# Module 5: Wireless Network Communication

:::success
Here is a cheat sheet generated from the course content using ChatGPT. It recaps the main concepts of each module, definitions and examples. At the end of (almost) each part, you will find a link to online related flashcards.
:::

### 5.1 Wireless Communication

#### **5.1.2 Wireless versus Wired LANs**

The table summarizes the differences between 802.11 Wireless LAN and 802.3 Wired Ethernet LANs:

| **Characteristic** | **802.11 Wireless LAN** | **802.3 Wired Ethernet LANs** |
|-------------------------|------------------------------------------------------|--------------------------------------------|
| **Physical Layer** | Radio frequency (RF) | Physical cables |
| **Media Access** | Collision avoidance (CSMA/CA) | Collision detection (CSMA/CD) |
| **Availability** | Anyone with a wireless NIC in range of an access point | Physical cable connection required |
| **Signal Interference** | Yes | Minimal |
| **Regulation** | Different regulations by country | IEEE standard dictates |

Additional Notes:

- WLANs differ from wired LANs by connecting through a **wireless access point (AP)** or **wireless router** instead of an Ethernet switch.
- WLANs support **mobile devices** (battery-powered) as opposed to plugged-in LAN devices.
- WLANs have **different Layer 2 frame formats** and require additional header fields.

---

#### **5.1.3 802.11 Frame Structure**

802.11 wireless frames include additional fields compared to Ethernet frames.

![image](https://hackmd.io/_uploads/BJN2XGcfJe.png)

**Fields in 802.11 Frame:**

1. **Frame Control**: Identifies the type of frame, including protocol version and security settings.
2. **Duration**: Indicates the remaining transmission time.
3. **Address1**: Receiving device or AP's MAC address.
4. **Address2**: Transmitting device or AP's MAC address.
5. **Address3**: Sometimes contains the router interface’s MAC address.
6. **Sequence Control**: Manages frame sequencing and fragmentation.
7. **Address4**: Used in ad hoc mode (often missing).
8. **Payload**: The transmitted data.
9. **FCS (Frame Check Sequence)**: Ensures error control at Layer 2.

---

#### **5.1.4 CSMA/CA Process**

Wireless LANs use **Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)** to handle shared media and avoid collisions:

1. **Channel Listening**: The client listens to ensure the channel is idle.
2. **Request to Send (RTS)**: The client sends an RTS to request access.
3. **Clear to Send (CTS)**: The AP replies with CTS to grant access.
4. **Data Transmission**: The client sends data.
5. **Acknowledgment**: The client waits for an acknowledgment. If none is received, it assumes a collision and retries after a random delay.

---

#### **5.1.5 Wireless Client and AP Association**

For wireless devices to communicate over a WLAN, they must associate with an **Access Point (AP)** or wireless router through three stages:

![image](https://hackmd.io/_uploads/B1ApXf5z1e.png)

1. **Discovery**: The client locates the AP.
    - Passive mode: AP broadcasts beacon frames with SSID and security settings.
    - Active mode: Client broadcasts a probe request to discover nearby WLANs.
2. **Authentication**: The client authenticates with the AP using Open or Shared Key Authentication.
3. **Association**: Parameters such as SSID, security settings, and channel settings are exchanged to finalize the connection.

**Key Parameters for Association:**

- **SSID**: Name of the network, mapped to VLANs in larger organizations.
- **Password**: Used for authentication.
- **Network Mode**: Supports various WLAN standards (e.g., 802.11 a/b/g/n/ac).
- **Security Mode**: Includes WEP, WPA, or WPA2.
- **Channel Settings**: Frequency bands used for transmission, set manually or automatically.
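
To make the frame fields from 5.1.3 and the beacon contents from 5.1.5 concrete, the following added example (not part of the course material) parses a beacon frame and pulls out the header fields, the SSID, the channel and the advertised security mode. The sample frame and the names `parse_beacon` and `SAMPLE_BEACON` are constructed for illustration; the byte offsets and element IDs follow the 802.11 management frame layout.

```python
import struct

AKM = {1: "802.1X", 2: "PSK", 8: "SAE"}  # AKM suite types under OUI 00-0F-AC

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_beacon(frame):
    """Parse the 802.11 MAC header and beacon body (no radiotap header, no FCS)."""
    if len(frame) < 36:
        raise ValueError("need a 24-byte header plus 12 fixed beacon bytes")
    fc, duration = struct.unpack_from("<HH", frame, 0)   # Frame Control, Duration
    (seq_ctrl,) = struct.unpack_from("<H", frame, 22)    # Sequence Control
    if ((fc >> 2) & 0x3, (fc >> 4) & 0xF) != (0, 8):      # type, subtype
        raise ValueError("not a beacon (management type 0, subtype 8)")
    (capability,) = struct.unpack_from("<H", frame, 34)  # after timestamp + interval
    info = {
        "duration": duration,
        "receiver": mac(frame[4:10]),       # Address1 (broadcast for beacons)
        "transmitter": mac(frame[10:16]),   # Address2 (the AP)
        "bssid": mac(frame[16:22]),         # Address3 carries the BSSID in a beacon
        "sequence": seq_ctrl >> 4, "fragment": seq_ctrl & 0xF,
        "privacy": bool(capability & 0x0010),  # Privacy bit: encryption required
        "ssid": None, "channel": None, "akm": None,
    }
    pos = 36  # tagged elements: 1-byte ID, 1-byte length, value
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        val = frame[pos + 2:pos + 2 + elen]
        if len(val) != elen:
            raise ValueError("truncated element")
        if eid == 0:                          # SSID
            info["ssid"] = val.decode("utf-8", "replace")
        elif eid == 3 and elen == 1:          # DS Parameter Set: current channel
            info["channel"] = val[0]
        elif eid == 48 and elen >= 8:         # RSN: report the first AKM suite
            (n_pair,) = struct.unpack_from("<H", val, 6)
            akm_at = 8 + 4 * n_pair + 2       # skip pairwise list and AKM count
            if akm_at + 4 <= elen:
                info["akm"] = AKM.get(val[akm_at + 3], "other")
        pos += 2 + elen
    return info

# Constructed sample beacon (not a capture): SSID CorpWLAN, channel 6, WPA2-PSK.
SAMPLE_BEACON = bytes.fromhex(
    "80000000" "ffffffffffff" "020000aabb01" "020000aabb01" "3012"
    "0000000000000000" "6400" "1100"
    "0008" + b"CorpWLAN".hex() + "030106"
    "3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
```

A beacon with the Privacy bit set but no RSN element (`akm` stays `None`) points to a legacy mode such as WEP or WPA, which is worth flagging during a site survey.
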

---

#### **5.1.6 Passive and Active Discovery Modes**

**Passive Mode:**

- AP broadcasts beacon frames containing SSID, supported standards, and security settings.
- Wireless clients listen for these frames to identify available networks.

![image](https://hackmd.io/_uploads/Sy6UNMqf1e.png)

**Active Mode:**

- Wireless clients send a **probe request** to discover networks. The request may include the SSID.
- APs respond with **probe responses**, sharing the SSID and supported protocols.

![image](https://hackmd.io/_uploads/Skfu4zqfkx.png)

:::danger
**Check Your Understanding - AP, LWAP, and WLC**
:ballot_box_with_check: You can find the answers to the quiz by clicking [here](https://itexamanswers.net/11-2-7-check-your-understanding-steps-in-the-client-and-ap-process-answers.html).
:::

---

#### **5.1.8 Wireless Devices: AP, LWAP, and WLC**

**Key Wireless Devices:**

1. **Access Point (AP)**: Provides wireless connectivity to devices.
2. **Lightweight Access Point (LWAP)**: Relies on a **Wireless LAN Controller (WLC)** for centralized management.
    - **WLC** manages SSIDs, authentication, and other functions for multiple APs.
    - Simplifies large-scale WLAN management.

:::danger
**Check Your Understanding - Identify the LAN Device**
:ballot_box_with_check: You can find the answers to the quiz by clicking [here](https://itexamanswers.net/11-2-9-check-your-understanding-identify-the-lan-device-answers.html).
:::

>[!Warning]Recap
>Wireless networking devices connect to an Access Point (AP) or Wireless LAN Controller (WLC) using the 802.11 standard. The 802.11 frame format is similar to the Ethernet frame format, except that it contains additional fields. WLAN devices use carrier sense multiple access with collision avoidance (CSMA/CA) as the method to determine how and when to send data on the network. To connect to the WLAN, wireless devices complete a three-stage process to discover a wireless AP, to authenticate with the AP, and to associate with the AP.
>APs can be configured autonomously (individually) or by using a WLC to simplify the configuration and monitoring of numerous access points.

### 5.2 WLAN Threats

#### **5.2.2 Wireless Security Overview**

Wireless LANs (WLANs) are susceptible to unique threats because they rely on **radio frequencies (RF)** for communication. Key vulnerabilities include:

1. **Interception of Data**:
    - Wireless data must be encrypted to prevent eavesdropping by attackers.
2. **Wireless Intruders**:
    - Unauthorized users may try to access the network. Use effective authentication methods to prevent this.
3. **Denial-of-Service (DoS) Attacks**:
    - WLAN services may be disabled intentionally or accidentally. Use monitoring and mitigation techniques to maintain service.
4. **Rogue Access Points (APs)**:
    - Unauthorized APs can compromise network security. Use monitoring tools to detect and block rogue devices.

---

#### **5.2.3 DoS Attacks**

Wireless **DoS attacks** can occur due to:

1. **Improperly Configured Devices**:
    - Errors by administrators or malicious alterations can disable the WLAN.
2. **Malicious Interference**:
    - Attackers intentionally disrupt wireless communication to block legitimate devices.
3. **Accidental Interference**:
    - Devices like **microwave ovens**, **cordless phones**, and **baby monitors** can interfere with the WLAN, especially on the **2.4 GHz band**.

**Mitigation Tips**:

- Use the **5 GHz band** to avoid interference.
- Harden devices, secure passwords, and create backups to prevent intentional disruptions.
- Monitor the WLAN for interference and address issues promptly.

---

#### **5.2.4 Rogue Access Points**

A **Rogue AP** is any unauthorized AP or wireless router connected to the corporate network. Threats from rogue APs include:

- **Data Capture**: Attackers can capture MAC addresses and data packets.
- **Man-in-the-Middle (MITM) Attacks**: Rogue APs can redirect user traffic to malicious actors.
- **Circumventing Security**: Personal hotspots or unauthorized APs can bypass network protections.

**Prevention**:

- Configure **Wireless LAN Controllers (WLCs)** with rogue AP policies.
- Actively monitor the **radio spectrum** using specialized software to detect unauthorized devices.

---

#### **5.2.5 Man-in-the-Middle (MITM) Attack**

A **Man-in-the-Middle (MITM) attack** occurs when a hacker intercepts and potentially modifies communication between two legitimate parties. One common type of MITM attack is the **evil twin AP**:

1. **How it Works**:
    - An attacker sets up a **rogue AP** with the same SSID as a legitimate AP.
      ![image](https://hackmd.io/_uploads/By1W3M9z1e.png)
    - Clients near the rogue AP connect to it because of its stronger signal.
    - User traffic is captured by the rogue AP before being forwarded to the legitimate AP.
      ![image](https://hackmd.io/_uploads/By6mhM5zye.png)
2. **Consequences**:
    - Attackers can steal **passwords**, **personal information**, or gain access to devices.

**Prevention**:

- Authenticate all devices on the WLAN.
- Monitor the network for **abnormal traffic** or unauthorized devices.

>[!Warning]Recap
>Wireless networks are susceptible to threats, including: data interception, wireless intruders, DoS attacks, and rogue APs. Wireless DoS attacks can be the result of: improperly configured devices, a malicious user intentionally interfering with the wireless communication, and accidental interference. A rogue AP is an AP or wireless router that has been connected to a corporate network without explicit authorization. When connected, a threat actor can use the rogue AP to capture MAC addresses, capture data packets, gain access to network resources, or launch a MITM attack. In a MITM attack, the threat actor is positioned in between two legitimate entities to read or modify the data that passes between the two parties.
>A popular wireless MITM attack is called the “evil twin AP” attack, where a threat actor introduces a rogue AP and configures it with the same SSID as a legitimate AP. To prevent the installation of rogue APs, organizations must configure WLCs with rogue AP policies.

:::danger
**Check Your Understanding**
:ballot_box_with_check: You can find the answers to the quiz by clicking [here](https://itexamanswers.net/12-6-6-check-your-understanding-wlan-threats-answers.html).
:::

### 5.3 Secure WLANs

---

#### **5.3.2 SSID Cloaking and MAC Address Filtering**

1. **SSID Cloaking**:
    - Disables the broadcasting of the SSID beacon frame.
    - Wireless clients must manually configure the SSID to connect.
    - **Limitation**: SSIDs can still be discovered by attackers using specialized tools.
2. **MAC Address Filtering**:
    - Administrators can permit or deny wireless access based on device MAC addresses.
    - **Limitation**: MAC addresses can be spoofed by attackers.

**Note**: These measures deter casual intruders but are ineffective against determined attackers.

---

#### **5.3.3 802.11 Original Authentication Methods**

1. **Open System Authentication**:
    - No password required; any client can associate.
    - Suitable for public networks with no security concerns (e.g., cafes, hotels).
    - Clients must rely on **VPNs** for additional security.
2. **Shared Key Authentication**:
    - Requires pre-shared keys for connection.
    - Supports **WEP**, **WPA**, **WPA2**, and **WPA3** for encryption and authentication.

![image](https://hackmd.io/_uploads/H1dVRz9zJg.png)

---

#### **5.3.4 Shared Key Authentication Methods**

| **Authentication Method** | **Description** |
|----------------------------|--------------------------------------------------------------------------------------------------------|
| **WEP** | Original encryption using **RC4** with a static key. Easily hackable and no longer recommended. |
| **WPA** | Uses **TKIP** encryption, improving security but still vulnerable to certain attacks. |
| **WPA2** | Current standard using **AES** encryption. Offers strong security. |
| **WPA3** | Next-generation standard using advanced cryptographic protocols for enhanced security and IoT support. |

---

#### **5.3.5 Authenticating a Home User**

1. **WPA2 Authentication Options**:
    - **Personal**: Uses a pre-shared key (PSK) for authentication; ideal for home and small office networks.
    - **Enterprise**: Requires a **RADIUS server** for centralized authentication. Uses the **802.1X** standard and is more secure but complex to set up.

---

#### **5.3.6 Encryption Methods**

1. **TKIP (Temporal Key Integrity Protocol)**:
    - Used in **WPA**.
    - Provides encryption by addressing WEP flaws but still uses legacy systems.
    - Includes a **Message Integrity Check (MIC)** to detect tampering.
2. **AES (Advanced Encryption Standard)**:
    - Used in **WPA2** and **WPA3**.
    - Stronger encryption using the **CCMP protocol** to ensure secure transmissions and integrity.

---

#### **5.3.7 Authentication in the Enterprise**

1. **Enterprise Security**:
    - Requires an **Authentication, Authorization, and Accounting (AAA)** server, typically **RADIUS**.
    - Uses **802.1X** standard with **EAP** for secure client authentication.
2. **Configuration**:
    - **RADIUS Server IP Address**: Configured to authenticate APs.
    - **UDP Ports**: Uses **1812** for authentication and **1813** for accounting.
    - **Shared Key**: Authenticates the AP with the RADIUS server (not configured on clients).
3. **802.1X Process**:
    - Uses **EAP** to authenticate clients securely and negotiate encryption keys for communication.

---

#### **5.3.8 WPA3 Features**

1. **WPA3-Personal**:
    - Prevents brute force attacks by replacing the PSK with **Simultaneous Authentication of Equals (SAE)**.
    - Ensures that the PSK is never exposed.
2. **WPA3-Enterprise**:
    - Requires a **192-bit cryptographic suite** for enhanced security.
    - Complies with the **Commercial National Security Algorithm (CNSA)** Suite.
3. **Open Networks**:
    - Uses **Opportunistic Wireless Encryption (OWE)** to encrypt traffic, even without authentication.
4. **IoT Onboarding**:
    - Uses **Device Provisioning Protocol (DPP)** to securely onboard IoT devices using QR codes instead of the vulnerable **WPS** protocol.

>[!Warning]Recap
>To keep wireless intruders out and protect data, two early security features are still available on most routers and APs: SSID cloaking and MAC address filtering. There are four shared key authentication techniques available: WEP, WPA, WPA2, and WPA3 (Devices with WPA3 are not yet readily available.). Home routers typically have two choices for authentication: WPA and WPA2. WPA2 is the stronger of the two. Encryption is used to protect data. The WPA and WPA2 standards use the following encryption protocols: TKIP and AES. In networks that have stricter security requirements, an additional authentication or login is required to grant wireless clients access. The Enterprise security mode choice requires an Authentication, Authorization, and Accounting (AAA) RADIUS server.

:::danger
**Check Your Understanding**
:ballot_box_with_check: You can find the answers to the quiz by clicking [here](https://itexamanswers.net/12-7-9-check-your-understanding-secure-wlans-answers.html).
:::
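
Sections 5.2.4 and 5.2.5 recommend monitoring the radio spectrum for rogue and evil twin APs. As an added example (not part of the course material), this sketch checks observed beacons against an inventory of authorized APs and reports the ones that contradict it. The inventory, the finding codes, and the sample observations are all constructed for illustration.

```python
from collections import namedtuple

# One observed beacon; akm is None when the network advertises no RSN (open/legacy).
Beacon = namedtuple("Beacon", "ssid bssid channel akm")

# Hypothetical inventory of authorized APs: BSSID -> (SSID, channel, AKM).
AUTHORIZED = {
    "02:00:00:aa:bb:01": ("CorpWLAN", 6, "PSK"),
    "02:00:00:aa:bb:02": ("CorpWLAN", 11, "PSK"),
}

def audit(beacons, authorized=AUTHORIZED):
    """Return sorted (bssid, finding) pairs for beacons that contradict the inventory."""
    corp_ssids = {ssid for ssid, _, _ in authorized.values()}
    findings = set()
    for b in beacons:
        bssid = b.bssid.lower()
        known = authorized.get(bssid)
        if known is None:
            # Same SSID as a corporate WLAN from an AP we do not own: evil twin suspect.
            if b.ssid in corp_ssids:
                findings.add((bssid, "UNKNOWN_BSSID_CORP_SSID"))
            continue  # unrelated neighbouring networks are ignored
        ssid, channel, akm = known
        # A known BSSID with different settings suggests a cloned MAC address.
        if b.ssid != ssid:
            findings.add((bssid, "SSID_MISMATCH"))
        if b.akm != akm:
            findings.add((bssid, "SECURITY_MISMATCH"))
        if b.channel != channel:  # noisy if APs pick channels automatically
            findings.add((bssid, "CHANNEL_MISMATCH"))
    return sorted(findings)

# Constructed observations, not captured traffic.
SAMPLE_BEACONS = [
    Beacon("CorpWLAN", "02:00:00:aa:bb:01", 6, "PSK"),    # matches inventory
    Beacon("CorpWLAN", "02:00:00:CC:DD:09", 6, None),     # unknown AP, corporate SSID
    Beacon("CorpWLAN", "02:00:00:aa:bb:02", 11, None),    # known BSSID, now open
    Beacon("CoffeeShop", "02:00:00:ee:ff:03", 1, "PSK"),  # neighbour, ignored
]
```

This only covers what is visible over the air; a rogue AP plugged into the wired network under a different SSID needs the WLC rogue AP policies mentioned in 5.2.4.
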