Wireless threats & vulnerabilities
Like their wired counterparts, wireless networks are subject to their own kinds of attacks and vulnerabilities; Information Security used the following to put four wireless IDS/IPS products to the test.
Attacks included the following:
MAC spoofing. Because wireless MAC addresses are broadcast, potential attackers can sniff the air for legitimate MAC addresses associated with authorized WLAN clients, access points and even wired infrastructure, such as switches and routers. Using changemac.sh, we spoofed addresses for a number of devices.
Denial of service. Using Void11, we directed a flood of authentication packets at deployed access points.
Man-in-the-middle. We configured a rogue access point with the same SSID and channel information as our WLAN, and transmitted spoofed de-authentication packets to internal wireless clients in an effort to terminate their association with an authorized AP and have them associate with the rogue device.
These are the frequently encountered vulnerabilities configured in our testing:
Rogue access points. A wired rogue is created when someone plugs an unauthorized AP into the wired network. A soft AP is a network adapter in a wireless device (often a laptop) functioning as an access point, allowing anyone to attach to the device. Soft APs make it a breeze to tap into laptops and PDAs in hotel lobbies and airports.
Misassociations. These occur when a wireless adapter attaches to the wrong AP. This has turned out to be an ugly problem for early wireless VoIP phones; they may inadvertently attach to the AP with the strongest signal, instead of the one carrying the VoIP call.
Peer-to-peer networks. A Windows XP laptop with a wireless client will automatically try to reconnect to any SSID it has successfully connected to before--at home or a hot spot--so the adapter will attach to another AP or peer advertising the same SSID without the user's knowledge.
Misconfigured devices. If an AP is not part of a centrally managed WLAN, chances are a misconfiguration on it would go completely unnoticed.
All four products detected everything we threw at them--including a host of common attacks (see "Wireless Threats & Vulnerabilities").
The way they process the threats is worth noting. AirMagnet and Network Chemistry perform in-depth analysis at the sensor and then send an aggregate back to the server. There is a distinct advantage to this method because, even if the central server goes down, the sensors continue to protect the WLAN. AirTight and AirDefense perform minimal analysis at the sensor, sending collected data back to the server for more extensive analysis and correlation. AirTight allows users to upload SpectraGuard Sensor software onto other vendors' access points, turning them into SpectraGuard Sensors and saving both time and money.
Given the extensive coverage of enterprise WLANs, creating an access policy can be challenging, especially for organizations using a mix of equipment from multiple vendors. The granularity of policy configuration for the tested products covered a vast array of choices--individual and global settings, channel, encryption method, vendor and behavior. For example, we configured our products to ignore traffic that was not trying to connect to any devices associated with our WLAN. This is critical for enterprises that operate in areas in which other WLANs can overlap--such as in high-rise office buildings and business parks.
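As an added illustration (not code from the review or from any of the four vendors), the following script models how a sensor could classify the attacks and vulnerabilities in the "Wireless Threats & Vulnerabilities" sidebar against an access policy like the one described above: authorized BSSIDs, SSIDs, channels and client MACs are assumed sample values, beacons from neighbouring WLANs that never touch our devices are ignored, and a constructed capture contains an evil-twin beacon, a deauth spoofing our AP, the lured client and an authentication flood. MAC spoofing itself is not covered, since nothing in these frame records distinguishes a cloned address from the real one.

```python
from collections import defaultdict

# Constructed policy for the authorized WLAN: assumed sample values, not from the review.
AUTHORIZED_APS = {"00:11:22:33:44:01": ("corp-wlan", 6)}       # BSSID -> (SSID, channel)
AUTHORIZED_CLIENTS = {"00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02"}
AUTH_FLOOD_THRESHOLD = 20   # auth frames to one AP within a single second

def analyze(frames):
    """Classify management-frame records (dicts with t, sub, src, dst, bssid and, for
    beacons, ssid/channel/mode) into (alert_type, address) tuples in detection order."""
    our_ssids = {ssid for ssid, _ in AUTHORIZED_APS.values()}
    alerts, auth_counts, flooded, deauthed = [], defaultdict(int), set(), set()
    for f in frames:
        sub, bssid = f["sub"], f["bssid"]
        if sub == "beacon":
            if bssid in AUTHORIZED_APS:
                if (f["ssid"], f["channel"]) != AUTHORIZED_APS[bssid]:
                    alerts.append(("misconfigured_ap", bssid))   # drifted from policy
            elif f["ssid"] in our_ssids:
                alerts.append(("rogue_ap_same_ssid", bssid))     # evil twin of our WLAN
            elif f.get("mode") == "adhoc":
                alerts.append(("adhoc_network", bssid))          # laptop acting as a peer/soft AP
            # any other beacon belongs to a neighbouring WLAN and is ignored, per the policy
        elif sub == "auth" and bssid in AUTHORIZED_APS:
            key = (bssid, int(f["t"]))
            auth_counts[key] += 1
            if auth_counts[key] > AUTH_FLOOD_THRESHOLD and key not in flooded:
                flooded.add(key)
                alerts.append(("auth_flood", bssid))             # Void11-style authentication flood
        elif sub == "deauth" and f["src"] in AUTHORIZED_APS and f["dst"] in AUTHORIZED_CLIENTS:
            deauthed.add(f["dst"])   # a sensor cannot prove this was spoofed; just remember it
        elif sub == "assoc_req" and f["src"] in AUTHORIZED_CLIENTS and bssid not in AUTHORIZED_APS:
            # client joined a non-authorized AP; right after a deauth it is the MITM chain
            kind = "mitm_reassociation" if f["src"] in deauthed else "misassociation"
            alerts.append((kind, f["src"]))
    return alerts

# Constructed sample capture: evil-twin beacon, spoofed deauth, client lured away, auth flood.
SAMPLE = [
    {"t": 0.0, "sub": "beacon", "src": "00:11:22:33:44:01", "dst": "ff:ff:ff:ff:ff:ff",
     "bssid": "00:11:22:33:44:01", "ssid": "corp-wlan", "channel": 6, "mode": "infra"},
    {"t": 0.1, "sub": "beacon", "src": "00:de:ad:be:ef:01", "dst": "ff:ff:ff:ff:ff:ff",
     "bssid": "00:de:ad:be:ef:01", "ssid": "corp-wlan", "channel": 6, "mode": "infra"},
    {"t": 0.2, "sub": "deauth", "src": "00:11:22:33:44:01", "dst": "00:aa:bb:cc:dd:01",
     "bssid": "00:11:22:33:44:01"},
    {"t": 0.3, "sub": "assoc_req", "src": "00:aa:bb:cc:dd:01", "dst": "00:de:ad:be:ef:01",
     "bssid": "00:de:ad:be:ef:01"},
] + [{"t": 1.0 + i / 100, "sub": "auth", "src": "00:ca:fe:00:00:%02x" % i,
      "dst": "00:11:22:33:44:01", "bssid": "00:11:22:33:44:01"} for i in range(25)]
```

Calling `analyze(SAMPLE)` yields the rogue AP, the client's reassociation after the deauth, and one auth-flood alert for the 25 authentication frames in the same second.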
AirTight shone with rapid response time for identification and extensive details of all attacks.
Network Chemistry responded to our attacks faster than AirDefense and AirMagnet, but didn't provide their robust level of detail. Its alerts offered minimal information, such as the alert type (e.g., rogue AP), the offending address, the location of the nearest sensor, a time and date stamp, and some canned information about the type of alert. The rest of the products provided much more information about their alerts, including the device name, MAC address, amount of data transferred, duration of the event and other devices involved.
All the products block rogues on both the wired and wireless side. Wireless blocking is done by signal jamming; a device can be quarantined for a specified amount of time or until the alarm is acknowledged. Wired threats, such as rogue APs, can be traced and blocked at the switch port.
Unlike wired IDS systems, wireless IDS/IPS systems don't need an extensive amount of tuning or frequent signature updates to reduce false positives. Their custom tuning is much more intuitive and GUI-based than, say, writing Snort signatures. In fact, during our testing, the only false positive returned was from AirMagnet on an older D-Link 802.11b AP.
No Wireless Allowed
One of the strongest business cases for these stand-alone solutions is their ability to identify unauthorized WLANs in organizations with a zero-wireless policy.
Practically every laptop shipped with Windows XP tries to connect with a wireless network from the moment it is powered on. With a $20 off-the-shelf access point, an employee can punch a hole in your firewall in less than five minutes by simply plugging into the corporate network. Likewise, in high-rise and campus environments, where existing WLANs often overlap, peer-to-peer networks and inadvertent association from your employees' wireless laptops open your organization to many vulnerabilities.
We set up each product to identify all RF traffic detected. Rogue APs, laptops broadcasting in ad hoc mode and other private WLANs in proximity to the sensors were immediately identified by each product. We were particularly impressed when the AirTight sensor picked up a passing delivery truck's barcode scanner.
Considering its accurate detection at such a low cost, Network Chemistry would be a good choice for implementing a no-wireless policy.
This was first published in March 2006