Guarding Against WLAN Security Threats

In a previous tutorial, I discussed security threats that you must consider when deploying
a wireless LAN. If you don’t implement security mechanisms beyond default settings
of the access points and radio NICs, then just about anyone can compromise the
information on the network. Through effective security techniques, however,
you can beef up the security of a wireless LAN to a degree that satisfies specific
requirements.

Simple Security Techniques

In many cases, you may only need to employ deterrents to keep the casual snooper
from messing with your wireless LAN. The following techniques offer partial
security that works for all applications and are generally adequate for home
and small office applications:

  • Turn SSID broadcasting "off." This ensures that the access
    point doesn’t include the SSID (service set identifier) in the beacon frames
    that are sent multiple times per second. Without the broadcasting of SSIDs,
    operating systems such as Windows XP will not discover the SSID and automatically
    configure the user’s radio NIC. As a result, an intruder will have to find
    out the SSID through other, more difficult means. 802.11 association frames
    always include the SSID, even when SSID broadcasting is off. Thus, someone
    can use an 802.11 packet analyzer (e.g., AirMagnet or AiroPeek)
    and sniff the air while a legitimate user boots up and associates with an
    access point. This requires enough effort (and expense) to cause most snoopers
    to go elsewhere. In some cases, though, it may not be practical to turn off
    SSID broadcasting. For example, you should broadcast SSIDs in public wireless
    LANs to provide open connectivity.
  • Utilize static IP addresses. By default, most wireless LANs
    utilize DHCP (dynamic host configuration protocol) to more efficiently assign
    IP addresses automatically to user devices. A problem is that DHCP doesn’t
    differentiate a legitimate user from a hacker. With a proper SSID, anyone
    implementing DHCP will obtain an IP address automatically and become a genuine
    node on the network. By disabling DHCP and assigning static IP addresses to
    all wireless users, you can minimize the possibility of the hacker obtaining
    a valid IP address. This limits their ability to access network services.
    Of course someone can use an 802.11 packet analyzer to sniff the exchange
    of frames over the network and learn what IP addresses are in use. This helps
    the intruder guess what IP address to use that falls within the range of ones
    in use. Thus, the use of static IP addresses isn’t foolproof, but at least
    it’s a deterrent. Also keep in mind that the use of static IP addresses in
    larger networks is very cumbersome, which may prompt network managers to use
    DHCP to avoid support issues.
  • Turn WEP "on." There are certainly problems with WEP
    (wired equivalent privacy), but it’s better than nothing. WEP
    encrypts the body of each 802.11 data frame, which makes it very difficult
    for someone with an 802.11 packet analyzer to decipher the actual data. There
    are methods and tools that hackers can use to untangle the encrypted data
    into something meaningful, but that generally requires someone with more technical
    ability than the common, casual snooper. As a result, the use of WEP acts
    like having a strong lock on the front door of your home. It keeps most people
    out, but someone with the right skills and motivation can pick the lock. This
    problem will eventually go away because 802.11 plans to solve the flaws of
    WEP through more advanced encryption methods (refer to a past tutorial
    for more details).
  • Utilize shared key authentication. Most wireless LANs on the market
    today allow the use of this optional 802.11 feature, which helps keep rogue
    radio NICs from gaining access to the network. When the authentication process
    occurs, the access point sends the radio NIC a string of challenge text. The
    radio NIC must encrypt the challenge text with its WEP key and send the encrypted
    version to the access point. After decrypting the challenge text with the
    common WEP key, the access point can determine that the radio NIC has the
    correct key if the challenge text matches what was sent initially. This forms
    the basis for allowing the NIC to authenticate with the access point. (Again,
    this mechanism is only as good as WEP. A determined hacker can still eventually
    break through.) 
  • Install/activate personal firewalls. This is something that many
    people overlook. In smaller networks, you generally keep all of your files
    on a personal computer or laptop. Without personal firewall protection, someone
    having legitimate or devious access to the wireless LAN can easily copy and
    open your files. Keep your files in access-protected directories to keep
    others from stealing your files. Of course this applies to wired networks
    as well.  
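The SSID item above says the beacon can omit the SSID while association frames always carry it. The following parser is an added example, not part of the original article; it walks the tagged elements of constructed sample frames (the SSID `office-wlan` and the all-zero addresses are made up) to show which frame types still expose the name.

```python
import struct

BEACON, ASSOC_REQ = 8, 0                    # management-frame subtypes
FIXED_FIELDS = {BEACON: 12, ASSOC_REQ: 4}   # fixed bytes before the elements

def build_mgmt_frame(subtype: int, ssid: bytes) -> bytes:
    """Build a constructed, minimal management frame (sample input only)."""
    frame_control = struct.pack("<BB", subtype << 4, 0)   # version 0, type 0
    header = frame_control + b"\x00\x00" + bytes(18) + b"\x00\x00"
    fixed = bytes(FIXED_FIELDS[subtype])
    ssid_element = bytes([0, len(ssid)]) + ssid            # element ID 0 = SSID
    rates_element = bytes([1, 2, 0x82, 0x84])              # supported rates
    return header + fixed + ssid_element + rates_element

def extract_ssid(frame: bytes):
    """Return (subtype, ssid) for a beacon or association request, else None."""
    if len(frame) < 24:
        return None
    frame_type, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if frame_type != 0 or subtype not in FIXED_FIELDS:
        return None
    pos = 24 + FIXED_FIELDS[subtype]
    while pos + 2 <= len(frame):                           # walk the elements
        element_id, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:                            # truncated element
            return None
        if element_id == 0:
            return subtype, value
        pos += 2 + length
    return None

def ssid_exposure(frames):
    """Split captured frames into SSIDs seen in beacons and in associations."""
    seen = {"beacon": set(), "association": set()}
    for frame in frames:
        parsed = extract_ssid(frame)
        if parsed and parsed[1].strip(b"\x00"):            # skip hidden/empty
            kind = "beacon" if parsed[0] == BEACON else "association"
            seen[kind].add(parsed[1].decode("utf-8", "replace"))
    return seen
```

With broadcasting off, the beacon set stays empty while the association set still lists the network name, which is why the setting is a deterrent rather than an access control.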
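The shared key authentication exchange described in the list above, modeled end to end as an added example (not code from the original article). It assumes the standard WEP construction of RC4 keyed with the cleartext IV followed by the shared key, plus a CRC-32 integrity value; the function names are hypothetical and 802.11 frame headers are left out.

```python
import os
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP body: RC4 keyed with IV||key over plaintext plus CRC-32 ICV."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return rc4(iv + wep_key, plaintext + icv)

def wep_decrypt(wep_key: bytes, iv: bytes, ciphertext: bytes):
    """Return the plaintext, or None when the ICV does not verify."""
    clear = rc4(iv + wep_key, ciphertext)
    body, icv = clear[:-4], clear[-4:]
    return body if zlib.crc32(body).to_bytes(4, "little") == icv else None

def ap_challenge() -> bytes:
    """Access point sends the radio NIC 128 bytes of challenge text."""
    return os.urandom(128)

def station_response(wep_key: bytes, challenge: bytes):
    """Radio NIC returns a cleartext IV and the WEP-encrypted challenge."""
    iv = os.urandom(3)
    return iv, wep_encrypt(wep_key, iv, challenge)

def ap_verify(wep_key: bytes, challenge: bytes, iv: bytes, response: bytes) -> bool:
    """Access point decrypts and compares with what it sent initially."""
    return wep_decrypt(wep_key, iv, response) == challenge

def authenticate(ap_key: bytes, nic_key: bytes) -> bool:
    """Run the whole exchange; True only when both sides hold the same key."""
    challenge = ap_challenge()
    iv, response = station_response(nic_key, challenge)
    return ap_verify(ap_key, challenge, iv, response)
```

Note that the challenge and the IV both cross the air unencrypted, so the exchange proves key possession and nothing more, which is the sense in which the mechanism is only as good as WEP.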

Advanced Security Mechanisms

In addition to the above security techniques, consider the following tips that
offer a greater degree of security to satisfy enterprise and vertical application
requirements:

  • Utilize a virtual private network (VPN). This involves the use of third-party encryption (e.g.,
    triple Data Encryption Standard or 3DES) that affects all data on the WLAN.
    Generally, the user installs VPN client software on their wireless device,
    which communicates securely with the VPN network. This can be a relatively
    expensive and somewhat inflexible solution, but it provides excellent security.
  • Implement mutual authentication mechanisms. Through the addition
    of a RADIUS server, 802.1X protocols, and possibly an access controller,
    you’ll have a framework for deploying mutual authentication
    between users and access points. This reduces man-in-the-middle attacks, such
    as rogue access points. Many enterprise-grade access points support these
    features. 802.1X provides port-based access control and mutual authentication
    between clients and access points via an authentication server, such as RADIUS.
    You’ll also need to choose an authentication type, such as EAP-TLS
    or EAP-TTLS. Be sure to implement encryption of user names and passwords or
    use digital certificates to strengthen the authentication process. 802.1X
    also provides a method for distributing encryption keys dynamically to wireless
    LAN devices, which solves the key reuse problem found in the current version
    of 802.11 WEP.
  • Place access points outside the enterprise firewall. To prevent intruders
    from accessing corporate network resources, ensure that the wireless LAN access
    points remain outside the firewall. You can configure the firewall to enable
    access from legitimate users based on MAC addresses, which makes it difficult
    (but not impossible) for a hacker to mimic. In fact, you can also incorporate
    MAC address filtering using most enterprise-grade wireless LAN access points.
  • Minimize radio wave propagation in non-user areas. Try orienting antennas
    to avoid covering areas outside the physically controlled boundaries of the
    facility. By steering clear of public areas, such as parking lots, lobbies,
    and adjacent offices, you’ll significantly reduce the ability for an intruder
    to participate on the wireless LAN. This will also minimize the impact of
    someone disabling your wireless LAN with jamming techniques.

The Bottom Line

Don’t count on wireless LANs being secure using factory default configurations
and settings. Be sure to take into account security risks and implement techniques
that guard against attacks. With today’s technologies, you can make a wireless
LAN just as secure as, or more secure than, Ethernet-based systems.

Jim Geier provides independent consulting services to companies
developing and deploying wireless network solutions. He is the author of the
book, Wireless LANs (SAMs, 2001), and regularly instructs workshops on wireless LANs.

Join Jim for discussions as he answers questions in the 802.11 Planet Forums.
