Wireless LANs allow both legitimate users and hackers to access your network quickly and easily. By securing your wireless LAN, you can avoid opening your network doors to hackers. In this Daily Drill Down, Scott Lowe shows you what you need to do. A wireless network can allow you and your users to work in a significantly more flexible and convenient manner while still reducing infrastructure costs, but it can also create a number of major security issues that must be addressed when the system is installed. The same flexibility that makes wireless so attractive to your company can allow hackers to leave a giant hole in your otherwise secure network. To keep your wireless network free from security breaches, Scott Lowe explains how to secure your wireless LAN by focusing on security from inception to implementation.
What are the risks?
First, it’s important to understand the security issues that arise with the use of a wireless network. Because a wireless network is accessed via strategically placed antennas, you no longer have specific points of network access like you do with a wired network.
There are a number of security risks associated with the currently widespread 802.11b and 802.11a wireless standards. 802.11b devices operate at up to 11 Mbps while 802.11a devices operate at up to 54 Mbps. Both standards operate using Wired Equivalency Protocol or Wired Equivalent Privacy (WEP), which provides some measure of security for transmission over the airwaves.
There is no one action to take that would secure your wireless LAN. Instead, you’ll need to rely on a number of different actions that will offer a multifaceted approach to wireless security.
Unauthorized usage (aka Insertion Attack)
Perhaps one of the biggest problems with improperly secured wireless networks is their ability to be used by anyone within antenna range—even people outside the building. This is generally not an issue for wired networks, because you know exactly the points through which a potential user could access your network, and you can use security devices such as firewalls to protect against unwanted traffic from outside the network.
The problem of unauthorized users gaining access to unsecured wireless access points is exacerbated by folks who drive around and mark buildings with certain symbols indicating that there is an open wireless network in the area; a practice that has become known as “war chalking” mimicking the old term “war dialing” from the modem days of lore. These symbols have recently caught the attention of the FBI in certain areas, however.
What can you do to make sure that your network does not become identified as a free access point? First, make sure that none of your employees is running a wireless access point that you don’t know about. Before you dismiss this as something that you don’t need to worry about, ask around. This practice is pretty widespread.
Second, try to position your wireless access point antennas in such a way that communication outside a building in public is minimized. A lot of this is trial-and-error, so be prepared to spend a lot of time finding an optimal location.
Third, you can begin to make use of “authorization lists” based on such information as the MAC address of the wireless NIC. This would require the administrator to keep a list of all of the potential wireless devices that would access the network and to make sure that the wireless access points only allow those devices. Obviously, this creates additional administrative overhead to keep the list up-to-date, but it does help you limit the types of devices that connect to your network. Just keep in mind that that MAC addresses can be spoofed. Anyone with a sniffer would be able to just sit and listen to traffic coming from the wireless access point and eventually get an authorized MAC address that they could then use to gain entry. Therefore, don’t just assume you’re secure because you’re limiting access based on MAC addresses.
Treat wireless access points as untrusted until you have reason to believe that they are completely secure. You may even want to consider segregating wireless network access on a portion of the network that is separated from the main network by a firewall.
WEP is severely flawed
There are currently three different “standard” security systems in place for wireless networking: WEP, 802.1X, and 802.11i. The most widespread system in place is currently WEP. WEP is the encryption method that is used between the base station and the mobile device to provide a modicum of secure communication. Most WEP-capable devices support either 40 or 128 bit encryption. Although WEP is supposed to secure networks, security professionals have identified extremely dangerous holes in WEP.
WEP uses the RC4 encryption algorithm. This algorithm takes a key and generates a number of pseudo-random keys based on it in order to provide the encryption. Because of the fact that Ethernet is a collision-based networking system, collisions will definitely occur, even with wireless.
Unfortunately, WEP reinitializes the entire data stream after a collision occurs. While someone just walking by with a wireless adapter may be discouraged by the fact that you are using an encrypted data stream, a determined hacker only needs a matter of hours before he or she is able to read enough air traffic to generate the required WEP key to gain access to your network. This applies to both 40- and 128-bit WEP encryption—within similar time frames. This implies that 128-bit WEP encryption is no better than 40-bit which, unfortunately, is the case.
In addition, there are now tools such as AirSnort and WEPCrack that make this job even easier for hackers. AirSnort works by passively listening to traffic. Once it acquires 5-10 million packets, it can guess the encryption password in under a second.
While I recommend that you use WEP to at least prevent less-prepared hackers from gaining access to your network, you should not count on it as your only source of security.
Slightly newer than WEP, 802.1X is the “second try” for wireless security and has also been proven to have significant security problems, such as being susceptible to session hijacking and man-in-the-middle attacks. Session hijacking involves taking over the session for a client that has already authenticated while man-in-the-middle attacks take advantage of 802.1X’s one-way authentication by inserting a node between the wireless client and an access point. 802.1X, while an improvement, is not a replacement for WEPs; it simply provides authentication services, not the encryption services that WEP provides.
Currently in the works, the 802.11i standard starts with 802.1X and adds significant features to fix its problems. Most importantly, it adds a key distribution infrastructure that replaces static WEP keys. This will be a huge improvement over WEP. In addition, it is slated to make use of AES (Advanced Encryption Standard) rather than WEP’s 40- or 128-bit RC4-based encryption algorithm. For more information on how AES works, check out this Web site. 802.11i is due by the end of 2002.
So, if WEP is not sufficient, how do you make sure that the traffic that is going out over the air is protected? One way is to use encryption just as you would on a wired network by using such tools as VPNs, SSH, and SCP rather than direct network connections, telnet, and FTP. In fact, making use of a VPN from the wireless client may be an excellent idea in any case because VPNs are a much more well-known element than are wireless networks and their security issues are much better understood, making them much easier to patch and monitor.
However, you should keep in mind that there are tools that allow wireless hackers to hijack SSH and SSL sessions, thereby invalidating the security that they provide. Often, the only way that users are made aware that this has happened is when the server they are connected to indicates that the host key has changed. If this message is ignored, the hacker has achieved his goal.
Using default SSIDs
A Service Set Identifier (SSID) is a 32-bit character identifier in the header of packets sent over a wireless LAN and acts as a rudimentary identification, password, and authorization mechanism for access to the network. Clients attaching to a base station with SSID enabled must use the same SSID on their clients in order to make use of it.
Out of the box, most vendors’ 802.11 gear is useless from a security perspective. All of the default configurations are well known and published all over the Web. For example, Cisco’s default SSID is either ”tsunami” or ”2” with no default telnet password.
If someone just buys the access point, sticks the antenna up in the air, and turns it on without making changes to the defaults, he or she has given a potential hacker access to the network. Therefore, it is important to make sure to change the SSID to something unique and not easily guessed, and to enable passwords for telnet and any other remote administration services. Of course, a hacker listening passively to traffic will eventually be able to get it, but having it enabled could still thwart the attempt.
The SSID is also required for people who need to use the access point, which means that the SSID could be illegally obtained by stealing it from the people who need it for access or by using a stolen wireless device.
Wireless security doesn’t have to be an oxymoron
Designing a secure wireless network is a complex task that will result in a lot of work for the administrator that implements it. To keep your wireless network secure, you’ll need to endure significant planning and decision-making sessions. To make your planning a little easier, here is a final look at the steps I’ve covered in this article. Follow these and you’ll be well on your way to a secure wireless LAN:
- Use WEP: Even though it’s full of holes, WEP will still prevent the casual passerby from trying to get to your stuff.
- Change the default SSID: Before an access point is put into production, this is the first thing that should be changed. In addition, you should periodically change the SSID on all of your wireless equipment at regular intervals. Using the default SSID is bad for obvious reasons and changing it every so often can help to thwart people who have figured out your old one, even though changing it can be inconvenient.
- Use 802.1X for authentication: While not perfect, 802.1X is better than WEP’s authentication, although WEP will still be needed to handle certain authentications.
- Use secure tunnels: Whenever possible, make use of software and services that provide end-to-end encryption such as VPNs, SSH, and SSL. Make sure to read the appropriate FAQs and properly harden your equipment to protect it from exploits.
- Carefully position antennas: The less exposure to the outside, the less chance that your network will be stumbled across and used for nefarious, illegal, or otherwise inappropriate activities. To see the locations of some networks that have been “stumbled” upon, check out netstumbler.com, which offers a comprehensive, updated database as well as software for locating these networks.
- Use filters: While not effective as a stand-alone security measure, filtering so that only recognized MAC addresses are allowed access to your network can help to bolster the security of your wireless network.
- Segregate your wireless network: This works best if you use a VPN connection from the wireless device. This consists of setting up your wireless access points outside a firewall and configuring that firewall for VPN access from the wireless devices.
Although it is impossible to completely secure a wireless network, if you use the tips presented in this article, you can help to keep a majority of the attackers away from you. Remember: most organizations with wireless networks have done very little to address security and most attackers would rather go after those easy targets rather than go out of their way to get into your locked-down system.