I am attempting to put a mind map of WLAN issues. I will look forward at expanding each one of the classifications in the revisions of this blog.
This section emphasizes on the Virtual IPs section in the FortiGate. I’ve learnt something which is not obvious behaviour and one of those ‘remind me later’ moments that I’ve encountered.
VIPs are essentially Destination Network Address Translation (DNAT) objects. For sessions matching the VIP, the destination address is translated. Let us go through some examples
In the above diagram, all connections going out from 10.10.10.10 will use 203.0.113.22 and not 203.0.113.10 address.
Now, this is where it gets a bit tricky and deviate from default firewall behaviour. In the below firewall policy we would assume that no connections will be allowed to the LAN(internal_network) but VIPs can live up to their name (very important IP) and get users to access the web server even though the deny policy is at the top of the list.
Often times we come across website which use certificates that not match the certificate of the site. It presents us with a warning message and option to proceed with risks, below image is quite common.
A number of applications and website that use SSL encryption correctly. In this case, the traffic goes through a Secure Sockets Layer (SSL) and is encrypted. However, there are risks associated with its use, since encrypted traffic can be used to around network. In common cases, users can unknowingly download a malicious file during an e-commerce session or there can be a phishing attachment sent with the secure email. Since the traffic is encrypted it can bypass the network’s security measures. To protect from the threat, SSL encryption can hold the key to unlock the sessions, examine the packets to find possible threats and blocks them.
When the deep inspection is used, the FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content. After successful inspection, it re-encrypts the content and creates a new session between FortiGate and recipient. A certificate is used from FortiGate’s own repository in order to re-encrypt the content.
There are 2 methods of deployment being used for SSL inspection.
Multiple clients connecting to multiple servers – This uses a CA certificate and applied to outbound policies destined to unknown servers or websites.
Protecting SSL server – Uses a server certificate, typically used for inbound policies
Different Authentication types
Open Authentication – There is no authentication (Free for all). Device connects to wireless network without any issue. Open Authentication might also redirect to a captive portal like at a Airport or Public Wireless places. There is a two way packet exchange. It is not the secure way to setup the wireless.
PSK / WPA/WPA2 – Preshared Key – Authentication using a set password on the network. Used in small/medium and mostly home deployments. Also deployed in secondary wireless network in organizations.
There is no additional requirements for authentication. PSK can be subjected to dictionary attacks. Suggested to change the PSK regularly. Recently there was an outbreak for WPA2 Krack attack (https://www.krackattacks.com/) You can setup a phrase or lengthy password. Consists of WPA/WPA2 Personal.
802.1X / WPA2 Enterprise – Strongest of all the authentication types. Framework which defines authentication, there is a Supplicant(Client which wants to connect), Authenticator(AP/Controller) and Authentication Server(Radius, ISE etc). Advantageous if there are more than 1 radius servers as a backup if primary server is not available due to any reason. Different EAP (Extensible Authentication Protocol) types are used in this setup. EAP method used (Credentials/Certificate/SIM Card etc) will be defined for the user authentication to the wireless network.
Upcoming Authentication Types in near future
SAE – Simultaneous Authentication of Equals – SAE is resistant to passive attack, active attack, and dictionary attack. It provides a secure alternative to using certificates or when a centralized authority is not available.
DPP – Device provisioning protocol – authenticate device without password like QR code, some kind of tag etc. Applies to lot of IoT devices which do not have screen for authentication.
WPA3 – The new WPA3 security standard is expected to land in devices later in 2019. our new capabilities for personal and enterprise Wi-Fi networks will emerge in 2018 as part of Wi-Fi CERTIFIED WPA3™. Two of the features will deliver robust protections even when users choose passwords that fall short of typical complexity recommendations, and will simplify the process of configuring security for devices that have limited or no display interface. Another feature will strengthen user privacy in open networks through individualized data encryption. Finally, a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems, will further protect Wi-Fi networks with higher security requirements such as government, defense, and industrial. (https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-introduces-security-enhancements)
Only the payload of data frames are encrypted in general cases. In some advanced cases, management frames can also be encrypted. Encryption here is targeted towards data frames.
None – No Encryption – Open Authentication, relying on application for encryption, not reliable. Suggested to use your personal VPN services to mitigate against any attacks. OWE – (Opportunistic Wireless Encryption) – may offer some encryption for open authentication in the near future. (https://tools.ietf.org/html/draft-wkumari-owe-00)
TKIP (Temporal Key Integrity Protocol)- Introduced in 2002, Patch WEP (Wireless Encryption Protocol). It uses RC4 as its cipher, same as WEP. You should refrain from using TKIP and upgrade your devices. Data rates are also limited to 54Mbps.
CCMP/AES (Counter Mode Cipher Block Chaining Message Authentication Code Protocol) – Strongest of all, not compromised till now. Suggested to use for your network. WPA/WPA2 – WPA uses TKIP, WPA2 uses CCMP/AES and TKIP as well.
Thanks to SemFio network for the diagram below.
Hi IEEE 802.11 Key Concepts
Let’s get started with the IEEE 802.11 Journey synopsis. Standards are defined at physical and mac-sub layer(data-link). We are referring to different ways of transmitting data over the air. Also how our communication signal would deliver information. One of the original ones we’ve come across is FHSS (Frequency Hopping Spread Spectrum) and DSSS (Distributed Sequence Spread Spectrum).
In 2007, the IEEE consolidated 8 ratified amendments along with the original standard, creating a single document that was published as the IEEE standard 802.11-2007
The standard covers IEEE standard 802.11-1999, 802.11a.1999, 802.11b-1999, 802.11g-2003,802.11i-2004
802.11b (Sep 1999) is high rate DSSS – Based on 2.4GHz to 2.4835 GHz ISM band
802.11a (Sep 1999) is OFDM (Orthogonal Frequency Divisional Multiplexing) would operate in 5GHz frequency. There are 3 U-NIII (Unlicensed National Information Infrastructure) frequency bands consisting of 12 channels.
802.11b (1999) – High Rate DSSS, operates in 2.4 GHz frequency. OFDM transmission type and supports BPSK (binary phase shift keying) and QPSK (Quadrature PSK) – 1 & 5.5Mbps and 2 & 11 Mbps.
802.11g (June 2003) – Speeds upto 54Mbps/works similar to 802.11b in 2.4 GHz. Used a new technology called Extended Rate Physical (ERP) – ISM frequency band.
802.11i (Security) – From 1997 – 2004, not much defined in terms of security in the original 802.11 standard. Three key components of security solution – Data Privacy/Data Integrity/Authentication. This amendment defined a RSN (Robust Security Network).
802.11r-2008 (FT)- Technology is more often referred to as fast secure roaming because it defines faster handoffs when roaming occurs between cells in WLAN using a strong security defined by RSN.
802.11w (Sep 2009) – IEEE Task Group was a way of delivering management frames in a security manner. Preventing the management frames from being able to be spoofed.802.11 – only on 2.4. Uses hi rate DSSS. It actually came out before 802.11a. Enabled 5.5 and 11Mbps data rates. 22MHz wide channels. Today these rates have become legacy rates.
802.11n (October 2009) – also known as Wi-Fi 4 is an amendment that improves upon the previous 802.11 standards by adding multiple-input multiple-output antennas (MIMO). 802.11n operates on both the 2.4 GHz and the 5 GHz bands. Support for 5 GHz bands is optional. Its net data rate ranges from 54 Mbit/s to 600 Mbit/s
802.11ac (December 2013) – VTH (Very high throughput, wider channel (20MHz-160MHz) – also known as Wi-Fi 5 is an amendment to IEEE 802.11, published in December 2013, that builds on 802.11n. Changes compared to 802.11n include wider channels (80 or 160 MHz versus 40 MHz) in the 5 GHz band, more spatial streams (up to eight versus four), higher-order modulation (up to 256-QAM vs. 64-QAM), and the addition of Multi-user MIMO (MU-MIMO). As of October 2013, high-end implementations support 80 MHz channels, three spatial streams, and 256-QAM, yielding a data rate of up to 433.3 Mbit/s per spatial stream, 1300 Mbit/s total, in 80 MHz channels in the 5 GHz band
802.11ax ( Sometime in 2019*) – IEEE 802.11ax also known as Wi-Fi 6 is the successor to 802.11ac, and will increase the efficiency of WLAN networks. Currently in development, this project has the goal of providing 4x the throughput of 802.11ac at the user layer, having just 37% higher nominal data rates at the PHY layer. More can be read here
While learning about 802.11 PHYs (Physical) I have come across this extremely useful table from cleartosend podcasts/posts as below
#EVILTWIN #securityattack – Evil Twin attack
“A Fake WiFi access point is a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker.” – Wikipedia
Fake WiFi access point is often called as:
- Rogue access point, or
- Evil Twin attack access point
Using this method it is possible to retrieve the WPA/2 passphrase in clear-text within minutes. No need of cracking or any extra hardware other than a Wireless adapter.
In some cases you don’t even need an adapter. When ? that we will discuss
#fresnelzone FRESNEL ZONE
There are an infinite number of Fresnel zones, however, only the first 3 have any real effect on radio propagation.
Fist, what is it? A Fresnel zone is a cylindrical ellipse drawn between transmitter and receiver. The size of the ellipse is determined by the frequency of operation and the distance between the two sites.
Earth Bulge #Earthbulge
Fade Margin #fademargin
Fade Margin is an expression for how much margin – in dB – there is between the received signal strength level and the receiver sensitivity of the radio.
In my own simple words 4-way handshake between a client and an access point
Acronyms used: PMK - pairwise master key PRF = Pseudo Random Function AA = Authenticator Address, SA = Supplicant Address PTK = PRF(PMK | ANonce | SNonce | AA | SA) MIC = Message integrity code GTK = Group temporal key
- EAP-Key Message 1/4 (ANonce) – AP to CLIENT
As the first message is send from AP to client, this message includes a random number as ANonce for PTK generation at the client. Since the client knows its own SNonce and SA as well as the AA (from Beacons, Probe Response and/or Association Response) and PMK, the ANonce from this message is the only missing information.
- EAP-Key Message 2/4 – CLIENT to AP (SNonce, MIC)
As the Supplicant (client) replies to the first EAP Key message, the client sends the used SNonce as clear text to the AP “protected” by a cryptographic hash (HMAC-SHA1) called Message Integrity Code (MIC) for integrity of of this message the installed key on the client side. The AP will generate its own MIC and compare it the the one in this message, if they match, EAP-Key message 3 is send for key installation. This message also includes the Robust Security Network Information Element (RSN IE).
- EAP-Key Message 3/4 – AP to CLIENT >
Message 3 is the last unencrypted key message, as long as no retransmission(s) occur and the pairwise temporal key remains valid. The AP informs the client about the installation of the PTK and the receive sequence counter (RSC) for the GTK. The GTK itself is given in the WPA Key Data field, secured/encrypted with the PTK.
- EAP-Key Message 4/4 CLIENT to AP
The Supplicant acknowledges the installation of PTK and GTK afterwards, encrypted Unicast and Broad-/Multicast transmission can start now.
NOTE: The 4 Way Handshake happens after the open system auth or 802.11 association. WPA/2 right after the association. In case of 802.1x it happens after above process in the image.
Learnt something new today for DUO security. Any app or device can now be configured for MFA. Today i was able to get office 365 and azure login to redirect to DUO, got it working in less than 15 minutes. Quite amazing. Not sure if its so easy to configure or i am getting good at it 🙂 I am sure it is easy.
Followed this Microsoft blogpost to configure MFA with DUO – https://blogs.technet.microsoft.com/cbernier/2017/10/16/azure-ad-3rd-party-mfa-azure-ad-custom-controls/
#Duo #Security #MFA #2FA