WLAN security essentials
The introduction of a Wireless LAN (WLAN) into an organisation's network dramatically
changes the security perimeter and introduces new threats to the network and
the systems and information it supports. WLAN security vulnerabilities are more
than meets the eye and organisations need to implement measures to safeguard
themselves, says Rion Datta
No longer is the network protected by the fact that all users are physically
located in your office building, because now a connection can be as easily obtained
from an adjacent building or outside. Wireless LANs do not respect traditional
security perimeters as it is quite feasible to connect in the parking lot or
out on the street.
In addition to ease of access, WLANs also offer a high degree of anonymity to
the attacker. They can only be identified whilst connected and unless they have
used their name or a personal identifier for their laptop name, only risk being
identified if actually caught in the act.
Usual Tactics
Typical quick attacks include looking for shared directories, scanning other
machines for vulnerabilities and sniffing the network for passwords.
The principal risks WLANs introduce are:
Unauthorised access to your information
This is the principal threat that any organisation faces, potentially resulting in:
loss of intellectual property, industrial espionage, damage to reputation
through information leaked to the media, or financial loss from changes to financial
records.
Sabotage and destruction of information
Once an attacker has access to the network they may decide to delete files or make changes
to systems and the network. This could include introducing a virus or other
malicious software that may affect other parts of the organisation and business
partners.
Use of your Internet connection
In addition to utilising bandwidth and potentially incurring additional costs for the organisation,
an attacker could be downloading pornography or copyright material, such as
MP3s, that may expose the organisation to legal action. In some cases attackers
have used organisations' servers to host pirated software and
other illegal material for others to download.
Use of your network to attack others
An attacker could use the anonymity of your connection to attack other networks or
systems, either by installing software to do this or directly from your
servers.
Wardriving
Wardriving refers to individuals walking or driving around an area to determine
what wireless devices can be found. The associated practice of warchalking
is marking details of access points on pavements for others to use. A search
for either of these on the Internet will reveal a large number of hits containing
practical guides and information.
There are several popular wardriving applications freely available on the Internet.
These can also be linked to a GPS receiver to enable an attacker to quickly
map out all the Wireless LANs in a specific area. These applications typically
also identify the SSID and the manufacturer of the AP, which is all useful information
to a potential attacker.
Even if the attacker cannot identify the organisation from the SSID, it is a
relatively trivial task to work out the location of the AP from monitoring the
signal strength from different points.
Wardriving does not need an expensive laptop. One with Windows or Linux installed
and a wireless networking card can be used. These cards can be bought for less
than a thousand rupees. Wardriving is even possible through a suitably equipped
PDA, making the attacker even more inconspicuous.
Defence
These security risks mean that security is a priority when considering wireless
LANs, but increased pressure from users and departments has meant that wireless
LANs have been installed in many organisations without proper security. So what
can an organisation do to implement security on Wireless LANs?
Effective system security
The first line of defence should be the same practices that apply to a traditional network. All users
on the network should be required to authenticate to servers and use good passwords.
Sensitive information should be given additional protection. The use of Windows
file and print sharing should also be banned.
Minimise access
Placing wireless LANs on a separate subnet, separated by a firewall, can protect critical resources and information
and help to minimise the impact of an attack.
Disabling APs when not in use is a simple but effective measure.
This can be done by manually switching them off or by using a simple time-switch. It
is important to remember that an attacker is likely to mount an attack out of
hours, when they believe the risk of detection is minimal.
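The out-of-hours point above suggests a simple detective control to complement the time-switch: review AP association logs for stations that attach outside business hours. The following is an added example, not code from the article; the syslog-style line format and the sample lines are constructed for illustration and do not correspond to any vendor's real log format.

```python
"""Flag WLAN client associations that fall outside business hours."""
import re
from datetime import datetime, time

# Constructed sample AP log lines (format is an assumption, not a real vendor format).
LOG_LINES = """\
2002-08-12 09:14:03 ap-floor1 assoc sta=00:0c:41:aa:bb:01 ssid=corp-wlan
2002-08-12 12:30:45 ap-floor1 assoc sta=00:0c:41:aa:bb:02 ssid=corp-wlan
2002-08-12 23:41:17 ap-floor1 assoc sta=00:02:2d:11:22:33 ssid=corp-wlan
2002-08-13 03:05:52 ap-floor2 assoc sta=00:02:2d:11:22:33 ssid=corp-wlan
2002-08-13 08:59:10 ap-floor2 assoc sta=00:0c:41:aa:bb:01 ssid=corp-wlan
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<ap>\S+) assoc sta=(?P<sta>[0-9a-f:]{17}) ssid=(?P<ssid>\S+)$"
)

# Assumed business window: Monday to Friday, 08:00 up to (not including) 19:00.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(19, 0)


def parse_line(line):
    """Return a dict for a well-formed association line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "ap": m["ap"], "sta": m["sta"], "ssid": m["ssid"]}


def out_of_hours(ts, start=BUSINESS_START, end=BUSINESS_END):
    """True on weekends (weekday() 5 or 6) or when the clock time is outside start..end."""
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def find_out_of_hours_associations(lines):
    """Return the parsed records whose association time is outside business hours."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec and out_of_hours(rec["ts"]):
            alerts.append(rec)
    return alerts


def stations_seen_out_of_hours(lines):
    """Distinct client MAC addresses that associated out of hours, sorted for reporting."""
    return sorted({r["sta"] for r in find_out_of_hours_associations(lines)})


if __name__ == "__main__":
    for rec in find_out_of_hours_associations(LOG_LINES):
        print(f"{rec['ts']} {rec['ap']}: out-of-hours association from {rec['sta']}")
```

Any station the report lists that does not belong to a known laptop is worth following up, and an AP that logs associations while its time-switch should have it powered off indicates the switch is not working.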
SSID
This is the first piece of information that an attacker will gain about an organisation. By avoiding the organisation name
or any other acronym that enables the organisation to be identified, a casual attacker
may be deterred. The use of a default or other nondescript identifier
is considered good practice. In our survey 30 percent of SSIDs allowed the organisation
to be easily identified and only 20 percent were set to a nondescript identifier.
WEP encryption
This is considered to offer a low level of defence, enough to deter the casual attacker. A weakness in the
WEP algorithm was recently discovered, however, that allows the WEP encryption key to
be determined once sufficient network traffic has been gathered. On a busy network
this can take less than an hour. WEP can be enhanced by changing keys regularly,
but this introduces problems with key management. In our survey, only 25 percent
of Wireless LANs employed WEP.
802.1x
This uses WEP encryption but changes the keys on a regular basis to minimise problems. In addition an authentication
server is used to authenticate the client device to the AP before additional
services are permitted. When a client logs off, their services are disabled.
802.1x is supported by Windows XP and most current wireless devices, and should
be considered for all large implementations.
VPNs
Virtual Private Networks (VPNs) encrypt all traffic on the network. This protects against an attacker eavesdropping individual
packets and reassembling them to determine passwords and information that may
otherwise be sent in clear text over the network.
Honeypots are an interesting strategy, where the organisation places a sacrificial
server on the network that appears attractive to an attacker, but in fact contains
no sensitive information. In this way the attacker is enticed to focus on this
system instead of the real network.
The Vendor Angle
Vendors are adding security features to Wireless products or introducing new
technologies to assist in securing Wireless LANs. Vendors such as Airmagnet
and Bluesocket provide products that provide wireless security management. Wireless
vendors such as Cisco, Symbol and Netgear are including new security features
as part of their wireless solutions.
Traditional WLAN security includes the use of Service Set Identifiers (SSIDs),
open or shared-key authentication, static Wired Equivalent Privacy (WEP) keys
and optional Media Access Control (MAC) authentication. This combination offers
a rudimentary level of access control and privacy, but each element can be compromised.
Practical Notes
During the course of wireless security projects, we have observed that many
wireless networks do not have even the basics of security in place.
Access points are easily recognisable, SSIDs clearly identify the organisation,
device manufacturer information can be easily detected with the proper tools,
and many existing networks do not use basic encryption such as WEP.
Knowing this can allow an attacker to exploit specific vulnerabilities. Our
experience in penetration testing of wireless LANs has shown that few implementations
can be regarded as totally secure. We would expect an experienced attacker to
be able to access information on many of these connections using tools that
are freely available on the Internet.
The author is an Information Risk Management Consultant
with MIEL eSecurity.