WLAN security essentials
introduction of a Wireless LAN (WLAN) into an organisations network dramatically
changes the security perimeter and introduces new threats to the network and
the systems and information it supports. WLAN security vulnerabilities are more
than meets the eye and organisations need to implement measures to safeguard
themselves, says Rion Datta
No longer is the network protected by the fact that all users are physically
located in your office building, because now a connection can be as easily obtained
from an adjacent building or outside. Wireless LANs do not respect traditional
security perimeters as it is quite feasible to connect in the parking lot or
out on the street.
In addition to ease of access, WLANs also offer a high degree of anonymity to
the attacker. They can only be identified whilst connected and unless they have
used their name or a personal identifier for their laptop name, only risk being
identified if actually caught in the act.
Typical quick attacks include looking for shared directories, scanning other
machines for vulnerabilities and sniffing the network for passwords.
The principle risks WLANs introduce are:
Unauthorised access to your informationThis is
the principle threat that any organisation faces, potentially resulting in:
loss of intellectual property, industrial espionage, and damage to reputation
through information leaked to the media or financial loss from changes to financial
Sabotage and destruction of informationOnce an
attacker has access to the network they may decide to delete files or make changes
to systems and the network. This could include introducing a virus or other
malicious software that may affect other parts of the organisation and business
Use of your Internet connectionIn addition to
utilising bandwidth and potentially incurring additional costs for the organisation,
an attacker could be downloading pornography or copyright material, such as
MP3s, that may expose the organisation to legal action. In some cases attackers
have used organisations server to host servers with pirated software and
other illegal material for others to download.
Use of your network to attack othersAn attacker
could use the anonymity of using your connection to attack other networks or
systems. This could be by installing software to do this or directly from your
Wardriving refers to individuals walking or driving around an area to determine
what wireless devices can be found. The associated practice of warchalking
is marking details of access points on pavements for others to use. A search
for either of these on the Internet will reveal a large number of hits containing
practical guides and information.
There are several popular wardriving applications freely available on the Internet.
These can also be linked to a GPS receiver to enable an attacker to quickly
map out all the Wireless LANs in a specific area. These applications typically
also identify the SSID and the manufacturer of the AP, which is all useful information
to a potential attacker.
Even if the attacker cannot identify the organisation from the SSID, it is a
relatively trivial task to work out the location of the AP from monitoring the
signal strength from different points.
Wardriving does not need an expensive laptop. One with Windows or Linux installed
and a wireless networking card can be used. These cards can be bought for less
than a thousand rupees. Wardriving is even possible through a suitably equipped
PDA, making the attacker even more inconspicuous.
These security risks mean that security is a priority when considering wireless
LANs, but increased pressure from users and departments has meant that wireless
LANs have been installed in many organisations without proper security. So what
can an organisation do to implement security on Wireless LANs?
All users on the network should be required to authenticate
to servers and use good passwords. Sensitive information should be given
additional protection. The use of Windows file and print sharing should
also be banned
Effective system securityThe first line of defence
should be the same practices that apply to a traditional network. All users
on the network should be required to authenticate to servers and use good passwords.
Sensitive information should be given additional protection. The use of Windows
file and print sharing should also be banned.
Minimise accessPlacing wireless LANs on a separate
subnet separated by a firewall can protect critical resources and information
and help to minimise the impact of an attack.
Disabling APs when not in use is a simple but effective measure.
This can be by manually switching them off or using a simple time-switch. It
is important to remember that an attacker is likely to mount an attack out of
hours when they believe the risk of detection is minimal.
SSIDThis is the first piece of information that
an attacker will gain about an organisation. By avoiding the organisation name
or other acronym that enables the organisation to be identified a casual attacker
may be deterred. The use of default or other nondescript identifier
is considered good practice. In our survey 30 percent of SSIDs allowed the organisation
to be easily identified and only 20 percent were set to a nondescript identifier.
WEP encryptionThis is considered as offering
a low level of defence, to deter the casual attacker. A recent weakness in the
WEP algorithm was discovered, however, that allows the WEP encryption key to
be determined once sufficient network traffic has been gathered. On a busy network
this can take less than an hour. WEP can be enhanced by changing keys regularly,
but this introduces problems with key management. In our survey, only 25 percent
of Wireless LANs employed WEP.
802.1xThis uses WEP encryption but changes the
keys on a regular basis to minimise problems. In addition an authentication
server is used to authenticate the client device to the AP before additional
services are permitted. When a client logs off, their services are disabled.
802.1x is supported by Windows XP and most current wireless devices, and should
be considered for all large implementations.
VPNsVirtual Private Networks (VPNs) encrypt all
traffic on the network. This protects from an attacker eavesdropping individual
packets and reassembling them to determine passwords and information that may
be otherwise sent in clear text over the network.
Honeypots are an interesting strategy, where the organisation places a sacrificial
server on the network that appears attractive to an attacker, but in fact contains
no sensitive information. In this way the attacker is enticed to focus on this
system instead of the real network.
The Vendor Angle
Vendors are adding security features to Wireless products or introducing new
technologies to assist in securing Wireless LANs. Vendors such as Airmagnet
and Bluesocket provide products that provide wireless security management. Wireless
vendors such as Cisco, Symbol and Netgear are including new security features
as part of their wireless solutions.
Traditional WLAN security includes the use of Service Set Identifiers (SSIDs),
open or shared-key authentication, static Wired Equivalent Protocol (WEP) keys
and optional Media Access Control (MAC) authentication. This combination offers
a rudimentary level of access control and privacy, but each element can be compromised.
During the course of wireless security projects, we have observed that many
wireless networks do not have even the basics of security in place.
Access points are easily recognisable, SSIDs clearly identify the organisation,
device manufacturer information can be easily detected with the proper tools,
and many existing networks do not use basic encryption such as WEP.
Knowing this can allow an attacker to exploit specific vulnerabilities. Our
experience in penetration testing of wireless LANs has shown that few implementations
can be regarded as totally secure. We would expect an experienced attacker to
be able to access information on many of these connections using tools that
are freely available on the Internet.
The author is an Information Risk Management Consultant
with MIEL eSecurity.