FortiAP
FortiAP devices are thin wireless access points (APs) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4) as well as 802.11n and 802.11ax, and are designed for plug-and-play deployment.
laltuzar (Staff)
Article Id 334903
Description This article describes what Protected Management Frames (PMF, IEEE 802.11w) are and when to configure them.
Scope FortiAP.
Solution

Wi-Fi management frames are exchanged between APs and endpoints to discover, join, and leave networks. These management frames include:

  • Beacons and probe requests/responses.
  • Association and re-association requests/responses.
  • Disassociation notifications.
  • 802.11 authentication and de-authentication.

 

For a wireless client to discover and join a network, certain frames must be readable by any endpoint, including ones that have not joined the network yet. At that point no session keys exist between the client and the AP, so these frames cannot be encrypted or integrity-protected. The management frames that remain unprotected are:

  • Beacons and probe requests/responses before association.
  • Announcement traffic indication messages (ATIM).
  • 802.11 authentication.
  • Association requests/responses.
  • Spectrum management action frames sent before the security association is established.

 

802.11w is the IEEE amendment that protects management frames (control frames are out of its scope). Data frames on an SSID that uses WPA2 or WPA3 are already protected by the data encryption negotiated at connection time. Although the amendment was ratified in 2009 and has been supported by equipment for years, it was only made mandatory with the WPA3 suite of security standards.

The typical attack this protection defeats is spoofed de-authentication: a forged de-authentication frame knocks a client off its AP so that a managed corporate endpoint can be lured onto a rogue AP. Note that the same spoofing technique is used legitimately by WIPS (Wireless Intrusion Prevention Systems) to contain rogue APs; PMF blocks both.

 

PMF provides the following protections:

  • Integrity and replay protection of unicast management frames using the pairwise key, and of broadcast/multicast management frames using a group management key (BIP), so management frames cannot be forged. A spoofed (re)association request that would reset an existing session is handled by the SA Query procedure.
  • Protection from client or AP spoofing.
  • Protection from denial-of-service attacks based on forged disassociation/de-authentication frames.
  • Protection from replay attacks.
  • Protection from some man-in-the-middle attacks.

 

Management frames protected by PMF include:

  • Disassociation (AP or endpoint terminating the session).
  • 802.11 de-authentication (in either direction).
  • Robust action frames, such as block acknowledgement, QoS, spectrum management, radio measurement, SA Query, and Fast BSS Transition.
  • Channel switch announcements sent as broadcast (protected with the group management key).
  • Channel switch announcements sent as unicast to the endpoint (protected with the pairwise key).

 

With PMF enabled, neither a client nor an AP can send management frames on behalf of another entity, regardless of whether the sender is a legitimate WIPS (Wireless Intrusion Prevention System) performing containment or an attacker.

 

It is important to note that PMF does not protect against Layer 1 denial-of-service attacks, such as RF jamming of the wireless channel.

 

PMF on WPA3 and Transition Modes.

 

  • WPA3 associations (SAE for personal, or Enterprise with RADIUS authentication) require PMF.
  • WPA3 transition mode accepts both WPA2 and WPA3 clients on the same SSID, so PMF is advertised as capable but not required. WPA3 clients always use PMF. WPA2 clients that support PMF negotiate it (and may be reported as WPA3 clients); WPA2 clients that do not support PMF join without it.
  • WPA2 networks support PMF optionally; it has to be enabled explicitly.
  • Enhanced Open (OWE, encrypted open networks) requires PMF.

 

To enable PMF on a VAP (SSID) from the FortiGate wireless controller CLI (the setting is pushed to the FortiAP):

config wireless-controller vap
    edit "vap-name"
        set pmf enable
    next
end

'set pmf enable' makes PMF required for every client of the SSID. 'set pmf optional' advertises PMF as capable but not required, which is the setting to use when WPA2 clients without PMF support must still be able to join (for example on a WPA3 transition SSID). 'set pmf disable' turns it off.

 

It is possible to identify whether an SSID has PMF enabled by reading the RSN Capabilities field of the Robust Security Network Information Element (RSN IE) in the beacon or probe response: the MFPC bit (Management Frame Protection Capable) and the MFPR bit (Management Frame Protection Required) show whether PMF is disabled, optional, or required. See Technical Tip: Connectivity issue between FortiAP and Aruba UXI Sensor 'UX-G6C'/Printer is an Epson ....
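The following is an added example, not code from this article or from Fortinet: a small Python parser that takes the raw RSN IE (tag 48) from a captured beacon or probe response, decodes the cipher and AKM suites, reads the MFPC/MFPR bits, and reports the PMF mode. The three sample IEs are constructed by hand to match a WPA2-PSK SSID without PMF, a WPA3-SAE transition SSID (PMF optional), and a WPA3-SAE-only SSID (PMF required); the suite names and bit positions are the ones defined in IEEE 802.11.

```python
# Added example: decode an 802.11 RSN IE and report the advertised PMF mode.
# Not Fortinet code. Sample IEs below are constructed by hand for illustration.
import struct

IEEE_OUI = b"\x00\x0f\xac"
RSN_ELEMENT_ID = 48
MFPR_BIT = 1 << 6   # RSN Capabilities bit 6: Management Frame Protection Required
MFPC_BIT = 1 << 7   # RSN Capabilities bit 7: Management Frame Protection Capable

CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
                 6: "BIP-CMAC-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM_SUITES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
              6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 18: "OWE"}

# Constructed sample IEs (hex), as they appear in a beacon's tagged parameters.
SAMPLE_IES = {
    "wpa2-psk, pmf disabled":
        "30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 02 00 00",
    "wpa3-sae transition, pmf optional":
        "30 1e 01 00 00 0f ac 04 01 00 00 0f ac 04 02 00 00 0f ac 02 00 0f ac 08 "
        "80 00 00 00 00 0f ac 06",
    "wpa3-sae only, pmf required":
        "30 1a 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 08 c0 00 00 00 00 0f ac 06",
}


def _suite(raw: bytes, table: dict) -> str:
    """Name a 4-byte suite selector (3-byte OUI + 1-byte type)."""
    if raw[:3] != IEEE_OUI:
        return "vendor(%s:%d)" % (raw[:3].hex(), raw[3])
    return table.get(raw[3], "unknown(%d)" % raw[3])


def pmf_mode(mfpc: bool, mfpr: bool) -> str:
    """Map the MFPC/MFPR capability bits to the PMF mode the AP advertises."""
    if mfpc and mfpr:
        return "required"
    if mfpc:
        return "optional"
    if mfpr:
        return "invalid"   # MFPR without MFPC is not a legal advertisement
    return "disabled"


def parse_rsn_ie(ie: bytes) -> dict:
    """Parse a raw RSN IE (element ID and length bytes included)."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN IE")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("RSN IE truncated")
    off = 0

    def take(n: int) -> bytes:
        # Bounds-checked read so a malformed IE raises instead of mis-parsing.
        nonlocal off
        if off + n > len(body):
            raise ValueError("RSN IE field runs past element length")
        chunk = body[off:off + n]
        off += n
        return chunk

    version = struct.unpack("<H", take(2))[0]
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    group = _suite(take(4), CIPHER_SUITES)
    pairwise = [_suite(take(4), CIPHER_SUITES)
                for _ in range(struct.unpack("<H", take(2))[0])]
    akms = [_suite(take(4), AKM_SUITES)
            for _ in range(struct.unpack("<H", take(2))[0])]
    caps = struct.unpack("<H", take(2))[0]
    mfpc, mfpr = bool(caps & MFPC_BIT), bool(caps & MFPR_BIT)

    # Optional trailing fields: PMKID list, then the group management cipher (BIP),
    # which is what protects broadcast management frames when PMF is on.
    group_mgmt = None
    if off + 2 <= len(body):
        take(16 * struct.unpack("<H", take(2))[0])
        if off + 4 <= len(body):
            group_mgmt = _suite(take(4), CIPHER_SUITES)

    return {"group_cipher": group, "pairwise_ciphers": pairwise, "akm_suites": akms,
            "mfpc": mfpc, "mfpr": mfpr, "pmf": pmf_mode(mfpc, mfpr),
            "group_mgmt_cipher": group_mgmt}


def describe(ie: bytes) -> str:
    """One-line summary of the security mode and PMF setting an SSID advertises."""
    info = parse_rsn_ie(ie)
    akms = set(info["akm_suites"])
    if "SAE" in akms and "PSK" in akms:
        mode = "WPA3-SAE transition"
    elif "SAE" in akms:
        mode = "WPA3-SAE"
    elif "OWE" in akms:
        mode = "Enhanced Open (OWE)"
    elif akms & {"802.1X", "802.1X-SHA256"}:
        mode = "WPA2-Enterprise"
    elif akms & {"PSK", "PSK-SHA256"}:
        mode = "WPA2-Personal"
    else:
        mode = "AKM " + "/".join(sorted(akms))
    return "%s, PMF %s" % (mode, info["pmf"])


if __name__ == "__main__":
    for label, hexstr in SAMPLE_IES.items():
        print("%-36s -> %s" % (label, describe(bytes.fromhex(hexstr))))
```

To use it on a real capture, copy the bytes of the "RSN Information" tag (tag number 48) from the beacon in Wireshark and pass them to describe(). A transition SSID shows MFPC set and MFPR clear, which is exactly the case where a WPA2 client without PMF support joins unprotected.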

 

PMF adds real security, but it has gaps. The following are key considerations to keep in mind:

Control frames (including RTS and CTS) are not protected, so the network remains exposed to Layer 2 denial-of-service attacks, for example spoofed CTS frames that reserve the medium.

Connection setup is not protected: 802.11 authentication, association, and the 4-way handshake take place before the PMF keys are in place, so a client is still exposed to man-in-the-middle and evil-twin attacks when it first connects to the network.

On WPA3 transition networks that accept both WPA2 and WPA3 clients, PMF is advertised as optional rather than required, so WPA2 clients that do not support PMF join unprotected and remain vulnerable to spoofed de-authentication and disassociation frames.

 

Other resources: Technical Tip: Connectivity issue between FortiAP and Aruba UXI Sensor 'UX-G6C'/Printer is an Epson ....
