Syngress - Eleventh Hour Network+ Exam N10-004 Study Guide (11 ...

More documents

Recommendations

Info

64 CHAPTER 4 Wireless Networking The shared-key authentication process is a four-step process that begins when the AP receives the validated request for association. The four steps break down in the following manner: 1. The requestor (the client) sends a request for association. 2. The authenticator (the AP) receives the request, and responds by producing a random challenge text and transmitting it back to the requestor. 3. The requestor receives the transmission, encrypts the challenge with the secret key, and transmits the encrypted challenge back to the authenticator. 4. The authenticator decrypts the challenge text and compares the values against the original. If they match, the requestor is authenticated. However, if the requestor does not have the shared key, the cipher stream cannot be reproduced, therefore the plaintext cannot be discovered, and theoretically the transmission is secured. One of the greatest weaknesses in shared-key authentication is that it provides an attacker with enough information to try to crack the WEP secret key. The challenge, which is sent from authenticator to requestor, is sent in the clear. The requesting client then transmits the same challenge, encrypted using the WEP secret key, back to the authenticator. An attacker who captures both of these packets now has two pieces of a three-piece puzzle: the clear text challenge and the encrypted cipher text of that challenge. The algorithm RC4 is also known. All that is missing is the secret key. To determine the key, the attacker may simply try a brute force search of the potential key space using a dictionary attack. In cryptography, this attack is termed a known-plaintext attack and is the primary reason why shared-key authentication is actually considered slightly weaker than open authentication. 802.11I AUTHENTICATION The IEEE 802.11i standard was created for the purpose of providing a security framework for port-based access control that resides in the upper layers of the protocol stack. The most common method for port-based access control is to enable new authentication and key management methods without changing current network devices. The benefits that are the end result of this work include the following: 1. There is a significant decrease in hardware cost and complexity. 2. There are more options, allowing administrators to pick and choose their security solutions. 3. The latest and greatest security technology can be installed and should still work with the existing infrastructure. 4. You can respond quickly to security issues as they arise. When a client device connects to a port on an 802.11i-capable AP, the AP port determines the authenticity of the devices. Before we discuss the workings of the 802.11i standard, the following terminology must be defined:
Wireless Network Concepts 65 ■ Port A single point of connection to a network. ■ Port access entity (PAE) Controls the algorithms and protocols that are associated with the authentication mechanisms for a port. ■ Authenticator PAE Enforces authentication before allowing access to resources located off of that port. ■ Supplicant PAE Tries to access the services that are allowed by the authenticator. ■ Authentication server Used to verify the supplicant PAE. It decides whether or not the supplicant is authorized to access the authenticator. ■ Extensible Authentication Protocol Over LAN (EAPoL) 802.11i defines a standard for encapsulating EAP messages so that they can be handled directly by a LAN MAC service. 802.11i tries to make authentication more encompassing, rather than enforcing specific mechanisms on the devices. Because of this, 802.111i uses Extensible Authentication Protocol (EAP) to receive authentication information. ■ Extensible Authentication Protocol Over Wireless (EAPoW) When EAPoL messages are encapsulated over 802.11 wireless frames, they are known as EAPoW. The 802.11i standard works in a similar fashion for both EAPoL and EAPoW. The EAP supplicant (in this case, the wireless client) communicates with the AP over an “uncontrolled port.” The AP sends an EAP request/identity to the supplicant and a remote authentication dial-in user service (RADIUS)-access-request to the RADIUS access server. The supplicant then responds with an identity packet and the RADIUS server sends a challenge based on the identity packets sent from the supplicant. The supplicant provides its credentials in the EAP-response that the AP forwards to the RADIUS server. If the response is valid and the credentials validated, the RADIUS server sends a RADIUS-access-accept to the AP, which then allows the supplicant to communicate over a “controlled” port. This is communicated by the AP to the supplicant in the EAP-success packet. User Identification and Strong Authentication With the addition of the 802.1x standard, clients are identified by username, not by the MAC addresses of the devices. This design not only enhances security, but also streamlines the process of authentication, authorization, and accountability (AAA) for the network. 802.1x was designed to support extended forms of authentication using password methods (such as one-time passwords, or GSS_API mechanisms like Kerberos) and nonpassword methods (such as biometrics, Internet key exchange [IKE], and smart cards). Dynamic Key Derivation The IEEE 802.1x standard allows for the creation of per-user session keys. WEP keys do not have to be kept at the client device or at the AP when using 802.1x. These WEP keys are dynamically created at the client for every session, thus making it more secure. The global key, like a broadcast WEP key, can be encrypted
Page 2 and 3:
Syngress is an imprint of Elsevier
Page 4 and 5:
xii About the Authors Technical Edi
Page 6 and 7:
2 CHAPTER 1 Network Fundamentals Ne
Page 8 and 9:
4 CHAPTER 1 Network Fundamentals re
Page 10 and 11:
6 CHAPTER 1 Network Fundamentals
Page 12 and 13:
8 CHAPTER 1 Network Fundamentals Wh
Page 14 and 15:
10 CHAPTER 1 Network Fundamentals d
Page 16 and 17:
12 CHAPTER 1 Network Fundamentals
Page 18 and 19: 14 CHAPTER 1 Network Fundamentals T
Page 20 and 21: 16 CHAPTER 1 Network Fundamentals T
Page 22 and 23: 18 CHAPTER 1 Network Fundamentals I
Page 24 and 25: 20 CHAPTER 2 Network Media DID YOU
Page 26 and 27: 22 CHAPTER 2 Network Media Table 2.
Page 28 and 29: 24 CHAPTER 2 Network Media ■ Perf
Page 30 and 31: 26 CHAPTER 2 Network Media Table 2.
Page 32 and 33: 28 CHAPTER 2 Network Media LAN TECH
Page 34 and 35: 30 CHAPTER 2 Network Media CONNECTO
Page 36 and 37: 32 CHAPTER 2 Network Media EXAM WAR
Page 38 and 39: 34 CHAPTER 2 Network Media problems
Page 40 and 41: 36 CHAPTER 2 Network Media electrom
Page 42 and 43: 38 CHAPTER 3 Network Devices Table
Page 44 and 45: 40 CHAPTER 3 Network Devices some o
Page 46 and 47: 42 CHAPTER 3 Network Devices ■
Page 48 and 49: 44 CHAPTER 3 Network Devices ■
Page 50 and 51: 46 CHAPTER 3 Network Devices EXAM W
Page 52 and 53: 48 CHAPTER 3 Network Devices ■ Du
Page 54 and 55: 50 CHAPTER 3 Network Devices Proxy
Page 56 and 57: 52 CHAPTER 3 Network Devices Top Fi
Page 58 and 59: 54 CHAPTER 3 Network Devices the co
Page 60 and 61: 56 CHAPTER 4 Wireless Networking
Page 64 and 65: 60 CHAPTER 4 Wireless Networking Ta
Page 66 and 67: 62 CHAPTER 4 Wireless Networking WE
Page 70 and 71: 66 CHAPTER 4 Wireless Networking us
Page 74 and 75: 70 CHAPTER 4 Wireless Networking si
Page 76 and 77: 72 CHAPTER 4 Wireless Networking co
Page 78 and 79: 74 CHAPTER 5 The OSI Model and Netw
Page 94 and 95: 90 CHAPTER 6 TCP/IP and Routing ■
Page 96 and 97: 92 CHAPTER 6 TCP/IP and Routing For
Page 98 and 99: 94 CHAPTER 6 TCP/IP and Routing UND
Page 100 and 101: 96 CHAPTER 6 TCP/IP and Routing ■
Page 102 and 103: 98 CHAPTER 6 TCP/IP and Routing Sub
Page 104 and 105: 100 CHAPTER 6 TCP/IP and Routing co
Page 106 and 107: 102 CHAPTER 6 TCP/IP and Routing
Page 108 and 109: 104 CHAPTER 6 TCP/IP and Routing al
Page 110 and 111: CHAPTER 7 Wide Area Networking 107
Page 112 and 113: WAN Protocols and Properties 109 In
Page 114 and 115: WAN Protocols and Properties 111 Cr
Page 116 and 117: Internet Access Methods 113 EXAM WA
Page 118 and 119:
Internet Access Methods 115 Wireles
Page 120 and 121:
Internet Access Methods 117 Top Fiv
Page 122 and 123:
Internet Access Methods 119 with th
Page 124 and 125:
122 CHAPTER 8 Security Standards an
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138 and 139:
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
144 CHAPTER 9 Network Management
Page 148 and 149:
146 CHAPTER 9 Network Management Wi
Page 150 and 151:
148 CHAPTER 9 Network Management Cr
Page 152 and 153:
150 CHAPTER 9 Network Management
Page 154 and 155:
152 CHAPTER 9 Network Management An
Page 156 and 157:
154 CHAPTER 9 Network Management Lo
Page 158 and 159:
156 CHAPTER 10 Network Troubleshoot
Page 160 and 161:
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Glossary 177 Access Determines who
Page 180 and 181:
Glossary 179 Extensible Authenticat
Page 182 and 183:
Glossary 181 Oscilloscope A cable t
Page 184 and 185:
Glossary 183 Wireless Network A net
Page 186 and 187:
186 Index Data link layer, 74-75 fu
Page 188 and 189:
188 Index Network troubleshooting,
show all

Syngress - Eleventh Hour Network+ Exam N10-004 Study Guide (11 ...

Create successful ePaper yourself

Delete template?

Save as template?