The new standard in wireless networks--802.11g--offers speed, security, and performance. It is also the most widely employed standard in corporate internal wireless LAN networks. You can transfer data at up to 54Mbps using 802.11g (which is five times the speed of older 802.11b wireless networks). And wireless LANs provide some obvious benefits: they always provide on-network connectivity, they do not require a network cable, and they actually prove less expensive than traditional networks. Wireless networks have evolved into more affordable and logistically acceptable alternatives to wired LANs. But to take advantage of these benefits, your wireless LAN needs to be properly secured.
Network security in a wireless LAN environment is a unique challenge. Whereas wired networks send electrical signals or pulses through cables, wireless signals propagate through the air. Because of this, it is much easier to intercept wireless signals. This extra level of security complexity adds to the challenges network administrators already face with traditional wired networks. There are a number of extremely serious risks and dangers if wireless networks are left open and exposed to the outside world. This article covers the types of attacks wireless networks encounter, preventive measures to reduce the chance of attack, guidelines administrators can follow to protect their company's wireless LAN, and an excellent supply of online resources for setting up a secure wireless network.
Let's have a look at some of the security features available in the 802.11x wireless standard.
Service Set Identifier (SSID):
SSID is meant to differentiate one network from another. SSID is the identification string used by the wireless access points by which clients are able to initiate connections. SSID settings on your network should be considered the first level of security, and should be treated as such. In its standards-adherent state, SSID may not offer any protection against who gains access to your network, but configuring your SSID to something not easily guessable can make it harder for intruders to know what exactly they are looking at. For each wireless access point you deploy, it is very important to choose a unique and difficult-to-guess SSID. Also, by default, wireless gateways happily broadcast the SSID to be picked up by any wireless network device for easy configuration. Hiding the SSID by disabling the SSID broadcast makes the life of an intruder tough.
Before a wireless client and an access point start communicating, they are expected to start a dialogue. This process is called associating. When the 802.11x standard came into the picture, IEEE added an extra feature that allows networks to require authentication immediately after a device associates. This authentication can be considered as an extra layer of keyed security. There is a weakness in this, as it involves a clear text transmission. Thus it is possible for an attacker to get hold of the keys.
Wired Equivalent Privacy (WEP):
WEP is a standard method for encrypting traffic over a wireless network. WEP was intended to give wireless users security equivalent to being on a wired network. With WEP turned on, each packet to be transmitted is first encrypted and then passed through a shredding machine called RC4. 128-bit encryption is preferred over 64-bit encryption, as it is a lot more difficult to break. A major problem associated with WEP is key management. When we enable WEP according to the wireless standard, we need to visit each wireless device that we use and type in the proper WEP key. If the key is compromised for some reason, either you have to change the key or lose all security. Also, if you have hundreds of users on your network, changing the WEP key creates lots of difficulties. Thus, though WEP has several weaknesses, using WEP is better than not using it.
As in wired networks, the basic controls you'll need include a host system that authenticates the user or device attempting to access the network, and encryption that protects the data as it travels from the user device to the access point, whether to ensure confidentiality or to ensure that no one has tampered with the message or changed its content. The wireless networks based on 802.11x have been plagued by some well-publicized security failings. The IEEE 802.1x protocol provides a different approach to security and security management that overcomes the failings of 802.11x Wired Equivalent Privacy (WEP). The following is the list of some of the main known security risks.
The Wired Equivalent Privacy (WEP) encryption built into 802.11x can be compromised relatively easily. Wireless sniffing programs, such as AirSnort, can implement attacks that exploit these weaknesses. WEP has some known weaknesses in how the encryption is implemented. Keep in mind that using WEP is better than not using anything; it at least stops casual sniffers.
Let's take a closer look at each type of wireless network attack listed above.
Insertion attacks: These occur when you place unauthorized devices on the wireless network without going through a security process and review. This type of attack can happen when an attacker tries to connect a wireless client to an access point without authorization. It is possible to configure the access points so that they require a password for client access. If there is no password, an intruder can connect to the internal network simply by enabling a wireless client to communicate with the access point.
Interception and monitoring of wireless traffic: As in wired networks, it is possible to intercept and monitor the network traffic across a wireless LAN. For this type of attack to take place, the only condition that needs to be satisfied is that the attacker is within range of an access point.
Misconfiguration: Many access points ship in an unsecured configuration so that they can be handled and deployed easily. Unless each unit is configured prior to deployment, these access points will be a high risk for attack or misuse.
Client-to-client attacks: Two wireless clients can communicate with each other, bypassing the access point. Therefore, there is a need for the users to defend the clients not just against an external attack but also against each other.
Jamming: DoS (Denial of Service) attacks are easily applied to the wireless world, where legitimate information cannot reach the clients or access points, mainly because illegitimate traffic overwhelms the frequencies.
By gathering enough "interesting" packets, that is, those that contain weak initialization vectors (starting keys), the sniffers can decrypt WEP-encoded messages by breaking the keys employed by WEP. Some vendors are trying to fix this problem through firmware updates that provide "weak key avoidance."
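A sketch of what "weak key avoidance" can look like on the sending side, added here as an example and not taken from any vendor's firmware. It assumes two facts not stated above: the WEP IV is 24 bits, and the classic weak IVs have the byte pattern (A+3, 255, X), where A indexes a byte of the secret key. `is_fms_weak`, `IVSequencer` and `frames_before_reuse` are hypothetical names.

```python
IV_SPACE = 1 << 24  # WEP prepends a 24-bit IV to the shared secret key


def is_fms_weak(iv: bytes, key_len: int) -> bool:
    """True for IVs of the form (A+3, 0xFF, X) with A in 0..key_len-1."""
    return 3 <= iv[0] < 3 + key_len and iv[1] == 0xFF


class IVSequencer:
    """Counter-based IV source that never hands out an IV from the weak class."""

    def __init__(self, key_len: int, start: int = 0):
        self.key_len = key_len          # 5 bytes ("64-bit" WEP) or 13 bytes ("128-bit" WEP)
        self.counter = start % IV_SPACE

    def next_iv(self) -> bytes:
        while True:
            iv = self.counter.to_bytes(3, "big")   # byte order is an assumption of this sketch
            self.counter = (self.counter + 1) % IV_SPACE
            if not is_fms_weak(iv, self.key_len):
                return iv


def frames_before_reuse(key_len: int) -> int:
    """Frames that can be sent under one key before an IV must repeat."""
    # The filter removes key_len * 256 values from an already small space,
    # so it does nothing about IV reuse; only changing the key resets that.
    return IV_SPACE - key_len * 256


if __name__ == "__main__":
    seq = IVSequencer(key_len=13, start=0x03FEFF)
    print(seq.next_iv().hex(), seq.next_iv().hex())   # second IV jumps past 03ffxx
    print(frames_before_reuse(13))
```

The filter covers only this one IV pattern, and later attacks on WEP do not depend on it, so avoidance reduces exposure to the sniffers described above without making the cipher sound.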
Another way of deflecting the attacks is to change the WEP keys periodically. Before an attacker can gather enough information to deduce the keys, the keys themselves change. Unfortunately, WEP does not provide a facility to distribute keys to deployed devices. Traditionally, keys are delivered through some alternate communication method, usually involving a wired network that is considered to be secure. Key distribution is one management problem associated with WEP that causes administrative and security headaches. Another is the management of authorization for deployed devices. Device management is usually done through MAC addresses. A deployed wireless network allows or disallows access to the network by checking the requester's MAC address against an access-control list. Complications arise because most managers administer their access control lists at individual access points, rather than through a centralized database.
This decentralized approach gives rise to a large number of lists. If hardware is lost or stolen, updating the access points individually is time-consuming. Also, access control via MAC addresses has a greater problem: MAC-address spoofing is relatively trivial for the determined hacker or espionage agent to implement. As the above issues illustrate, not only is security flawed, but administration of the security structure in wireless networks is flawed as well.
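The drift between per-access-point lists described above can be checked mechanically. The following is an added example, not part of the original article; the access point names, MAC addresses and function names are constructed for illustration.

```python
import re


def norm_mac(raw: str) -> str:
    """Normalise 00:0A:.., 00-0a-.. and 000a.95.. notations to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit_acls(central, revoked, ap_acls):
    """Compare every access point's ACL with the central list minus revocations."""
    allowed = {norm_mac(m) for m in central} - {norm_mac(m) for m in revoked}
    report = {}
    for ap, acl in ap_acls.items():
        have = {norm_mac(m) for m in acl}
        report[ap] = {
            # still admitted by this AP although revoked or never approved
            "unauthorized": sorted(have - allowed),
            # approved centrally but not yet pushed to this AP
            "missing": sorted(allowed - have),
        }
    return report


def drifted(report):
    """Names of access points whose list differs from the central one."""
    return sorted(ap for ap, r in report.items() if r["unauthorized"] or r["missing"])


# Constructed sample data (locally administered addresses, not real devices).
CENTRAL = ["02:00:00:00:00:01", "02-00-00-00-00-02", "0200.0000.0003"]
REVOKED = ["02:00:00:00:00:02"]            # e.g. a laptop reported stolen
AP_ACLS = {
    "ap-lobby": ["02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"],
    "ap-lab": ["0200.0000.0001", "02:00:00:00:00:09"],
}

if __name__ == "__main__":
    result = audit_acls(CENTRAL, REVOKED, AP_ACLS)
    for ap in drifted(result):
        print(ap, result[ap])
```

A clean report only means the lists agree; because a MAC address can be spoofed, the list itself still does not authenticate anyone.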
IEEE 802.1x is an IEEE standard for "port-based network access control." It allows the decision of whether or not to permit network access to be made at the port, the point of contact to the network itself. Until a port is authenticated, it can be used only to pass traffic associated with the authentication process. Authentication can be user-based and managed at a centralized authentication server. In addition, 802.1x provides optional abilities to distribute keys. With its combination of centralized management, management by user instead of device, network protection, and key delivery, 802.1x seems to be the prescription for security, correcting WEP's failings.
The 802.1x protocol specifies Extensible Authentication Protocol (EAP) to carry authentication messages. As "extensible" implies, EAP can carry any number of actual authentication protocols. One example of an EAP authentication method is EAP-TLS. This protocol packages Transport Layer Security (TLS), an evolution of the Secure Sockets Layer (SSL) used in secure web browsing, on top of EAP's message structure. Another example is EAP-OTP, which specifies the use of "one-time passwords." For successful authentication, the entity requesting access to the network and the network's infrastructure must both support the same EAP "flavor." While a deployment requires administrators to consider infrastructure costs and interoperability, the technology is presently available, and deploying a wireless network without it would be a critical oversight.
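The port-based access control and the EAP "flavor" negotiation described above, as an added example that is not part of the original article. It uses the EAP header layout and type numbers from RFC 3748 and the EAPOL EtherType 0x888E; the class, the function names and the sample packets are constructed, and the port model is deliberately simplified.

```python
import struct

EAPOL_ETHERTYPE = 0x888E   # EAP over LAN: the only traffic an unauthorized port passes
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
METHODS = {1: "Identity", 3: "Nak", 5: "OTP", 13: "EAP-TLS"}


def parse_eap(pkt: bytes) -> dict:
    """Decode Code, Identifier, Length and, for Request/Response, the Type octet."""
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in CODES or not 4 <= length <= len(pkt):
        raise ValueError("bad EAP code or length field")
    msg = {"code": CODES[code], "id": ident, "type": None, "data": b""}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response without a Type octet")
        msg["type"] = METHODS.get(pkt[4], f"type-{pkt[4]}")
        msg["data"] = pkt[5:length]    # bytes past Length are padding and are ignored
    return msg


def method_after_nak(nak: dict, server_methods: set):
    """Peer refused the offered method: pick the first one it lists that the server supports."""
    for wanted in nak["data"]:         # one octet per desired Type, 0 = no alternative
        if wanted and wanted in server_methods:
            return wanted
    return None                        # no shared "flavor": authentication cannot proceed


class ControlledPort:
    """Simplified authenticator port: closed until the server's EAP Success is relayed."""

    def __init__(self):
        self.authorized = False

    def relay_from_server(self, pkt: bytes) -> None:
        code = parse_eap(pkt)["code"]
        if code in ("Success", "Failure"):
            self.authorized = code == "Success"

    def forwards(self, ethertype: int) -> bool:
        return self.authorized or ethertype == EAPOL_ETHERTYPE


# Constructed exchange (not a capture): server offers OTP, peer Naks and asks for EAP-TLS.
OFFER_OTP = bytes.fromhex("0102000505")
NAK_WANTS_TLS = bytes.fromhex("02020006030d")
SUCCESS = bytes.fromhex("03040004")
```

With a server that supports only OTP, `method_after_nak` returns `None` for this peer, which is the interoperability failure the paragraph warns about.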
If your organization wants to establish proper security protections, here are some important guidelines to follow.
Wireless security policy and architectural design: The security policy of an organization should include wireless networking as a part of overall security management.
Treat access points as untrusted: Access points need to be evaluated at regular intervals to determine whether they can be treated as untrusted devices. This will involve placing the appropriate firewalls, VPNs and IDS between the access point and intranets or the internet.
Access point configuration policy: One needs to define the standard security settings for access points before deploying them.
Access point security assessments: With the help of regular security audits, one can identify poorly configured access points.
Ultimately, security is everybody's business, and only with everyone's cooperation and consistent practices will it be achievable. Wireless security is a work in progress, so it is essential to administer a wireless network so that it becomes more and more secure. And with more organizations focusing strongly on wireless security, we can only expect to see many more secured wireless networks in the future.
The following online resources provide detailed information on wireless security.
This site offers information on IEEE 802.11x wireless standards, including a quick checklist on wireless security.
This site offers useful information on various aspects of wireless security, including white papers that provide in-depth details on wireless security.
This site has an interesting article on wireless security. Follow the link for "wireless network security" to learn more about pass phrases and encryption.
This site has useful resources on wireless security and details on securing a wireless network.
This site offers detailed information on security in wireless local area networks. You'll get a clear understanding of wireless standards and the various threats and vulnerabilities to wireless networks, compared with their wired counterparts.
This article explains how to set up a wireless network, focusing on access points and security.
The ten recommendations listed on this site detail what to do to secure a wireless network.
Swayam Prakasha has been working in information technology for several years, concentrating on areas such as operating systems, networking, network security, electronic commerce, Internet services, LDAP, and Web servers. Swayam has authored a number of articles for trade publications, and he presents his own papers at industry conferences. Currently he works at Unisys Bangalore in the Linux Systems Group.
Copyright © 2009 O'Reilly Media, Inc.