After deploying a wireless LAN, you need to implement a security assessment,
which ensures that the WLAN complies with effective security policies. For most
situations, this is necessary whether or not the network implements effective
security mechanisms. Don’t put too much trust in the design of a system. It’s
best to run tests to be certain that the network is hardened enough to guard
against unauthorized persons attacking company resources.
In fact, companies should conduct regular, periodic security reviews to ensure
that changes to the WLAN don’t make the system vulnerable to hackers. A review
once each year may suffice for low-risk networks, but a review each quarter
or more often may be necessary if the network supports high-risk information
(e.g., financial data, postal mail routing, manufacturing control functions,
etc.).
When performing a wireless LAN security assessment, consider completing the
following steps:
- Review existing security policies. Before getting too far with the
security assessment, become familiar with the policies that the company has
regarding wireless LAN security. This provides a benchmark for determining
whether or not a company is complying with their own policies. In addition,
you’ll be able to make an assessment and corresponding recommendations for
policy modifications. Determine whether the policy leaves any room for a hacker
(e.g., a disgruntled employee) to access or harm company resources. For example, the policy should describe adequate encryption and authentication
mechanisms, keeping in mind that 802.11 WEP (Wired Equivalent Privacy) is broken. Also, the policy should mandate that all
employees coordinate with the company’s information systems organization
before purchasing or installing access points. It’s very important that
all access points have configuration settings that comply with the policies
and provide the proper level of security. In addition, you need to ensure
that methods are in place that disseminate security policies to employees
in an effective manner. For more on the types of security policies to consider,
refer to a previous tutorial.
- Review the system architecture and configurations. Meet with information
systems personnel and read through related documentation to gain an understanding
of the system’s architecture and configurations of access points. You’ll need
this to determine whether there are any design flaws that provide weaknesses
that could allow a hacker inside the system. For example, if static WEP is in use, then a hacker could utilize tools
such as AirSnort to break through the encryption process.
In addition, the dependence on 802.11 authentication alone will only verify
the radio NIC and not the user, which could allow an unauthorized person
to steal someone’s wireless-equipped laptop and access the corporate network.
- Review operational support tools and procedures. Some security weaknesses
materialize when a company supports a WLAN. As a result, learn as much as
possible about existing support tools and procedures to spot potential issues.
Most companies, for example, configure the access points over the wired Ethernet
backbone. With this process, the password used to open a connection with
a particular access point is sent in the clear (i.e., unencrypted) over the
wired network. As a result, a hacker with monitoring equipment hooked to the
Ethernet network can likely capture the passwords and reconfigure the access
point.
- Interview users. Be sure to talk with a sample of employees to determine
whether they are aware of the security policies, at least to a level of security
that they can control. For example, do the users know that they must coordinate
the purchase and installation of wireless LAN components with the appropriate
organization? Even though the policy states this, don’t count on everyone
having knowledge of the policy. A new employee or someone who hasn’t seen
the policy may purchase an access point from a local office supply store and
install it on the corporate network (without any security settings enabled)
to provide wireless connectivity within their office. It’s also a good idea
to verify that people are using personal firewalls (or that they know they
should).
- Verify configurations of wireless devices. A portion of the security
policy should define appropriate access point configurations that will offer
an applicable level of security. As part of the assessment, walk through the
facilities having access points and use tools such as AirMagnet
or AiroPeek to capture the access point
configurations. If the company has centralized support software (such as AirWave
or CiscoWorks) in place, then you should be
able to view the configuration settings from a single console attached to
the wired side of the network. This is to determine which security mechanisms
are actually in use and whether or not they comply with effective policies. For example, the policies may state that access points must disable the
physical console port, but while testing you determine that most access
points have the ports enabled. Of course this would indicate non-compliance
with the policies, and it would enable a hacker to possibly reset the access
point to factory default settings with no security enabled. In addition,
look at the firmware version of each access point to see if it’s up-to-date.
Older firmware versions might not implement the more recent patches that
fix encryption vulnerabilities.
- Investigate physical installations of access points. As you walk
through the facilities, investigate the installation of access points by noting
their physical accessibility, antenna
type and orientation, and radio wave propagation into portions of the
facility that don’t have physical security controls. The access points should
be mounted in a position that would make it difficult for someone to go unnoticed
and physically handle the access point. An access point simply placed on top
of a bookshelf, for example, would make it easy for a hacker to swap the access
point with an open one that doesn’t have any security enabled. Or, the hacker
could attach a laptop to the console port to reset the access point. If the
access points are all mounted above the ceiling tiles and out of plain view,
however, someone would need to use a ladder and would probably be noticed
by an employee or security guard.
- Identify rogue access points. A problem that’s difficult to enforce
and significantly undercuts the security of the wireless LAN is when an employee
installs a "personal" access point in their office. Most of the
time, these installations don’t comply with security policies and result in
an open, non-secure entry port to the corporate network. In fact, a hacker
can utilize sniffing tools to alert them when such an opportunity exists.
As a result, scan for these unauthorized access points as part of the assessment.
Most companies will be surprised to learn how many they’ll find. The most
effective method for detecting rogue access points is to walk through the
facilities with sniffing tools, such as AirMagnet or AiroPeek. In addition,
the company should periodically scan the network for potential rogue access
points from the wired side of the network.
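The two walk-through steps above, verifying access point configurations against policy and spotting rogue access points, reduce to comparing what the sniffer and management console report with an authorized inventory and the policy’s required settings. The following Python is an added example, not part of the original tutorial; the policy values, the authorized inventory and the scan results are constructed, and WPA2 stands in for whatever strong encryption the policy names.

```python
from dataclasses import dataclass
# Constructed policy, hypothetical values: WPA2 only (WEP and open networks
# are not permitted), console port disabled, firmware at or above 12.3.1.
POLICY = {
    "allowed_encryption": {"WPA2"},
    "console_port_disabled": True,
    "min_firmware": (12, 3, 1),
}
# Constructed inventory of authorized access points: BSSID -> mounting location.
AUTHORIZED = {
    "00:11:22:33:44:01": "Bldg A, 2nd floor, above ceiling tiles",
    "00:11:22:33:44:02": "Bldg A, 3rd floor, above ceiling tiles",
}

@dataclass
class ApObservation:
    bssid: str                  # radio MAC address seen by the sniffer
    ssid: str
    encryption: str             # "OPEN", "WEP", "WPA2", ...
    console_port_enabled: bool  # from the captured configuration
    firmware: str               # dotted version string, e.g. "12.3.1"

def parse_version(version):
    return tuple(int(part) for part in version.split("."))

def assess(observations, policy=POLICY, authorized=AUTHORIZED):
    """Map each BSSID to its list of findings; an empty list means compliant."""
    findings = {}
    for ap in observations:
        issues = []
        if ap.bssid.lower() not in authorized:
            issues.append("rogue: BSSID not in authorized inventory")
        if ap.encryption.upper() not in policy["allowed_encryption"]:
            issues.append(f"encryption {ap.encryption} not permitted by policy")
        if policy["console_port_disabled"] and ap.console_port_enabled:
            issues.append("physical console port enabled")
        if parse_version(ap.firmware) < policy["min_firmware"]:
            issues.append(f"firmware {ap.firmware} below minimum")
        findings[ap.bssid.lower()] = issues
    return findings

# Constructed walk-through results: two authorized APs and one unknown device.
SAMPLE_SCAN = [
    ApObservation("00:11:22:33:44:01", "corp", "WPA2", False, "12.3.1"),
    ApObservation("00:11:22:33:44:02", "corp", "WPA2", True, "11.9.0"),
    ApObservation("aa:bb:cc:dd:ee:ff", "linksys", "OPEN", True, "1.0.0"),
]

if __name__ == "__main__":
    for bssid, issues in assess(SAMPLE_SCAN).items():
        print(bssid, "compliant" if not issues else "; ".join(issues))
```

The same comparison runs unchanged over a wired-side export from centralized support software, since only the observation records differ.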
- Perform penetration tests. In addition to hunting for rogue access
points, try going a step further and attempt to access corporate resources
using common tools available to hackers. For instance, can you utilize
AirSnort to crack through WEP? Is it possible to associate with an access
point from outside the company’s controlled perimeter? Of course if WEP is
turned off, then your job will be easy. If strong encryption and authentication
techniques are in use, then you’ll likely not find a way in.
- Analyze security gaps. The information you gather during the assessment
provides a basis for understanding the security posture of a company or organization.
After collecting information in the above steps, spend some time thinking
about potential gaps in security. This includes issues with policy, network
architecture, operational support, and other items that weaken security, such
as presence of unauthorized access points and abilities to penetrate the network.
This requires you to think like a hacker and uncover any and all methods that
make it easier for someone to penetrate and access (or control) company resources
through the wireless LAN.
- Recommend improvements. As you spot weaknesses in the security of
the wireless LAN, research and describe methods that will counter the issues.
Start by recommending improvements to the policies, which dictate what the
company requires in terms of security for the wireless LANs. This provides
a basis for defining technical and procedural solutions that will strengthen
the security of the system to a level that protects the company’s interests.
With these steps in mind, you’re on the right track to performing a wireless
LAN security assessment.
Jim Geier provides independent consulting services to companies
developing and deploying wireless network solutions. He is the author of the
book, Wireless LANs
(SAMs, 2001) and offers computer-based
training (CBT) courses on wireless LANs.
Join Jim for discussions as he answers questions in the 802.11 Planet Forums.