Module 5-System Security and Wireless Security-With University Questions

The document discusses firewalls as essential security systems that protect networks from unauthorized access and attacks by analyzing traffic based on predefined rules. It outlines various types of firewalls, including packet filtering, stateful inspection, application-level, and circuit-level gateways, along with their characteristics, advantages, and limitations. Additionally, it covers firewall configurations, emphasizing the importance of bastion hosts and different setups for enhanced security.

Uploaded by vishakt543

Module 5

System Security & Wireless Security
Firewalls
• Definition: A firewall is a security system designed to protect computer networks and
devices from unauthorized access and attacks. It acts as a barrier between an internal
network and the Internet, analyzing incoming and outgoing network traffic based on a
set of predefined security rules. Firewalls can be implemented in hardware, software,
or a combination of both, and are an essential component of network security.

Inbound traffic: traffic/services from the outside world to the internal network

Outbound traffic: traffic/services from the internal network to the outside world/Internet
Index
● System Security
● Firewalls – Firewall characteristics, Types of Firewalls, Firewall configurations, Encrypted Tunnels, Trusted systems – Data access control, The concept of Trusted Systems, Trojan horse defense.
● Wireless security
● IEEE 802.11i wireless LAN security – Services, Phases of operation, Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), WPA2.
Need for Firewalls

○ Internet access enables the outside world to reach and interact with local network assets; this creates a threat to the organization
○ Equipping each workstation and server with strong security features, such as intrusion protection, is possible but not always cost-effective
○ When a security flaw is discovered, each potentially affected system must be upgraded to fix that flaw
○ The widely accepted alternative to host-based security services is the firewall
Firewalls

○ A firewall is inserted between the premises network and the Internet to establish a controlled link and to erect an outer security wall or perimeter
○ The aim of this perimeter is to protect the premises network from Internet-based attacks
○ The firewall may be a single computer system or a set of two or more systems that cooperate to perform the firewall function
○ The firewall provides an additional layer of defense, insulating the internal systems from external networks
○ It forms a barrier through which the traffic going in each direction must pass
○ The firewall security policy dictates which traffic is authorized to pass in each direction
○ It may be designed to operate as a filter at the level of IP packets, or may operate at a higher protocol layer
Firewall characteristics

Design goals for a firewall:

1. All traffic from inside to outside, and vice versa, must pass through the firewall
2. Only authorized traffic, as defined by the local security policy, will be allowed to pass
3. The firewall itself is immune to penetration
Techniques used to control access and enforce the site's security policy:

1. Service control: determines the types of Internet services that can be accessed, inbound or outbound
2. Direction control: determines the direction in which particular service requests may be initiated and allowed to flow through the firewall
3. User control: controls access to a service according to which user is attempting to access it
4. Behavior control: controls how particular services are used; for example, the firewall may filter email to eliminate spam
Capabilities of a Firewall

1. Defines a single choke point that keeps unauthorized users out of the protected network
2. Provides protection from various kinds of IP spoofing and routing attacks
3. The single choke point simplifies security management, because security capabilities are consolidated on a single system or set of systems
4. Provides a location for monitoring security-related events; audits and alarms can be implemented on the firewall system
5. Is a convenient platform for several Internet functions that are not security related, such as a network address translator
6. Can serve as the platform for IPsec: using the tunnel mode capability, the firewall can be used to implement virtual private networks
Limitations of a Firewall

● Cannot protect against attacks that bypass the firewall
● May not protect fully against internal threats, such as a disgruntled employee
● An improperly secured wireless LAN may be accessed from outside the organization
● The firewall cannot protect against the transfer of virus-infected programs or files
● A laptop, PDA, or portable storage device may be used and infected outside the corporate network, and then attached and used internally
Types of Firewall

1. Packet Filtering Firewall
2. Stateful Inspection Firewall
3. Application Proxy Firewall
4. Circuit-level Proxy Firewall
Packet Filtering Firewall
○ This is the most basic type of firewall and operates at the network layer (Layer 3) of the OSI model. It examines individual packets of data and filters them based on predefined rules, such as source and destination IP addresses, port numbers, and protocols. Packet filtering firewalls are typically fast and efficient but provide limited inspection capabilities.
○ A packet filter can operate as a positive filter, passing only packets that meet specific criteria, or as a negative filter, rejecting any packet that meets certain criteria
○ It applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet
○ The firewall is typically configured to filter packets going in both directions
Firewalls - Packet Filtering Firewall

Filtering rules are based on information contained in a network packet:

○ Source IP address: the IP address of the system that originated the IP packet (e.g., 192.178.1.1)
○ Destination IP address: the IP address of the system the IP packet is trying to reach (e.g., 192.168.1.2)
○ Source and destination transport-level address: the transport-level (e.g., TCP or UDP) port number, which defines applications such as SNMP or TELNET
○ IP protocol field: defines the transport protocol (TCP/UDP)
○ Interface: for a firewall with three or more ports, which interface of the firewall the packet came from or which interface of the firewall the packet is destined for
● The packet filter is set up as a list of rules based on matches to fields in the IP or TCP header
● If there is a match to one of the rules, that rule is invoked to determine whether to forward or discard the packet
● If there is no match to any rule, then a default action is taken

Two default policies are possible:
• Default = discard (typical of business/government): that which is not expressly permitted is prohibited; more secure
• Default = forward (typical of universities): that which is not expressly prohibited is permitted; less secure, since the security administrator must respond to each new threat as it is discovered
Example:
○ Packets from a particular external host, SPIGOT, are blocked because that host has a history of sending massive files in e-mail messages
○ Inbound mail is allowed (port 25 is SMTP), but only to a gateway host
Packet Filtering - Advantages

○ Simplicity
○ Transparent to users: works independently without any need for user knowledge or cooperation
○ Highly efficient
○ High speed

Packet Filtering - Disadvantages

○ Does not examine upper-layer data, so it cannot prevent attacks that employ application-specific vulnerabilities or functions
○ Because of the limited information available to the firewall, the logging functionality is limited
○ Does not support advanced user authentication schemes
○ Vulnerable to attacks such as network-layer address spoofing
○ Susceptible to security breaches caused by improper configurations
Attacks on Packet Filtering Firewalls

1. IP address spoofing:
○ The intruder transmits packets from the outside with a source IP address field containing an address of an internal host
○ The attacker hopes that packets from specific trusted internal hosts are accepted
○ Countermeasure: discard packets with an inside source address if the packet arrives on an external interface

2. Source routing attacks:
○ The source station specifies the route that a packet should take as it crosses the Internet, in the hope that this will bypass security measures that do not analyze the source routing information
○ Countermeasure: discard all packets that use this option
3. Tiny fragment attacks:
○ The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment
○ The attack is designed to circumvent filtering rules that depend on TCP header information
○ The attacker hopes that the filtering firewall examines only the first fragment and that the remaining fragments are passed through

Tiny fragment attacks - countermeasure:
○ The attack can be defeated by enforcing a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header
○ If the first fragment is rejected, the filter can remember the packet and discard all subsequent fragments
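The rule model and the three countermeasures above, worked as a small stateless filter in Python. This is an added example, not code from the slides: the internal network, the SPIGOT and gateway addresses, and the 20-byte first-fragment minimum are constructed values.

```python
"""Stateless packet filter: ordered rule list, first match wins, default = discard,
with the anti-spoofing, source-routing and tiny-fragment checks applied first.
Addresses and host names are constructed sample values, not from any real site.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

INTERNAL_NET = ip_network("192.168.1.0/24")      # assumed internal address range
GATEWAY_HOST = "192.168.1.25"                     # assumed SMTP gateway host
SPIGOT_HOST = "203.0.113.7"                       # assumed address of the external host SPIGOT
MIN_FIRST_FRAGMENT_TRANSPORT_BYTES = 20           # enough to carry a full TCP header


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp" or "udp"
    dport: int
    interface: str               # "external" or "internal": where the packet arrived
    source_routed: bool = False  # IP source-route option present
    fragment_offset: int = 0     # 0 means first (or only) fragment
    transport_bytes: int = 40    # transport-layer bytes present in this fragment


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: Optional[str] = None    # host or CIDR; None matches anything
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    interface: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return all([
            self.src is None or ip_address(p.src) in ip_network(self.src),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst),
            self.proto is None or self.proto == p.proto,
            self.dport is None or self.dport == p.dport,
            self.interface is None or self.interface == p.interface,
        ])


# The slides' example policy: block SPIGOT outright; allow inbound SMTP only to
# the gateway host. Anything unmatched falls through to the default action.
RULES = [
    Rule("deny", src=SPIGOT_HOST),
    Rule("permit", dst=GATEWAY_HOST, proto="tcp", dport=25, interface="external"),
]
DEFAULT_ACTION = "deny"   # default = discard: not expressly permitted is prohibited


def sanity_checks(p: Packet) -> Optional[str]:
    """Countermeasures applied before the rule table; returns a drop reason or None."""
    if p.interface == "external" and ip_address(p.src) in INTERNAL_NET:
        return "spoofed internal source on external interface"
    if p.source_routed:
        return "source-routed packet"
    if p.fragment_offset == 0 and p.transport_bytes < MIN_FIRST_FRAGMENT_TRANSPORT_BYTES:
        return "tiny first fragment"
    return None


def filter_packet(p: Packet, rules=RULES, default=DEFAULT_ACTION) -> Tuple[str, str]:
    """Decide one packet: countermeasures first, then first-matching rule, then default."""
    reason = sanity_checks(p)
    if reason:
        return "deny", reason
    for i, r in enumerate(rules):
        if r.matches(p):
            return r.action, f"rule {i}"
    return default, "default policy"
```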
Firewall - Stateful Inspection Firewall
● This type of firewall operates at the network layer and maintains a record of the state of network connections. It monitors the full context of a conversation, keeping track of the state of connections and ensuring that only legitimate packets are allowed based on the established session information. Stateful inspection firewalls offer greater security than packet filtering firewalls by considering the entire conversation instead of just individual packets.
● A traditional packet filter makes filtering decisions on an individual packet basis and does not take into consideration any higher-layer context:
○ When an application that uses TCP creates a session with a remote host, it creates a TCP connection in which the TCP port number for the remote (server) application is a number less than 1024 and the TCP port number for the local (client) application is a number between 1024 and 65535
○ Numbers less than 1024 are the "well-known" port numbers, assigned permanently to particular applications (e.g., 25 for server SMTP)
○ Numbers between 1024 and 65535 are generated dynamically and have temporary significance only for the lifetime of a TCP connection
Drawback of the Packet Filtering Firewall

○ A simple packet filtering firewall must permit inbound network traffic on all these high-numbered ports for TCP-based traffic to occur
○ This creates a vulnerability that can be exploited by unauthorized users

Speciality of the Stateful Inspection Firewall

○ Tightens up the rules for TCP traffic by creating a directory of outbound TCP connections
○ There is an entry for each currently established connection
Firewall - Stateful Inspection Firewall

○ Reviews the same packet information as packet filtering but also records information about TCP
connections
○ Some stateful firewalls also keep track of TCP sequence numbers to prevent attacks that depend
on the sequence number
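The connection directory described above, as an added Python example (not code from the slides): outbound SYNs from ephemeral ports to well-known server ports create entries, inbound packets are forwarded only when they belong to an entry, and a FIN removes it. The state machine is deliberately reduced to SYN_SENT/ESTABLISHED; sequence-number tracking is left out, and the addresses are constructed.

```python
"""Minimal stateful inspection: a directory of outbound TCP connections keyed
by (inside addr, inside port, outside addr, outside port). Unsolicited inbound
traffic to high-numbered ports no longer has to be permitted wholesale.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

ConnKey = Tuple[str, int, str, int]   # (inside addr, inside port, outside addr, outside port)


@dataclass
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "out" = inside -> Internet, "in" = Internet -> inside
    syn: bool = False
    ack: bool = False
    fin: bool = False


@dataclass
class StatefulFirewall:
    table: Dict[ConnKey, str] = field(default_factory=dict)   # connection -> state

    def inspect(self, p: TcpPacket) -> bool:
        """Return True to forward the packet, False to discard it."""
        if p.direction == "out":
            key = (p.src, p.sport, p.dst, p.dport)
            if p.syn and not p.ack:
                # Simplified policy from the slides: inside clients open connections
                # from an ephemeral port (1024-65535) to a well-known server port (<1024).
                if p.dport < 1024 and 1024 <= p.sport <= 65535:
                    self.table[key] = "SYN_SENT"
                    return True
                return False
            if key in self.table:
                if p.fin:
                    del self.table[key]       # teardown (simplified: one FIN closes)
                return True
            return False                      # outbound packet of an unknown connection
        # Inbound: forward only packets that belong to a connection we initiated.
        key = (p.dst, p.dport, p.src, p.sport)
        state = self.table.get(key)
        if state is None:
            return False                      # unsolicited inbound to a high port: dropped
        if state == "SYN_SENT":
            if p.syn and p.ack:
                self.table[key] = "ESTABLISHED"
                return True
            return False                      # only a SYN/ACK is acceptable at this point
        if p.fin:
            del self.table[key]
        return True
```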
Firewall - Application-Level Gateway
○ An application-level firewall operates at the application layer (Layer 7) of the OSI model. It can examine the contents of the application data and make decisions based on the specific application protocols being used, such as HTTP, FTP, or DNS. Application-level firewalls provide more granular control and can detect and block certain application-specific attacks.
○ Also called an application proxy; it acts as a relay of application-level traffic
○ The user contacts the gateway using a TCP/IP application, such as Telnet or FTP
○ The gateway asks the user for the name of the remote host to be accessed
○ When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two endpoints
Firewall- Application-Level Gateway

○ If the gateway does not implement the proxy code for a specific application, the service is not supported and
cannot be forwarded across the firewall
○ Gateway can be configured to support only specific features of an application that the network administrator
considers acceptable while denying all other features
Advantages:

○ More secure than packet filters, since the gateway need only scrutinize a few allowable applications
○ It is easy to log and audit all incoming traffic at the application level

Disadvantage:
• Additional processing overhead on each connection: there are two spliced connections between the end users, with the gateway at the splice point, and the gateway must examine and forward all traffic in both directions
Firewall - Circuit-Level Gateway

○ Also called a circuit-level proxy
○ Can be a stand-alone system, or a specialized function performed by an application-level gateway for certain applications
○ Does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host
● Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents
● The security function consists of determining which connections will be allowed
● Used in situations where the system administrator trusts the internal users

The gateway can be configured to support:

○ application-level or proxy service on inbound connections, and
○ circuit-level functions for outbound connections
Bastion Host - Overview

● DNS (Domain Name System) server
● Email server
● FTP (File Transfer Protocol) server
● Honeypot
● Proxy server
● VPN (Virtual Private Network) server
● Web server
Bastion Host

○ A system identified by the firewall administrator as a critical strong point in the network's
security
○ serves as a platform for an application-level or circuit-level gateway

Characteristics:

1. bastion host hardware platform executes a secure version of its operating system, making it a
trusted system
2. Only the services that the network administrator considers essential are installed on the bastion
host (proxy applications such as Telnet, DNS, FTP, SMTP, and user authentication)
● May require additional authentication before a user is allowed access to the proxy services
○ Each proxy is configured to support only a subset of the standard application's command set
○ Each proxy is configured to allow access only to specific host systems
○ Each proxy maintains detailed audit information by logging all traffic, each connection, and the duration of each connection. The audit log is an essential tool for discovering and terminating intruder attacks.
Firewall Configurations

● In addition to the use of a simple configuration consisting of a single system, such as a single packet filtering router or a single gateway, more complex configurations are possible and are widely used:

1. Screened host firewall, single-homed bastion configuration
2. Screened host firewall, dual-homed bastion configuration
3. Screened subnet firewall
Firewall Configurations - Screened host firewall, single-homed bastion configuration

The firewall consists of two systems:

● a packet-filtering router and
● a bastion host

Typically, the router is configured so that
1. For traffic from the Internet, only IP packets destined for the bastion host are allowed in.
2. For traffic from the internal network, only IP packets from the bastion host are allowed out.
The bastion host performs authentication and proxy functions.

This configuration has greater security:
● First, this configuration implements both packet-level and application-level filtering, allowing for considerable flexibility in defining security policy
● Second, an intruder must generally penetrate two separate systems before the security of the internal network is compromised

This configuration also affords flexibility in providing direct Internet access.
Firewall Configurations - Screened host firewall, dual-homed bastion configuration

○ In the single-homed configuration, if the packet-filtering router is completely compromised, traffic could flow directly through the router between the Internet and other hosts on the private network
○ The screened host firewall, dual-homed bastion configuration physically prevents such a security breach
○ It uses dual layers of security as well
○ The bastion host has two network cards: one is used for the internal connection and the second for the connection with the router
○ In this case, even if the router is compromised, the internal network remains unaffected, since it is in a separate network zone
○ An information server or other hosts can be allowed direct communication with the router if this is in accord with the security policy
Firewall Configurations - Screened subnet firewall configuration

● Most secure configuration, but expensive
● Two packet-filtering routers are used, creating an isolated sub-network:
1. one between the bastion host and the Internet, and
2. one between the bastion host and the internal network
● This configuration creates an isolated subnetwork, which may consist of simply the bastion host but may also include one or more information servers and modems for dial-in capability
Screened subnet firewall configuration - Advantages

This configuration offers several advantages:

1. There are now three levels of defense to thwart intruders.
2. The outside router advertises only the existence of the screened subnet to the Internet; therefore, the internal network is invisible to the Internet.
3. The inside router advertises only the existence of the screened subnet to the internal network; therefore, the systems on the inside network cannot construct direct routes to the Internet.
Encrypted Tunnels
(Figure-only slides: "Hacker & Encrypted packet" and four "Factors affecting encrypted tunnel" slides; no text content.)
Trusted Systems
One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology.

● Data Access Control
○ Following successful logon, the user has been granted access to one or a set of hosts and applications.
○ This is generally not sufficient for a system that includes sensitive data in its database.
○ Associated with each user, there can be a profile that specifies permissible operations and file accesses.
❏ A general model of access control as exercised by a file or database management system is that of an access matrix.
❏ The basic elements of the model are as follows:
❏ Subject: An entity capable of accessing objects. Generally, the concept of subject equates with that of process. Any user or application actually gains access to an object by means of a process that represents that user or application.
❏ Object: Anything to which access is controlled. Examples include files, portions of files, programs, and segments of memory.
❏ Access right (Access Lists): The way in which an object is accessed by a subject. Examples are read, write, and execute.
Access Control Structure

• Access matrix (as shown in the figure):
• There can be multiple programs
• Programs contain multiple segments or files
• Processes denote users
• Process1 has access to Program1 for Read & Execute
• Process1 has access to Segment A for Read & Write
• Process1 has no access to Segment B
• Access control lists: for each program/segment, the list of processes that can access it
• Capability list: for each process, the list of objects and the operations it may perform on them
Access Control Structure-More Details

● One axis of the matrix consists of identified subjects that may attempt data access.
Typically, this list will consist of individual users or user groups, although access could
be controlled for terminals, hosts, or applications instead of or in addition to users. The
other axis lists the objects that may be accessed. At the greatest level of detail, objects
may be individual data fields. More aggregate groupings, such as records, files, or even
the entire database, may also be objects in the matrix. Each entry in the matrix
indicates the access rights of that subject for that object.
● The matrix may be decomposed by columns, yielding access control lists. Thus, for
each object, an access control list lists users and their permitted access rights.
● Decomposition by rows yields capability tickets. A capability ticket specifies
authorized objects and operations for a user. Each user has a number of tickets and
may be authorized to loan or give them to others.
The Concept of Trusted Systems

● A somewhat different but widely applicable requirement is to protect data or resources on the basis of levels of security.
● This is commonly found in the military, where information is categorized as unclassified (U), confidential (C), secret (S), top secret (TS), or beyond.
● This concept is equally applicable in other areas, where information can be organized into gross categories and users can be granted clearances to access certain categories of data.
● For example, the highest level of security might be for strategic corporate planning documents and data, accessible by only corporate officers and their staff; next might come sensitive financial and personnel data, accessible only by administration personnel, corporate officers, and so on.
● When multiple categories or levels of data are defined, the requirement is referred to as multilevel security.
● A multilevel secure system must enforce the following:
○ No read up: A subject can only read an object of less or equal security level. This is referred to in the literature as the Simple Security Property.
○ No write down: A subject can only write into an object of greater or equal security level. This is referred to in the literature as the *-Property[1] (pronounced star property).
Reference Monitor Concept
The reference monitor is a controlling element in the hardware and operating system
of a computer that regulates the access of subjects to objects on the basis of security
parameters of the subject and object.

The reference monitor has access to a file, known as the security kernel database,
that lists the access privileges (security clearance) of each subject and the protection
attributes (classification level) of each object.
● The reference monitor enforces the security rules (no read up, no write down)
and has the following properties:
○ Complete mediation: The security rules are enforced on every access, not
just, for example, when a file is opened.
○ Isolation: The reference monitor and database are protected from
unauthorized modification.
○ Verifiability: The reference monitor's correctness must be provable. That is,
it must be possible to demonstrate mathematically that the reference monitor
enforces the security rules and provides complete mediation and isolation.
Trojan Horse Defense

A Trojan horse is a type of malware that is downloaded onto a computer disguised as a legitimate program.

Delivery typically relies on social engineering: the attacker hides malicious code within apparently legitimate software so that the user runs it and unknowingly grants the attacker access to the system.

One way to secure against Trojan horse attacks is the use of a secure, trusted operating system.

1. In this case, a Trojan horse is used to get around the standard security mechanism used by
most file management and operating systems: the access control list. In this example, a user
named Bob interacts through a program with a data file containing the critically sensitive
character string "CPE170KS." User Bob has created the file with read/write permission provided
only to programs executing on his own behalf: that is, only processes that are owned by Bob may
access the file. The Trojan horse attack begins when a hostile user, named Alice, gains
legitimate access to the system and installs both a Trojan horse program and a private file to be
used in the attack as a "back pocket." Alice gives read/write permission to herself for this file and
gives Bob write-only permission.
2. Alice now induces Bob to invoke the Trojan horse program, perhaps by advertising it as a useful
utility. When the program detects that it is being executed by Bob, it reads the sensitive character
string from Bob's file and copies it into Alice's back-pocket file. Both the read and write
operations satisfy the constraints imposed by access control lists. Alice then has only to access
Bob's file at a later time to learn the value of the string.
Trojan Horse Defense

3. Now consider the use of a secure operating system in this scenario. Security levels are assigned to
subjects at logon on the basis of criteria such as the terminal from which the computer is being
accessed and the user involved, as identified by password/ID. In this example, there are two security
levels, sensitive and public, ordered so that sensitive is higher than public. Processes owned by Bob
and Bob's data file are assigned the security level sensitive. Alice's file and processes are restricted to
public.

4. If Bob invokes the Trojan horse program, that program acquires Bob's security level. It is therefore able, under the simple security property, to observe the sensitive character string. When the program attempts to store the string in a public file (the back-pocket file), however, the *-property is violated and the attempt is disallowed by the reference monitor. Thus, the attempt to write into the back-pocket file is denied even though the access control list permits it: the security policy takes precedence over the access control list mechanism.
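The access matrix and its decomposition into access control lists and capability lists (Access Control Structure above), and the reference monitor enforcing no-read-up/no-write-down on top of the ACL, worked through on the Bob/Alice scenario just described. This is an added Python example, not code from the slides; the subject/object names follow the slides, while the file names, level names and ordering are constructed.

```python
"""Access matrix -> ACLs (columns) and capabilities (rows); a reference monitor
that checks the ACL first and then the multilevel rules; and the Trojan horse
scenario from the slides replayed against it.
"""
from typing import Dict, List, Set, Tuple

Matrix = Dict[str, Dict[str, Set[str]]]   # subject -> object -> rights


def acls(matrix: Matrix) -> Dict[str, Dict[str, Set[str]]]:
    """Decompose by columns: for each object, the subjects and their permitted rights."""
    out: Dict[str, Dict[str, Set[str]]] = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:
                out.setdefault(obj, {})[subject] = set(rights)
    return out


def capabilities(matrix: Matrix) -> Dict[str, Dict[str, Set[str]]]:
    """Decompose by rows: for each subject, the objects and operations it may use (its tickets)."""
    return {s: {o: set(r) for o, r in row.items() if r} for s, row in matrix.items()}


# The slides' example matrix: Process1 has R,E on Program1, R,W on Segment A, nothing on Segment B.
SLIDE_MATRIX: Matrix = {
    "Process1": {"Program1": {"read", "execute"}, "Segment A": {"read", "write"}, "Segment B": set()},
}

LEVELS = {"public": 0, "sensitive": 1}   # constructed total order; higher = more sensitive


class ReferenceMonitor:
    """Mediates every access (complete mediation): discretionary ACL check, then mandatory MLS check."""

    def __init__(self, matrix: Matrix, subject_level: Dict[str, str], object_level: Dict[str, str]):
        self.acl = acls(matrix)              # security kernel database: access privileges
        self.subject_level = subject_level   # clearances
        self.object_level = object_level     # classifications
        self.audit: List[Tuple[str, str, str, bool, str]] = []

    def access(self, subject: str, obj: str, right: str) -> Tuple[bool, str]:
        if right not in self.acl.get(obj, {}).get(subject, set()):
            return self._log(subject, obj, right, False, "denied by ACL")
        s, o = LEVELS[self.subject_level[subject]], LEVELS[self.object_level[obj]]
        if right == "read" and s < o:
            return self._log(subject, obj, right, False, "no read up (simple security property)")
        if right == "write" and s > o:
            return self._log(subject, obj, right, False, "no write down (*-property)")
        return self._log(subject, obj, right, True, "allowed")

    def _log(self, subject, obj, right, ok, why):
        self.audit.append((subject, obj, right, ok, why))
        return ok, why


def trojan_horse_scenario() -> Dict[str, Tuple[bool, str]]:
    """The Trojan runs on Bob's behalf, so its accesses are mediated as subject 'Bob'."""
    matrix: Matrix = {
        # Bob's file: read/write only for processes owned by Bob.
        # Alice's back-pocket file: read/write for Alice, write-only for Bob.
        "Bob":   {"bob_file": {"read", "write"}, "back_pocket": {"write"}},
        "Alice": {"bob_file": set(), "back_pocket": {"read", "write"}},
    }
    rm = ReferenceMonitor(matrix,
                          subject_level={"Bob": "sensitive", "Alice": "public"},
                          object_level={"bob_file": "sensitive", "back_pocket": "public"})
    return {
        "trojan_reads_bobs_file": rm.access("Bob", "bob_file", "read"),         # allowed
        "trojan_writes_back_pocket": rm.access("Bob", "back_pocket", "write"),  # ACL permits, *-property denies
        "alice_reads_back_pocket": rm.access("Alice", "back_pocket", "read"),   # allowed, but nothing was copied
        "alice_reads_bobs_file": rm.access("Alice", "bob_file", "read"),        # denied by ACL
    }
```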
Wireless Security

• IEEE 802: a committee responsible for LANs
• IEEE 802.11: responsible for developing wireless protocols
― Many standards
• The Wi-Fi Alliance: a global non-profit organization that promotes and certifies Wi-Fi technology and standards.
• Objective: a group of companies with the goal of ensuring interoperability and promoting the widespread adoption of Wi-Fi technology.
― Wi-Fi Protected Access (WPA, WPA2, WPA3)
Wireless Networking Components

Wireless client: Wi-Fi-enabled laptop/tablet, cell phone, Bluetooth device, …
Access point: cell towers, Wi-Fi hotspots, wireless routers
Transmission medium: carries signals / Wi-Fi channel
IEEE 802.11i Services

1. Authentication: A protocol is used to define an exchange between a user and an AS that provides mutual authentication and generates temporary keys to be used between the client and the AP over the wireless link.
2. Access control: This function enforces the use of the authentication function, routes the messages properly, and facilitates key exchange. It can work with a variety of authentication protocols.
3. Privacy with message integrity: MAC-level data (e.g., an LLC PDU) are encrypted along with a message integrity code that ensures that the data have not been altered.
The IEEE 802.11i standard defines protected Wi-Fi networks with more robust security solutions than the 802.11 standard. IEEE 802.11i is also known as a Robust Security Network (RSN).

Figure indicates the security protocols used to support these services.

Figure lists the cryptographic algorithms used for these services.
IEEE 802.11i Phases of Operation
The operation of an IEEE 802.11i RSN can be broken down into five distinct phases of operation. The exact nature of the phases will depend on the configuration and the end points of the communication.

1. Discovery: An AP uses messages called Beacons and Probe Responses to advertise its IEEE 802.11i security policy. The STA uses these to identify an AP for a WLAN with which it wishes to communicate. The STA associates with the AP, which it uses to select the cipher suite and authentication mechanism when the Beacons and Probe Responses present a choice.
2. Authentication: During this phase, the STA and AS prove their identities to each other. The AP blocks non-authentication traffic between the STA and AS until the authentication transaction is successful. The AP does not participate in the authentication transaction other than forwarding traffic between the STA and AS.
3. Association: As soon as the authentication ends, the client prepares to associate with the AP by forwarding an association request to negotiate the required cipher suites, such as TKIP/CCMP/GCMP. During the client's association, the AP keeps an association ID and sends an association response back. A client can be authenticated to many networks but can be associated with only one network at a time.
4. Key generation and distribution: The AP and the STA perform several operations that cause cryptographic keys to be generated and placed on the AP and the STA. Frames are exchanged between the AP and STA only.
5. Protected data transfer: Frames are exchanged between the STA and the end station through the AP. As denoted by the shading and the encryption module icon, secure data transfer occurs between the STA and the AP only; security is not provided end-to-end.
6. Connection termination: The AP and STA exchange frames. During this phase, the secure connection is torn down and the connection is restored to the original state.
Types of Wi-Fi networks
● Wi-Fi Personal Networks
● Wi-Fi Enterprise Networks
Mode of operation - Wi-Fi Personal Networks (figure slide)
Mode of operation - Wi-Fi Enterprise Networks (figure slide)
4-Way Handshake Phase
● The 4-way handshake is the process of exchanging 4 messages between an access point (authenticator) and the client device (supplicant) to generate the encryption keys that are used to encrypt the actual data sent over the wireless medium.
● PMK (Pairwise Master Key)
● PTK (Pairwise Transient Key): the Pairwise Transient Key is used to encrypt all unicast traffic between a client station and the access point. The PTK is unique between a client station and an access point. To generate the PTK, the client device and the access point need the following information:

● PTK = PRF(PMK + ANonce + SNonce + MAC(AP) + MAC(Supplicant/client))
● GTK (Group Transient Key)
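The PTK formula above, carried through in Python as an added example (not code from the slides): the IEEE 802.11i PRF (HMAC-SHA1 iterated over a counter under the label "Pairwise key expansion"), the canonical min/max ordering of the two MAC addresses and two nonces that lets both sides derive the same key, and the split of a CCMP PTK into KCK, KEK and TK. The PMK, nonces and MAC addresses used are constructed sample values.

```python
"""PTK derivation for the 4-way handshake: PTK = PRF-n(PMK, "Pairwise key expansion",
min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
All key material in the tests is constructed; nothing here is a real network key.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... and truncate."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, nbits: int = 384) -> bytes:
    """aa = authenticator (AP) MAC, spa = supplicant (client) MAC, 6 bytes each; nonces 32 bytes each.

    Sorting the addresses and nonces makes the derivation independent of which side computes it.
    384 bits is the CCMP PTK size; TKIP uses 512.
    """
    if len(pmk) != 32 or len(aa) != 6 or len(spa) != 6 or len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("PMK must be 32 bytes, MACs 6 bytes, nonces 32 bytes")
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbits)


def split_ptk(ptk: bytes) -> Dict[str, bytes]:
    """CCMP split: KCK (MIC key for handshake messages), KEK (wraps the GTK), TK (data encryption key)."""
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def simulate_handshake(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                       anonce: Optional[bytes] = None, snonce: Optional[bytes] = None) -> Dict[str, object]:
    """After message 1 (ANonce, AP -> STA) and message 2 (SNonce, STA -> AP), each side derives the PTK alone."""
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)
    ap_ptk = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)     # computed by the authenticator
    sta_ptk = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)    # computed by the supplicant
    return {"ap": split_ptk(ap_ptk), "sta": split_ptk(sta_ptk), "match": ap_ptk == sta_ptk}
```

Because the PTK depends on both nonces, a handshake that reuses a PMK but picks a fresh ANonce/SNonce yields a fresh PTK; the test below checks that property alongside the symmetry of the derivation.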
Wi-Fi Service Sets
● Basic Service Set (BSS), as the name suggests, is basically a network topology that allows all wireless devices to communicate with each other through a common medium i.e. AP (Access point). It also manages these wireless devices or clients. It basically provides a building block to all wireless LAN (Local Area Network).
● BSS basically contains only one AP that is connected to all stations i.e. all wireless devices within the network. Here, AP is a common access point that acts as a medium and creates WLAN (Wireless Local Area Network).
● AP allows all wireless devices to get connected to a wired network and start communicating with each other. Therefore, AP is considered a master that controls all wireless devices or stations with BSS or WLAN.
● BSS contains only one AP, but it may contain one or more stations. BSS is generally considered simplest if it contains one AP and one station.
Types of service set:
• Independent Basic Service Set (IBSS)
• Basic Service Set (BSS)
• Extended Service Set (ESS)
• Mesh Basic Service Set (MBSS)
Independent Basic Service Set (IBSS) - Ad Hoc Connection
Basic Service Set (BSS)
Basic Service Set (BSS) - Distribution Systems
Extended Service Set (ESS)
Wired Equivalent Privacy (WEP)
● Wired Equivalent Privacy (WEP) is a security protocol, specified in the IEEE Wireless Fidelity (Wi-Fi)
standard, 802.11b. That standard is designed to provide a wireless local area network (WLAN) with a
level of security and privacy comparable to what is usually expected of a wired LAN.
● WEP attempted to limit access to wireless network data in the same way wired local area networks
(LANs) protect data. Users with physical access to the network access points are the only ones with
access to wired networks. Wireless networks like Wi-Fi depend on encryption protocols like WEP to
prevent unauthorized access to network data.
Wired Equivalent Privacy (WEP)
The basic network security services the protocol provides for wireless networks include the following:
● Privacy. WEP initially used a 64-bit key with the RC4 stream encryption algorithm to encrypt data transmitted
wirelessly. Later versions of the protocol added support for 128-bit keys and 256-bit keys for improved security. WEP
uses a 24-bit initialization vector, which resulted in effective key lengths of 40, 104 and 232 bits.
● Data integrity. WEP uses the CRC-32 checksum algorithm to check that transmitted data is unchanged at its
destination. The sender uses the CRC-32 cyclic redundancy check to generate a 32-bit hash value from a sequence of
data. The recipient uses the same check on receipt. If the two values differ, the recipient can request a retransmission.
● Authentication. WEP authenticates clients when they first connect to the wireless network access point. It enables
authentication of wireless clients with these two mechanisms:
1. Open System Authentication. With OSA, Wi-Fi-connected systems can access any WEP network access
point, as long as the connected system uses a service set identifier that matches the access point SSID.
2. Shared Key Authentication. With SKA, Wi-Fi-connected systems use a four-step challenge-response
algorithm to authenticate.
Working of WEP- Encryption
Wired Equivalent Privacy (WEP) - Limitations
❑ Stream cipher. Encryption algorithms applied to data streams, called stream ciphers, can be
vulnerable to attack when a key is reused. The protocol's relatively small key space makes it
impossible to avoid reusing keys.
❑ RC4 weaknesses. The RC4 algorithm itself has come under scrutiny for cryptographic weakness
and is no longer considered safe to use. (The sender simply XORs the keystream with the plaintext to
produce the ciphertext.)
❑ If an attacker flips a bit in the ciphertext, the corresponding bit in the plaintext will be flipped.
❑ If an eavesdropper intercepts two ciphertexts encrypted with the same keystream, it is possible
to obtain the XOR of the two plaintexts. This XOR output enables some statistical attacks to recover
the plaintext.
❑ Optional. As designed, use of the protocol is optional. Because it is optional, users often failed to
activate it when installing WEP-enabled devices.
❑ Shared key. The default configuration for these systems uses a single shared key for all users.
You can't authenticate individual users when all users share the same key.
Wi-Fi Protected Access (WPA)
● The two security protocols and security certification programs are Wi-Fi Protected Access (WPA) and
Wi-Fi Protected Access II (WPA2).
● These were developed by the Wi-Fi Alliance to secure wireless computer networks.
● The Wi-Fi Alliance defined these protocols because of the serious weaknesses that researchers found in
the previous system, Wired Equivalent Privacy (WEP).
● WPA, also referred to as the draft IEEE 802.11i standard, became available in 2003.
● The Wi-Fi Alliance made it an intermediate measure in anticipation of the availability of the more
secure and complex WPA2, which became available in 2004. WPA2 is a common shorthand for the full
IEEE 802.11i (or IEEE 802.11-2004) standard.
Working of WPA/2 Encryption
● When a client wants to send some information (plaintext) to the AP, it uses the PTK just negotiated and combines it with the packet
number (nonce) to form the packet key for that packet.
● The packet number is incremented by one for every frame transmitted.
● The idea is to combine the session key with the packet number to create a unique packet key.
● This packet key is fed to the stream cipher to create the required keystream.
● This keystream is simply XORed with the plaintext to create the encrypted data (ciphertext).
● The nonce (packet number) is carried in the header of the ciphertext, so that the AP is able to decrypt the packet.
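An added example (not code from the slides) that serves both the WEP limitations listed earlier and the per-packet keying just described. The first half models WEP's framing with a real RC4 keystream so two of the listed weaknesses can be observed on constructed data: a flipped ciphertext bit lands in the plaintext, and two frames sent under the same IV leak the XOR of their plaintexts. The second half models the WPA/2 idea of combining the session key with a packet number: the keystream here is an HMAC-SHA256 counter construction and the MIC is a truncated HMAC-SHA256, both stand-ins (assumption) for the real TKIP and AES-CCMP algorithms, and the receiver shows the two checks the packet number makes possible. All keys, IVs and payloads are constructed.

```python
import hashlib
import hmac
import zlib

# Added example (not from the slides). RC4 appears only to mirror WEP's construction; the
# WPA-style keystream, MIC and receiver below are simplifications (assumption), not TKIP/CCMP.


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus keystream generation (obsolete cipher, shown for WEP only)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV || (plaintext || CRC-32 ICV) XOR RC4(IV || key). The IV travels in clear."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    body = plaintext + icv
    return iv + xor_bytes(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok)."""
    iv, cipher = frame[:3], frame[3:]
    body = xor_bytes(cipher, rc4_keystream(iv + key, len(cipher)))
    plaintext, icv = body[:-4], body[-4:]
    return plaintext, icv == zlib.crc32(plaintext).to_bytes(4, "little")


KEY40 = bytes.fromhex("0102030405")  # constructed 40-bit WEP key
IV = b"\x00\x00\x07"                  # constructed 24-bit IV


def demo_bit_flip():
    """Flipping one ciphertext bit flips the same plaintext bit; the cipher itself cannot notice."""
    frame = bytearray(wep_encrypt(KEY40, IV, b"SETPOINT=21C"))
    frame[3 + 9] ^= 0x01                       # ciphertext byte carrying plaintext index 9 ('2')
    return wep_decrypt(KEY40, bytes(frame))    # (b"SETPOINT=31C", False)


def demo_keystream_reuse(p1: bytes, p2: bytes) -> bool:
    """Two frames under the same IV share a keystream, so c1 XOR c2 == p1 XOR p2."""
    c1 = wep_encrypt(KEY40, IV, p1)[3:]
    c2 = wep_encrypt(KEY40, IV, p2)[3:]
    return xor_bytes(c1, c2)[:min(len(p1), len(p2))] == xor_bytes(p1, p2)


# --- WPA-style framing: session key + packet number (PN) -> unique per-packet keystream ---

def packet_keystream(tk: bytes, pn: int, length: int) -> bytes:
    """Toy per-packet keystream from the temporal key and the PN (HMAC-SHA256 counter; assumption)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(tk, pn.to_bytes(6, "big") + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def wpa_like_encrypt(tk: bytes, mic_key: bytes, pn: int, plaintext: bytes) -> bytes:
    """PN in the clear header, keystream XOR plaintext, then a keyed MIC over PN || ciphertext."""
    cipher = xor_bytes(plaintext, packet_keystream(tk, pn, len(plaintext)))
    mic = hmac.new(mic_key, pn.to_bytes(6, "big") + cipher, hashlib.sha256).digest()[:8]
    return pn.to_bytes(6, "big") + cipher + mic


class WpaLikeReceiver:
    """Checks the MIC, then rejects any PN not greater than the last accepted one (replay check)."""

    def __init__(self, tk: bytes, mic_key: bytes):
        self.tk, self.mic_key, self.last_pn = tk, mic_key, -1

    def receive(self, frame: bytes):
        header, cipher, mic = frame[:6], frame[6:-8], frame[-8:]
        expected = hmac.new(self.mic_key, header + cipher, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(mic, expected):
            return None, "mic_failed"
        pn = int.from_bytes(header, "big")
        if pn <= self.last_pn:
            return None, "replay"
        self.last_pn = pn
        return xor_bytes(cipher, packet_keystream(self.tk, pn, len(cipher))), "ok"


def demo_wpa_like():
    """Receiver verdicts for: fresh frame, next frame, replayed first frame, tampered frame."""
    tk, mic_key = b"\x11" * 16, b"\x22" * 16   # constructed session keys
    rx = WpaLikeReceiver(tk, mic_key)
    f1 = wpa_like_encrypt(tk, mic_key, 1, b"SETPOINT=21C")
    f2 = wpa_like_encrypt(tk, mic_key, 2, b"SETPOINT=21C")
    tampered = bytearray(f2)
    tampered[6 + 9] ^= 0x01
    return [rx.receive(f)[1] for f in (f1, f2, f1, bytes(tampered))]
```

In the WEP half, the naive single-bit flip is caught by the CRC-32 ICV, but CRC-32 is a linear checksum with no key, which is why the slides say it gave no sufficiently strong integrity guarantee and why WPA replaced it with a keyed MIC. In the WPA-style half, two frames with the same plaintext but different packet numbers produce different ciphertexts, the keyed MIC rejects the tampered frame, and the monotonically increasing PN rejects the replayed one; those are the checks a per-packet key and a packet number buy over WEP's fixed key.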
Wi-Fi Protected Access (WPA)
● The WPA is an intermediate measure to take the place of WEP.
● WPA could be implemented through firmware upgrades on wireless network interface cards that were
designed for WEP in 1999. However, since more changes were required in the wireless access points (APs)
than those needed on the network cards, most pre-2003 APs could not be upgraded to support WPA.
● The WPA protocol implements almost all of the IEEE 802.11i standard.
● The Temporal Key Integrity Protocol (TKIP) was adopted for WPA.
● WEP used a 64-bit or 128-bit encryption key that must be manually entered on wireless access points and
devices which once entered can never be changed.
● TKIP employs a per-packet key, which means that it dynamically generates a new 128-bit key for each packet
and thus prevents the types of attacks that compromised WEP.
Wi-Fi Protected Access (WPA)
● WPA included a Message Integrity Check, which is designed to prevent an attacker from altering or resending
data packets.
● This replaced the cyclic redundancy check (CRC) that was used by the WEP standard.
● The main flaw of the CRC was that it did not provide a sufficiently strong data integrity guarantee for the
packets it handled.
● Well-tested message authentication codes existed to solve these problems, but they required too much
computation to be used on old network cards.
● WPA uses the message integrity check algorithm of TKIP (named Michael) to verify the integrity of the packets.
● TKIP's check is much stronger than a CRC, but the algorithm used in WPA2 is stronger still.
● Researchers discovered a flaw in WPA that resembles older weaknesses in WEP and exploits the limitations of the
message integrity code hash function, named Michael, to retrieve the keystream from short
packets and use it for re-injection and spoofing.
Wi-Fi Protected Access (WPA2)
● WPA2 replaced WPA.
● WPA2, which requires testing and certification by the Wi-Fi Alliance, implemented the
mandatory elements of IEEE 802.11i. In particular, it included mandatory support for
CCMP (Counter Mode CBC-MAC Protocol), an AES (Advanced Encryption Standard) based
encryption mode.
● Certification began in September 2004.
● WPA2 certification has been mandatory for all new devices bearing the Wi-Fi trademark since
March 13, 2006.
● The latest standard, WPA3, was introduced in 2018 and uses Simultaneous Authentication of Equals (SAE).
Attacks on WPA or WPA2
1. WPA/WPA2 Key Reinstallation Attack (KRACK): KRACK is a severe vulnerability that targets the WPA and WPA2
protocols. It exploits a weakness in the four-way handshake process, allowing an attacker to intercept and decrypt
Wi-Fi traffic, and potentially inject malicious data.
2. Evil Twin Attack: In an evil twin attack, an attacker sets up a rogue access point with a similar name to a legitimate
network. Unsuspecting users connect to the fake network, allowing the attacker to capture their sensitive
information or launch further attacks.
3. Brute Force Attack: A brute force attack involves attempting all possible combinations of passwords until the correct
one is found. This attack can be time-consuming but can be successful if the password is weak or easily guessable.
4. Dictionary Attack: In a dictionary attack, an attacker uses a pre-compiled list of common passwords (dictionary) to
try to gain unauthorized access. This attack is effective against weak and easily guessable passwords.
5. WPS PIN Cracking: Wi-Fi Protected Setup (WPS) is a feature that simplifies the process of connecting devices to a
network. However, it can be vulnerable to brute force attacks on the eight-digit PIN used for authentication.
Attackers can exploit this weakness to gain unauthorized access to the network.
6. Denial-of-Service (DoS) Attack: A DoS attack aims to disrupt the availability of the Wi-Fi network by overwhelming it
with a high volume of malicious traffic or by exploiting vulnerabilities in the WPA standard to crash the network.
Compare the Wireless LAN protocols WEP, WPA and WPA2
University Questions
Short answer questions
● List three design goals for a firewall.
● What information is used by a typical packet-filtering router?
● What are some weaknesses of a packet-filtering router?
● What is the difference between a packet-filtering router and a stateful inspection firewall?
● What is an application-level gateway?
● What is a circuit-level gateway?
● What is a Bastion Host? What are its characteristics?
● Write short note on encrypted channels.
● In the context of access control, what is the difference between a subject and an object?
● What is the difference between an access control list and a capability ticket?
● What are the two rules that a reference monitor enforces?
● What properties are required of a reference monitor?
● Discuss IEEE 802.11i Services.
● What is Wired Equivalent Privacy (WEP)? Lists its limitations.
● How is the concept of association related to that of mobility in wireless networks?
University Questions
Essay type questions
● Illustrate different types of firewalls
● Demonstrate various firewall configurations
● Illustrate the concept of trusted systems with data access control and various access control structures
● Elucidate IEEE 802.11i Phases of Operation when a wireless client wants to connect to an access point.
● Differentiate between Wi-Fi personal and enterprise networks
● Explain various Wi-Fi Service Sets
● With neat diagram, illustrate how encryption is performed in WEP and WPA2 protocols.
● Compare the Wireless LAN protocols WEP, WPA and WPA2
Important University Question
● How is the concept of association related to that of mobility in wireless networks?
● ANS: The concept of association is closely related to mobility in WLAN (Wireless Local Area Network) networks. In
WLAN, association refers to the process by which a wireless client device, such as a laptop or smartphone,
establishes a connection with an access point (AP) to access the network.
● When a client device moves within the coverage area of a WLAN network, it may need to switch its association from
one access point to another as it moves out of range of the current AP and into the range of another AP. This
process is known as mobility or handover.
● During mobility, the client device needs to disassociate from the current AP and then associate with the new AP
seamlessly to maintain an uninterrupted network connection. The new AP, upon receiving the association request
from the client, authenticates and authorizes the client to join the network.
● The association process in WLAN networks plays a crucial role in supporting mobility. It ensures that client devices
can seamlessly roam between different access points without experiencing interruptions or loss of connectivity.
Effective association mechanisms and protocols are essential for enabling efficient mobility management in WLAN
networks.