Security Essentials, Textbook page 461

Copyright Goodheart-Willcox Co., Inc. 461 Chapter 14 Wireless Network Security Wireless Vulnerabilities Due to the nature of wireless connectivity, it is inherently vulnerable to interception or attack. While security precautions can and should be taken when installing and configuring a wireless network, vulnerabilities can open a network to potential risk due to the inability to control how Wi-Fi users configure their own devices. Import- ant vulnerabilities to consider and monitor include the following. Deprecated Protocols Old wireless security protocols such as WEP and WPS are no longer recommended for use. However, depending on the device used to access a network, an organiza- tion may not be able to control the type of encryption used. Devices operating with deprecated protocols, or protocols that have been discouraged from usage, pose a significant risk to any network to which they connect. For example, WEP utilizes a straightforward cryptographic pattern, making it easy for attackers to break encryp- tion. If a device is operating with WEP and connects to your network, data transmit- ted to and from the device is at risk. Similarly, WPS-enabled devices are at risk due to the possibility of an attacker cracking the access PIN with relative ease. For these reasons, only devices operating with robust, modern cryptography, such as WPA2 or WPA3, should be used to connect to a WLAN. MAC Address Filtering MAC address filtering is among the most common forms of access control on a wire- less network. However, MAC filtering is inherently vulnerable due to the exchange between an AP and a wireless device. The initial exchange of information is typi- cally unencrypted, so an attacker could intercept or monitor packets, record MAC addresses of approved devices, and use those addresses to trick an AP into thinking an attack is being carried out by an authorized device. Additionally, the scope of managing multiple MAC addresses is large and can pose challenges. As new users are added to an organization and given permission to use an AP, the database of approved addresses needs to be updated. Furthermore, as old users leave, those addresses must be removed from the address database. This requires constant attention and updating that is often impractical, if not impossible, in large enterprise settings. SSID Broadcast The name of a wireless network is known as its service set identifier (SSID). Smaller net- works are usually configured as a basic service set (BSS), which is a wireless network with a single access point. Large networks have multiple APs to allow for continuous coverage over a wider area this configuration is called an extended service set (ESS), as illustrated in Figure 14-9. When a network has multiple APs, all the APs have the same name. You have likely noticed SSIDs appear on your phone or laptop when you are within coverage of a network. While broadcasting an SSID is convenient, it also rep- resents a vulnerability. For example, if the SSID of a network includes the name of the organization that owns it, an attacker can easily identify a potential target. The easy solution to this problem is to prevent an AP from broadcasting the SSID. However, this can create connectivity problems for authorized users. Instead of preventing the SSID broadcast, it should be restricted so that only those who know it can connect to it. Another option is to create separate SSIDs or channels for employees and guests so data remains separated. 3.3

Previous Page Next Page

Security Essentials, Textbook Page 461 (475 of 704)

Help