security risks and ways to decrease vulnerabilities in a 802.11b
wireless environment
by: Richard Johnson
Introduction
This document explains topics relating to wireless networks.
The main topics discussed include, what type of vulnerabilities
exist today in 802.11 networks and ways that you can help prevent
these vulnerabilities from happening. Wireless networks have not
been around for many years. Federal Express has been using a type
of wireless networks, common to the 802.11 networks used today,
but the general public has recently just started to use wireless
networking technology. Because of weak security that exists in
wireless networks, companies such as Best Buy have decided to
postpone the roll-out of wireless technology. The United States
Government has done likewise and is suspending the use of
wireless until a more universal, secure solution is
available.
Background
What is Wireless?
Wireless LANs or Wi-Fi is a technology used to connect
computers and devices together. Wireless LANs give persons more
mobility and flexibility by allowing workers to stay connected to
the Internet and to the network as they roam from one coverage
area to another. This increases efficiency by allowing data to be
entered and accessed on site.
Besides being very simple to install, WLANs are easy to
understand and use. With few exceptions, everything to do with
wired LANs applies to wireless LANs. They function like, and are
commonly connected to, wired Ethernet networks.
The Wireless Ethernet Compatibility Alliance [WECA] is the
industry organization that certifies 802.11 products that are
deemed to meet a base standard of interoperability. The first
family of products to be certified by WECA is that based on the
802.11b standard. This set of products is what we will be
studying. Also more standards exist such as 802.11a and
802.11g.
The original 802.11 standard was published in 1999 and
provides for data rates at up to 2 Mbps at 2.4 GHz, using either
FHSS or DSSS. Since that time many task groups have been formed
to create supplements and enhancements to the original 802.11
standard.
The 802.11b TG created a supplement to the original 802.11
standard, called 802.11b, which has become the industry standard
for WLANs. It uses DSSS and provides data rates up to 11 Mbps at
2.4 Ghz. 802.11b will eventually be replaced by standards which
have better QoS features, and better security.
Network Topology
There are two main topologies in wireless networks which can
be configured:
Peer-to-peer (ad hoc mode) – This configuration is
identical to its wired counterpart, except without the wires. Two
or more devices can talk to each other without an AP.
Client/Server (infrastructure networking) – This
configuration is identical to its wired counterpart, except
without the wires. This is the most common wireless network used
today, and what most of the concepts in this paper apply to.
Benefits of Wireless LANs
- WLANs can be used to replace wired LANs, or as an extension
of a wired infrastructure. It costs far less to deploy a wireless
LAN than to deploy a wired one. A major cost of installing and
modifying a wired network is the expense to run network and power
cables, all in accordance with local building codes. Example of
additional applications where the decision to deploy WLANs
include:
- Additions or moves of computers.
- Installation of temporary networks
- Installation of hard-to-wire locations
Wireless LANs give you more mobility and flexibility by
allowing you to stay connected to the Internet and to the network
as you roam.
Cons of Wireless LANs
Wireless LANs are a relatively new technology which has only
been around since 1999. With any new technology, standards are
always improving, but in the beginning are unreliable and
insecure. Wired networks send traffic over a dedicated line that
is physically private; WLANs send their traffic over shared
space, airwaves. This introduces interference from other traffic
and the need for additional security. Besides interference from
other wireless LAN devices, the 2.4 GHz is also used by cordless
phones and microwaves.
Security Issues of WLANs
- War-driving
War-driving is a process in which an individual uses a wireless
device such as a laptop or PDA to drive around looking for
wireless networks. Some people do this as a hobby and map out
different wireless networks which they find. Other people, who
can be considered hackers, will look for wireless networks and
then break into the networks. If a wireless is not secure, it can
be fairly easy to break into the network and obtain confidential
information. Even with security, hackers can break the security
and hack. One of the most prevalent tools used on PDAs and
Microsoft windows devices is, Network Stumbler, which can be
downloaded at http://www.netstumbler.com. Equipped with the software
and device, a person can map out wireless access points if a GPS
unit is attached. Adding an antenna to the wireless card
increases the capabilities of Wi-Fi. More information can be
found at: http://www.wardriving.info and http://www.wardriving.com to name a few.
- War-chalking
War-chalking is a method of marking wireless networks by using
chalk most commonly. War-driving is usually the method used to
search for networks, and then the person will mark the network
with chalk that gives information about the network. Some of the
information would include, what the network name is, whether the
network has security, and possibly the contact information of who
owns the network. If your wireless network is War-chalked and you
don\'t realize it, your network can be used and/or broken into
faster, because of information shown about your network.
Eavesdropping & Espionage
Because wireless communication is broadcast over radio waves,
eavesdroppers who just listen over the airwaves can easily pick
up unencrypted messages. These intruders put businesses at risk
of exposing sensitive information to corporate espionage.
Wireless LAN Security – What Hackers Know That You Don\'t
www.airdefense.net Copyright 2002
Internal Vulnerabilities
Within an organization network security can be compromised by
ways such as, Rouge WLANs (or Rouge Aps), Insecure Network
Configuration, and Accidental Associations to name a few.
Rouge Access Points – An employee of an organization
might hook up an access point without the permission or even
knowledge of IT. This is simple to do, all a person has to do is
plug an Access point or wireless router into an existing live LAN
jack and they are on the network. One statistic in 2001 by
Gartner said that, “at least 20 percent of enterprises
already have rouge access points.” Another type of attack
would be if, someone from outside the organization, enters into
the workplace and adds an Access Point by means of Social
Engineering.
Insecure Network Configurations- Many companies think that if
they are using a firewall or a technology such as VPN, they are
automatically secure. This is not necessarily true because all
security holes, big and small, can be exploited. Also if devices
and technologies, such as VPNs, firewalls or routers, are
mis-configured, the network can be compromised.
Accidental Associations – This can happen if a wireless
network is setup using the same SSID as your network and within
range of your wireless device. You may accidentally associate
with their network without your knowledge. Connecting to another
wireless LAN can divulge passwords or sensitive document to
anyone on the neighboring network. Wireless LAN Security –
What Hackers Know That You Don\'t www.airdefense.net Copyright
2002
Social Engineering – Social Engineering is one of the
most effective and scariest types of attacks that can be done.
This type of attack really scares me and can be done for many
other purposes besides compromising security in wireless
networks. A scenario: Someone dressed up as a support person from
Cisco enters the workplace. The secretary sees his fake
credentials and lets him get pass the front desk. The
impersonator walks from cubicle to cubicle, collecting user names
and passwords as he/she goes. After finding a hidden corner,
which seems to be lightly traveled, he plugs an insecure Access
Point into the network. At the same time he configures the Access
Point to not broadcast its SSID and modifies a few other settings
to make it hard for the IT department to find this Rouge Access
Point. He then leaves without ever being questioned by anyone
because it looks like he just fits in. Now, all he has to do is
be within 300 feet from the access point, (more if he added an
antenna), and now has access to all kinds of secure documents and
data. This can be a devastating blow to any corporation and could
eventually lead to bankruptcy if the secrets of the company were
revealed to competitors.
Bruce Schneier came to my classroom and said the following
about Social Engineering, “Someone is just trying to do
their job, and be nice. Someone takes advantage of that by
targeting this human nature. Social Engineering is
unsolvable.”
Securing Wireless Networks
According to Bruce Schneier and others such as Kevin Mitnick,
you can never have a totally secure computing environment. What
is often suggested is to try and control the damage which can be
done if security is breached. One can try many different tools on
the market which can help prevent security breaches.
WEP – WEP supports both 64 and 128-bit keys. Both are
vulnerable, however, because the initialization vector is only
24-bits long in each case. Its RC4 algorithm, which is used
securely in other implementations, such as SSL, is quite
vulnerable in WEP. Http://www.infosecuritymag.com/2002/jan/cover.shtml
Wireless Insecurities By Dale Gardner. Different tools exist to
break WEP keys, including AirSnort, which can be found at
www.airsnort.net. Although this method is not a secure solution,
it can be used to help slowdown an attacker if other means are
not possible financially or otherwise.
VPN and IPSec- IPSec VPNs let companies connect remote offices
or wireless connections using the public Internet rather than
expensive leased lines or a managed data service. Encryption and
authentication systems protect the data as it crosses the public
network, so companies don\'t have to sacrifice data privacy and
integrity for lower costs. A lot of VPN\'s exist on the market
today. An important note about VPNs is, interoperability does not
really exist, and whatever you use for your server has to be the
same brand as your clients most of the time. Some VPNs
include:
- Borderware
- BroadConnex Networks
- CheckPoint
- Cisco
- Computer Associates
DMZ – Adding this to your network enables you to put
your wireless network on an untrusted segment of your
network.
Firewalls – Firewalls are all over the place. Firewalls
range from hardware to software versions. By adding a firewall
between the wireless network and wired network helps prevent
hackers from accessing your wired network. This paper doesn\'t go
into specifics about different firewalls and how to set them up,
but there are many. Some of the firewalls include:
- ZoneAlarm (an inexpensive based software firewall)
Zonelabs.com
- Symantec has many different firewalls depending what you
require.
PKI - Public-key infrastructure (PKI) is the combination of
software, encryption technologies, and services that enables
enterprises to protect the security of their communications and
business transactions on the Internet. What is PKI? http://verisign.netscape.com/security/pki/understanding.html
Site Surveys – Site Surveys involve using a software
package and a wireless device to probe your network for Access
Points and security risks.
Proactive Approaches
Since wireless technology is insecure, companies or anyone can
take a proactive approach to try and identify hackers trying to
gain access via wireless networks.
Honeypots – are fake networks setup to try and lure in
hackers. This enables administrators to find out more about what
type of techniques hackers are using to gain access. One product
is Mantrap created by Symantec.
“ManTrap has the unique ability to detect both host- and
network-based attacks, providing hybrid detection in a single
solution. No matter how an internal or external attacker tries to
compromise the system, Symantec ManTrap\'s decoy sensors will
deliver holistic detection and response and provide detailed
information through its system of data collection
modules.”
Intrusion Detection – Intrusion Detection is software
that monitors traffic on the network. It sounds out a warning if
a hacker it trying to access the network. One such free product
is Snort.
“Before we proceed, there are a few basic concepts you
should understand about Snort. There are three main modes in
which Snort can be configured: sniffer, packet logger, and
network intrusion detection system. Sniffer mode simply reads the
packets off of the network and displays them for you in a
continuous stream on the console. Packet logger mode logs the
packets to the disk. Network intrusion detection mode is the most
complex and configurable configuration, allowing Snort to analyze
network traffic for matches against a user defined rule set and
perform several actions based upon what it sees.” http://www.snort.org/docs/writing_rules/chap1.html#tth_chAp1
Network Monitoring- Network Monitoring would be products such
as snort that monitor the flow of traffic over the network.
Quick tips and tricks
- When setting up wireless networks and access points there are
a few quick steps that can be taken to immediately secure the
network, even though it does not make it secure. Some of these
ways include:
- Change your default SSID: each router or access point comes
with a default SSID. By changing this it can take longer for an
attacker to know what type of device he is trying to hack.
- Change the default password – generic default passwords
are assigned to access points and routers. Sometimes the password
is admin. By changing this password, the attacker cannot modify
settings on your router as easily.
- Disable broadcasting SSID: By default AP\'s broadcast their SSIDs, if you shutoff this setting it is harder for outsiders to find your AP.
- Enable MAC filtering: WARNING: this can only work in smaller
environments where a centralized access list does not need to be
maintained. You can enable only specific wireless cards to access
the AP by only enabling those MAC addresses.
- Turn off shares: If security is important, scanning for
shares and turning off the shares on the network can help. Also
encrypting sensitive data can prevent hackers from accessing the
data.
- Put your wireless access points in a hard to find and reach
spot.
- Keep your drivers on all wireless equipment updated. This
helps patch existing security vulnerabilities.
- Read current press releases about emerging wireless
news.
bgcolor="#DDDDDD">
| 
