CWNA Guide to Wireless LANs, Second Edition
Chapter 8
Wireless LAN Security and Vulnerabilities
At a Glance
Instructor’s Manual Table of Contents
Overview
Objectives
Teaching Tips
Quick Quizzes
Class Discussion Topics
Additional Projects
Additional Resources
Key Terms
Lecture Notes
Overview
When compared to a wired network, a wireless LAN has several features that make it
more vulnerable to attacks. Coupled with the fact that wireless security in the original
IEEE 802.11 standard was not properly implemented and thus further exposed wireless
networks to a variety of attacks, security has been the Achilles heel of wireless
networking for many years. However, much of that is changing. According to many
experts, by implementing new wireless security technologies WLANs can be made as
secure as their wired counterparts. In this chapter students will look at wireless security
and vulnerabilities. They start by briefly reviewing security in general. Then they
explore the basic IEEE 802.11 security protections and observe the vulnerabilities in
that protection mechanism. Finally the students will consider some of the different types
of attacks on WLANs.
Chapter Objectives
- Define information security
- Explain the basic security protections for IEEE 802.11 WLANs
- List the vulnerabilities of the IEEE 802.11 standard
- Describe the types of wireless attacks that can be launched against a wireless network
Teaching Tips
Security Principles
1. Provide a brief overview of information security, and discuss the importance of
understanding the concepts involved in information security when trying to analyze the
vulnerabilities of a system.
What Is Information Security?
1. Define the term information security. Discuss the various media on which the digital
information being protected may be located.
2. Explain that information security involves ensuring that protective measures are
properly implemented.
3. Using the list on page 257 of the text as a guide, discuss the three characteristics of
information that must be protected by information security. Stress that information
security protects the confidentiality, integrity, and availability of information on the
devices that store, manipulate, and transmit the information through products, people,
and procedures. Use Figure 8-1 to illustrate.
Challenges of Securing Information
1. Using the list on pages 258 and 259 of the text as a guide, discuss the various reasons
why security has become increasingly difficult. Stress that it can be difficult to
distinguish an attack from normal Internet traffic. Define the term day zero attacks.
Mention that distributed attacks make it impossible to stop an attack by trying to
identify and block the source.
Categories of Attackers
1. Using the list on pages 259 and 260 of the text as a guide, describe in detail the six
different categories of attackers. Stress that employees of a company are one of the
largest categories of attackers.
Teaching Tip: The original connotation of the term "hacker" referred to someone who wants
to expand his or her knowledge of computing through experimentation. Over the years the
term has taken on a more negative meaning.
Teaching Tip: An attacker may fall into more than one of the described categories.
Teaching Tip: Mention to the students that the U.S. Department of Homeland Security's annual
budget includes hundreds of millions of dollars for information infrastructure
protection from cyberterrorists.
2. Using Table 8-1 as a guide, summarize the different types of attackers, their motivation,
and their skill level.
Security Organizations
1. Using the list on page 261 of the text as a guide, discuss some of the organizations
dedicated to information security. Explain these organization's missions and goals.
Basic IEEE 802.11 Security Protections
1. Explain that, unlike a wired LAN, where an attacker needs access to the cable plant in
order to view data being transmitted, data transmitted through the air by a wireless LAN
can be intercepted and viewed by anyone within range of the signal. Discuss the
importance of providing basic security mechanisms for WLANs.
2. Briefly introduce the three categories of protections that can be applied to WLANs.
Access Control
1. Explain that the text presents access control as guarding the availability of data:
keeping unauthorized devices off the WLAN so they cannot consume its capacity. Note
that general security references also associate access control with confidentiality
and integrity, since an unauthorized device that joins can read and inject traffic.
2. Provide an overview of the concept of wireless access control, or filtering.
3. Describe the concept of MAC layer filtering, stressing that this is the most common
form of access control in WLANs. Briefly review the purpose of the MAC layer,
reminding the students that it is one of the two divisions of the Data Link layer specified
by the IEEE 802 standards. Remind the students that the MAC address is a hardware
address that uniquely identifies each node of a network.
Teaching Tip: The MAC layer was first discussed in Chapter 4.
4. Using Figure 8-2 to illustrate, discuss the format of a typical MAC address, explaining
the purpose of the OUI and IAB.
Teaching Tip: MAC addresses are regulated by the IEEE. At this writing, an OUI costs $1,650
and an IAB is $550.
5. Explain that access to the wireless network can be restricted by entering the MAC
address of approved devices into the access point. Illustrate with Figures 8-3 and 8-4.
Teaching Tip: Although it does not restrict access to the wireless LAN, another type of
filtering can restrict the type of traffic that passes through the access point based on
the protocol. For example, if Web traffic were to be restricted, the AP could be
configured to reject all HTTP traffic on TCP port 80.
6. Explain that MAC address filtering has the drawback of requiring pre-approval for
MAC addresses.
Teaching Tip: Wireless LAN MAC address filtering has serious vulnerabilities. These
vulnerabilities are discussed later in this chapter.
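Worked example (added for this manual, not code from the text): what an access point's MAC filter actually does, and what it cannot see. The script normalizes the address formats administrators type, extracts the OUI, and reads the two flag bits of the first octet (I/G for group addresses, U/L for locally administered addresses). The allow-list entries and the test stations are constructed for the example; the "locally administered" note is an addition of this example, not something a MAC filter reports.

```python
"""MAC address filtering as an access point applies it (added example).

Normalises the textual forms administrators paste into an AP, derives the
OUI (first three octets) and reads the two flag bits of the first octet:
I/G (bit 0, multicast) and U/L (bit 1, locally administered).  A locally
administered address was set in software rather than burned in by the
vendor, which is the usual footprint of a changed address, so the check
reports it even though the filter itself only compares strings.
Allow-list entries and test stations are constructed for this example.
"""
import re
from typing import List, Set, Tuple

# Constructed allow-list, in the mixture of formats an admin actually types.
ALLOWED_ENTRIES = [
    "00:0c:29:3a:1f:7e",
    "00-1B-63-8C-44-A2",
    "001c.b3d4.e5f6",
]


def normalize_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 and
    return the six raw octets.  Anything else raises ValueError."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def describe_mac(mac: str) -> dict:
    """Canonical form plus the fields a filter administrator cares about."""
    octets = normalize_mac(mac)
    first = octets[0]
    return {
        "canonical": ":".join(f"{b:02x}" for b in octets),
        "oui": ":".join(f"{b:02x}" for b in octets[:3]),
        "multicast": bool(first & 0x01),             # I/G bit
        "locally_administered": bool(first & 0x02),  # U/L bit
    }


def build_allow_list(entries: List[str]) -> Set[str]:
    return {describe_mac(e)["canonical"] for e in entries}


def check_station(mac: str, allow_list: Set[str]) -> Tuple[str, List[str]]:
    """Return ("allow" | "deny", notes).  The decision is exactly what a MAC
    filter does; the notes are things the filter itself never considers."""
    info = describe_mac(mac)
    notes = []
    if info["multicast"]:
        notes.append("group address; never a valid source")
    if info["locally_administered"]:
        notes.append("locally administered; likely software-assigned")
    decision = "allow" if info["canonical"] in allow_list else "deny"
    return decision, notes


if __name__ == "__main__":
    allow = build_allow_list(ALLOWED_ENTRIES)
    for sta in ["001C.B3D4.E5F6", "00:0c:29:3a:1f:7f", "02:0c:29:3a:1f:7e"]:
        print(sta, check_station(sta, allow))
```

Note for discussion: the decision depends only on the string match, so any device that presents a listed address is allowed regardless of the flag bits; this is the weakness the chapter returns to under address filtering vulnerabilities.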
Wired Equivalent Privacy (WEP)
1. Explain that WEP is intended to guard the confidentiality of the data on a WLAN, and
that it ensures that only authorized parties can view the information.
2. Mention that WEP uses a process of "scrambling" information in order to encrypt it.
Teaching Tip: WEP was actually part of the original IEEE 802.11 standard that was released in
1997.
Cryptography
1. Define the terms cryptography and steganography, mentioning the difference between
them.
2. Define the terms encryption, plaintext, and ciphertext.
3. Define the terms algorithm and cipher. Stress that a cipher algorithm is given a key that
is used to encrypt and decrypt the text. Mention why both the sender and the receiver
would need this key. Illustrate with Figure 8-5.
4. Define the term weak key, and explain that easily discovered keys are unacceptable
when trying to provide secure information transfer.
WEP Implementation
1. Using the list on page 266 of the text as a guide, discuss the IEEE 802.11 cryptography
objectives as outlined in the standard.
2. Stress that WEP relies on a secret key that is “shared” between a wireless device and the
AP. Explain that this type of encryption is known as private key cryptography or
symmetric encryption, and requires that the same key be installed on both the AP and
the wireless device. Illustrate with Figure 8-6.
3. Explain that WEP shared secret keys must be a minimum of 40 bits in length, and that
most vendors implement a 104-bit key. Point out that vendors usually market these as
"64-bit" and "128-bit" WEP because they count the 24-bit IV as part of the key length.
4. Using the second list on page 266 of the text as a guide, discuss the various ways that
shared keys may be generated within the WEP framework.
5. Explain that the IEEE standard also specifies that the access points and devices can hold
up to four WEP shared secret keys simultaneously. Illustrate with Figure 8-7.
6. Discuss the role of the default key. Mention that a device may decrypt packets that have
been encrypted with any of the four keys, but can only encrypt packets based on the
default key. Illustrate with Figure 8-8.
Teaching Tip: In practice, most installations use a single key that is shared among all wireless
devices and APs.
7. Using the steps listed on page 269 of the text as a guide, and using Figure 8-9 to
illustrate, describe the mechanisms used by WEP to perform encryption. Define the
terms CRC, ICV, IV, PRNG, and keystream.
Teaching Tip: The IV is transmitted in plaintext alongside the ciphertext because the
receiver needs it, together with the shared key, to regenerate the same keystream and
decrypt the frame.
8. Describe the processes that occur when an encrypted frame arrives at its destination
device.
9. Explain that generating the keystream using the PRNG is based on the RC4 cipher
algorithm. Briefly discuss the origins of the RC4 cipher algorithm, and define the term
stream cipher. Illustrate with Figure 8-10.
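Worked example (added for this manual, not code from the text or the standard's reference implementation): the WEP encapsulation and decapsulation steps described above, with RC4 written out so students can see the KSA and PRGA stages. The key set, IV and payload are constructed; the frame layout (3 IV bytes, a key ID byte with the ID in its top two bits, then ciphertext ending in the 4-byte ICV) follows the standard. WEP is implemented here only to show the mechanism and must not be used for real traffic.

```python
"""WEP encapsulation and decapsulation with RC4 (added example).

Follows the steps the text lists: compute a CRC-32 integrity check value
(ICV) over the plaintext, seed RC4 with IV || shared key, XOR
plaintext || ICV with the keystream, and send IV, key ID and ciphertext.
The receiver rebuilds the keystream from the transmitted IV and the key
selected by the key ID, then verifies the ICV.  Keys, IVs and payload
below are constructed.
"""
import struct
import zlib
from typing import List


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4: key-scheduling algorithm (KSA) then the output generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                                   # KSA
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                                # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_icv(data: bytes) -> bytes:
    """The ICV is CRC-32 of the plaintext, little-endian, appended to it."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encapsulate(keys: List[bytes], default_key_id: int, iv: bytes,
                    plaintext: bytes) -> bytes:
    """Build the encrypted frame body: IV (3 bytes) | key ID byte | ciphertext.
    Only the default key is ever used to encrypt."""
    if not 0 <= default_key_id <= 3 or len(iv) != 3:
        raise ValueError("IV is 24 bits and key ID is 0..3")
    key = keys[default_key_id]
    if len(key) not in (5, 13):
        raise ValueError("WEP keys are 40 or 104 bits")
    body = plaintext + wep_icv(plaintext)
    keystream = rc4_keystream(iv + key, len(body))          # seed = IV || key
    return iv + bytes([default_key_id << 6]) + xor_bytes(body, keystream)


def wep_decapsulate(keys: List[bytes], frame: bytes) -> bytes:
    """Reverse the process; any of the four stored keys may be selected by
    the key ID bits.  Raises ValueError when the ICV does not verify."""
    iv, key_id, cipher = frame[:3], frame[3] >> 6, frame[4:]
    keystream = rc4_keystream(iv + keys[key_id], len(cipher))
    body = xor_bytes(cipher, keystream)
    plaintext, icv = body[:-4], body[-4:]
    if wep_icv(plaintext) != icv:
        raise ValueError("ICV mismatch: frame corrupted or wrong key")
    return plaintext


# Constructed key set: four 104-bit keys; slot 1 is the default key.
KEYS = [bytes.fromhex("0102030405060708090a0b0c0d"),
        b"\x13" * 13, b"\x27" * 13, b"\xaa" * 13]
DEFAULT_KEY_ID = 1


def demo() -> bytes:
    iv = b"\x00\x00\x01"            # sequential IVs are common and soon repeat
    frame = wep_encapsulate(KEYS, DEFAULT_KEY_ID, iv, b"hello WLAN")
    return wep_decapsulate(KEYS, frame)


if __name__ == "__main__":
    print(demo())
```

Point out while walking through it that the keystream depends only on IV || key: two frames sent with the same IV under the same key are XORed with identical bytes, which is the collision the vulnerability section builds on.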
Authentication
1. Stress that, because a wireless LAN cannot limit access to the RF signal with walls or
doors, IEEE 802.11 authentication requires the wireless device (not the individual user) to
be authenticated before it is allowed to connect to the network.
Teaching Tip: Authentication is covered in detail in Chapter 5.
2. Describe the concept of open system authentication.
Teaching Tip: Open system authentication is sometimes called SSID filtering.
3. Describe the concept of shared key authentication. Define the term challenge text.
Teaching Tip: When WEP is used for shared key authentication it is serving a dual function of
encryption and authentication.
Quick Quiz 1
1. True or False: A hacker is a person who violates system security with malicious intent.
Answer: false
2. Access control is intended to guard the ____________________ of information.
Answer: availability
3. The most common type of access control is ____________________ address filtering.
Answer: Media Access Control (MAC)
4. ____________________ is intended to guard confidentiality of information.
Answer: Wired equivalent privacy (WEP)
5. An encryption algorithm is known as a(n) ____________________.
Answer: cipher
6. Using the same (shared) secret key to both encrypt as well as decrypt is called
____________________.
Answer: private key cryptography or symmetric encryption
7. True or False: Shared key authentication uses WEP keys.
Answer: True
Vulnerabilities of IEEE 802.11 Security
1. Stress that, despite the fact that the IEEE 802.11 standard provided security mechanisms
for wireless networks, these mechanisms have fallen far short of their goal. Explain that
vulnerabilities exist in the areas of authentication, address filtering, and WEP.
Teaching Tip: When testing for vulnerabilities, a device must maintain a consistent,
persistent state so that an accurate test can be performed; the model of a device's
states and the transitions between them is sometimes called its "state machine."
Authentication
1. Provide a brief introduction to the vulnerabilities inherent to wireless authentication.
Open System Authentication Vulnerabilities
1. Explain that open system authentication is inherently weak because an attacker only has
to discover the SSID to be authenticated. Explain how an attacker would be able to
discover an SSID.
2. Mention that some APs are configured to not include the SSID in beacon frames, but that
the SSID is still sent in the clear in probe requests, probe responses, and association
requests, so it is exposed as soon as any legitimate client connects.
3. Using the list on page 272 of the text as a guide, discuss some of the open system
authentication vulnerabilities that exist. Use Figures 8-11 and 8-12 to illustrate some of
these points.
Teaching Tip: A list of default SSIDs can be found at www.cirt.net/cgi-bin/ssids.pl.
4. Mention that there are free utilities available on the Internet that allow people with little
knowledge of WLANs to be able to easily capture SSIDs.
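Worked example (added for this manual, not code from the text): where the SSID sits in 802.11 management frames and why "not broadcasting" it does not hide it. The parser walks the tagged elements of a frame body; the frame bodies, the short default-SSID list and the capture sequence are constructed for the example, with only the element layout (ID byte, length byte, value) taken from the standard.

```python
"""Where the SSID shows up in 802.11 management frames (added example).

Beacons and probe responses carry the SSID as tagged element ID 0 in the
frame body.  An AP configured not to broadcast sends a beacon whose SSID
element is zero-length or NUL-filled, but the probe response it returns
to a joining station, and the station's own probe and association
requests, still carry the name in the clear.  The bodies below are
constructed (fixed fields omitted, tagged parameters only).
"""
from typing import List, Optional, Tuple


def parse_ies(body: bytes) -> List[Tuple[int, bytes]]:
    """Split the tagged-parameter region into (element ID, value) pairs,
    rejecting a truncated element rather than reading past the body."""
    ies, off = [], 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated element header")
        eid, length = body[off], body[off + 1]
        value = body[off + 2: off + 2 + length]
        if len(value) != length:
            raise ValueError("element length runs past end of frame")
        ies.append((eid, value))
        off += 2 + length
    return ies


def extract_ssid(body: bytes) -> Optional[str]:
    """The SSID string, or None when the element is absent or hidden."""
    for eid, value in parse_ies(body):
        if eid == 0:
            if not value.strip(b"\x00"):          # "" or all NULs = hidden
                return None
            return value.decode("utf-8", errors="replace")
    return None


def ie(eid: int, value: bytes) -> bytes:
    return bytes([eid, len(value)]) + value


# Constructed captures: (frame subtype, tagged parameters).
RATES = ie(1, bytes([0x82, 0x84, 0x8B, 0x96]))   # basic rates 1/2/5.5/11 Mb/s
CHANNEL_6 = ie(3, bytes([6]))                      # DS parameter set
CAPTURE = [
    ("beacon",         ie(0, b"") + RATES + CHANNEL_6),         # hidden SSID
    ("probe-request",  ie(0, b"corpnet") + RATES),              # station asks by name
    ("probe-response", ie(0, b"corpnet") + RATES + CHANNEL_6),  # AP answers with it
]

# Small constructed list of factory-default names; a real list is far longer.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink"}


def ssids_observed(capture) -> dict:
    """Map each frame subtype to the SSID it revealed (None if nothing)."""
    return {subtype: extract_ssid(body) for subtype, body in capture}


def is_factory_default(ssid: str) -> bool:
    return ssid.lower() in DEFAULT_SSIDS


if __name__ == "__main__":
    print(ssids_observed(CAPTURE))
```

Running it shows the beacon yielding no name while both probe frames yield "corpnet"; a sniffer only has to wait for one client.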
Shared Secret Key Authentication Vulnerabilities
1. Explain that the first vulnerability of shared secret key authentication is based on the
fact that key management can be very difficult when it must support a large number of
wireless devices. Mention that attackers may discover the key by stealing it from an
approved wireless device.
2. Discuss the concept of a brute force attack. Stress that these are automated attacks in
which the key or password combinations are generated by a program.
Teaching Tip: Brute force password attack programs are readily available on the Internet.
3. Explain that a dictionary attack takes each word from a dictionary and encodes it in the
same way the passphrase was encoded, and that the encoded dictionary words are
compared to the encrypted frame to find a match.
Teaching Tip: Research has indicated that 64-bit passphrase generators may contain flaws.
Many wireless security experts recommend avoiding passphrase generators altogether.
4. Mention that the AP sends the challenge text in plaintext, and explain that an
attacker can capture the challenge text along with the device's encrypted response and
XOR the two to derive the keystream for that IV, which is then enough to answer a
later challenge without knowing the key.
5. Using Table 8-2 as a guide, summarize the different types of authentication attacks.
Address Filtering
1. Explain that the sheer number of MAC addresses on a network makes it difficult to
manage the filter list and thus creates avenues for attackers. Mention that MAC
filtering makes no provision for "guest" users: every device must be entered in advance.
2. Explain that MAC addresses are transmitted in plaintext in the header of every frame,
even when WEP is in use, and discuss the vulnerabilities that this exposes.
3. Discuss the two ways that MAC addresses can be "spoofed".
4. Using Table 8-3 as a guide, summarize all of the types of MAC address attacks.
WEP
1. Stress that it is important to note that the vulnerability in WEP is based on how WEP
and the RC4 cipher are implemented.
2. Explain that the secret key in WEP is either 40 or 104 bits, stressing that the shorter the
key, the easier it is to crack.
3. Explain that the WEP implementation violates the cardinal rule of cryptography, and
describe how WEP's implementation creates a detectable pattern for attackers.
4. Explain how an attacker can detect a collision, and then use this to initiate a keystream
attack. Use Figure 8-13 and 8-14 to illustrate these concepts.
5. Discuss the limitations of the RC4 cipher, and using pseudo-random numbers for
encryption in general.
6. Using Table 8-4 as a guide, summarize all of the WEP vulnerabilities.
Teaching Tip: Security mechanisms for 802.11 WLANs that do provide adequate security are
discussed in Chapter 9.
Other Wireless Attacks
1. Provide an overview of some of the other types of wireless attacks that may be initiated
by attackers.
Man-in-the-Middle Attack
1. Discuss the concept of a man-in-the-middle attack, using Figure 8-15 to illustrate.
Explain the difference between active and passive man-in-the-middle attacks.
2. Explain that on wireless networks, man-in-the-middle attacks are commonly done by
attackers setting up a “fake” access point. Illustrate with Figure 8-16.
Teaching Tip: Wireless man-in-the-middle attacks are sometimes called TCP/IP hijacking
attacks.
Denial of Service (DoS) Attack
1. Describe the way in which standard DoS attacks are orchestrated.
2. Describe the ways in which wireless DoS attacks may occur. Discuss the concept of
jamming, and explain why it will prevent any wireless device from transmitting.
3. Explain that another type of DoS attack on a wireless device is to continually force the
device to disassociate and re-associate with the AP by sending forged disassociation or
deauthentication frames, which the original standard does not authenticate.
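Worked example (added for this manual, not code from the text): detecting the disassociation/deauthentication flood just described in a log of management frames. The log format and every line in it are constructed; the detector counts deauth and disassoc frames per BSSID/station pair in a sliding window and alerts when the count exceeds what roaming or idle timeouts would produce.

```python
"""Spotting a disassociation/deauthentication flood (added example).

The attack repeats the management frame that knocks a station off the AP;
it shows up as many deauth or disassoc frames for one BSSID/station pair
in a short window.  Log format and lines are constructed for the example.
"""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

BSSID = "00:1b:63:8c:44:a2"
VICTIM = "00:0c:29:3a:1f:7e"
OTHER = "00:1c:b3:d4:e5:f6"

# Constructed log: normal activity, then 25 deauth frames in about 1.2 s.
SAMPLE_LOG = "\n".join(
    [
        f"1717000000.000 mgmt assoc-resp bssid={BSSID} sta={VICTIM} status=0",
        f"1717000003.250 mgmt disassoc bssid={BSSID} sta={OTHER} reason=8",   # leaving
        f"1717000004.100 mgmt assoc-resp bssid={BSSID} sta={OTHER} status=0",
    ]
    + [f"{1717000010 + i * 0.05:.3f} mgmt deauth bssid={BSSID} sta={VICTIM} reason=7"
       for i in range(25)]
    + [f"1717000011.500 mgmt assoc-resp bssid={BSSID} sta={VICTIM} status=0"]
)


def parse_line(line: str) -> Tuple[float, str, Dict[str, str]]:
    ts, _kind, subtype, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return float(ts), subtype, fields


def detect_floods(lines: List[str], window: float = 10.0,
                  threshold: int = 8) -> List[dict]:
    """Sliding-window count of deauth/disassoc per (bssid, sta).  One alert
    per pair, reporting the peak count seen inside any window."""
    recent: Dict[Tuple[str, str], deque] = defaultdict(deque)
    peak: Dict[Tuple[str, str], int] = {}
    for line in lines:
        if not line.strip():
            continue
        ts, subtype, f = parse_line(line)
        if subtype not in ("deauth", "disassoc"):
            continue
        key = (f["bssid"], f["sta"])
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak[key] = max(peak.get(key, 0), len(q))
    return [{"bssid": b, "sta": s, "frames_in_window": n}
            for (b, s), n in peak.items()]


if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_LOG.splitlines()):
        print(alert)
```

The reason code is whatever the attacker chose to put in the frame, so the detector deliberately ignores it and keys only on rate; a single disassoc from a station that is leaving (the OTHER line) does not trip the threshold.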
Teaching Tip: Although wireless security has serious vulnerabilities as shown in this chapter,
there are sufficient means available to protect a WLAN. These protections are
covered in Chapter 9.
Quick Quiz 2
1. True or False: Open system authentication is considered to be inherently weak.
Answer: True
2. A(n) ____________________ attack is one in which an attacker attempts to create
every possible key combination.
Answer: brute force
3. True or False: MAC addresses are transmitted in ciphertext.
Answer: False
4. A(n) ____________________ attack is a method of determining the keystream by
analyzing two packets that were created from the same IV.
Answer: keystream
5. A(n) ____________________ attack makes it seem that two computers are
communicating with each other, when actually they are sending and receiving data with
a computer between them.
Answer: man-in-the-middle
6. ____________________ is a technique in which an attacker will flood the radio
frequency spectrum with noise that makes it appear that there is legitimate traffic being
transmitted.
Answer: Jamming
Class Discussion Topics
1. Have the students consider that employees of companies are one of the largest threats to
information security within an organization. Have them discuss why this might be, why
employees might be more of a threat than other types of attackers, and what motivations
may influence employees to launch attacks.
2. Have the students compare their understanding of authentication and access control
within wired networks to the concepts presented in this chapter. What basic differences
do they see between wired and wireless networks in terms of how authentication and
access control can be applied? Can they think of any other authentication or access
control techniques not presented in this chapter that might apply to WLANs?
Additional Projects
1. There are many types of computer attacks other than the ones discussed in this chapter.
Have the students do research online to find descriptions of other types of attacks, and
generate a list of three or four of them. When the students are done, compile their
results into a master list that can be redistributed to the class. Have the students discuss
which of the types of attacks in the list might be applicable specifically to WLANs and
which may not apply directly.
2. One type of wireless security threat is exposed through the practice of "wardriving". In
wardriving, an attacker with a wireless device drives around searching for unsecured
wireless networks. Have the students do research online and develop a list of best
practices and procedures to protect a wireless network from wardriving.
Additional Resources
1. An Executive's Information Security Challenge:
http://www.informit.com/articles/article.asp?p=368647&rl=1
2. Computer System Security: A Primer:
http://www1.us.dell.com/content/topics/global.aspx/power/en/ps1q02_lowery?c=us&=en&s=corp
3. Security Groups and Organizations:
http://www.alw.nih.gov/Security/security-groups.html
4. MAC Address Filtering:
http://netsecurity.about.com/od/quicktip1/qt/qtwifimacfilter.htm
5. Wireless LAN Security (802.11) Wardriving & Warchalking:
http://www.wardrive.net/
6. 802.11 WEP: Concepts and Vulnerability:
http://www.wi-fiplanet.com/tutorials/article.php/1368661
7. Cryptography:
www.Cryptography.org
8. Encryption Tutorial:
http://webmonkey.wired.com/webmonkey/programming/php/tutorials/tutorial1.html
9. Wireless Authentication, Routing, Traffic control and Accounting:
http://www.hpi.net/whitepapers/warta/
Key Terms
- Access control: Restricting access to authorized users.
- Algorithm: The underlying process or formula for encrypting and decrypting messages.
- Brute force attack: An attack in which an attacker attempts to create every possible
key combination by systematically changing one character at a time in a possible key.
- Cipher: An encryption algorithm.
- Ciphertext: An encrypted message.
- Collision: In wireless security, two packets that were encrypted using the same
initialization vector (IV), and therefore the same keystream.
- Computer spy: A person who has been hired to break into a computer and steal
information.
- Cracker: A person who violates system security with malicious intent.
- Cryptography: The science of transforming information so that it is secure while it is
being transmitted or stored.
- Cyberterrorists: Terrorists who attack networks and computer infrastructures in order
to cause panic.
- Cyclic redundancy check (CRC): A checksum value that is based on the contents of
the text.
- Day zero attack: An attack that takes advantage of a previously unknown flaw.
- Decryption: The process of changing ciphertext into plaintext.
- Default key: The one of the (up to four) stored WEP keys that a device uses to encrypt
the wireless data it sends.
- Denial of service (DoS) attack: An attack that attempts to make a server or other
network device unavailable by flooding it with requests.
- Dictionary attack: An attack that takes each word from a dictionary and encodes it in
the same way a passphrase was encoded.
- Encryption: The process of changing plaintext into ciphertext.
- Filtering: Restricting access to authorized users.
- Hacker: A person who uses his or her advanced computer skills to attack computers but
not with a malicious intent.
- Information security: Protecting the confidentiality, integrity, and availability of
information on the devices that store, manipulate, and transmit the information through
products, people, and procedures.
- Initialization vector (IV): A 24-bit WEP value, sent in plaintext with each packet, that
is meant to change each time a packet is encrypted.
- Integrity check value (ICV): The CRC-32 checksum that WEP computes over the plaintext
and encrypts along with it.
- Jamming: An attack technique that floods the radio frequency spectrum with noise.
- Key: The value that an algorithm uses to encrypt or decrypt a message.
- Keystream: The output from a pseudo-random number generator (PRNG), which is XORed
with the plaintext to produce ciphertext.
- Keystream attack: A method of determining the keystream by analyzing two packets
that were created from the same initialization vector (IV).
- Man-in-the-middle attack: An attack that intercepts communication from one device
and sends a substitute communication to the intended receiver.
- Media Access Control (MAC) address filtering: An access control method that
restricts access based on the media access control (MAC) address.
- Plaintext: A message in an unencrypted format.
- Private key cryptography: Using the same shared secret key to both encrypt and
decrypt messages.
- Pseudo-random number generator (PRNG): The part of the WEP encryption process (RC4)
that generates a keystream from the IV and the shared key.
- RC4: A stream cipher algorithm used in WEP.
- Script kiddies: Unskilled or novice attackers who break into computers to create
damage.
- Steganography: The process of hiding data so that its existence cannot be discovered.
- Stream cipher: A cipher that encrypts data one bit or byte at a time by combining it
with a keystream, rather than in fixed-size blocks.
- Symmetric encryption: Using the same shared secret key to both encrypt and decrypt
messages.
- Weak key: A cryptographic key that creates a detectable, repeating pattern in its output.
- Wired equivalent privacy (WEP): The IEEE 802.11 cryptography mechanism intended to
give a WLAN confidentiality equivalent to a wired LAN.