WLAN-Specific Security Considerations

Compared to wire-based LANs, WLANs, which are used as communication platforms for passing sensitive business information, introduce additional and unique security considerations into the design and deployment of data networks. Generally, any effective communication process represents an interaction and a relationship among five elements:

  • A transmitter

  • A receiver

  • A message

  • A transmission medium

  • Rules or protocols that govern the message transmission between the transmitter and the receiver

Transmitters and receivers exchange messages using a transmission medium and are subject to the rules or protocols that govern the timing, the structure, and the representation of the messages, thus making the communication process possible, practical, and effective.

The biggest (but not the only) difference between wireless and wired LANs is the nature of the transmission medium. Air is considered an unbounded and leaky transmission medium (a new security threat here!) as compared to bounded media like coax, copper, or fiber. In bounded media, the signals representing the message are confined to a specified pathway, and physical access to the media is required to tap into the network. This is not the case with unbounded media. The signals easily propagate past their intended target, and they can be readily intercepted, interfered with, or used to gain access to the network.

Anyone standing in a crowd and carrying on a full-voice conversation with another person is painfully aware that their voice messages propagate over the airwaves in multiple directions past the intended recipient. The continuance of such a conversation depends on whether the individuals involved in it (who alternate as the transmitter and the receiver) care if there are unintended recipients of what is being said. What are the consequences of the conversation being heard by other people? Does it still matter if anyone hears the conversation if it is conducted in a language that is known and understood only by the individuals involved in it? Would it take long for an unintended listener to learn the unknown language in which the conversation is being carried on?

As discussed in Chapter 4, “Overview of the Network Security Issues,” any aspect of network security is best considered in the context of a security policy that identifies the threats. WLAN security is no different. The following subsections outline WLAN security threats, mechanisms, and sound practices that counter some of the threats. However, it's up to you as the designer—based on the user requirements and an SMB's network security policy—to determine the potential impact of the threats, the relevance of the available protection mechanisms, and the implementation of sound security practices that apply to WLANs. Otherwise, they all remain abstractions devoid of practical meaning.

WLAN Security Threats

Security threats unique to WLANs stem from the unbounded nature of air as the transmission medium for network communications. Consider an SMB that occupies a building with a wired private network. The connection to the Internet is considered to be secure thanks to the deployment of a firewall, an intrusion detection system (IDS) on the inside and outside networks, and the maximum implementation of available router security features. The building has reasonable physical security.

All visitors to the SMB's facility must first sign in with a security officer in the lobby. Visitors are allowed to bring notebook computers into the building for the purpose of making presentations or taking notes during meetings, but the SMB security policy does not allow visitors to connect to any portion of the internal network using their notebooks. While on the premises, visitors are to be escorted at all times, with the exception of restroom breaks. SMB employee escorts are responsible for enforcing the policy of preventing visitors from making physical connections to the internal network.

Penetrating this SMB's network from the outside is not going to be easy without collaboration with someone on the inside. But this challenge might be a lure for intruders, if you want to factor the psychology of hacking and cracking into the security equation.

Now, imagine that the same network is wireless. Eavesdropping on the wireless signals and the potential introduction of a rogue access point (AP) can lead to the compromise of that network more easily than if it remained wire-based. Yet, put those threats in perspective. There is a certain irony here that makes WLANs less desirable targets for intruders than wire-based networks.

It's a well-known fact that it is easy to penetrate a poorly secured wireless network. But gaining access to a WLAN through what is almost an open door makes it a pretty blah experience for those hackers who are after a real challenge. That is not necessarily the attitude of those who are engaged in industrial espionage, if the information transmitted over the WLAN warrants their attention.

The perception of the ease of wireless hacking is mostly thanks to the lack of implementation of the available security features at WLAN installations. In some ways, a WLAN can be more secure than its wire-based counterpart, especially in scenarios in which a wire-based network is poorly managed and the network administrator does not know how many ports are available on the network and where they are located. With a WLAN, you normally secure all or none of your ports.

Thus, it's vital that you create a network security policy, do a risk assessment analysis, and comply with sound network management practices. Dangers to WLANs are real, but so are the means of protecting them from those dangers.

Wireless Eavesdropping

Often, and without detection on the network, unauthorized individuals can readily “listen” or eavesdrop on the WLAN transmissions that propagate outside of an office building where a WLAN is installed. But what does “listening” really mean? It means, for example, that a listening device in the form of a notebook PC with a wireless network interface card (NIC) or a handheld PC with an antenna must be physically present within the range of the wireless signals.

Assuming that the listening device is also equipped with software to identify the presence of an 802.11 WLAN or to collect and decode the wireless data stream, an act of wireless eavesdropping takes place. However, such an act, if sustained over a long period of time, might force a potential intruder to be physically too close for comfort to the actual WLAN location.

NOTE

Wireless products vendors (AirMagnet, for example) offer tools for detecting the presence of wireless intruders on the network.


It's one thing to drive around with a wireless listening device and to attempt to identify WLAN locations and service set identifiers (SSIDs). (It's referred to as wardriving. Warchalking further pinpoints these locations and SSIDs through markings on buildings or sidewalks.) It's another matter, however, to spend hours in the WLAN proximity collecting a sufficient amount of data to be able to crack wired equivalent privacy (WEP) or to even join a completely unsecured WLAN and start using it.

Ironically, wireless hacking requires a greater degree of physical exposure of the perpetrator than hacking a wired network from the privacy of one's own surroundings. If an SMB is sufficiently conscious about physical security, the act of eavesdropping on WLAN transmissions might be quite detectable because of the uncharacteristic level of physical activity in the proximity of the WLAN location.

Other Forms of WLAN Intrusion

What about WLAN intruders who just want to connect and scrounge off some bandwidth, possibly for free Internet access? If there is no malice on their part, they could, in a worst-case scenario, degrade the WLAN performance. A potentially more devastating way to penetrate WLAN defenses than just eavesdropping or scrounging off bandwidth involves placing an unauthorized wireless access device where it should not be. That method usually requires assistance from the inside, be it deliberate or through nonmalicious ignorance of network security policies.


Rogue Access Points

The introduction of rogue APs into a WLAN means that an AP that is outside of the administrative control of an SMB is masquerading as a legitimate entry point into the SMB's network. A rogue AP does not always mean that someone has placed an additional physical unit on the SMB's premises without the knowledge of the SMB's IT personnel. That, however, is a distinct possibility, whether the perpetrator is an outsider or, most likely, an employee.

A rogue AP could be a legitimately installed AP that has been accidentally or deliberately reset or reconfigured so that it no longer complies with the SMB's network security policy.

Effectively, that AP is outside of the SMB's administrative control and becomes a potential open door for penetrating the WLAN and then using it to launch attacks against the rest of the network. Consider now the practicality of rogue APs.

An AP normally connects to the rest of the network via a wire uplink. For an outsider who is attempting to penetrate a network, it might be difficult to gain the kind of physical access to an SMB's facilities that would allow the installation of a rogue AP with an uplink to the rest of the LAN. And placing a rogue AP on the SMB's premises (or off the premises) without an uplink might be of limited value to a potential perpetrator.

Cisco supports repeater APs that do not physically uplink to the rest of the network; instead, they form an association with another AP that might or might not have a physical uplink. The use of APs in the repeater mode requires configuration and the activation of the Aironet extensions, which actually offer a measure of deterrence. Also, not all vendors support repeater APs.

In all likelihood, a rogue AP will prove to be an inside job. If it is deliberate and perpetrated by a skilled IT employee, the SMB has a more serious problem on its hands than just WLAN hacking. Physical security and sound WLAN management practices can prevent or, in the worst case, detect the presence of unauthorized APs that result from accidental resets or benign reconfiguration.

WLAN Security Mechanisms

When it comes to WLAN security mechanisms, the intention is always good (that is, to provide solid security), the execution involves compromises (because we live in a real world), the outcome is debatable (because you can't make everyone happy), and the debate will continue for some time to come (that's what makes the standards process so valuable and exciting). But how effective are the various WLAN security mechanisms?

To start at the beginning, there is the use of the spread spectrum (SS) technology (in 802.11a/g) that dates back to the days of World War II. SS modulations employ wide-frequency bands to transmit comparatively narrow-bandwidth information signals. This makes SS transmissions hard to intercept and more resistant to jamming. SS technology has long been a favorite in military communications, which attests to its inherent security value. However, there is definitely a problem in WLAN deployments with reliance on the inherent security qualities of SS.

If the SS transmitters and receivers (APs and clients, for example) are to be commercially successful, which is what all WLAN vendors want them to be, they need to talk to each other and be widely available to all (including potential intruders) who want to purchase them. Thus, any reliance on the properties of the spread spectrum for security in the context of WLAN deployment is misplaced.

WARNING

The 802.11 standards clearly spell out the frequencies, the modulation/demodulation techniques, and the sequence codes that vendors need to implement to bring to market compatible wireless products. Open commercial environments negate the inherent security value of the SS technology. It is quite a different scenario from secret military communications.


Next come the SSIDs, which are necessary to establish an association between a wireless client and an AP. At best, SSIDs are a weak form of passwords, and free tools exist for detecting them. In addition, if an administrator does not change them from the default values during WLAN deployment, it's not just leaving the door unlocked—it's leaving it wide open.

WARNING

SSIDs are useless as a security mechanism. The exception, perhaps, is an instance where the most benign of hackers who, upon detecting a default SSID with no other security measures implemented, would warn the WLAN administrator of the danger to his or her WLAN. Use of SSIDs to connect to a WLAN is referred to as open authentication.


Now it is time for encryption (to protect the transmitted data) along with an overlay of security enhancements to facilitate robust authentication. Authentication and encryption are widely deployed and well understood in wire-based networks. They represent the areas of WLAN security that warrant a designer's serious attention. Any of the issues regarding the early WEP should be cleared up and replaced with an understanding of the scope of strong security measures that are now available to designers in deploying WLANs.

The Promise and Shortcomings of WEP

The early version of WEP was known to be weak. In 2001, a free program (Airsnort) became available on the Internet to crack WEP, provided that a sufficient amount of data could be accumulated for the program to analyze. Time estimates for WEP cracking range from hours to days, depending on the network's utilization. For a heavily utilized WLAN with a lot of packets radiating through the air, the time to crack WEP is shorter. All that's needed is a Linux-based PC, a wireless 802.11-compliant NIC, and a sufficient amount of time in the vicinity of the victim WLAN.

Yet, what needs to be emphasized here is that the readily crackable WEP is the earlier generation WEP, which relies on the use of static keys that are shared among multiple users. By having dynamically generated keys and implementing measures to guard against replay attacks, WEP acquires more teeth and credibility.

The enhancement that Cisco made to WEP includes the Temporal Key Integrity Protocol (TKIP), which has also been standardized via the 802.11i specification. TKIP relies on per-packet keying (PPK), which involves the use of a different key per packet (or per relatively small group of packets) to prevent cracking the key due to WEP's weak initialization vector of 24 bits. In addition, TKIP implements the message integrity check (MIC), which is a stronger mechanism for preventing message tampering through replay attacks than the 32-bit cyclic redundancy check (CRC-32) that is part of the earlier version of WEP. Cisco supports its own version of TKIP as well as the standards-based one. Whereas WEP provides data encryption, 802.1x facilitates strong authentication.
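The two WEP weaknesses named above (the 24-bit IV and the CRC-32 integrity value) can be quantified. The following Python is an added illustration, not code from the book or from any vendor: it computes the birthday-bound probability that a static-key WLAN reuses an IV (and therefore an RC4 keystream) after a given number of frames, shows that a CRC-32 value is linear so that the checksum of an altered frame is predictable without any secret, and contrasts that with a keyed MIC that cannot be recomputed without the key. HMAC-SHA256 is assumed here as a stand-in for TKIP's actual MIC algorithm; the frame contents are constructed samples.

```python
import hashlib
import hmac
import math
import zlib

WEP_IV_BITS = 24
WEP_IV_SPACE = 1 << WEP_IV_BITS   # 16,777,216 distinct IVs under one static key


def iv_reuse_probability(packets: int, iv_space: int = WEP_IV_SPACE) -> float:
    """Birthday-bound probability that at least two of `packets` randomly chosen
    IVs are equal, i.e. that the same RC4 keystream is used twice under a
    static WEP key. A sequential IV counter is guaranteed to wrap at iv_space."""
    if packets >= iv_space:
        return 1.0
    # P(no collision) ~ exp(-n(n-1) / 2N) for n draws from N values
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * iv_space))


def crc32_of_change_is_predictable(original: bytes, modified: bytes) -> bool:
    """CRC-32 is linear over XOR: for equal-length inputs,
    crc(a XOR b) == crc(a) XOR crc(b) XOR crc(all-zero). Nothing secret enters
    the computation, so a CRC cannot tell a receiver whether a frame was
    altered in transit by someone who knows only the change they made."""
    if len(original) != len(modified):
        raise ValueError("demonstration assumes equal-length frames")
    change = bytes(a ^ b for a, b in zip(original, modified))
    zeros = bytes(len(original))
    predicted = zlib.crc32(original) ^ zlib.crc32(change) ^ zlib.crc32(zeros)
    return predicted == zlib.crc32(modified)


def keyed_mic(key: bytes, data: bytes) -> bytes:
    """Keyed integrity value (HMAC-SHA256 assumed as a stand-in for TKIP's MIC)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def keyed_mic_detects_change(key: bytes, original: bytes, modified: bytes) -> bool:
    """The receiver recomputes the MIC with the shared key; without that key the
    sender-side value cannot be adjusted to match an altered frame."""
    sent_mic = keyed_mic(key, original)
    return not hmac.compare_digest(sent_mic, keyed_mic(key, modified))


if __name__ == "__main__":
    # constructed sample frames differing in one digit
    orig = b"transfer amount=0100 to acct=alice"
    mod = b"transfer amount=9100 to acct=alice"
    print("IV reuse likely after 5000 frames: %.2f" % iv_reuse_probability(5000))
    print("CRC-32 of altered frame predictable:", crc32_of_change_is_predictable(orig, mod))
    print("keyed MIC flags the alteration:", keyed_mic_detects_change(b"mic-key", orig, mod))
```

The birthday figure is the point a designer should keep in mind when weighing static-key WEP: on a busy WLAN a few thousand frames already make keystream reuse more likely than not, which is exactly what per-packet keying in TKIP is meant to avoid, and the CRC comparison is why a keyed MIC, not a checksum, is needed against tampering.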

IEEE's 802.1x Standard in WLANs

The premise of the 802.1x standard is simple. It's sometimes impossible to prevent unauthorized devices from physically attaching to the LAN infrastructure, either through LAN switches (think of all those RJ-45 data jacks accessible to visitors in SMB office environments) or through wireless APs (you don't even have to get inside a building to exploit these). Consequently, 802.1x offers the means (but not the algorithms themselves) to authenticate and to authorize a device that physically attaches to a LAN switch port or that establishes an association with an 802.11 AP. 802.1x defines the concepts of a supplicant, an authenticator, and an authentication server.

Mapping these concepts to the typical WLAN components, a WLAN client becomes the supplicant, an AP is the authenticator, and an authentication server—Remote Access Dial-In User Service (RADIUS), for example—which is already so common in wire-based LANs, is introduced into the WLAN. By incorporating an authentication server into WLAN security, 802.1x facilitates the implementation by vendors of per-port mutual authentication techniques.

Mutual authentication allows for the authentication server to verify the client credentials (user ID, password, digital certificate), and it allows the client to issue a challenge to the server to authenticate the AP. Mutual authentication that involves the authentication by a client of the AP prevents rogue APs from being used to mount man-in-the-middle (MITM) attacks. The exchanges between the client, the AP, and the server take place via a variant of the Extensible Authentication Protocol (EAP). 802.1x and EAPs are closely coupled.
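The supplicant/authenticator/authentication server split and the value of the client-side challenge are easier to see in a small model. The following Python is an added example, not code from the book, Cisco, or any EAP implementation: it models an AP that only relays challenge/response messages and opens its controlled port when the server returns an accept, a server that holds the credentials, and a supplicant that challenges the server in return. The challenge-response computation (HMAC-SHA256 over the challenge) and the user database are constructed stand-ins for a real EAP method and a real RADIUS user store. A rogue AP that has no path to the real server can open its own port to anyone, but it cannot answer the supplicant's challenge, which is what the client-side half of mutual authentication detects.

```python
import hashlib
import hmac
import os

# Constructed credential store; a deployment keeps this on the AAA (RADIUS) server.
USER_DB = {"alice": b"correct horse battery staple"}


def prf(secret: bytes, *parts: bytes) -> bytes:
    """Keyed challenge response (HMAC-SHA256 assumed as a stand-in for the
    computation a concrete EAP method would use)."""
    return hmac.new(secret, b"|".join(parts), hashlib.sha256).digest()


class AuthenticationServer:
    """Holds the credentials; the authenticator (AP) never sees them."""

    def __init__(self, user_db):
        self.user_db = user_db

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, user, server_chal, client_resp, client_chal):
        secret = self.user_db.get(user)
        if secret is None or not hmac.compare_digest(client_resp, prf(secret, b"client", server_chal)):
            return None                                   # Access-Reject
        return prf(secret, b"server", client_chal)        # Access-Accept carrying our answer


class Authenticator:
    """The AP: relays EAP between supplicant and server and gates the port."""

    def __init__(self, server):
        self.server = server
        self.pending = {}          # user -> outstanding server challenge
        self.authorized = set()    # users whose controlled port is open

    def start(self, user):
        chal = self.server.challenge()
        self.pending[user] = chal
        return chal

    def respond(self, user, client_resp, client_chal):
        server_chal = self.pending.pop(user)
        server_resp = self.server.verify(user, server_chal, client_resp, client_chal)
        if server_resp is not None:
            self.authorized.add(user)                     # port opens only on accept
        return server_resp

    def port_open(self, user) -> bool:
        return user in self.authorized


class RogueAuthenticator(Authenticator):
    """An AP outside administrative control: no path to the real server, so it
    'accepts' everyone and fabricates the server's answer to the client's challenge."""

    def __init__(self):
        self.authorized = set()

    def start(self, user):
        return os.urandom(16)

    def respond(self, user, client_resp, client_chal):
        self.authorized.add(user)
        return os.urandom(32)


def supplicant_authenticate(ap, user, secret):
    """Run one mutual authentication; return (ap_opened_port, client_trusts_ap)."""
    server_chal = ap.start(user)
    client_chal = os.urandom(16)                          # the client's own challenge
    server_resp = ap.respond(user, prf(secret, b"client", server_chal), client_chal)
    trusts_ap = server_resp is not None and hmac.compare_digest(
        server_resp, prf(secret, b"server", client_chal))
    return ap.port_open(user), trusts_ap


if __name__ == "__main__":
    legit = Authenticator(AuthenticationServer(USER_DB))
    print("legitimate AP:", supplicant_authenticate(legit, "alice", USER_DB["alice"]))
    print("rogue AP:     ", supplicant_authenticate(RogueAuthenticator(), "alice", USER_DB["alice"]))
```

The (port_open, trusts_ap) pair separates the two halves of mutual authentication: the first value is what the AP decides, the second is what the client decides, and a client that stops at the first value is exactly the client a rogue AP is hoping for.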

The Adoption of EAPs in WLANs

EAP was originally developed to extend the rather limited authentication options of the Point-to-Point Protocol (PPP). Prior to EAP, PPP could use Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP). RFC 2284 specifies PPP EAP.

EAP, however, has been popularized through its adaptation into the 802.1x standard. From the WLAN design perspective, 802.1x/EAP combinations offer you several authentication-related options to enhance SMB WLAN security. The following EAP variants have been defined:

  • Cisco Light EAP (LEAP)

  • EAP with Transport Layer Security (EAP-TLS)

  • EAP with Tunneled TLS (EAP-TTLS)

  • Protected EAP (PEAP)

  • EAP Subscriber Identity Module (EAP-SIM)

Each of the EAP variants has its own unique characteristics, which affect WLAN security design decisions.

LEAP

LEAP, which is commonly referred to as the Cisco Wireless EAP, is popular and widely deployed in Cisco wireless products. LEAP supports mutual authentication via a shared secret or a password.

EAP-TLS

EAP-TLS relies on the use of the TLS protocol (standards track RFC 2246) to enhance the security of the authentication process itself. TLS is composed of the TLS Record Protocol and the TLS Handshake Protocol. The TLS Record Protocol ensures the privacy and reliability of the connection between the communicating entities (the client and an authentication server), and it is used to encapsulate the TLS Handshake Protocol.

The TLS Handshake Protocol allows a server and a client to authenticate each other and to negotiate an encryption algorithm and crypto keys before any application-level data is transmitted. Effectively, the TLS Handshake Protocol makes the authentication negotiation secure. It makes the negotiated secret unavailable to eavesdroppers and prevents MITM attacks by denying the secret to those who would place themselves in the middle of an authenticated connection. The negotiation is also reliable because it does not allow an attacker to modify the negotiation without being detected by the communicating parties. EAP-TLS uses digital certificates for mutual authentication and is generally considered more secure than LEAP.

EAP-TTLS

EAP-TTLS extends the TLS Handshake Protocol authentication negotiation process and allows for the exchange of more information over the secure connection than EAP-TLS does. EAP-TTLS also allows the client to use legacy password-based authentication protocols like PAP, CHAP, or the Microsoft versions of CHAP while protecting the use of these protocols against eavesdropping and MITM attacks.

PEAP

PEAP relies on TLS as well. PEAP further extends the security of the EAP framework by incorporating device identity protection, which all of the preceding EAP variants lack.

EAP-SIM

EAP-SIM extends the EAP framework even further to enhance the security of authentication and key distribution in Global System for Mobile Communications (GSM).

Summary of the Functionalities of EAPs

As the “extensible” in EAP implies, there will likely be more EAP variants as a function of time, new security exploits, overall maturing, and a greater level of deployment of the WLAN technologies. Keep in mind, as a general perspective, that collectively the combination of 802.1x/EAP facilitates the following:

  • Mutual per-port authentication, which minimizes or eliminates MITM attacks through the use of rogue access points

  • Use of dynamic keys for encryption following authentication, which minimizes or (if intruders are not able or willing to exert considerable effort) eliminates the potential for data decryption

  • Configuration of security policy parameters relating to reauthentication and the timing of the dynamic key regeneration, which gives an SMB a considerable amount of control over WLAN security

If an SMB wants to harden WLAN security, the bar can be raised high even for the most determined intruders. The question is: Is a typical SMB aware of and desirous of implementing maximum security when deploying a WLAN? That's where a designer's expertise in this area comes in.

WLAN Sound Security Practices

The following list identifies sound practices that can be used to enhance WLAN security. Consider applying these practices as appropriate depending on an SMB's security policy, the size of the WLAN installation, and the available features of the WLAN products.

  • Use the strongest authentication possible— Alternatively, use the authentication method that is in compliance with the SMB's security policy. 802.1x/EAPs offer several choices for mutual authentication and secure key exchange. Check for availability of local authentication that might eliminate the need for a dedicated Authentication, Authorization, and Accounting (AAA) server in smaller deployments. Under no circumstances should SMBs rely on SSIDs as a security mechanism. Change SSIDs from default values and consider turning off SSID broadcasts altogether.

  • Activate WEP and any of its enhancements, such as TKIP— Despite all of the hoopla about WEP's vulnerability, it takes time and a deliberate effort to collect enough data to crack even its early version. The principle here is that imperfect security with clearly understood limitations is better than none. The type of WEP that uses static shared keys is readily crackable; use of dynamic keys makes it significantly harder to crack WEP. Use stronger encryption—Wi-Fi Protected Access (WPA), 802.11i—if available.

  • Disable Dynamic Host Configuration Protocol (DHCP) and use static IP addresses instead— DHCP offers convenience in administration, but it also conveniently serves an IP address to an intruder or a loafer within a WLAN range. Keep this practice in perspective, though, as a function of network administration convenience. Static address ranges (especially private) can be guessed or deciphered from e-mail headers. Consider MAC level authentication if DHCP remains enabled.

  • Ensure that the antennae do not emit too much power— You want to ensure proper coverage for the areas from which authorized users might connect to a WLAN, but ideally you do not want strong signals to travel outside the authorized coverage areas. This process requires some experimentation.

  • Provide physical security for APs— APs without adequate physical security can be accidentally or deliberately reconfigured or reset to factory defaults.

  • Deploy WLAN management— WLAN management products are available to help administrators enforce compliance with the SMB's security policy (consistency of AP configuration, for example). You can also use WLAN management tools to monitor WLAN performance, check for the presence of rogue access points, and identify wireless intruders. More than a dozen companies offer products that can assist with WLAN management.
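Two of the practices above, checking for rogue access points and keeping AP configurations consistent with policy, come down to comparing what a sensor observes over the air with an inventory of what the SMB has authorized. The following Python is an added example, not code from the book or from any WLAN management product: it audits a constructed scan of nearby APs against a constructed inventory and flags a managed AP that has reverted to a factory-default SSID (the accidental reset case), a managed AP whose security setting has drifted from policy, an unknown AP advertising the corporate SSID (the masquerading rogue), and an unknown AP close enough to be on the premises. The BSSIDs, SSIDs, signal threshold, and the list of default SSIDs are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    security: str    # "open", "wep", "wpa-psk", "wpa-enterprise"
    channel: int
    rssi_dbm: int    # signal strength at the sensor; closer to 0 means nearer


# Constructed inventory of the SMB's managed APs, keyed by BSSID.
AUTHORIZED: Dict[str, dict] = {
    "00:11:22:33:44:01": {"ssid": "SMB-Corp", "security": "wpa-enterprise", "channel": 1},
    "00:11:22:33:44:02": {"ssid": "SMB-Corp", "security": "wpa-enterprise", "channel": 6},
    "00:11:22:33:44:03": {"ssid": "SMB-Corp", "security": "wpa-enterprise", "channel": 11},
}
CORPORATE_SSIDS = {"SMB-Corp"}
# Constructed sample of out-of-the-box SSIDs; populate from the vendors actually deployed.
DEFAULT_SSIDS = {"tsunami", "linksys", "default", "wireless"}
NEARBY_DBM = -70   # constructed threshold: stronger than this is probably inside the building

# Constructed scan results, as a WLAN management sensor might report them.
SCAN = [
    Observation("00:11:22:33:44:01", "SMB-Corp", "wpa-enterprise", 1, -45),   # as expected
    Observation("00:11:22:33:44:02", "tsunami", "open", 6, -50),             # reset to factory defaults
    Observation("00:11:22:33:44:03", "SMB-Corp", "wpa-psk", 11, -48),        # reconfigured off policy
    Observation("aa:bb:cc:dd:ee:01", "SMB-Corp", "open", 1, -52),            # unknown AP, corporate SSID
    Observation("aa:bb:cc:dd:ee:02", "CoffeeShop", "wpa-psk", 11, -88),      # distant neighbour
    Observation("aa:bb:cc:dd:ee:03", "linksys", "open", 6, -55),             # unknown, strong signal
]

Finding = Tuple[str, str, str]   # (bssid, category, detail)


def audit(scan: List[Observation], authorized: Dict[str, dict], corporate_ssids,
          default_ssids, nearby_dbm: int) -> List[Finding]:
    """Compare each observed AP with the inventory and return policy findings."""
    findings: List[Finding] = []
    for obs in scan:
        expected = authorized.get(obs.bssid)
        if expected is not None:
            # Managed AP: check that it still advertises what the inventory says.
            if obs.ssid.lower() in default_ssids:
                findings.append((obs.bssid, "factory-reset",
                                 "managed AP advertising default SSID %r" % obs.ssid))
                continue
            drift = {k: (expected[k], getattr(obs, k))
                     for k in ("ssid", "security", "channel") if expected[k] != getattr(obs, k)}
            if drift:
                findings.append((obs.bssid, "config-drift", "differs from inventory: %s" % drift))
            continue
        # Unknown BSSID: masquerading if it uses our SSID, otherwise interesting only if close.
        if obs.ssid in corporate_ssids:
            findings.append((obs.bssid, "masquerading",
                             "unmanaged AP advertising corporate SSID %r (%s)" % (obs.ssid, obs.security)))
        elif obs.rssi_dbm > nearby_dbm:
            findings.append((obs.bssid, "unknown-nearby",
                             "unmanaged AP %r at %d dBm on channel %d" % (obs.ssid, obs.rssi_dbm, obs.channel)))
    return findings


if __name__ == "__main__":
    for bssid, category, detail in audit(SCAN, AUTHORIZED, CORPORATE_SSIDS, DEFAULT_SSIDS, NEARBY_DBM):
        print("%-18s %-14s %s" % (bssid, category, detail))
```

The order of the checks matters: a managed AP that has reverted to a default SSID is reported as a reset rather than as ordinary drift, because the response (re-provision and look into the physical security of that AP) is different, and an unknown AP advertising the corporate SSID is reported regardless of signal strength, since a masquerading AP is worth investigating even at the edge of coverage.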
