, but those protect the traffic over the air, alongside 802.1X.

Security goes beyond that, into concerns over insecure IoT devices, stolen credentials, compromised employee devices, and more. These are all real security threats that have nothing to do with over-the-air encryption.

In this episode we talk about these security concerns and the pieces needed to secure wireless further:

  • Zero Trust Model
  • Strong segmentation
  • Multi-factor authentication
  • Indicators of compromise
  • IoT Visibility

Links and Resources

Security Improvements in Wi-Fi: An Ekahau Webinar

Recently, I had the pleasure of joining Joel and Jerry on an Ekahau webinar. The topic I presented was on Security Improvements in Wi-Fi.

In this webinar, I touch upon three different security improvements:

  • Device Provisioning Protocol
  • Opportunistic Wireless Encryption
  • WPA3

While I give a general overview of the topics, OWE gets a little more detail because of the frame capture I was able to obtain from Aruba Networks’ live demo at MFD3.

Check out the webinar and let me know what you think in the comments:

CTS 139: Aruba Networks Demos OWE at MFD3

Understanding OWE operation from the Aruba Networks demo presented at MFD3.

Aruba Networks Demos OWE

Opportunistic Wireless Encryption (OWE) is a security improvement coming to open SSIDs. It is aimed at securing the insecure, which we see everywhere: a Wi-Fi network completely open for clients to join, with unencrypted traffic between the clients and the AP.

OWE was demoed by Aruba Networks at Mobility Field Day 3 (MFD3) and I was able to capture the frames during the demo. Aruba needed to build a custom supplicant using Ubuntu in order for this demo to work since there are no working clients supporting OWE yet.

There was an AP broadcasting an SSID, MFD-OWE, in OWE Transition Mode.

Aruba Networks OWE Demo from MFD3

OWE Transition Mode SSID

An SSID in OWE Transition Mode uses two BSSIDs: one for the open SSID, for clients that do not support OWE, and another for the OWE-capable SSID. That is something to keep in mind for OWE Transition Mode.

Once most clients support OWE, an SSID that supports only OWE can be configured.

In the demo, Aruba Networks created a custom supplicant within Ubuntu since there are no OWE-capable clients available. In a Probe Response to the client, there is an Information Element containing the BSSID and SSID that an OWE-capable client should send a Probe Request to.

OWE Information Element from a Probe Response frame.

OWE Information Element inside the Probe Response

The client sends a Probe Request frame to the OWE SSID, which is a hidden SSID.

Within the Association Request frame, the client includes an RSN Information Element (RSNIE). That RSNIE carries the Management Frame Protection (MFP) requirement that OWE mandates.

After association, a 4-way handshake follows, and once it completes, transmissions are encrypted.

Frame exchange for OWE supported SSID and client.

Frames exchanged when joining an OWE-enabled SSID.
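As an added example (not code from the episode or from the Aruba demo), the following Python decodes the two elements described above: the Wi-Fi Alliance vendor-specific OWE Transition Mode element (OUI 50:6F:9A, OUI type 28) that the open BSS places in its Probe Response, and the RSN element from the Association Request, checking for the OWE AKM suite selector (00-0F-AC:18) and the MFPC/MFPR capability bits. The frame bodies are constructed here from the BSSID and SSID values listed in the post; they are not bytes taken from the pcap.

```python
import struct

WFA_OUI = bytes.fromhex("506f9a")        # Wi-Fi Alliance OUI (vendor-specific elements)
OWE_TRANSITION_OUI_TYPE = 28             # WFA OWE Transition Mode element
IEEE_OUI = bytes.fromhex("000fac")       # IEEE 802.11 suite-selector OUI
AKM_OWE, CIPHER_CCMP = 18, 4             # 00-0F-AC:18 = OWE, 00-0F-AC:4 = CCMP-128
MFPR_BIT, MFPC_BIT = 1 << 6, 1 << 7      # RSN Capabilities: MFP Required / MFP Capable
EID_RSN, EID_VENDOR = 48, 221

def parse_elements(body):
    """Split a management-frame tagged-parameter body into (element id, payload) pairs."""
    out, i = [], 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        out.append((eid, body[i + 2:i + 2 + ln]))
        i += 2 + ln
    return out

def owe_transition_target(body):
    """From a Probe Response body, return (bssid, ssid) of the hidden OWE BSS that the
    open BSS advertises in OWE Transition Mode, or None if the element is absent."""
    for eid, p in parse_elements(body):
        if eid == EID_VENDOR and len(p) >= 11 and p[:3] == WFA_OUI and p[3] == OWE_TRANSITION_OUI_TYPE:
            bssid = ":".join(f"{b:02x}" for b in p[4:10])
            return bssid, p[11:11 + p[10]].decode()
    return None

def rsn_summary(body):
    """From an Association Request body, report whether the RSN element selects the OWE AKM
    and whether the MFPC/MFPR bits are set (OWE requires management frame protection)."""
    for eid, p in parse_elements(body):
        if eid != EID_RSN:
            continue
        n_pair = struct.unpack_from("<H", p, 6)[0]          # after version (2) + group cipher (4)
        off = 8 + 4 * n_pair
        n_akm = struct.unpack_from("<H", p, off)[0]
        off += 2
        akms = [p[off + 4 * k:off + 4 * k + 4] for k in range(n_akm)]
        caps = struct.unpack_from("<H", p, off + 4 * n_akm)[0]
        return {"owe": (IEEE_OUI + bytes([AKM_OWE])) in akms,
                "mfpc": bool(caps & MFPC_BIT), "mfpr": bool(caps & MFPR_BIT)}
    return None

# Constructed frame bodies built from the values in the post (not bytes from the pcap).
OWE_SSID = b"_owetm_MFD-OWE2340208851"
_owe_elem = WFA_OUI + bytes([OWE_TRANSITION_OUI_TYPE]) + bytes.fromhex("20a6cd6000b1") + bytes([len(OWE_SSID)]) + OWE_SSID
PROBE_RESP_BODY = bytes([0, 7]) + b"MFD-OWE" + bytes([EID_VENDOR, len(_owe_elem)]) + _owe_elem
_rsne = (struct.pack("<H", 1) + IEEE_OUI + bytes([CIPHER_CCMP])        # version 1, group cipher CCMP
         + struct.pack("<H", 1) + IEEE_OUI + bytes([CIPHER_CCMP])      # one pairwise cipher: CCMP
         + struct.pack("<H", 1) + IEEE_OUI + bytes([AKM_OWE])          # one AKM: OWE
         + struct.pack("<H", MFPC_BIT | MFPR_BIT))                     # RSN capabilities
ASSOC_REQ_BODY = bytes([EID_RSN, len(_rsne)]) + _rsne

if __name__ == "__main__":
    print(owe_transition_target(PROBE_RESP_BODY))  # ('20:a6:cd:60:00:b1', '_owetm_MFD-OWE2340208851')
    print(rsn_summary(ASSOC_REQ_BODY))             # {'owe': True, 'mfpc': True, 'mfpr': True}
```

Run against a real capture, the same two functions can be fed the tagged-parameter bodies from the MFD-OWE Probe Response and the client's Association Request to confirm the hidden SSID announcement and the MFP bits the post points out.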

Information you’ll need for the pcap file:

Open SSID: MFD-OWE
BSSID of MFD-OWE: 20:a6:cd:60:00:b0

OWE SSID: _owetm_MFD-OWE2340208851
BSSID: 20:a6:cd:60:00:b1

Client MAC: 9c:b6:d0:d7:ce:dd

Links and Resources

CTS 063: Wi-Fi Security – Securing Access

François Vergès discusses Wi-Fi security and securing the access to the Wi-Fi network.

In episode 56, we talked about the legacy Wi-Fi security mechanisms and explained why they are no longer considered safe and secure and why we should not be using them in modern Wi-Fi network deployments.

In this follow-up episode, we start going over the stronger and safer ways to secure a Wi-Fi network. We focus on how client devices can securely connect and exchange data over a Wi-Fi network.

This episode will answer the following questions:

  • How does a client station securely connect to a Wi-Fi network?
  • What is WPA?
  • What is the difference between WPA and WPA2?
  • How does the Personal and Enterprise mode of operation work?
  • What is 802.1X and how is it related to Wi-Fi security?
  • What is required in order to authenticate client devices using 802.1X?
  • What is the 4-way handshake?
  • What are the secured EAP methods?
  • What do we need to do in order to securely use WPA/WPA2-Personal?
  • What is considered a strong password?
  • How does a client station securely exchange data over the Wi-Fi network?

Resources

Here are the links to the videos we talked about during this episode:

Here are a couple of diagrams related to the Wi-Fi security topic:


If you want to dive deeper into the topic of Wi-Fi security, you can read the following book:

Other resources we talked about:

Password generation website: xkpasswd.net

CTS 056: Legacy Wi-Fi Security

Pre-RSNA (Robust Security Network Association) is the main topic for this episode. Francois and I talk about why you shouldn’t be using these legacy security methods and in future episodes we talk about the Wi-Fi security mechanisms you should be using. This is part one of a multi-part series.

In the 802.11 Standard there are two ways to join a BSS:

  • Open System Authentication (WEP can then be used to encrypt the communications) OR
  • Shared Key Authentication (WEP is used for both the authentication and to encrypt the communications)

Legacy Security Methods

WEP

A couple of weaknesses have been found in WEP, and they make it very easy to crack.

The characteristics of WEP include:

  • Uses static keys
  • Uses RC4 as the cipher for encryption
  • Attacks against WEP:
    • Collision attack against the IV (Initialization Vector), which is only 24 bits and therefore repeats itself every 16 million frames
    • Attacks against the weak encryption keys (40 or 104 bits)
    • Packet injection is a technique used to speed up the attacks against WEP
    • The ICV (Integrity Check Value) mechanism is also considered weak (a bit-flipping attack can be used to alter WEP packets)

IV Seen under WEP parameters

MAC Filtering

This is not really a security method, but it is a common one people use. MAC filtering is a way to create a whitelist of MAC addresses allowed to join the Wi-Fi network. It is easy to capture packets, find an authorized MAC address, and then spoof it: L2 information is not encrypted in 802.11 frames, only L3 to L7 is.

Hidden SSID

Another method that is not really security but is commonly used. The SSID is not broadcast in the beacon frames, but it is still visible in management frames when a STA connects to the network. You can spot the hidden SSID in a directed Probe Request frame.

TKIP

It has been cracked, not as easily as WEP, but it has been cracked (it uses the same cipher, RC4). It has been replaced by CCMP/AES. Also, TKIP only allows speeds up to 54 Mbps. Like WEP, TKIP will be going away.

Links and Resources