Wireless LAN Security Assessment Steps

After deploying a wireless LAN, you need to perform a security assessment to
verify that the WLAN complies with the security policies in force. In most
situations this is necessary whether or not the network is believed to implement
effective security mechanisms. Don't put too much trust in the design of a
system. It's best to run tests to be certain that the network is hardened enough
to keep unauthorized persons from attacking company resources.

In fact, companies should conduct regular, periodic security reviews to ensure
that changes to the WLAN don't make the system vulnerable to hackers. A review
once each year may suffice for low-risk networks, but a review each quarter
or more often may be necessary if the network supports high-risk information
or functions (e.g., financial data, postal mail routing, manufacturing control
functions).

When performing a wireless LAN security assessment, consider completing the
following steps:

  1. Review existing security policies. Before getting too far with the
    security assessment, become familiar with the policies that the company has
    regarding wireless LAN security. This provides a benchmark for determining
    whether or not the company is complying with its own policies. In addition,
    you'll be able to make an assessment and corresponding recommendations for
    policy modifications. Determine whether the policy leaves any room for a hacker
    (e.g., a disgruntled employee) to access or harm company resources.

    For example, the policy should describe adequate encryption and authentication
    mechanisms, keeping in mind that 802.11 WEP (Wired Equivalent Privacy) is
    broken. Also, the policy should mandate that all employees coordinate with
    the company's information systems organization before purchasing or
    installing access points. It's very important that all access points have
    configuration settings that comply with the policies and provide the proper
    level of security. In addition, you need to ensure that methods are in place
    that disseminate the security policies to employees in an effective manner.
    For more on the types of security policies to consider, refer to a previous
    tutorial.

  2. Review the system architecture and configurations. Meet with information
    systems personnel and read through related documentation to gain an understanding
    of the system's architecture and the configurations of the access points.
    You'll need this to determine whether there are any design flaws that
    provide weaknesses a hacker could use to get inside the system.

    For example, if static WEP is in use, a hacker can use tools such as
    AirSnort to recover the key from captured traffic and break the encryption.
    In addition, relying on 802.11 authentication alone verifies only the radio
    NIC, not the user, so an unauthorized person could steal someone's
    wireless-equipped laptop and use it to access the corporate network.

  3. Review operational support tools and procedures. Some security weaknesses
    materialize in the way a company supports a WLAN. As a result, learn as much
    as possible about existing support tools and procedures to spot potential
    issues. Most companies, for example, configure the access points over the
    wired Ethernet backbone. With this process, the password used to open a
    management session with a particular access point is sent in the clear
    (i.e., unencrypted) over the wired network, for instance when the access
    point is managed via Telnet or a browser over plain HTTP. As a result, a
    hacker with monitoring equipment hooked to the Ethernet network can likely
    capture the password and reconfigure the access point.
  4. Interview users. Be sure to talk with a sample of employees to determine
    whether they are aware of the security policies, at least to the level of security
    that they can control. For example, do the users know that they must coordinate
    the purchase and installation of wireless LAN components with the appropriate
    organization? Even though the policy states this, don't count on everyone
    having knowledge of the policy. A new employee or someone who hasn't seen
    the policy may purchase an access point from a local office supply store and
    install it on the corporate network (without any security settings enabled)
    to provide wireless connectivity within their office. It's also a good idea
    to verify that people are using personal firewalls (or that they know they
    should).
  5. Verify configurations of wireless devices. A portion of the security
    policy should define appropriate access point configurations that will offer
    an applicable level of security. As part of the assessment, walk through the
    facilities having access points and use tools such as AirMagnet or AiroPeek
    to capture what each access point advertises (SSID, channel, and whether
    encryption is enabled). If the company has centralized support software
    (such as AirWave or CiscoWorks) in place, then you should be able to view
    the configuration settings from a single console attached to the wired side
    of the network. The goal is to determine which security mechanisms are
    actually in use and whether or not they comply with the policies in force.

    For example, the policies may state that access points must disable the
    physical console port, but while testing you determine that most access
    points have the port enabled. Of course this would indicate non-compliance
    with the policies, and it could enable a hacker to reset the access point to
    factory default settings with no security enabled. In addition, look at the
    firmware version of each access point to see if it's up to date. Older
    firmware versions might not implement the more recent patches that fix
    encryption vulnerabilities.

  6. Investigate physical installations of access points. As you walk
    through the facilities, investigate the installation of access points by noting
    their physical accessibility, antenna type and orientation, and radio wave
    propagation into portions of the facility that don't have physical security
    controls. The access points should be mounted in a position that would make
    it difficult for someone to go unnoticed while physically handling the
    access point. An access point simply placed on top of a bookshelf, for
    example, would make it easy for a hacker to swap the access point with an
    open one that doesn't have any security enabled. Or, the hacker could attach
    a laptop to the console port to reset the access point. If the access points
    are all mounted above the ceiling tiles and out of plain view, however,
    someone would need to use a ladder and would probably be noticed by an
    employee or security guard.
  7. Identify rogue access points. A problem that's difficult to control
    and that significantly undercuts the security of the wireless LAN is an
    employee installing a "personal" access point in their office. Most of the
    time, these installations don't comply with security policies and result in
    an open, non-secure entry port to the corporate network. In fact, a hacker
    can use sniffing tools that alert them when such an opportunity exists.
    As a result, scan for these unauthorized access points as part of the assessment.
    Most companies will be surprised to learn how many they'll find. The most
    effective method for detecting rogue access points is to walk through the
    facilities with sniffing tools, such as AirMagnet or AiroPeek, and compare
    what you find against the inventory of authorized access points. In
    addition, the company should periodically scan the network for potential
    rogue access points from the wired side of the network.
  8. Perform penetration tests. In addition to hunting for rogue access
    points, try going a step further and attempt to access corporate resources
    using common tools available to hackers. For instance, can you use AirSnort
    to crack WEP? Is it possible to associate with an access point from outside
    the company's controlled perimeter? Of course, if WEP is turned off, your
    job will be easy. If strong encryption and authentication techniques are in
    use, then you'll likely not find a way in.
  9. Analyze security gaps. The information you gather during the assessment
    provides a basis for understanding the security posture of a company or organization.
    After collecting information in the above steps, spend some time thinking
    about potential gaps in security. This includes issues with policy, network
    architecture, and operational support, and other items that weaken security, such
    as the presence of unauthorized access points and the ability to penetrate the
    network. This requires you to think like a hacker and uncover any and all
    methods that make it easier for someone to penetrate and access (or control)
    company resources through the wireless LAN.
  10. Recommend improvements. As you spot weaknesses in the security of
    the wireless LAN, research and describe methods that will counter the issues.
    Start by recommending improvements to the policies, which dictate what the
    company requires in terms of security for the wireless LANs. This provides
    a basis for defining technical and procedural solutions that will strengthen
    the security of the system to a level that protects the company's interests.
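Steps 5 and 7 both come down to the same comparison: what the access points actually advertise on the air versus what the authorized inventory and the policy say. The following Python script is an added example, not code from the article or from AirMagnet, AiroPeek, AirWave or CiscoWorks. It parses raw 802.11 beacon frames (the frames a sniffer captures during the walk-through), classifies each access point's advertised security as open, WEP, WPA or WPA2/RSN (the WPA and RSN cases go beyond the WEP-era tools the article names), and reports any BSSID that is missing from the authorized inventory (a rogue) or that falls below the policy minimum. The sample frames, BSSIDs, SSIDs and inventory are constructed for illustration; the builder is there only so the example runs offline.

```python
"""Audit 802.11 beacon frames captured during a walk-through.

Added example for the assessment steps above; it is not code from the
article or from any of the tools it names.  Sample frames, BSSIDs and the
authorized inventory are constructed for illustration.
"""
import struct

# 802.11 management header: frame control, duration, addr1, addr2, addr3 (BSSID), seq ctrl
_MGMT_HDR = struct.Struct("<HH6s6s6sH")
# Beacon fixed fields: 64-bit timestamp, beacon interval, capability info
_BEACON_FIXED = struct.Struct("<QHH")

CAP_PRIVACY = 0x0010                  # capability bit 4: data frames are encrypted
IE_SSID, IE_RSN, IE_VENDOR = 0, 48, 221
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"    # vendor IE prefix that marks pre-RSN WPA
RANK = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(body: bytes) -> list:
    """Split the tagged parameter area into (id, data) pairs; stop at a truncated element."""
    ies, i = [], 0
    while i + 2 <= len(body):
        eid, elen = body[i], body[i + 1]
        data = body[i + 2:i + 2 + elen]
        if len(data) < elen:          # truncated: do not trust anything after it
            break
        ies.append((eid, data))
        i += 2 + elen
    return ies


def parse_beacon(frame: bytes) -> dict:
    """Return the BSSID, SSID and strongest security mechanism a beacon advertises."""
    fc, _dur, _a1, _a2, bssid, _seq = _MGMT_HDR.unpack_from(frame, 0)
    if (fc & 0x000c) != 0 or ((fc >> 4) & 0xf) != 8:   # type 0 (mgmt), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    _ts, _interval, cap = _BEACON_FIXED.unpack_from(frame, _MGMT_HDR.size)
    ies = parse_ies(frame[_MGMT_HDR.size + _BEACON_FIXED.size:])
    ssid = ""
    security = "wep" if cap & CAP_PRIVACY else "open"   # privacy bit alone means WEP
    for eid, data in ies:
        if eid == IE_SSID:
            ssid = data.decode("utf-8", "replace")
        elif eid == IE_RSN:
            security = "wpa2"                             # RSN IE: 802.11i (WPA2 or later)
        elif eid == IE_VENDOR and data.startswith(WPA_OUI_TYPE) and security != "wpa2":
            security = "wpa"
    return {"bssid": mac_str(bssid), "ssid": ssid, "security": security}


def audit(frames, authorized_bssids, minimum="wpa2"):
    """Flag rogues (BSSID not in inventory) and policy violations (below the minimum)."""
    findings = []
    for frame in frames:
        ap = parse_beacon(frame)
        if ap["bssid"] not in authorized_bssids:
            findings.append(("rogue", ap["bssid"], ap["ssid"], ap["security"]))
        elif RANK[ap["security"]] < RANK[minimum]:
            findings.append(("non-compliant", ap["bssid"], ap["ssid"], ap["security"]))
    return findings


def build_beacon(bssid: str, ssid: str, privacy: bool, extra_ies=()) -> bytes:
    """Construct a minimal beacon so the example runs without a capture file."""
    raw_bssid = bytes.fromhex(bssid.replace(":", ""))
    hdr = _MGMT_HDR.pack(0x0080, 0, b"\xff" * 6, raw_bssid, raw_bssid, 0)
    fixed = _BEACON_FIXED.pack(0, 100, CAP_PRIVACY if privacy else 0)
    body = bytes([IE_SSID, len(ssid)]) + ssid.encode()
    for eid, data in extra_ies:
        body += bytes([eid, len(data)]) + data
    return hdr + fixed + body


# RSN IE body: version 1, group CCMP, one pairwise CCMP, one AKM PSK (constructed)
RSN_CCMP_PSK = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac02")

SAMPLE_FRAMES = [   # constructed, not captured
    build_beacon("00:11:22:33:44:01", "corp", True, [(IE_RSN, RSN_CCMP_PSK)]),
    build_beacon("00:11:22:33:44:02", "corp", True),                              # static WEP
    build_beacon("00:11:22:33:44:03", "corp", True, [(IE_VENDOR, WPA_OUI_TYPE + b"\x01\x00")]),
    build_beacon("00:11:22:33:44:99", "linksys", False),                          # open rogue
]
AUTHORIZED = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_FRAMES, AUTHORIZED):
        print(*finding)
```

Feeding real captures means replacing SAMPLE_FRAMES with the 802.11 frames from the sniffer (radiotap or Prism headers stripped first) and AUTHORIZED with the inventory from the centralized console; the comparison logic stays the same. A beacon only reports what the access point claims, so an access point that hides its SSID or misstates its capabilities still needs the console-side configuration check described in step 5.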

With these steps in mind, you're on the right track to performing a wireless
LAN security assessment.
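As a companion to steps 2 and 8, here is an added Python illustration, not code from the article or from AirSnort, of one reason static WEP is considered broken. WEP sends a 24-bit IV in the clear and prepends it to the static key to form the per-frame RC4 key, so any two frames that share an IV are encrypted with the same keystream. An attacker who knows the plaintext of one such frame (for example a ping it sent to a wireless client itself) XORs it against the ciphertext to recover the keystream, then decrypts any other frame sent under that IV. The key, IV and frame contents below are constructed, and the attacker-side functions never read the key. AirSnort's actual attack, statistical recovery of the key from weak IVs, is a different and stronger technique that this example does not implement.

```python
"""Why static WEP fails: keystream reuse across frames that share an IV.

Added example, not code from the article or from AirSnort.  Key, IV and
frame contents are constructed; the attacker's side never reads `key`.
"""
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream (KSA + PRGA); WEP runs it with key = IV || shared key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Sender side: append the CRC-32 ICV, XOR with RC4(iv || key), prepend the clear IV."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("WEP uses a 24-bit IV and a 40- or 104-bit key")
    data = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    ks = rc4(iv + key, len(data))
    return iv + bytes(c ^ k for c, k in zip(data, ks))


def keystream_from_known(frame: bytes, known_plaintext: bytes) -> bytes:
    """Attacker side: a frame whose plaintext is known gives up its keystream bytes."""
    return bytes(c ^ p for c, p in zip(frame[3:], known_plaintext))


def decrypt_reused_iv(frame: bytes, iv: bytes, keystream: bytes) -> bytes:
    """Attacker side: any other frame under the same IV falls to the same keystream."""
    if frame[:3] != iv:
        raise ValueError("IV differs; this keystream does not apply")
    body = frame[3:3 + len(keystream)]
    return bytes(c ^ k for c, k in zip(body, keystream))


IV_SPACE = 2 ** 24                    # only 16,777,216 IVs, so reuse is inevitable
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")   # fixed prefix of an IP frame over 802.11


def demo() -> bytes:
    """Recover a victim frame's payload from a same-IV frame with known plaintext."""
    key = b"\x0a\x1b\x2c\x3d\x4e"     # constructed 40-bit static key (attacker never sees it)
    iv = b"\x00\x12\x34"               # IV the access point happens to reuse
    # Frame A: plaintext the attacker arranged to know, e.g. an echo request it sent
    known = LLC_SNAP_IP + b"\x45\x00\x00\x24" + b"\x08\x00" + b"\x00" * 30
    frame_a = wep_encrypt(key, iv, known)
    # Frame B: a victim's frame under the same IV, contents unknown to the attacker
    secret = LLC_SNAP_IP + b"GET /login?user=jim&pw=letmein"
    frame_b = wep_encrypt(key, iv, secret)
    ks = keystream_from_known(frame_a, known)          # 44 keystream bytes recovered
    plain = decrypt_reused_iv(frame_b, iv, ks)          # payload || ICV, as far as ks reaches
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("recovered plaintext failed the ICV check")
    return payload


if __name__ == "__main__":
    print(demo().decode())
```

The recovered keystream is only as long as the known plaintext, which is why attackers favour long known frames; the ICV check at the end confirms the recovery is exact rather than a partial guess. Rotating to dynamic per-session keys does not change the IV size, so the assessment should treat any WEP deployment, static or otherwise, as failing the "adequate encryption" requirement in step 1.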

Jim Geier provides independent consulting services to companies developing and
deploying wireless network solutions. He is the author of the book Wireless LANs
(SAMs, 2001) and offers computer-based training (CBT) courses on wireless LANs.
