nesejunenomast.qxd
6/19/02
12:31 PM
Page 8
then delete the columns you don’t want. The objectClass attribute tells you whether the entry is for a user, a group, a Container and so on, so you can use it to extract just the class of objects you’re interested in. The example shows a heavily massaged result, but gives you some idea of how you might use the output. See Figure 3 for an example of csvlist syntax. There are two other ways to get quick partial reports. The ‘net user’ and ‘net view’ commands list the users and computers defined to the domain, but give no further information about them. You can also export lists of the objects in a Container to a text file. First, highlight the OU, then choose the ‘View’ option, and ‘Choose columns’ to display as much information as possible. Then from the Action menu, choose ‘Export list...’ to output the list to a text file. However, what you get is just a list of basic information that identifies each object. It doesn’t show you the object properties.

Conclusion The big change in Windows 2000 is that for the first time, you have a real opportunity to mirror your organization and its business rules in the design of the network environment. You don’t need to take this opportunity: the basic file permission/user/group structure is still there. However, if you do take time to plan your implementation and match it to the structure and processes of the business, you will reap benefits, not least in better and more manageable security.

Alison Webb BA FCA CISA has been an independent computer audit consultant since 1990. Her telephone number is +44 (0)1223 461316.

How To Secure Your Wireless Network David Watson, Technical Architect

There can be few corporate IT departments that have not yet had some exposure to the rapid uptake in wireless networking. As one of the current batch of hot technologies, wireless networking offers end users the alluring promise of easy installation, cross-vendor interoperability, and plug and play configuration under the latest operating systems. It could also mean an end to fighting for meeting room cables, significant benefits in support time, productivity and cost savings, and seamless integration for an increasingly mobile workforce. As you might expect, wireless networking also has the marketing hype to match such a new and potentially liberating technology. Whilst business users might wish to embrace all that wireless networking can offer, corporate IT managers might want to think twice before rushing to enter this networking nirvana. Before implementing a wireless network project, companies should make sure that they fully understand the particular risks that wireless networking may hold. Failure to do so can easily expose an entire company network to external and unauthorized access.

Wireless wild west For many businesses, the threat posed by wireless networking is analogous to the early days of the commercial Internet. Lack of education, standards and accepted best practices, coupled with a strong demand for new and enabling technology, means that early adopters could be exposing themselves to considerable risk. A recent and comprehensive survey of central London by the International Chamber of Commerce’s Cybercrime Service found that 94% of the 5000 wireless networks detected had not taken even basic steps to protect themselves from casual attack. Most handed out DHCP-based IP network connections to passers-by, and many readily revealed confidential information in plain text. Even those who had implemented security features often used default or easily guessed configurations.

High profile wireless security incidents have started to draw the attention of the mainstream press, but many wireless network users remain unaware of the threat the technology may pose to their existing corporate networks. For example, during May 2002 alone it was reported that:
• Wireless cash registers of US consumer electronics giant Better Buy Co. allowed passers-by to read plain text transaction records, including customer credit card details, from cars parked outside some of the chain’s 480 national branches.
• The closed-circuit TV security camera system for the US Defence Information Systems Agency (DISA) headquarters at Arlington, which houses the Defence Department’s Global Network Operations Center, Computer Emergency Response Team and Network Security Operations Center, was controlled by a completely unprotected external wireless network. Passing war-drivers could view security images and control cameras from a car parked across the road.
As drive-by network discovery (so-called war-driving or net stumbling) and casual wireless intrusion become more commonplace, it is likely that many more businesses will face embarrassing exposure or confidential data leaks. Since IT managers are traditionally not radio engineers, how can a business proceed to securely deploy and manage wireless networks?
Rebellious radio signals The most obvious and fundamental difference between traditional and wireless networks is the transmission medium. A wired infrastructure, with its inherent structured cabling and the limits enforced by physical boundaries, provides a degree of basic access control that is simply not present in a wireless network. Most companies have some physical access controls in place to prevent an outsider simply wandering in from the street and connecting computer equipment to corporate networks. The same does not apply to wireless networks, as network access can also come from highly mobile sources, such as moving staff or vehicle-mounted systems. Current wireless applications are based upon the IEEE 802.11b standard and utilize the 2.4-2.5 GHz portion of the radio spectrum. Signal range will typically be in the order of hundreds of metres, depending upon the sensitivity of the devices and any physical barrier to signal propagation. However, this is only the quoted range for standard business applications and the tiny wireless antennas provided with most laptop cards. Many people do not realize that radio signals travel much further and can be easily picked up with readily available sensitive antennas. Higher signal gain produces additional range. Even an empty Pringles tin can easily be converted into a 6 dB gain antenna at little cost.
Start with security Wireless security has to be considered from day one and cannot simply be applied as an afterthought. Initial wireless network feasibility studies should pay close attention to access point positioning, antenna choice (whether omni-directional, zoned or directional), signal amplification or wattage reduction, and signal spread. Positioning access points away from windows and close to the centre of buildings will minimize signal leakage. System implementers must take for granted that radio signals from wireless devices (and therefore unprotected and confidential data) will be publicly available at significant distances beyond physical site boundaries. A low bandwidth connection from the local coffee shop across the road is still a security risk.
WEP weaknesses The original encryption scheme for 802.11b wireless networks, called Wired Equivalent Privacy (WEP), and its use of the RC4 key scheduling algorithm, have been shown to have a number of inherent security weaknesses. These include:
• Network-wide shared encryption keys, rather than the dynamically changing per-session keys common to other encryption schemes.
• WEP permits weak 40-bit keys rather than requiring the stronger 104-bit key. The latter is marketed as “128-bit” WEP; the extra 24 bits are the per-packet initialization vector (IV), which is transmitted in the clear.
• Statistical weaknesses in the encryption method, initialization vectors and key reuse allow non-trivial encryption key cracking based upon analysis of 5-10 million passively captured packets (particularly on large networks).
• A lack of automated encryption key management software. If manual key changes across an enterprise become laborious, shared keys tend to remain unchanged for long periods of time and weaken security.
• Potential for active injection and redirection attacks. Tools exist (such as AirSnort or WEPCrack) that allow attackers to systematically break WEP encryption and gain access to wireless data.

Flawed features Whilst wireless encryption technology has some flaws, enabling whatever security features your hardware vendor does supply will certainly deter casual drive-by incidents. It also raises the entry barrier, increasing the effort a more determined attacker must make to compromise your network. If you can raise this barrier enough, many attackers will move on to easier pickings elsewhere. Most network vendors ship with security features disabled out of the box, to ease configuration for the end user. Corporate users should implement the following recommendations to maximize 802.11b’s inbuilt security features:
• Disable broadcast of the plain text Service Set Identifier (SSID), a name of up to 32 bytes, so that only clients already configured with the correct SSID can associate with an access point. With SSID broadcast enabled, any client can learn the SSID from the beacon frames and associate. Note that some vendors do not support disabling of broadcast SSIDs.
• More sophisticated attackers will counter a hidden SSID by capturing probe and association frames with an 802.11 scanner, since these carry the SSID in plain text. To limit the effect of such passive attacks, if possible transmit beacon frames only at the higher data rates (which carry less far) and lengthen the beacon interval so that fewer beacons are sent.
• Set non-standard SSIDs. Don’t use your company name, address, building details, or any other easily guessed information about your organization. Such information is simple to guess, and also makes it easy to locate an access point.
• Don’t choose SSIDs that could be attractive to attackers (e.g. secret-high-security-project). Follow strong password generation methods to create SSIDs that are difficult to guess. A public network with the vendor default SSID still set suggests an owner who does not worry too much about security and is an easy target.
• Always enable 40-bit or 128-bit WEP encryption. Although this may not be robust, it is a barrier to casual attack and it is surprising how many networks still do not use it.
• If possible, always use 128-bit WEP and don’t buy weaker or non-flash-upgradeable wireless products. Devices often require firmware upgrades to support new features. Since these often include new security features, try to keep up to date with firmware releases.
• Choose strong encryption keys on all wireless devices and change shared keys regularly. Encryption key changes make it harder for attackers to obtain and maintain a foothold on your network.
• Change all default vendor passwords. Attackers can easily determine the vendor of a wireless device from the OUI portion of its MAC address, and databases of standard passwords are readily available on a number of websites. If someone does gain unauthorized access to one part of your network, don’t assist attackers in taking control of other areas.
• If possible, administer your wireless devices using secure protocols such as SSH or HTTPS, rather than plain text telnet or HTTP.
• Select a non-default channel for your network (this also helps to avoid interference).
• Some vendors supply non-standard security features that are outside the 802.11 standards. If your network is from a single vendor, investigate and deploy any additional features available (but beware of interoperability issues). For example, Cisco LEAP improves user and key management, but only for Cisco-supported products. Agere Orinoco base stations support Closed Network to prevent the SSID being revealed.
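The checklist above is easiest to enforce if it is turned into a script that is run over every scan. The following Python is an added example written for this article, not code from the author or from any of the tools mentioned: it takes access point records in the shape a scanner such as Kismet or NetStumbler reports (the field names, the list of factory SSIDs, the “attractive” words and the assumption that channels 6 and 11 are common factory defaults are this example’s own) and reports which recommendations each access point violates. The three sample records are constructed, not real captures.

```python
"""Audit access point scan records against the 802.11b hardening checklist (added example)."""
from dataclasses import dataclass


@dataclass
class APRecord:
    """One access point as a scanner reports it. Field names are this example's, not any tool's."""
    bssid: str
    ssid: str
    channel: int
    wep_bits: int               # 0 = WEP off, 40 or 104 (the latter is sold as "128-bit")
    ssid_broadcast: bool = True  # SSID present in beacon frames


# Well-known factory SSIDs (lower case). "any"/"" is what an unconfigured client sends.
DEFAULT_SSIDS = {"", "any", "tsunami", "linksys", "default", "wireless"}
# Words that make an SSID a target; extend with whatever your own attackers would look for.
ATTRACTIVE_WORDS = ("secret", "confidential", "payroll", "finance")
# Assumption for this example: channels most vendors ship enabled by default.
DEFAULT_CHANNELS = {6, 11}


def audit_ap(ap: APRecord, org_words=()) -> list:
    """Return the checklist items this access point fails; an empty list means it passes.
    org_words: lower-case company names, sites or buildings that must not appear in an SSID."""
    findings = []
    s = ap.ssid.lower()
    if s in DEFAULT_SSIDS:
        findings.append("default SSID")
    elif any(w in s for w in org_words):
        findings.append("SSID identifies the organization")
    if any(w in s for w in ATTRACTIVE_WORDS):
        findings.append("SSID advertises sensitive content")
    if ap.ssid_broadcast:
        findings.append("SSID broadcast enabled")
    if ap.wep_bits == 0:
        findings.append("WEP disabled")
    elif ap.wep_bits < 104:
        findings.append(f"weak {ap.wep_bits}-bit WEP")
    if ap.channel in DEFAULT_CHANNELS:
        findings.append(f"default channel {ap.channel}")
    return findings


def audit(records, org_words=()) -> dict:
    """Map BSSID -> findings for a whole scan."""
    return {ap.bssid: audit_ap(ap, org_words) for ap in records}


# Constructed sample scan (not a real capture): an untouched factory unit, a badly
# named 40-bit unit, and one that follows the checklist.
SCAN_RECORDS = [
    APRecord("00:40:96:00:00:01", "tsunami", 6, 0),
    APRecord("00:02:2D:00:00:02", "acme-finance", 1, 40),
    APRecord("00:02:2D:00:00:03", "k7Qx29pLmV", 1, 104, ssid_broadcast=False),
]

if __name__ == "__main__":
    for bssid, findings in audit(SCAN_RECORDS, org_words=("acme",)).items():
        print(bssid, "OK" if not findings else "; ".join(findings))
```

Run it against each day’s scan output and diff the results: a registered access point that suddenly reappears with a factory SSID and no WEP is usually one that has been power-reset and has lost its configuration, which the access control section below warns about.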
Defence in depth Using knowledge of the risks and limitations of current wireless technologies, IT managers should ensure that planned wireless network deployments provide defence in depth and follow the three A’s of Security — Access Control, Authentication and Auditing.
Access control Employ the same policies and techniques for wireless LAN security as you would for Internet access, and treat any wireless network as potentially hostile. Segregate your wireless network from your corporate network using a firewall. For example, a wireless network design may be based around a central firewall on site at head office. It would include a wireless guest DMZ segment with Internet access only for clients visiting the company. For warehouse staff, no access to either corporate networks or the Internet would be allowed, except for limited authenticated access for traffic required for asset management and inventory systems. The firewall would ensure that both visitor and warehouse traffic were kept separate from finance, personnel and engineering networks. By default, most wireless access points will accept association requests from any source. Each Ethernet network device has a unique 48-bit hardware identifier, the Media Access Control (MAC) address, of which the first 24 bits constitute the Organizationally Unique Identifier (OUI) of the manufacturer. Provided that you have a clear understanding of the assets within your company, MAC filtering can be employed to restrict access point associations to company-owned devices. Some access point products can alert system administrators in the event that an unknown MAC address is detected, and online databases of OUIs can help in tracking down unauthorized network access attempts. Be aware that more sophisticated attackers can spoof MAC addresses to gain access anyway: client addresses are sent in the clear in every frame, so anyone with a scanner can copy one that the access point already accepts. MAC filtering is therefore a deterrent and an alerting aid, not authentication. For large networks, manual administration of MAC address tables can be time consuming. If possible, don’t enable DHCP on your wireless network; instead require static IP addressing. Change the IP address range of the wireless network so that you don’t use the vendor’s default. Many networks still have the 192.168.1.0/24 network with 192.168.1.1 or 192.168.1.254 as the router. Whilst more sophisticated attackers will work round this, again it will help to deter casual drive-by attacks. Consider deploying intrusion detection systems (IDS) to monitor wireless gateways for suspicious traffic. IDSs provide additional monitoring and make it possible to intercept and block potentially hostile wireless network traffic. If your access points are only used for specific purposes or at specific times, consider reducing risk by switching off inactive nodes until needed. Before doing so, check whether a power reset will cause a loss of security configuration information on your access point.
Authentication If your wireless network users do require access to your corporate network, employ strong authentication mechanisms such as RADIUS, LDAP, Kerberos and physical tokens. If your wireless data is at all sensitive, consider deploying a wireless VPN to further authenticate and encrypt communications, or use SSL or SSH to secure application data channels. The same firewall that provides access control can also serve as an end point for
encryption, and will probably support more robust methods such as IPsec, L2TP or PPTP. Many business users will already be accustomed to using VPN client software installed on laptops for remote access. A number of vendors such as Bluesocket, Vernier Networks, ReefEdge and Ecutel currently market wireless gateway solutions that provide consolidated authentication, access control and VPN capabilities, and many larger vendors look set to enter the marketplace in the near future. Recently, vendors have been moving to address some of the issues in wireless security. Upcoming IEEE standards should strengthen the existing 802.11 security features. 802.1X (now included in Windows XP) adds port-based authentication and wireless encryption key distribution capabilities. Although 802.1X still employs the relatively weak WEP cipher, the encryption keys automatically change every few minutes. This significantly reduces the key management overhead, and it makes WEP key cracking by capture analysis impractical, provided the rotation interval is shorter than the time an attacker needs to capture enough traffic under a single key.
Auditing Actively look for the appearance of rogue Access Points on your networks using wireless audit tools such as NetStumbler or Kismet. Since wireless network technology is cheap, simple and quick to set up, users often go ahead and install their own systems without the involvement of anyone else. Unknown, back door or temporary wireless gateway deployments can pose a significant risk to even the most well managed IT department. Conferences and other short one-off events often present major risks through the unplanned deployment of wireless networks. Monitor your access logs and routinely look for suspicious entries. Make sure you have an audit trail to track potential security breaches, and a plan for how to respond should one occur.
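The unknown-MAC alerting described under access control and the rogue access point search described here are the same job: compare what the radio sees with what the asset register says should be there. The following Python is an added example written for this article, not the author’s code and not part of Kismet or NetStumbler. It assumes a hypothetical asset register of authorized access points and company client cards, a handful of OUI entries (a real deployment loads the full IEEE OUI list), scan output reduced to (BSSID, SSID) pairs, and association log lines in a syslog-like format of this example’s own; the scan and log lines are constructed, not real captures.

```python
"""Rogue access point and unknown client detection (added example, not the article's code)."""
import re

# Sample entries from the IEEE OUI registry; load the complete list in practice.
OUI = {
    "00:40:96": "Cisco Systems (Aironet)",
    "00:02:2D": "Agere Systems (Orinoco)",
    "00:A0:F8": "Symbol Technologies",
    "00:60:1D": "Lucent Technologies (WaveLAN)",
}

# Hypothetical asset register: every access point you own, with the SSID it should advertise,
# and every company-owned client card.
AUTHORIZED_APS = {
    "00:40:96:00:00:01": "k7Qx29pLmV",
    "00:40:96:00:00:02": "k7Qx29pLmV",
}
COMPANY_CLIENTS = {"00:02:2D:00:00:10", "00:02:2D:00:00:11"}


def vendor(mac: str) -> str:
    """Manufacturer from the first 24 bits (OUI) of a MAC address."""
    return OUI.get(mac.upper()[:8], "unknown vendor")


def rogue_aps(scan) -> list:
    """scan: iterable of (bssid, ssid) pairs as seen by a scanner. Flags access points that
    are not in the register, and registered ones advertising the wrong SSID (typically a
    unit that has been reset to factory defaults)."""
    findings = []
    for bssid, ssid in scan:
        b = bssid.upper()
        if b not in AUTHORIZED_APS:
            findings.append((b, f"rogue AP '{ssid}' ({vendor(b)})"))
        elif AUTHORIZED_APS[b] != ssid:
            findings.append((b, f"registered AP now advertising '{ssid}'"))
    return findings


# Log line format assumed for this example: "<date> <time> <ap-name> assoc <client-mac>".
ASSOC_RE = re.compile(r"(?P<ts>\S+ \S+) (?P<ap>\S+) assoc (?P<mac>([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")


def unknown_clients(log_lines) -> list:
    """Association events from MACs not on the company asset list. A MAC address can be
    spoofed, so this is an alert to investigate, not an access control."""
    hits = []
    for line in log_lines:
        m = ASSOC_RE.search(line)
        if m and m["mac"].upper() not in COMPANY_CLIENTS:
            hits.append((m["ts"], m["ap"], m["mac"].upper(), vendor(m["mac"])))
    return hits


# Constructed inputs: one good AP, a user's own Linksys box, and a registered AP that has
# lost its configuration; one known client, one stranger, one non-association event.
SEEN_APS = [
    ("00:40:96:00:00:01", "k7Qx29pLmV"),
    ("00:02:2d:ab:cd:ef", "linksys"),
    ("00:40:96:00:00:02", "tsunami"),
]
ASSOC_LOG = [
    "2002-06-19 09:01:02 ap-east assoc 00:02:2d:00:00:10",
    "2002-06-19 09:03:44 ap-east assoc 00:a0:f8:12:34:56",
    "2002-06-19 09:05:00 ap-east deauth 00:02:2d:00:00:10",
]

if __name__ == "__main__":
    for bssid, why in rogue_aps(SEEN_APS):
        print("AP", bssid, why)
    for ts, ap, mac, who in unknown_clients(ASSOC_LOG):
        print("CLIENT", ts, ap, mac, who)
```

The OUI tells you what kind of equipment showed up, which is often enough to tell a colleague’s new laptop from a war-driver’s card, but because the address is copied from the air trivially, a “known” MAC proves nothing on its own; treat a match as the absence of an alert, not as authentication.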
If possible, control traffic volumes and create alerts on sudden traffic spikes, detection of unknown MAC addresses or broadcast storms that could be an indicator of unwanted network activity. Use a wireless device to test the signal strength of your wireless network in public areas beyond your site, but remember that more sensitive antennas allow signals to be intercepted beyond the normal corporate device range. Consider purchasing your own higher gain antennas and testing your surroundings before someone else does.

Understand your enemy There are many wireless tools available, some commercial and some freeware. Understanding such tools helps you to gauge the capabilities of attackers and the potential threat to your network. Figure 1 lists the tools we recommend for auditing your own networks.

Figure 1: Recommended wireless auditing tools. “Cost” = commercial product; “(Linux)” under PDA = runs on a Linux-based handheld.

Application       Windows  UNIX   Mac  PDA      Cost  Use
Kismet            No       Linux  No   (Linux)  No    AP discovery, traffic logging
Netstumbler       Yes      No     No   WinCE    No    AP discovery
Wellenreiter      No       Linux  No   (Linux)  No    AP discovery, traffic logging
Wardrive          No       Linux  No   (Linux)  No    AP discovery
BSD Airtools      No       BSD    No   No       No    AP discovery
FreeStumble       No       BSD    No   No       No    AP discovery
Airopeek          Yes      No     No   No       Yes   AP discovery, traffic logging
Sniffer Wireless  Yes      No     No   No       Yes   AP discovery, traffic logging
MacStumbler       No       No     Yes  No       No    AP discovery
Airsnort          No       Linux  No   (Linux)  No    WEP key cracking
WEPCrack          No       Linux  No   (Linux)  No    WEP key cracking
Ceniffer          No       No     No   WinCE    Yes   Traffic logging
AirMagnet         No       No     No   WinCE    Yes   AP discovery, traffic logging

Conclusion Wireless networking can be a powerful and enabling technology. However, safely deploying wireless services in the enterprise requires planning and attention to known security issues. Current 802.11b devices, when used out of the box, provide little or no security. A determined attacker can compromise even fully configured devices. Wireless networks should always be considered insecure unless additional access control, auditing and authentication are employed. Testing your own networks helps you to understand your organization’s wireless footprint. Familiarity with wireless security tools will expose potential risks and allow IT managers to close down any vulnerability. Security tests against exposed wireless systems are important, but make sure that security testing is repeated regularly, as wireless networks change more often than conventional networks.

Launched in 1995, ioko365 offers consulting and systems integration for large corporate businesses in the financial, pharmaceutical, retail, extraction, entertainment and government sectors.

David Watson can be contacted at [email protected]