A brief introduction to the various wireless technologies is necessary to ensure we are
speaking the same language. If you feel comfortable with these topics, feel free to skip
ahead to the next chapter. In this section, we will look at a few definitions that represent
a vital, foundational understanding of wireless technologies. I won’t be providing any
information for actually configuring devices; however, the information provided should be
universal across devices.
802.11 is the name for the working group from the Institute of Electrical and Electronic
Engineers (IEEE) for wireless local area networks. IEEE working groups are essentially
committees of experts who define standards of operation for specific technologies so
that manufacturers can build devices that can interoperate. Nowadays, there's a virtual
alphabet soup of wireless technologies. We won’t focus too much on the differences
here; just understand that with each new generation generally you have an increase in
bandwidth and/or security features.
The IEEE identifies each standard with a letter. For example, 802.11a is different from
802.11b. Although there are some commonalities between technologies, there are also
differences, as well as advantages and disadvantages to choosing one technology over
the other. For the most part, the differences between standards are in speed, modulation
techniques, and whether they are backward compatible; a security technique that
works for one will work for the others. For example, even though 802.11g was developed
after 802.11b, it still supports WEP to ensure backward compatibility.
However, keep in mind that some specific tools will only work for a specific standard.
For example, if a program is written specifically to work with 802.11b, it might not work
for 802.11a or even 802.11g. Because the underlying protocols for how data is handled are
the same across standards, the attacks and defense in theory will be identical.
The 802.11 standards prescribe which frequencies these technologies use as well
as the channels available to them. For example, the 802.11b standard operates in the
2.4 GHz frequency and, in the United States, has 11 unique channels available for use
(labeled Channels 1 through 11). These unique channels assist in allowing networks to
be physically close and not interfere with each other. However, depending on the country,
the channels available for use may be different. For example, in Japan the channels are
actually 1 through 14. This has security implications because an access point operating on
Channel 14 may go completely unnoticed in the U.S. More on this later.
The following is a simple cheat sheet of the 802.11 standards (frequency band, maximum data rate, and backward compatibility).

| Standard | Frequency | Max Rate | Backward Compatible With |
|----------|-----------|----------|--------------------------|
| 802.11a | 5 GHz | 54 Mbps | None |
| 802.11b | 2.4 GHz | 11 Mbps | None |
| 802.11g | 2.4 GHz | 54 Mbps | 802.11b |
| 802.11n | 2.4 GHz / 5 GHz | 100 Mbps and higher | 802.11b, 802.11g |
Various wireless LAN technologies are fairly similar, which is understandable
considering that each new generation of standard is typically backward compatible with its
predecessor. Technologies that are unique to a specific generation of wireless technologies
will be noted as such.
Wireless networks can operate in one of two basic modes: Infrastructure and Ad-Hoc.
In Infrastructure mode, clients connect to an access point. In Ad-Hoc mode, no access
point is involved; instead, clients communicate with each other (or end nodes). We’ll use
the term end node because nowadays a client can be anything from a laptop to a cell phone
to a printer with a built-in wireless network card.
Access points are a vital component of any scalable wireless network. An access point
essentially connects two dissimilar technologies, and a wireless access point represents
the physical device that is the liaison between wireless communications and wired
communications. It is worth noting that back-end communication does not necessarily
have to be wired communication. For example, some cellular providers have started
offering access points with built-in cellular network cards to connect to their cellular
network. In this case, you would still connect to the access point but the access point itself
would not need a wired network connection.
Access points have come a very long way since their introduction. Many features
(some new, some borrowed from existing technologies) have been added to access points. For example, captive web
portals existed long before wireless networks became popular, but they have since
been implemented in many access points. We will not discuss every feature available,
but definitely keep in mind that from a security perspective all this added functionality
comes with its own inherent risks. For example, whereas you once could only configure
an access point from a web interface or a limited command line, now you have an almost
full-fledged command line with common network tools. Thus, tools such as Ping, Telnet,
SSH, and Traceroute make an access point an even more appealing target for an attacker
to leverage his position and infiltrate deeper into a network. Also keep in mind that
with added complexity comes a greater chance to misconfigure an access point. More
knowledge is required to securely configure an access point with more features. We’ll go
over this in more detail in Chapter 6.
Autonomous vs. Controller Based
Originally, access points were configured one at a time; such access points are referred to
as autonomous access points because they function as singular units. Obviously, for large-scale deployments this requires too much time. Management systems were first introduced
to solve this problem, and now we have controller-based systems that make configuration
A management system would typically be installed on a server (or desktop) and would
simply interact with existing management protocols, thus allowing administrators to
automate some of the more mundane tasks. Existing management protocols include tools
such as Telnet, SSH, and SNMP. An administrator could, for example, create a template
profile with a specified SSID, encryption method, and authentication method and apply
this template to an access point.
The management system would then telnet (or connect using another management
protocol) to the access point and apply the configuration. This, of course, requires that first
the administrator configure basic IP connectivity on the access point and enable Telnet.
Therefore, a level of administrative burden is associated with adding new access points.
To make things even easier on administrators, we have a new generation of access
points that are commonly referred to as lightweight access points. A few protocols deal
with lightweight access points, mainly the Cisco proprietary LWAPP (Lightweight Access
Point Protocol) and CAPWAP (Control And Provisioning of Wireless Access Points),
which is a standard, interoperable protocol based on LWAPP. It is not necessary to
understand the specifics of these protocols; they will be discussed in greater detail later.
Lightweight access points generally allow an administrator to perform 99 percent of
the configuration ahead of time, thus greatly reducing the total administrative effort. An
administrator can create a profile that completely configures an access point. When a new
access point is added to the network, it “discovers” the controller and “automagically”
downloads and applies the appropriate configuration. A myriad of different options are
available for how the access point discovers the controller and how it downloads its
configuration. We will be reviewing these options in Chapter 11. The important thing
to note is that you don’t even need an IP address configured on your lightweight access
points. You can literally take your shiny new lightweight access point out of the box, plug
it into your network, and it will be configured automagically and provide wireless services.
Think about how beneficial this would be for large-scale deployments. However,
although this is the latest and greatest technology for configuring wireless access points,
it is not necessary for all new wireless deployments. You must still evaluate the return on
investment. In many cases, just configuring (a few) access points by hand can be a much
more cost-effective solution. We will evaluate the different options for using a controller-based system in a few test scenarios in later chapters.
SSID, BSSID, MAC Address
The SSID, BSSID and MAC address are all essential unique identifiers for a wireless
network. The Service Set Identifier (SSID) is the human readable name associated with an
802.11 wireless network. It is often called the wireless “network name” and can be shared
by multiple access points. The Basic Service Set Identifier (BSSID) uniquely identifies a
specific access point and is in the same format as a MAC address; thus, most commonly, it
is the MAC address of the access point. The Extended Service Set Identifier (ESSID) can
essentially be thought of as a group of BSSIDs that share the same Layer 2 network and
the same SSID.
Beacons and Broadcasts
Access points send out beacons, which are radio broadcasts that advertise the wireless
settings for a specific BSSID. These settings typically contain the SSID, encryption
method, and so on. Many access points have an option to disable the broadcast of the
SSID. Enabling this option does not typically disable beacons but rather configures the
access points to send a beacon with a blank SSID. However, this does not prevent an
attacker from obtaining the SSID, which you will read about in Chapter 3.
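As an added example (not code from the book), here is a small Python parser for the tagged parameters of an 802.11 beacon body. It reports the advertised SSID (flagging the blank SSID that "disabled SSID broadcast" produces, as described above), the Privacy capability bit, and the channel carried in the DS Parameter Set, and it checks that channel against the per-country channel lists given earlier (US 1 through 11, Japan 1 through 14). The beacon bodies and the regulatory table are constructed for illustration; `analyze_beacon`, `parse_ies` and the other names are assumptions of this example, not a real library API.

```python
import struct

# Assumed simplified regulatory table, taken from the text: US = channels 1-11, Japan = 1-14.
ALLOWED_CHANNELS = {"US": set(range(1, 12)), "JP": set(range(1, 15))}
FIXED_PARAMS_LEN = 12  # timestamp (8) + beacon interval (2) + capability info (2)
CAP_PRIVACY = 0x0010   # capability bit that advertises encryption ("Privacy")

def channel_to_freq_mhz(ch):
    # Center frequency of a 2.4 GHz channel; channel 14 is the odd one out.
    if 1 <= ch <= 13:
        return 2407 + 5 * ch
    if ch == 14:
        return 2484
    raise ValueError(f"not a 2.4 GHz channel: {ch}")

def parse_ies(tagged):
    """Walk the tag/length/value information elements of a beacon body into {tag: value}."""
    ies, i = {}, 0
    while i + 2 <= len(tagged):
        tag, length = tagged[i], tagged[i + 1]
        value = tagged[i + 2:i + 2 + length]
        if len(value) < length:
            raise ValueError("truncated information element")
        ies.setdefault(tag, value)  # keep the first occurrence of a repeated tag
        i += 2 + length
    return ies

def analyze_beacon(body, domain="US"):
    """Summarise what a beacon body advertises and flag a channel outside the domain."""
    capability = struct.unpack_from("<H", body, 10)[0]
    ies = parse_ies(body[FIXED_PARAMS_LEN:])
    ssid_raw = ies.get(0, b"")
    # A "disabled SSID broadcast" shows up as a zero-length or all-NUL SSID element.
    hidden = len(ssid_raw) == 0 or ssid_raw == b"\x00" * len(ssid_raw)
    ds_param = ies.get(3)  # DS Parameter Set carries the current channel
    channel = ds_param[0] if ds_param else None
    return {
        "ssid": None if hidden else ssid_raw.decode("utf-8", errors="replace"),
        "hidden_ssid": hidden,
        "privacy": bool(capability & CAP_PRIVACY),
        "channel": channel,
        "freq_mhz": channel_to_freq_mhz(channel) if channel else None,
        "out_of_domain": channel is not None and channel not in ALLOWED_CHANNELS[domain],
    }

# Constructed sample beacon bodies (not captures): fixed params, then SSID / rates / DS IEs.
BEACON_CH14 = (b"\x00" * 8 + b"\x64\x00" + b"\x11\x04"
               + b"\x00\x07CorpNet" + b"\x01\x04\x82\x84\x8b\x96" + b"\x03\x01\x0e")
BEACON_HIDDEN = (b"\x00" * 8 + b"\x64\x00" + b"\x01\x00"
                 + b"\x00\x00" + b"\x01\x04\x82\x84\x8b\x96" + b"\x03\x01\x06")
```

Run against the two constructed beacons, the first is reported as "CorpNet" on channel 14 (2484 MHz) with Privacy set and out of the US domain, while the second is reported as a hidden SSID on channel 6.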
Associating and Authenticating
Association and authentication are performed by clients when they want to join a wireless
network. Associating to an access point means that your client and the access point have
“agreed upon” which parameters to use to ensure proper communication. Things such as
the channel and encryption method have been verified to be the same. Authentication is
a way of verifying that you are authorized to connect to the network. There are multiple
methods of authentication, and authentication happens prior to association. We will
discuss the vulnerabilities with certain authentication mechanisms in Chapter 3 as well as
look at examples of more secure options.
Encryption is utilized just as it is in any other technology. It obscures the data so that
only “authorized” people can view the actual data. You have many different choices for
encrypting network data; some are new implementations created for wireless technologies,
and others have been around for a while. In Chapters 3 and 4, we explore these encryption
options as well as crack some of them.
In this chapter, we covered the foundational knowledge you should have to get the most
from this book. We reviewed 11 different security principles that apply across many
scenarios, not just wireless networking. We also covered the fundamental components for
wireless communications, including the basics of wireless networking. We’ll refer to the
topics introduced here in more detail in future chapters, but you can always refer to this
chapter for a reference on the basics.