Wi-Fi is a Passion


Legacy Security

There are still some solutions in the 802.11-2012 that should not be used as security solution. We discussed SKA, WEP, and TKIP. In this blog, we talk about VPN protocols, MAC filtering, SSID segmentation, and SSID hiding.

VPN is still a secure solution, but it need to be used for working remotely from home or a branch office. It was used to secure the WLAN connection also inside the enterprise office, and it gives extra overhead.

Point-to-Point Tunneling Protocol doesn’t use any encryption. For encryption, it uses Microsoft Point-to-Point Encryption (MPPE) that uses ARC4 algorithm. As knowing from WEP and TKIP, ARC4 is not considering strong. For authentication PPTP uses Microsoft CHAP (MS-CHAP2) and this can be cracked easily with dictionary attacks with software like ASLEAP.

MAC Filtering
It is possible to filter on MAC addresses within the Wireless LAN Controller (WLC). There are two options, blacklisting or whitelisting. With blacklisting, you need to know all the MAC addresses that you don’t want inside your network. That is pretty hard, since you don’t know who the attackers are. With whitelisting, you can add all the MAC addresses that are allowed on your network. Those are mostly easier to gather, but in big enterprise environments there are a ton of MAC addresses that you want to add. This looks like a great security method, but it is pretty easy to change your MAC address (this is called MAC spoofing). With MAC spoofing you can change your MAC address when you are on the blacklist, or change your MAC address to an address that is on the whitelist. As you can see, this is not a great method at all. When you have a WIPS deployed in you network, the WIPS should notice MAC spoofing. There will be a difference in sequence number and signal strength.

SSID segmentation
Segmentation of your network is good—you don’t want that guest users can access all the resources within the enterprise network (for example, in a school environment students not accessing the resources from teachers). You can make multiple SSIDs and map them each to a different VLAN for segmentation. However, for performance you don’t want more than three or four SSIDs on an access point for overhead. Every access point sends for every SSID every 100 TU a beacon. Most of the time you will see a guest SSID, an employee SSID and a Voice SSID, but it is also possible to use one SSID and use the RADIUS attributes to segment your network. So, yes SSID segmentation is good, and is not really a legacy solution, as long as you don’t use more than four SSIDs on an access point.

SSID hiding
It is possible to hide the SSIDs. You can configure the clients that you want to access your network manually to find your SSID and other clients cannot find your SSID in the list of possible Wi-Fi connections. This sounds great, but it is not hard to figure out and release all the hidden networks. With tools like wireshark you can still see the packages from the hidden networks. The SSIDs that are hidden don’t transmit beacon frames, but there are more frames that show the SSID name. Frames like probe request from the client to the access point have the SSID name in it. The access point needs to know to which network the configured client needs to connect. Also in the probe response, the SSID is visible and in the association and reassociation request frames you are able to see the hidden SSIDs.

Extensible Authentication Protocol (802.1X) provides a secure solution, however there are multiple EAP types. Some EAP types are not considered secure anymore. Those EAP-types are EAP-MD5 that use MD5 hashing. Hashing is just scrambling the password and not encryption. The username is in clear text and there are tools that are able to crack MD5 as well. Another EAP-type that you shouldn’t use is LEAP. LEAP uses MS-CHAP2, the same encryption as the VPN technology PPTP. As told earlier MS-CHAP2 is easy to crack with the tool ASLEAP.