Chapter 8. Wireless Vulnerabilities

WIRELESS COMMUNICATION and networking technologies have seen rapid growth and adoption over the past few years. Businesses and consumers have adopted wireless technologies for their ability to allow users to be more mobile, unencumbered by wires. Additionally, adopters have taken to the technology because it can allow connections to computers in areas where wires cannot reach or would be expensive to install. Wireless has become one of the most widely used technologies by both consumers and businesses and will most likely continue to be so.

While wireless offers many benefits, one of the concerns of the technology is security. Wireless technologies have many security issues that must be addressed by the security professional. The technology has traditionally suffered from poor or even ignored security features by those who either adopted the technology too quickly or didn't take the time to understand the issues. Those organizations that did take the initiative in a lot of cases went too far, opting to ban the use of the technology instead of finding out how to secure the technology.

This chapter explores how to use wireless technology in the organization, to reap its benefits but do so securely. Like any technology, wireless can be used safely; it is only a matter of understanding the tools available to make the system secure. For example, we can leverage techniques such as encryption and authentication together with other features designed to make the system stronger and more appealing to the business. With the right know-how and some work, wireless can be secured; the technology needn't be banned.

The Importance of Wireless Security

Wireless technologies have been adopted rapidly over the last decade, but security for those networks has not. As individuals and organizations looked to adopt the technology, security was dealt with in a number of different ways: either by not adopting security measures at all in some cases or by blocking the use of the technology in others. Both cases represent extremes that need not be used because wireless can be secured safely if the security vulnerabilities and issues involved are known.

Wireless networks have a number of vulnerabilities that must be understood before they can be properly dealt with.

Emanations

One of the traits of wireless networks is the way they work through the use of radio frequency (RF) or radio techniques. This is both a strength and a weakness because it allows wireless transmissions to reach out in all directions, enabling connectivity but also allowing anyone in those directions to eavesdrop. As opposed to the transmission of signals in traditional media such as copper or fiber, where someone must be on the "wire" to listen, wireless travels through the air and can easily be picked up by anyone with a device as simple as a notebook with a wireless card. This leads to a huge administrative and security headache and it immediately makes clear the need for additional security measures.

Note

Except for fiber optic media, all networks are subject to emanations in the form of electromagnetic radiation. In the case of copper cables this emanation is a result of electrical charges flowing through the media and generating a field.

Emanations of a wireless network can be affected by a number of different factors that make the transmission go farther or shorter distances, including the following:

  • Atmospheric conditions—Warm or cold weather will affect how far a signal will go due to the changes in air density that changing temperatures cause.

  • Building materials—Materials surrounding an access point (AP) such as metal, brick, or stone will impede a wireless signal.

  • Nearby devices—Other devices in the area (for example, microwaves and cell phones) that give off RF signals or generate strong magnetic fields can affect emanations.

Note

Anything that generates radio signals on the same or related frequencies can interfere with wireless networks in some form. By extension, anything that affects the atmosphere that the signals are traveling through will cause interference. However, note that interference does not mean that a network will be offline; it can also manifest itself as a slow or poorly performing network.

Common Support and Availability

Wireless networks have become more and more common over the last few years, being shipped in all manner of devices and gadgets. From the early 2000s up to the current day, wireless technologies in the form of Bluetooth and Wi-Fi have become more common, with both features going from being an option to being standard equipment in notebooks and netbooks. This increased support of wireless technology can be seen even in cell phones, in which Bluetooth support became standard with Wi-Fi support following closely behind on the standard feature list of devices.

The widespread availability of wireless has made management and security much harder for the network and security administrator. With so many devices implementing wireless, it is now more possible that an employee of a company could bring in a wireless-enabled laptop or other device and attach it to the network without the knowledge of an administrator. In some situations, employees have decided that a company IT department that has said "No wireless" is just being unreasonable and, oblivious to the security risks, have taken it upon themselves to install a wireless AP.

A Brief History of Wireless Technologies

Wireless technologies aren't anything new; in fact, wireless has been around for more than a decade for networks and even longer for devices such as cordless phones. The first wireless networks debuted in the mid-1990s with educational institutions, large businesses, and governments as early adopters. The early networks did not resemble the networks in use today because they were mainly proprietary and performed poorly compared with today's deployments.

In today's environment, the business or consumer looking to purchase a wireless networking technology will encounter a large selection of options. Among them is the Institute of Electrical and Electronics Engineers (IEEE) 802.11 family of standards, which range from 802.11a to 802.11n. They are known collectively as Wi-Fi in standard jargon. In addition to the 802.11 family of wireless standards, other wireless technologies have emerged (Bluetooth, for example), each purporting to offer something unique.

When looking at wireless networking it is easy to think of it as one standard, but this is not the case. Wireless networks have evolved into a family of standards over time; each includes unique attributes. To understand wireless, it is worth looking at the different standards and their benefits and performance. The following sections discuss the wireless standards that have been or are in use.

802.11

The 802.11 standard was the first wireless standard that saw any major usage outside of proprietary or custom deployments. It was used mainly by large companies and educational institutions that could afford the equipment, training, and implementation costs. One of the biggest problems with 802.11 that led to limited usage was performance. The maximum bandwidth was theoretically 2 megabytes per second (Mbps). In practice, it reached at best only half this speed. The 802.11 standard was introduced in 1997 and saw limited usage, but quickly disappeared.

Its features included:

  • Bandwidth—2 Mbps

  • Frequency—2.4 GHz (gigahertz)

802.11b

The first widely adopted wireless technology was 802.11b, introduced two years after the original 802.11 standard. It didn't take too long to be adopted by businesses and consumers alike. The most attractive feature of this standard is performance; 802.11b increased performance up to a theoretical 11 Mbps, which translated to a real-world speed of 6-7 Mbps. Other attractive features of the standard include low cost for the consumer and for the product manufacturer.

Note

802.11b is being rapidly replaced in favor of 802.11g and n, but it is still very widely used and supported, with most notebooks still supporting the technology off the shelf and 802.11b APs still available.

Its features include:

  • Bandwidth—11 Mbps

  • Frequency—2.4 GHz

One downside of 802.11b is interference. 802.11b operates at 2.4 GHz, the same frequency as other devices such as cordless phones and game controllers, so these devices can interfere with 802.11b. Additionally, interference can be caused by home appliances such as microwave ovens.

802.11a

When 802.11b was being developed, another standard was created in parallel: 802.11a. It debuted around the same time as 802.11b, but never saw widespread adoption due to its high cost and lesser range. One of the largest stumbling blocks that hampered its adoption was equipment prices, so the alternative 802.11b was implemented much more quickly and is seen in more places than 802.11a. Today 802.11a is rarely seen.

The 802.11a standard did offer some benefits over 802.11b, notably much greater bandwidth: 54 Mbps over 802.11b's 11 Mbps. Also, 802.11a operates in a higher frequency range (5 GHz), which means less chance of interference because fewer devices operate in this range. Finally, the signaling of 802.11a prevents the signal from penetrating walls or other materials, allowing it to be somewhat easily contained.

The 802.11a standard is not compatible with 802.11b or any other standard due to the way it is designed. APs that support 802.11a and other standards simply have internals that support both standards.

Its features include:

  • Bandwidth—54 Mbps

  • Frequency—5 GHz

802.11g

In response to consumer and business demands for higher performance, the 802.11g wireless standard emerged. The 802.11g standard combines the best of both worlds (802.11a and 802.11b): its most compelling feature is the higher bandwidth of 54 Mbps combined with the 2.4 GHz frequency. This allows for greater range and backward compatibility with 802.11b (but not 802.11a). In fact, wireless network adapters that use the 802.11b standard are compatible with 802.11g APs, which allowed many businesses and users to migrate more quickly to the new technology.

Note

Some networks that identify themselves as 802.11b are actually 802.11g networks and are being identified as otherwise by a wireless card that is not aware of 802.11g.

Its features include:

  • Bandwidth—54 Mbps

  • Frequency—2.4 GHz

802.11n

Currently emerging in the marketplace of wireless technologies is 802.11n, which increased the amount of bandwidth that was available in previous technologies up to 600 Mbps in some configurations. The 802.11n standard uses a new method of transmitting signals known as multiple input and multiple output (MIMO), which can transmit multiple signals across multiple antennas. The 802.11n standard offers backward compatibility with 802.11g, so it will encourage adoption of the technology by consumers.

Its features include:

  • Bandwidth—Up to 600 Mbps

  • Frequency—2.4 GHz

Other Wireless Technologies

While wireless networking in the form of 802.11 is probably the best known by the average consumer, other wireless technologies are in widespread use, including Bluetooth and WiMax.

Bluetooth

Bluetooth is a technology that emerged for the first time in 1998. From the beginning, Bluetooth was designed to be a short-range networking technology that could connect different devices together. The technology offers neither the performance nor the range of some other technologies, but its intention wasn't to connect devices over long distances. Bluetooth was intended to be a connectivity technology that could allow devices to talk over a distance of no more than 10 meters with low bandwidth requirements. While the bandwidth may seem low, consider the fact that the technology is used to connect devices that do not need massive bandwidth like headsets and personal digital assistants (PDAs). Bluetooth falls into the category of technologies known as Personal Area Networking (PAN).

Note

WiMax is being adopted as a technology to cover some metropolitan areas with wireless access in an effort to offer free Internet access to the masses.

WiMax

Another wireless technology that has emerged over the last few years is WiMax. WiMax is similar in concept to Wi-Fi, but uses different technologies. WiMax is specifically designed to deliver Internet access over the so-called last mile to homes or businesses that may not otherwise be able to get access. In theory, WiMax can cover distances up to 30 miles, but in practice ranges of 10 miles are more likely. The technology was not designed for local area networks; it would fall into the category of Metropolitan Area Networking (MAN).

Working with and Securing Bluetooth

Bluetooth emerged as a concept in the mid-1990s as a way to reduce the wires and cables that cluttered offices and other environments. In 1998, the Bluetooth Special Interest Group (SIG) was created to develop the concept known as Bluetooth and to speed its adoption among the public. The founders of this group included technology giants such as IBM, Intel, Nokia, Toshiba, and Ericsson. After the standard was implemented, manufacturers rapidly started manufacturing all sorts of Bluetooth devices—everything from mice to keyboards to printers showed up on the market, all Bluetooth enabled.

What makes the technology so attractive is its flexibility. Bluetooth has been used in numerous applications including:

  • Connections between cell phones and hands-free headsets and earpieces

  • Low bandwidth network applications

  • Wireless PC input and output devices such as mice and keyboards

  • Data transfer applications

  • GPS connections

  • Bar code scanners

  • A replacement for infrared

  • A supplement to universal serial bus (USB) applications

  • Wireless bridging

  • Video game consoles

  • Wireless modems

Bluetooth has worked very well to link together devices wirelessly, but the technology has problems with security. Bluetooth does, however, support techniques that enforce security to make using enabled devices less vulnerable.

Bluetooth Security

Bluetooth technology was designed to include some security measures to make the technology safer. Each mechanism that is employed can be part of a solution to make using the technology acceptable to individuals and businesses.

Trusted Devices

Bluetooth employs security mechanisms called "trusted devices," which have the ability to exchange data without asking any permission because they are already trusted to do so.

With trusted devices in use, any device that is not trusted will automatically prompt the user to decide whether to allow the connection or not.

A device that is trusted in this system should adhere to certain guidelines. It should be:

  • A personal device that you own such as a cell phone, PDA, media player, or other similar device

  • A device owned by the company and identified as such. These devices could include printers, PDAs, or similar types of devices.

An untrusted device is defined as follows:

  • A device that is not under the immediate control of an individual or company is questionable. Devices that fall in this category include any public devices whose owner you cannot readily identify or trust.

The idea behind trusted devices is that unknown devices are not allowed to connect without being explicitly approved. If an untrusted device were allowed to connect without being approved, it could mean that a device could accidentally or maliciously connect to a system and gain access to the device.

When working with Bluetooth-enabled devices, take special care to attach only to devices you know. Users should be taught to avoid attaching to devices that they do not know and cannot trust. Impress upon users the difference between trusted and untrusted devices when making connections. Stress that unsolicited connection requests should never be accepted.

Discoverable Devices

In an effort to make Bluetooth devices easy to configure and pair with other devices, the discoverability feature was added to the product. When Bluetooth devices are set to be discoverable, they can be seen or discovered by other Bluetooth devices that are in range. The problem with a device being set to be discoverable is that it can be seen by the owners of devices who have both good and bad intentions. In fact, a discoverable device could allow an attacker to attach to a Bluetooth device undetected and swipe data off of it quite easily.

It is getting less common to find devices set with their default mode of operation to be discoverable. But don't take anything for granted. When issuing cell phones to employees, always check to make sure that the device is set to be nondiscoverable unless absolutely necessary.

Bluejacking, Bluesnarfing, and Bluebugging

Bluejacking, Bluesnarfing, and Bluebugging are attacks made possible by devices being discoverable. Bluejacking involves a Bluetooth user transmitting a business card, a form of text message, to another Bluetooth user. If the recipient doesn't realize what the message is, he or she may allow the contact to be added to the address book; after that, the sender becomes a trusted user. In effect, Bluejacking allows anyone, authorized or not, to send messages to a cell phone. The second threat posed by discoverability is Bluesnarfing, which is used to steal data from a phone. Bluebugging goes further: rather than merely accessing data, attackers can use the services of the attacked device for purposes such as making calls or sending text messages.

Viruses and Malware

An issue that was not initially addressed when Bluetooth debuted was viruses. Viruses were already a well-known fact of life in the computer world, but there really was not much done in Bluetooth to address viruses being spread. Early viruses leveraged the discoverability feature to locate and infect nearby devices with a malicious payload. Nowadays, most cell phones tend to use connections that require the sender to be authenticated and authorized prior to accepting any data, which severely curtails the capability of an unknown device to spread an infection. With the technology the way it stands now, a user must agree to open a file and install it—diminishing the potential threat, but not eliminating it.

Note

Never underestimate the creativity and ambition of an attacker or virus writer. They thrive in adapting their methods to leverage new technologies and devices, and wireless is no different. When Bluetooth debuted, no security was provided because no manufacturer perceived a threat; this opened the door to some notable attacks later.

Securing Bluetooth

Bluetooth isn't going away and shouldn't be shunned because of a few security issues; the technology can be secure if used carefully. The makers of Bluetooth have given us the tools to use the technology safely, and these tools coupled with a healthy dose of common sense can make all the difference.

Note

While Bluetooth manufacturers have given us the tools to secure the technology, it is definitely up to us to use them. Manufacturers may or may not enable security features on their devices.

Discovering

Ensure that discoverability on devices is disabled after pairings have been established between devices. In practice, there is no need for discoverability after a pairing has been made so the feature should be shut off unless it's needed for some other reason.

Working with Wireless LANs

Wireless LANs are built upon the 802.11 family of standards and operate in a similar manner to wired networks. The difference between the two beyond the obvious lack of wires is the fundamental functioning of the network itself.

CSMA/CD Versus CSMA/CA

One of the big differences between wired and wireless is the way signals are transmitted and received on the network.

In networks based on the Ethernet standard (802.3), stations transmit their information using what is known as the Carrier Sense Multiple Access with Collision Detection (CSMA/CD) method. Networks that use this method have stations that transmit their information as needed, but collisions are possible when two stations transmit at the same time. To understand the method, think of the way a phone conversation works: Two people can talk and if they happen to talk at the same time, neither will be able to understand what is being said. In this situation, both talkers stop talking and wait to see who is going to talk instead. This is the same method that CSMA/CD uses. In this setup, if two stations transmit at the same time, a collision takes place and is detected; then both stop and wait for a random period of time before retransmitting.

In wireless networks based on the 802.11 standard, the method is a little different, and is called Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA). Networks that use this method "listen" to see whether any other station is transmitting before they transmit themselves. This would be like looking both ways before crossing the street. Much as with CSMA/CD, if a station "hears" another station transmitting, it waits a random period of time before trying again.

Role of APs

An item that is present in wireless networks but not in wired networks is the access point (AP). An AP is a device that wireless clients associate to in order to gain access to the network (more on that later). In order for a wireless client to gain access to the services offered on the wired network on which the AP is connected, it must first associate to it.

APs come in many different types, with a diverse range of capabilities from the consumer to commercial grade. The choice of an AP can have a substantial impact on the overall performance and available features of the network, including range, security, and installation options.

Service Set Identifier (SSID)

A detail that is universally available in wireless networks is the service set identifier (SSID). The SSID is used to uniquely identify a network, thereby ensuring that clients can locate the correct wireless local area network (WLAN) that they should be attaching to. The SSID is attached to each packet as it is generated and is represented as a 32-character sequence uniquely identifying the network.

The SSID is one of the first details that wireless clients will "see" when connecting to a network, so a few things should be considered. First, in most APs the SSID is set to a default value such as the manufacturer's name (for example, "Linksys" or "dlink"), which should be changed to something more appropriate. Second, consider turning off broadcast of the SSID where appropriate. By default in most networks SSID broadcast is turned on, which means that the ID is broadcast, unencrypted, in beacon frames. These beacon frames allow clients to associate with their AP much more easily, but also have the side effect of allowing software such as Netstumbler to identify the network and find its physical location.

Association with an AP

Before a wireless client can work with a wireless network, a process known as association must take place. This process is actually quite simple, at least for our purposes, because association occurs when a wireless client has the SSID preconfigured for the network it is supposed to be attaching to. When it is configured in a wireless client, it will look for and then associate to the network whose value has been configured.

The Importance of Authentication

While not required, it is desirable to make sure that only those clients that you want to attach to your wireless network can do so. In order to restrict this access, authentication is performed prior to the association process. Authentication can be performed either in an open or preshared key situation, both offering features that may be desirable. With open keys, no secure authentication is performed and anyone can connect. When using this mode, no encryption is performed, so all information is sent in the clear unless another mechanism provides this feature. In preshared key (PSK) situations, both the AP and client have the same key entered ahead of time and therefore can authenticate and associate securely. This also has the benefit of encrypting traffic as well.

Working with RADIUS

In some organizations it is possible that you may have existing tools or infrastructure in place that can be used to authenticate wireless clients. One of these options is RADIUS or Remote Authentication Dial-In User Service.

The RADIUS service is one that is designed to centralize authentication, authorization, and accounting, or AAA. The service allows user accounts and their authorization levels to be stored on a single server and have all authentication and authorization requests forwarded to this location. By consolidating management in this manner it is possible to simplify administration and management of the network by making a single location to carry out these tasks.

Note

RADIUS is available on a wide range of operating systems and is supported by a wide range of enterprise level access points.

In practice, when a user connects to a wireless access point, his or her connection request can be forwarded to a RADIUS server. This request is then authenticated, authorized, and recorded (accounted), and access takes place as authorized.

Network Setup Options

Wireless networks and APs can relate in two ways: ad hoc or through infrastructure. Each option has advantages and disadvantages that make it attractive in different situations. The following sections show you how they work.

Ad Hoc Network

Ad hoc networks can be created very quickly and easily because no AP is required in their setup. Ad hoc networks can be thought of as peer-to-peer networks in which each client can attach to any other client to send and receive information. These clients or nodes become part of one network sharing a form of SSID known as an Independent Basic Service Set (IBSS). While these networks are quick to set up, which is the primary advantage, they do not scale well because they become harder to manage and less secure as the number of clients grows.

Infrastructure Network

Infrastructure-based wireless networks are networks that use an AP that each client associates to. Each client in the network setup will be configured to use the SSID of the AP that will be used to send and receive information. This type of network scales very well compared with the ad hoc-based networks and is much more likely to be used in production environments. Additionally, infrastructure networks can scale to a much larger degree by simply adding more APs to create what is known as an extended service set (ESS).

Threats to Wireless LANs

Wireless networks offer many benefits similar to wired networks, but differ in the threats they face. Wireless networks have many threats that are unique to the way the technology works and each must be understood thoroughly prior to deploying the proper defenses.

Wardriving

Wardriving is the process of an attacker traveling through an area with the goal of detecting wireless APs or devices. An attacker who wants to engage in wardriving can do so with very basic equipment, usually a notebook with a wireless card and special software designed to detect wireless networks. In most cases those engaging in wardriving are looking to get free Internet access; however, it is more than possible for them to do much worse, such as accessing computers on the network, spreading viruses, or even downloading illegal software on someone else's dime.

Wardriving has led to a family of so-called "war" attacks that are all variations of the same concept:

  • Warwalking—Attackers use a wireless-enabled device to detect wireless networks as they walk around an area.

  • Warbiking—Same technique as warwalking, but on a bike

  • Warflying—Relatively advanced technique that requires the same equipment as wardriving, but the process uses an aircraft instead of a car

  • Warballooning—An attacker places a GPS and wireless detection gear on a cluster of small balloons and lets them float over an area. The device is later retrieved and the data imported into the appropriate software.

Misconfigured Security Settings

Every AP, piece of software, or associated hardware has recommended security settings provided by the vendor by default or in the instruction booklet. In a vast number of cases, such as residential or small businesses, APs end up getting implemented without these most basic of settings configured. In some cases, such as with consumer-grade APs, the default settings on the equipment allow the device to work "out of the box," meaning that those that don't know otherwise will assume that everything is OK as is.

Unsecured Connections

Another concern with wireless security is what employees or users may be attaching to. It has been shown that at least 25 percent of business travelers attach to unsecured APs in locations such as hotels, airports, coffee shops, and other locations. This number is expected to increase as companies allow more individuals to travel and work in the field with the associated notebooks and similar devices. The concern with this situation is twofold: what users are transmitting and what is stored on their systems. Transmitting information over an unsecured AP can be extremely problematic and users who leave wireless access such as Bluetooth enabled on a notebook or cell phone may open themselves up to data theft or other dangerous situations.

Rogue APs

A problem with wireless is the appearance of rogue APs that have been installed without authorization. The problem with rogue APs comes on a few fronts because they are unmanaged, unknown, and unsecured in most cases. Rogue APs that are installed without the knowledge of the IT department are by their very nature unmanaged and have no controls placed upon them. They are known only to specific individuals, both good and bad. Finally, APs installed in this situation are frequently subject to little or no security, leading to unrestricted access by any party that locates the AP.

A new twist on rogue APs adds an element of phishing. In this attack, an attacker creates a rogue AP with a name that looks the same or is the same as a legitimate AP with the intention that unsuspecting users will attach to it. Once users attach to this AP, their credentials can be captured by the attacker. By using the same method, an attacker can even capture sensitive data as it is transmitted over the network.
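As an added example that is not part of the chapter, the following audit illustrates the SSID, authentication, and rogue AP points above from the defender's side: it parses beacon frames and flags a factory-default SSID, a hidden SSID, an open network (no privacy bit set in the capability field), and a BSSID that announces the corporate SSID but is not in the authorized AP inventory (the evil-twin variant). The beacon frames, BSSIDs, the "CorpWLAN" name, and the entries in DEFAULT_SSIDS other than Linksys and dlink are constructed for this example.

```python
import struct

# 802.11 beacon layout: 24-byte management header, then fixed fields
# timestamp(8) + beacon interval(2) + capabilities(2), then tagged elements.
MGMT_HEADER_LEN = 24
FIXED_FIELDS_LEN = 12
CAP_ESS = 0x0001
CAP_PRIVACY = 0x0010        # capability bit 4: link-layer encryption in use
TAG_SSID = 0
MAX_SSID_LEN = 32           # the SSID element carries at most 32 bytes
# Factory SSIDs worth flagging; "linksys" and "dlink" come from the text,
# the rest are assumed additions for the example.
DEFAULT_SSIDS = {"linksys", "dlink", "default", "netgear"}


def build_beacon(bssid: bytes, ssid: bytes, privacy: bool) -> bytes:
    """Construct a minimal beacon frame as sample input (not captured traffic)."""
    frame_control = b"\x80\x00"       # type 0 (management), subtype 8 (beacon)
    duration = b"\x00\x00"
    dest = b"\xff" * 6                # beacons are broadcast to everyone in range
    seq = b"\x00\x00"
    header = frame_control + duration + dest + bssid + bssid + seq
    caps = CAP_ESS | (CAP_PRIVACY if privacy else 0)
    fixed = struct.pack("<QHH", 0, 100, caps)   # timestamp, interval, capabilities
    ssid_ie = bytes([TAG_SSID, len(ssid)]) + ssid
    return header + fixed + ssid_ie


def parse_beacon(frame: bytes) -> dict:
    """Return BSSID, SSID and privacy flag from a beacon, rejecting malformed input."""
    if len(frame) < MGMT_HEADER_LEN + FIXED_FIELDS_LEN or frame[0] != 0x80:
        raise ValueError("not a beacon frame")
    bssid = frame[16:22].hex(":")                      # address 3 is the BSSID
    _timestamp, _interval, caps = struct.unpack_from("<QHH", frame, MGMT_HEADER_LEN)
    ssid = None
    pos = MGMT_HEADER_LEN + FIXED_FIELDS_LEN
    while pos + 2 <= len(frame):                       # walk the tagged elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        if tag == TAG_SSID:
            if length > MAX_SSID_LEN:
                raise ValueError("SSID element longer than 32 bytes")
            ssid = value
        pos += 2 + length
    return {"bssid": bssid, "ssid": ssid, "privacy": bool(caps & CAP_PRIVACY)}


def audit_beacons(frames, corporate_ssid: str, authorized_bssids: set) -> list:
    """Compare observed beacons with the authorized AP inventory and return
    (bssid, ssid label, issue) findings for the administrator to review."""
    findings = []
    for frame in frames:
        info = parse_beacon(frame)
        raw = info["ssid"]
        ssid = raw.decode("utf-8", "replace") if raw else ""
        label = ssid or "<hidden>"
        known = info["bssid"] in authorized_bssids
        if not ssid:
            findings.append((info["bssid"], label, "hidden SSID: broadcast suppressed but AP still detectable"))
        if ssid.lower() in DEFAULT_SSIDS:
            findings.append((info["bssid"], label, "factory default SSID left unchanged"))
        if not info["privacy"]:
            findings.append((info["bssid"], label, "open network: traffic sent in the clear"))
        if ssid == corporate_ssid and not known:
            findings.append((info["bssid"], label, "corporate SSID from unauthorized BSSID: possible evil twin"))
        elif not known:
            findings.append((info["bssid"], label, "BSSID not in inventory: rogue AP or neighbor, verify"))
    return findings


# Constructed sample scan: one authorized AP plus three suspicious ones.
AUTHORIZED = {"00:11:22:33:44:55"}
SAMPLE_FRAMES = [
    build_beacon(bytes.fromhex("001122334455"), b"CorpWLAN", privacy=True),   # legitimate
    build_beacon(bytes.fromhex("aabbccddee01"), b"CorpWLAN", privacy=False),  # evil twin, open
    build_beacon(bytes.fromhex("aabbccddee02"), b"linksys", privacy=False),   # default SSID, open
    build_beacon(bytes.fromhex("aabbccddee03"), b"", privacy=True),           # hidden SSID
]

if __name__ == "__main__":
    for bssid, ssid, issue in audit_beacons(SAMPLE_FRAMES, "CorpWLAN", AUTHORIZED):
        print(f"{bssid}  {ssid:<10} {issue}")
```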

Promiscuous Clients

Promiscuous clients are APs configured to offer a strong signal and the promise of good performance. The idea behind these APs is that a victim will notice the strong signal and good performance and attach to the AP. Such a nearby AP may be owned by an attacker who has the same goal as the malicious owner of a rogue AP: to capture information.

Wireless Network Viruses

Viruses exist that are specifically designed to leverage the strengths and weaknesses of wireless technologies. Wireless viruses are different because they can replicate quickly using the wireless network, jumping from system to system with relative ease. For example, a virus known as MVW-WIFI can replicate through wireless networks by using one system to detect other nearby wireless networks; it then replicates to those networks, at which point the process repeats.

Note

Wireless viruses are not restricted to 802.11 networks; they can and have appeared on other wireless technologies, including Bluetooth devices. In concept, 802.11 and Bluetooth viruses are the same; the difference in practice is how each uses its underlying technology (802.11 or Bluetooth).

Countermeasures

Protection on a wireless network is essential and must be considered carefully. There are several techniques that you may use to protect yourself and your employees from harm; these include:

  • Firewalls—In the case of roaming or remote clients that connect to wireless networks at the office or at the local coffee shop or airport, a good personal firewall can provide a much needed level of protection.

  • Antivirus—An antivirus should be installed on every computer, and a wireless client is no exception, especially due to its higher exposure to threats.

  • VPN—A virtual private network can enhance protection to a high degree by encrypting all traffic between the roaming client and the company network. By using this technique it is possible to work on a wireless network that has no protection itself and provide this through the VPN.

Wireless Hacking Tools

There are a number of wireless hacking tools available to the attacker who wants to break into or discover wireless networks. Some of the more common ones include:

  • Kismet

  • Netstumbler

  • Medieval Bluetooth Scanner

  • inSSIDer

  • Coreimpact

  • GFI LANguard Network Security Scanner

  • Cowpatty

  • Wireshark

Figure 8-1. Netstumbler interface.

Netstumbler

Netstumbler is one of the more common tools for locating wireless networks of the 802.11 persuasion. The software is designed to detect any wireless network that your wireless network adapter supports (802.11a, 802.11b, 802.11g, and so on). The software also has the ability to interface with a USB global positioning system (GPS) to map out the location of the APs it detects, usually within a good distance of the actual AP. Netstumbler does not have many options and is very simple to use (see Figure 8-1).

Note

Netstumbler also comes in a version known as mini-stumbler, designed especially for PDAs.

inSSIDer

While Netstumbler software offers a good amount of functionality, it is not the only product that can perform wireless network scanning. Another piece of software that can do the same thing is inSSIDer. Metageek, the makers of inSSIDer, describe the benefits of their tool as follows.

Features unique to inSSIDer include:

  • Uses Windows Vista and Windows XP 64-bit

  • Uses the Native Wi-Fi application protocol interface (API) and current wireless network card

  • Can group by MAC address, SSID, Channel, received signal strength indicator (RSSI), and "Time Last Seen"

  • Compatible with most GPS devices (NMEA v2.3 and higher)

The inSSIDer tool can do the following:

  • Inspect your WLAN and surrounding networks to troubleshoot competing APs

  • Track the strength of received signals in dBm (a measurement of decibels) over time

  • Filter APs in an easy-to-use format

  • Highlight APs for areas with high Wi-Fi concentration

  • Export Wi-Fi and GPS data to a Keyhole Markup Language (KML) file to view in Google Earth

Note

Netstumbler has been a staple of wardriving techniques for a while, but for all its popularity it does have some limitations, one of which is a lack of 64-bit support. The inSSIDer tool is a full-featured replacement for Netstumbler.

Figure 8-2. The inSSIDer interface

The inSSIDer interface is shown in Figure 8-2.

Once a target has been identified and its identifying information noted, the attack can begin.

Protecting Wireless Networks

Wireless networks can be secured if care is taken and knowledge of the vulnerabilities is possessed by the security professional. In some ways a wireless network can be secured like a wired network, but there are techniques specific to wireless networks that must be considered as well.

Note

Software such as Netstumbler can be used to discover APs. When one is detected, it is easy to look at the name of the AP and infer that whoever didn't change the name from something such as "Linksys" or "dlink" probably didn't change anything else, either.

Default AP Security

Every AP ships with certain defaults already set; these should always be changed. Every manufacturer includes some guidance on what to configure on its APs; this advice should always be followed and mixed with a healthy dose of experience in what is best. Not changing the defaults on an AP can be a big detriment to security because the defaults are generally posted on the manufacturer's Web site.

Placement

Placement of a wireless AP can be a potent security measure if undertaken properly. An AP should be placed to cover the areas it needs to, and not as much of the ones it doesn't. For example, an AP should not be located near a window if the people that will be connecting to it are deeper inside the building or only in the building. Positioning an AP near a window gives the signal more distance to emanate outside the building.

Of course, other issues with placement need to be addressed, in particular the issue of interference. Placement of APs near sources of electromagnetic interference (EMI) can lead to unusable or unavailable APs. EMI can lead to APs being available to clients, but with such poor performance that it makes the technology worthless to the organization.

Emanations

Not much can be done to stop emanations in a wireless network, but something can be done to control their scope and range. In some cases, directional antennas can be used to concentrate or focus the signal tightly into a certain area instead of letting it go everywhere. One type of antenna is the Yagi antenna, which can focus a signal into a narrow beam, making it difficult for others outside the selected area to pick it up.

Rogue APs

Rogue APs are somewhat tough to stop, but they can be detected and deterred. The first action to address with rogue APs is the installation of unauthorized ones by employees. In this case, education is the first line of defense; let employees know that installation of rogue APs is not allowed and why. Additionally, perform site surveys using tools such as Netstumbler, Kismet, or any number of commercial wireless site survey packages to detect rogue APs.

The second issue to deal with is individuals connecting to the wrong or to unauthorized APs. In these cases education is again key. Let employees know the names of company-controlled APs and give them information about the dangers of connecting to unknown APs.
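The site-survey triage described here and in the phishing-style rogue AP attack earlier, as an added example that is not from the chapter: given a scan list in the shape Netstumbler or inSSIDer report (SSID, BSSID, channel, RSSI) and IT's inventory of authorised BSSIDs, flag unknown radios advertising the corporate name, look-alike names, factory-default names, and strong unknown APs that are probably inside the building. The survey rows, the inventory, and the -60 dBm on-premises threshold are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed site-survey rows (not real scan data): SSID, BSSID, channel, RSSI in dBm.
SURVEY = [
    ("CorpNet",         "00:1a:2b:3c:4d:5e", 6,  -41),
    ("CorpNet",         "00:1a:2b:3c:4d:5f", 11, -55),
    ("CorpNet",         "8c:fd:f0:aa:bb:cc", 6,  -38),  # corporate name, radio IT never installed
    ("Corpnet",         "8c:fd:f0:11:22:33", 1,  -44),  # look-alike name
    ("linksys",         "00:18:39:de:ad:01", 6,  -47),  # factory default still set
    ("CoffeeShop_Free", "c0:ff:ee:00:00:01", 1,  -80),  # weak, probably next door
]

# Inventory as recorded by IT (constructed). BSSIDs are compared in lower case.
AUTHORISED = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"}
CORP_SSIDS = {"CorpNet"}
DEFAULT_SSIDS = {"linksys", "dlink", "default", "netgear"}
ONSITE_RSSI_DBM = -60  # assumed: a signal this strong is probably inside the building


@dataclass
class Finding:
    bssid: str
    ssid: str
    reason: str


def classify(survey, authorised, corp_ssids, default_ssids, onsite_dbm=ONSITE_RSSI_DBM):
    """Return one Finding per survey row that deserves a walk-up inspection."""
    corp_folded = {s.casefold() for s in corp_ssids}
    findings = []
    for ssid, bssid, _channel, rssi in survey:
        bssid = bssid.lower()
        if bssid in authorised:
            continue  # known, managed radio
        if ssid in corp_ssids:
            reason = "unknown radio advertising a corporate SSID (possible evil twin)"
        elif ssid.casefold() in corp_folded:
            reason = "look-alike of a corporate SSID"
        elif ssid.casefold() in default_ssids:
            reason = "factory-default SSID, likely an unconfigured rogue AP"
        elif rssi >= onsite_dbm:
            reason = "strong unknown AP, probably on premises"
        else:
            continue  # weak and unrelated: a neighbour's network
        findings.append(Finding(bssid, ssid, reason))
    return findings


if __name__ == "__main__":
    for f in classify(SURVEY, AUTHORISED, CORP_SSIDS, DEFAULT_SSIDS):
        print(f"{f.bssid}  {f.ssid!r:18} {f.reason}")
```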

Use Protection for Transmitted Data

By its very nature, wireless data is transmitted so that anyone who wants to listen in can do so. In order to protect wireless networks an appropriate authentication technology should be used. The three that are currently in use are:

  • Wired Equivalent Privacy (WEP)—Not much used anymore because it is weak and only marginally better than no protection at all. WEP was available on all first-generation wireless networks, but was replaced later with stronger technologies such as WPA.

    In theory, WEP was supposed to provide protection, but in practice poor implementation resulted in the use of weak keys. It was found that with enough weak keys simple cryptanalysis could be performed, and a WEP passphrase can now be broken in a few minutes (sometimes 30 seconds).

  • Wi-Fi Protected Access (WPA)—More robust than WEP, it was designed to replace it in new networks. WPA introduces stronger encryption and better key management that makes for a stronger system.

    WPA is supported on most wireless APs manufactured after 2003, and some manufactured prior to this can have their firmware upgraded. WPA should be used if the AP offers the ability to use WEP or WPA.

  • Wi-Fi Protected Access version 2 (WPA2)—WPA2 is an upgrade to WPA that introduces stronger encryption and eliminates a few of the remaining weaknesses in WPA.

Note

WEP is listed here in the interest of completeness; however, in practice WEP should be avoided at all costs due to its well-known weaknesses. Using an alternative method such as WPA or WPA2 would be much more secure.

Using the appropriate protection for a wireless network is important because it can protect the network from eavesdropping and other attacks in which an attacker can see network traffic. Of course, just having a good protection scheme does not make for a safe environment by itself; there are other factors. In the case of WPA and WPA2, the keys in use make a major difference for how effective the technology is. Using poorly chosen or short passwords (or keys) can weaken the protection and make it breakable by a knowledgeable attacker. When choosing a key it should be random, be of sufficient length, and adhere to the rules for complex passwords.
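Why the passphrase matters so much for WPA and WPA2-Personal, as an added example that is not the chapter's own code: the standard (IEEE 802.11i) derives the 256-bit preshared key from the passphrase with PBKDF2-HMAC-SHA1, salted with the SSID, so a guessable passphrase gives a guessable key, and a factory-default SSID makes precomputed guesses reusable across networks. The 8-to-63 printable-ASCII bound is the specification's; the 20-character minimum, the three-class rule, and the tiny denylist are assumed local policy, and the "password"/"IEEE" pair is the specification's published test vector.

```python
import hashlib
import secrets
import string

PBKDF2_ITERATIONS = 4096  # fixed by the WPA/WPA2-Personal specification
PSK_LEN = 32              # 256-bit pairwise master key


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Standard WPA/WPA2-Personal PSK derivation: PBKDF2-HMAC-SHA1(passphrase, SSID)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_LEN)


def check_passphrase(passphrase: str, min_len: int = 20) -> list[str]:
    """Return the rules a candidate passphrase breaks; an empty list means acceptable.

    Bounds of 8..63 printable ASCII come from the specification; min_len, the
    character-class rule and the denylist are assumed policy for this example.
    """
    problems = []
    if not (8 <= len(passphrase) <= 63) or not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("must be 8-63 printable ASCII characters")
    if len(passphrase) < min_len:
        problems.append(f"shorter than policy minimum of {min_len}")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    if sum(any(c in cls for c in passphrase) for cls in classes) < 3:
        problems.append("uses fewer than three character classes")
    if passphrase.lower() in {"password", "12345678", "admin1234"}:  # constructed denylist sample
        problems.append("appears on the weak-passphrase list")
    return problems


def generate_passphrase(length: int = 32) -> str:
    """Random passphrase from the printable-ASCII alphabet, retried until it passes policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_passphrase(candidate):
            return candidate


if __name__ == "__main__":
    print(derive_psk("password", "IEEE").hex())       # 802.11i test vector
    print(check_passphrase("password"))                # three policy failures
    print(generate_passphrase())
```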

Note

While MAC filtering does provide a level of protection, a determined attacker can get past it with some knowledge of how networks work. It is also very difficult to use in all but the smallest environments, as managing MAC lists can become very cumbersome.

MAC Filtering

Media access control (MAC) address filtering is a way to enforce access control on a wireless network by registering the MAC addresses of wireless clients with the AP. Because the MAC address is supposed to be unique, clients are limited to those systems that have their MAC preregistered. To set up MAC filtering you need to record the MAC addresses of each client that will use your AP and register those clients on the AP.

CHAPTER SUMMARY

Wireless communication and networking are technologies that have seen rapid growth and adoption over the past few years. Many organizations have chosen to use wireless technologies due to the increased mobility and ability to extend networks that wireless offers. Wireless has become one of the most widely used technologies by both consumers and businesses, and will most likely continue to be so.

For all the benefits that wireless offers, the big concern for the security professional is security. Wireless technologies have many security issues, both real and potential, that must be addressed by the security professional. The technology suffers from poor or even overlooked security options by those who either adopted the technology too quickly or didn't take the time to understand the issues.

This chapter explored how to use wireless technology in an organization, reaping its benefits and doing so securely. Like any technology, wireless can be used safely; it is only a matter of understanding the tools available to make the system secure. To make wireless secure, you can leverage techniques such as encryption and authentication together with other features designed to make the system stronger and more appealing to the business.

KEY CONCEPTS AND TERMS

  • 802.11

  • Bluebugging

  • Bluejacking

  • Bluesnarfing

  • Multiple input and multiple output (MIMO)

  • Personal Area Networking (PAN)

  • Preshared key (PSK)

  • Wi-Fi

  • Wireless local area network (WLAN)

CHAPTER 8 ASSESSMENT

  1. Wireless refers to all the technologies that make up 802.11.

    1. True

    2. False

  2. _______ operates at 5 GHz.

    1. 802.11a

    2. 802.11b

    3. 802.11g

    4. 802.11n

  3. _______ is a short range wireless technology.

  4. Which type of network requires an AP?

    1. Infrastructure

    2. Ad hoc

    3. Peer-to-peer

    4. Client Server

  5. _______ dictate(s) the performance of a wireless network.

    1. Clients

    2. Interference

    3. APs

    4. All of the above

  6. _______ blocks systems based on physical address.

    1. MAC Filtering

    2. Authentication

    3. Association

    4. WEP

  7. An ad hoc network scales well in production environments.

    1. True

    2. False

  8. Which of the following is used to identify a wireless network?

    1. SSID

    2. IBSS

    3. Key

    4. Frequency

  9. Several APs grouped together form a(n) _______.

    1. BSS

    2. SSID

    3. EBSS

    4. EBS

  10. _______ uses trusted devices.

    1. 802.11

    2. Infrared

    3. Bluetooth

    4. CSMA
