
CompTIA Network+ Certification Study Guide part 24


CHAPTER 5: Wireless Networking 216
attacks. One possible example includes jamming the wireless network,
thereby forcing clients to lose their connections with authorized APs.
During this time, rogue APs can be made available operating at a higher power
than the authorized APs. When the jamming attack is stopped, the clients
will tend to associate back to the AP that is presenting the strongest signal.
Now the attacker owns all of the network clients attached to his rogue APs.
The attack continues from there.
In some cases, you find that RF jamming is not always intentional
and may be the result of other, non-hostile, sources such as a nearby
communications tower or another wireless LAN that is also operating in
the same frequency range. Baby monitors, cordless telephones, microwave
ovens, and many other consumer products may also be sources of possible
interference.
You can take some comfort in knowing that although a jamming attack
is relatively easy and inexpensive to pull off, it is not the preferred means
of attack. The only real victory with a jamming attack for most hackers is
temporarily taking your wireless network offline.
CONFIGURING WINDOWS CLIENT COMPUTERS FOR WIRELESS NETWORK SECURITY
Wireless LAN security is provided through a myriad of solutions. Some
of these mechanisms are internal to Windows itself, while others are
third-party solutions or part of the IEEE 802.11 standard. In this section,
we will be focusing primarily on using WEP, WPA, and 802.1x-based
security on Windows XP Professional computers and Windows Vista.
Whatever security mechanism you should decide to implement, you must
ensure that you are diligent about getting it done right. There is rarely a
second chance for security, especially when it comes to securing a
wireless LAN.
Windows XP Professional
Windows XP has been hailed as the OS of choice for wireless LAN users.
Whatever your feelings are about this, it is a fact that Windows
XP brings excellent support for 802.11 wireless networks and 802.1x
security to the mainstream. The only flaw in Windows XP’s solution is
that it can in some cases take the majority of control away from a user
– sometimes this can be a good thing, though. Configuring WEP and
802.1x security on a Windows XP Professional computer is outlined in
Exercise 5.1.
EXERCISE 5.1 Enabling WEP and 802.1x Security in Windows XP Professional
1. Click Start | Settings | Control Panel | Network Connections.
2. Double-click your wireless LAN connection.
3. Click the Properties button and switch to the Wireless tab, shown
in Figure 5.14.
4. To configure a new connection, click Add. Configure all required
information, including the WEP key.
FIGURE 5.14 The Wireless Tab.
5. If your network uses a dynamic keying server, then you need only
to select the key provided for you automatically instead of specifying
the WEP key specifics.
6. Click OK when you have entered all of the required information.
7. To configure 802.1x security on the network connection, change to
the Authentication tab, shown in Figure 5.15.
8. Select Enable network access control using IEEE 802.1x. Select
your EAP type from the drop-down list. Most commonly, this is
going to be Smart Card or other Certificate. By clicking Properties
you can configure the certificate and certificate authority (CA) to be
used for this authentication.
FIGURE 5.15 Configuring 802.1x Security.
9. For increased security, ensure that the Authenticate as computer
when computer information is available and Authenticate as guest
when user or computer information is unavailable options are not
selected. Click OK to accept the settings.
Windows Vista Business
Windows Vista makes it very simple to connect to a wireless network
and provide security for that connection. Exercise 5.2 shows the steps for
connecting to a wireless network in Vista Business.
EXERCISE 5.2 Enabling WPA in Windows Vista Business
1. From the desktop, right click on the network icon as shown in
Figure 5.16.
2. Choose Connect to a Network.
3. Choose the appropriate wireless network from the list as in
Figure 5.17.
4. When prompted for the network key, enter that key as shown in
Figure 5.18.
5. When prompted choose from Home, Work, or Public as network type.
FIGURE 5.16 Windows Vista Network Icon.
FIGURE 5.17 Choosing the Correct Wireless Network.
FIGURE 5.18 Prompted for Passkey.
SITE SURVEYS
A site survey is part of an audit done on wireless networks. Site surveys allow
system and network administrators to determine the extent to which their
wireless networks extend beyond the physical boundaries of their buildings.
Typically, a site survey uses the same tools an attacker uses, such as a sniffer
and a WEP cracking tool (for 802.11 network site surveys). The sniffer can
be either Windows-based (such as NetStumbler) or UNIX/Linux-based (such
as Kismet). For WEP cracking, AirSnort is recommended.
Another tool that can be useful is a directional antenna such as a Yagi
antenna or a parabolic dish antenna. Directional and parabolic dish antennas
allow for the reception of weak signals from greater distances by providing
better amplification and gain on the signal. These antennas allow
wireless network auditors to determine how far an attacker can
realistically be from the source of the wireless network transmissions and
still receive from and transmit to the network.
Finally, another tool that is useful for site surveys is a GPS locator. This
provides for the determination of the geographical latitude and longitude of
areas where wireless signal measurements are taken. Using GPS, auditors
can create a physical map of the boundaries of the wireless network.
SUMMARY OF EXAM OBJECTIVES
Wireless LANs are attractive to many companies and home users because
of the increased productivity that results from the convenience and
flexibility of being able to connect to the network without the use of wires.
WLANs are especially attractive when they can reduce the costs of having to
install cabling to support users on the network. For these and other reasons,
WLANs have become very popular in the past few years. However, wireless
LAN technology has often been implemented poorly and without due
consideration being given to the security of the network. For the most part, these
poor implementations result from a lack of understanding of the nature of
wireless networks and the measures that can be taken to secure them.
Exam Warning
Site surveys are not likely to appear on the Network+ exam. However, you should be
aware of them for your daily tasks, and the information is presented here in the event
that you do see a question about some of the tools used to conduct these surveys.
Remember that the tools used to conduct site surveys and audits are essentially the
same tools an attacker uses to gain access to a wireless network.
WLANs are inherently insecure because of their very nature: they
radiate radio signals containing network traffic that can be viewed
and potentially compromised by anyone within range of the signal. With the
proper antennas, the range of WLANs is much greater than is commonly
assumed. Many administrators wrongly believe that their networks are
secure because the interference created by walls and other physical
obstructions, combined with the relatively low power of wireless devices, will contain
the wireless signal sufficiently. Often, this is not the case.
There are a number of different types of wireless networks that can be
potentially deployed. These include HomeRF, Bluetooth, 802.11n, 802.11g,
802.11b, and 802.11a networks. The most common type of WLAN in use
today is based on the IEEE 802.11g standard.
The 802.11b standard defines the operation of WLANs in the 2.4 to
2.4835 GHz unlicensed Industrial, Scientific and Medical (ISM) band.
802.11b devices use DSSS to achieve transmission rates of up to 11 Mbps.
All 802.11b devices are half-duplex devices, which means that a device cannot
send and receive at the same time. In this, they are like hubs and therefore
require mechanisms for contending with collisions when multiple stations
are transmitting at the same time. To contend with collisions, wireless
networks use CSMA/CA.
The 802.11a and 802.11g standards define the operation of wireless
networks with higher transmission rates. 802.11a devices are not compatible
with 802.11b because they use frequencies in the 5 GHz band. Furthermore,
unlike 802.11b networks, they do not use DSSS. 802.11g uses the same ISM
frequencies as 802.11b and is backward compatible with 802.11b devices.
The 802.11 standard defines the 40-bit WEP protocol as an optional
component to protect wireless networks from eavesdropping. WEP is
implemented in the MAC sublayer of the data link layer (Layer 2) of the OSI
model.
WEP is insecure for a number of reasons. The first is that, because it
encrypts well-known and deterministic IP traffic in Layer 3, it is
vulnerable to known-plaintext attacks. That is, it is relatively easy for an attacker to
figure out what the plaintext traffic is (for example, a DHCP exchange) and
compare that with the ciphertext, providing a powerful clue for cracking the
encryption.
Another problem with WEP is that it uses a relatively short (24-bit) IV to
encrypt the traffic. Because each transmitted frame requires a new IV, it is
possible to exhaust the entire IV key space in a few hours on a busy network,
resulting in the reuse of IVs. These reuses are known as IV collisions. IV collisions can
also be used to crack the encryption. Furthermore, IVs are sent in the clear
with each frame, introducing another type of vulnerability.
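The keystream reuse behind the two weaknesses described above (predictable plaintext and 24-bit IV collisions), as an added Python illustration that is not part of the original study guide. The key, IV and payloads are constructed sample values, the function names are illustrative, and the CRC-32 integrity value of real WEP frames is left out.

```python
import math

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given key."""
    s, j = list(range(256)), 0
    for i in range(256):                        # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                          # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, secret: bytes, payload: bytes) -> bytes:
    """The per-frame RC4 seed is the cleartext 24-bit IV prepended to the shared key."""
    return xor(payload, rc4_keystream(iv + secret, len(payload)))

def frames_for_collision(p: float, iv_bits: int = 24) -> int:
    """Birthday bound: frames with random IVs before a repeat occurs with probability p."""
    return math.ceil(math.sqrt(2 * 2**iv_bits * math.log(1 / (1 - p))))

def hours_to_exhaust(frames_per_second: int, iv_bits: int = 24) -> float:
    """Time for a sequential IV counter to wrap at the given frame rate."""
    return 2**iv_bits / frames_per_second / 3600

SECRET = bytes.fromhex("0badc0ffee")            # constructed 40-bit shared key
IV = bytes.fromhex("a1b2c3")                    # constructed IV, used for two frames
KNOWN = b"DHCPDISCOVER from 00:11:22:33:44:55"  # constructed predictable traffic
OTHER = b"user=alice;session=constructed-val"   # constructed unrelated frame

def recover_other_frame() -> bytes:
    """Same IV and key give the same keystream, so one known plaintext exposes it."""
    c_known = wep_encrypt(IV, SECRET, KNOWN)
    c_other = wep_encrypt(IV, SECRET, OTHER)
    keystream = xor(c_known, KNOWN)             # no knowledge of SECRET needed
    return xor(c_other, keystream)

print(recover_other_frame())
print(frames_for_collision(0.5), "frames for a 50% IV repeat (random IVs)")
print(round(hours_to_exhaust(1000), 2), "hours to wrap a 24-bit IV at 1000 frames/s")
```

The numbers show why rotating a static key does not remove the problem: the IV space is small enough that repeats occur within normal traffic volumes, regardless of the secret's length.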
The final stake in the heart of WEP is the fact that it uses RC4 as the
encryption algorithm. The RC4 algorithm is well known and recently it was
discovered that it uses a number of weak keys. AirSnort and WEPCrack are two
well-known open-source tools that exploit the weak key vulnerability of WEP.
Although WEP is not secure, it does nonetheless potentially provide
a good barrier, and its use will slow down determined and knowledgeable
attackers. WEP should always be implemented. The security of WEP is
also dependent on how it is implemented. Because the IV key space can be
exhausted in a relatively short amount of time, static WEP keys should be
changed on a frequent basis.
The response to the weaknesses in WEP is the use of Wi-Fi Protected
Access (WPA), which has a longer IV, a stronger algorithm, and a longer key.
The use of WPA over WEP is suggested.
The best defense for a wireless network involves the use of multiple
security mechanisms to provide multiple barriers that will slow down attackers,
making it easier to detect and respond to attacks. This strategy is known as
defense-in-depth.
Securing a wireless network should begin with changing the default
configurations of the wireless network devices. These configurations include the
default administrative password and the default SSID on the AP.
The SSID is a kind of network name, analogous to an SNMP community
name or a VLAN ID. In order for the wireless clients to authenticate and
associate with an AP, they must use the same SSID as the one in use on the
AP. It should be changed to a unique value that does not contain any
information that could potentially be used to identify the company or the kind of
traffic on the network.
By default, SSIDs are broadcast in response to beacon probes and can
be easily discovered by site survey tools such as NetStumbler and Windows
XP. It is possible to turn off SSID broadcasts on some APs. Disabling SSID broadcasts
creates a closed network. If possible, SSID broadcasts should be disabled,
although this will interfere with the ability of Windows XP to automatically
discover wireless networks and associate with them. However, even if SSID
broadcasts are turned off, it is still possible to sniff the network traffic and
see the SSID in the frames.
Wireless clients can connect to APs using either open system or shared
key authentication. Although shared key authentication provides protection
against some denial of service (DoS) attacks, it creates a significant
vulnerability for the WEP keys in use on the network and should not be used.
MAC filtering is another defensive tactic that can be employed to
protect wireless networks from unwanted intrusion. Only the wireless
stations that possess adapters that have valid MAC addresses are allowed to
communicate with the AP. However, MAC addresses can be easily spoofed,
and maintaining a list of valid MAC addresses may be impractical in a large
environment.
A much better way of securing WLANs is to use 802.1x. 802.1x was
originally developed to provide a method for port-based authentication on wired
networks. However, it was found to have significant application in wireless
networks. With 802.1x authentication, a supplicant (a wireless workstation)
has to be authenticated by an authenticator (usually a RADIUS server)
before access is granted to the network itself. The authentication process
takes place over a logical uncontrolled port that is used only for the
authentication process. If the authentication process is successful, access is granted
to the network on the logical controlled port.
802.1x relies on Extensible Authentication Protocol (EAP) to perform the
authentication. The preferred EAP type for 802.1x is EAP-TLS. EAP-TLS
provides the ability to use dynamic per user, session-based WEP keys,
eliminating some of the more significant vulnerabilities associated with WEP.
However, to use EAP-TLS, you must deploy a Public Key Infrastructure (PKI)
to issue digital X.509 certificates to the wireless clients and the RADIUS
server.
Other methods that can be used to secure wireless networks include
placing wireless APs on their own subnets in wireless DMZs (WDMZ). The
WDMZ can be protected from the corporate network by a firewall or router.
Access to the corporate network can be limited to VPN connections that use
either PPTP or L2TP.
New security measures continue to be developed for wireless networks.
Future security measures include TKIP and Message Integrity Code (MIC).
This section should be a summary of what was presented in the chapter,
but actually talks about several new concepts that were not covered
throughout the chapter.
EXAM OBJECTIVES FAST TRACK
Radio Frequency and Antenna Behaviors and Characteristics

Gain occurs when a signal has its strength increased, such as by
passing it through an amplifier.

Loss is the exact opposite of gain and occurs when a signal has its
strength decreased, either intentionally through the use of a device
such as an attenuator or unintentionally such as through resistance
losses in a cable.

Reflection occurs when an electromagnetic RF wave has impacted
upon a surface that has a much larger cross section than that of the
wave itself.

When a wave is refracted, it passes through a medium and changes
course with some of the original wave being reflected away from the
original wave’s path.

Absorption results when an electromagnetic wave has impacted
an object that does not pass it on through any means (reflection,
refraction, or diffraction).

When an incoming electromagnetic wave hits a surface that is
small compared to its wavelength, scattering will occur.

The Fresnel Zone is an elliptical region extending outward from the
visual LOS that can cause signal loss through reflection, refraction,
and scattering.

Wireless Network Concepts
The most predominant wireless technologies consist of Wireless
Access Protocol (WAP) and IEEE 802.11 Wireless LAN.

Wireless Equivalent Privacy (WEP) is the security method used
in IEEE 802.11 WLANs and WTLS provides security in WAP
networks.

WEP provides for two key sizes: 40-bit and 104-bit secret keys.
These keys are concatenated to a 24-bit IV to provide either a 64 or
128-bit key for encryption.

WEP uses the RC4 stream algorithm to encrypt its data.

802.11 networks use two types of authentication: open system
authentication and shared key authentication.

There are two types of 802.11 network modes: ad-hoc and
infrastructure. Ad-hoc 802.11 networks are peer-to-peer in design and
can be implemented by two clients with wireless network cards.
The infrastructure model of 802.11 uses APs to provide wireless
connectivity to a wired network beyond the AP.

To protect against some rudimentary attacks that insert known
text into the stream to attempt to reveal the key stream, WEP