An overlooked aspect of enterprise network security is wireless security. With the advent of wireless connectivity, security should extend to cover wireless service. Wireless connectivity offers convenience for your users, but it also offers a venue for malicious actors to attack your network. Common attacks on wireless networks are packet sniffing (eavesdropping), rogue access point and evil twin, Man in the Middle (MiTM), and de-authentication attack. Let’s discuss each one and how to protect your network from such attacks.
Packet sniffing or eavesdropping. Since data packets are transmitted over the air in a wireless connection, attackers can capture transmitted traffic using specialized software or hardware, and later analyze for important information, such as login credentials, credit card information, and other important details. Mitigation of this kind of attack involves using strong encryption protocols like WPA3 or WPA2. It is very important to use complex passwords, a combination of alphanumeric characters, and special characters. Remember, even if you apply WPA2 encryption, but if you use plain and simple password, it can be broken.
Arista WIPS can mitigate this attack by classifying and identifying rogue or misconfigured APs and sending spoofed de-authentication packets over the wireless medium, disrupting connection to rogue APs, preventing authorized users from connecting to it.
De-authentication attack. In this attack, malicious actors send spoofed deauthentication packets to the AP, disconnecting users associated to said AP, conducting DoS attack by sending continuous deauth frames. Mitigation to this attack includes using WPA3 encryption, and 802.11w standard. WPA3 includes protections against deauthentication attacks, making it harder to carry out such attack. 802.11w standard, also known as Protected Management Frames (PMF), adds encryption and authentication to the management frames, such as deauthentication packets.
Not broadcasting your SSID is one form of protecting your wireless network, but this does not guarantee security, nor filtering allowed mac addresses. Attackers can still find out the target ssid, spoof allowed mac address to gain access. They employ techniques that expose hidden ssids and allowed mac. You must also use stronger encryption, like WPA2/WPA3, with complex passwords, combination of alphanumeric and special characters to further protect access via wifi. As to mitigating MiTM and Rogue AP, Arista WIP is a very good solution. It can determine which AP is actually a rogue, not a blanket “All unauthorized AP” is a rogue. It can take steps in degrading the signal of rogue APs so that users do not associate to them.
If you’re a network engineer aiming to expand your skills into penetration testing or ethical hacking, this video is a must-watch. It’s especially helpful for wireless network engineers looking to understand and work with various hacking tools.
