point to allow or disallow clients based on their physical hardware address. However, spoofing a MAC address is an easy task for a hacker, so MAC address filtering is not considered a security feature.
Automatic DHCP
Most WLANs use DHCP to assign IP addresses. DHCP assigns IP addresses to hackers as readily as to legitimate users. Once connected, the hacker can see everyone else who is connected to the network, along with any shared files or resources. Many people overlook this problem, especially when working at home or on a public network.
Cracking WEP
Basic 802.11 WEP security is designed to guard against the threat to network security from unauthorized 802.11 devices outside the LAN. Under WEP, the network considers any device with a valid WEP key to be a legitimate and authorized user. With only basic WEP encryption enabled (or with no encryption enabled), it is possible to collect data and obtain sensitive network information, such as user login information, account numbers, and personal records. WEP encrypts the body of each frame using the RC4 encryption algorithm, which operates by expanding a short key into a pseudo-random key stream. The sender encrypts the data by combining it with the key stream, and the receiver uses a copy of the same key to regenerate the key stream and decrypt the data. Unfortunately, a hacker can crack any WEP key with readily available software in two minutes or less. If an attacker obtains the WEP key through hardware loss, theft, or a wireless security exploit, the network and its wireless users are vulnerable, and the keys must be changed. Most WLAN client utilities assign persistent WEP keys (keys that are stored in nonvolatile memory on the card itself) to a client adapter. Basic 802.11 WEP security provides only one-way authentication: the client is authenticated to the access point (its WEP key is checked), but not vice versa; this is called origin authentication. The client therefore has no way of knowing whether the access point is a legitimate part of the WLAN or a rogue device that uses the same WEP key, and this is what makes man-in-the-middle attacks a concern. With shared key authentication, a hacker can capture the challenge text packet that is sent to the client and then capture the encrypted response, which allows the hacker to derive the WEP key that is being used. More generally, using a WLAN sniffer, a hacker can capture enough packets to crack the security and derive the WEP keys, no matter which method of authentication is used. Although basic WEP is better than no security, this option is inadequate.
Initialization Vector Attack
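The construction described above (a short key expanded by RC4 into a key stream that is XORed with the frame body), extended with the per-packet IV this section covers, as an added example that is not part of the lesson. It also shows what IV reuse gives an eavesdropper without any knowledge of the WEP key, and how quickly random 24-bit IVs start repeating, which is why a short key timeout matters. All function names, the key, the IV and the frame bodies are constructed sample values.

```python
import random

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA + PRGA), written here only to illustrate WEP's construction."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encrypt_body(iv: bytes, shared_key: bytes, body: bytes) -> bytes:
    """WEP per-packet key = 24-bit IV || shared key; body XOR RC4 key stream.
    The CRC-32 ICV that real WEP appends is omitted; it does not change the point.
    Because XOR is its own inverse, the same call also decrypts."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    ks = rc4_keystream(iv + shared_key, len(body))
    return bytes(b ^ k for b, k in zip(body, ks))

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def iv_reuse_leak(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Why IV reuse matters: the same IV and key give the same key stream, so
    c1 XOR c2 == p1 XOR p2, and a frame with known content (p1) exposes p2."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)

def frames_until_iv_repeat(seed: int = 1) -> int:
    """Frames sent with fresh random 24-bit IVs before the first IV repeats.
    Deterministic for a given seed; the birthday bound puts the median near 4800."""
    rng = random.Random(seed)
    seen = set()
    n = 0
    while True:
        n += 1
        iv = rng.getrandbits(24)
        if iv in seen:
            return n
        seen.add(iv)
```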
To avoid encrypting two ciphertexts with the same key stream, WEP uses an Initialization Vector (IV) to augment the shared secret key and produce a different RC4 key for each packet. The IV is included in the packet. Another type of attack is the passive, or weak IV, attack. How the IV is changed depends on the vendor implementation (Cisco Aironet wireless products change the IV on a per-packet basis). If the IV is transmitted as plaintext, an attacker who is "sniffing" the WLAN can see the IV. If the same IV is used repeatedly with the same WEP key, a hacker can capture the frames and derive information about the data in the frame and data from the network. Static WEP keys have proven to be highly vulnerable to this type of attack, which is why static WEP use is discouraged; instead, use the more advanced security features discussed later in this lesson. Cisco Aironet access point firmware includes features that improve RC4 and WEP security by hashing WEP keys, thus protecting against weak IVs. You must take care to configure WLAN security to protect against this type of attack. Configuring the WEP key timeout on the authentication server provides protection: this practice forces wireless clients to reauthenticate, which results in the generation of a new WEP key. A shorter timeout period means that wireless clients do not use the same WEP key long enough for a hacker to capture the number of frames needed to deduce the WEP key.
Password Cracking
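An added example (not from the lesson) of the RADIUS-style lockout control this section recommends against online dictionary attacks: failures are counted per user inside a sliding window, the account is locked once the threshold is reached, and each lockout is recorded as evidence that an attack may be under way. The class, its parameters and the sample credentials are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict, deque

def sha256_hex(password: str) -> str:
    # Constructed stand-in for a stored verifier; a real user store should keep a
    # salted, slow hash (for example PBKDF2 or bcrypt), not plain SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()

class LockoutGuard:
    """Online-attack control: lock an account after too many failures in a window."""

    def __init__(self, verifiers, max_failures=5, window_s=300, lockout_s=900):
        self.verifiers = verifiers            # user -> sha256_hex(password)
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.failures = defaultdict(deque)    # user -> timestamps of recent failures
        self.locked_until = {}                # user -> time the lockout expires
        self.alerts = []                      # evidence that an online attack is under way

    def attempt(self, user: str, password: str, now: float) -> str:
        """Returns 'ok', 'fail' or 'locked' for one login attempt at time `now` (seconds)."""
        if self.locked_until.get(user, 0) > now:
            return "locked"
        recent = self.failures[user]
        while recent and now - recent[0] > self.window_s:
            recent.popleft()                  # forget failures outside the window
        expected = self.verifiers.get(user, "")
        # Constant-time compare; an unknown user follows the same path as a wrong password.
        if expected and hmac.compare_digest(sha256_hex(password), expected):
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lockout_s
            self.alerts.append((now, user, "locked after %d failures in %ds"
                                % (len(recent), self.window_s)))
            return "locked"
        return "fail"
```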
Most password-based authentication algorithms are susceptible to online (active) and offline (passive) dictionary attacks. During a dictionary attack, an attacker tries to guess a password and gain network access by trying every "word" in a dictionary of common passwords or possible combinations of passwords. A dictionary attack relies on the fact that a password is often a common word, name, or concatenation of words or names with a minor modification such as a trailing digit or two. Longer passwords with a variety of characters (such as 4yosc10cP!) offer the greatest protection against dictionary attacks. During an online dictionary attack, an attacker tries to gain network access by trying possible passwords for a specific user. Online dictionary attacks can be prevented with the lockout mechanisms available on RADIUS servers, which lock the user out after a certain number of invalid login attempts. Online attacks also provide some evidence that a breach or compromise is being attempted, allowing you to take corrective measures. An offline dictionary attack is carried out in two phases. In the first phase, the attacker captures the challenge and response messages exchanged between the user and the network. In the second phase, the attacker looks for a password match by computing a list of possible challenge-response messages (using a precomputed dictionary, usually with the aid of a password-cracking program) and comparing them against the captured challenge and response messages. The attacker uses known authentication protocol vulnerabilities to reduce the size of the user password dictionary. A strong password policy, combined with a requirement that users change their passwords periodically, significantly reduces the potential for a successful offline attack using these tools. Unlike online attacks, offline attacks are not easily detected.
Man-in-the-Middle Attacks
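An added example (not from the lesson) of a defender-side check for the rogue access point this section describes: scan records that advertise the corporate SSID are compared against an authorized BSSID inventory, flagging unknown radios (especially ones stronger than any authorized AP, as a rogue placed close to a user would be) and authorized BSSIDs showing up on a channel other than their configured one. The inventory and scan records are constructed sample data, and the function and field names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ScanRecord:
    ssid: str
    bssid: str      # MAC of the AP radio
    channel: int
    rssi_dbm: int   # signal strength as seen by the scanning client or sensor

def find_rogue_aps(records, corporate_ssid, authorized):
    """Flag APs advertising the corporate SSID that are not in the authorized
    inventory, or that reuse an authorized BSSID on a channel other than the one
    configured for it. `authorized` maps lowercase BSSID -> configured channel."""
    wanted = [r for r in records if r.ssid == corporate_ssid]
    known = [r for r in wanted if r.bssid.lower() in authorized]
    strongest_known = max((r.rssi_dbm for r in known), default=-100)
    findings = []
    for r in wanted:
        cfg_channel = authorized.get(r.bssid.lower())
        if cfg_channel is None:
            reason = "unknown BSSID advertising the corporate SSID"
            if r.rssi_dbm > strongest_known:
                # A rogue placed close to a user looks exactly like this.
                reason += " (stronger than any authorized AP)"
            findings.append((r.bssid, reason, r))
        elif cfg_channel != r.channel:
            findings.append((r.bssid, "authorized BSSID seen on channel %d, configured on %d"
                             % (r.channel, cfg_channel), r))
    return findings

# Constructed sample data: a small authorized inventory and one scan sweep.
AUTHORIZED_APS = {"00:11:22:33:44:01": 1, "00:11:22:33:44:06": 6}
SAMPLE_SCAN = [
    ScanRecord("corp-wlan", "00:11:22:33:44:01", 1, -62),
    ScanRecord("corp-wlan", "aa:bb:cc:dd:ee:ff", 11, -41),  # unknown radio, very strong
    ScanRecord("corp-wlan", "00:11:22:33:44:06", 11, -70),  # known BSSID, wrong channel
    ScanRecord("guest", "de:ad:be:ef:00:01", 11, -45),      # different SSID, ignored
]

if __name__ == "__main__":
    for bssid, reason, rec in find_rogue_aps(SAMPLE_SCAN, "corp-wlan", AUTHORIZED_APS):
        print(bssid, reason, rec)
```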
Hackers can monitor 802.11 frames on a WLAN using an 802.11 analyzer and position themselves for a "man-in-the-middle" attack. A hacker views the frames that are sent back and forth between a legitimate user's radio NIC and the access point during the association process. This exchange provides information about the radio card and access point, including the IP addresses of both devices, the association ID for the radio NIC, and the SSID. The hacker can then set up a rogue access point (on a different radio channel) closer to a particular user and force the user's radio NIC to reassociate with the rogue access point. Remember that because the 802.11 standard does not authenticate the access point, the radio NIC will reassociate with the stronger signal of the rogue access point. The hacker can now capture traffic from unsuspecting users who are attempting to log in to their own services. If the rogue access point is programmed with the correct WEP key, client data can be captured. The rogue access point can also be configured to provide unauthorized users with information about the network, such as the MAC addresses of clients (both wireless and wired), the ability to capture and spoof data packets, and, at worst, access to servers and files.
DoS Attack
An attacker can insert bogus packets into the wireless LAN to deny service to users. An attacker can launch a brute-force DoS attack with a high-power signal generator that produces enough RF interference to jam radio NICs. The inherent design of the 802.11 standard causes a NIC to stop transmitting when it senses other RF activity. Another DoS attack fools valid radio NICs with fake 802.11 frames. By setting up a radio NIC or 802.11 frame generator to send a continuous stream of clear-to-send frames, the attacker mimics an access point that tells one radio NIC to transmit and all other NICs to wait. The hacker can thus use a fictitious user's radio NIC to delay service to everyone else.
Security Methods—Authentication and Encryption
The two primary facilities for securing the WLAN are authentication and encryption. Authentication is a process that requires a user to present some form of identifying credentials to be