The 4 main threats to wireless networks are:
1) Ad-hoc network formation
2) Rogue APs
3) Client misassociations
4) Directed wireless network attacks
What exactly is client misassociation?
An SSID profile is saved and active scanning is in operation, resulting in the client connecting to a network without the user knowing
What are 4 examples of directed wireless network attacks?
2) Recon probes
3) Authentication penetration
4) MITM attacks
How are directed wireless network attacks most often mitigated?
By authenticating and encrypting management frames.
What is this process of mitigation called exactly?
MFP: management frame protection
Management frames are usually sent unauthenticated and unencrypted
What does MFP do to management frames?
It digitally signs them
The two MFP modes are:
In infrastructure MFP,
A hash is generated for every management frame and placed before the FCS
Client MFP is only available with…
CCX 5+ “Cisco compatible extensions”
What does Client MFP/CCX do to management frames?
It uses 802.11i to encrypt mgmt frames between the client and the AP
What does Client MFP/CCX defend most effectively against?
MITM and DoS attacks
In Client MFP/CCX, a key is generated for each AP
Why can’t mobile devices associate with MFP LANs?
They don’t have the processing power required for the extra encryption/authentication techniques
2 older security methods are:
1) SSID —> wrong SSID? no association
2) MAC authentication
What is open authentication?
It means no authentication key is required
What is the 4-step process of open authentication?
2) Probe response
4) Auth response
In WEP authentication, a ____ key is used to encrypt traffic
In WEP, the header is not encrypted, but the data is
What encryption type does WEP use?
What are the 3 different sizes for WEP keys?
In WEP, every key is combined with an….
What is the basic process of WEP association?
1) Auth request
2) Challenge text packet
3) Challenge text encrypted by supplicant
4) If the AP is able to decrypt it properly, the supplicant has the right key
EAP is defined under which two RFCs?
2284 and 3748
EAP usually works alongside..
802.1x or RADIUS
The 4 EAP message types are
1) Request — to supplicant
2) Response — from supplicant
What is Cisco LEAP?
A proprietary username/password-based authentication system between a client and a RADIUS server
What is Cisco LEAP’s weakness?
Susceptible to eavesdropping
EAP-TLS is defined under…
EAP-TLS uses… _________ for authentication
EAP-TLS uses…__________ to secure communications between client and RADIUS server
In EAP-TLS, the ________ and __________ authenticate to each other
client and server
What is TLS based on?
What did EAP-TTLS add to EAP-TLS?
PEAP is very similar to..
What are the 3 authentication options for PEAP?
1) EAP-MSCHAP V.2
What is fast-reconnect?
Roaming between APs is made seamless because TLS session IDs are cached by the WLC
The 3 roles of the 802.1x framework are…
3) Authentication server
It can be said that the authenticator controls __________ access to the network
If a Cisco ACS is being used as the Authentication server, more _____________ methods of authentication are available
802.1x: After the client sends a probe request to the AP, the AP will respond with a…
AP probe response, which contains security parameters.
What happens after the AP sends its probe response?
The client is associated but traffic is blocked until 802.1x auth is complete
The 802.1x authentication challenge is encrypted by
How does the client respond to this challenge?
With a credential response
What does the authenticator do with the credential response?
Converts it to a RADIUS access request and sends it to the AS
What does the AS do upon receiving the RADIUS access request?
It responds with a challenge that specifies what credentials are required of the supplicant
What happens if the client responds with the correct credentials?
The AS transmits a success message and encryption key
WPA2 is aka
What is a PMK?
Pairwise master key,
It is created on a RADIUS server when a client authenticates
Where is the PMK sent?
From the AS to the authenticator
What is the PMK used for?
To encrypt the exchange of the temporal session key
What is the PMK derived from that results in the authenticator and supplicant having the same one?
It is derived from client information
PMKs are used to make PTKs and GTKs.
PTKs and GTKs are made in a
4-way handshake process
WPA2-PSK is aka
WPA2-PSK is encrypted with…
A 256-bit PMK