Threats and security risks of wireless networks. Wireless threats and vulnerabilities

A major concern for all wireless LANs (and all wired LANs, for that matter) is security. Security is just as important here as for any Internet user. Security is a complex issue and requires constant attention. A user can suffer enormous harm by using random hotspots or open Wi-Fi access points at home or in the office without encryption or a VPN (Virtual Private Network). This is dangerous because the user enters personal or professional data while the network is not protected from outside intrusion.

WEP

Initially, it was difficult to provide adequate security for wireless LANs.

Hackers easily connected to almost any Wi-Fi network by breaking early versions of security systems such as Wired Equivalent Privacy (WEP). These events left their mark, and for a long time some companies were reluctant to deploy wireless networks, or did not deploy them at all, fearing that data transmitted between wireless Wi-Fi devices and Wi-Fi access points could be intercepted and decrypted. Thus, this security model slowed down the integration of wireless networks into businesses and made people using Wi-Fi networks at home nervous. The IEEE then created the 802.11i Working Group, which worked to create a comprehensive security model providing 128-bit AES encryption and authentication to protect data. The Wi-Fi Alliance introduced its own intermediate version of this 802.11i security specification: Wi-Fi Protected Access (WPA). WPA combines several technologies to address the vulnerabilities of 802.11 WEP. Thus, WPA provides reliable user authentication using the 802.1x standard (mutual authentication and encapsulation of data transmitted between wireless client devices, access points and the server) and the Extensible Authentication Protocol (EAP).

The operating principle of security systems is schematically shown in Fig. 1

WPA is also equipped with an interim module that strengthens the WEP encryption engine with 128-bit keys and uses the Temporal Key Integrity Protocol (TKIP). A message integrity check (MIC) prevents data packets from being altered or reformatted. This combination of technologies protects the confidentiality and integrity of data transmission and ensures security by controlling access so that only authorized users have access to the network.

WPA

WPA further strengthens security and access control by creating a new, unique master key for communication between each user's wireless equipment and the access points for each authentication session, by using a random key generator, and by generating a key for each packet.

The IEEE ratified the 802.11i standard in June 2004, significantly expanding many capabilities thanks to WPA technology. The Wi-Fi Alliance strengthened its security module in the WPA2 program. Thus, the security of Wi-Fi data transmission under the 802.11 standard reached the level required for deploying wireless solutions and technologies in enterprises. One of the significant differences between 802.11i (WPA2) and WPA is the use of the 128-bit Advanced Encryption Standard (AES). WPA2 uses AES in Counter with CBC-MAC mode (a block cipher mode of operation that allows a single key to be used for both encryption and authentication) to provide data confidentiality, authentication, integrity and replay protection. The 802.11i standard also offers key caching and pre-authentication to handle users moving between access points.

WPA2

With the 802.11i standard, the entire security chain (login, credential exchange, authentication and data encryption) becomes a more reliable and effective defense against untargeted and targeted attacks. WPA2 allows the Wi-Fi network administrator to shift attention from security issues to managing operations and devices.

The 802.11r standard is a modification of the 802.11i standard. This standard was ratified in July 2008. The standard's technology more quickly and reliably transfers key hierarchies based on Handoff technology as the user moves between access points. The 802.11r standard is fully compatible with the 802.11a/b/g/n WiFi standards.

There is also the 802.11w standard, which is intended to improve upon the security mechanism based on the 802.11i standard. This standard is designed to protect control packets.

The 802.11i and 802.11w standards are security mechanisms for 802.11n WiFi networks.

Encrypting files and folders in Windows 7

The encryption feature allows you to encrypt files and folders that will subsequently be impossible to read on another device without a special key. This feature is present in versions of Windows 7 such as Professional, Enterprise or Ultimate. The following will cover ways to enable encryption of files and folders.

Enabling file encryption:

Start -> Computer (select the file to encrypt) -> right-click the file -> Properties -> Advanced (General tab) -> Additional attributes -> Place a checkmark in the item Encrypt contents to protect data -> Ok -> Apply -> Ok (Select apply only to file) ->

Enabling folder encryption:

Start -> Computer (select the folder to encrypt) -> right mouse button on the folder -> Properties -> Advanced (General tab) -> Additional attributes -> Check the box Encrypt contents to protect data -> Ok -> Apply -> Ok (Select apply only to file) -> Close the Properties dialog (Click Ok or Close).


Federal State Budgetary Educational Institution of Higher Professional Education

Department: Informatics and Information Technologies

Specialty: Applied computer science

COURSE WORK

WIRELESS SECURITY

Completed by a student

Kozlova S.K.

Head of work:

Mityaev V.V.

Oryol, 2013


Introduction

Most modern computers support wireless network access. In other words, they can connect to the Internet (and other wireless devices) without a network cable. The main advantage of wireless connections is the ability to work with the Internet anywhere in the home or office (provided the distance between the computer and the wireless access device allows it). However, if you do not take measures to ensure the security of your wireless network, potentially dangerous situations can arise in which an attacker could:

1. Intercept transmitted or received data;

2. Gain access to a wireless network;

3. Seize the Internet access channel.

Let's turn to the definition of information security. Information security means the protection of information and information systems from unauthorized access, use, detection, distortion, destruction and modification.

Information security ensures the availability, integrity and confidentiality of information. To implement information security of wireless networks, information security tools and mechanisms are used.

Therefore, if a wireless network is not secure, an attacker can intercept data transmitted over it, gain access to the network and files on the computer, and also access the Internet using the connection. Thus, the data transmission channel is occupied and Internet access slows down.

The topic of wireless network security still remains relevant, although reliable methods for protecting these networks, such as WPA (Wi-Fi Protected Access) technologies, have existed for quite some time.

The purpose of the work is a practical study of security issues and security features of wireless networks.

The object of this course work is network security.

The subject is the security of wireless networks.

The tasks to be solved when performing this work are as follows:

1. Consider the concept of a wireless network;

3. Study the basic provisions of the wireless connection security policy;

4. Analyze solutions for ensuring the security of wireless networks;

5. Assess the need for wireless network security;

6. Develop an algorithm for carrying out work to assess the effectiveness of wireless network protection.

1. Concept of a wireless network and description of the categories of main attacks

1.1 Concept and description of a wireless network

A wireless network is the transmission of information over a distance without the use of electrical conductors or "wires".

This distance can be either small (a few meters, as in television remote control) or very large (thousands or even millions of kilometers for telecommunications).

Wireless communications is generally considered to be a branch of telecommunications.

The popularity of wireless communications is growing at an explosive pace, opening up new markets for operators - from online games on cell phone screens to emergency services.

This is due to the spread of notebook computers and paging systems, the emergence of "personal secretary" class systems (Personal Digital Assistant, PDA), and the expanding functionality of cell phones.

Such systems must provide business planning, timing, document storage, and communications with remote stations. The motto of these systems was "anytime, anywhere", i.e., the provision of communication services regardless of place and time. In addition, wireless channels are relevant where laying cable lines is impossible or expensive, and over long distances.

Until recently, most wireless computer networks transmitted data at speeds from 1.2 to 14.0 Kbps, often only short messages, because transferring large files or holding long interactive sessions with a database was not possible. New wireless transmission technologies operate at speeds of several tens of megabits per second.

Alan S. Cohen, senior director of Cisco Systems, responsible for mobile solutions, talks a lot about the prospects for the wireless communications market.

He says wireless technology is quickly becoming an accepted standard that has a pervasive impact on our lives.

Two important market factors are driving the transition to ubiquitous wireless communications. The first factor is the "democratization" of wireless technology, which became noticeable in the mobile market with the advent of the 802.11 or Wi-Fi standard.

The rapid growth in the number of mobile devices and mobile networks in homes, apartments, businesses and cities is very noticeable. Today, it is easy and simple to build a wireless network and provide broadband mobility for the benefit of large corporations and individual users.

He also highlighted another interesting area of application of mobile technologies: urban mesh networks that make Wi-Fi technology truly ubiquitous.

Providing access to all city residents throughout its territory is a wonderful example of the democratization of wireless technology. Network architecture and unified communications technology not only combine wired and wireless communications, but also bring together network services provided indoors and outdoors. As a result, you can stay connected to the network wherever you are, inside or outside the building, which is very important for urban communications.

Wireless communications are becoming ubiquitous. They make it possible to connect users where a cable connection is difficult or full mobility is required. In this case, wireless networks interact with wired networks. Nowadays, it is necessary to take wireless solutions into account when designing any network, from a small office to an enterprise. This may save money, labor and time.

There are many cases and reasons why wireless networks are the only or most convenient option for organizing access to a communications network or the Internet:

1) If you need to organize nomadic access to the network and the Internet for random users in cafes, airports, train stations, shops and other public places;

2) If it is necessary to organize a local network in buildings that do not have the ability to lay cable wiring (for example, in historical buildings) or in buildings in which laying cable is a very complex, time-consuming and difficult task;

3) When organizing a temporary local network, including a local network for public access, for example, for holding any events, conferences, etc.;

4) When expanding a local area network in the event that it is necessary to connect any remote isolated segment containing a small number of workstations;

5) If mobile access to network resources is necessary, for example, when moving around an apartment or organization with a laptop, when a doctor visits various patients in a hospital and needs to communicate with a central database, or for communication and coordination among mechanics in large buildings filled with modern systems that keep them running;

6) To organize additional communication channels that can be provided by alternative telecom operators creating wireless local networks in different areas.

Depending on the technologies and transmission media used, the following classes of wireless networks can be defined:

Networks on radio modems;

Networks on cellular modems;

Infrared systems;

VSAT systems;

Systems using low-orbit satellites;

Systems with SST technology;

Radio relay systems;

Laser communication systems.

Wi-Fi is a modern wireless technology for transmitting data over a radio channel (wireless, WLAN).

Any equipment that complies with the IEEE 802.11 standard can be tested by the Wi-Fi Alliance and receive the appropriate certification and the right to display the Wi-Fi logo.

Wi-Fi stands for Wireless Fidelity, which literally means "wireless precision". There is also a longer name for the term: IEEE 802.11b. Wi-Fi originated in 1985 in the USA, after the frequency part of the radio channel was opened for use without special permission.

The very first standard that became most widespread was the IEEE 802.11b standard.

Equipment that complies with the 802.11b standard appeared back in 2001, and to this day most wireless networks still operate using this standard, and many wireless Wi-Fi devices support 802.11b.

The radio waves that are used for Wi-Fi communications are very similar to the radio waves used in walkie-talkies, receivers, cell phones and other devices. But Wi-Fi has a few notable differences from other radio devices.

Communication is carried out at frequencies of 2.4-5 GHz. This frequency is much higher than the frequencies suitable for mobile phones, portable radios and television.

The higher the signal frequency, the more information is transmitted. A wireless network uses radio waves just like radios, cell phones and TVs. In fact, Wi-Fi wireless communication is more similar to two-way radio communication.

In Russia, Wi-Fi may be used without a frequency permit from the State Commission for Radio Frequencies (SCRF) to set up a network inside buildings, enclosed warehouses and industrial areas.

To legally use a Wi-Fi wireless network outside of an office, for example, a radio channel between two neighboring houses, you must obtain permission to use the frequencies. There is a simplified procedure for issuing permits for the use of radio frequencies in the band 2400-2483.5 MHz (standards 802.11b and 802.11g, channels 1-13); obtaining such permission does not require a private decision from the SCRF. To use radio frequencies in other bands, in particular 5 GHz (802.11a standard), you must first obtain a private decision from the SCRF. In 2007, the situation changed with the release of the document: “Resolution of July 25, 2007, No. 476 “On Amendments to the Resolution of the Government of the Russian Federation” dated October 12, 2004.

The sixteenth paragraph of the resolution removed from the list of equipment subject to registration the user equipment for wireless access in the radio frequency band 2400-2483.5 MHz with a transmitter radiation power of up to 100 mW inclusive.

Also, pursuant to the protocol entry to the decision of the SCRF dated August 19, 2009, No. 09-04-09, the SCRF decided to allocate the radio frequency bands 5150-5350 MHz and 5650-6425 MHz for fixed wireless access on the territory of the Russian Federation, with the exception of the cities specified in Appendix No. 2, by citizens of the Russian Federation and Russian legal entities without issuing separate decisions of the SCRF for each individual or legal entity.

The specified frequency bands correspond to the 802.11a/b/g/n standards and channels with numbers from the ranges 36-64 and 132-165. However, Appendix 2 lists the 164 largest cities in Russia in which the specified frequencies cannot be used to create wireless networks.

Violation of the procedure for using radio-electronic means is subject to liability under Articles 13.3 and 13.4 of the Code of the Russian Federation on Administrative Offences.

By a decision of July 15, 2010, the State Commission for Radio Frequencies of Russia canceled the requirement for mandatory private SCRF decisions for the use of fixed wireless access systems in the ranges 5150-5350 MHz and 5650-6425 MHz. The restriction on these frequency ranges has been lifted for the entire territory of Russia.

The following types and varieties of connections are distinguished:

1. Ad-Hoc connection (point-to-point). All computers are equipped with wireless cards (clients) and connect directly to each other via a radio channel operating according to the 802.11b standard and providing an exchange rate of 11 Mbit/s, which is quite enough for normal operation;

2. Infrastructure connection. This model is used when it is necessary to connect more than two computers. A server with an access point can act as a router and independently distribute the Internet channel;

3. Access point, using a router and modem. The access point is connected to the router, the router is connected to the modem (these devices can be combined into two or even one). Now the Internet will work on every computer that has a Wi-Fi adapter and is within the Wi-Fi coverage area;

4. Client point. In this mode, the access point acts as a client and can connect to an access point operating in infrastructure mode. But only one MAC address can be connected to it. Here the task is to connect only two computers. Two Wi-Fi adapters can work with each other directly without central antennas;

5. Bridge connection. Computers are connected to a wired network. Each group of networks is connected to access points that connect to each other via a radio channel. This mode is designed to combine two or more wired networks. Wireless clients cannot connect to an access point operating in bridge mode.

Thus, the concept and classes of wireless networks were examined, and the reasons that make a wireless connection appropriate were identified. The regulatory framework for Wi-Fi networks was analyzed. The wireless network was described through a typology of connection types.

Various problems often occur during the operation of wireless networks. Some are due to someone else's oversight, and some are the result of malicious actions. In any case, damage is caused. These events are attacks, regardless of the reasons for their occurrence.

There are four main categories of attacks:

1. Access attacks;

2. Modification attacks;

3. Denial of service attacks;

4. Repudiation attacks.

An access attack is an attempt by an attacker to obtain information that he does not have permission to view; it is aimed at violating the confidentiality of information.

To carry out this attack, information and means to transmit it are required.

An access attack is possible wherever information and means for its transmission exist.

Access attacks can also include snooping, eavesdropping and interception.

Snooping is viewing files or documents to search for information of interest to an attacker.

Eavesdropping is when someone listens to a conversation in which they are not a participant (often using electronic devices).

Interception is the capture of information during its transmission to its destination.

Information is stored electronically on:

Workstations;

Servers;

Laptop computers;

CDs.

With CDs the situation is clear, because an attacker can simply steal them. With the first two, things are different. With legal access to the system, the attacker will analyze the files by simply opening them one by one. In case of unauthorized access, the attacker will try to bypass the control system and gain access to the necessary information. It's not difficult to do. A network packet analyzer (sniffer) needs to be installed on the computer system. To do this, the attacker must elevate his privileges in the system or connect to the network. The analyzer is configured to capture any information passing through the network, but especially user IDs and passwords.

Eavesdropping is also carried out in global computer networks such as leased lines and telephone connections. However, this type of interception requires appropriate equipment and special knowledge. In this case, the most suitable place to place the listening device is a cabinet with electrical wiring.

And with the help of special equipment, a qualified hacker can intercept fiber-optic communication systems. However, to succeed, he must place his system in the transmission lines between the sender and receiver of information. On the Internet, this is done by changing the name resolution, causing the computer name to be converted to an incorrect address. Traffic is redirected to the attacker's system instead of the actual destination node. If such a system is configured appropriately, the sender will never know that his information did not reach the recipient.

A modification attack is an attempt to illegally change information. It is aimed at violating the integrity of information and is possible wherever information exists or is transmitted.

There are three types of modification attacks:

1. Replacement;

2. Addition;

3. Removal.

Replacement is the substitution of existing information; it is directed against both secret and public information.

Addition attack - adding new data.

A deletion attack means moving existing data.

All three types of modification attacks exploit system vulnerabilities, for example, "gaps" in a server's security that allow the home page to be replaced. Even then, extensive work must be done throughout the entire system to prevent detection. Because transactions are numbered sequentially, the deletion or addition of incorrect transaction numbers will be noticed.

If a modification attack is carried out during the transmission of information, then it is necessary to first intercept the traffic of interest, and then make changes to the information before sending it to its destination.

Denial-of-service (DoS) attacks are attacks that prevent a legitimate user from using a system, information, or computer capabilities. In other words, this attack is “Vandalism”, i.e., an attacker.

As a result of a DoS attack, the user usually does not gain access to the computer system and cannot operate with information.

A DoS attack directed against information destroys, distorts or moves it to an inaccessible place.

A DoS attack aimed at applications that process or display information, or at the computer system on which these applications are running, makes it impossible to complete the tasks performed using such an application.

A common type of DoS attack (denial of access to a system) aims to disable computer systems, as a result of which the system itself, applications installed on it and all stored information become inaccessible.

Denial of access to communications means disabling communications facilities, which denies access to computer systems and information.

DoS attacks aimed directly at a computer system are implemented through exploits that take advantage of vulnerabilities in operating systems or internetwork protocols.

With the help of these "gaps", the attacker sends the application a specific set of commands that it is unable to process correctly, causing the application to crash. A reboot restores its functionality, but during the reboot it becomes impossible to work with the application.

A repudiation attack targets the ability to identify information, or misrepresents an actual event or transaction.

This type of attack includes:

Masquerade is performing actions under the guise of another user or another system.

Denial of an event is a denial of the fact of an operation.

DoS attacks against the Internet are attacks on the Internet's root name servers.

You can ensure the security of your wireless access device and, accordingly, minimize the risk associated with this type of access using the following simple steps:

1. Change the administrator password on your wireless device. It is easy for a hacker to find out what the device manufacturer's default password is and use that password to access the wireless network. Avoid passwords that are easy to guess;

2. Disable broadcasting of the network identifier (SSID broadcasting; SSID - Service Set Identifier, network identifier) so that the wireless device does not broadcast information that it is turned on;

3. Enable traffic encryption: it is best to use the WPA protocol if the device supports it (if not, then use WEP encryption);

4. Change the network identifier (SSID) of the device. If you leave the device manufacturer's default identifier, an attacker can easily identify the wireless network by learning this identifier. Don't use names that are easy to guess.

As a result of solving this problem, four main categories of attacks and three types of modification attacks were identified and studied. Denial-of-service and repudiation attacks were also considered. Based on this analysis, steps were developed to ensure the security of wireless access devices.

Thus, to summarize, we can confidently say that wireless connections have now become widespread, mainly due to their ability to work with the Internet anywhere in the home or office.

However, if you do not take measures to ensure the security of your wireless network, an attacker can intercept data transmitted over it, gain access to the network and files on your computer, and also access the Internet using the connection.

2. Review of tools and methods for ensuring information security of wireless networks

2.1 Wireless security policy

The specifics of wireless networks mean that data can be intercepted and changed at any time. Some technologies require a standard wireless adapter, while others require specialized equipment. But in any case, these threats are implemented quite simply, and to counter them, effective cryptographic data protection mechanisms are required.

When building a security system, it is important to determine the threat model, i.e., to decide what the protection will actually counter. In fact, there are two threats in wireless networks: unauthorized connection and eavesdropping. The list can be expanded, however, by singling out and generalizing the following main threats associated with wireless devices, in addition to those listed in the first chapter:

Uncontrolled use and perimeter violation;

Unauthorized connection to devices and networks;

Traffic interception and modification;

Availability violation;

Device positioning.

The widespread use of wireless devices and their low cost lead to gaps in the network security perimeter. This concerns not only attackers who have connected a Wi-Fi-enabled PDA to the company's wired network, but also more trivial situations. An active wireless adapter on a laptop connected to the corporate network, an access point brought from home for testing: all of these can become convenient channels for penetrating the internal network.

Insufficient authentication and errors in the access control system allow unauthorized connections.

By their nature, wireless networks cannot provide high availability. Various natural, man-made and anthropogenic factors can effectively disrupt the normal functioning of a radio channel. This fact must be taken into account when designing the network, and wireless networks should not be used to organize channels with high availability requirements.

Wi-Fi stations can be easily detected using passive methods, which makes it possible to determine the location of a wireless device with fairly high accuracy. For example, the Navizon system can use GPS, GSM base stations and wireless access points to determine the location of a mobile device.

The security policy for wireless networks can be presented either as a separate document or as part of other regulatory security documents. In most cases, a separate document is not required, since the provisions of the wireless network policy largely overlap with the traditional content of such documents. For example, the requirements for physical protection of access points are fully covered by the physical security requirements for active network equipment. For this reason, the wireless security policy is presented as a separate document while the WLAN is being implemented, after which, at the next revision of the documents, it is merged with the others.

If wireless networks are not used, then the security policy should include a description of protective mechanisms aimed at reducing the risks associated with unauthorized use of radio networks.
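One way to find the unauthorized access points, ad-hoc networks and weakened settings discussed above is to compare a wireless survey with the inventory of authorized equipment. The Python code below is an added example, not part of the original work; the inventory, survey records, signal threshold and category names are constructed assumptions.

```python
from dataclasses import dataclass

# Ranking used to compare encryption modes with policy (assumption of this example).
STRENGTH = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3}
ONSITE_DBM = -65  # assumed threshold: stronger signals are treated as on the premises


@dataclass(frozen=True)
class Observation:
    bssid: str                    # radio MAC address reported by the survey
    ssid: str                     # advertised network identifier
    encryption: str               # a key of STRENGTH
    signal_dbm: int               # received signal strength
    mode: str = "infrastructure"  # or "ad-hoc"


def norm(mac):
    """Normalize a MAC so 00-11-22-AA-BB-CC and 00:11:22:aa:bb:cc compare equal."""
    return mac.strip().lower().replace("-", ":")


def assess(survey, inventory):
    """Compare survey records with the inventory; return (severity, bssid, category)."""
    known = {norm(mac): entry for mac, entry in inventory.items()}
    known_ssids = {ssid for ssid, _ in known.values()}
    findings, seen = [], set()
    for obs in survey:
        mac = norm(obs.bssid)
        seen.add(mac)
        if mac in known:
            ssid, minimum = known[mac]
            # A BSSID match alone proves little (MAC addresses can be changed),
            # so the advertised settings are compared with the inventory as well.
            if obs.ssid != ssid:
                findings.append(("high", mac, "ssid-mismatch"))
            if STRENGTH.get(obs.encryption.lower(), 0) < STRENGTH[minimum]:
                findings.append(("high", mac, "encryption-below-policy"))
        elif obs.ssid in known_ssids:
            # An inventoried network name announced by a radio that is not inventoried.
            findings.append(("high", mac, "authorized-ssid-on-unknown-radio"))
        elif obs.mode == "ad-hoc":
            findings.append(("medium", mac, "ad-hoc-network"))
        elif obs.signal_dbm >= ONSITE_DBM:
            findings.append(("medium", mac, "unknown-access-point-on-site"))
        else:
            findings.append(("info", mac, "neighbouring-network"))
    # Inventoried equipment that the survey did not see (switched off, moved, failed).
    for mac in sorted(set(known) - seen):
        findings.append(("low", mac, "inventoried-access-point-not-seen"))
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


# Constructed inventory of authorized access points: BSSID -> (SSID, minimum encryption).
INVENTORY = {
    "00:11:22:33:44:01": ("corp-wlan", "wpa2"),
    "00:11:22:33:44:02": ("corp-wlan", "wpa2"),
    "00:11:22:33:44:03": ("corp-guest", "wpa"),
}

# Constructed survey results (not real captures).
SURVEY = [
    Observation("00:11:22:33:44:01", "corp-wlan", "wpa2", -48),
    Observation("00-11-22-33-44-02", "corp-wlan", "wep", -55),    # settings weakened
    Observation("66:77:88:99:AA:BB", "corp-wlan", "open", -50),   # same name, unknown radio
    Observation("de:ad:be:ef:00:10", "homerouter", "wpa2", -40),  # brought from home
    Observation("02:00:00:00:00:05", "printer-share", "open", -60, "ad-hoc"),
    Observation("aa:bb:cc:00:00:77", "cafe-next-door", "wpa2", -82),
]

if __name__ == "__main__":
    for severity, bssid, category in assess(SURVEY, INVENTORY):
        print(f"{severity:<6} {bssid}  {category}")
```

The signal threshold only separates likely on-site devices from neighbours; it needs tuning per site, and a weak signal does not prove that a device is outside the perimeter.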

The world's best practices in the field of information security management are described in the international standard for information security management systems ISO/IEC 27001 (ISO 27001). ISO 27001 specifies requirements for an information security management system to demonstrate an organization's ability to protect its information assets.

The standard is equivalent to GOST R ISO/IEC 27001-2006. It establishes requirements for the development, implementation, operation, monitoring, analysis, support and improvement of a documented information security management system, and for the implementation of information security management and control measures.

The main advantages of the ISO/IEC 27001 standard:

Certification allows you to show business partners, investors and clients that the organization has effective information security management;

The standard is compatible with ISO 9001:2000 and ISO 14001:2007;

The standard does not place restrictions on the choice of software and hardware, does not impose technical requirements on IT tools or information security tools and leaves the organization complete freedom to choose technical solutions for information security.

The international standard interprets the concept of information security as ensuring the confidentiality, integrity and availability of information.

Based on this standard, recommendations can be formulated to reduce the likelihood of violating the wireless network security policy in an organization:

1. Training of users and administrators. ISO/IEC 27001 A.8.2.2. As a result of training, users must know and understand the policy's limitations, and administrators must be qualified to prevent and detect violations of the policy;

2. Control of network connections. ISO/IEC 27001 A.11.4.3. The risk associated with connecting an unauthorized access point or wireless client can be reduced by disabling unused switch ports, MAC address filtering (port-security), 802.1X authentication, intrusion detection systems and security scanners that monitor the emergence of new network objects;

3. Physical security. ISO/IEC 27001 A.9.1. Controlling devices brought onto the premises limits the likelihood of wireless devices connecting to the network. Limiting user and visitor access to a computer's network ports and expansion slots reduces the likelihood of a wireless device being connected;

4. Minimizing user privileges. ISO/IEC 27001 A.11.2.2. If the user works on a computer with the minimum necessary rights, the likelihood of unauthorized changes to the settings of wireless interfaces is reduced;

5. Security policy control. ISO/IEC 27001 6, A.6.1.8. Security analysis tools, such as vulnerability scanners, allow you to detect the appearance of new devices on the network and determine their type (functions for determining OS versions and network applications), as well as monitor deviations of client settings from a given profile. The terms of reference for audit work performed by external consultants must take into account the requirements of the wireless network policy;

6. Inventory of resources. ISO/IEC 27001 A.7.1.1. Having a current, updated list of network resources facilitates the discovery of new network objects;

7. Attack detection. ISO/IEC 27001 A.10.10.2. The use of attack detection systems, both traditional and wireless, makes it possible to promptly detect unauthorized access attempts;

8. Incident investigation. ISO/IEC 27001 A.13.2. Incidents involving wireless networks are not much different from other similar situations, but procedures for their investigation must be defined. For networks where wireless networks are being implemented or used, additions to the policy sections may be required;

9. Legal support. ISO/IEC 27001 A.15.1.1. The use of wireless networks may be subject to both Russian and international regulations. Thus, in Russia, the use of the 2.4 GHz frequency range is regulated by the decision of the SCRF dated November 6, 2004 (04-03-04-003). In addition, since encryption is intensively used in wireless networks, and the use of cryptographic means of protection in some cases is subject to rather strict legislative restrictions, it is necessary to study this issue;

10. Internal and external audit. ISO/IEC 27001 6, A.6.1.8. When carrying out security assessment work, the requirements of the wireless network policy must be taken into account. The possible scope of work to assess WLAN security is described in more detail in the last chapter of this book;

11. Network separation. ISO/IEC 27001 A.11.4.5. Due to the specifics of wireless networks, it is advisable to place wireless access points in a separate network segment behind a firewall, especially when it comes to guest access;

12. Use of cryptographic security measures. ISO/IEC 27001 A.12.3. The protocols and traffic encryption algorithms used on the wireless network (WPA or 802.11i) must be defined. When 802.1X technology is used, the requirements for the digital signature protocols and for the length of the signing key of the certificates used are determined;

13. Authentication. ISO/IEC 27001 A.11.4.2. The requirements for storing authentication data, changing it, its complexity, and its security during transmission over the network must be determined. The EAP methods used and the methods for protecting the RADIUS server public key can be explicitly defined;

14. Control of changes in the information system. ISO/IEC 27001 A.12.5.1. Wireless technologies must be taken into account in the information system (IS);

15. Acceptability of software and hardware use. ISO/IEC 27001 A.12.4.1. This section covers requirements for access points, wireless switches, and wireless clients;

16. Attack detection. ISO/IEC 27001 A.10.10.2. Requirements for wireless attack detection systems must be defined, and responsibility for event analysis must be assigned;

17. Logging and analysis of security events. ISO/IEC 27001 A.10.10.1. This section can be expanded by adding wireless-specific events to the list of monitored events. It may include the previous section;

18. Remote network access. ISO/IEC 27001 A.11.7.2. In most cases, wireless network users are logically classified as users of remote access systems. This is due to similar threats and, as a consequence, similar countermeasures characteristic of these IS components.

In addition, after completing all stages, the following documents must be generated in one form or another:

Instructions for users regarding the use of a wireless network;

Basic settings of access points, wireless switches, workstations;

Procedures for monitoring the security of wireless networks;

Profiles of attack detection systems;

Wireless Incident Response Procedures.
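As an added illustration (not part of the original text or of the standard), the following Python example shows how recommendations 2, 6 and 12 can be checked together: a wireless scan is compared with the authorized access point inventory and with the encryption modes the policy permits. The inventory, the scan rows, the finding names and the allowed-encryption set are constructed assumptions.

```python
"""Audit a wireless scan against an authorized access point inventory.

All SSIDs, BSSIDs and scan rows below are constructed sample data.
"""
from dataclasses import dataclass

# Encryption modes the (assumed) wireless policy permits, see recommendation 12.
ALLOWED_ENCRYPTION = {"WPA", "WPA2"}


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str        # radio MAC address of the access point
    encryption: str   # "OPEN", "WEP", "WPA" or "WPA2"


def normalize_bssid(bssid):
    """Lower-case and use ':' separators so inventory and scan rows compare equal."""
    return bssid.strip().lower().replace("-", ":")


def audit_scan(inventory, observed):
    """Return a sorted list of (finding, ssid, bssid) tuples.

    UNKNOWN_AP          BSSID and SSID are both absent from the inventory
    SSID_IMPERSONATION  an inventoried SSID announced by a BSSID not in the inventory
    WEAK_ENCRYPTION     inventoried AP observed with an encryption mode policy forbids
    CONFIG_DRIFT        inventoried AP whose SSID or encryption differs from the record
    MISSING_AP          inventoried AP that the scan did not see
    """
    known = {normalize_bssid(ap.bssid): ap for ap in inventory}
    corporate_ssids = {ap.ssid for ap in inventory}
    findings, seen = [], set()

    for ap in observed:
        bssid = normalize_bssid(ap.bssid)
        record = known.get(bssid)
        if record is None:
            kind = "SSID_IMPERSONATION" if ap.ssid in corporate_ssids else "UNKNOWN_AP"
            findings.append((kind, ap.ssid, bssid))
            continue
        seen.add(bssid)
        if ap.encryption not in ALLOWED_ENCRYPTION:
            findings.append(("WEAK_ENCRYPTION", ap.ssid, bssid))
        elif (ap.ssid, ap.encryption) != (record.ssid, record.encryption):
            findings.append(("CONFIG_DRIFT", ap.ssid, bssid))

    for bssid, record in known.items():
        if bssid not in seen:
            findings.append(("MISSING_AP", record.ssid, bssid))
    return sorted(findings)


# Constructed inventory (recommendation 6: current list of network resources).
INVENTORY = [
    AccessPoint("corp-wlan", "00:11:22:33:44:01", "WPA2"),
    AccessPoint("corp-wlan", "00:11:22:33:44:02", "WPA2"),
    AccessPoint("corp-wlan", "00:11:22:33:44:03", "WPA2"),
    AccessPoint("corp-guest", "00:11:22:33:44:10", "WPA2"),
]

# Constructed scan result, as a wireless sensor or scanner might report it.
SCAN = [
    AccessPoint("corp-wlan", "00-11-22-33-44-01", "WPA2"),      # matches the record
    AccessPoint("corp-wlan", "00:11:22:33:44:02", "WEP"),       # forbidden encryption
    AccessPoint("corp-guest", "00:11:22:33:44:10", "WPA"),      # differs from record
    AccessPoint("corp-wlan", "02:AA:BB:CC:DD:01", "WPA2"),      # unknown radio, our SSID
    AccessPoint("printer-setup", "02:AA:BB:CC:DD:02", "OPEN"),  # unknown device
]

if __name__ == "__main__":
    for finding, ssid, bssid in audit_scan(INVENTORY, SCAN):
        print(f"{finding:<20} ssid={ssid:<14} bssid={bssid}")
```

Each finding maps to a policy follow-up: unknown radios go to incident investigation, drift and weak encryption go to change control.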

Thus, the ISO/IEC 27001 standard was analyzed. Based on this standard, recommendations were formulated to reduce the likelihood of violating an organization's wireless security policy. There is also a list of documents that must be generated after completing all stages of the wireless network security policy.

A properly constructed and enforced security policy is a reliable foundation for a secure wireless network. As a result, it is worth paying sufficient attention to it, both at the stage of network implementation and during its operation, reflecting changes occurring in the network in regulatory documents.

2.2 Wireless Security Solutions

An important element of security for any network, not just wireless, is access and privacy management. One of the reliable methods of controlling access to a WLAN is authentication, which prevents unauthorized users from accessing data communications through access points. Effective WLAN access control measures help determine the range of permitted client stations and associate them only with trusted access points, excluding unauthorized or dangerous access points.

WLAN confidentiality means that transmitted data will only be correctly decrypted by the party for whom it was intended. The confidentiality status of data transmitted over a WLAN is considered protected if the data is encrypted with a key that can only be used by the recipient of the data for whom it was intended. Encryption means that the integrity of the data is not compromised throughout the entire transmission process - sending and receiving.

Today, companies using WLAN networks are implementing four separate solutions for WLAN security and access and privacy management:

Open access;

Basic security;

Increased security;

Remote access security.

As with any security deployment, it is wise to conduct a network risk assessment before selecting and implementing any of the WLAN security solutions:

1. Open access. All wireless LAN products certified to Wi-Fi specifications are shipped to operate in open access mode with security features disabled. Open access or lack of security may suit the needs of public hotspots such as coffee shops, college campuses, airports or other public places, but it is not an option for businesses. Security features must be enabled on wireless devices during installation. However, some companies do not enable WLAN security features, thereby seriously increasing the level of risk to their networks;

2. Basic security: SSID, WEP and MAC address authentication. Basic security lies in the use of network identifiers (SSID, Service Set Identifier), open or shared key authentication, static WEP keys, and optionally MAC address authentication. This combination can be used to set up basic access and privacy controls, but each individual piece of security can be compromised.

The SSID is a common network name for devices in a WLAN subsystem and serves to logically isolate this subsystem. The SSID prevents access from any client device that does not have the SSID. However, by default, the access point broadcasts its SSID among its signals. Even if you disable the broadcast of the SSID, an attacker can discover the desired SSID using so-called "sniffing", that is, unnoticed network monitoring.

The 802.11 standard, a group of specifications for WLAN networks developed by the IEEE, supports two means of client authentication: open authentication and shared key authentication. Open authentication is only slightly different from providing the correct SSID. With shared key authentication, the access point sends a test text packet to the client device, which the client must encrypt with the correct WEP key and return to the access point. Without the correct key, authentication will fail and the client will not be allowed into the access point's user group. Shared key authentication is not considered secure because an attacker who has the initial test text message and the same message encrypted with a WEP key can decipher the WEP key itself. With open authentication, even if a client is authenticated and gains access to the access point's user group, the use of WEP security prevents the client from transmitting data through that access point without the correct WEP key.

WEP keys can be 40 or 128 bits long and are usually statically determined by the network administrator at the access point and at each client transmitting data through that access point. When using static WEP keys, the network administrator must spend a lot of time entering the same keys into each device on the WLAN. If a device using static WEP keys is lost or stolen, the holder of the missing device can gain access to the WLAN. The administrator will not be able to determine that an unauthorized user has entered the network until the loss is reported. The administrator must then change the WEP key on each device that uses the same static WEP key as the missing device. In a large enterprise network with hundreds or even thousands of users, this can be difficult. To make matters worse, if the static WEP key was decrypted using a tool like AirSnort, there is no way for the administrator to know that the key was compromised by an unauthorized user.

Some WLAN solution providers support authentication based on the physical address, or MAC address, of the client network card (NIC). The access point will only allow a client to associate with it if the client's MAC address matches one of the addresses in the authentication table used by the access point. However, MAC address authentication is not an adequate security measure because the MAC address can be spoofed and the network card can be lost or stolen;

3. Basic security using WPA or WPA2. Another form of basic security available today is WPA or WPA2 using a Pre-Shared Key (PSK). The shared key authenticates users using a password or identification code (also called a passphrase) at both the client station and the access point. The client can only access the network if the client password matches the access point password. The shared key also provides the data to generate the encryption key that is used by the TKIP or AES algorithms for each packet of data transmitted. While more secure than a static WEP key, a shared key is similar to a static WEP key in that it is stored on the client station and can be compromised if the client station is lost or stolen. It is recommended to use a strong shared passphrase that includes a variety of letters, numbers, and non-alphanumeric characters;

4. Basic Security Summary. Basic WLAN security based on a combination of SSID, open authentication, static WEP keys, MAC authentication, and WPA/WPA2 shared keys is only sufficient for very small companies or those that do not trust vital data to their WLAN networks. All other organizations are encouraged to invest in robust enterprise-grade WLAN security solutions;

5. Increased security. The enhanced level of security is recommended for those customers who require enterprise-class security and protection. This requires advanced security that fully supports WPA and WPA2 with the building blocks of 802.1X two-way authentication and TKIP and AES encryption, including the following capabilities:

802.1X for powerful two-way authentication and dynamic encryption keys per user and per session;

TKIP for enhancements to RC4-based encryption, such as per-packet key hashing, message integrity check (MIC), initialization vector (IV) changes, and broadcast key rotation;

AES for government-grade data encryption, maximum security;

Capabilities of the Intrusion Prevention System (IPS) and subscriber movement tracking - a transparent view of the network in real time.

6. Wireless LAN security and remote access. In some cases, comprehensive security may be required to protect applications. Using secure remote access, administrators can set up a virtual private network (VPN) and allow mobile users to exchange data with the corporate network from public hotspots, such as airports, hotels and conference rooms. When deployed in an enterprise, the advanced security solution covers all WLAN security requirements, making the use of VPNs on an enterprise WLAN unnecessary. Using a VPN on an internal WLAN can affect WLAN performance, limit roaming capabilities, and make it more difficult for users to log into the network. Thus, the additional overhead and limitations associated with overlaying a VPN on an internal WLAN do not seem necessary.

As a result, we can conclude that high-quality access and confidentiality management is important for ensuring the information security of any network, not just a wireless one. To achieve this, four separate solutions are currently being actively implemented: open access, basic security, increased security, and remote access security.

If network security is properly constructed and all requirements are followed, network security will be at a high level, which will significantly complicate attackers’ access to the wireless network.

3. Assess the need and effectiveness of a wireless network security solution

3.1 Assessing the need for wireless network security

Despite the fact that most companies have already deployed one or another wireless network, specialists usually have many questions about the security of the chosen solutions, and company executives who avoid implementing wireless technologies worry about missed opportunities to increase productivity and reduce infrastructure costs.

Many organization leaders understand that wireless technologies can improve productivity and collaboration, but are hesitant to implement them for fear of vulnerabilities that may arise in the corporate network due to the use of wireless networks. The variety of proposed methods for securing wireless communications and the controversy over their effectiveness only add to these doubts.

There are many challenges associated with implementing wireless technology in a midsize company that make you wonder not only about wireless security, but also whether it is needed at all.

Common problems that can be overcome by properly implementing the security policy discussed in Chapter 2:

Deciding whether to deploy a wireless network;

Understanding and reducing the risk associated with the introduction of wireless technologies;

Defining an approach to protecting a wireless network;

Selecting optimal wireless network security technologies;

Checking the security level of the deployed wireless network;

Integration of existing assets into a wireless network security solution;

Detect and prevent unauthorized wireless network connections.

The benefits provided by wireless networking technologies can be divided into two categories: functional and economic.

Functional benefits include reduced management costs and reduced capital expenditures, while economic benefits include increased productivity, improved business process efficiency, and additional opportunities to create new business functions.

Most of the major economic benefits associated with wireless networks result from increased employee flexibility and mobility. Wireless technology removes the constraints that keep employees at their desks, allowing them to move relatively freely around the office or office building.

But, despite all the advantages, there are also disadvantages, mainly technological, which are expressed in the vulnerability of the wireless network through various attacks from intruders (section 1.2 of this work was devoted to this).

As soon as such technological shortcomings of first-generation wireless networks were discovered, active work began to eliminate them. While some companies were working to improve wireless standards, many analyst firms, network security vendors, etc. were trying to work around the shortcomings inherent in previous standards.

As a result, several approaches to securing wireless networks have been developed.

There are many factors to consider when evaluating possible options for securing your wireless network. When making this assessment, you need to take into account a variety of indicators: from the costs of implementing and administering the solution to its overall security. All of the above approaches have their own advantages and disadvantages, so you need to become more familiar with each of them so that you can make an informed decision.

The latest wireless security standards, namely WPA and WPA2, have eliminated the serious shortcomings of the WEP standard and thus made workarounds such as IPsec or VPN technology unnecessary. Using the static or dynamic WEP algorithm is no longer recommended in any form, and the omission of security is beneficial in only a few situations. Thus, when developing a comprehensive, effective solution for protecting a wireless network, it is enough to consider only two approaches.

Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) are specifically designed to block threats to wireless networks based on the IEEE 802.11 standard. However, there are some differences between them.

The WPA protocol was developed in 2003 to address the shortcomings of the WEP standard. The developers of WPA did a good job of providing support for mutual authentication, TKIP data encryption, and signed message integrity checks to protect against packet spoofing or replay attacks.

The WPA2 protocol provides an even higher level of security because it uses AES rather than TKIP to secure network traffic. Therefore, it should always be preferred over WPA.

The WPA and WPA2 protocols are significantly superior to WEP in terms of security, and if the security system is properly configured, there are no known vulnerabilities in either the first or the second. However, WPA2 is considered more secure than WPA, and if the infrastructure supports it and the additional overhead associated with administering a WPA2 solution is acceptable, it should be the choice.

Most access points manufactured today and the latest OS versions are certified in accordance with the requirements of the WPA2 protocol. If some access points or client computers in your environment do not support WPA2, wireless devices and client systems that support WPA2 can use the older WPA standard.

We should also not forget about such a development option for the company as refusing to deploy a wireless network. There is a saying among security professionals that says, “The best protected system is the one that no one ever turns on.” Thus, the most reliable way to protect against the vulnerabilities inherent in wireless networks or any other technologies is to not implement them. The disadvantage of this approach is obvious: a company that refuses to implement any technology may find itself uncompetitive in modern economic conditions, when any advantage, including technological, may be a decisive factor for success.

As already discussed, before implementing any new technology in a particular company, one must evaluate the company's needs, its risk tolerance, and the actual risk. Wireless technologies are no exception. Wireless networks have a number of benefits, but for a given organization these benefits may not be as important, or important at all.

When choosing a secure wireless solution, all possible options must be taken into account, including the abandonment of wireless technologies. If it is determined that an organization is not ready to deploy a wireless network, this decision should be reflected in existing corporate policies to prevent end users from weakening the security of the corporate network environment through unauthorized creation of wireless networks.

3.2 Development of an algorithm for carrying out work to assess the effectiveness of wireless network protection

In order to determine the advantage of a particular method of protecting a wireless network, it is advisable to assess its security.

This is especially important due to the fact that wireless networks are often deployed for company management. Accordingly, an attacker who gains access to the wireless segment has the opportunity not only to use company resources for his own purposes, but also to gain access to confidential information and block the work of high-priority users.

...


This article is devoted to the issue of security when using wireless WiFi networks.

Introduction - WiFi Vulnerabilities

The main reason why user data is vulnerable when this data is transmitted over WiFi networks is that the exchange occurs over radio waves. And this makes it possible to intercept messages at any point where a WiFi signal is physically available. Simply put, if the signal of an access point can be detected at a distance of 50 meters, then interception of all network traffic of this WiFi network is possible within a radius of 50 meters from the access point. In the next room, on another floor of the building, on the street.

Imagine this picture. In the office, the local network is built via WiFi. The signal from this office's access point is picked up outside the building, for example in a parking lot. An attacker outside the building could gain access to the office network unnoticed by the owners of this network. WiFi networks can be accessed easily and discreetly. Technically much easier than wired networks.

Yes. To date, means of protecting WiFi networks have been developed and implemented. This protection is based on encrypting all traffic between the access point and the end device that is connected to it. That is, an attacker can intercept a radio signal, but for him it will be just digital “garbage”.

How does WiFi protection work?

The access point includes in its WiFi network only the device that sends the correct password (specified in the access point settings).

But how does the access point know whether the password is correct or not? What if it also receives a hash, but cannot decrypt it? It's simple - in the access point settings the password is specified in its plain form. The authorization program takes the plain password, creates a hash from it, and then compares this hash with the one received from the client. If the hashes match, then the client's password is correct. The second feature of hashes is used here - they are unique. The same hash cannot be obtained from two different sets of data (passwords). If two hashes match, then they were both created from the same set of data.

By the way. Thanks to this feature, hashes are used to control data integrity. If two hashes (created over a period of time) match, then the original data (during that period of time) has not been changed.

However, despite the fact that the most modern method of securing a WiFi network (WPA2) is reliable, this network can be hacked. How?

There are two methods for accessing a network protected by WPA2:

  1. Selection of a password using a password database (so-called dictionary search).
  2. Exploitation of a vulnerability in the WPS function.

In the first case, the attacker intercepts the password hash for the access point. The hash is then compared against a database of thousands or millions of words: a word is taken from the dictionary, a hash is generated for this word, and this hash is compared with the hash that was intercepted. If a primitive password is used on an access point, then cracking the password of this access point is a matter of time. For example, an 8-digit password (8 characters is the minimum password length for WPA2) is one million combinations. On a modern computer, you can sort through one million values in a few days or even hours.

In the second case, a vulnerability in the first versions of the WPS function is exploited. This feature allows you to connect a device on which a password cannot be entered, such as a printer, to the access point. When using this feature, the device and access point exchange a digital code, and if the device sends the correct code, the access point authorizes the client. There was a vulnerability in this function - the code had 8 digits, but only four of them were checked for uniqueness! That is, to hack WPS you need to search through all the values that give 4 digits. As a result, hacking an access point via WPS can be done in just a few hours, even on the weakest device.

Setting up WiFi network security

The security of the WiFi network is determined by the settings of the access point. Several of these settings directly affect network security.

WiFi network access mode

The access point can operate in one of two modes - open or protected. In the case of open access, any device can connect to the access point. In the case of protected access, only a device that transmits the correct access password can connect.

There are three types (standards) of WiFi network protection:

  • WEP (Wired Equivalent Privacy). The very first standard of protection. Today it actually does not provide protection, since it can be hacked very easily due to the weakness of the protection mechanisms.
  • WPA (Wi-Fi Protected Access). Chronologically the second standard of protection. At the time of its creation and commissioning, it provided effective protection for WiFi networks. But at the end of the 2000s, ways to hack WPA security were found through vulnerabilities in its protection mechanisms.
  • WPA2 (Wi-Fi Protected Access). The latest protection standard. Provides reliable protection when certain rules are followed. To date, there are only two known ways to break WPA2 security: dictionary password brute force and a workaround using the WPS service.

Thus, to ensure the security of your WiFi network, you must select the WPA2 security type.

However, not all client devices can support it. For example, Windows XP SP2 only supports WPA.

In addition to choosing the WPA2 standard, additional conditions are required:

  1. Use the AES encryption method.
  2. The password to access the WiFi network must be composed as follows:

  • Use letters and numbers in the password. A random set of letters and numbers. Or a very rare word or phrase that is meaningful only to you.
  • Do not use simple passwords like name + date of birth, or some word + a few numbers, for example lena1991 or dom12345.
  • If you need to use only a digital password, then its length must be at least 10 characters. Because an eight-character digital password is selected using a brute force method in real time (from several hours to several days, depending on the power of the computer).

If you use complex passwords in accordance with these rules, then your WiFi network cannot be hacked by guessing a password using a dictionary. For example, for a password like 218340105584896 combinations.

Today it is almost impossible to select. Even if a computer were to compare 1,000,000 (million) words per second, it would take almost 7 years to iterate over all the values.
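The password rules above can be expressed as a check; this Python example is added here and is not from the original article. It applies the article's length and pattern rules, reproduces the 218340105584896-combination estimate at 1,000,000 comparisons per second, and shows how much smaller the search becomes for a word-plus-digits password. The word list, the 1,000,000-word dictionary size and the sample passphrase aB3dE6gH are constructed assumptions.

```python
"""Check a WiFi passphrase against the article's rules and estimate search effort."""
import re
import string

MIN_LENGTH = 8                   # minimum WPA2 password length given in the text
MIN_DIGITS_ONLY_LENGTH = 10      # the text's minimum for a digits-only password
GUESSES_PER_SECOND = 1_000_000   # comparison rate used in the text's estimate
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed stand-in for a real dictionary of common words and names.
SAMPLE_WORDLIST = {"lena", "dom", "password", "admin", "qwerty"}


def alphabet_size(passphrase):
    """Size of the smallest character pool that covers every character used."""
    size = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        size += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        size += 26
    if any(c in string.digits for c in passphrase):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in passphrase):
        size += 33  # 32 ASCII punctuation characters plus the space
    return size


def keyspace(passphrase):
    """Number of candidates an exhaustive search over that pool must cover."""
    return alphabet_size(passphrase) ** len(passphrase)


def dictionary_guesses(passphrase, dictionary_size, wordlist=SAMPLE_WORDLIST):
    """Candidates needed when the passphrase is 'dictionary word + digits'.

    Returns None when the passphrase does not follow that pattern.
    """
    match = re.fullmatch(r"([A-Za-z]+)(\d*)", passphrase)
    if match and match.group(1).lower() in wordlist:
        return dictionary_size * 10 ** len(match.group(2))
    return None


def years_to_exhaust(guesses, rate=GUESSES_PER_SECOND):
    """Worst-case search time in years at the given comparison rate."""
    return guesses / rate / SECONDS_PER_YEAR


def check_passphrase(passphrase, wordlist=SAMPLE_WORDLIST):
    """Return the list of rules from the text that the passphrase breaks."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if passphrase.isdigit() and len(passphrase) < MIN_DIGITS_ONLY_LENGTH:
        problems.append("digits only and shorter than 10 characters")
    if dictionary_guesses(passphrase, 1, wordlist) is not None:
        problems.append("dictionary word, optionally followed by digits")
    return problems


def assess(passphrase, dictionary_size=1_000_000):
    """Combine the rule check with the cheapest search an attacker would need."""
    guesses = dictionary_guesses(passphrase, dictionary_size)
    if guesses is None:
        guesses = keyspace(passphrase)
    return {
        "problems": check_passphrase(passphrase),
        "guesses": guesses,
        "years": years_to_exhaust(guesses),
    }


if __name__ == "__main__":
    # lena1991 and dom12345 come from the text; the others are constructed samples.
    for candidate in ("lena1991", "dom12345", "12345678", "aB3dE6gH"):
        result = assess(candidate)
        print(f"{candidate:<10} guesses={result['guesses']:<18} "
              f"years={result['years']:.6f} problems={result['problems']}")
```

The word-plus-digits rows show why the pattern rule matters: the nominal character pool is large, but the search an attacker actually needs is the dictionary size times the digit suffix.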

WPS (Wi-Fi Protected Setup)

If the access point has WPS (Wi-Fi Protected Setup), you need to disable it. If this feature is required, you must ensure that its version is updated to the following capabilities:

  1. Using all 8 PIN code characters instead of 4, as was the case in the beginning.
  2. Enabling a delay after several attempts to send an incorrect PIN code from the client.

An additional option to improve WPS security is to use an alphanumeric PIN code.

Public WiFi Security

Today it is fashionable to use the Internet via WiFi networks in public places - cafes, restaurants, shopping centers and so on. It is important to understand that using such networks may lead to theft of your personal data. If you access the Internet through such a network and then log in to a website, your data (username and password) may be intercepted by another person who is connected to the same WiFi network. After all, on any device that has passed authorization and is connected to the access point, you can intercept network traffic from all other devices on this network. And the peculiarity of public WiFi networks is that anyone can connect to them, including an attacker, and not only to an open network, but also to a protected one.

What can you do to protect your data when connecting to the Internet via a public WiFi network? There is only one option - to use the HTTPS protocol. This protocol establishes an encrypted connection between the client (browser) and the site. But not all sites support the HTTPS protocol. Addresses on a site that supports the HTTPS protocol begin with the https:// prefix. If the addresses on a site have the http:// prefix, this means that the site does not support HTTPS or does not use it.

Some sites do not use HTTPS by default, but have this protocol and can be used if you explicitly (manually) specify the https:// prefix. As for other cases of using the Internet - chats, Skype, etc., to protect this data you can use free or paid VPN servers. That is, first connect to a VPN server, and only then use chat or an open site.

In the second and third parts of this article, I wrote that when using the WPA2 security standard, one of the ways to hack a WiFi network is to guess the password using a dictionary. But there is another opportunity for an attacker to obtain the password to your WiFi network. If you store your password on a sticky note glued to the monitor, this makes it possible for a stranger to see this password.

And your password can be stolen from a computer connected to your WiFi network. This can be done by an outsider if your computers are not protected from access by outsiders. This can be done using malware. In addition, the password can be stolen from a device that is taken outside the office (house, apartment) - from a smartphone, tablet.

Thus, if you need reliable protection for your WiFi network, you need to take steps to securely store your password. Protect it from access by unauthorized persons.

WiFi network protection is another question that faces us after we have created a home network. The security of a wifi network is not only a guarantee against unwanted third-party connections to your Internet, but also a guarantee of the security of your computer and other network devices - after all, viruses from other people’s computers can penetrate through holes and cause a lot of trouble. A wifi security key, which is what most users limit themselves to, is not enough in this case. But first things first…

First of all, to organize the protection of a wifi network, take care of the mandatory measures, for which I recommend using a WPA2/PSK wifi security key. It requires a fairly complex seven-digit password, which is very difficult to guess. But it is possible! I thought seriously about this problem when I found not one, not two, but 10 devices included in the network! Then protecting the wifi network seriously interested me, and I began to look for additional, more reliable methods and, of course, I found them. Moreover, this does not require any specific protection program - everything is done in the settings of the router and computer. Now I will share them with you! Yes, the demonstration of methods will be carried out on ASUS devices - modern ones have an identical interface; in particular, in the video course I did everything on the WL-520GU model.

Protecting a wifi network - practical ways

1. Disable SSID broadcast

Anyone who watched my video course knows what I'm talking about. For those who didn’t, I’ll explain. SSID is, in plain terms, the name of our network. That is, the name that you assigned to it in the settings and which is displayed when scanning for routers available for connection.


If your SSID is visible to everyone, then anyone can try to connect to it. In order for only you and your friends to know about it, you need to hide it, that is, so that it is not on this list. To do this, check the “Hide SSID” checkbox. After that, it will disappear from the search results. And you can join it in the following way:

That's it, after this you should log into your secure wifi, although it was not visible.

2. Filtering devices by MAC address

This is an even more reliable way to protect wifi from uninvited guests. The fact is that each device has its own personal identifier, which is called a MAC address. You can allow access only to your computers by entering their ID in the settings of your home router.


But first you need to find out these MACs. To do this, in Windows 7 you need to go through the chain: “Start > Control Panel > Network and Internet > Control Center > Change adapter settings” and double-click on your wifi connection. Next, click on the “Details” button and look at the “Physical Address” item - this is it!

We write it without a hyphen - only numbers and letters.
Then go to the “Wireless Network MAC Address Filter” tab in the router’s admin panel.
Select the “Accept” item from the drop-down list and add the MAC addresses of the computers that are on your local area—I repeat, without hyphens.

After that, save the settings and be glad that someone else’s device won’t log in!

3. Filtering devices by IP address

This is an even more advanced method. Here computers will be screened out not only by MAC, but also by their IP, manually assigned to each one. Modern technologies make it possible to replace the MAC, that is, having learned the number of your gadget, someone can imitate it and log in as if you had connected yourself. By default, IP addresses are distributed to all connected devices automatically within a certain range - this happens because the router operates in the so-called DHCP server mode. But we can disable it and set IP addresses for each device manually.


Let's see how this is done in practice. First, you need to disable the DHCP server, which distributes addresses automatically. Go to the “LAN” section and open the “DHCP Server” tab. Here we disable it (“No” in the first item).

After this, you need to configure each computer or other device. If you are using Windows 7, then go to “Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings > Wireless connections (or whatever you call it).” Double-click on it and go to “Properties > Internet Protocol Version 4 (TCP/IP)”. Here we got all the parameters automatically. Check the box “Use the following IP” and set:

  • IP is the one you assigned when setting up the router, that is, for me it is 192.168.1.3
  • Mask - 255.255.255.0
  • Gateway - router IP, that is, by default on ASUS it is 192.168.1.1

4. Router operating time

This method is suitable for those who work at the computer at the same time every day. The bottom line is that the router will distribute the Internet only at certain hours. For example, you come home from work at 6 pm and stay online until 10. Then we set the device to operate only from 18:00 to 22:00. It is also possible to set specific days for switching on. For example, if you go to the country on the weekend, you can stop broadcasting wifi altogether on Saturday and Sunday.

This mode is set in the "Wireless Network" section, "Professional" tab. We set the days of the week and the hours of operation.

5. Prevent automatic connection to the network

This setting is made on the computer itself, and strictly speaking it is not wifi protection but protection of the computer against connecting to someone else’s network, through which a virus can be caught. Click on your wireless connection in “Network Connections” (see point 3) and select “Wireless Network Properties” here.

For maximum security of your connection to a wifi network, it is recommended to uncheck all the boxes here so that you enter the password each time you connect. For the lazy, you can leave the first item checked - automatic connection to the current network - but you must not activate the other two, which allow the computer to independently join any other network that is available for connection.

As you can see, WiFi network protection is provided not only by WPA2 encryption - if you follow these simple tips, the security of your wireless network will be guaranteed!

Wireless network security analysis.

At the moment, most firms and enterprises are paying more and more attention to the use of Wi-Fi networks directly. This is due to the convenience, mobility and relative cheapness of connecting individual offices and the ability to move them within the range of the equipment. Wi-Fi networks use complex algorithmic mathematical models for authentication, data encryption, and control of the integrity of their transmission - which will allow you to be relatively calm about the safety of data when using this technology.

However, this security is relative if you do not pay due attention to setting up your wireless network. By now there is already a list of “standard” capabilities that a hacker gains if the wireless network is set up negligently:

Access to local network resources;

Eavesdropping on and stealing traffic (meaning Internet traffic directly);

Distortion of information passing through the network;

Introducing a fake access point.

A little theory.

1997 – the first IEEE 802.11 standard was published. Network access protection options:

1. A simple SSID (Service Set ID) password was used to access the local network. This option does not provide the required level of protection, especially for the current level of technology.

2. Using WEP (Wired Equivalent Privacy) – that is, the use of digital keys to encrypt data streams using this function. The keys themselves are just ordinary passwords with a length of 5 to 13 ASCII characters, which corresponds to 40 or 104-bit encryption at the static level.

2001 - introduction of the new IEEE 802.1X standard. This standard uses dynamic 128-bit encryption keys, that is, periodically changing over time. The basic idea is that a network user works in sessions, upon completion of which they are sent a new key - the session time depends on the OS (Windows XP - by default the time of one session is 30 minutes).

Currently there are 802.11 standards:

802.11 - The original base standard. Supports data transmission over the radio channel at speeds of 1 and 2 Mbit/s.

802.11a - High-speed WLAN standard. Supports data transmission at speeds up to 54 Mbit/s over a radio channel in the range of about 5 GHz.

802.11b - The most common standard. Supports data transmission at speeds up to 11 Mbit/s over a radio channel in the range of about 2.4 GHz.

802.11e - Quality of service requirements for all IEEE WLAN radio interfaces.

802.11f - A standard that describes the order of communication between peer access points.

802.11g - Establishes an additional modulation technique for the 2.4 GHz frequency. Designed to provide data transmission rates of up to 54 Mbit/s over a radio channel in the range of about 2.4 GHz.

802.11h - A standard that describes the management of the 5 GHz spectrum for use in Europe and Asia.

802.11i (WPA2) - A standard that corrects existing security problems in the areas of authentication and encryption protocols. Affects 802.1X, TKIP and AES protocols.

At the moment, 4 standards are widely used: 802.11, 802.11a, 802.11b, 802.11g.

2003 - The WPA (Wi-Fi Protected Access) standard was introduced, which combines the benefits of the dynamic key renewal of IEEE 802.1X with TKIP (Temporal Key Integrity Protocol) encoding, EAP (Extensible Authentication Protocol) and the MIC (Message Integrity Check) message integrity verification technology.

In addition, many independent security standards from various developers are being developed in parallel. The leaders are such giants as Intel and Cisco.

2004 - WPA2, or 802.11i, appears - the most secure standard at this time.

Wi-Fi network protection technologies.

WEP

This technology was developed specifically to encrypt the flow of transmitted data within a local network. The data is encrypted with a key of 40 to 104 bits. But this is not the whole key, only its static component. To enhance security, the so-called initialization vector (IV) is used, which is designed to randomize an additional part of the key and so provides different variations of the cipher for different data packets. This vector is 24-bit. Thus, as a result, we obtain overall encryption with a bit depth from 64 (40+24) to 128 (104+24) bits, which allows us to operate with both constant and randomly selected characters during encryption. But on the other hand, 24 bits give only ~16 million combinations (2^24) - that is, after the key generation cycle expires, a new cycle begins. Hacking is done quite simply:

1) Finding a repeat (minimum time, for a key 40 bits long - from 10 minutes).

2) Hacking the rest of the part (essentially seconds)

3) You can infiltrate someone else's network.

At the same time, there are quite common utilities for cracking the key, such as WEPcrack.
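Why a repeated 24-bit IV matters, shown as an added example that is not part of the original article: the per-packet RC4 key is the IV followed by the static key, so two packets with the same IV are encrypted with the same keystream. The key, IVs and plaintexts are constructed sample values, the WEP integrity check value is omitted, and the helper names are hypothetical.

```python
import math

IV_BITS = 24  # WEP initialization vector length stated in the text


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_like_encrypt(iv: bytes, static_key: bytes, plaintext: bytes) -> bytes:
    """Per-packet RC4 key = IV || static key (simplified: no ICV appended)."""
    if len(iv) * 8 != IV_BITS:
        raise ValueError("IV must be 24 bits")
    return xor(plaintext, rc4_keystream(iv + static_key, len(plaintext)))


def collision_probability(packets: int, iv_bits: int = IV_BITS) -> float:
    """Chance that at least two of `packets` randomly chosen IVs are equal."""
    space = 2 ** iv_bits
    log_unique = sum(math.log1p(-i / space) for i in range(packets))
    return 1.0 - math.exp(log_unique)


def packets_for_probability(target: float, iv_bits: int = IV_BITS) -> int:
    """Smallest packet count whose IV collision probability reaches `target`."""
    space = 2 ** iv_bits
    log_unique, n = 0.0, 0
    while 1.0 - math.exp(log_unique) < target:
        log_unique += math.log1p(-n / space)
        n += 1
    return n


def demo() -> dict:
    static_key = bytes.fromhex("0102030405")   # constructed 40-bit static key
    p1 = b"constructed frame no. 01"           # constructed plaintexts
    p2 = b"constructed frame no. 02"
    iv_a, iv_b = b"\x00\x00\x01", b"\x00\x00\x02"
    c1 = wep_like_encrypt(iv_a, static_key, p1)
    c2 = wep_like_encrypt(iv_a, static_key, p2)   # IV repeated
    c3 = wep_like_encrypt(iv_b, static_key, p2)   # fresh IV
    return {
        # Same IV: the keystream cancels and only plaintext XOR plaintext remains.
        "repeat_cancels_keystream": xor(c1, c2) == xor(p1, p2),
        "fresh_iv_cancels_keystream": xor(c1, c3) == xor(p1, p2),
        "iv_space": 2 ** IV_BITS,
        "packets_for_50_percent": packets_for_probability(0.5),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With randomly chosen IVs a repeat becomes more likely than not after only a few thousand packets, far sooner than the full 2^24 cycle, which is why a larger static key does not help.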

802.1X

IEEE 802.1X is the foundational standard for wireless networks. It is currently supported by Windows XP and Windows Server 2003.

802.1X and 802.11 are compatible standards. 802.1X uses the same algorithm as WEP, namely RC4, but with some differences (greater “mobility”, i.e. it is possible to connect even a PDA device to the network) and corrections (for WEP hacking, etc.).

802.1X is based on the Extensible Authentication Protocol (EAP), Transport Layer Security (TLS), and RADIUS (Remote Authentication Dial-In User Service).

After the user has passed the authentication stage, he is sent a secret key in encrypted form for a certain short time - the time of the currently valid session. At the end of this session, a new key is generated and again sent to the user. The TLS transport layer security protocol provides mutual authentication and integrity of data transmission. All keys are 128-bit.

Separately, it is necessary to mention RADIUS security: it is based on the UDP protocol (and is therefore relatively fast); the authorization process occurs in the context of the authentication process (i.e., there is no authorization as such); the RADIUS server implementation is focused on single-process client servicing (although multi-process is possible - the question is still open); it supports a rather limited number of authentication types (cleartext and CHAP) and has an average degree of security. In RADIUS, only cleartext passwords are encrypted; the rest of the packet remains “open” (from a security point of view, even the username is a very important parameter).

But CHAP is a separate matter. The idea is that the cleartext password is never transmitted through the network in any form. Namely: when authenticating a user, the client sends the user machine a certain Challenge (an arbitrary random sequence of characters), the user enters a password, and the user machine performs certain encrypting actions on this Challenge using the entered password (usually this is ordinary encryption using the MD5 algorithm (RFC-1321)). This Response is sent back to the client, and the client sends everything (Challenge and Response) to the 3A server (Authentication, Authorization, Accounting) for authentication. The 3A server (which also holds the user password on its side) performs the same actions with the Challenge and compares its Response with the one received from the client: if they match, the user is authenticated; if not, access is refused. Thus, only the user and the 3A server know the cleartext password, and the cleartext password does not “travel” through the network and cannot be hacked.
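The challenge-response exchange described above, as an added example that is not part of the original article. It follows the CHAP-MD5 calculation from RFC 1994 (MD5 over the identifier octet, the secret and the challenge); the access point and the 3A server are collapsed into one hypothetical `Authenticator` class, and the user name and secret are constructed sample values.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5: MD5 over identifier octet || secret || challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Access point plus 3A server in one object (simplification for the example)."""

    def __init__(self, secrets):
        self._secrets = secrets   # user -> cleartext secret held on the server side
        self._pending = {}        # user -> (identifier, challenge) awaiting a reply
        self._next_id = 0

    def new_challenge(self, user):
        self._next_id = (self._next_id + 1) % 256
        challenge = os.urandom(16)            # fresh and unpredictable per attempt
        self._pending[user] = (self._next_id, challenge)
        return self._next_id, challenge

    def verify(self, user, identifier, response):
        pending = self._pending.pop(user, None)   # each challenge is single-use
        secret = self._secrets.get(user)
        if pending is None or secret is None or pending[0] != identifier:
            return False
        expected = chap_response(identifier, secret, pending[1])
        return hmac.compare_digest(expected, response)   # constant-time compare


def run_exchange():
    """Walk through accepted, rejected and replayed logins; return the outcomes."""
    secret = b"constructed-demo-secret"           # constructed sample value
    server = Authenticator({"alice": secret})
    wire = []                                     # everything sent over the network

    # 1. Legitimate login.
    ident, challenge = server.new_challenge("alice")
    response = chap_response(ident, secret, challenge)
    wire += [challenge, response]
    accepted = server.verify("alice", ident, response)

    # 2. Wrong password entered by the user.
    ident2, challenge2 = server.new_challenge("alice")
    bad = chap_response(ident2, b"wrong-password", challenge2)
    wire += [challenge2, bad]
    wrong_rejected = not server.verify("alice", ident2, bad)

    # 3. The response recorded in step 1 is presented against a fresh challenge.
    ident3, challenge3 = server.new_challenge("alice")
    wire.append(challenge3)
    replay_rejected = not server.verify("alice", ident3, response)

    # 4. A second answer to the challenge already consumed in step 3.
    late = chap_response(ident3, secret, challenge3)
    reuse_rejected = not server.verify("alice", ident3, late)

    return {
        "accepted": accepted,
        "wrong_rejected": wrong_rejected,
        "replay_rejected": replay_rejected,
        "reuse_rejected": reuse_rejected,
        "secret_on_wire": any(secret in message for message in wire),
    }


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(f"{name}: {value}")
```

The response depends only on the secret and on values visible on the network, so the scheme is as strong as the secret itself: use a long random one, and note that the server has to hold it in recoverable form.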

WPA

WPA (Wi-Fi Protected Access) is a temporary standard (technology for secure access to wireless networks), which is transitional to IEEE 802.11i. Essentially, WPA combines:

802.1X is the foundational standard for wireless networks;

EAP - Extensible Authentication Protocol;

TKIP - Temporal Key Integrity Protocol;

MIC is a technology for checking message integrity (Message Integrity Check).

The main modules are TKIP and MIC. The TKIP standard uses automatically selected 128-bit keys that are generated in an unpredictable manner; the total number of variations is approximately 500 billion. A complex hierarchical system of the key selection algorithm and the dynamic replacement of keys every 10 KB (10 thousand transmitted packets) make the system maximally secure. Message Integrity Check technology also protects against external penetration and changes in information. A fairly complex mathematical algorithm allows you to compare data sent at one point and received at another. If changes are noticed and the comparison result does not match, such data is considered false and discarded.

True, TKIP is not currently the best at implementing encryption, due to the new Advanced Encryption Standard (AES) technology previously used in VPNs.

VPN

VPN (Virtual Private Network) technology was proposed by Intel to provide secure connections between client systems and servers over public Internet channels. VPN is probably one of the most reliable in terms of encryption and authentication reliability.

There are several encryption technologies used in VPNs, the most popular of which are described by the PPTP, L2TP and IPSec protocols with DES, Triple DES, AES and MD5 encryption algorithms. IP Security (IPSec) is used approximately 65-70% of the time. With its help, almost maximum security of the communication line is ensured.

VPN technology was not designed specifically for Wi-Fi - it can be used for any type of network, but protecting wireless networks with its help is the most correct solution.

A fairly large amount of software (Windows NT/2000/XP, Sun Solaris, Linux) and hardware has already been released for VPN. To implement VPN protection within a network, you need to install a special VPN gateway (software or hardware), in which tunnels are created, one for each user. For example, for wireless networks, the gateway should be installed directly in front of the access point. And network users need to install special client programs, which in turn also work outside the wireless network, so that decryption is carried out beyond its boundaries. Although all this is quite cumbersome, it is very reliable. But like everything, it has its drawbacks; in this case there are two of them:

The need for fairly extensive administration;

Reducing channel capacity by 30-40%.

Other than that, a VPN is a pretty clear choice. Moreover, recently the development of VPN equipment has been moving precisely in the direction of improving security and mobility. The complete IPsec VPN solution in the Cisco VPN 5000 series serves as a prime example. Moreover, this line currently includes the only client-based VPN solution today that supports Windows 95/98/NT/2000, MacOS, Linux and Solaris. Besides, a free license to use the brand and distribute the IPsec VPN client software comes with all VPN 5000 products, which is also important.

Key points about protecting an organization's Wi-Fi networks.

In light of all of the above, you can see that the currently available protection mechanisms and technologies allow you to ensure the security of your network when using Wi-Fi. Naturally, this holds if administrators do not rely only on basic settings but take care of fine tuning. Of course, it cannot be said that in this way your network will turn into an impregnable bastion, but by allocating sufficiently significant funds for equipment, time for configuration and, of course, for constant monitoring, you can ensure security with a probability of approximately 95%.

Key points when organizing and setting up a Wi-Fi network that should not be neglected:

- Selecting and installing an access point:

> before purchasing, carefully read the documentation and currently available information about holes in the software implementation for this class of equipment (the well-known example of a hole in the IOS of Cisco routers that allows an attacker to gain access to the config sheet). It might make sense to limit yourself to buying a cheaper option and updating the OS of the network device;

> explore supported protocols and encryption technologies;

> whenever possible, purchase devices that use WPA2 and 802.11i, as they use new technology for security - Advanced Encryption Standard (AES). At the moment, these can be dual-band access points (AP) to IEEE 802.11a/b/g networks Cisco Aironet 1130AG and 1230AG. These devices support the IEEE 802.11i security standard, Wi-Fi Protected Access 2 (WPA2) intrusion protection technology using Advanced Encryption Standard (AES) and guarantee capacity to meet the highest demands of wireless LAN users. New APs take advantage of dual-band IEEE 802.11a/b/g technologies and remain fully compatible with earlier versions of devices running IEEE 802.11b;

> pre-prepare client machines to work together with the purchased equipment. Some encryption technologies may not be supported by the OS or drivers at this time. This will help avoid wasting time when deploying the network;

> do not install an access point outside the firewall;

> Locate antennas inside the building walls and limit radio power to reduce the likelihood of connections from outside.

> use directional antennas, do not use the default radio channel.

- Access point setup:

> if your access point allows you to deny access to its settings via a wireless connection, then use this feature. From the start, do not give a hacker the opportunity to control key nodes via radio when infiltrating your network. Disable management protocols such as SNMP, the web administration interface and telnet over the radio link;

> be sure(!) to use a complex password to access the access point settings;

> if the access point allows you to control client access by MAC addresses, be sure to use this;

> if the equipment allows you to prohibit broadcasting of the SSID, be sure to do this. But at the same time, a hacker always has the opportunity to obtain the SSID when connecting as a legitimate client;

> the security policy should prohibit wireless clients from making ad-hoc connections (such networks allow two or more stations to connect directly to each other, bypassing the access points that route their traffic). Hackers can use several types of attacks against systems using ad-hoc connections. The primary problem with ad-hoc networks is lack of identification. These networks can allow a hacker to conduct man in the middle attacks, denial of service (DoS), and/or compromise systems.

- Selecting a setting depending on the technology:

> if possible, deny access for clients with SSID;

> if there is no other option, be sure to enable at least WEP, but not lower than 128bit.

> if, when installing network device drivers, you are offered a choice of three encryption technologies: WEP, WEP/WPA and WPA, then select WPA;

> if the device settings offer the choice: “Shared Key” (it is possible to intercept the WEP key, which is the same for all clients) and “Open System” (it is possible to integrate into the network if the SSID is known) - select “Shared Key”. In this case (if you use WEP authentication), it is most advisable to enable filtering by MAC address;

> if your network is not large, you can choose Pre-Shared Key (PSK).

> if possible, use 802.1X. However, when setting up a RADIUS server, it is advisable to select the CHAP authentication type;

> the maximum level of security at the moment is provided by the use of VPN - use this technology.

- Passwords and keys:

> when using an SSID, adhere to the same requirements as password protection - the SSID must be unique (do not forget that the SSID is not encrypted and can be easily intercepted!);

> always use the longest possible keys. Do not use keys smaller than 128 bits;

> don't forget about password protection – use a password generator, change passwords after a certain period of time, keep passwords secret;

> in the settings there is usually a choice of four predefined keys - use them all, changing them according to a certain algorithm. If possible, do not tie the rotation to the days of the week (there are always people in any organization who work on weekends - what prevents infiltration of the network on these days?).

> try to use long, dynamically changing keys. If you use static keys and passwords, change your passwords after a certain period of time.

> instruct users to keep passwords and keys confidential. It is especially important if some people use laptops that they keep at home to log in.

- Network settings:

> use NetBEUI to organize shared resources. If this does not contradict the concept of your network, do not use the TCP/IP protocol on wireless networks to organize shared folders and printers.

> do not allow guest access to shared resources;

> try not to use DHCP on your wireless network - use static IP addresses;

> limit the number of protocols within the WLAN to only those necessary.

- General:

> use firewalls on all wireless network clients, or at least activate the firewall for XP;

> regularly monitor vulnerabilities, updates, firmware and drivers of your devices;

> use security scanners periodically to identify hidden problems;

> Determine the tools to perform wireless scanning and how often to perform these scans. Wireless scanning can help locate rogue access points.

> if your organization’s finances allow it, purchase intrusion detection systems (IDS, Intrusion Detection System), such as:

CiscoWorks Wireless LAN Solution Engine (WLSE), which includes several new features - self-healing, advanced tamper detection, automated site inspection, warm standby, client tracking with real-time reporting.
CiscoWorks WLSE is a centralized system-level solution for managing the entire wireless infrastructure based on Cisco Aironet products. The advanced radio and device management capabilities supported by CiscoWorks WLSE simplify ongoing wireless network operations, enable seamless deployment, enhance security, and ensure maximum availability while reducing deployment and operational costs.

The Hitachi AirLocation system uses an IEEE802.11b network and is capable of operating both indoors and outdoors. The accuracy of determining the coordinates of an object, according to the developers, is 1-3 m, which is somewhat more accurate than the similar characteristic of GPS systems. The system consists of a coordinate determination server, a control server, a set of several base stations, a set of WLAN equipment and specialized software. The minimum price of the kit is about $46.3 thousand. The system determines the location of the required device and the distance between it and each access point by calculating the terminal’s response time to signals sent by points connected to the network, with a distance between nodes of 100-200 m. For a sufficiently precise location of the terminal, therefore, only three access points are sufficient.

Yes, the prices for such equipment are quite high, but any serious company can decide to spend this amount in order to be confident in the security of their wireless network.
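The checklist above asks for periodic wireless scanning to locate rogue access points, prohibits ad-hoc connections and names a fake access point among the risks. The following added example (not part of the original article) checks a scan export against an inventory of the organization's own access points; the inventory, the scan lines, the column layout and the finding names are all constructed for illustration.

```python
import csv
import io

# Constructed inventory of the organization's own access points.
AUTHORIZED = {
    "00:11:22:33:44:01": {"ssid": "corp-wlan", "channel": 36, "security": "WPA2"},
    "00:11:22:33:44:02": {"ssid": "corp-wlan", "channel": 44, "security": "WPA2"},
}

# Constructed scan export, one network per line: ssid,bssid,channel,security,mode
SAMPLE_SCAN = """\
corp-wlan,00:11:22:33:44:01,36,WPA2,infrastructure
corp-wlan,00:11:22:33:44:02,44,WEP,infrastructure
corp-wlan,66:77:88:99:AA:BB,6,OPEN,infrastructure
corp-wlan,00-11-22-33-44-01,11,WPA2,infrastructure
cafe-guest,CC:DD:EE:FF:00:11,1,OPEN,infrastructure
laptop-share,02:AA:BB:CC:DD:EE,6,WEP,ad-hoc
"""

FIELDS = ["ssid", "bssid", "channel", "security", "mode"]
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so that inventory lookups are reliable."""
    return mac.strip().lower().replace("-", ":")


def classify(rec: dict, authorized: dict = AUTHORIZED) -> list:
    """Return the list of findings for one scanned network (empty list = clean)."""
    findings = []
    own_ssids = {ap["ssid"] for ap in authorized.values()}
    known = authorized.get(normalize_mac(rec["bssid"]))

    if rec["mode"].strip().lower() == "ad-hoc":
        findings.append("ad-hoc-network")          # policy prohibits ad-hoc
    if known is None:
        if rec["ssid"] in own_ssids:
            findings.append("unknown-bssid-using-our-ssid")   # possible fake AP
        return findings

    # The BSSID is in the inventory, but a MAC address can be imitated, so the
    # remaining attributes are compared with what the real device should show.
    if rec["ssid"] != known["ssid"]:
        findings.append("ssid-mismatch")
    if int(rec["channel"]) != known["channel"]:
        findings.append("unexpected-channel")
    if SECURITY_RANK.get(rec["security"].upper(), 0) < SECURITY_RANK[known["security"]]:
        findings.append("security-downgrade")
    return findings


def scan_report(text: str = SAMPLE_SCAN) -> list:
    """Parse a scan export and return (ssid, bssid, findings) for flagged rows."""
    report = []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        findings = classify(rec)
        if findings:
            report.append((rec["ssid"], normalize_mac(rec["bssid"]), findings))
    return report


if __name__ == "__main__":
    for ssid, bssid, findings in scan_report():
        print(f"{ssid:<14}{bssid}  {', '.join(findings)}")
```

Networks of neighbours with their own SSID and BSSID are deliberately left out of the report, so the output stays short enough to review after every scan.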