UNIT-IV

Wireless Security

Wireless networks offer a great deal of convenience to end users, but
their inner workings are complex. Many protocols and technologies work
behind the scenes to provide a stable connection to users. Data packets
travelling through a wire give users a sense of security, as data on a
wire is unlikely to be overheard by eavesdroppers; wireless frames are
broadcast over the air instead. To secure a wireless connection, we
should focus on the following areas:
• Identifying the endpoints of the wireless network and the end users,
i.e., Authentication.
• Protecting wireless data packets from a man in the middle, i.e.,
Privacy.
• Keeping the wireless data packets intact, i.e., Integrity.
We know that wireless clients form an association with an Access Point
(AP) and transmit data back and forth over the air. As long as all
wireless devices follow the 802.11 standards, they can coexist. But not
all wireless devices are friendly and trustworthy; some rogue devices
may be a threat to wireless security. Rogue devices can steal important
data or cause the network to become unavailable.
Wireless security is ensured by the following methods:
• Authentication
• Privacy and Integrity
In this article, we talk about Authentication. There are broadly two
types of authentication process: Wired Equivalent Privacy (WEP) and
Extensible Authentication Protocol (802.1X/EAP).
These are explained below.
1. Wired Equivalent Privacy (WEP):
For wireless data transmitted over the air, open authentication provides
no security.
WEP uses the RC4 cipher algorithm to encrypt every frame. RC4 encrypts
data at the sending side and decrypts it at the receiving side, using a
string of bits called the WEP key.
The WEP key can be used as an authentication method or as an encryption
tool. A client can associate with the AP only if it has the correct WEP
key. The AP tests the client's knowledge of the WEP key using a
challenge phrase. The client encrypts the phrase with its own key and
sends it back to the AP. The AP compares the received encrypted frame
with its own encrypted copy of the phrase. If both match, access to the
association is granted.
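The challenge/response exchange just described, as an added example in Python (not code from the original notes): an AP object issues a random challenge, a client encrypts it with RC4 seeded by IV || WEP key, and the AP grants the association only if the ciphertext matches its own. The RC4 routine, the constructed 40-bit key and the omission of the CRC-32 ICV from the frame are my own simplifications.

```python
"""Simulation of WEP shared-key authentication (frames 2 to 4 of the exchange).

Added example, not from the original notes. Simplified: the frame carries no
CRC-32 integrity check value, only the 24-bit IV and the RC4 ciphertext.
"""
import os


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream (key scheduling + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(wep_key: bytes, iv: bytes, data: bytes) -> bytes:
    """WEP seeds RC4 with IV || key and XORs the keystream onto the data.
    Because it is a plain XOR, the same call also decrypts."""
    ks = rc4_keystream(iv + wep_key, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


class AccessPoint:
    def __init__(self, wep_key: bytes):
        self.wep_key = wep_key
        self.pending = {}   # client id -> challenge text awaiting a response

    def challenge(self, client_id: str) -> bytes:
        """Frame 2: send the client a 128-byte random challenge text."""
        text = os.urandom(128)
        self.pending[client_id] = text
        return text

    def verify(self, client_id: str, iv: bytes, response: bytes) -> bool:
        """Frame 4: encrypt the AP's own copy of the challenge with the client's IV
        and the shared key; grant the association only on an exact match."""
        text = self.pending.pop(client_id, None)
        if text is None:          # never challenged, or response already used
            return False
        return wep_encrypt(self.wep_key, iv, text) == response


class Client:
    def __init__(self, wep_key: bytes):
        self.wep_key = wep_key

    def respond(self, challenge: bytes) -> tuple:
        """Frame 3: encrypt the challenge under a fresh IV; return (iv, ciphertext)."""
        iv = os.urandom(3)
        return iv, wep_encrypt(self.wep_key, iv, challenge)


def shared_key_auth(ap: AccessPoint, client: Client, client_id: str) -> bool:
    """Run the whole exchange and report whether the AP accepted the client."""
    challenge = ap.challenge(client_id)
    iv, response = client.respond(challenge)
    return ap.verify(client_id, iv, response)


if __name__ == "__main__":
    key = bytes.fromhex("0123456789")            # constructed 40-bit WEP key
    ap = AccessPoint(key)
    print("correct key:", shared_key_auth(ap, Client(key), "sta-1"))
    print("wrong key:  ", shared_key_auth(ap, Client(bytes.fromhex("ffffffffff")), "sta-2"))
```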

2. Extensible Authentication Protocol (802.1X):
In WEP authentication, the wireless clients are authenticated locally
at the AP. The scenario changes with 802.1X: a dedicated authentication
server is added to the infrastructure. Three devices participate –
1. Supplicant – Device requesting access.
2. Authenticator – Device that provides access to the network, usually
a WLAN controller (WLC).
3. Authentication Server – Device that takes the client credentials and
denies or grants access.

How Does Wireless Security Work

Wireless security creates layers of defense by combining encryption,
authentication, access control, device security, and intrusion detection
to defend against unauthorized access and keep the network secure. The
process begins with the wireless network's encryption method, such as
WPA2 or WPA3, being activated to scramble data transfers. With this step,
the data is unreadable to unauthorized parties, even if intercepted.
Users or devices wanting to connect to the network are prompted to
verify their identity to confirm the legitimacy of the connection
request, usually via a password. Access control rules then specify which
users or devices are permitted on the network and their level of access,
based on user roles, device types, and explicit access rights.
The process continues by securing network devices: maintaining antivirus
software, updating operating systems, and restricting the use of
administrator credentials to prevent unwanted access. Integrated
intrusion detection and prevention systems (IDPS) and other tools then
monitor the network for unusual activity or security breaches. These
systems detect and respond to unauthorized access attempts, malware
infections, and other threats in real time.
Types of Wireless Network Security Protocols

Wired Equivalent Privacy (WEP)

WEP, developed in 1997, was designed to secure wireless networks using
encryption and access restriction. However, its reliance on the insecure
RC4 encryption and on shared-key authentication made networks vulnerable
to attack. While WEP initially provided encryption comparable to wired
networks, its flaws were widely exploited by hackers, making it obsolete.
The protocol's discontinuation led to more robust alternatives such as
WPA (Wi-Fi Protected Access). Despite its flaws, WEP's simplicity and
widespread adoption originally drew attention, but its inherent
vulnerabilities eventually overshadowed its benefits, emphasizing the
importance of constantly updating wireless security standards.
Wi-Fi Protected Access (WPA)
WPA, launched in 2003, emerged as an effective successor to WEP,
addressing its flaws. WPA uses Temporal Key Integrity Protocol (TKIP)
encryption to improve key management and integrity checks. It has two
modes: WPA-Personal for home networks and WPA-Enterprise for
organizations that use RADIUS servers.
WPA's 128-bit encryption provides better protection than WEP's weaker
encryption; however, it is still weaker than WPA2, resulting in
potential flaws and compatibility difficulties. Furthermore, adopting WPA
may require hardware modifications, posing a problem for users with
older equipment.
Wi-Fi Protected Access II (WPA2)
WPA2, released in 2004, is the most popular wireless security standard;
it uses the AES encryption technique to provide strong security. Its
advantages over WPA include better administration and lower
vulnerability to attacks. WPA2 is widely adopted as the industry
standard, ensuring device interoperability.
However, vulnerabilities such as the key reinstallation attack (KRACK)
constitute a security risk. While appropriate for most home networks,
difficulties arise in enterprise settings where sophisticated attacks are
more widespread. Furthermore, older gear without WPA2 support may require
upgrades. Despite these issues, WPA2 remains critical to wireless network
security, with ongoing efforts to address emerging threats and
weaknesses.
Wi-Fi Protected Access III (WPA3)
WPA3, launched in 2018, provides stronger encryption, protection against
dictionary and brute-force attacks, and simpler device configuration via
Wi-Fi Easy Connect. Despite these improvements, widespread adoption is
sluggish. WPA3 comes in three types: WPA3-Personal for home use,
WPA3-Enterprise for organizational settings, and Wi-Fi Enhanced Open for
networks without a password.
While it enhances overall network security, drawbacks include deployment
complexity, low user adoption, and compatibility issues with older
devices and equipment. Despite its benefits, full-scale deployment of
WPA3 has yet to occur, signaling a slow shift from older security
protocols to this more modern standard.
Ways to Secure Wi-Fi Networks

Use Encryption Methods

Encryption scrambles network data, making it harder for unauthorized
users to gain access to important information. Encrypt your Wi-Fi
network using the WPA2 or WPA3 standard to protect your data. Update to
the most recent encryption protocols for maximum network security and
defense against potential threats and data breaches.
Activate the Router Firewall
Activate your router’s firewall to provide further protection against
viruses, malware, and hackers. Check its status in your router settings to
boost your network’s defenses. Segment sensitive areas of your network
for increased security, and consider installing firewalls on all linked
devices for complete protection.
Protect Your Service Set Identifier (SSID)
To secure wireless networks, keep personal information such as your last
name out of your SSID. Choose a name that reveals nothing about you,
making it more difficult for attackers to single out your network with
techniques such as Evil Twin attacks. Obscuring your SSID also lessens
the danger of falling victim to malicious access points and unauthorized
access, improving the overall security of your wireless network.
Utilize Virtual Private Networks (VPNs)
A VPN protects your Wi-Fi network by encrypting your data, making it
unreadable to prospective eavesdroppers on public Wi-Fi networks.
Look for VPNs that use industry-standard AES-256 encryption and
double the security by employing dependable open-source protocols for
further protection. Many VPN apps have additional privacy features like
ad blocking, split tunneling, and double VPN capability, which improve
total network security and privacy.
Deploy Wireless Security Software
Wireless security software improves Wi-Fi network security by
incorporating capabilities such as performance analysis, network
scanning, site surveys, spectrum analysis, heat mapping, audits, traffic
analysis, packet sniffing, penetration testing, monitoring, and
management. Using these features, users can identify vulnerabilities,
detect unwanted access, and adopt effective security measures to protect
their Wi-Fi networks from potential threats and breaches.
Wireless Security in Specific Environments
Wireless security varies between settings, including home Wi-Fi
networks, business wireless networks, and public networks. To protect
against threats, each environment requires tailored precautions.
Securing Home Wi-Fi
Securing Wi-Fi networks at home not only protects your personal
information but also assures a stable and reliable network connection.
Here are some tips to strengthen your home Wi-Fi network and reduce
potential security risks:
• Secure passwords: Create a strong Wi-Fi password and update it on a
regular basis to avoid unauthorized access.
• Verify devices: Check connected devices on a regular basis for any
unusual activity or unauthorized access.
• Check the router's credentials: Access the router's web interface,
choose the administrative settings, and change the default login and
password.
• Update devices: Keep router firmware and connected devices up to date
to fix vulnerabilities and ensure optimal security.
• Position the router in the best place: Place the router strategically
for maximum coverage and least signal interference.
Securing Business Wireless Networks

Implementing effective wireless network security measures guards against
cyber attacks while also ensuring regulatory compliance and customer
trust. Below are some key ways to strengthen business networks and
mitigate potential security threats:
• Restrict password sharing: Share passwords only with relevant
personnel, and change them on a regular basis.
• Upgrade encryption protocols: To improve network security, replace
obsolete WEP encryption with modern protocols such as WPA2/WPA3.
• Segment business and guest networks: To protect your business's
sensitive data, direct guest and non-business activity to separate
networks.
• Install firewalls: Employ firewalls to discover and block potentially
hazardous programs.
• Limit DHCP connections: Regularly validate and remove unauthorized
devices, and consider working with a network security vendor for
comprehensive network safety solutions.

Securing Public Networks

With the increased availability of public Wi-Fi hotspots in cafés,
airports, and other public places, users must take proactive steps to
safeguard their digital privacy and security. Here are five basic tips
for safe and secure browsing on public networks.
• Use antivirus software: Install and update antivirus software to
detect and warn you of malware risks on public Wi-Fi networks.
• Avoid accessing sensitive information: Don't access any confidential
information or apps on unprotected public networks, even if you are
using a VPN.
• Utilize VPNs: Turn on your VPN to encrypt data transmission over public
Wi-Fi, preserving privacy and security by establishing a secure tunnel
for data transfer.
• Be wary of phishing emails: Exercise caution when reviewing email
content, validate suspicious links, and confirm the sender's identity.
• Disable file sharing and auto-connect: Turn off automatic connection
settings and file-sharing functions on devices to avoid unauthorized
access on public Wi-Fi networks.
Wireless Transport Layer Security (WTLS)

Wireless Transport Layer Security (WTLS) is a security layer for the
Wireless Application Protocol (WAP), specifically for applications that
use WAP. It is based on Transport Layer Security (TLS) v1.0, which is a
security layer used on the internet and is the successor to Secure
Sockets Layer (SSL) 3.1.

Wireless Transport Layer Security explained

WTLS was developed to address issues surrounding mobile network devices,
including limited memory capacity, lower processing power and low
bandwidth. It also provides authentication, data integrity and privacy
protection mechanisms.
Designed to support datagrams in a high-latency, low-bandwidth
environment, WTLS provides an optimized handshake with dynamic key
refreshing, which allows encryption keys to be updated regularly during
a secure session. This helps clients and servers communicate over a
secure and authenticated connection.

TLS and Wireless Transport Layer Security

The WTLS layer operates above the transport protocol layer. TLS, a
standard security protocol used between web browsers and web servers,
was modified to develop WTLS. The modification was required because
mobile networks could not guarantee end-to-end data security.
Consequently, WTLS is optimized for low-bandwidth mobile devices
compared to TLS (hence the "wireless").
WTLS is more efficient than TLS and requires fewer message exchanges.
When a message is in the transport layer, WTLS provides privacy
management as well as data authorization and data integrity.

Features of Wireless Transport Layer Security

There are several important features and benefits of WTLS.

Data integrity
WTLS achieves data integrity by using message authentication to ensure
that the data sent between a client and gateway is not modified.

Privacy
WTLS uses encryption to ensure that the data cannot be read by an
unauthorized middleman or third party.

Authentication
WTLS uses digital certificates to authenticate the parties involved in a
transaction or communication.

Denial-of-service (DoS) protection
WTLS detects and rejects replayed messages and messages that are not
successfully verified, to prevent DoS attacks.

Wireless LAN
A wireless LAN (WLAN) is a type of Local Area Network (LAN) that uses
wireless communication to connect any type of network client or device.

WLAN stands for Wireless Local Area Network. A WLAN is a local area
network that uses radio communication to provide mobility to the network
users while maintaining connectivity to the wired network. A WLAN
basically extends a wired local area network. WLANs are built by
attaching a device called an access point (AP) to the edge of the wired
network. Clients communicate with the AP using a wireless network
adapter, which is similar in function to an Ethernet adapter. A WLAN is
also called a LAWN (Local Area Wireless Network).
The performance of a WLAN is high compared to other wireless networks.
The coverage of a WLAN is within a campus, a building or a tech park. It
is used to extend wired networks to mobile users. The standards for WLAN
are HiperLAN, Wi-Fi, and IEEE 802.11. It offers service to desktops,
laptops, mobile applications, and all devices that work on the Internet.
A WLAN is an affordable method and can be set up in 24 hours. A WLAN
gives users the mobility to move around within a local coverage area and
still be connected to the network. Most current products are based on
the IEEE 802.11 standards, which carry the Wi-Fi brand name.

History
A professor at the University of Hawaii, Norman Abramson, developed the
world's first wireless computer communication network. In 1979, Gfeller
and U. Bapst published a paper in the IEEE Proceedings reporting an
experimental wireless local area network using diffused infrared
communications. The first of the IEEE workshops on Wireless LAN was held
in 1991.

WLAN Architecture
The components of the Wireless LAN architecture as per the IEEE
standards are as follows:
1. Stations: Stations consist of all the equipment used to connect to
the wireless LAN. Each station has a wireless network controller.
2. Basic Service Set (BSS): A group of stations communicating at the
physical layer.
3. Extended Service Set (ESS): A group of connected Basic Service Sets
(BSS).
4. Distribution System (DS): It connects all Extended Service Sets
(ESS).

Types of WLANs

As per the IEEE standard, WLANs are categorized into two basic modes,
which are as follows:
1. Infrastructure: In infrastructure mode, all the endpoints are
connected to a base station and communicate through it; this can also
enable internet access. A WLAN infrastructure can be set up with a
wireless router (base station) and an endpoint (computer, mobile phone,
etc.). An office or home Wi-Fi connection is an example of
infrastructure mode.
2. Ad Hoc: In ad hoc mode, the WLAN connects devices without a base
station, for example two computer workstations. An ad hoc WLAN is easy
to set up and provides peer-to-peer communication. It requires two or
more endpoints with built-in radio transmitters.

Working of WLAN
WLAN transmits data over radio signals and the data is sent in the form
of a packet. Each packet consists of layers, labels, and instructions with
unique MAC addresses assigned to endpoints. This enables routing data
packets to correct locations.

How is a WLAN Created

A WLAN is a collection of nodes interconnected with each other for the
purpose of data sharing, transmitting messages over the internet,
peer-to-peer connection, etc. As discussed above under types, it can be
created in the following two ways:
1. Connecting through one base station, which could be the router that
acts as a doorway to the internet; every other node (devices such as
computers and smartphones) can connect to the internet and to each other
through it.
2. Peer-to-peer connection using Wi-Fi Direct technology. This is more
suitable for situations where we need to connect two or more devices
without internet access, only for the purpose of data exchange over the
same local network.

Steps to Configure a New WLAN Network

WLAN stands for Wireless Local Area Network. A WLAN is a local area
network that uses radio communication to provide mobility to the network
users while maintaining connectivity to the wired network.

Steps to Configure WLAN in Cisco Packet Tracer:

Step 1: We need the following devices to set up the network topology, as
shown in the table below:

S.No   Device   Model Name (as given in Cisco Packet Tracer)   Quantity
1.     Router   WRT300N                                        1
2.     Laptop   Laptop                                         3

Using these devices, we create the network shown in the representation:
Step 2: Configure the laptops to make them wireless. First, click on
Laptop0 and turn off its power to change the ports: we are going to
replace the wired port with the wireless port, which is the WPC300N.
• Replace the port with the WPC300N and make sure to turn the laptop
back ON.
• Repeat the same procedure with Laptop1 and Laptop2.
• After that, we will assign IP addresses and a default gateway to the
laptops.
Step 3: Configure the router with an IP address and generate a security
key.
• First, click on the Router and go to the GUI tab.
• Then click on Setup, where you will find the IP address assigned as
192.168.0.1 with subnet mask 255.255.255.0.
• Then disable the DHCP server, because we are going to configure the
addresses statically.
• Then save the settings.
• Then move to the Wireless option.
• Set the Network Name (SSID) to HomeNetwork.
• Save the settings.
• Then we set the security key.
• Click on Wireless Security and select the security mode as WEP.
• Then generate the key by entering a 10-digit hexadecimal value, e.g.
0123456789.
• Save the settings.
Step 4: Now we configure the laptops using the IP addressing table
given below:

S.No   Device    IPv4 Address   Subnet Mask      Default Gateway
1.     Laptop0   192.168.0.3    255.255.255.0    192.168.0.1
2.     Laptop1   192.168.0.4    255.255.255.0    192.168.0.1
3.     Laptop2   192.168.0.2    255.255.255.0    192.168.0.1

Configure Laptop0: To configure the laptop, first set the IP
configuration to static, then add the IPv4 address and default gateway.
Note: Repeat the same process with Laptop1 and Laptop2, configuring both
devices by adding the IP configuration.
Step 5: Connect the laptops to the router by entering the security key
on each laptop.
• Click on Laptop0 and go to Desktop.
• Click on Connect and refresh the network list.
• After a few seconds, it will show the name of the network we assigned.
• Click on HomeNetwork.
• Then enter the security key in WEP Key 1 and click Connect.
• Laptop0 will connect to the router.
• Repeat the same process with Laptop1 and Laptop2 so that they also
connect to the router.
• After all of this, all of the hosts are connected to the router.
Step 6: Then we verify the wireless connection by pinging the IP
address of any laptop, or by sending and receiving data packets. For
example, go to the Command Prompt of Laptop0 and type the following
command:
command: ping 192.168.0.3
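A defender's check of the settings the steps above leave behind, as an added example in Python (not part of the original notes): the WEP mode and the example key 0123456789 are exactly what the later Encryption section warns against, so this audit flags them and passes a WPA2-Personal/AES replacement. The dictionary field names mirror the WRT300N GUI labels used in the steps but are my own assumption, and the factory-default SSID list and the fixed configuration are constructed for illustration.

```python
"""Audit of wireless router settings for obsolete or weak choices.

Added example, not from the original notes. Field names are assumed to mirror
the WRT300N GUI labels used in the lab; sample values are constructed.
"""
import re

# Modes the notes describe as obsolete; WPA2/WPA3 are the acceptable ones.
WEAK_MODES = {"Disabled", "WEP", "WPA Personal", "WPA Enterprise"}
STRONG_MODES = {"WPA2 Personal", "WPA2 Enterprise", "WPA3 Personal", "WPA3 Enterprise"}
# Constructed, illustrative sample of factory-default SSIDs (not exhaustive).
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}
MIN_PASSPHRASE_LEN = 12   # assumed local policy minimum

# Settings as left by the Packet Tracer steps above (WEP, key 0123456789).
LAB_CONFIG = {
    "ssid": "HomeNetwork",
    "security_mode": "WEP",
    "wep_key1": "0123456789",
    "admin_password": "admin",        # assumed: the router default was never changed
}

# Constructed replacement: WPA2-Personal with AES and a long passphrase.
FIXED_CONFIG = {
    "ssid": "HomeNetwork",
    "security_mode": "WPA2 Personal",
    "encryption": "AES",
    "passphrase": "correct-horse-battery-staple-2024",
    "admin_password": "Q7v!m2#Lx9pR",
}


def is_patterned_hex(hexkey: str) -> bool:
    """True when every pair of adjacent hex digits differs by the same step,
    i.e. the key is a run such as 0123456789, ffffffffff or 02468ace02."""
    digits = [int(c, 16) for c in hexkey]
    steps = {(b - a) % 16 for a, b in zip(digits, digits[1:])}
    return len(steps) == 1


def audit_wireless_config(cfg: dict) -> list:
    """Return a list of findings; an empty list means no weak setting was found."""
    findings = []
    mode = cfg.get("security_mode", "Disabled")
    if mode in WEAK_MODES:
        findings.append(f"security mode '{mode}' is obsolete; use WPA2 or WPA3")
    elif mode not in STRONG_MODES:
        findings.append(f"unrecognised security mode '{mode}'")

    if mode == "WEP":
        key = cfg.get("wep_key1", "")
        # 64-bit WEP keys are 10 hex digits, 128-bit keys are 26.
        if not re.fullmatch(r"(?:[0-9a-fA-F]{10}|[0-9a-fA-F]{26})", key):
            findings.append("WEP key is not 10 or 26 hex digits")
        elif is_patterned_hex(key):
            findings.append("WEP key is a sequential or repeated pattern")

    if mode.endswith("Personal"):
        passphrase = cfg.get("passphrase", "")
        if len(passphrase) < MIN_PASSPHRASE_LEN:
            findings.append(f"passphrase shorter than {MIN_PASSPHRASE_LEN} characters")
    if cfg.get("encryption") == "TKIP":
        findings.append("TKIP selected; use AES (CCMP) with WPA2")
    if cfg.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("SSID is a factory default; change it")
    if cfg.get("admin_password", "") in {"", "admin", "password"}:
        findings.append("router administrator password is blank or a default")
    return findings


if __name__ == "__main__":
    for name, cfg in (("lab", LAB_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_wireless_config(cfg) or ["no findings"])
```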
Wireless Network Security Considerations

Encryption
All wireless networks should be secured with effective encryption
standards. Older wireless encryption such as WEP and WPA should not be
used, because it is easily broken using widely available key-cracking
tools. Both home and business wireless networks should use WPA2 or WPA3
encryption to secure their data. WPA2 uses strong Advanced Encryption
Standard (AES) encryption and effectively protects data transmitted over
wireless networks. However, WPA2 can be vulnerable to password attacks
such as dictionary attacks and password-list attacks. Dictionary attacks
use automated software to quickly try thousands of common passwords to
access the wireless network. Password-list attacks are similar to
dictionary attacks, but they use lists of common passwords available on
the Dark Web. WPA3 is the latest standard for wireless encryption
(Wireless security protocols, n.d.). WPA3 also uses AES encryption and
has protections that prevent dictionary and password-list attacks.
Wireless piggybacking is a wireless attack that can be mitigated using
encryption. Piggybacking is when unauthorized users connect to the
wireless network. This real-world threat can occur when the network is
not adequately secured using a robust encryption standard such as
WPA2/WPA3. Piggybacking often occurs when a person uses a neighbor's
Wi-Fi without permission or parks outside a business location to connect
to the business's wireless network without permission. Encryption must
be paired with a strong password to be effective. Strong passwords can
be an inconvenience to users, so users often create passwords composed
of simple words that are easy to remember. These easy-to-remember
passwords are also easy to crack using tools such as Aircrack-ng and
BoopSuite. Therefore, strong wireless passwords should be used for both
business and home networks.
Firewalls
A firewall is a network security device that monitors incoming and
outgoing network traffic and decides whether to allow or block specific
traffic based on a defined set of security rules (Firewall). There are
two categories of firewalls: software firewalls and hardware firewalls.
A software firewall is a program installed on a computer that inspects
and filters data that may be malicious. Hardware firewalls are separate
devices that inspect and filter data before it reaches the network.
Firewalls can be either stateful or stateless. Stateful firewalls
scrutinize multiple aspects of network traffic, including the context of
the traffic. These firewalls analyze the communication channels and the
characteristics of the data to determine what traffic is permitted.
Stateless firewalls, on the other hand, inspect each packet alone without
considering its context. Stateless firewalls are generally less
expensive and faster than stateful firewalls.
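The stateful/stateless distinction above, as an added example in Python (not from the original notes): one constructed packet stream is judged first by a stateless rule set and then by a stateful filter that remembers the flows a LAN host opened. Addresses, ports and the rule set are my own assumptions; the LAN host reuses the Laptop0 address from the lab.

```python
"""Stateless vs. stateful filtering of the same packet stream.

Added example, not from the original notes. Packets are constructed 5-tuples;
the public addresses are from documentation ranges.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out": LAN host -> Internet, "in": Internet -> LAN host
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag (ignored for UDP)


class StatelessFirewall:
    """Judges each packet on its own headers, with no memory of earlier packets.
    Rule set: allow everything outbound; allow inbound only if it looks like an
    HTTPS reply (TCP from source port 443 with ACK set)."""

    def allow(self, p: Packet) -> bool:
        if p.direction == "out":
            return True
        return p.proto == "tcp" and p.sport == 443 and p.ack


class StatefulFirewall:
    """Records every flow a LAN host opens and admits an inbound packet only
    when it is the reverse of a recorded flow, i.e. it fits the traffic context."""

    def __init__(self) -> None:
        self.flows = set()

    def allow(self, p: Packet) -> bool:
        if p.direction == "out":
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return True
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows


# Constructed stream: two genuine request/reply pairs and one unsolicited
# inbound packet that merely carries the ACK flag and source port 443.
STREAM = [
    Packet("out", "tcp", "192.168.0.3", 51000, "203.0.113.10", 443),            # 1 open HTTPS
    Packet("in",  "tcp", "203.0.113.10", 443, "192.168.0.3", 51000, ack=True),  # 2 genuine reply
    Packet("in",  "tcp", "198.51.100.7", 443, "192.168.0.3", 3389, ack=True),   # 3 unsolicited
    Packet("out", "udp", "192.168.0.3", 40000, "203.0.113.53", 53),             # 4 DNS query
    Packet("in",  "udp", "203.0.113.53", 53, "192.168.0.3", 40000),             # 5 DNS reply
]


def run(firewall, packets) -> list:
    """Decisions in stream order; pass a fresh firewall object for each run."""
    return [firewall.allow(p) for p in packets]


if __name__ == "__main__":
    # Stateless: packet 3 is admitted (it matches the static rule) and the
    # legitimate DNS reply 5 is dropped (no rule covers it).
    print("stateless:", run(StatelessFirewall(), STREAM))
    # Stateful: only the two replies that belong to recorded flows are admitted.
    print("stateful: ", run(StatefulFirewall(), STREAM))
```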
Firewalls on wireless networks can help prevent attacks such
as malware and viruses by stopping this malicious traffic before it enters
the network or device. Firewalls should also be deployed on mobile
devices such as phones. Attacks in which other devices attempt to
connect to a phone or mobile device can be thwarted with a properly
configured mobile firewall.
Restrict Wireless Access using MAC Address Filtering
Access to wireless networks can be restricted through the use of MAC
address filtering. Since every device has a MAC address, the network can
be configured to allow connections only from specifically authorized
devices. MAC address filtering enables organizations to allow connections
only from devices that meet the required security requirements and have
been pre-screened for malware or virus threats. Organizations may even
choose to allow company-owned devices and prevent personally owned
devices from connecting to the network. Restrictions such as these can
be a powerful method to reduce the attack surface of a wireless network.
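An allow-list filter of the kind described above, as an added example in Python (not from the original notes). It goes slightly beyond the text: it normalises the three common MAC notations so list entries compare equal, and it flags locally administered addresses, which is what the per-network randomised MACs on many modern phones look like and which a static allow-list cannot match. The allow-list and client addresses are constructed.

```python
"""MAC address allow-list filter with notation handling and a randomised-MAC hint.

Added example, not from the original notes. All addresses are constructed.
"""
import re

_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$"        # 00:1a:2b:3c:4d:5e
    r"|^(?:[0-9a-f]{2}-){5}[0-9a-f]{2}$"       # 00-1a-2b-3c-4d-5e
    r"|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$",     # 001a.2b3c.4d5e (Cisco notation)
    re.IGNORECASE,
)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so entries in any notation compare equal.
    Raises ValueError on malformed input."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """The U/L bit (0x02 of the first octet) is set on addresses assigned by
    software rather than burned in by the vendor; per-network randomised
    addresses used by many modern phones are of this kind."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


class MacFilter:
    """Allow-list filter. A MAC address is not a secret, so this reduces the
    attack surface as the notes say but is not an authentication step."""

    def __init__(self, allowed):
        self.allowed = {normalize_mac(m) for m in allowed}

    def decide(self, client_mac: str) -> tuple:
        """Return (permitted, reason) for a connection attempt."""
        try:
            mac = normalize_mac(client_mac)
        except ValueError as exc:
            return False, str(exc)
        if mac in self.allowed:
            return True, "allow-listed"
        if is_locally_administered(mac):
            return False, "not listed; locally administered address (randomised MAC?)"
        return False, "not listed"


# Constructed allow-list, deliberately written in three notations.
COMPANY_DEVICES = ["00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5f", "001a.2b3c.4d60"]

if __name__ == "__main__":
    f = MacFilter(COMPANY_DEVICES)
    for attempt in ["00-1A-2B-3C-4D-5E", "001A.2B3C.4D60", "da:a1:19:00:00:01",
                    "00:1a:2b:3c:4d:61", "not-a-mac"]:
        print(attempt, "->", f.decide(attempt))
```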
Wireless Network Design
The wireless network should be designed to limit the ability to access
the network from outside an organization’s workspace. Wireless
networks must meet the users’ needs but can also be configured to
restrict the ability of intruders to gain access to the wireless signal. This
can be accomplished by positioning the wireless access points in the
center of the building or strategic locations within the workspace and
adjusting the signal strength so that the wireless signal does not reach
outside the building.
SSID Broadcasting
The Service Set Identifier (SSID) is the broadcast name of the wireless
network. It is common for manufacturers to use the same SSID for all the
wireless routers they produce. Therefore, it is essential to change the
default SSID so that the router manufacturer is not disclosed. SSID
broadcasting can be disabled so that the network is not discoverable.
This can be helpful because it will deter the casual user from
attempting to connect to the network. However, disabling the SSID
broadcast is not a real security measure, because it does nothing more
than hide the network name.

Wireless Security - Access Point

The Access Point (AP) is the central node in 802.11 wireless
implementations. It is the interface between the wired and wireless
network that all the wireless clients associate to and exchange data
with.

For a home environment, most often you have a router, a switch, and an
AP embedded in one box, making it very usable for this purpose.

Wireless Controller (WLC)

In a corporate wireless implementation, the number of Access Points is
often counted in hundreds or thousands of units. It would not be
administratively feasible to manage all the APs and their configuration
(channel assignments, optimal output power, roaming configuration,
creation of SSIDs on each and every AP, etc.) separately.
This is the situation where the concept of the wireless controller comes
into play. It is the "mastermind" behind the whole wireless network
operation: a centralized server with IP connectivity to all the APs on
the network, making it easy to manage all of them globally from a single
management platform, push configuration templates, monitor users across
all the APs in real time, and so on.

Working of Repeaters
• Initially the source system transmits the signal. This source system
can be a mobile phone, laptop or radio.
• The transmitted signal travels through the air if it is a wireless
network, or through the cable if it is a wired network. As the signal
moves away from the source, its strength weakens.
• The signal received by the repeater is therefore not the original
signal sent by the source system but a weakened copy. The repeater
amplifies this weak signal to restore its strength.
• The strengthened signal is then sent from the repeater towards its
destination. This signal is stronger and can travel a longer distance.
In short, a repeater extends the network without losing signal quality.
• Repeaters are therefore used in wireless technologies such as Wi-Fi
and in wired technologies such as Ethernet.

WORKSTATION SECURITY

• Require strong passwords
• Backup data regularly
• Practice regular patch management
• Encrypt your data with a VPN
• Install antivirus software
• Use firewalls
• Use MFA
• Limit user permissions
