SemFio Networks


IEEE 802.11 Standards & Amendments Timeline

10/30/2017

3 Comments

 
Visiting the IEEE website, we can find the details about the IEEE 802.11 standards and amendments displayed in a table: http://grouper.ieee.org/groups/802/11/Reports/802.11_Timelines.htm

In order to put them into perspective, I have displayed them on a timeline. 
As the new amendments and standards are released, this timeline will be updated.

Feel free to download and use the timeline as much as you want. As always, please share your feedback so we can make it better together.

The process made me realize that the 802.11 standard is 20 years old this year!

Click on the image to open the PDF version:
[Figure: IEEE 802.11 standards and amendments timeline]
Note: the timeline only displays the published amendments and standards. This is why you won't find 802.11ax on it for now!


written by François Vergès

The 2017 Magic Quadrant is out!

10/24/2017

1 Comment

 
The Magic Quadrant for the Wired and Wireless LAN Access Infrastructure was released by Gartner on October 17th:
[Figure: Gartner 2017 Magic Quadrant for the Wired and Wireless LAN Access Infrastructure]

The Vendors

Just like last year, the same two companies have been identified as leaders: Cisco and HPE Aruba. To me, this is not surprising at all: they lead and dominate the market. However, we can note that they are positioned a little closer to the visionaries section than last year.

Talking about the visionaries, we can see that Extreme Networks is clearly catching up and getting closer and closer to the leaders. Gartner has recognized the successful acquisitions made by Extreme over the past few months. If you want to learn more about it, Rowell Dionicio and I recorded a Clear To Send podcast episode about it with Mike Leibovitz from Extreme.

Among the newcomers, Mist Systems has been positioned as a visionary by Gartner. I believe this was expected, knowing that the startup has been growing at a fast pace over the past couple of years. They also focus heavily on AI, so I am not surprised to see them as visionaries.

The appearance of Mojo Networks as a newcomer is also interesting, I believe. Mojo decided to advocate open networking standards and is an active member of the Open Compute Project. This has modified their business model and impacted the company in a good way. They also focus on AI and machine learning.

We can also note that Ubiquiti Networks is not included in this Magic Quadrant. Having followed their progress with the UniFi brand, I believe that they offer good products. However, according to Gartner, they “do not currently meet our inclusion criteria, but they can address enterprise access layer connectivity in certain usage scenarios. In some cases, these vendors sell to customers outside the traditional IT organization”. I would be interested to see how the company reacts to this MQ, knowing the difficult times they are experiencing right now.

The Future

The trend is clearly around software-defined networking, artificial intelligence and machine learning. Gartner believes that more and more automation will happen at the access layer of our networks. Here is their prediction: "By 2022, more than 60% of IT organizations will use access layer network automation, up from less than 5% today."

Earlier this year, the Mobility Field Day 2 outlined this trend with presentations from vendors such as Mist Systems, Mojo Networks, Cape Networks and Nyansa.

I believe that, as Network Engineers, we need to prepare for the future and learn more about network automation, scripting and programming.

Resources

If you want to read the full Gartner report, you can get a free copy from Aruba’s website at http://engage.arubanetworks.com/LP_CP_Aruba_510354404_Gartner-Report-ROMA2057.


These were my thoughts on the new 2017 Magic Quadrant. As a Network Engineer, do you trust the Magic Quadrant? Or do you think that vendors are lobbying Gartner to get a better spot on the Magic Quadrant?

Thank you for reading!



written by François Vergès

Fully understand KRACK in 2h

10/18/2017

0 Comments

 
This is a series of videos and documents that will help you technically understand KRACK. All you need is about 2 hours.

First, you need to understand the 4-way handshake. Marcus Burton does a great job explaining it in this video (6 mins):
In the following videos, Hemant Chaskar and Vivek Ramachandran explain all of the KRACK vulnerabilities in technical detail. Please watch them in order (79 mins).

Finally, read the research paper by Mathy Vanhoef explaining his findings in detail (25-30 mins).

At the end of this 2-hour KRACK learning session, you should have a better technical understanding of the different vulnerabilities.

Thank you!


Written by François Vergès

KRACK - Is it the end of WPA2?

10/16/2017

1 Comment

 
By now you have probably heard that several WPA2 vulnerabilities have been discovered and disclosed to the public by Mathy Vanhoef on www.krackattacks.com.
This article explains the implications of these vulnerabilities for enterprise WLAN networks.
[Image]

What are these vulnerabilities

Nine vulnerabilities have been revealed. Eight of them are client related and one is AP related.
Let's begin with the client-related vulnerabilities.

When a Wi-Fi network is configured with WPA or WPA2, different groups of keys are used between the client device and the access point:
  • PTK or Pairwise Transient Key: its temporal key (TK) protects unicast traffic
  • GTK or Group Temporal Key: protects broadcast and multicast data traffic
  • IGTK or Integrity Group Temporal Key: protects broadcast and multicast management frames (802.11w)

The PTK is derived by both the client and the AP during the 4-way handshake; the GTK and IGTK are generated by the AP and delivered to the client, encrypted, in message 3 of that handshake. The 4-way handshake takes place right after the WPA2 authentication phase, in which the client authenticates using a pre-shared key or 802.1X.
Here is what a 4-way handshake looks like:
[Figure: 4-way handshake]
The vulnerabilities discovered exploit the fact that these keys (PTK, GTK, IGTK) can be re-installed by either the client or the AP when a handshake message is received a second time. The attacks therefore focus on messages 3 and 4: if message 4 never reaches the AP, the AP retransmits message 3, and a vulnerable client re-installs the keys when it processes the retransmission.
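To make the handshake concrete, here is an added example (written for this article; it is not the post's own code and not any vendor's implementation) that runs the WPA2-Personal 4-way handshake from both sides: PMK from the passphrase, PTK from the two nonces and MAC addresses, and the Key MIC on messages 2, 3 and 4. It follows the IEEE 802.11i key hierarchy for CCMP with the HMAC-SHA1 MIC; the SSID, passphrase, MAC addresses and nonces are constructed sample values, and the KEK-wrapped GTK that rides in message 3 is left out.

```python
"""WPA2-Personal 4-way handshake, both sides (added example; constructed values).

PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
PTK = PRF-384(PMK, "Pairwise key expansion",
              min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
PTK = KCK(16) || KEK(16) || TK(16)
"""
import hashlib
import hmac

SSID = "KRACK-demo"                   # constructed
PASSPHRASE = "correct horse battery"  # constructed
AA = bytes.fromhex("00aabbccddee")    # authenticator (AP) MAC, constructed
SPA = bytes.fromhex("0011223344ff")   # supplicant (client) MAC, constructed
NONCE = slice(17, 49)                 # Key Nonce field inside an EAPOL-Key frame
MIC = slice(81, 97)                   # Key MIC field inside an EAPOL-Key frame


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_key(key_info: int, replay_counter: int, nonce: bytes, key_data: bytes = b"") -> bytes:
    """EAPOL-Key frame (802.1X header + RSN key descriptor) with a zeroed MIC field."""
    body = (b"\x02" + key_info.to_bytes(2, "big") + (16).to_bytes(2, "big")
            + replay_counter.to_bytes(8, "big") + nonce + bytes(16) + bytes(8) + bytes(8)
            + bytes(16) + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def sign(kck: bytes, frame: bytes) -> bytes:
    """Fill in the Key MIC: HMAC-SHA1 over the frame with the MIC zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC.start] + bytes(16) + frame[MIC.stop:]
    return frame[:MIC.start] + hmac.new(kck, zeroed, hashlib.sha1).digest()[:16] + frame[MIC.stop:]


def verify(kck: bytes, frame: bytes) -> bool:
    return hmac.compare_digest(sign(kck, frame)[MIC], frame[MIC])


def four_way_handshake(anonce: bytes, snonce: bytes) -> dict:
    pmk = wpa2_pmk(PASSPHRASE, SSID)          # both sides already hold the PMK
    # Message 1 (AP -> client): ANonce. No MIC: the client has no PTK yet.
    msg1 = eapol_key(0x008a, 1, anonce)
    # Client: now holds both nonces and derives the PTK.
    sta_ptk = derive_ptk(pmk, AA, SPA, msg1[NONCE], snonce)
    # Message 2 (client -> AP): SNonce, MIC under the client's KCK.
    msg2 = sign(sta_ptk["KCK"], eapol_key(0x010a, 1, snonce))
    # AP: derives its PTK from the received SNonce; a good MIC proves the client knows the PMK.
    ap_ptk = derive_ptk(pmk, AA, SPA, anonce, msg2[NONCE])
    msg2_ok = verify(ap_ptk["KCK"], msg2)
    # Message 3 (AP -> client): ANonce again, Install bit set (GTK in the key data, omitted).
    msg3 = sign(ap_ptk["KCK"], eapol_key(0x13ca, 2, anonce))
    msg3_ok = verify(sta_ptk["KCK"], msg3)
    # Message 4 (client -> AP): acknowledgement; both sides then install the TK.
    msg4 = sign(sta_ptk["KCK"], eapol_key(0x030a, 2, bytes(32)))
    msg4_ok = verify(ap_ptk["KCK"], msg4)
    return {"sta_ptk": sta_ptk, "ap_ptk": ap_ptk, "msg3": msg3,
            "mics_ok": msg2_ok and msg3_ok and msg4_ok}
```

Note that a retransmitted message 3 is byte-for-byte the same frame (same ANonce, same PTK, valid MIC), so nothing in the cryptography distinguishes it from the first copy; what matters is what the receiver does with it.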

Re-installing an already-in-use key resets the variables associated with it, such as the packet number (the nonce) and the replay counter. This matters because the key and the packet number together determine the keystream used to encrypt each frame. If the key is re-installed, the same keystream is used more than once, and an attacker can then recover plaintext by XORing two frames encrypted with the same keystream: the XOR of the ciphertexts equals the XOR of the plaintexts, so knowing (or guessing) one plaintext reveals the other. The reset replay counter also lets the attacker replay previously captured frames.

This means that all WPA2 networks are impacted, WPA2-Personal as well as WPA2-Enterprise: the weakness lies in the handshake that follows authentication, not in the authentication method.
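The keystream-reuse and replay consequences described above, as an added example (written for this article; not the post's own code and not any vendor's implementation). CCMP encrypts with AES in counter mode, building each counter block from the transmitter address (A2) and the 48-bit packet number (PN), and drops received frames whose PN is not larger than the last one seen. To stay self-contained the script stands in for AES with HMAC-SHA256 (an assumption; the "same key and PN gives the same keystream" property is what matters). The key, MAC address and packet contents are constructed.

```python
"""Nonce reset under CCMP-style encryption (added example; constructed values)."""
import hashlib
import hmac

TK = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed temporal key
A2 = bytes.fromhex("0011223344ff")                      # constructed transmitter MAC


def keystream(tk: bytes, a2: bytes, pn: int, length: int) -> bytes:
    """Per-frame keystream from (TK, A2, PN, block counter), as CCMP's CTR blocks are built."""
    out, ctr = b"", 0
    while len(out) < length:
        counter_block = a2 + pn.to_bytes(6, "big") + ctr.to_bytes(2, "big")
        out += hmac.new(tk, counter_block, hashlib.sha256).digest()  # stand-in for AES_TK(counter_block)
        ctr += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Transmitter:
    def __init__(self, tk: bytes, a2: bytes):
        self.tk, self.a2, self.pn = tk, a2, 0

    def install_key(self, tk: bytes, vulnerable: bool) -> None:
        """Key (re)install. A vulnerable implementation resets the PN even for a key already in use."""
        if tk != self.tk or vulnerable:
            self.pn = 0
        self.tk = tk

    def protect(self, plaintext: bytes):
        self.pn += 1  # the PN must never repeat under one TK
        return self.pn, xor(plaintext, keystream(self.tk, self.a2, self.pn, len(plaintext)))


class Receiver:
    def __init__(self, tk: bytes, a2: bytes):
        self.tk, self.a2, self.last_pn = tk, a2, 0

    def install_key(self, tk: bytes, vulnerable: bool) -> None:
        if tk != self.tk or vulnerable:
            self.last_pn = 0  # replay counter reset: old frames look new again
        self.tk = tk

    def unprotect(self, pn: int, ciphertext: bytes):
        if pn <= self.last_pn:
            return None  # CCMP replay detection
        self.last_pn = pn
        return xor(ciphertext, keystream(self.tk, self.a2, pn, len(ciphertext)))


def key_reinstall_scenario(vulnerable: bool) -> dict:
    tx, rx = Transmitter(TK, A2), Receiver(TK, A2)
    p1 = b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n"  # constructed; the attacker can guess this one
    p2 = b"POST /login HTTP/1.1\r\nuser=alice&pw=hunter2"   # constructed; the frame the attacker wants
    pn1, c1 = tx.protect(p1)
    assert rx.unprotect(pn1, c1) == p1  # normal delivery
    # The attacker forces a key re-installation on both ends (e.g. via a replayed message 3).
    tx.install_key(TK, vulnerable)
    rx.install_key(TK, vulnerable)
    pn2, c2 = tx.protect(p2)
    # Known-plaintext attack: with one keystream, c1 ^ c2 == p1 ^ p2, so p2 == c1 ^ c2 ^ p1.
    n = min(len(p1), len(p2))
    recovered = xor(xor(c1, c2), p1)[:n]
    return {
        "keystream_reused": pn1 == pn2,
        "secret_recovered": recovered == p2[:n],
        "replay_accepted": rx.unprotect(pn1, c1) is not None,  # old frame re-delivered after the reset
    }
```

Run `key_reinstall_scenario(True)` and `key_reinstall_scenario(False)` to compare: the vulnerable path reuses PN 1, leaks the second frame through the XOR, and accepts the replayed first frame; the patched path keeps counting from PN 2 and none of the three things happen.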

This is a high-level description of the following CVEs:
  • CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
  • CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
  • CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
  • CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
  • CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
  • CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
  • CVE-2017-13087: Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
  • CVE-2017-13088: Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.

For more details on each of them, I would encourage you to watch these really thorough videos produced by Mojo Networks and Pentester Academy: http://blog.mojonetworks.com/wpa2-vulnerability

Now, let's go over the AP-related vulnerability.

These keys (PTK, GTK, IGTK) are also installed by the client and the AP during an 802.11r (Fast BSS Transition, FT) handover. This is not done with the EAPOL frames of the 4-way handshake. Instead, it is done with the 802.11 management frames exchanged when a client roams:
  • Authentication Request
  • Authentication Response
  • Reassociation Request
  • Reassociation Response

Here is an example of this frame exchange:
[Figure: 802.11r Fast BSS Transition frame exchange]
Here the vulnerability comes from the fact that the Reassociation Request sent by the client carries no replay protection: an attacker can capture it and retransmit it later, and a vulnerable AP re-installs the PTK (resetting its packet number and replay counter) each time it processes a copy.

This is a high-level description of the corresponding CVE:
  • CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.

Once again, for more details, I would encourage you to watch these really thorough videos produced by Mojo Networks and Pentester Academy: http://blog.mojonetworks.com/wpa2-vulnerability

How bad is it?

Unlike what the KRACK attacks website states, I don't believe that these weaknesses are in the Wi-Fi standard itself. I believe they are all implementation issues. This is good news because it means that they can be fixed by applying patches!

Remember the eight client-related vulnerabilities? Are they easy to exploit?
Well, a man-in-the-middle (MitM) position is required for an attacker to take advantage of them. This involves the attacker setting up a rogue AP with two radio interfaces:
  • One radio interface to talk to the real AP on channel x
  • One radio interface to talk to the client on channel y
The rogue AP has to spoof the MAC address of the real AP when talking to the client device for the attack to succeed.
Moreover, to get the victim client to connect to the rogue AP rather than the real AP, the attacker needs to place the rogue AP close to the victim client device.
These requirements increase the complexity of executing such an attack.

Now, how can we fix these vulnerabilities?
The fix is to have the client NOT re-install a key that is already installed. This is done by patching the WPA2 implementation (the supplicant) on the client device; no hardware change is required. This can be tedious if you support a lot of Wi-Fi devices and need to patch all of them, but it is doable over time.

The issue arises if the vendor does not release any patch. What can you do then to mitigate KRACK?
You can upgrade the code of your APs and controllers so that they mitigate the issue from the infrastructure side. The AP can stop retransmitting message 3 of the 4-way handshake, which removes the trigger the attack relies on. The side effect of this mitigation is false positives: a client that legitimately missed message 3 is treated like an attacked one and its handshake fails. To handle those cases, the AP can de-authenticate the client and force it through a full new connection.

Moreover, you can use a WIPS (Wireless Intrusion Prevention System) to detect the MitM rogue AP and prevent client devices from connecting to it.

Now, what about the AP-related vulnerability (802.11r handover)? Is it easy to exploit?
It is actually much easier to exploit. No MitM is required: the attacker sniffs the FT Reassociation Request and replays it later. This is a replay attack.

How can we fix this issue?
Since the AP has no way to tell a replayed Reassociation Request from a legitimate one, the only fix is to have the AP NOT re-install a key that is already installed.
This is done by patching the WPA2 implementation on the controller or AP.
Some vendors have already released patched code and the rest will in the coming days.
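As an added example serving both the client-side fix above (a retransmitted EAPOL-Key message 3) and the AP-side fix just described (a replayed FT Reassociation Request), here is the key-install logic on both ends with the one check that patched supplicants and APs add. It was written for this article and is not the post's own code nor any vendor's implementation: frames are simplified dictionaries, the MIC verification is assumed to have already passed, and the temporal keys are constructed placeholders rather than real derivations.

```python
"""Key installation with and without the KRACK fix (added example; constructed values)."""
from dataclasses import dataclass


@dataclass
class KeyState:
    tk: bytes = b""   # temporal key currently installed in the driver
    tx_pn: int = 0    # packet number used as the CCMP nonce for transmitted frames
    rx_pn: int = 0    # highest packet number accepted (replay counter)
    installs: int = 0


class KeyHandler:
    def __init__(self, patched: bool):
        self.patched = patched
        self.key = KeyState()

    def install_tk(self, tk: bytes) -> bool:
        """Install a temporal key; returns True if the nonces were reset.

        The fix is the first line: a key that is already in use is never
        installed a second time, so tx_pn and rx_pn keep counting."""
        if self.patched and tk == self.key.tk:
            return False
        self.key = KeyState(tk=tk, installs=self.key.installs + 1)
        return True

    def transmit(self, frames: int) -> None:
        self.key.tx_pn += frames  # each protected frame consumes one PN


class Supplicant(KeyHandler):
    """Client side: EAPOL-Key message 3 processing (CVE-2017-13077)."""

    def __init__(self, patched: bool, ptk_tk: bytes):
        super().__init__(patched)
        self.ptk_tk = ptk_tk  # TK derived during the 4-way handshake
        self.replay_counter = 0

    def on_message3(self, msg3: dict) -> bool:
        # The EAPOL replay counter does not stop KRACK: the AP increments it on
        # every retransmission, so the replayed copy looks fresh to this check.
        if msg3["replay_counter"] <= self.replay_counter:
            return False
        self.replay_counter = msg3["replay_counter"]
        return self.install_tk(self.ptk_tk)  # send message 4, then install


class Authenticator(KeyHandler):
    """AP side: FT Reassociation Request processing (CVE-2017-13082) plus the
    message-3 retransmission behaviour the article suggests changing."""

    def on_ft_reassociation(self, reassoc: dict) -> bool:
        # FT reassociation carries no replay protection, so a byte-identical
        # captured copy passes every check a vulnerable AP makes.
        return self.install_tk(reassoc["ptk_tk"])

    @staticmethod
    def on_message4_timeout(mitigation_enabled: bool) -> str:
        # Infrastructure-side mitigation for unpatchable clients: never resend
        # message 3 (the attacker's trigger); start the connection over instead.
        return "deauthenticate" if mitigation_enabled else "retransmit message 3"


def client_scenario(patched: bool) -> dict:
    tk = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")  # constructed PTK-TK
    sta = Supplicant(patched, tk)
    sta.on_message3({"replay_counter": 1})  # genuine message 3
    sta.transmit(4)                          # PN 1..4 consumed
    # Attacker withholds message 4 from the AP; the AP retransmits message 3
    # with replay counter 2; the attacker forwards it to the client.
    reset = sta.on_message3({"replay_counter": 2})
    return {"nonce_reset": reset, "tx_pn": sta.key.tx_pn, "installs": sta.key.installs}


def ap_scenario(patched: bool) -> dict:
    tk = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed PTK-TK
    ap = Authenticator(patched)
    reassoc = {"ptk_tk": tk}                 # the client's FT Reassociation Request, captured
    ap.on_ft_reassociation(reassoc)
    ap.transmit(10)                          # PN 1..10 consumed
    reset = ap.on_ft_reassociation(dict(reassoc))  # identical replay
    return {"nonce_reset": reset, "tx_pn": ap.key.tx_pn, "installs": ap.key.installs}
```

In both scenarios the vulnerable side installs the key twice and its packet number drops back to 0, so the next frames reuse nonces that were already spent; the patched side installs once and keeps counting.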

Is it the end of WPA2?

Following the arguments presented in the previous section, I don't believe this is the end of WPA2. In the coming days, we will see vendors roll out patches to prevent these vulnerabilities from being exploited.

Most vendors have acknowledged the KRACK vulnerabilities and some of them have already released their patches. See this really good article from Andrew Von Nagy for more details: http://www.revolutionwifi.net/revolutionwifi/2017/10/wpa2-krack-vulnerability-getting-information

Patches will fix most of the devices out there. But what about the IoT devices that you will never patch, or that will never receive a patch? Eight of the nine vulnerabilities can be exploited against them.

So what is next? Do we need a WPA3?
I believe that, for now, these patches will protect most enterprise WLAN networks. However, sooner or later, we will need better security for IoT devices connecting to Wi-Fi networks. Does that mean WPA3? Does it mean that the IEEE will release a new 802.11 security amendment? I guess we will have to wait and see.

To be honest, I am a little worried by the way Mathy Vanhoef concluded his article:
[Image: screenshot of the conclusion of the krackattacks.com article]

Resources

Here is a list of additional resources used to write this article or useful to learn more about KRACK:
  • The KRACK attacks website:  https://www.krackattacks.com/
  • The detailed research paper:  https://papers.mathyvanhoef.com/ccs2017.pdf
  • The series of videos from Mojo Networks:  http://blog.mojonetworks.com/wpa2-vulnerability
  • The great summary from Andrew Von Nagy:  http://www.revolutionwifi.net/revolutionwifi/2017/10/wpa2-krack-vulnerability-getting-information
  • A security point of view from WiFiTraining.com:  https://wifitraining.com/blog/wpa2-vulnerability-krack-know/
  • A great summary from Alex Hudson: https://www.alexhudson.com/2017/10/15/wpa2-broken-krack-now/
  • Cisco's security advisory message: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
  • Aruba's security advisory message: http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007.txt

Thank you!

Cheers,


written by François Vergès
François Vergès

François Vergès is the founder of SemFio Networks. As a Network Engineer, he has a real passion for Wi-Fi.

Copyright © 2020 by SemFio Networks Inc.