April 17, 06
Know your wireless enemy
Understanding the tools that could be used against your WLAN.
There are lots of ways to add security to a wireless LAN, but the challenge is knowing which ones to use. In most cases, the business needs and a proper assessment of risk ought to determine the level of security, but there will inevitably be other constraints too - for example, not all devices support the latest WPA spec for encryption.
Most wireless access points (APs) offer a number of security features as standard. Needless to say, you should already have enabled the highest feasible level of encryption, and disabled SSID broadcast where practical.
The other one that most APs offer, MAC (media access control) address filtering, requires a high degree of administration. This alone will rule it out in many large deployments, even before you start worrying that the "locally administered address" overrides the "universally administered address" - which in brief means that MAC addresses can be cloned or spoofed.
Tools that you can use to work with MAC addresses include AirSnare which will let you watch the MAC addresses on your network, detecting unfriendly ones and alerting you to DHCP requests. Spoofing one of those existing MACs is as easy as editing the Windows Registry (under Network Address) or using a program such as SimpleMAC.
Some key facts about keys
Incidentally, it is worth stating at this point that rogue APs are a bigger threat if you decide not to deploy legitimate WLANs than if you have a company wireless network. This is simple psychology - if you have a legitimate and properly secured network, users will not be tempted to set up their own WLANs in competition.
If you do have rogue APs or inadequate encryption, the network is potentially vulnerable to hackers, who come in several different flavours. Freeloaders are just looking for free Internet access, you may even choose to allow this but block access to the company LAN, which is the main target of hacker type two, the intruder. However, freeloading could easily be mistaken for the third possible reason for invading a WLAN, which is spamming and/or spreading viruses.
Useful tools for the net admin hunting down rogue APs include scanners such as Kismet for Linux, NetStumbler for Windows, WiFiFoFum for Windows Mobile and Pocket PC, and NetChaser for PalmOS. Many of these can also be used with a GPS device to help you locate your target AP.
To see how easy it is to recover and crack WEP keys once you've found a network, you can try tools such as WEPcrack, AirSnort or Chopper. These all use statistical analysis - WEP keys are static, so if they can collect enough traffic they can compute the key, but that does require a lot of time and packets.
It is possible to speed up the data gathering process, however, and two FBI agents have demonstrated breaking a 128-bit WEP key in three minutes. They used two attacking clients and a set of tools including Kismet, Aircrack and Void11 to generate extra traffic, either by recording and replaying legitimate packets, or by forcing one of the laptops to disassociate from the WLAN. This approach doesn't need much legitimate traffic - essentially, you are generating lots of extra traffic with one laptop and recording the encrypted responses with the other.
Beating the crackers
In addition, WEP has been supplanted in 802.11i by WPA2, this uses AES encryption which is stronger than WEP's RC4. However, AES is also more computationally intensive, so an interim version - WPA-PSK - was developed using TKIP and per-packet keying instead. It uses passphrases though, and may be vulnerable to dictionary attacks.
If you are moving to WPA, it is very important to consider how you will manage the transition. One option is to maintain backwards compatibility with WEP, but that leaves you still vulnerable to WEP attacks, the other is to prohibit WEP outright, but not all of your PCs and APs will be WPA-capable, so you will need to find and replace the ones that aren't.
There are other ways of securing WLANs, as well. VPN overlays allow anyone to connect to the WLAN, but they must then set up an IPSec tunnel. The drawback is that this does not stop clients from attacking each other, and there is also a performance overhead with IPSec.
Another route is role-based access control via a wireless switch, such as those from Bluesocket, Aruba, Trapeze and Airespace (now owned by Cisco), or via one of a number of network access control (NAC) devices. With these you can set criteria such as role, schedule and location, and use these to grant or limit access. The WLAN can be firewalled off too, on a separate subnet.
But perhaps the cheapest method of all, as long as you don't have too many APs, is also the simplest - hackers often come by out of office hours, when you're not watching your network, so plug your AP into a time switch from the local hardware store and set it to turn off at night.