2.12 WLAN Concepts

Securing WLANs

SSID Cloaking and MAC Address Filtering

As we all know, wireless signals can easily travel through walls, windows, ceilings, floors, furniture etc., and even outside the home and/or office space. If you don't protect a WLAN, it is the equivalent of placing an Ethernet port outside the building, where anyone could connect to it.

To keep intruders out of the network and protect the data, two security features are commonly used:

SSID Cloaking
Access Points and Wireless Routers broadcast the SSID in the Beacon Frame. Many APs and Wireless Routers nowadays also allow this SSID beacon to be disabled; in other words, the SSID of the WLAN won't be shown in the wireless list when users search for it, so clients must manually configure the SSID when connecting to the network.
MAC Address Filtering
Many Access Points and Wireless Routers also allow the network admin to manually permit or deny clients based on their physical MAC Address. If a MAC Address is listed in the "Permit" list, that client will be able to connect to the WLAN; conversely, if the MAC Address is listed in the "Deny" list, it will be blocked.

[NOTE] When using a "Deny" list, every client that is not on the list is allowed access. When using an "Allow" list, only the clients on the "Allow" list are allowed access, and any client not listed on it is automatically denied.

802.11 Original Authentication Methods

Although the two features mentioned earlier (SSID Cloaking and MAC Address Filtering) would discourage many users, the truth is that neither of them would discourage an intruder.

An SSID can be discovered easily even if an Access Point is not broadcasting it, and a MAC Address can be easily spoofed. Nowadays, Authentication and Encryption solutions are recommended on any WLAN.
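To make the cloaking point concrete from the defender's side, here is an added example (not part of the course notes) that parses the body of an 802.11 beacon frame the way a wireless IDS or site-survey tool would. It shows that a cloaked AP still transmits an SSID element, just empty or NUL-filled, and that the RSN element announces the cipher and AKM (PSK, 802.1X or SAE) in the clear. The three beacon bodies at the bottom are constructed samples, not captured traffic; the SSIDs "HomeNet" and "Cafe" are made up.

```python
import struct

# IEEE 802.11 element IDs and RSN suite selectors used below
IE_SSID = 0
IE_RSN = 48
RSN_OUI = b"\x00\x0f\xac"
RSN_CIPHERS = {2: "TKIP", 4: "CCMP-128"}
RSN_AKMS = {1: "802.1X", 2: "PSK", 8: "SAE"}
CAP_PRIVACY = 0x0010  # Privacy bit in the Capability Information field


def parse_ies(data: bytes) -> list:
    """Split the tagged-parameter area into (element_id, payload) pairs.
    Stops at the first truncated element instead of trusting partial data."""
    ies, i = [], 0
    while i + 2 <= len(data):
        eid, elen = data[i], data[i + 1]
        payload = data[i + 2:i + 2 + elen]
        if len(payload) < elen:
            break
        ies.append((eid, payload))
        i += 2 + elen
    return ies


def _suite(body: bytes, off: int, table: dict) -> str:
    """Map a 4-byte suite selector (OUI + type) to a name."""
    if body[off:off + 3] != RSN_OUI:
        return "vendor-specific"
    return table.get(body[off + 3], f"type-{body[off + 3]}")


def parse_rsn(body: bytes):
    """Decode group cipher, pairwise cipher list and AKM list from an RSN element."""
    try:
        group = _suite(body, 2, RSN_CIPHERS)
        off = 6
        (n,) = struct.unpack_from("<H", body, off)
        off += 2
        pairwise = [_suite(body, off + 4 * k, RSN_CIPHERS) for k in range(n)]
        off += 4 * n
        (n,) = struct.unpack_from("<H", body, off)
        off += 2
        akm = [_suite(body, off + 4 * k, RSN_AKMS) for k in range(n)]
    except (struct.error, IndexError):
        return None  # malformed element: report nothing rather than guess
    return {"group": group, "pairwise": pairwise, "akm": akm}


def describe_beacon(body: bytes) -> dict:
    """Summarise what a passive listener learns from one beacon frame body."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than the 12 fixed bytes")
    _timestamp, _interval, cap = struct.unpack_from("<QHH", body, 0)
    ies = dict(parse_ies(body[12:]))
    ssid = ies.get(IE_SSID, b"")
    # Cloaked APs still send the SSID element, but empty or filled with NULs
    cloaked = len(ssid) == 0 or ssid == b"\x00" * len(ssid)
    return {
        "ssid": None if cloaked else ssid.decode("utf-8", "replace"),
        "cloaked": cloaked,
        "privacy": bool(cap & CAP_PRIVACY),
        "rsn": parse_rsn(ies[IE_RSN]) if IE_RSN in ies else None,
    }


# Constructed sample beacon bodies (not captured traffic)
_FIXED = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)  # 100 TU interval, ESS + Privacy
_RATES = b"\x01\x04\x82\x84\x8b\x96"
_RSN_WPA2_PSK = (b"\x30\x14" + b"\x01\x00"            # RSN element, version 1
                 + RSN_OUI + b"\x04"                    # group cipher CCMP-128
                 + b"\x01\x00" + RSN_OUI + b"\x04"      # one pairwise cipher: CCMP-128
                 + b"\x01\x00" + RSN_OUI + b"\x02"      # one AKM: PSK
                 + b"\x00\x00")                         # RSN capabilities
BEACON_VISIBLE = _FIXED + b"\x00\x07HomeNet" + _RATES + _RSN_WPA2_PSK
BEACON_CLOAKED = _FIXED + b"\x00\x00" + _RATES + _RSN_WPA2_PSK
BEACON_OPEN = b"\x00" * 8 + struct.pack("<HH", 100, 0x0401) + b"\x00\x04Cafe" + _RATES

if __name__ == "__main__":
    for name, body in [("visible", BEACON_VISIBLE), ("cloaked", BEACON_CLOAKED), ("open", BEACON_OPEN)]:
        print(name, describe_beacon(body))
```

Note that the cloaked beacon still reveals that a WPA2-Personal (CCMP, PSK) network exists on the channel; only the name is withheld, which is why cloaking is a convenience feature rather than an access control.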

When the original 802.11 standard was released, 2 types of authentication were introduced:

Open System Authentication
Using this method, any wireless client is able to associate without any sort of password requirement.

This option should only be used in situations where security isn’t a concern, like for example cafes, restaurants, and public places.
Shared Key Authentication
The Shared Key Authentication method provides authentication and encryption mechanisms such as WEP, WPA, WPA2, and nowadays WPA3.

This method will ask the user for Authentication and will encrypt the data between the client and the Access Point.

The password must be pre-shared between both parties for a connection to be established successfully.
Shared Key Authentication Methods

Presently, there is a total of 4 shared key authentication techniques available for use, as listed below:

WEP (Wired Equivalent Privacy)
This is the original 802.11 specification, which was designed to secure data using the RC4 (Rivest Cipher 4) encryption method with a static key. The problem with this specification is that the key never changes when exchanging packets, therefore it is easily hackable. WEP is not recommended nowadays and should never be used.
WPA (Wi-Fi Protected Access)
This is based on WEP but secures the data with a much stronger encryption algorithm known as TKIP (Temporal Key Integrity Protocol). TKIP changes the key for each packet, thus it’s much more difficult to hack than WEP.
WPA2 (Wi-Fi Protected Access v2)
This is the current industry standard for securing WLANs. It uses AES (Advanced Encryption Standard) for encryption, which is considered to be the strongest and best encryption protocol at the moment.
WPA3 (Wi-Fi Protected Access v3)
This is the future of Wi-Fi security. All WPA3-enabled devices are forced to use the latest security mechanisms, do not permit legacy protocols, and also require the use of PMF (Protected Management Frames). This is still in its early stages and not yet available.

[NOTE] WPA3 is slowly becoming the new standard, but since it’s at its earliest stages, devices that don’t yet support WPA3 should use the WPA2 standard.

Authenticating a Home User

Usually, home routers offer 2 choices for authentication: WPA and WPA2. As discussed earlier, WPA2 is the stronger standard of the two. Both of these authentication methods can be used in one of the following two modes:

Personal
This is meant for home or small office networks; users authenticate and associate to the Router/AP using a PSK (pre-shared key).

Wireless clients simply authenticate with the Router using a pre-shared key, thus no special authentication server is required.
Enterprise
This is meant for enterprise networks and always requires a RADIUS Server (Remote Authentication Dial-In User Service).

It is obviously more complicated to configure, but it provides additional security. The devices must be authenticated via the RADIUS server and the users must authenticate using the 802.1X standard, which uses EAP (Extensible Authentication Protocol).
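The Personal mode above says clients authenticate with a pre-shared key, but the key the 4-way handshake actually uses is not the passphrase itself. The following added example (not from the course notes) carries out the IEEE 802.11i passphrase-to-PSK mapping, PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations and a 256-bit result, and renders the result in the `psk=` hex form that wpa_supplicant accepts so the passphrase itself never needs to sit in a client config file. The passphrase "password" with SSID "IEEE" is the published 802.11i test vector; "HomeNet" and the other values are constructed.

```python
import hashlib


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i passphrase-to-PSK mapping.

    PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The PSK is used directly as the PMK in the WPA2 4-way handshake, so the
    per-SSID salt means the same passphrase yields a different PSK on every
    network, and the 4096 iterations set the cost of each offline guess.
    """
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("a WPA2 passphrase is 8 to 63 printable ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 0 < len(ssid_bytes) <= 32:
        raise ValueError("an SSID is 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


def wpa_supplicant_network_block(ssid: str, passphrase: str) -> str:
    """Render a network block in the shape wpa_passphrase(8) prints, storing the
    derived hex PSK instead of the passphrase (the client only needs the PSK)."""
    psk = wpa2_psk(passphrase, ssid).hex()
    return 'network={\n\tssid="%s"\n\tpsk=%s\n}\n' % (ssid, psk)


if __name__ == "__main__":
    # Known-answer check from IEEE 802.11i Annex H
    print(wpa2_psk("password", "IEEE").hex())
    # Constructed home network: same passphrase, different SSID, different PSK
    print(wpa_supplicant_network_block("HomeNet", "correct horse battery staple"))
```

Because every guess costs 4096 HMAC-SHA1 computations and the salt is only the SSID, passphrase length is the defender's lever here: a long random passphrase on an uncommon SSID is what keeps an offline attack on a captured handshake impractical under WPA2-Personal.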
Encryption Methods

Like in many other situations when it comes to networking, encryption is used to protect the data. If a threat actor has somehow managed to capture the encrypted data, he/she will not be able to decipher it in any reasonable amount of time since it’s encrypted.

Both WPA and WPA2 standards make use of the following encryption protocols:

TKIP (Temporal Key Integrity Protocol)
TKIP is the encryption method used by WPA. TKIP provides support for legacy WLAN devices by addressing the flaws associated with the 802.11 WEP encryption method.

It makes use of WEP, but encrypts the Layer 2 payload using TKIP and carries out a MIC (Message Integrity Check) on the packet to ensure that the data has not been altered.
AES (Advanced Encryption Standard)
AES is the encryption method utilized by WPA2. This is the preferred method since it’s a much stronger method of encryption.

This uses CCMP (Counter Cipher Mode with Block Chaining Message Authentication Code Protocol), allowing destination hosts to recognize if the data has been altered or tampered with.
Authentication in the Enterprise

When it comes to enterprise-grade networks that have much tighter security requirements, additional authentication is required to grant clients wireless access.

Enterprise security requires an AAA RADIUS Server, and configuration will require the following:

RADIUS Server IP Address
The reachable IP Address of the RADIUS Server.
UDP Port Numbers
The official ports are UDP port 1812 for RADIUS Authentication and UDP port 1813 for RADIUS Accounting, but UDP ports 1645 and 1646 can also be used.
Shared Key
This is used to authenticate the Access Point with the RADIUS Server, so it is not a parameter that must be configured on the wireless client.
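To show what the shared key in the list above actually does, here is an added example (not from the course notes) that builds the RFC 2865 Access-Request an AP sends to the RADIUS server and verifies the Access-Accept that comes back. The shared key hides the User-Password attribute in the request and is mixed into the Response Authenticator of the reply, which is how the AP knows the answer came from a server holding the same key; the wireless client never sees this key. The secret, username, password and fixed Request Authenticator are constructed values; port 1812 is the official authentication port from the text.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 constants
RADIUS_AUTH_PORT = 1812   # Access-Request / Access-Accept (UDP)
RADIUS_ACCT_PORT = 1813   # Accounting-Request (UDP)
CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _pad16(data: bytes) -> bytes:
    """Pad with NULs to a multiple of 16 bytes, as RFC 2865 section 5.2 requires."""
    return data + b"\x00" * (-len(data) % 16)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    Only a holder of the shared key can reverse it."""
    padded, out, prev = _pad16(password), b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same transform."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(kind: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("BB", kind, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            break  # malformed attribute: stop rather than misparse
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(identifier, username, password, secret, request_auth=None):
    """What the AP (the RADIUS client, or NAS) sends on behalf of a wireless user."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)))
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, identifier, attrs, request_auth, secret):
    """Server side: the reply is bound to the request and to the shared key."""
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(packet, request_auth, secret) -> bool:
    """AP side: accept a reply only if its authenticator proves the sender knows the key."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-key"           # configured on AP and server only
    req = build_access_request(7, b"alice", b"hunter2", secret)
    reply = build_response(CODE_ACCESS_ACCEPT, 7, b"", req[4:20], secret)
    print("reply accepted by AP:", verify_response(reply, req[4:20], secret))
    print("reply with wrong key:", verify_response(reply, req[4:20], b"other-key"))
```

Two practical points follow from the code: the shared key is only as strong as its secrecy and length, since both the password hiding and the authenticator are MD5 constructions from 1997, and a reply whose authenticator does not verify should be dropped silently by the AP. That weakness is also why RADIUS over plain UDP is normally kept on a management network or wrapped in TLS (RadSec) rather than sent across untrusted links.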

User authentication and authorization are managed and controlled by the 802.1X standard, which provides a centralized server-based authentication of clients.

Such a process (802.1X) uses EAP to communicate with the Access Points and the RADIUS Server. EAP is a framework used for authenticating network access. It automatically negotiates a secure private key which will be used for wireless encryption using TKIP or AES.

WPA3

Up till now, WPA3 authentication is not officially available, but it's being implemented slowly since WPA2 is no longer considered to be secure. WPA3 will become the recommended 802.11 authentication method very soon.

It includes 4 main features:

WPA3 Personal
As explained earlier, when using WPA2-Personal authentication, threat actors are able to listen to the "handshake" between a client and an Access Point and deploy a brute-force attack to guess the PSK. WPA3 Personal protects against this attack by using SAE (Simultaneous Authentication of Equals), in such a way that the PSK is never exposed, making it impossible for a threat actor to guess.
WPA3 Enterprise
WPA3 Enterprise still uses 802.1X/EAP Authentication, but it requires the use of a 192-bit cryptographic suite and does not allow for mixing of security protocols for earlier 802.11 standards. WPA3 Enterprise uses the CNSA (Commercial National Security Algorithm) suite, which is usually used in high-security Wi-Fi networks.
Open Networks
When using WPA2, open networks forward unauthenticated traffic in plain text. When it comes to WPA3, open networks still do not require any authentication, but they use a form of encryption known as OWE (Opportunistic Wireless Encryption) to encrypt all traffic.
IoT (Internet of Things) Onboarding
WPA2 used WPS (Wi-Fi Protected Setup) to onboard devices without configuring them first; it is vulnerable to many attacks and is no longer recommended.

The majority of IoT devices are headless (they do not have a built-in GUI) and require an easy way to connect to the wireless network. To meet this requirement, DPP (Device Provisioning Protocol) was designed. Each headless device has a hardcoded public key which is stamped on the outside of the device or provided via a QR (Quick Response) code. The user scans this QR code to quickly pair the device with the network. DPP will replace WPS in the near future.