Monday, April 1, 2019
Wireless Local Area Networks and Security Mechanisms
Abbreviations used in this post:
WLAN: Wireless Local Area Network
LAN: Local Area Network
IEEE: Institute of Electrical and Electronics Engineers
WEP: Wired Equivalent Privacy
WPA: Wi-Fi Protected Access
NIC: Network Interface Card
MAC: Media Access Control
WAP: Wireless Access Point
AP: Access Point
NAT: Network Address Translation
SSID: Service Set Identifier
IV: Initialization Vector
IDS: Intrusion Detection System

Wireless local area networking (wireless fidelity) has swiftly become a very popular technology all over the world. The WLAN protocol, IEEE 802.11, amongst some other associated technologies, enables secure access to a wireless network infrastructure. Before the development of wireless networking, clients had to use physical media such as wiring to connect to the network. With the fast increase in demand and usage of wireless networking, it is vital that secure communication is provided. Since the creation of wireless networks, the security alongside it has gone through many different stages of development, from MAC address filtering, to WEP, leading to WPA/WPA2.

2.1 Wireless Communication

Wireless communication provides wireless networking between client devices, without the need for a physical connection between them (O'Brien, 2008). In order to transmit via wireless signals, radio waves are used.
The basic operation of communication using radio waves is as follows:
1. A transmitter sends data by turning electrical signals into radio waves.
2. A receiver listens for the radio waves and turns them back into electrical signals, which can create the desired output.

Figure 1 below shows an illustrated example of this. The use of this communication process enables different scenario requirements to be met; for instance, short and lengthy distances can be achieved simply by altering the strength and size of the transmitter/receiver. It also covers various types of fixed and mobile applications including mobile phones, two-way radios, computer hardware and GPS units, amongst others.

2.2 Wireless Internet Access

Wi-Fi is the term denoted to the functionality in which devices can be connected to the internet without the need of a physical cable. Wi-Fi technology has become the standard for internet access in main offices, workplaces and in home spaces. Regardless of the environment, the core setup consists of two key components: an access point and wireless devices.

2.2 WLAN Components

Within WLAN, two modes of operation exist: ad-hoc and infrastructure. The ad-hoc mode enables a small wireless workgroup to be quickly set up (no access point required), whereas the infrastructure mode is utilized in cooperation with an existing LAN infrastructure to incorporate wireless clients into the network (Netgear, 2014). Within these two operation modes there are two key components: access points and wireless clients.

2.2.1 Access Points

An access point is used to link wireless clients into an existing traditional wired LAN (Netgear, 2014); it doesn't, however, interconnect two networks (Wallace, 2011). A basic WLAN topology with a Wireless Access Point (WAP) is shown in Figure 2.
The topology shows an access point connected to the wired LAN, and the wireless clients that connect to the wired LAN via the access point are on the same subnet as the access point (note that no Network Address Translation (NAT) is being performed). Depending on the chosen technology (802.11 a/b/g) and its implementation, a single access point is capable of handling up to several hundred wireless clients (Intel, 2017). The security associated with access points has some special considerations. Many traditional wired networks base their security on physical access, trusting users currently on the network, whereas anyone within the range of the access point can attach to the network provided no password is attached. Another concern is that if a hacker manages to bypass the password security, they have the ability to packet-sniff and read data being sent over the wireless network. There are a few security solutions available to address these issues (see section 2.3).

2.2.2 Wireless Clients

A wireless client can be any of a range of devices, including a desktop, laptop, tablet, or mobile phone with a wireless network interface card that enables that device to communicate with an access point. For the client to communicate with the access point, it needs to be configured so that it uses the same SSID (Service Set Identifier) as the access point. An SSID is a case-sensitive alphanumeric string of up to 32 characters (Beal, 2017), and is often referred to as the network name (Intel, 2017). Most access points broadcast their SSID by default to advertise themselves to wireless clients within range.

2.3 Wireless Security

Security is a major concern in wireless networks, where the radio waves carrying the frames can propagate far beyond the confines of the desired area of the wireless access point and hosts, increasing the chances for an unwanted client to connect to the network and intercept data.
Within this section, the security mechanisms available to address issues surrounding wireless networking, including SSID broadcasting, MAC address filtering, Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA), will be covered.

2.3.1 SSID Broadcasting

As mentioned above, it is very common for access points to broadcast themselves to wireless clients within their radius. This results in clients being able to see all available access points (SSIDs) and choose which one to join, meaning users can easily attach to the network provided no password is attached. Disabling SSID broadcasting makes it much harder for access points to be identified (Farshchi, 2003). However, this results in the clients having to remember and manually enter the SSID to join a specific access point. Whilst being the simplest security measure available, it is by far the most inefficient method, as it provides very little protection against anything but the most casual intrusion (Ou, 2005).

2.3.2 MAC Filtering

Another simple security feature available on many access points is MAC (Media Access Control) Address Filtering. This method utilizes the 48-bit address assigned to each network interface card (NIC) and adds them to either a whitelist or blacklist (Cisco, 2008). The restriction of network access by the use of lists is straightforward; however, a MAC address does not identify an individual, rather a device. The method means that an authorized administrator would need to whitelist or blacklist an entry for each device a client may want to use on the network. The process of specifying the approved and rejected MAC addresses can be controlled with the administrator page of the access point (provided it comes with admin tools available), see Figure 3 above. This form of security may be suitable for small home use, but it isn't practical at a business level, as it creates a big overhead for the administrator, who needs to manually add each address.
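As an added illustration of the MAC filtering described in this section (example code written for this post, not taken from any access point firmware or from the sources cited), the following Python accepts MAC addresses in the common notations, applies a whitelist or blacklist the way an access point's admin page would, and runs a few constructed association-log lines through the filter. The log format, the addresses and the `is_locally_administered` check (the U/L bit of the first octet, which a factory-assigned address leaves clear) are assumptions made for the example.

```python
import re

# Only separators may be removed; anything else that is not hex is a malformed address
_SEPARATORS = re.compile(r"[:\-.]")
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(text: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return lower-case colon form."""
    raw = _SEPARATORS.sub("", text).lower()
    if not _HEX12.match(raw):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """U/L bit (bit 1 of the first octet): set means the address was assigned locally, not by the NIC vendor."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


class MacFilter:
    """Whitelist: only listed devices may associate. Blacklist: listed devices may not."""

    def __init__(self, mode: str, entries):
        if mode not in ("whitelist", "blacklist"):
            raise ValueError("mode must be 'whitelist' or 'blacklist'")
        self.mode = mode
        self.entries = {normalize_mac(e) for e in entries}

    def allows(self, mac: str) -> bool:
        listed = normalize_mac(mac) in self.entries
        return listed if self.mode == "whitelist" else not listed


# Constructed association log lines (assumed format, not from any real access point)
ASSOC_LOG = [
    "2019-04-01T10:02:11 assoc sta=00-1B-44-11-3A-B7",
    "2019-04-01T10:02:15 assoc sta=02:13:37:00:00:01",
    "2019-04-01T10:03:40 assoc sta=001b.4411.3ab7",
    "2019-04-01T10:04:02 assoc sta=00:1b:44:zz",
]
_STA = re.compile(r"\bsta=(\S+)")


def review_association_log(filt: MacFilter, lines):
    """Return (normalized MAC, decision, locally-administered flag) for each association line."""
    results = []
    for line in lines:
        m = _STA.search(line)
        if not m:
            continue
        try:
            mac = normalize_mac(m.group(1))
        except ValueError:
            results.append((m.group(1), "malformed", False))
            continue
        decision = "allow" if filt.allows(mac) else "deny"
        results.append((mac, decision, is_locally_administered(mac)))
    return results


if __name__ == "__main__":
    home_filter = MacFilter("whitelist", ["00:1B:44:11:3A:B7"])
    for entry in review_association_log(home_filter, ASSOC_LOG):
        print(entry)
```

The same device shows up in two notations and is matched once normalized, which is the kind of detail an administrator entering addresses by hand gets wrong. The U/L-bit flag only shows that an address was set locally rather than by the NIC's manufacturer; a device that copies another device's factory address will not trip it, which is why the filter cannot be relied on alone.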
Relying on this security feature alone isn't enough, as an individual can easily spoof their MAC address to imitate another device (InfoExpress, 2017).

2.3.3 Wired Equivalent Privacy

The IEEE 802.11 WEP protocol was introduced as the privacy component of the original 802.11 specification created in 1997, and was initially designed to provide confidentiality comparable to that of a traditional wired network (IEEE, 1997). Both WEP authentication and data encryption use two types of shared secret keys: 40-bit and 104-bit. The total encryption key is a combination of the base shared secret key and a 24-bit parameter called the Initialization Vector (IV), and is used by both the client and server to decrypt the messages sent. The resulting length of the encryption key is 64-bit for the 40-bit shared key, and 128-bit for the 104-bit shared key (Schenk, 2001). The WEP protocol doesn't provide a key management algorithm, so it assumes that the access point and client have agreed on the shared key via another prior method. With each message sent, the IV component of the encryption key can be changed. The original 802.11 specification doesn't standardize how the current IV should be created, with the implementation depending on the chosen algorithm. As the IV component of the key can change, it is sent as clear text with the encrypted message (cipher text), as the recipient needs to know the IV component in order to generate the new encryption key as well (see figure 4 for the process overview). Because the IV has to be sent as clear text, if these packets were to be intercepted, an unwanted user could easily gain part of the encryption key and potentially access the data.

WEP also has its own authentication process (before the data transfer process can commence) consisting of two distinct modes, Open System and Shared Key (Qnx, 2017).
The Open System mode does not require a key for the authentication process, therefore the client is always authenticated, which also means the same configuration for authentication is not required to match. An illustrated process of the Open System authentication is shown in figure 5 below.

The steps to authenticate when using Open System mode (Kurose et al, 2013):
1. The client sends an authentication request to the access point.
2. The access point then authenticates the requesting client.
3. The client connects to the network.

The Shared Key authentication method, however, requires an encryption key for the authentication process. Unlike the Open System mode, Shared Key authentication requires both the client and access point to use the same authentication configuration. An illustrated process of the Shared Key authentication mode is shown in figure 6 below.

The following steps occur when using Shared Key Authentication (Kurose et al, 2013):
1. The client sends an authentication request to the access point.
2. The access point sends challenge text to the station.
3. The client uses the pre-configured default key to encrypt the challenge text received, and sends the encrypted text to the access point.
4. The access point decrypts the received text using its own pre-configured key that corresponds to the client's key. The text is compared, and if it matches, then the client is authenticated.
5. The client connects to the network.

When WEP was initially created, it performed the job it was designed and intended for; however, as technology became more readily available and advanced, the security issues in the WEP protocol began to show. The WEP protocol contains three major problems which make wireless networking more insecure. The first major disadvantage is that the shared key needs to be sent to every single user on the network, and this isn't an easy task.
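The following Python is an added example (not code from the post or from the sources it cites) of how the WEP key construction in section 2.3.3 and the two authentication modes above fit together. It uses RC4, which is the stream cipher WEP actually specifies although the post does not name it, together with a CRC-32 integrity check value; the 40-bit key, IV and challenge bytes are constructed for the example, and the frame layout is simplified to IV, key-index byte and encrypted body.

```python
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key schedule, then XOR the keystream over the data (encrypt and decrypt are the same)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def per_packet_key(iv: bytes, shared_key: bytes) -> bytes:
    """WEP concatenates the 24-bit IV with the 40- or 104-bit shared key: a 64- or 128-bit RC4 key."""
    if len(iv) != 3 or len(shared_key) not in (5, 13):
        raise ValueError("IV must be 3 bytes; shared key must be 5 (40-bit) or 13 (104-bit) bytes")
    return iv + shared_key


def _icv(plaintext: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)  # WEP's CRC-32 integrity check value


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Simplified frame body: IV (clear) | key-index byte | RC4(plaintext || ICV)."""
    body = rc4(per_packet_key(iv, shared_key), plaintext + _icv(plaintext))
    return iv + bytes([key_id << 6]) + body


def wep_decrypt(shared_key: bytes, frame: bytes):
    """Rebuild the per-packet key from the IV that arrived in the clear; None if the ICV does not check."""
    iv, body = frame[:3], frame[4:]
    data = rc4(per_packet_key(iv, shared_key), body)
    plaintext, icv = data[:-4], data[-4:]
    return plaintext if _icv(plaintext) == icv else None


def iv_visible_on_wire(frame: bytes) -> bytes:
    """The part of the per-packet key every listener in range can read."""
    return frame[:3]


def open_system_authentication(_request: bytes) -> bool:
    """Open System: the access point authenticates any requester; no key is involved."""
    return True


def shared_key_authentication(ap_key: bytes, client_key: bytes, challenge: bytes, iv: bytes) -> bool:
    """Steps 2-4 of Shared Key authentication as described above."""
    # Step 2: the access point sends the challenge text in the clear (it is the `challenge` argument).
    # Step 3: the client encrypts it with its pre-configured key and a chosen IV.
    response = wep_encrypt(client_key, iv, challenge)
    # Step 4: the access point decrypts with its own key and compares.
    return wep_decrypt(ap_key, response) == challenge


if __name__ == "__main__":
    key40 = b"\x01\x02\x03\x04\x05"          # constructed 40-bit shared key
    iv = b"\xaa\xbb\xcc"                      # constructed 24-bit IV
    challenge = bytes(range(128))             # constructed 128-byte challenge text
    frame = wep_encrypt(key40, iv, b"hello wlan")
    print("IV on the wire:", iv_visible_on_wire(frame).hex(), "of a", len(per_packet_key(iv, key40)) * 8, "bit key")
    print("shared key auth ok:", shared_key_authentication(key40, key40, challenge, iv))
```

Every data frame, and every Shared Key response, carries its 3-byte IV in the clear, so 24 of the 64 (or 128) key bits are readable by anyone in range, which is the exposure the section describes; only the 40- or 104-bit shared secret is protected. The Shared Key exchange additionally puts a known challenge and its encryption on the air side by side, which is why Open System authentication followed by an encrypted data path came to be preferred in practice.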
Another disadvantage is that the encryption key size is only 40-bit or 104-bit, which is a very small size and can easily be hacked with open source software. Due to the security flaws, WEP was deprecated in 2004 with the introduction of WPA and WPA2 to offer a more reliable and robust security service.

2.3.4 Wi-Fi Protected Access 2

The 802.11i WPA2 protocol was introduced in 2004, as an improvement upon the intermediate WPA protocol and the original WEP protocol. The WPA protocol increases security by introducing two new protocols: the 4-way handshake, and the group key handshake. The two protocols use authentication and port access services in WPA2 to create and alter the encryption keys (IEEE, 2004).

Add something here

The four-way handshake is an authentication process that occurs between an access point and the client. It is a method used for them both to prove to one another that they both know the Pairwise Master Key (PMK), without ever needing to disclose any part of the key, already providing more security over WEP. The process of sending encrypted messages between the client and access point is still adopted from the WEP protocol, and if they successfully decrypt the message then it proves they are knowledgeable of the PMK (Chaudhary, 2014). This process is vital in protecting the PMK from malicious and unwanted users; even if an attacker's network id (SSID) was impersonating a real access point, the PMK would still never have to be disclosed.

Amongst the content in the aforementioned sections, there are other aspects that also relate to both wireless networking and wireless security. The most relevant aspect to consider is operational security, which includes three sub-components: firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS).
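To make the four-way handshake of section 2.3.4 concrete, here is an added Python simulation (written for this post; not the code of any supplicant or access point, and not from the sources cited) of both sides deriving the Pairwise Transient Key from the PMK and proving possession through HMAC message integrity codes. PMK and PTK derivation follow the IEEE 802.11i definitions (PBKDF2-HMAC-SHA1 over the passphrase and SSID, then the HMAC-SHA1 PRF over both MAC addresses and both nonces); the EAPOL-Key frame body is a simplified stand-in, and the SSID, passphrase, MAC addresses and nonces are constructed values.

```python
import hashlib
import hmac

MIC_LEN = 16


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Both sides combine the same public inputs (MAC addresses, nonces) with the secret PMK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)  # CCMP: KCK | KEK | TK, 16 bytes each


def eapol_key(counter: int, nonce: bytes, mic_field: bytes = b"\x00" * MIC_LEN) -> bytes:
    """Simplified EAPOL-Key body (an assumption): replay counter || nonce || MIC field."""
    return b"EAPOL-Key" + counter.to_bytes(8, "big") + nonce + mic_field


def sign(kck: bytes, counter: int, nonce: bytes) -> bytes:
    """MIC is computed over the frame with the MIC field zeroed, then written into that field."""
    body = eapol_key(counter, nonce)
    mic = hmac.new(kck, body, hashlib.sha1).digest()[:MIC_LEN]
    return eapol_key(counter, nonce, mic)


def verify(kck: bytes, frame: bytes) -> bool:
    body, mic = frame[:-MIC_LEN], frame[-MIC_LEN:]
    expected = hmac.new(kck, body + b"\x00" * MIC_LEN, hashlib.sha1).digest()[:MIC_LEN]
    return hmac.compare_digest(expected, mic)


def four_way_handshake(ap_pmk: bytes, sta_pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """Run all four messages; each side checks the other's MIC with the KCK it derived itself."""
    msg1 = eapol_key(1, anonce)                               # AP -> STA: ANonce in the clear, no MIC
    sta_ptk = derive_ptk(sta_pmk, aa, spa, anonce, snonce)    # STA now has everything it needs
    sta_kck = sta_ptk[:16]
    msg2 = sign(sta_kck, 1, snonce)                           # STA -> AP: SNonce, MIC under STA's KCK
    ap_ptk = derive_ptk(ap_pmk, aa, spa, anonce, snonce)
    ap_kck = ap_ptk[:16]
    sta_proved = verify(ap_kck, msg2)                         # AP checks the STA knows the PMK
    msg3 = sign(ap_kck, 2, anonce)                            # AP -> STA (a rogue AP would send one too)
    ap_proved = verify(sta_kck, msg3)                         # STA checks the AP knows the PMK
    msg4 = sign(sta_kck, 2, b"\x00" * 32)                     # STA -> AP: confirmation with MIC
    return {
        "sta_proved_pmk": sta_proved,
        "ap_proved_pmk": ap_proved and verify(ap_kck, msg4),
        "keys_match": sta_ptk == ap_ptk,
        "frames": [msg1, msg2, msg3, msg4],
    }


# Constructed values for the example
SSID = "example-wlan"
AA = bytes.fromhex("001b4411aabb")      # access point MAC
SPA = bytes.fromhex("0013370000ff")     # station MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    pmk = derive_pmk("correct horse battery", SSID)
    good = four_way_handshake(pmk, pmk, AA, SPA, ANONCE, SNONCE)
    rogue = four_way_handshake(derive_pmk("guess", SSID), pmk, AA, SPA, ANONCE, SNONCE)
    print("genuine AP:", good["sta_proved_pmk"], good["ap_proved_pmk"])
    print("AP without the PMK:", rogue["sta_proved_pmk"], rogue["ap_proved_pmk"])
    print("PMK ever on the air:", any(pmk in f for f in good["frames"]))
```

The result shows the property the section claims: the frames exchanged contain nonces and MICs but never the PMK, a station with the wrong passphrase cannot produce a valid message 2, and an access point that does not hold the PMK cannot produce a valid message 3, so impersonating the SSID alone gains nothing.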
These systems provide an additional layer of security that attempts to block, detect and resolve security issues.

3.1 Firewalls

A firewall is a combination of software and hardware that isolates an organization's internal network from the internet, controlling which packets are allowed to pass through and which are blocked (Boudriga, 2010), by scanning the header fields of each packet to check whether it passes the defined criteria. Figure 8 shows an illustrated example of where a physical firewall would sit within a networking infrastructure.

Firewalls are often categorized as either network firewalls or host-based firewalls (Vacca, 2009). A network firewall controls the traffic flow between two or more networks, and is typically in the form of a software application, but dedicated physical devices are also used. Host-based firewalls, on the other hand, only control the traffic for an individual machine (PersonalFirewall, 2017). Both types of firewall use a set of pre-defined rules that are defined by an administrator through the use of either built-in or third-party software (see figure 9).

Utilizing a firewall as an extra layer of security is a must for many individual computers and networks, as they provide many strengths, including enforcing security and policies for an organization's infrastructure, restricting access to specific services, removing the need to compromise between usability and security, and providing the ability for an administrator to monitor the traffic that flows through the network. Whilst providing many strengths, firewalls do, however, also have some weaknesses, including only being capable of stopping the traffic that passes through the firewall itself, having no ability to protect against an approved item, and being unable to protect against issues created from within the network.

3.2 Intrusion Detection Systems

Intrusion Detection Systems (IDS) are another method used to detect network activity.
These systems can take the form of either a device or a software application that monitors networks/systems for malicious activity and/or policy violations (Kurose, 2013), which is logged and handled by management software. IDS systems can be categorized into two types: signature-based and anomaly-based.

A signature-based IDS maintains a database of known attack signatures. Each signature is simply a set of rules retaining characteristics about a known packet (or packets), such as port numbers, protocol types, or strings of bits. Signatures are normally created by network security engineers; however, customizations and additions can be made. Despite signature-based IDS systems being widely deployed, they do have limitations. Most notably, they require previous knowledge of the attack to generate an accurate signature. An anomaly-based IDS, on the other hand, creates a traffic profile as it observes during normal operation, seeking packets that are statistically unusual. The one major benefit of anomaly-based IDS systems is that they don't rely on previous knowledge about existing attacks, as they can potentially detect new attacks on the go. On the other hand, it is an extremely challenging problem to distinguish between normal traffic and simply unusual traffic.

In conclusion, it is clear from the literature reviewed that wireless networking has become an extremely popular and sophisticated technology, but brings many security issues along with its use over traditional wired connectivity. As wireless networks utilize electromagnetic waves to transfer data, it is much easier for unwanted users to gain access to the data being transferred between a client and access point. This results in a combination of security features being required, including encrypted authentication and data transfer, along with extra layers such as a firewall and intrusion detection/prevention systems.
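As an added example for sections 3.1 and 3.2 (written for this post, not taken from any firewall or IDS product or from the sources cited), the Python below runs constructed traffic-log lines through a first-match packet filter with a default-deny policy and then through a small signature-based and anomaly-based IDS. The log format, addresses, rules and signatures are assumptions made for the example; the internal network is 192.0.2.0/24, and traffic between two internal hosts is marked as never crossing the firewall.

```python
import ipaddress
import re
import statistics
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    payload: str


# Constructed log format (an assumption for this example): "<time> <src> > <dst> <proto>/<dport> <payload>"
LOG_LINE = re.compile(r"^(\S+) (\S+) > (\S+) (\w+)/(\d+) ?(.*)$")


def parse_line(line: str) -> Optional[Packet]:
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts, src, dst, proto, dport, payload = m.groups()
    return Packet(ts, src, dst, proto, int(dport), payload)


@dataclass(frozen=True)
class Rule:
    """One firewall rule over header fields; 'any' / None fields match everything."""
    action: str
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


INSIDE = ipaddress.ip_network("192.0.2.0/24")       # constructed internal LAN
RULES = [                                             # first match wins; anything else is dropped
    Rule("allow", "tcp", dst="192.0.2.10/32", dport=80),
    Rule("allow", "tcp", dst="192.0.2.10/32", dport=443),
]


def firewall_decision(p: Packet, rules=RULES, default: str = "drop") -> str:
    if ipaddress.ip_address(p.src) in INSIDE and ipaddress.ip_address(p.dst) in INSIDE:
        return "not-inspected"   # internal-to-internal traffic never passes through the firewall
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Signature database: (name, header fields that must match, optional payload pattern)
SIGNATURES = [
    ("telnet-cleartext-login", {"proto": "tcp", "dport": 23}, None),
    ("http-path-traversal", {"proto": "tcp", "dport": 80}, re.compile(r"\.\./")),
]


def signature_hits(p: Packet):
    return [name for name, fields, pat in SIGNATURES
            if all(getattr(p, k) == v for k, v in fields.items())
            and (pat is None or pat.search(p.payload))]


def anomaly_threshold(baseline, k: float = 3.0) -> float:
    """Profile from a clean window: per-source packet counts, flag above mean + k standard deviations."""
    counts = list(Counter(p.src for p in baseline).values())
    return statistics.mean(counts) + k * statistics.pstdev(counts)


def analyze(baseline_lines, observed_lines):
    baseline = [p for p in map(parse_line, baseline_lines) if p]
    observed = [p for p in map(parse_line, observed_lines) if p]
    threshold = anomaly_threshold(baseline)
    out = {"threshold": threshold, "dropped": [], "signature": [], "anomaly": []}
    passed = []
    for p in observed:
        if firewall_decision(p) == "drop":
            out["dropped"].append((p.ts, p.src, p.dport))
            continue
        passed.append(p)                      # the IDS sensor sees allowed and internal traffic
        for name in signature_hits(p):
            out["signature"].append((p.ts, p.src, name))
    counts = Counter(p.src for p in passed)
    out["anomaly"] = sorted(src for src, n in counts.items() if n > threshold)
    return out


def _lines(src: str, n: int, dport: int = 443, payload: str = "TLS client hello"):
    return [f"10:00:{i:02d} {src} > 192.0.2.10 tcp/{dport} {payload}" for i in range(n)]


# Constructed sample windows
BASELINE = [l for i, n in enumerate([2, 3, 2, 3, 2, 3], start=1) for l in _lines(f"203.0.113.{i}", n)]
OBSERVED = (
    _lines("203.0.113.5", 3)
    + ["10:01:00 203.0.113.6 > 192.0.2.10 tcp/23 login: admin",        # outside telnet: firewall drops it
       "10:01:05 192.0.2.20 > 192.0.2.10 tcp/23 login: admin",         # inside telnet: firewall never sees it
       "10:01:09 203.0.113.7 > 192.0.2.10 tcp/80 GET /../../config"]   # approved port, hostile payload
    + _lines("203.0.113.9", 9)                                          # burst far above the baseline
)

if __name__ == "__main__":
    for key, value in analyze(BASELINE, OBSERVED).items():
        print(key, value)
```

The run illustrates the weaknesses the firewall section lists: the internal telnet login never reaches the firewall, and the path-traversal request arrives on port 80, which the rules approve, so both are caught only by the IDS sensor. The anomaly threshold is mean plus three standard deviations of per-source packet counts in the baseline window, which is the kind of statistical profile the IDS section describes and also the source of its false-positive caveat.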
With new technologies being developed and standards updated, it is vital that these technologies are used to provide the best security when using wireless networking.

References

Al Tamimi, A. (2006). Security in Wireless Data Networks: A Survey Paper. [online] Cs.wustl.edu. Available at: http://www.cs.wustl.edu/jain/cse574-06/ftp/wireless_security/index.html
Boudriga, N. and Boudriga, N. (2010). Security of mobile communications. Boca Raton: CRC Press.
Beal, V. (2017). What is Service Set Identifier (SSID)? Webopedia Definition. [online] Webopedia.com. Available at: http://www.webopedia.com/TERM/S/SSID.html
Cisco. (2008). Network Virtualization: Access Control Design Guide. [online] Available at: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Network_Virtualization/AccContr.html
Cisco. (2008). Authentication Types for Wireless Devices. [online] Available at: http://www.cisco.com/c/en/us/td/docs/routers/access/wireless/software/guide/SecurityAuthenticationTypes.html
Farshchi, J. (2003). The Essential Components of a Wireless Policy. Wireless Network Policy Development, Part Two. Symantec Corp. 10 October 2003. URL: http://www.securityfocus.com/printable/infocus/1735
IEEE Standard for Information Technology: Telecommunications and Information Exchange Between Systems, Local and Metropolitan Area Networks, Specific Requirements, Part 11. (1997). Place of publication not identified: publisher not identified.
IEEE 802.11i-2004: Amendment 6: Medium Access Control (MAC) Security Enhancements (pdf), IEEE Standards.
Intel. (2017). Wireless Ethernet LAN (WLAN). 1st ed. [ebook] Intel. Available at: http://www.intel.com/content/dam/www/public/us/en/documents/faqs/wireless-ethernet-lan-faq1.pdf
InfoExpress. (2017). Detecting and Preventing MAC Spoofing. [online] Available at: https://infoexpress.com/content/practical/142
Kurose, J. and Ross, K. (2013). Computer networking. Boston: Pearson.
Mitchell, B. (2016). Wireless Internet Service: An Introduction.
Microsoft. (2003). How 802.11 Wireless Works. [online] Available at: https://technet.microsoft.com/en-us/library/cc757419(v=ws.10).aspx
Netgear. (2014). Wireless Access Points. [online] Available at: https://kb.netgear.com/235/What-is-a-wireless-access-point?cid=wmt_netgear_organic
Netgear. (2016). How to configure Access Control or MAC Filtering (Smart Wizard routers) | Answer | NETGEAR Support. [online] Available at: https://kb.netgear.com/13112/How-to-configure-Access-Control-or-MAC-Filtering-Smart-Wizard-routers?cid=wmt_netgear_organic
Netgear. (2017). WEP Open System Authentication. [online] Available at: http://documentation.netgear.com/reference/nld/wireless/WirelessNetworkingBasics-3-08.html
Ou, G. (2005). The six dumbest ways to secure a wireless LAN | ZDNet. [online] ZDNet. Available at: http://www.zdnet.com/article/the-six-dumbest-ways-to-secure-a-wireless-lan/
O'Brien, J. and Marakas, G.M. (2008). Management Information Systems.
PersonalFirewall. (2017). What is a Firewall? How does a Firewall Protect your Computer. [online] Available at: https://personalfirewall.comodo.com/what-is-firewall.html
Qnx.com. (2017). Help: QNX SDP 6.6 Documentation. [online] Available at: http://www.qnx.com/developers/docs/660/index.jsp?topic=%2Fcom.qnx.doc.core_networking%2Ftopic%2Fwpa_background_Connecting_WEP.html
Schenk, R., Garcia, A. and Iwanchuk, R. (2001). Wireless LAN Deployment and Security Basics. ExtremeTech.com. URL: http://www.extremetech.com/article2/0,3973,1073,00.asp
Sheridan. (2017). Printing Services: Optimizing Client Printing at Sheridan. [online] Available at: https://it.sheridancollege.ca/service-catalogue/printing/printing-optimization.html
Chaudhary, S. (2014). Hack WPA/WPA2 PSK Capturing the Handshake. [online] Kali Linux Hacking Tutorials. Available at: http://www.kalitutorials.net/2014/06/hack-wpa-2-psk-capturing-handshake.html
Vacca, J. (2009). Computer and information security handbook. Amsterdam: Elsevier.
Wallace, K. (2011). CompTIA Network+ Cert Guide: Connecting Wirelessly | Foundation Topics | Pearson IT Certification. [online] Pearsonitcertification.com. Available at: http://www.pearsonitcertification.com/articles/article.aspx?p=1773082
NIST. (2007). Guide to Intrusion Detection and Prevention Systems (IDPS) (PDF).