A couple of weeks ago, I was in Las Vegas for COMDEX. One night after the show, I was standing in line at the Riviera Hotel and Casino talking to a guy who was the CIO for a major corporation. Our conversation soon turned to wireless networking, and he told me that he would never allow wireless networking in his organization because it was inherently insecure. That statement really bothered me, because it’s a misconception I hear frequently.
I don't think wireless networks have to be insecure. It’s just that many organizations fail to take advantage of the various security mechanisms available for securing WLANs. Let's look at the key issues you need to address when you're preparing for wireless networking security.
Detecting rogue access points
Since wireless access points and network cards are relatively cheap these days, employees in many companies have bought a wireless access point, plugged it into the Ethernet jack in an office, and then started using wireless without the knowledge or sanction of the IT department.
The question is, how do you tell if someone in your company is already running a wireless network? You can find rogue wireless networks by becoming a bit of a hacker (or rather a "whacker," which is the name for a wireless hacker).
One of my favorite wireless hacking tools is a utility called NetStumbler, which is designed to detect wireless networks. By running NetStumbler on a laptop within your organization, you can tell whether anyone has implemented a wireless network.
There are actually two versions of NetStumbler, and you can download both for free from the NetStumbler site. One version is designed for use with laptops, while the other version (Mini Stumbler) is for use with a Pocket PC. Both versions support the use of a GPS card, which allows NetStumbler to create a map showing the locations of wireless access points.
To find out how well NetStumbler works, I loaded a copy onto my laptop. The installation process was a breeze. There’s nothing to configure, and the utility takes up well under 1 MB of disk space. The only thing that’s tricky about NetStumbler is that only a few brands of Wi-Fi cards are supported. The NetStumbler documentation says that the software can be used only with 802.11b networks. However, when I loaded the software, I had a NETGEAR 802.11a card installed in my laptop, and it worked with NetStumbler.
Since few people are using 802.11a networks, I decided that I needed to install an 802.11b NIC. I didn’t actually own any of the NICs that were on the compatibility list but soon found an Orinoco wireless NIC that worked just fine. Once I got the software working, my wife drove me around the neighborhood while I snooped out wireless networks. (Whackers refer to this as "War Walking.")
I learned some interesting things from my experiment. First, I discovered that without the aid of an extra antenna, you must drive very slowly to detect a wireless network. I also found out that where I live (in a rural part of South Carolina), few people have wireless networks. Even so, I was able to detect four networks, as shown in Figure A. Although the software does support GPS mapping, I didn’t have a GPS card in my laptop, so no map was created.
|Even in rural South Carolina, I was able to detect four wireless networks using NetStumbler.|
Before I discuss the results of my little road trip, I want to clarify one thing. All four of the networks shown in Figure A were detected in the wild. I didn’t simulate the experiment in a lab environment, and my own personal network isn’t on the list (because it was running 802.11a).
With that said, take a look at the first entry in my list of detected networks. Notice that the circle to the left of the MAC address has a picture of a small lock inside of it, indicating that the network is using WEP encryption. The other three entries don't include this icon. So, of the four networks I detected, three weren’t using WEP encryption.
The circles to the left of each MAC address change colors based on signal strength (black, red, yellow, green). So not only is it possible to detect a foreign wireless network, but you can also easily tell when the signal strength is sufficient for you to connect to it.
Now, I want you to think about what’s required for connecting to a wireless network. Most of the time, you need to know the network’s channel, SSID, and WEP pass phrase. Of course, some of the newer cards have enough automation built into their drivers that you don’t have to know the SSID or channel. But for the sake of argument, we’ll assume that these two pieces of information are still necessary.
As you can see, NetStumbler provides a list of networks and specifies the SSID, channel, geographic location, and whether WEP is being used. All you have to do to connect to a network that isn’t using WEP is reconfigure your NIC to use the appropriate SSID and channel.
It's true that you’ll also need an IP address to connect to the wireless network. But since virtually every wireless access point has a built-in DHCP server, you can simply let the access point assign you an address. You are then free to browse the foreign network or surf the Internet via the wireless connection. Chances are that the access point’s owner/administrator will have no idea you are connected.
Now that I’ve shown you how to detect and exploit a wireless network, you might be even more apprehensive about installing one. Fortunately, you can do quite a few things to dramatically increase security.
The most obvious step is to enable WEP. Although there are techniques for deciphering the WEP pass phrase, most armature hackers will see that you are using WEP and will move on to an easier target. When you implement WEP encryption, I recommend implementing the highest level of encryption that is compatible with all of your equipment. Just about all wireless equipment supports 40-, 64-, and 128-bit encryption, and some equipment supports much higher encryption levels. For example, the NETGEAR access point I’m using supports up to 152-bit encryption.
Once you’ve enabled WEP, the next step is to implement a local security policy that requires IPSec encryption. IPSec encrypts traffic as it flows across your network. Therefore, if you’re using IPSec to encrypt traffic, and the already-encrypted traffic passes over a wireless link where WEP encryption is applied, the traffic is double-encrypted and very secure.
Protecting the access point
Earlier in this article, I proved that I could detect a foreign wireless network and explained how I could exploit the network to give me access to its resources and to the Internet. That’s just the tip of the iceberg. If you know what you’re doing, you can actually seize control of the wireless access point. You can then reconfigure it to grant you legitimate access or to lock out its true owner.
The trick is knowing the access point’s factory default settings. For example, virtually all access points have a DHCP server that assigns IP addresses in the 192.168.x.x range. You can verify this by simply running IPCONFIG to see what address was assigned to your laptop.
When an access point is using the 192.168.x.x address scheme, one of the first few addresses is usually reserved for the access point. This reserved address is almost always 192.168.0.0, 192.168.0.1, 192.168.0.2, or 192.168.0.3. You can figure out which one is used simply by plugging each address into a Web browser until you gain access to the access point’s Web interface console.
Once you gain access to the console, you will usually be prompted for a username and password. The problem is that most people never bother to change the defaults. So you can look in the Vendor column of NetStumbler and see what brand the access point is (as shown in Figure A). You can then go to the manufacturer’s Web site and find out the default username and password. They're usually something generic. For example, on NETGEAR access points, the username is admin and the password is password. As you can see, it’s extremely easy to break into an access point’s Web interface console.
But you can do a few things to make a hacker’s job more difficult. The first thing you should do is change the unit’s IP address and the address bank used by the DHCP server. Although a hacker can still use the DHCP-assigned address to figure out what address bank is being used, you can set the access point to use a less obvious address. For example, if you configure the DHCP server to use addresses in the 147.100.x.x range, you might assign the access point the address 220.127.116.11 instead of using something like 18.104.22.168. A hacker could easily figure out that the 147.100.x.x address range was being used, but it would be difficult to guess the random IP address you assigned to the access point.
You should also change the access point’s user name and password. Although this seems like common sense, it’s often overlooked—and it's an extremely critical step.
Advanced security features
The security techniques I’ve shown you so far are enough to provide a reasonably secure wireless environment and can be implemented on virtually any wireless hardware. If you’re paranoid like me, though, you may want to take a few more steps to increase your wireless network’s security. The techniques that I’m about to discuss don't work for every access point, so your own individual hardware may or may not support them.
You may be able to adjust the access point’s power output. The idea is that while full power may broadcast a signal clear across the parking lot, setting the transmit power level to medium or low may keep the signal within the confines of the building. Reducing the transmitting power will at least make the signal more difficult to detect from outside, although even weak signals are detectable. A standard 802.11b NIC has a range of less than 1,000 feet, but I once saw someone build a special antenna out of a Pringles can and lock onto a wireless network signal that was being broadcast from almost 10 miles away.
Another thing that you can do is create a list of approved stations. Some access points allow you to enter the MAC address of legitimate wireless network clients. So if a hacker tries to access your network, the hacker’s MAC address isn’t listed in the table, and the hacker will be denied access.
Still another technique is to limit the times of day when wireless access is available. If no one is in the office after 5:00, why leave your wireless network vulnerable after hours? Some access points actually allow you to control the time of day and days of the week that a wireless connection is available.
I’ve shown you how to hack a wireless network, explained how the hack works, and discussed ways you can prevent someone from using the same technique against you. I've also shown you how to use double encryption to protect your WLAN and discussed a few advanced security techniques you can implement. Armed with this knowledge and these strategies for safeguarding your wireless networks, you should be equipped to bring the advantages of WLAN to your organization without putting any data at risk or sacrificing peace of mind.